Merge branch 'unstable' into stable
198f3fab0a
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -2,3 +2,4 @@
|
|||
.kateproject.d
|
||||
.vagrant/
|
||||
*.swp
|
||||
.vscode
|
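--- a/.markdownlint.json
+++ b/.markdownlint.json
@@ -0,0 +1,4 @@
+{
+"MD013": false,
+"MD024": false
+}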
3
.vscode/settings.json
vendored
3
.vscode/settings.json
vendored
|
@ -3,5 +3,6 @@
|
|||
"*.yml": "ansible",
|
||||
"*.yaml": "ansible"
|
||||
},
|
||||
"yaml.format.enable": false
|
||||
"yaml.format.enable": false,
|
||||
"ansible.python.interpreterPath": "/bin/python"
|
||||
}
|
168
CHANGELOG.md
168
CHANGELOG.md
|
@ -1,4 +1,5 @@
|
|||
# Changelog
|
||||
|
||||
All notable changes to this project will be documented in this file.
|
||||
|
||||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
||||
|
@ -8,7 +9,6 @@ The **major** part of the version is the year
|
|||
The **minor** part changes is the month
|
||||
The **patch** part changes is incremented if multiple releases happen the same month
|
||||
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
|
@ -21,6 +21,88 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Security
|
||||
|
||||
## [23.10] 2023-10-14
|
||||
|
||||
### Added
|
||||
|
||||
* apt: disable `NonFreeFirmware` warning for VM on Debian 12+
|
||||
* apt: explicit `signed-by` directives for official sources
|
||||
* bind: add reload-zone helper
|
||||
* certbot: deploy-hook for proftpd
|
||||
* docker-host: added var for user namespace setting
|
||||
* dovecot: add Munin plugins dovecot1 and dovecot_stats (patched)
|
||||
* dovecot: fix old_stats plugin for Dovecot 2.3
|
||||
* evocheck: add support for Debian >= 12 split SSH configuration
|
||||
* evolinux-base: add split SSH configuration for Debian >= 12
|
||||
* evolinux-base: configure `.bashrc` for all users
|
||||
* evolinux-base: New variable `evolinux_system_include_ntpd` to chose wether or not to include `ntpd` role
|
||||
* evolinux-base: reboot the server if the Cloud kernel has been installed
|
||||
* evolinux-users: add split SSH configuration for Debian >= 12
|
||||
* evolinux: install HPE Agentless Management Service (amsd)
|
||||
* fail2ban: add default variable fail2ban_dbpurgeage_default
|
||||
* fail2ban: add `fail2ban_sshd_port` variable to configure sshd port
|
||||
* kvm-host: release 23.10 for migrate-vm.sh
|
||||
* metricbeat/logstash: fix Ansible syntax
|
||||
* mysql: new munin graph to follow binlog_days over time
|
||||
* nagios-nrpe: add a NRPE check-local command with completion.
|
||||
* nagios-nrpe: add a proper monitoring plugin for GlusterFS (on servers, not for clients)
|
||||
* php: add new variable to disable overriding settings of php-fpm default pool (www)
|
||||
* policy_pam: New role to manage password policy with `pam_pwquality` & `pam_pwhistory`
|
||||
* userlogrotate: add a `userlogpurge` script disabled by default
|
||||
* userlogrotate: new version, with separate conf file
|
||||
* userlogrotate: rotate also php.log
|
||||
* java: allow version 17
|
||||
* timesyncd: new role, used instead of ntpd by default starting with Debian 12
|
||||
|
||||
### Changed
|
||||
|
||||
* all: change syntax "become: [yes,no]" → "become: [true,false]"
|
||||
* all: change syntax "force: [yes,no]" → "force: [true,false]"
|
||||
* elasticsearch: improve networking configuration
|
||||
* evolinux-base: include files under `sshd_config.d`
|
||||
* evolinux-users: remove Stretch references in tasks that also apply to next Debian versions
|
||||
* evomaintenance: upstream release 23.10.1
|
||||
* lxc-php: change LXC container in bookworm for php82
|
||||
* minifirewall: update nrpe script to check active configuration
|
||||
* minifirewall: upstream release 23.07
|
||||
* mysql: improve shell syntax for mysql_skip script
|
||||
* nagios-nrpe: set default check_load --per-cpu for BSD
|
||||
* pgbouncer: minor fixes
|
||||
* postfix (packmail or when postfix_slow_transport_include is True): change `miniprofmal_backoff_time` from 2h to 15m (see HowtoPostfix)
|
||||
* postfix (packmail) : optimize Amavis integration
|
||||
* postfix: disable sending mails via IPv6
|
||||
* postfix: new spam.sh update script that avoids reloading if files did not change.
|
||||
* postgresql: fix file `postgresql.pref.j2` for exclude package
|
||||
* postgresql: fix task `update apt cache` for PGDG repo
|
||||
* redis: standardize plugins path from `/usr/local/share/munin/` to `/usr/local/lib/munin/plugins/`
|
||||
* varnish: allow the systemd template to be overridden with a template outside of the role
|
||||
* lxc: purge openssh-server from container on install
|
||||
|
||||
### Fixed
|
||||
|
||||
* elasticsearch: comment the `Xlog:gc` line instead of changing it completely
|
||||
* evocheck: fix IS_SSHALLOWUSERS condition
|
||||
* evolinux-base, evolinux-users: Fix files mode under `/etc/ssh/sshd_config.d`
|
||||
* evolinux-base: fix file extension
|
||||
* fail2ban: fix cron `fail2ban_dbpurge` (should be bash instead of sh)
|
||||
* lxc-php: fix APT keyring path inside containers
|
||||
* nagios-nrpe: `check_ssl_local` now has an output that nrpe can understand when it isn't OK
|
||||
* nagios-nrpe: remount `/usr` **after** installing the packages
|
||||
* nagios-nrpe: sync Redis check from redis roles
|
||||
* nginx: set default server directive in default vhost
|
||||
* opendkim: update apt cache before install
|
||||
* packweb-apache,nagios-nrpe: add missing task and config for PHP 8.2 container
|
||||
* postfix: add missing `localhost.$mydomain` to `mydestination`
|
||||
* redis: replace erroneous `ini_file` module for Munin config, fix dedicated Munin config filename (z-XXX).
|
||||
* evolinux-base: use lineinfile instead of replace under root task
|
||||
* evolinux-base: Corriger autorisation pour evolinux_user
|
||||
* docker-host: Retirer directive state en trop
|
||||
* rbenv: Installer libyaml-dev
|
||||
|
||||
### Removed
|
||||
|
||||
* dovecot: remove Munin plugin dovecot (not working)
|
||||
|
||||
## [23.04] 2023-04-23
|
||||
|
||||
### Added
|
||||
|
@ -107,7 +189,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
* evolinux-base: subversion is not installed anymore
|
||||
|
||||
|
||||
## [22.12] 2022-12-14
|
||||
|
||||
### Added
|
||||
|
@ -162,7 +243,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
* openvpn: Deleted the task fixing the CRL rights since it has been fixed in upstream
|
||||
|
||||
|
||||
## [22.09] 2022-09-19
|
||||
|
||||
### Added
|
||||
|
@ -176,7 +256,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* proftpd: Add options to override configs (and add a warning if file was overriden)
|
||||
* proftpd: Allow user auth with ssh keys
|
||||
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck: upstream release 22.09
|
||||
|
@ -184,7 +263,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* generate-ldif: Support any MariaDB version
|
||||
* minifirewall: use handlers to restart minifirewall
|
||||
* openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
|
||||
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
|
||||
* generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
|
||||
* openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
|
||||
* nagios-nrpe: Upgrade check_mongo
|
||||
|
||||
|
@ -302,7 +381,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Added
|
||||
|
||||
* docker : Introduce new default settings + allow to change the docker data directory
|
||||
* docker : Introduce new default settings + allow to change the docker data directory
|
||||
* docker : Introduce new variables to tweak daemon settings
|
||||
|
||||
### Changed
|
||||
|
@ -335,7 +414,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* minifirewall: restore "force-restart" and fix "restart-if-needed"
|
||||
* minifirewall: tail template follows symlinks
|
||||
* minifirewall: upstream release 22.05
|
||||
* opendkim : add generate opendkim-genkey in sha256 and key 4096
|
||||
* opendkim : add generate opendkim-genkey in sha256 and key 4096
|
||||
* openvpn: use a local copy of files instead of cloning an external git repository
|
||||
* openvpn: use a subnet topology instead of the net30 default topology
|
||||
* tomcat: Tomcat 9 by default with Debian 11
|
||||
|
@ -698,6 +777,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [10.0.0] - 2020-05-13
|
||||
|
||||
### Added
|
||||
|
||||
* apache: the default VHost doesn't redirect to https for ".well-known" paths
|
||||
* apt: added buster backports prerferences
|
||||
* apt: check if cron is installed before adding a cron job
|
||||
|
@ -734,6 +814,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* bind: enable bind9 munin plugin for recursive resolvers
|
||||
|
||||
### Changed
|
||||
|
||||
* replace version_compare() with version()s
|
||||
* removed some deprecations for Ansible 2.7
|
||||
* apache: improve permissions in save_apache_status script
|
||||
|
@ -779,6 +860,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* varnish: remove custom ExecReload= script for Debian 10+
|
||||
|
||||
### Fixed
|
||||
|
||||
* etc-git: fix warnings ansible-lint
|
||||
* evoadmin-web: Put the php config at the right place for Buster
|
||||
* lxc: Don't stop the container if it already exists
|
||||
|
@ -801,16 +883,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* packweb-apache: Don't try to install PHPMyAdmin on Buster as it's not available
|
||||
|
||||
### Removed
|
||||
|
||||
* clamav : do not install the zoo package anymore
|
||||
|
||||
## [9.10.1] - 2019-06-21
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck : update (version 19.06) from upstream
|
||||
|
||||
## [9.10.0] - 2019-06-21
|
||||
|
||||
### Added
|
||||
|
||||
* apache: add server status suffix in VHost (and default site) if missing
|
||||
* apache: add a variable to customize the server-status host
|
||||
* apt: add a script to manage packages with "hold" mark
|
||||
|
@ -821,6 +906,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* redmine: enable gzip compression in nginx vhost
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck : update (unreleased) from upstream
|
||||
* evomaintenance : use the web API instead of PG Insert
|
||||
* fluentd: store gpg key locally
|
||||
|
@ -833,23 +919,26 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* apt: Add Debian Buster repositories
|
||||
|
||||
### Fixed
|
||||
|
||||
* rbenv: add check_mode for check rbenv and ruby versions
|
||||
* nagios-nrpe: fix redis_instances check when Redis port equal 0
|
||||
* redmine: fix 500 error on logging
|
||||
* evolinux-base: Validate sshd config with "-t" instead of "-T"
|
||||
* evolinux-base: Ensure rename is present
|
||||
* evolinux-users: Validate sshd config with "-t" instead of "-T"
|
||||
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
|
||||
* nagios-nrpe: Replace the dummy packages nagios-plugins-*with monitoring-plugins-*
|
||||
|
||||
## [9.9.0] - 2019-04-16
|
||||
|
||||
### Added
|
||||
|
||||
* etc-git: ignore evobackup/.keep-* files
|
||||
* lxc: /home is mounted in the container by default
|
||||
* nginx : add "x-frame-options: sameorigin" for Munin
|
||||
|
||||
### Changed
|
||||
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
|
||||
|
||||
* changed remote repository to <https://gitea.evolix.org/evolix/ansible-roles>
|
||||
* apt: Ensure jessie-backport from archives.debian.org is accepted
|
||||
* apt: Remove jessie-update suite as it's no longer exists
|
||||
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
|
||||
|
@ -862,8 +951,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* tomcat: better tomcat version management
|
||||
* webapps/evoadmin-web: add dbadmin.sh to sudoers file
|
||||
|
||||
|
||||
### Fixed
|
||||
|
||||
* spamassasin: fix sa-update.sh and ensure service is started and enabled
|
||||
* tomcat-instance: deploy correct version of config files
|
||||
* tomcat-instance: deploy correct version of server.xml
|
||||
|
@ -871,20 +960,24 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.8.0] - 2019-01-31
|
||||
|
||||
### Added
|
||||
|
||||
* filebeat: disable cloud_metadata processor by default
|
||||
* metricbeat: disable cloud_metadata processor by default
|
||||
* percona : new role to install Percona repositories and tools
|
||||
* redis: add variable for configure unixsocketperm
|
||||
|
||||
### Changed
|
||||
|
||||
* redmine: refactoring of redmine role with use of rbenv
|
||||
|
||||
### Fixed
|
||||
|
||||
* ntpd: Update the restrictions to follow wiki.evolix.org/HowtoNTP client config
|
||||
|
||||
## [9.7.0] - 2019-01-17
|
||||
|
||||
### Added
|
||||
|
||||
* apache: add Munin configuration for Apache server-status URL
|
||||
* evomaintenance: database variables must be set or the task fails
|
||||
* fail2ban: add "ips" tag added to fail2ban/tasks/ip_whitelist.yml
|
||||
|
@ -897,6 +990,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* proftpd: add FTPS and SFTP support
|
||||
|
||||
### Changed
|
||||
|
||||
* redis: distinction between main and master password
|
||||
* evocheck: update evocheck.sh for source install
|
||||
* php: added php-zip in the installed package list for debian 9 (and later)
|
||||
|
@ -904,6 +998,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* java: update Oracle java package to 8u192
|
||||
|
||||
### Fixed
|
||||
|
||||
* fail2ban: fix "ignoreip" update
|
||||
* metricbeat: fix username/password replacement
|
||||
* nagios-nrpe: check_process now return the error code (making the check more usefull than /bin/true)
|
||||
|
@ -912,16 +1007,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* redis: In instance mode, ensure to replace the nrpe check_redis with the instance check script
|
||||
* redis: Don't set the owner of /var/{lib,log}/redis to a redis instance account
|
||||
|
||||
|
||||
## [9.6.0] - 2018-12-04
|
||||
|
||||
### Added
|
||||
|
||||
* evolinux-base: deploy custom motd if template are present
|
||||
* minifirewall: all variables are configurable (untouched by default)
|
||||
* minifirewall: main file is configurable
|
||||
* squid: minifirewall main file is configurable
|
||||
|
||||
### Changed
|
||||
|
||||
* minifirewall: compare config before/after (for restart condition)
|
||||
* squid: better replacement in minifirewall config
|
||||
* evoadmin-mail: complete refactoring, use Debian Package
|
||||
|
@ -929,6 +1025,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.5.0] - 2018-11-14
|
||||
|
||||
### Added
|
||||
|
||||
* apache: separate task to update IP whitelist
|
||||
* evolinux-base: install man package
|
||||
* evolinux-users: add newaliases handler
|
||||
|
@ -942,11 +1039,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* mysql: logdir can be customized
|
||||
|
||||
### Changed
|
||||
|
||||
* evocheck: update script from upstream
|
||||
* evomaintenance: update script from upstream
|
||||
* mysql: restart service if systemd unit has been patched
|
||||
|
||||
### Fixed
|
||||
|
||||
* packweb-apache: mod-security config is already included elsewhere
|
||||
* redis: for permissions on log and lib directories
|
||||
* redis: fix shell for instance users
|
||||
|
@ -955,13 +1054,16 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.4.2] - 2018-10-12
|
||||
|
||||
### Added
|
||||
|
||||
* evomaintenance: install dependencies manually when installing vendored version
|
||||
* nagios-nrpe: add an option to ignore servers in NOLB status
|
||||
|
||||
### Changed
|
||||
|
||||
* haproxy: move check_haproxy_stats to nagios-nrpe role
|
||||
|
||||
### Fixed
|
||||
|
||||
* evoacme: better error when apache2ctl fails
|
||||
* evomaintenance: fix role compatibility with OpenBSD
|
||||
* spamassassin: add missing right for amavis
|
||||
|
@ -970,16 +1072,19 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.4.1] - 2018-09-28
|
||||
|
||||
### Added
|
||||
|
||||
* redis: set masterauth when redis_password is defined
|
||||
* evomaintenance: variable to install a vendored version
|
||||
* evomaintenance: tasks/variables to handle minifirewall restarts
|
||||
|
||||
### Changed
|
||||
|
||||
* mysql-oracle: better handle packages and users
|
||||
|
||||
## [9.4.0] - 2018-09-20
|
||||
|
||||
### Added
|
||||
|
||||
* etc-git: manage a cron job to monitor uncommited changes in /etc/.git (default: `True`)
|
||||
* evolinux-base: better shell history
|
||||
* evolinux-users: add user to /etc/aliases
|
||||
|
@ -994,9 +1099,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* nagios-nrpe: add check_redis_instances
|
||||
|
||||
### Changed
|
||||
|
||||
* dovecot: stronger TLS configuration
|
||||
|
||||
### Fixed
|
||||
|
||||
* apache: cleaner way to overwrite the server status suffix
|
||||
* packweb-apache: don't regenerate phpMyAdmin suffix each time
|
||||
* nginx: cleaner way to overwrite the server status suffix
|
||||
|
@ -1005,11 +1112,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.3.2] - 2018-09-06
|
||||
|
||||
### Added
|
||||
|
||||
* minifirewall: add a variable to disable the restart handler
|
||||
* minifirewall: add a variable to force a restart of the firewall (even with no change)
|
||||
* minifirewall: improve variables values and documentation
|
||||
|
||||
### Changed
|
||||
|
||||
* dovecot: enable SSL/TLS by default with snakeoil certificate
|
||||
|
||||
### Fixed
|
||||
|
@ -1019,11 +1128,13 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.3.1] - 2018-08-30
|
||||
|
||||
### Added
|
||||
|
||||
* metricbeat: new variables to configure elasticsearch hosts and auth
|
||||
|
||||
## [9.3.0] - 2018-08-24
|
||||
|
||||
### Added
|
||||
|
||||
* elasticsearch: tmpdir configuration compatible with 5.x also
|
||||
* elasticsearch: add http.publish_host variable
|
||||
* evoacme: disable old certbot cron also in cron.daily
|
||||
|
@ -1044,6 +1155,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* nagios-nrpe: add check_postgrey
|
||||
|
||||
### Changed
|
||||
|
||||
* etc-git: some entries of .gitignore are mandatory
|
||||
* evocheck: update upstream script
|
||||
* evolinux-base: improve hostname configuration (real vs. internal)
|
||||
|
@ -1062,6 +1174,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* kvm-host: install kvm-tools package instead of copying add-vm.sh
|
||||
|
||||
### Fixed
|
||||
|
||||
* apache: logrotate replacement is more subtle/precise. It replaces only the proper directive and not every occurence of the word.
|
||||
* bind: chroot-bind.sh must not be executed in check mode
|
||||
* evoacme: fix module detection in apache config
|
||||
|
@ -1073,12 +1186,14 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.2.0] - 2018-05-16
|
||||
|
||||
### Changed
|
||||
|
||||
* filebeat: install version 6.x by default
|
||||
* filebeat: cleanup unused code
|
||||
* squid: add some domaine and fix broken restrictions
|
||||
* elasticsearch: defaults to version 6.x
|
||||
|
||||
### Fixed
|
||||
|
||||
* evolinux-users: secondary groups are comma-separated
|
||||
* ntpd: fix configuration (server and ACL)
|
||||
* varnish: don't fork the process on startup with systemd
|
||||
|
@ -1088,6 +1203,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
### Added
|
||||
|
||||
### Changed
|
||||
|
||||
* apache: customize logrotate (52 weeks)
|
||||
* evolinux: groups for SSH configuration are used with Debian 10 and later
|
||||
* evolinux-base: fail2ban is not enabled by default
|
||||
|
@ -1099,9 +1215,11 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.1.8] - 2018-04-16
|
||||
|
||||
### Changed
|
||||
|
||||
* packweb-apache: use dependencies instead of include_role for apache and php roles
|
||||
|
||||
### Fixed
|
||||
|
||||
* mysql: use check_mode for apg command (Fix --check)
|
||||
* mysql/mysql-oracle: properly reload systemd
|
||||
* packweb-apache: use check_mode for apg command (Fix --check)
|
||||
|
@ -1109,6 +1227,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.1.7] - 2018-04-06
|
||||
|
||||
### Added
|
||||
|
||||
* added a few become attributes where missing
|
||||
* etc-git: add tags for Ansible
|
||||
* evolinux-base: install ncurses-term package
|
||||
|
@ -1126,6 +1245,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* redmine: added missing tags
|
||||
|
||||
### Changed
|
||||
|
||||
* elasticsearch: RESTART_ON_UPGRADE is configurable (default: `true`)
|
||||
* elasticsearch: use ES_TMPDIR variable for custom tmpdir, (from `/etc/default/elasticsearch` instead of changing `/etc/elesticsearch/jvm.options`).
|
||||
* evolinux-base: Exec the firewall tasks sooner (to avoid dependency issues)
|
||||
|
@ -1141,6 +1261,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* webapps/evoadmin-web: Fail if variable evoadmin_contact_email isn't defined
|
||||
|
||||
### Fixed
|
||||
|
||||
* dovecot: fix support of plus sign
|
||||
* mysql/mysql-oracle: mysqltuner cron task is executable
|
||||
* nginx: fix basic auth for default vhost
|
||||
|
@ -1149,21 +1270,25 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.1.6] - 2018-02-02
|
||||
|
||||
### Added
|
||||
|
||||
* mongodb: install python-pymongo for monitoring
|
||||
* nagios-nrpe: allowed_hosts can be updated
|
||||
|
||||
### Changed
|
||||
|
||||
* Changelog: explain the versioning scheme
|
||||
* Changelog: add a release date for 9.1.5
|
||||
* evoacme: exclude typical certbot directories
|
||||
|
||||
### Fixed
|
||||
|
||||
* fail2ban: fix horrible typo, Python is not Ruby
|
||||
* nginx: fix servers status dirname
|
||||
|
||||
## [9.1.5] - 2018-01-18
|
||||
|
||||
### Added
|
||||
|
||||
* There is a changelog!
|
||||
* redis: configuration variable for protected mode (v3.2+)
|
||||
* evolinux-users: users are in "adm" group for Debian 9 or later
|
||||
|
@ -1175,41 +1300,49 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* redmine: ability to install themes and plugins
|
||||
|
||||
### Changed
|
||||
|
||||
* rbenv: Ruby 2.5 becomes the default version
|
||||
* evocheck: update upstream version embedded in role (c993244)
|
||||
* bind: keep 52 weeks of logs
|
||||
|
||||
### Fixed
|
||||
|
||||
* squid: different logrotate file for Jessie or Stretch+
|
||||
* evoacme: don't invoke evoacme if no vhost is found
|
||||
* evomaintenance: explicit quotes in config file
|
||||
* redmine: force xpath gem < 3.0.0
|
||||
|
||||
### Security
|
||||
|
||||
* evomaintenance: fix permissions for config file
|
||||
|
||||
## [9.1.4] - 2017-12-20
|
||||
|
||||
### Added
|
||||
|
||||
* php: install php5-intl (for Jessie) and php-intl (for Debian 9 or later)
|
||||
* mysql: add a check_mysql_slave in nrpe configuration
|
||||
* ldap: slapd tcp port is configurable
|
||||
* elasticsearch: broader patterns for log rotation
|
||||
|
||||
### Changed
|
||||
|
||||
* split IP lists in 2 – default and additional – for easier customization.
|
||||
|
||||
### Fixed
|
||||
|
||||
* minifirewall: allow outgoing SSH connections over IPv6
|
||||
* nodejs: rename source.list file
|
||||
|
||||
### Security
|
||||
|
||||
* evoadmin-web: change config.local.php file permissions
|
||||
* evolinux-base: change default_www file permissions
|
||||
|
||||
## [9.1.3] 2017-12-08
|
||||
|
||||
### Added
|
||||
|
||||
* evolinux-base: install traceroute package
|
||||
* evolinux-base/ntpd: purge openntpd
|
||||
* tomcat: add Tomcat 8 cmpatibility
|
||||
|
@ -1221,6 +1354,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* elastic: option for stack main version
|
||||
|
||||
### Changed
|
||||
|
||||
* nginx: rename Let's Encrypt snippet
|
||||
* nginx: simpler apt preferences for backports
|
||||
* generate-ldif: add clamd service instead of clamav_db
|
||||
|
@ -1232,10 +1366,12 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* mongodb: comatible with Stretch
|
||||
|
||||
### Removed
|
||||
|
||||
* mongodb: logfile/pidfile are not configurable on Jessie
|
||||
* minifirewall: remove zidane.evolix.net from HTTPSITES
|
||||
|
||||
### Fixed
|
||||
|
||||
* nginx: fix munin CGI graphs
|
||||
* ntpd: fix default configuration (localhost only)
|
||||
* logstash: fix permissions on pipeline configuration
|
||||
|
@ -1246,14 +1382,17 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
## [9.1.2] 2017-12-05
|
||||
|
||||
### Fixed
|
||||
|
||||
* listupgrade: remount /usr as rw
|
||||
|
||||
## [9.1.1] 2017-11-21
|
||||
|
||||
### Added
|
||||
|
||||
* amazon-ec2: add egress rules
|
||||
|
||||
### Fixed
|
||||
|
||||
* evoacme: fix multiple bugs
|
||||
|
||||
## [9.1.0] 2017-11-19
|
||||
|
@ -1261,6 +1400,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
_Warning: huge release, many entries are missing below._
|
||||
|
||||
### Added
|
||||
|
||||
* amazon-ec2: new role, for EC2 instances creation
|
||||
* Move /usr rw remount into remount-usr role
|
||||
* kibana: host and basepath configuration
|
||||
|
@ -1271,6 +1411,7 @@ _Warning: huge release, many entries are missing below._
|
|||
* nagios-nrpe: add opendkim check
|
||||
|
||||
### Changed
|
||||
|
||||
* Combine evolix and additional trusted IP addresses
|
||||
* amazon-ec2: split tasks
|
||||
* apt: don't upgrade by default
|
||||
|
@ -1281,6 +1422,7 @@ _Warning: huge release, many entries are missing below._
|
|||
* ldap: better variables
|
||||
|
||||
### Fixed
|
||||
|
||||
* fail2ban: create config hierarchy beforehand
|
||||
* elasticsearch: fix datadir/tmpdir conditions
|
||||
* elastic: remove double ".list" suffix
|
||||
|
@ -1291,10 +1433,10 @@ _Warning: huge release, many entries are missing below._
|
|||
|
||||
### Security
|
||||
|
||||
|
||||
## [9.0.1] 2017-10-02
|
||||
|
||||
### Added
|
||||
|
||||
* haproxy: add a Nagios check
|
||||
* php: add "sury" mode for PHP 7.1 on Stretch
|
||||
* minifirewall: explicit dependency on iptables
|
||||
|
@ -1302,9 +1444,11 @@ _Warning: huge release, many entries are missing below._
|
|||
* docker-host: new variable for docker home
|
||||
|
||||
### Changed
|
||||
|
||||
* php: install php5/php package after fpm/libapache2-mod-php
|
||||
|
||||
### Fixed
|
||||
|
||||
* mysql: add "REPLICATION CLIENT" privilege for nrpe
|
||||
* evoadmin-web: revert from variables to keywords in the templates
|
||||
* evoacme: many fixes
|
||||
|
|
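--- a/amavis/files/amavis_purge_virusmails
+++ b/amavis/files/amavis_purge_virusmails
@@ -0,0 +1,2 @@
+#!/bin/bash
+find /var/lib/amavis/virusmails/ -type f -mtime +30 -delete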
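Review bot: The 30-day retention and the quarantine path are hard-coded in this script, and because the next hunk installs it with `ansible.builtin.copy` (task `Install purge custom cron`) there is no role variable to tune either value and no `when:` to opt out of the daily purge. Shipping it as a template with a default such as a proposed `amavis_purge_virusmails_days: 30` and guarding the copy task with an enable flag would keep the role consistent with how its other settings are exposed. As written, `find` on a missing or relocated quarantine directory fails every night and cron mails the error; a first line like `[ -d /var/lib/amavis/virusmails ] || exit 0` keeps that quiet, and `set -u` costs nothing here.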
@ -16,3 +16,12 @@
|
|||
notify: restart amavis
|
||||
tags:
|
||||
- amavis
|
||||
|
||||
- name: Install purge custom cron
|
||||
ansible.builtin.copy:
|
||||
src: amavis_purge_virusmails
|
||||
dest: /etc/cron.daily/amavis_purge_virusmails
|
||||
mode: "0755"
|
||||
tags:
|
||||
- amavis
|
||||
- amavis_purge_cron
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
|
||||
- name: Install Evolinux
|
||||
hosts: launched-instances
|
||||
become: yes
|
||||
become: true
|
||||
|
||||
vars_files:
|
||||
- 'vars/secrets.yml'
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
force: no
|
||||
force: false
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
@ -30,7 +30,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
force: no
|
||||
force: false
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
|
|
@ -14,6 +14,6 @@
|
|||
owner: log2mail
|
||||
group: adm
|
||||
mode: "0644"
|
||||
force: no
|
||||
force: false
|
||||
tags:
|
||||
- apache
|
||||
|
|
|
@ -73,7 +73,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
force: yes
|
||||
force: true
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
@ -85,7 +85,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
force: no
|
||||
force: false
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
@ -119,7 +119,7 @@
|
|||
src: evolinux-default.conf.j2
|
||||
dest: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||
mode: "0640"
|
||||
force: no
|
||||
force: false
|
||||
notify: reload apache
|
||||
tags:
|
||||
- apache
|
||||
|
@ -129,7 +129,7 @@
|
|||
src: /etc/apache2/sites-available/000-evolinux-default.conf
|
||||
dest: /etc/apache2/sites-enabled/000-default.conf
|
||||
state: link
|
||||
force: yes
|
||||
force: true
|
||||
notify: reload apache
|
||||
when: apache_evolinux_default_enabled | bool
|
||||
tags:
|
||||
|
@ -181,7 +181,7 @@
|
|||
src: save_apache_status.sh
|
||||
dest: /usr/share/scripts/save_apache_status.sh
|
||||
mode: "0755"
|
||||
force: no
|
||||
force: false
|
||||
tags:
|
||||
- apache
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
dest: "{{ apache_serverstatus_suffix_file }}"
|
||||
# The last character "\u000A" is a line feed (LF), it's better to keep it
|
||||
content: "{{ apache_serverstatus_suffix }}\u000A"
|
||||
force: yes
|
||||
force: true
|
||||
when: apache_serverstatus_suffix | length > 0
|
||||
|
||||
- name: generate random string for server-status suffix
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
#!/bin/env python3
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import re
|
||||
import sys
|
||||
|
@ -13,7 +13,7 @@ destinations = {
|
|||
".*-backports": "backports.sources",
|
||||
".debian.org": "system.sources",
|
||||
"mirror.evolix.org": "system.sources",
|
||||
"pub.evolix.net": "evolix_public_old.sources",
|
||||
"pub.evolix.net": "evolix_public_old.sources.bak",
|
||||
"pub.evolix.org": "evolix_public.sources",
|
||||
"artifacts.elastic.co": "elastic.sources",
|
||||
"download.docker.com": "docker.sources",
|
||||
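Review bot: Mapping `pub.evolix.net` to `evolix_public_old.sources.bak` means the migrated entry will not be read by apt, which only loads `.list` and `.sources` files from `sources.list.d`, so this presumably retires the legacy source rather than migrating it. That intent is invisible to the next reader of the `destinations` table and is easy to mistake for a typo; a comment on the line would settle it, e.g. `# ".bak": apt ignores this file, so the legacy pub.evolix.net source is deliberately retired`. The `destinations` dict starts outside the hunk.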
|
@ -149,4 +149,4 @@ def main():
|
|||
if __name__ == "__main__":
|
||||
main()
|
||||
|
||||
sys.exit(0)
|
||||
sys.exit(0)
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
ansible.builtin.template:
|
||||
src: '{{ ansible_distribution_release }}_backports.sources.j2'
|
||||
dest: /etc/apt/sources.list.d/backports.sources
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_backports_sources
|
||||
tags:
|
||||
|
@ -14,7 +14,7 @@
|
|||
ansible.builtin.copy:
|
||||
src: '{{ ansible_distribution_release }}_backports_preferences'
|
||||
dest: /etc/apt/preferences.d/0-backports-defaults
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_backports_config
|
||||
tags:
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
ansible.builtin.template:
|
||||
src: '{{ ansible_distribution_release }}_backports.list.j2'
|
||||
dest: /etc/apt/sources.list.d/backports.list
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_backports_list
|
||||
tags:
|
||||
|
@ -21,7 +21,7 @@
|
|||
ansible.builtin.copy:
|
||||
src: '{{ ansible_distribution_release }}_backports_preferences'
|
||||
dest: /etc/apt/preferences.d/0-backports-defaults
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_backports_config
|
||||
tags:
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
src: "{{ ansible_distribution_release }}_basics.sources.j2"
|
||||
dest: /etc/apt/sources.list.d/system.sources
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
register: apt_basic_sources
|
||||
tags:
|
||||
- apt
|
||||
|
@ -15,7 +15,7 @@
|
|||
src: "{{ ansible_distribution_release }}_security.sources.j2"
|
||||
dest: /etc/apt/sources.list.d/security.sources
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
register: apt_security_sources
|
||||
tags:
|
||||
- apt
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
src: "{{ ansible_distribution_release }}_basics.list.j2"
|
||||
dest: /etc/apt/sources.list
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
register: apt_basic_list
|
||||
tags:
|
||||
- apt
|
||||
|
|
|
@ -16,11 +16,19 @@
|
|||
- apt
|
||||
when: _trusted_gpg_keyring.stat.exists
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Add Evolix GPG key
|
||||
ansible.builtin.copy:
|
||||
src: pub_evolix.asc
|
||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
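Review bot: `file:` in the new "Ensure {{ apt_keyring_dir }} directory exists" task is the only short module name in this hunk, while the surrounding tasks use `ansible.builtin.copy:` and `ansible.builtin.template:`; `ansible.builtin.file:` keeps the file consistent and avoids a collection lookup at run time. The same short name appears in the identical `@ -16,11 +16,19 @@` hunk of the `.list` variant below and in the docker-host `@ -22,11 +22,19 @@` hunk on this page. `mode: "755"` is accepted by Ansible as a quoted string, but `mode: "0755"` is the form the rest of this commit uses and reads as octal at a glance.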
|
||||
|
@ -31,7 +39,7 @@
|
|||
ansible.builtin.template:
|
||||
src: evolix_public.sources.j2
|
||||
dest: /etc/apt/sources.list.d/evolix_public.sources
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_evolix_public
|
||||
tags:
|
||||
|
|
|
@ -16,11 +16,19 @@
|
|||
- apt
|
||||
when: _trusted_gpg_keyring.stat.exists
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Add Evolix GPG key
|
||||
ansible.builtin.copy:
|
||||
src: pub_evolix.asc
|
||||
dest: "{{ apt_keyring_dir }}/pub_evolix.asc"
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -31,7 +39,7 @@
|
|||
ansible.builtin.template:
|
||||
src: evolix_public.list.j2
|
||||
dest: /etc/apt/sources.list.d/evolix_public.list
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0640"
|
||||
register: apt_evolix_public
|
||||
tags:
|
||||
|
|
|
@ -71,7 +71,7 @@
|
|||
ansible.builtin.copy:
|
||||
src: check_held_packages.sh
|
||||
dest: /usr/share/scripts/check_held_packages.sh
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0755"
|
||||
tags:
|
||||
- apt
|
||||
|
|
|
@ -96,6 +96,18 @@
|
|||
when: apt_clean_gandi_sourceslist | bool
|
||||
|
||||
|
||||
- name: "Disable NonFreeFirmware warning for VM on Debian 12+"
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/apt/apt.conf.d/no-bookworm-firmware.conf
|
||||
create: yes
|
||||
line: "APT::Get::Update::SourceListWarnings::NonFreeFirmware \"false\";"
|
||||
tags:
|
||||
- apt
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- ansible_virtualization_role == "guest"
|
||||
|
||||
|
||||
- name: Install check for packages marked hold
|
||||
ansible.builtin.import_tasks: hold_packages.yml
|
||||
when: apt_install_hold_packages | bool
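Review bot: `create: yes` in the new "Disable NonFreeFirmware warning" task keeps a YAML 1.1 truthy while this very commit converts `yes`/`no` to `true`/`false` everywhere else; `create: true` matches. When `lineinfile` creates `/etc/apt/apt.conf.d/no-bookworm-firmware.conf` no `mode`, `owner` or `group` is given, so the resulting permissions depend on the remote umask; `mode: "0644"` pins them the way the other apt tasks on this page do. The `line:` value is an apt configuration directive that apt parses, so any future edit to the quoting inside it should be tested against `apt-config dump`.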
|
||||
|
|
|
@ -14,9 +14,9 @@
|
|||
|
||||
- name: Migration scripts are installed
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/usr/share/scripts/{{ item }}"
|
||||
force: yes
|
||||
src: "{{ item }}"
|
||||
dest: "/usr/share/scripts/{{ item }}"
|
||||
force: true
|
||||
mode: "0755"
|
||||
loop:
|
||||
- deb822-migration.py
|
||||
|
@ -29,4 +29,22 @@
|
|||
cmd: /usr/share/scripts/deb822-migration.sh
|
||||
ignore_errors: yes
|
||||
tags:
|
||||
- apt
|
||||
- apt
|
||||
|
||||
- name: Add signed-by when relevant for bookworm
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/apt/sources.list.d/system.sources
|
||||
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
|
||||
insertafter: "Suites: bookworm bookworm-updates"
|
||||
state: present
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Add signed-by when relevant for bookworm-security
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/apt/sources.list.d/security.sources
|
||||
line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
|
||||
insertafter: "Suites: bookworm-security"
|
||||
state: present
|
||||
tags:
|
||||
- apt
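Review bot: The two new `lineinfile` tasks append `Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg` using only `insertafter`, so on a host whose `system.sources`/`security.sources` were rendered by the templates further down this page (which already carry `Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg` and `...-security-automatic.gpg`) the stanza ends up with two Signed-By fields naming different keyrings; deb822 field names are case-insensitive, so the two spellings are the same field. Adding `regexp: '^Signed-[Bb]y:'` to each task makes it replace an existing line instead of appending a second one. Whether apt tolerates the duplicate field or rejects the stanza is not something I can confirm from this page, but either outcome is worth avoiding, and the keyring choice should agree between migration and template.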
|
||||
|
|
|
@ -5,3 +5,4 @@ URIs: http://mirror.evolix.org/debian
|
|||
Suites: bookworm bookworm-updates
|
||||
Components: {{ apt_basics_components | mandatory }}
|
||||
Enabled: yes
|
||||
Signed-By: /usr/share/keyrings/debian-archive-bookworm-automatic.gpg
|
||||
|
|
|
@ -5,3 +5,4 @@ URIs: https://security.debian.org/debian-security
|
|||
Suites: bookworm-security
|
||||
Components: {{ apt_basics_components | mandatory }}
|
||||
Enabled: yes
|
||||
Signed-By: /usr/share/keyrings/debian-archive-bookworm-security-automatic.gpg
|
|
@ -1,3 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian stretch-backports {{ apt_backports_components | mandatory }}
|
||||
deb http://archive.debian.org/debian stretch-backports {{ apt_backports_components | mandatory }}
|
||||
|
|
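--- a/bind/files/reload-zone
+++ b/bind/files/reload-zone
@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# Script utilitaire pour tester et recharger facilement un domaine dans Bind
+# Usage : reload-zone <DOMAINE>
+#
+# TODO:
+# - renommer le script (par ex bind-safe-reload)
+# - vérifier le serial
+# - ajouter un -h --help
+# - prendre en charge plusieurs zones (ou aucune)
+# - ajouter le script dans le role bind
+
+named-checkzone "$1" /etc/bind/db."$1" && rndc reload "$1"
+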
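Review bot: `named-checkzone "$1" /etc/bind/db."$1"` runs with an empty zone name when the script is called without an argument, so the user gets an unhelpful named-checkzone error rather than the usage line; a guard `[ -n "$1" ] || { echo "Usage: reload-zone <DOMAINE>" >&2; exit 1; }` before it costs one line and settles the "ou aucune" case from the TODO list. The script also hard-codes the `/etc/bind/db.<zone>` file naming convention, which the header comment should state since zones stored elsewhere will fail the check. The TODO "ajouter le script dans le role bind" suggests no task installs this file yet; none of the bind task hunks on this page copies it.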
@ -7,5 +7,5 @@
|
|||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
notify: restart bind
|
|
@ -23,7 +23,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
notify: restart apparmor
|
||||
when: check_apparmor.rc == 0
|
||||
|
||||
|
@ -47,7 +47,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart bind
|
||||
|
@ -77,7 +77,7 @@
|
|||
dest: /root/chroot-bind.sh
|
||||
mode: "0700"
|
||||
owner: root
|
||||
force: yes
|
||||
force: true
|
||||
backup: yes
|
||||
when: bind_chroot_set | bool
|
||||
|
||||
|
@ -109,7 +109,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
notify: restart bind
|
||||
|
||||
- ansible.builtin.include: munin.yml
|
||||
|
|
|
@ -48,7 +48,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
notify: restart munin-node
|
||||
tags:
|
||||
- bind
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
force: true
|
||||
notify: restart bind
|
||||
|
||||
- name: enable zones.rfc1918 for recursive server
|
||||
|
|
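--- a/certbot/files/hooks/deploy/proftpd.sh
+++ b/certbot/files/hooks/deploy/proftpd.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+error() {
+>&2 echo "${PROGNAME}: $1"
+exit 1
+}
+debug() {
+if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
+>&2 echo "${PROGNAME}: $1"
+fi
+}
+daemon_found_and_running() {
+test -n "$(pidof proftpd)" && test -n "${proftpd_bin}"
+}
+config_check() {
+${proftpd_bin} configtest > /dev/null 2>&1
+}
+letsencrypt_used() {
+grep -q -r -E "letsencrypt" /etc/proftpd/
+}
+main() {
+if daemon_found_and_running; then
+if letsencrypt_used; then
+if config_check; then
+debug "ProFTPD detected... reloading"
+systemctl reload proftpd
+else
+error "ProFTPD config is broken, you must fix it !"
+fi
+else
+debug "ProFTPD doesn't use Let's Encrypt certificate. Skip."
+fi
+else
+debug "ProFTPD is not running or missing. Skip."
+fi
+}
+
+readonly PROGNAME=$(basename "$0")
+readonly VERBOSE=${VERBOSE:-"0"}
+readonly QUIET=${QUIET:-"0"}
+
+readonly proftpd_bin=$(command -v proftpd)
+
+main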
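Review bot: `systemctl reload proftpd` in `main` is not checked, so a failed reload still exits 0 and certbot records the deploy hook as successful while ProFTPD keeps serving the previous certificate; `systemctl reload proftpd || error "ProFTPD reload failed"` reports it the same way the config-check branch already does. `daemon_found_and_running` relies on `pidof`, which is not POSIX although the script declares `#!/bin/sh`; it is present on Debian, but a comment saying so would save the next reader a check. The `letsencrypt_used` grep matches the literal string anywhere under `/etc/proftpd/`, including commented-out lines, which is acceptable for a "should we reload" heuristic but worth noting in a comment.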
@ -15,7 +15,7 @@
|
|||
ansible.builtin.template:
|
||||
src: acme-challenge/nginx.conf.j2
|
||||
dest: /etc/nginx/snippets/letsencrypt.conf
|
||||
force: yes
|
||||
force: true
|
||||
notify: reload nginx
|
||||
when: is_nginx.stat.exists
|
||||
|
||||
|
@ -30,7 +30,7 @@
|
|||
ansible.builtin.template:
|
||||
src: acme-challenge/apache.conf.j2
|
||||
dest: /etc/apache2/conf-available/letsencrypt.conf
|
||||
force: yes
|
||||
force: true
|
||||
notify: reload apache
|
||||
|
||||
- name: ACME challenge for Apache is enabled
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
mode: '0755'
|
||||
owner: root
|
||||
group: root
|
||||
force: yes
|
||||
force: true
|
||||
notify: install letsencrypt-auto
|
||||
|
||||
- name: Check certbot script
|
||||
|
@ -49,7 +49,7 @@
|
|||
ansible.builtin.copy:
|
||||
src: cron_jessie
|
||||
dest: /etc/cron.d/certbot
|
||||
force: yes
|
||||
force: true
|
||||
when: certbot_custom_crontab | bool
|
||||
|
||||
- name: disable self-upgrade
|
||||
|
|
|
@ -12,6 +12,9 @@ docker_conf_no_newprivileges: False
|
|||
# Toggle live restore (need to be disabled in swarm mode)
|
||||
docker_conf_live_restore: True
|
||||
|
||||
# Toggle user namespace
|
||||
docker_conf_user_namespace: True
|
||||
|
||||
# Disable all default network connectivity
|
||||
docker_conf_disable_default_networking: False
|
||||
|
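Review bot: The comment `# Toggle user namespace` on the new `docker_conf_user_namespace` default does not say what flipping it does, and the daemon.json template on this page emits `"userns-remap": "default"` only when it is set. As far as I recall, Docker keeps the images and containers of a remapped daemon under a per-remap subdirectory of `data-root`, so turning this off on a host that has been running remapped makes the existing state disappear from `docker images`/`docker ps` rather than migrating it; a comment such as `# Toggle user namespace remapping (userns-remap: default). Changing it on a host with existing containers hides them: Docker stores remapped state in a separate data-root subdirectory` would warn maintainers. `True` follows the file's existing capitalisation, although yamllint's truthy rule prefers `true`.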
||||
|
|
|
@ -22,11 +22,19 @@
|
|||
state: present
|
||||
when: ansible_distribution_major_version is version('10', '<')
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Add Docker's official GPG key
|
||||
ansible.builtin.copy:
|
||||
src: docker-debian.asc
|
||||
dest: "{{ apt_keyring_dir }}/docker-debian.asc"
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -43,7 +51,6 @@
|
|||
ansible.builtin.template:
|
||||
src: docker.sources.j2
|
||||
dest: /etc/apt/sources.list.d/docker.sources
|
||||
state: present
|
||||
register: docker_sources
|
||||
when: ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
|
|
|
@ -4,8 +4,10 @@
|
|||
,"data-root": "{{ docker_home }}"
|
||||
{# Keep containers running while docker daemon downtime #}
|
||||
,"live-restore": {{ docker_conf_live_restore | to_json }}
|
||||
{% if docker_conf_user_namespace %}
|
||||
{# Turn on user namespace remaping #}
|
||||
,"userns-remap": "default"
|
||||
{% endif %}
|
||||
{% if docker_conf_use_iptables %}
|
||||
{# Use iptables instead of docker-proxy #}
|
||||
,"userland-proxy": false
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
Installation and basic configuration of dovecot
|
||||
|
||||
Do not use this role to update Dovecot 2.2 to 2.3.
|
||||
|
||||
## Tasks
|
||||
|
||||
Minimal configuration is in `tasks/main.yml`
|
||||
|
@ -9,3 +11,14 @@ Minimal configuration is in `tasks/main.yml`
|
|||
## Available variables
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
||||
## Munin plugins
|
||||
|
||||
### dovecot_stats_
|
||||
|
||||
Note : This is an Evolix patched version.
|
||||
|
||||
This plugin can be installed only when installin a server, because it needs Dovevcot plugin stats (Dovecot 2.2) or old_stats (Dovecot 2.3), which previously were not activated by default.
|
||||
|
||||
To skip this plugin installation, use "--skip-tags dovecot_stats_".
|
||||
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
[dovecot]
|
||||
group adm
|
|
@ -1,128 +0,0 @@
|
|||
#! /bin/bash
|
||||
#
|
||||
# Munin Plugin
|
||||
# to count logins to your dovecot mailserver
|
||||
#
|
||||
# Created by Dominik Schulz <lkml@ds.gauner.org>
|
||||
# http://developer.gauner.org/munin/
|
||||
# Contributions by:
|
||||
# - Stephane Enten <tuf@delyth.net>
|
||||
# - Steve Schnepp <steve.schnepp@pwkf.org>
|
||||
# - pcy <pcy@ulyssis.org> (make 'Connected Users' DERIVE, check existence of logfile in autoconf)
|
||||
#
|
||||
# Parameters understood:
|
||||
#
|
||||
# config (required)
|
||||
# autoconf (optional - used by munin-config)
|
||||
#
|
||||
# Config variables:
|
||||
#
|
||||
# logfile - Where to find the syslog file
|
||||
#
|
||||
# Add the following line to a file in /etc/munin/plugin-conf.d:
|
||||
# env.logfile /var/log/your/logfile.log
|
||||
#
|
||||
# Magic markers (optional - used by munin-config and installation scripts):
|
||||
#
|
||||
#%# family=auto
|
||||
#%# capabilities=autoconf
|
||||
|
||||
######################
|
||||
# Configuration
|
||||
######################
|
||||
EXPR_BIN=/usr/bin/expr
|
||||
LOGFILE=${logfile:-/var/log/mail.log}
|
||||
######################
|
||||
|
||||
if [ "$1" = "autoconf" ]; then
|
||||
[ -f "$LOGFILE" ] && echo yes || echo "no (logfile $LOGFILE not found)"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ "$1" = "config" ]; then
|
||||
echo 'graph_title Dovecot Logins'
|
||||
echo 'graph_category mail'
|
||||
echo 'graph_args --base 1000 -l 0'
|
||||
echo 'graph_vlabel Login Counters'
|
||||
|
||||
for t in Total TLS SSL IMAP POP3
|
||||
do
|
||||
field=$(echo $t | tr '[:upper:]' '[:lower:]')
|
||||
echo "login_$field.label $t Logins"
|
||||
echo "login_$field.type DERIVE"
|
||||
echo "login_$field.min 0"
|
||||
done
|
||||
|
||||
echo 'connected.label Connected Users'
|
||||
echo "connected.type DERIVE"
|
||||
|
||||
exit 0
|
||||
fi
|
||||
|
||||
######################
|
||||
# Total Logins
|
||||
######################
|
||||
echo -en "login_total.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
||||
######################
|
||||
# Connected Users
|
||||
######################
|
||||
DISCONNECTS=$(egrep -c '[dovecot]?.*Disconnected' $LOGFILE)
|
||||
CONNECTS=$(egrep -c '[dovecot]?.*Login' $LOGFILE)
|
||||
VALUE=$($EXPR_BIN $CONNECTS - $DISCONNECTS)
|
||||
if [ -z "$VALUE" ] || [ "$VALUE" -lt 0 ]; then
|
||||
VALUE=0
|
||||
fi
|
||||
echo -en "connected.value "
|
||||
echo $VALUE
|
||||
echo -n
|
||||
######################
|
||||
# TLS Logins
|
||||
######################
|
||||
echo -en "login_tls.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*Login.*TLS' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
||||
######################
|
||||
# SSL Logins
|
||||
######################
|
||||
echo -en "login_ssl.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*Login.*SSL' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
||||
######################
|
||||
# IMAP Logins
|
||||
######################
|
||||
echo -en "login_imap.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*imap.*Login' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
||||
######################
|
||||
# POP3 Logins
|
||||
######################
|
||||
echo -en "login_pop3.value "
|
||||
VALUE=$(egrep -c '[dovecot]?.*pop3.*Login' $LOGFILE)
|
||||
if [ ! -z "$VALUE" ]; then
|
||||
echo "$VALUE"
|
||||
else
|
||||
echo "0"
|
||||
fi
|
||||
echo -n
|
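--- a/dovecot/files/munin_plugin_dovecot1
+++ b/dovecot/files/munin_plugin_dovecot1
@@ -0,0 +1,242 @@
+#!/usr/bin/perl
+
+#%# family=auto
+#%# capabilities=autoconf
+
+use Munin::Plugin;
+
+$pos = undef;
+$connected = 0;
+$connectedimap = 0;
+$connectedpop3 = 0;
+$connections = 0;
+$connectionsimap = 0;
+$connectionspop3 = 0;
+$login = 0;
+$pop3login = 0;
+$imaplogin = 0;
+$tls = 0;
+$ssl = 0;
+$aborted = 0;
+
+($dirname = $0) =~ s/[^\/]+$//;
+
+$dovelogfile = 0 ;
+
+$logfile = $ENV{'LOGFILE'} || '/var/log/mail.log';
+
+if ( $logfile =~ /dovecot/ ) {
+$dovelogfile = 1 ;
+}
+
+# Use an overridden $PATH for all external programs if needed
+$DOVEADM = "doveadm";
+
+if ( $ARGV[0] and $ARGV[0] eq "autoconf" ) {
+
+if (! -x $DOVEADM) {
+print "no (no doveadm)\n";
+exit(0);
+}
+
+if (! -f $logfile) {
+print "no (logfile $logfile does not exist)\n";
+exit(0);
+}
+
+if (-r "$logfile") {
+print "yes\n";
+exit 0;
+} else {
+print "no (logfile not readable)\n";
+}
+exit 0;
+}
+
+if (-f "$logfile.0") {
+$rotlogfile = $logfile . ".0";
+} elsif (-f "$logfile.1") {
+$rotlogfile = $logfile . ".1";
+} elsif (-f "$logfile.01") {
+$rotlogfile = $logfile . ".01";
+} else {
+$rotlogfile = $logfile . ".0";
+}
+
+if ( $ARGV[0] and $ARGV[0] eq "config" ) {
+print "multigraph dovecot_connections\n";
+print "graph_title Dovecot connections\n";
+print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
+print "graph_vlabel connections\n";
+print "graph_category mail\n";
+print "connections.label Connections open\n";
+print "connections.type GAUGE\n";
+print "connections.draw LINE1\n";
+print "connections.min 0\n";
+print "connectionsimap.label IMAP\n";
+print "connectionsimap.type GAUGE\n";
+print "connectionsimap.draw AREA\n";
+print "connectionsimap.min 0\n";
+print "connectionspop3.label POP3\n";
+print "connectionspop3.type GAUGE\n";
+print "connectionspop3.draw STACK\n";
+print "connectionspop3.min 0\n";
+
+print "multigraph dovecot_connected\n";
+print "graph_title Dovecot connected users\n";
+print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
+print "graph_vlabel connections\n";
+print "graph_category mail\n";
+print "connected.label Connected users\n";
+print "connected.type GAUGE\n";
+print "connected.draw LINE1\n";
+print "connected.min 0\n";
+print "connectedimap.label IMAP\n";
+print "connectedimap.type GAUGE\n";
+print "connectedimap.draw AREA\n";
+print "connectedimap.min 0\n";
+print "connectedpop3.label POP3\n";
+print "connectedpop3.type GAUGE\n";
+print "connectedpop3.draw STACK\n";
+print "connectedpop3.min 0\n";
+
+print "multigraph dovecot_logins\n";
+print "graph_title Dovecot logins\n";
+print "graph_args --base 1000 -l 0 --no-gridfit --slope-mode\n";
+print "graph_vlabel logins/5 minute\n";
+print "graph_category mail\n";
+print "login.label Logins\n";
+print "login.type GAUGE\n";
+print "login.draw LINE1\n";
+print "login.min 0\n";
+print "imaplogin.label IMAP logins\n";
+print "imaplogin.type GAUGE\n";
+print "imaplogin.draw LINE1\n";
+print "imaplogin.min 0\n";
+print "pop3login.label POP3 logins\n";
+print "pop3login.type GAUGE\n";
+print "pop3login.draw LINE1\n";
+print "pop3login.min 0\n";
+print "tls.label TLS\n";
+print "tls.type GAUGE\n";
+print "tls.draw LINE1\n";
+print "tls.min 0\n";
+print "ssl.label SSL\n";
+print "ssl.type GAUGE\n";
+print "ssl.draw LINE1\n";
+print "ssl.min 0\n";
+print "aborted.label Aborted logins\n";
+print "aborted.type GAUGE\n";
+print "aborted.draw LINE1\n";
+print "aborted.min 0\n";
+exit 0;
+}
+
+if (! -f $logfile and ! -f $rotlogfile) {
+print "multigraph dovecot_connections\n";
+print "connections.value U";
+print "connectionsimap.value U";
+print "connectionspop3.value U";
+print "multigraph dovecot_connected\n";
+print "connected.value U\n";
+print "connectedimap.value U\n";
+print "connectedpop3.value U\n";
+print "multigraph dovecot_logins\n";
+print "login.value U\n";
+print "pop3login.value U\n";
+print "imaplogin.value U\n";
+print "tls.value U\n";
+print "ssl.value U\n";
+print "aborted.value U\n";
+
+exit 0;
+}
+
+# dit kan beter maar twee calls zijn toch nodig also we niet zelf aggegreren
+# suggestie: doveadm who -1 | awk '{print $1" "$2" "$4}' | sort | uniq -c
+$connectedimap = `$DOVEADM -f flow who | grep imap | wc -l`;
+$connectedpop3 = `$DOVEADM -f flow who | grep pop3 | wc -l`;
+$connectionsimap = `$DOVEADM -f flow who -1 | grep imap | wc -l`;
+$connectionspop3 = `$DOVEADM -f flow who -1 | grep pop3 | wc -l`;
+
+#trim
+$connectedimap =~ s/\s+$//;
+$connectedpop3 =~ s/\s+$//;
+$connectionsimap =~ s/\s+$//;
+$connectionspop3 =~ s/\s+$//;
+
+$connected = $connectedimap + $connectedpop3;
+$connections = $connectionsimap + $connectionspop3;
+
+my ($pos) = restore_state();
+
+$startsize = (stat $logfile)[7];
+
+if (!defined $pos) {
+# Initial run.
+$pos = $startsize;
+}
+
+if ($startsize < $pos) {
+# Log rotated
+parseDovecotfile ($rotlogfile, $pos, (stat $rotlogfile)[7]);
+$pos = 0;
+}
+
+parseDovecotfile ($logfile, $pos, $startsize);
+$pos = $startsize;
+
+save_state($pos);
+
+print "multigraph dovecot_connections\n";
+print "connections.value $connections\n";
+print "connectionsimap.value $connectionsimap\n";
+print "connectionspop3.value $connectionspop3\n";
+print "multigraph dovecot_connected\n";
+print "connected.value $connected\n";
+print "connectedimap.value $connectedimap\n";
+print "connectedpop3.value $connectedpop3\n";
+print "multigraph dovecot_logins\n";
+print "login.value $login\n";
+print "pop3login.value $pop3login\n";
+print "imaplogin.value $imaplogin\n";
+print "tls.value $tls\n";
+print "ssl.value $ssl\n";
+print "aborted.value $aborted\n";
+
+
+sub parseDovecotfile {
+my ($fname, $start, $stop) = @_;
+open (logf, $fname) or exit 3;
+seek (logf, $start, 0) or exit 2;
+
+while (tell (logf) < $stop) {
+my $line =<logf>;
+chomp ($line);
+
+if ( $dovelogfile == 0 and $line !~ m/dovecot/) { next; }
+else {
+if ($line =~ m/Aborted/) {
+$aborted++;
+
+} elsif ($line =~ m/Login:/) {
+$login++;
+
+if ( $line =~ m/TLS/) {
+$tls++;
+} elsif ($line =~ m/SSL/) {
+$ssl++;
+}
+
+if ( $line =~ m/pop3-login:/) {
+$pop3login++;
+} elsif ($line =~ m/imap-login:/) {
+$imaplogin++;
+}
+}
+}
+}
+close(logf);
+}
+
+# vim:syntax=perl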
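--- a/dovecot/files/munin_plugin_dovecot_stats_
+++ b/dovecot/files/munin_plugin_dovecot_stats_
@@ -0,0 +1,158 @@
+#!/bin/bash
+: <<=cut
+
+=head1 NAME
+
+dovecot_stats_ - Munin plugin to display statistics for the dovecot mail server
+
+=head1 CONFIGURATION
+
+This plugin must be run with permissions to run "doveadm". That usually means root, but to test, run the following as any user:
+
+doveadm who
+
+If you get a permission denied message, check the permissions on the socket mentioned in the error line.
+
+=head1 MAGIC MARKERS
+
+#%# family=contrib
+#%# capability=autoconf suggest
+
+=head1 AUTHOR
+
+Paul Saunders <darac+munin@darac.org.uk>
+
+=cut
+
+. $MUNIN_LIBDIR/plugins/plugin.sh
+is_multigraph
+
+if [[ "$1" == "autoconf" ]]; then
+if [[ -x /usr/bin/doveadm ]]; then
+echo yes
+else
+echo no
+fi
+exit 0
+fi
+
+# Dovecot 2.3 changes the stas format, but we can still access the older version with "doveadm oldstats".
+dovecot_version=$(/usr/sbin/dovecot --version | awk '{print $1}')
+
+verlte() {
+[ "$1" = "$2" ] && return 1 || [ "$2" = "`echo -e "$1\n$2" | sort -V | head -n1`" ]
+}
+
+verlt() {
+[ "$1" = "$2" ] && return 1 || verlte $2 $1
+}
+
+# The stats command is "stats" unless the version is NOT less than 2.3, in which case it's "oldstats".
+stats_command="stats"
+verlt $dovecot_version 2.3 || stats_command="oldstats"
+
+
+if [[ "$1" == "suggest" ]]; then
+doveadm $stats_command dump domain|awk 'NR!=1 {print $1}'
+exit 0
+fi
+
+domain=$(basename $0)
+domain=${domain#dovecot_stats_}
+
+if [[ -z $domain ]]; then
+exit 1
+fi
+
+if [[ "$1" == "config" ]]; then
+cat <<EOF
+multigraph dovecot_cpu_${domain//\./_}
+graph_title Dovecot CPU Usage for $domain
+graph_vlabel Seconds
+graph_category mail
+user_cpu.label User CPU
+user_cpu.type DERIVE
+user_cpu.min 0
+user_cpu.cdef user_cpu,1000000,/
+sys_cpu.label System CPU
+sys_cpu.type DERIVE
+sys_cpu.min 0
+sys_cpu.cdef sys_cpu,1000000,/
+
+multigraph dovecot_system_${domain//\./_}
+graph_title Dovecot System Usage for $domain
+graph_category mail
+min_faults.label Minor page faults
+min_faults.type DERIVE
+min_faults.min 0
+maj_faults.label Major page faults
+maj_faults.type DERIVE
+maj_faults.min 0
+vol_cs.label Voluntary context switches
+vol_cs.type DERIVE
+vol_cs.min 0
+invol_cs.label Involuntary context switches
+invol_cs.type DERIVE
+invol_cs.min 0
+read_count.label read() syscalls
+read_count.type DERIVE
+read_count.min 0
+write_count.label write() syscalls
+write_count.type DERIVE
+write_count.min 0
+
+multigraph dovecot_mail_${domain//\./_}
+graph_title Dovecot Mail Access for $domain
+graph_category mail
+num_logins.label Logins
+num_logins.type DERIVE
+num_logins.min 0
+num_cmds.label Commands
+num_cmds.type DERIVE
+num_cmds.min 0
+mail_lookup_path.label Path Lookups
+mail_lookup_path.type DERIVE
+mail_lookup_path.min 0
+mail_lookup_attr.label Attr lookups
+mail_lookup_attr.type DERIVE
+mail_lookup_attr.min 0
+mail_read_count.label Messages read
+mail_read_count.type DERIVE
+mail_read_count.min 0
+mail_cache_hits.label Cache hits
+mail_cache_hits.type DERIVE
+mail_cache_hits.min 0
+EOF
+exit 0
+fi
+
+# Added by Will
+if [ "${domain}" = "global" ]; then
+args="global"
+else
+args="domain domain=$domain"
+fi
+
+# Fetch data
+# Gawk script cadged from http://awk.info/?JanisP
+doveadm $stats_command dump $args | gawk -F\\t -v cols="user_cpu sys_cpu min_faults maj_faults vol_cs invol_cs read_count write_count num_logins num_cmds mail_lookup_path mail_lookup_attr mail_read_count mail_cache_hits " -v domain=${domain//\./_} '
+BEGIN {
+n=split(cols,col," ")
+for (i=1; i<=n; i++) s[col[i]]=i
+}
+NR==1 {
+for (f=1;f<=NF; f++)
+if ($f in s) c[s[$f]]=f
+next
+}
+{ for (f=1; f<=n; f++) {
+if (col[f] == "user_cpu") printf ("\nmultigraph dovecot_cpu_%s\n", domain)
+if (col[f] == "min_faults") printf ("\nmultigraph dovecot_system_%s\n", domain)
+if (col[f] == "num_logins") printf ("\nmultigraph dovecot_mail_%s\n", domain)
+if (col[f] == "user_cpu" || col[f] == "sys_cpu")
+printf("%s.value %d\n",col[f],$c[f] * 1000000)
+else
+printf("%s.value %d\n",col[f],$c[f])
+}
+}
+'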
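Review bot: The magic marker reads `#%# capability=autoconf suggest`, while the dovecot1 plugin added in this same commit uses `#%# capabilities=autoconf`; as far as I know munin-node-configure only recognises the `capabilities` key, so neither `autoconf` nor `suggest` would be honoured for this plugin until it reads `#%# capabilities=autoconf suggest`. `. $MUNIN_LIBDIR/plugins/plugin.sh` and `domain=$(basename $0)` are unquoted expansions; the values come from munin-node and from the symlink name that Ansible creates, so the risk is only a word-splitting surprise, but `. "$MUNIN_LIBDIR/plugins/plugin.sh"` costs nothing. The "Added by Will" block is the local patch the task comment refers to; a one-line comment saying what it changes relative to upstream (the `global` pseudo-domain handling) would make future rebases easier, and `stas format` in the version comment should read `stats format`.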
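--- a/dovecot/files/z-evolinux-dovecot.conf
+++ b/dovecot/files/z-evolinux-dovecot.conf
@@ -0,0 +1,6 @@
+[dovecot1]
+user root
+
+[dovecot_stats_*]
+user root
+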
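Review bot: Both plugin sections are granted `user root`, while the dovecot.conf template in this commit creates the `old-stats-reader` listener as `user = vmail`, `group = vmail`, `mode = 0660`, so the `dovecot_stats_*` plugin may only need `group vmail` (the removed `dovecot` config used `group adm`) rather than root, if `doveadm oldstats dump` talks to that socket alone — something I cannot confirm from this page. `dovecot1` calls `doveadm who`, whose socket requirements are not visible here either, so root may well be needed there. A comment above each section stating why that privilege level is required would make the choice reviewable the next time the Dovecot listeners change.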
@ -14,3 +14,7 @@
|
|||
name: log2mail
|
||||
state: restarted
|
||||
|
||||
- name: restart munin-node
|
||||
ansible.builtin.systemd:
|
||||
name: munin-node
|
||||
state: restarted
|
||||
|
|
|
@ -8,16 +8,63 @@
|
|||
|
||||
- name: Munin plugins are present and configured
|
||||
block:
|
||||
- name: Install munin plugin
|
||||
ansible.builtin.copy:
|
||||
src: munin_plugin
|
||||
dest: /etc/munin/plugins/dovecot
|
||||
|
||||
- name: Disable dovecot plugin
|
||||
ansible.builtin.file:
|
||||
path: /etc/munin/plugins/dovecot
|
||||
state: absent
|
||||
|
||||
- name: Remove dovecot plugin conf
|
||||
ansible.builtin.file:
|
||||
path: /etc/munin/plugin-conf.d/dovecot
|
||||
state: absent
|
||||
|
||||
- name: "Remount /usr if needed"
|
||||
ansible.builtin.include_role:
|
||||
name: remount-usr
|
||||
|
||||
- name: Ensures /usr/local/lib/munin/plugins/ dir exists
|
||||
ansible.builtin.file:
|
||||
path: "/usr/local/lib/munin/plugins/"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Install munin config
|
||||
- name: Install dovecot1 plugin
|
||||
# Original from https://github.com/munin-monitoring/contrib/blob/master/plugins/dovecot/dovecot1
|
||||
ansible.builtin.copy:
|
||||
src: munin_config
|
||||
dest: /etc/munin/plugin-conf.d/dovecot
|
||||
mode: "0644"
|
||||
src: munin_plugin_dovecot1
|
||||
dest: /usr/local/lib/munin/plugins/dovecot1
|
||||
mode: "0755"
|
||||
|
||||
- name: Install dovecot_stats_ plugin
|
||||
# Modified from https://github.com/munin-monitoring/contrib/blob/master/plugins/dovecot/dovecot_stats_
|
||||
ansible.builtin.copy:
|
||||
src: munin_plugin_dovecot_stats_
|
||||
dest: /usr/local/lib/munin/plugins/dovecot_stats_
|
||||
mode: "0755"
|
||||
tags: dovecot_stats_
|
||||
|
||||
- name: Copy Munin config
|
||||
ansible.builtin.copy:
|
||||
src: z-evolinux-dovecot.conf
|
||||
dest: /etc/munin/plugin-conf.d/z-evolinux-dovecot
|
||||
mode: '0644'
|
||||
notify: restart munin-node
|
||||
|
||||
- name: Enable dovecot1 plugin
|
||||
ansible.builtin.file:
|
||||
src: "/usr/local/lib/munin/plugins/dovecot1"
|
||||
dest: "/etc/munin/plugins/dovecot1"
|
||||
state: link
|
||||
when: not ansible_check_mode
|
||||
|
||||
- name: Enable wildcard dovecot_stats_ plugin for all domains
|
||||
ansible.builtin.file:
|
||||
src: "/usr/local/lib/munin/plugins/dovecot_stats_"
|
||||
dest: "/etc/munin/plugins/dovecot_stats_global"
|
||||
state: link
|
||||
when: not ansible_check_mode
|
||||
tags: dovecot_stats_
|
||||
|
||||
when: munin_node_plugins_config.stat.exists
|
||||
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
# Plugins list (must be before filters {} that modify it)
|
||||
mail_plugins = $mail_plugins old_stats
|
||||
|
||||
# Autorise les mécanismes PLAIN/LOGIN même sans SSL/TLS
|
||||
disable_plaintext_auth = no
|
||||
auth_mechanisms = plain login
|
||||
|
@ -36,14 +39,26 @@ service login {
|
|||
mail_max_userip_connections = 42
|
||||
|
||||
# Configuration pour stats dovecot
|
||||
service stats {
|
||||
unix_listener stats-reader {
|
||||
protocol imap {
|
||||
mail_plugins = $mail_plugins imap_old_stats
|
||||
}
|
||||
plugin {
|
||||
old_stats_refresh = 30 secs
|
||||
old_stats_track_cmds = yes
|
||||
}
|
||||
service old-stats {
|
||||
fifo_listener old-stats-mail {
|
||||
user = vmail
|
||||
group = vmail
|
||||
mode = 0660
|
||||
}
|
||||
unix_listener old-stats-reader {
|
||||
user = vmail
|
||||
group = vmail
|
||||
mode = 0660
|
||||
}
|
||||
|
||||
unix_listener stats-writer {
|
||||
unix_listener old-stats-writer {
|
||||
user = vmail
|
||||
group = vmail
|
||||
mode = 0660
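Review bot: The new `old-stats-mail`, `old-stats-reader` and `old-stats-writer` listeners are created as `vmail:vmail` with `mode = 0660`, but nothing in the template says which process is expected to open them; if the reader is the Munin `dovecot_stats_` plugin installed by this commit, it can only connect when it runs as `vmail` or as a member of that group, which the plugin config has to arrange. A comment above `service old-stats` stating that, e.g. `# Listeners consumed by the Munin dovecot plugins; the reader must run as vmail (see munin plugin-conf.d)`, records the dependency next to the permissions it depends on. The new `# Configuration pour stats dovecot` comment is in French while the role's task names are English; keeping one language in the template helps the next maintainer. The `service old-stats` block continues past the hunk.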
|
||||
|
|
|
@ -5,10 +5,20 @@ elasticsearch_cluster_name: Null
|
|||
elasticsearch_cluster_members: Null
|
||||
elasticsearch_minimum_master_nodes: Null
|
||||
elasticsearch_node_name: "${HOSTNAME}"
|
||||
elasticsearch_network_host:
|
||||
- "_local_"
|
||||
|
||||
# https://www.elastic.co/guide/en/elasticsearch/reference/8.7/modules-network.html
|
||||
elasticsearch_network_host: "_local_"
|
||||
elasticsearch_network_publish_host: Null
|
||||
elasticsearch_network_port: Null
|
||||
|
||||
elasticsearch_http_host: Null
|
||||
elasticsearch_http_publish_host: Null
|
||||
elasticsearch_http_port: Null
|
||||
|
||||
elasticsearch_transport_host: Null
|
||||
elasticsearch_transport_publish_host: Null
|
||||
elasticsearch_transport_port: Null
|
||||
|
||||
elasticsearch_discovery_seed_hosts: Null
|
||||
elasticsearch_cluster_initial_master_nodes: Null
|
||||
elasticsearch_custom_datadir: Null
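Review bot: The new variables use `Null`, which parses as null but is the mixed-case form yamllint flags; `null` reads as intended and still satisfies the `default("", True) | length > 0` guards the configuration tasks use. `elasticsearch_network_host: "_local_"` keeps the node on loopback, and since the role now lets operators set `http.host` and `transport.host` to routable addresses, a comment beside the default noting that the REST and transport ports become reachable from the network once it is changed, and that the cluster's authentication and TLS settings should be in place first, would help, e.g. `# "_local_" binds to loopback only; a routable address exposes the REST and transport ports`.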
|
||||
|
|
|
@ -19,4 +19,4 @@
|
|||
mode: "0755"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
force: yes
|
||||
force: true
|
||||
|
|
|
@ -5,11 +5,19 @@
|
|||
state: present
|
||||
when: ansible_distribution_major_version is version('10', '<')
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Elastic GPG key is installed
|
||||
ansible.builtin.copy:
|
||||
src: elastic.asc
|
||||
dest: "{{ apt_keyring_dir }}/elastic.asc"
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -33,4 +41,4 @@
|
|||
- name: Update APT cache
|
||||
ansible.builtin.apt:
|
||||
update_cache: yes
|
||||
when: elastic_sources is changed
|
||||
when: elastic_sources is changed
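Review bot: The new keyring-directory task uses the short module name `file:` and `mode: "755"` while every other task in the hunk uses the `ansible.builtin.` prefix and a four-digit mode string such as `"0644"`; `ansible.builtin.file:` and `mode: "0755"` keep the file consistent and avoid the three-digit form that readers have to mentally convert. The identical "Ensure {{ apt_keyring_dir }} directory exists" task is repeated verbatim in the hardware-raid and HPE apt task files further down in this commit, so it is a candidate for one shared task file included from each role. The `when: elastic_sources is changed` line in the second hunk appears unchanged apart from whitespace.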
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
- name: Maximum map count check
|
||||
ansible.posix.sysctl:
|
||||
name: vm.max_map_count
|
||||
value: 262144
|
||||
value: "262144"
|
||||
sysctl_file: /etc/sysctl.d/elasticsearch.conf
|
||||
when: max_map_count | int < 262144
|
||||
tags:
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
- name: Configure network host
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "network.host: {{ elasticsearch_network_host }}"
|
||||
line: "network.host: {{ elasticsearch_network_host }}"
|
||||
regexp: "^network.host:"
|
||||
insertafter: "^# *network.host:"
|
||||
when: elasticsearch_network_host | default("", True) | length > 0
|
||||
|
@ -32,28 +32,89 @@
|
|||
- name: Configure network publish_host
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
|
||||
line: "network.publish_host: {{ elasticsearch_network_publish_host }}"
|
||||
regexp: "^network.publish_host:"
|
||||
insertafter: "^network.host:"
|
||||
when: elasticsearch_network_publish_host | default("", True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure network port
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "network.port: {{ elasticsearch_network_port }}"
|
||||
regexp: "^network.port:"
|
||||
insertafter: "^network.host:"
|
||||
when: elasticsearch_network_port | default("", True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure http host
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "http.host: {{ elasticsearch_http_host }}"
|
||||
regexp: "^http.host:"
|
||||
insertafter: "^# *http.host:"
|
||||
when: elasticsearch_http_host | default("", True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure http publish_host
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
|
||||
line: "http.publish_host: {{ elasticsearch_http_publish_host }}"
|
||||
regexp: "^http.publish_host:"
|
||||
insertafter: "^http.port:"
|
||||
when: elasticsearch_http_publish_host | default("", True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure http port
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "http.port: {{ elasticsearch_http_port }}"
|
||||
regexp: "^http.port:"
|
||||
insertafter: "^http.host:"
|
||||
when: elasticsearch_http_port | default("", True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure transport host
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "transport.host: {{ elasticsearch_transport_host }}"
|
||||
regexp: "^transport.host:"
|
||||
insertafter: "^# *transport.host:"
|
||||
when: elasticsearch_transport_host | default("", True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure transport publish_host
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "transport.publish_host: {{ elasticsearch_transport_publish_host }}"
|
||||
regexp: "^transport.publish_host:"
|
||||
insertafter: "^transport.host:"
|
||||
when: elasticsearch_transport_publish_host | default("", True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure transport port
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "transport.port: {{ elasticsearch_transport_port }}"
|
||||
regexp: "^transport.port:"
|
||||
insertafter: "^transport.host:"
|
||||
when: elasticsearch_transport_port | default("", True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
||||
- name: Configure discovery seed hosts
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/elasticsearch/elasticsearch.yml
|
||||
line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_yaml(default_flow_style=True) }}"
|
||||
regexp: "^discovery.seed_hosts:"
|
||||
insertafter: "^# *discovery.seed_hosts:"
|
||||
when: elasticsearch_discovery_seed_hosts | default([], True) | length > 0
|
||||
tags:
|
||||
- config
|
||||
|
@ -118,14 +179,11 @@
|
|||
tags:
|
||||
- config
|
||||
|
||||
- name: Disable garbage collector logs (JDK >= 9)
|
||||
ansible.builtin.lineinfile:
|
||||
- name: Disable garbage collector logs
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/elasticsearch/jvm.options
|
||||
regexp: "Xlog:gc"
|
||||
line: "#9-:-Xlog:gc*,gc+age=trace,safepoint:file=/opt/my-app/gc.log:utctime,pid,tags:filecount=32,filesize=64m"
|
||||
owner: root
|
||||
group: elasticsearch
|
||||
mode: "0640"
|
||||
regexp: '^([^#]*-Xlog:gc.+)'
|
||||
replace: '#\1'
|
||||
tags:
|
||||
- config
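Review bot: The `discovery.seed_hosts` line is rendered with `to_yaml(default_flow_style=True)`, and `to_yaml` normally returns its output with a trailing newline, so the `line:` value likely ends in `\n`; lineinfile then never sees an exact match and the task is likely to report changed on every run and leave stray blank lines behind — `to_json` yields the same flow list without the newline, e.g. `line: "discovery.seed_hosts: {{ elasticsearch_discovery_seed_hosts | to_json }}"`. The `regexp` values such as `"^network.host:"` use an unescaped `.`, which is harmless here but `"^network\\.host:"` states the intent. In the last hunk, the switch to `ansible.builtin.replace` drops the explicit `owner`/`group`/`mode` the old task applied to jvm.options; replace keeps the existing permissions, so this is fine only if the file is installed with the intended ones elsewhere in the role.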
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
|
||||
- name: APT sources
|
||||
ansible.builtin.import_tasks: apt_sources.yml
|
||||
ansible.builtin.include_tasks: apt_sources.yml
|
||||
args:
|
||||
apply:
|
||||
tags:
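Review bot: Because `ansible.builtin.include_tasks` is evaluated dynamically, the tag list under `args.apply` only tags the tasks inside apt_sources.yml; the include task itself carries no tags, so a run limited with `--tags` skips the include and the applied tags never take effect. Add the same list as a task-level `tags:` on the include in addition to `apply`, or keep `import_tasks` if a static import was acceptable. The tag list itself is outside the hunk.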
|
||||
|
|
|
@ -32,7 +32,7 @@
|
|||
environment:
|
||||
TMPDIR: "{{ elasticsearch_plugin_head_tmp_dir }}"
|
||||
become_user: "{{ elasticsearch_plugin_head_owner }}"
|
||||
become: yes
|
||||
become: true
|
||||
|
||||
- name: Elasticsearch HTTP/CORS are enabled
|
||||
ansible.builtin.lineinfile:
|
||||
|
|
|
@ -10,12 +10,12 @@
|
|||
- ansible_distribution == "Debian"
|
||||
|
||||
- name: Install and configure utilities
|
||||
ansible.builtin.include: utils.yml
|
||||
ansible.builtin.import_tasks: utils.yml
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
- name: Configure repositories
|
||||
ansible.builtin.include: repositories.yml
|
||||
ansible.builtin.import_tasks: repositories.yml
|
||||
tags:
|
||||
- etc-git
|
||||
when: etc_git_config_repositories | bool
|
|
@ -26,7 +26,7 @@
|
|||
when:
|
||||
- _usr_share_scripts.stat.isdir
|
||||
|
||||
- ansible.builtin.include: repository.yml
|
||||
- ansible.builtin.import_tasks: repository.yml
|
||||
vars:
|
||||
repository_path: "/usr/share/scripts"
|
||||
gitignore_items: []
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
dest: "{{ repository_path }}/.gitignore"
|
||||
owner: root
|
||||
mode: "0600"
|
||||
force: no
|
||||
force: false
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
src: evocommit
|
||||
dest: /usr/local/bin/evocommit
|
||||
mode: "0755"
|
||||
force: yes
|
||||
force: true
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
|
@ -19,7 +19,7 @@
|
|||
src: ansible-commit
|
||||
dest: /usr/local/bin/ansible-commit
|
||||
mode: "0755"
|
||||
force: yes
|
||||
force: true
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
|
@ -28,7 +28,7 @@
|
|||
src: etc-git-optimize
|
||||
dest: /usr/share/scripts/etc-git-optimize
|
||||
mode: "0755"
|
||||
force: yes
|
||||
force: true
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
|
@ -37,7 +37,7 @@
|
|||
src: etc-git-status
|
||||
dest: /usr/share/scripts/etc-git-status
|
||||
mode: "0755"
|
||||
force: yes
|
||||
force: true
|
||||
tags:
|
||||
- etc-git
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
- hosts: default
|
||||
gather_facts: yes
|
||||
become: yes
|
||||
become: true
|
||||
|
||||
roles:
|
||||
# - squid
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="23.04.01"
|
||||
VERSION="23.07"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="23.04.01"
|
||||
VERSION="23.07"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
@ -55,7 +55,7 @@ detect_os() {
|
|||
DEBIAN_MAIN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
|
||||
|
||||
if [ "${DEBIAN_MAIN_VERSION}" -lt "9" ]; then
|
||||
echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2
|
||||
echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2
|
||||
echo "This version is built for Debian 9 and later." >&2
|
||||
exit
|
||||
fi
|
||||
|
@ -231,8 +231,15 @@ check_customcrontab() {
|
|||
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
|
||||
}
|
||||
check_sshallowusers() {
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|
||||
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
|
||||
if is_debian_bookworm; then
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \
|
||||
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
|
||||
&& failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
|
||||
else
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|
||||
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
|
||||
fi
|
||||
}
|
||||
check_diskperf() {
|
||||
perfFile="/root/disk-perf.txt"
|
||||
|
@ -276,7 +283,7 @@ check_alert5minifw() {
|
|||
fi
|
||||
}
|
||||
check_minifw() {
|
||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*(all|0)\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
||||
|| failed "IS_MINIFW" "minifirewall seems not started"
|
||||
}
|
||||
check_minifw_includes() {
|
||||
|
@ -307,7 +314,7 @@ check_nrpedisks() {
|
|||
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
|
||||
}
|
||||
check_nrpepid() {
|
||||
if is_debian_bullseye; then
|
||||
if { is_debian_bullseye || is_debian_bookworm ; }; then
|
||||
{ test -e /etc/nagios/nrpe.cfg \
|
||||
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
|
||||
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
|
||||
|
@ -874,19 +881,27 @@ check_ldap_backup() {
|
|||
check_redis_backup() {
|
||||
if is_installed redis-server; then
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
# REDIS_BACKUP_PATH may contain space-separated paths, example:
|
||||
# REDIS_BACKUP_PATH may contain space-separated paths, for example:
|
||||
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
|
||||
# Old default path: /home/backup/dump.rdb
|
||||
# New default path: /home/backup/redis/dump.rdb
|
||||
if [ -z "${REDIS_BACKUP_PATH}" ]; then
|
||||
if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then
|
||||
failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)."
|
||||
fi
|
||||
else
|
||||
for file in ${REDIS_BACKUP_PATH}; do
|
||||
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing."
|
||||
done
|
||||
# Warning : this script doesn't handle spaces in file paths !
|
||||
|
||||
REDIS_BACKUP_PATH="${REDIS_BACKUP_PATH:-$(find /home/backup/ -iname "*.rdb*")}"
|
||||
|
||||
# Check number of dumps
|
||||
n_instances=$(pgrep 'redis-server' | wc -l)
|
||||
n_dumps=$(echo $REDIS_BACKUP_PATH | wc -w)
|
||||
if [ ${n_dumps} -lt ${n_instances} ]; then
|
||||
failed "IS_REDIS_BACKUP" "Missing Redis dump : ${n_instances} instance(s) found versus ${n_dumps} dump(s) found."
|
||||
fi
|
||||
|
||||
# Check last dump date
|
||||
age_threshold=$(date +"%s" -d "now - 2 days")
|
||||
for dump in ${REDIS_BACKUP_PATH}; do
|
||||
last_update=$(stat -c "%Z" $dump)
|
||||
if [ "${last_update}" -lt "${age_threshold}" ]; then
|
||||
failed "IS_REDIS_BACKUP" "Redis dump ${dump} is older than 2 days."
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
check_elastic_backup() {
|
||||
|
@ -1076,14 +1091,14 @@ check_usrsharescripts() {
|
|||
check_sshpermitrootno() {
|
||||
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
|
||||
if is_debian_stretch; then
|
||||
# Noop, we'll use the default $sshd_args
|
||||
# Noop, we'll use the default $sshd_args
|
||||
:
|
||||
elif is_debian_buster; then
|
||||
sshd_args="${sshd_args},rdomain="
|
||||
sshd_args="${sshd_args},rdomain="
|
||||
else
|
||||
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
|
||||
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
|
||||
# -T doesn't require the additional -C.
|
||||
sshd_args=
|
||||
sshd_args=
|
||||
fi
|
||||
# shellcheck disable=SC2086
|
||||
if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then
|
||||
|
@ -1216,7 +1231,7 @@ check_lxc_container_resolv_conf() {
|
|||
else
|
||||
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}"
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
}
|
||||
# Check that there are containers if lxc is installed.
|
||||
|
@ -1302,7 +1317,7 @@ get_version() {
|
|||
case "${program}" in
|
||||
## Special case if `command --version => 'command` is not the standard way to get the version
|
||||
# my_command)
|
||||
# /path/to/my_command --get-version
|
||||
# /path/to/my_command --get-version
|
||||
# ;;
|
||||
|
||||
add-vm)
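Review bot: In `check_sshallowusers`, `grep -E -qir "(AllowUsers|AllowGroups)"` also matches commented-out directives such as `#AllowUsers` and, with `-i`, any casing, so a host that only carries the commented example passes the check; anchoring on the line start, e.g. `grep -E -qr "^[[:space:]]*(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d`, on all three grep lines makes the compliance result reflect what sshd actually reads. The recursive grep also counts files in `sshd_config.d` that do not end in `.conf`, which sshd's `Include /etc/ssh/sshd_config.d/*.conf` ignores. In `check_redis_backup`, `last_update=$(stat -c "%Z" $dump)` reads the inode change time, which a chown or chmod of an old dump also refreshes; `%Y` (modification time) is the better signal for dump age, and quoting `"$dump"` removes one of the space-in-path pitfalls the comment warns about.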
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Linux (Debian) server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="23.04.01"
|
||||
VERSION="23.07"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
|
|
@ -16,5 +16,5 @@
|
|||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
force: yes
|
||||
force: true
|
||||
when: is_cron_installed.rc == 0
|
||||
|
|
|
@ -36,7 +36,7 @@
|
|||
dest: "{{ evocheck_bin_dir }}/evocheck.sh"
|
||||
mode: "0700"
|
||||
owner: root
|
||||
force: yes
|
||||
force: true
|
||||
tags:
|
||||
- evocheck
|
||||
|
||||
|
@ -44,6 +44,6 @@
|
|||
ansible.builtin.copy:
|
||||
src: evocheck.cf
|
||||
dest: /etc/evocheck.cf
|
||||
force: no
|
||||
force: false
|
||||
tags:
|
||||
- evocheck
|
||||
|
|
|
@ -51,6 +51,7 @@ evolinux_internal_fqdn: "{{ evolinux_internal_hostname }}.{{ evolinux_intern
|
|||
evolinux_kernel_include: True
|
||||
|
||||
evolinux_kernel_cloud_auto: True
|
||||
evolinux_kernel_cloud_reboot: True
|
||||
evolinux_kernel_reboot_after_panic: True
|
||||
evolinux_kernel_disable_tcp_timestamps: True
|
||||
evolinux_kernel_customize_swappiness: True
|
||||
|
@ -103,6 +104,8 @@ evolinux_system_locales: True
|
|||
|
||||
evolinux_system_set_timezone: True
|
||||
evolinux_system_timezone: "Europe/Paris"
|
||||
evolinux_system_include_ntpd: "{{ ansible_distribution_major_version is version('12', '<') }}"
|
||||
evolinux_system_include_timesyncd: "{{ ansible_distribution_major_version is version('12', '>=') }}"
|
||||
|
||||
evolinux_system_vim_skip_defaults: True
|
||||
evolinux_system_vim_default_editor: True
|
||||
|
@ -173,6 +176,8 @@ evolinux_logs_default_dateext : True
|
|||
evolinux_logs_disable_logrotate_rsyslog: True
|
||||
evolinux_logs_rsyslog_conf: True
|
||||
evolinux_logrotate_dateformat: "-%Y%m%d%H"
|
||||
evolinux_logs_disable_logcheck_journald: True
|
||||
evolinux_logs_journald_conf: True
|
||||
|
||||
# default www
|
||||
|
||||
|
@ -229,4 +234,4 @@ evolinux_cron_checkhpraid_frequency: daily
|
|||
evolinux_motd_include: True
|
||||
|
||||
# Utils
|
||||
evolinux_utils_include: True
|
||||
evolinux_utils_include: True
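Review bot: `evolinux_kernel_cloud_reboot: True` makes the role reboot a guest as soon as the cloud kernel package is newly installed (the reboot task added to kernel.yml in this commit is gated on this variable and on the apt task reporting changed), which is a surprising default for a base role applied to hosts already in service; an opt-in default of `False`, or at least a comment above the variable stating that the host will reboot, is safer. `evolinux_logs_journald_conf: True` and `evolinux_logs_disable_logcheck_journald: True` likewise change log retention and monitoring on every host and deserve a one-line comment each naming the file they control. The new entries follow the file's `True` spelling; yamllint's truthy rule prefers `true`.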
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
PROGNAME="dump-server-state"
|
||||
REPOSITORY="https://gitea.evolix.org/evolix/dump-server-state"
|
||||
|
||||
VERSION="22.04.3"
|
||||
VERSION="23.08"
|
||||
readonly VERSION
|
||||
|
||||
dump_dir=
|
||||
|
@ -15,7 +15,7 @@ show_version() {
|
|||
cat <<END
|
||||
${PROGNAME} version ${VERSION}
|
||||
|
||||
Copyright 2018-2022 Evolix <info@evolix.fr>,
|
||||
Copyright 2018-2023 Evolix <info@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Éric Morino <emorino@evolix.fr>,
|
||||
Brice Waegeneire <bwaegeneire@evolix.fr>
|
||||
|
@ -23,7 +23,7 @@ Copyright 2018-2022 Evolix <info@evolix.fr>,
|
|||
|
||||
${REPOSITORY}
|
||||
|
||||
${PROGNAME} comes with ABSOLUTELY NO WARRANTY.This is free software,
|
||||
${PROGNAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
|
||||
and you are welcome to redistribute it under certain conditions.
|
||||
See the GNU General Public License v3.0 for details.
|
||||
END
|
||||
|
@ -442,14 +442,14 @@ task_iptables() {
|
|||
printf "\n#### ip6tables --table mangle --list ###############\n"
|
||||
${ip6tables_bin} --table mangle --list --numeric --verbose --line-numbers
|
||||
fi
|
||||
} > "${dump_dir}/iptables-v.txt")
|
||||
} > "${dump_dir}/iptables-v.txt") 2> "${dump_dir}/iptables-v.err"
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* iptables -v OK"
|
||||
else
|
||||
debug "* iptables -v ERROR"
|
||||
debug "${last_result}"
|
||||
debug "$(cat ${dump_dir}/iptables-v.err)"
|
||||
# Ignore errors because we don't know if this is nft related or a real error
|
||||
# rc=10
|
||||
fi
|
||||
|
@ -467,14 +467,14 @@ task_iptables() {
|
|||
printf "\n#### ip6tables --table mangle --list ###############\n"
|
||||
${ip6tables_bin} --table mangle --list --numeric
|
||||
fi
|
||||
} > "${dump_dir}/iptables.txt")
|
||||
} > "${dump_dir}/iptables.txt") 2> "${dump_dir}/iptables.err"
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* iptables OK"
|
||||
else
|
||||
debug "* iptables ERROR"
|
||||
debug "${last_result}"
|
||||
debug "$(cat ${dump_dir}/iptables.err)"
|
||||
# Ignore errors because we don't know if this is nft related or a real error
|
||||
# rc=10
|
||||
fi
|
||||
|
@ -485,14 +485,14 @@ task_iptables() {
|
|||
iptables_save_bin=$(command -v iptables-save)
|
||||
|
||||
if [ -n "${iptables_save_bin}" ]; then
|
||||
last_result=$(${iptables_save_bin} > "${dump_dir}/iptables-save.txt")
|
||||
${iptables_save_bin} > "${dump_dir}/iptables-save.txt" 2> "${dump_dir}/iptables-save.err"
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* iptables-save OK"
|
||||
else
|
||||
debug "* iptables-save ERROR"
|
||||
debug "${last_result}"
|
||||
debug "$(cat ${dump_dir}/iptables-save.err)"
|
||||
# Ignore errors because we don't know if this is nft related or a real error
|
||||
# rc=10
|
||||
fi
|
||||
|
@ -503,14 +503,14 @@ task_iptables() {
|
|||
nft_bin=$(command -v nft)
|
||||
|
||||
if [ -n "${nft_bin}" ]; then
|
||||
last_result=$(${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt")
|
||||
${nft_bin} list ruleset > "${dump_dir}/nft-ruleset.txt" 2> "${dump_dir}/nft-ruleset.err"
|
||||
last_rc=$?
|
||||
|
||||
if [ ${last_rc} -eq 0 ]; then
|
||||
debug "* nft ruleset OK"
|
||||
else
|
||||
debug "* nft ruleset ERROR"
|
||||
debug "${last_result}"
|
||||
debug "$(cat ${dump_dir}/nft-ruleset.err)"
|
||||
rc=10
|
||||
fi
|
||||
fi
|
||||
|
@ -762,6 +762,10 @@ task_systemctl() {
|
|||
fi
|
||||
}
|
||||
|
||||
clean_empty_error_file() {
|
||||
find "${dump_dir}" -type f -name "*.err" -size 0 -delete
|
||||
}
|
||||
|
||||
main() {
|
||||
if [ -z "${dump_dir}" ]; then
|
||||
echo "ERROR: You must provide the --dump-dir argument" >&2
|
||||
|
@ -841,6 +845,7 @@ main() {
|
|||
task_systemctl
|
||||
fi
|
||||
|
||||
clean_empty_error_file
|
||||
|
||||
debug "=> Your dump is available at ${dump_dir}"
|
||||
exit ${rc}
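Review bot: The new `debug "$(cat ${dump_dir}/iptables-v.err)"` lines (and the iptables, iptables-save and nft counterparts) leave `${dump_dir}` unquoted inside the command substitution, unlike the `2> "${dump_dir}/….err"` redirections right above them; `debug "$(cat "${dump_dir}/iptables-v.err")"` keeps word splitting out of the path. `clean_empty_error_file` removes only zero-byte `.err` files, so a non-empty one stays in the dump; a short comment on the function saying that non-empty error files are intentionally retained for later analysis would document that choice. The `task_iptables` function starts and ends outside the hunks.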
|
||||
|
|
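--- a/evolinux-base/files/logs/journald.conf
+++ b/evolinux-base/files/logs/journald.conf
@@ -0,0 +1,2 @@
+[Journal]
+MaxRetentionSec=1day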
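Review bot: `MaxRetentionSec=1day` caps the journal at one day of history on every host the role manages, which is short for incident reconstruction if the journal is the only copy of a service's output; the role also installs `logs/rsyslog.conf` and stops logcheck from reading the journal in this commit, so the intent is presumably that rsyslog holds the persistent logs. A comment in the file stating that, e.g. `# Short retention on purpose: rsyslog (see logs/rsyslog.conf) is the persistent log store`, keeps the next maintainer from raising the limit or removing rsyslog without noticing the dependency.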
|
|
@ -79,3 +79,7 @@
|
|||
name: log2mail
|
||||
state: restarted
|
||||
|
||||
- name: restart systemd-journald
|
||||
ansible.builtin.service:
|
||||
name: systemd-journald.service
|
||||
state: restarted
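Review bot: Restarting `systemd-journald.service` interrupts log collection for the duration of the restart and, on older systemd releases (Debian 10's version is presumably affected), services logging through stdout/stderr may lose their stream until they are restarted themselves; the handler should carry a comment noting this, e.g. `# Restart (not reload) is needed for the drop-in; verify services keep their stdout/stderr streams on the targeted Debian releases`, and the behaviour is worth confirming on each Debian version the role supports. The `restart log2mail` handler above is context only; the file's other handlers are outside the hunk.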
|
||||
|
|
14
evolinux-base/tasks/bash.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
|
||||
- name: "Customize common bashrc"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/bash.bashrc
|
||||
line: "{{ item }}"
|
||||
create: yes
|
||||
state: present
|
||||
loop:
|
||||
- "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth,erasedups"
|
||||
- "export HISTSIZE=65535"
|
||||
- "export HISTTIMEFORMAT=\"%c : \""
|
||||
- "shopt -s histappend"
|
||||
- "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\""
|
|
@ -20,7 +20,7 @@
|
|||
src: default_www/index.html.j2
|
||||
dest: /var/www/index.html
|
||||
mode: "0644"
|
||||
force: no
|
||||
force: false
|
||||
when: evolinux_default_www_files | bool
|
||||
|
||||
# SSL cert
|
||||
|
|
|
@ -12,4 +12,4 @@
|
|||
src: /usr/local/sbin/dump-server-state
|
||||
dest: /usr/local/sbin/backup-server-state
|
||||
state: link
|
||||
force: yes
|
||||
force: true
|
||||
|
|
|
@ -41,13 +41,21 @@
|
|||
state: absent
|
||||
when: perc_hba11_search.rc == 0
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: MegaCLI SAS package is present
|
||||
block:
|
||||
- name: HWRaid GPG key is installed
|
||||
ansible.builtin.copy:
|
||||
src: hwraid.le-vert.net.asc
|
||||
dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc"
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
|
|
@ -1,10 +1,18 @@
|
|||
---
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: HPE GPG key is installed
|
||||
ansible.builtin.copy:
|
||||
src: hpePublicKey2048_key1.asc
|
||||
dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc"
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -35,6 +43,12 @@
|
|||
tags:
|
||||
- packages
|
||||
|
||||
- name: Install HPE Agentless Management Service (amsd)
|
||||
ansible.builtin.apt:
|
||||
name: amsd
|
||||
tags:
|
||||
- packages
|
||||
|
||||
# NOTE: check_hpraid cron use check_hpraid from nagios-nrpe role
|
||||
# So, if nagios-nrpe role is not installed it will not work
|
||||
- name: Install and configure check_hpraid cron (HP gen >=10)
|
||||
|
|
|
@ -41,7 +41,7 @@
|
|||
ansible.builtin.copy:
|
||||
dest: /etc/mailname
|
||||
content: "{{ evolinux_fqdn }}\n"
|
||||
force: yes
|
||||
force: true
|
||||
when: evolinux_hostname_mailname | bool
|
||||
|
||||
# Override facts
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
ansible.builtin.apt:
|
||||
name: "linux-image-cloud-amd64"
|
||||
state: present
|
||||
register: _use_cloud_kernel
|
||||
when:
|
||||
- ansible_machine == "x86_64"
|
||||
- ansible_virtualization_role == "guest"
|
||||
|
@ -17,6 +18,14 @@
|
|||
- ansible_machine == "x86_64"
|
||||
- ansible_virtualization_role == "guest"
|
||||
- evolinux_kernel_cloud_auto | bool
|
||||
|
||||
- name: "Reboot the server to enable the new kernel"
|
||||
ansible.builtin.reboot:
|
||||
reboot_timeout: 600
|
||||
search_paths: ['/lib/molly-guard', '/sbin']
|
||||
when:
|
||||
- _use_cloud_kernel is changed
|
||||
- evolinux_kernel_cloud_reboot | bool
|
||||
|
||||
- name: Reboot after panic
|
||||
ansible.posix.sysctl:
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
# TODO: voir comment faire des backups initiaux des fichiers
|
||||
|
||||
# RSyslog
|
||||
- name: Copy rsyslog.conf
|
||||
ansible.builtin.copy:
|
||||
src: logs/rsyslog.conf
|
||||
|
@ -10,6 +11,7 @@
|
|||
notify: restart rsyslog
|
||||
when: evolinux_logs_rsyslog_conf | bool
|
||||
|
||||
# Logrotate
|
||||
- name: Disable logrotate default conf
|
||||
ansible.builtin.command:
|
||||
cmd: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
|
||||
|
@ -61,4 +63,28 @@
|
|||
insertafter: 'dateext'
|
||||
when: evolinux_logs_default_dateext | bool
|
||||
|
||||
# Logcheck
|
||||
- name: Disable logcheck monitoring of journald
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/logrotate.conf
|
||||
line: "#journal"
|
||||
regexp: "^journal"
|
||||
when: evolinux_logs_disable_logcheck_journald | bool
|
||||
|
||||
# Journald
|
||||
- name: /etc/systemd/journald.conf.d/ is present
|
||||
ansible.builtin.file:
|
||||
path: /etc/systemd/journald.conf.d/
|
||||
state: directory
|
||||
mode: "0755"
|
||||
when: evolinux_logs_journald_conf | bool
|
||||
|
||||
- name: Copy journald.conf
|
||||
ansible.builtin.copy:
|
||||
src: logs/journald.conf
|
||||
dest: /etc/systemd/journald.conf.d/00-evolinux-default.conf
|
||||
mode: "0644"
|
||||
notify: restart systemd-journald
|
||||
when: evolinux_logs_journald_conf | bool
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
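Review bot: The "Disable logcheck monitoring of journald" task writes `#journal` into `/etc/logrotate.conf`, which logcheck never reads, so the journal stays monitored and logrotate.conf gains a stray comment line; the `journal` entry logcheck consults lives under `/etc/logcheck/` (on Debian 12 presumably `logcheck.logfiles.d/journal.logfiles`), and `dest:` should point there — confirm against the logcheck package on the targeted release. The journald directory and drop-in tasks that follow set only `mode`; adding `owner: root` and `group: root` gives them parity with the other copy tasks in this commit.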
|
||||
|
|
|
@ -74,6 +74,9 @@
|
|||
# name: evolix/evolinux-users
|
||||
# when: evolinux_users_include
|
||||
|
||||
- name: Bash configuration
|
||||
ansible.builtin.import_tasks: bash.yml
|
||||
|
||||
- name: Root user configuration
|
||||
ansible.builtin.import_tasks: root.yml
|
||||
when: evolinux_root_include | bool
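Review bot: The new `Bash configuration` import has no `when:` guard, while the neighbouring imports are gated on an `evolinux_*_include` variable (`evolinux_root_include` right below it, the commented `evolinux_users_include` above), so there is no supported way to opt out of the `/etc/bash.bashrc` changes; an `evolinux_bash_include` default plus `when: evolinux_bash_include | bool` would follow the file's convention. The hunk shows only the surrounding imports; the rest of the task list is outside it.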
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
ansible.builtin.lineinfile:
|
||||
dest: /etc/postfix/main.cf
|
||||
state: present
|
||||
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost"
|
||||
line: "mydestination = {{ [evolinux_fqdn, evolinux_internal_fqdn] | unique | join(' ') }} localhost.localdomain localhost localhost.$mydomain"
|
||||
regexp: '^mydestination'
|
||||
notify: reload postfix
|
||||
tags:
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
ansible.builtin.copy:
|
||||
content: ""
|
||||
dest: "/root/.bash_history"
|
||||
force: no
|
||||
force: false
|
||||
when: evolinux_root_bash_history | bool
|
||||
|
||||
- name: Set umask in /root/.profile
|
||||
|
@ -47,7 +47,7 @@
|
|||
ansible.builtin.copy:
|
||||
src: root/gitconfig
|
||||
dest: "/root/.gitconfig"
|
||||
force: no
|
||||
force: false
|
||||
when: evolinux_root_gitconfig | bool
|
||||
|
||||
- name: Is .bash_history append-only
|
||||
|
@ -90,14 +90,40 @@
|
|||
- "set shiftwidth=4"
|
||||
when: evolinux_root_vim_conf | bool
|
||||
|
||||
- name: disable SSH access for root
|
||||
- name: disable SSH access for root (Debian < 12)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_root_disable_ssh | bool
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: files under /etc/ssh/sshd_config.d are included (Debian >= 12)
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
line: "Include /etc/ssh/sshd_config.d/*.conf"
|
||||
insertbefore: BOF
|
||||
notify: reload ssh
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: disable SSH access for root (Debian >= 12)
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||
line: "PermitRootLogin no"
|
||||
regexp: "^#?PermitRootLogin "
|
||||
create: yes
|
||||
mode: "0644"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
|
||||
### Disabled : it seems useless and too dangerous for now
|
||||
# - name: remove root from AllowUsers directive
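Review bot: For Debian >= 12, `PermitRootLogin no` is written to `/etc/ssh/sshd_config.d/z-evolinux-defaults.conf`, but sshd keeps the first value it reads for a keyword, the `Include` is inserted at the top of sshd_config (`insertbefore: BOF`) and drop-ins are read in lexical order, so a `z-` file has the lowest precedence: any other fragment that sets `PermitRootLogin` and sorts earlier wins and root login stays enabled. Name the fragment so it sorts first, e.g. `path: /etc/ssh/sshd_config.d/00-evolinux-defaults.conf`, and check the effective value with `sshd -T` after the reload. The Include task also differs from its neighbours in two ways worth aligning: it notifies `reload ssh` whereas the other two notify `reload sshd` (if only one handler exists the play fails on the other), and it carries no `validate:`. `create: yes` on the Debian >= 12 task should be `create: true` like the rest of the commit.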
|
||||
|
|
|
@ -1,71 +1,22 @@
|
|||
---
|
||||
# This is a copy of ssh.single-file.yml
|
||||
# It needs to be changed when we move to a included-files configuration
|
||||
|
||||
|
||||
- ansible.builtin.debug:
|
||||
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
||||
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
|
||||
when: evolinux_ssh_password_auth_addresses == []
|
||||
|
||||
# From 'man sshd_config' :
|
||||
# « If all of the criteria on the Match line are satisfied, the keywords
|
||||
# on the following lines override those set in the global section of the config
|
||||
# file, until either another Match line or the end of the file.
|
||||
# If a keyword appears in multiple Match blocks that are satisfied,
|
||||
# only the first instance of the keyword is applied. »
|
||||
#
|
||||
# We want to allow any user from a list of IP addresses to login with password,
|
||||
# but users of the "{{ evolinux_internal_group }}" group can't login with password from other IP addresses
|
||||
- name: files under /etc/ssh/sshd_config.d are included
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
line: "Include /etc/ssh/sshd_config.d/*.conf"
|
||||
insertbefore: BOF
|
||||
notify: reload ssh
|
||||
|
||||
- name: "Security directives for Evolinux (Debian 10 or later)"
|
||||
ansible.builtin.blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS"
|
||||
block: |
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
Match Group {{ evolinux_internal_group }}
|
||||
PasswordAuthentication no
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_ssh_password_auth_addresses != []
|
||||
- ansible_distribution_major_version is version('10', '>=')
|
||||
- name: add SSH server configuration template
|
||||
ansible.builtin.template:
|
||||
src: sshd/defaults.j2
|
||||
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||
mode: "0644"
|
||||
|
||||
- name: Security directives for Evolinux (Jessie/Stretch)
|
||||
ansible.builtin.blockinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
marker: "# {mark} EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
block: |
|
||||
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
|
||||
PasswordAuthentication yes
|
||||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_ssh_password_auth_addresses != []
|
||||
- ansible_distribution_major_version is version('10', '<')
|
||||
|
||||
# We disable AcceptEnv because it can be a security issue, but also because we
|
||||
# do not want clients to push their environment variables like LANG.
|
||||
- name: disable AcceptEnv in ssh config
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^AcceptEnv'
|
||||
replace: "#AcceptEnv"
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_disable_acceptenv | bool
|
||||
|
||||
- name: Set log level to verbose (for Debian >= 9)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^#?LogLevel [A-Z]+'
|
||||
replace: "LogLevel VERBOSE"
|
||||
notify: reload sshd
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- name: "Get current user"
|
||||
- name: "Get current user's group"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
|
@ -73,10 +24,9 @@
|
|||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
# we must double-escape caracters, because python
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
cmd: "grep -ER '^AllowUsers' /etc/ssh"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
|
@ -85,20 +35,15 @@
|
|||
|
||||
- name: "Add AllowUsers sshd directive for current user"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ logname.stdout }}"
|
||||
dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf
|
||||
create: yes
|
||||
line: "AllowUsers {{ logname.stdout }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
||||
|
||||
- name: "Modify AllowUsers sshd directive for current user"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
|
||||
replace: '\1 {{ logname.stdout }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
||||
# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
|
||||
# TODO si allowgroups, ajouter groupe de l’utilisateur
|
||||
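Review bot: The new `add SSH server configuration template` task writes `/etc/ssh/sshd_config.d/z-evolinux-defaults.conf` with neither `validate: '/usr/sbin/sshd -t -f %s'` nor `notify: reload sshd`, although every other task in this file that touches sshd configuration carries both; a bad render is only discovered at the next reload, and a good one is not applied until something else notifies the handler. If I read the line counts right, the `Modify AllowUsers sshd directive for current user` task is removed with nothing in its place, so when an `AllowUsers` directive already exists anywhere under `/etc/ssh` (rc 0 from the new `grep -ER`) the current user is no longer appended and `evolinux_ssh_allow_current_user` silently does nothing — the French TODOs at the end hint at this, but a hard failure or a warning there would be safer than silence. The Include task notifies `reload ssh` while the rest of the file notifies `reload sshd`; unless both handlers exist this is a typo. The task renamed to `Get current user's group` still runs `logname`, which prints the login name, so the new name is misleading unless its body changes outside the hunk. The former `disable AcceptEnv in ssh config` task appears to go away without an equivalent in the new template, so `evolinux_ssh_disable_acceptenv` presumably stops having any effect; if that is intended, its default and README should say so.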
|
|
|
@ -131,6 +131,13 @@
|
|||
|
||||
- ansible.builtin.include_role:
|
||||
name: evolix/ntpd
|
||||
when:
|
||||
- evolinux_system_include_ntpd | bool
|
||||
|
||||
- ansible.builtin.include_role:
|
||||
name: evolix/timesyncd
|
||||
when:
|
||||
- evolinux_system_include_timesyncd | bool
|
||||
|
||||
## alert5
|
||||
|
||||
|
@ -138,7 +145,7 @@
|
|||
ansible.builtin.template:
|
||||
src: system/alert5.sysvinit.j2
|
||||
dest: /etc/init.d/alert5
|
||||
force: no
|
||||
force: false
|
||||
mode: "0755"
|
||||
when:
|
||||
- evolinux_system_alert5_init | bool
|
||||
|
@ -153,13 +160,14 @@
|
|||
- evolinux_system_alert5_enable | bool
|
||||
- ansible_distribution_release == "jessie" or ansible_distribution_release == "stretch"
|
||||
|
||||
|
||||
- ansible.builtin.include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: Install alert5 init script (buster and later)
|
||||
ansible.builtin.template:
|
||||
src: system/alert5.sh.j2
|
||||
dest: /usr/share/scripts/alert5.sh
|
||||
force: no
|
||||
force: false
|
||||
mode: "0755"
|
||||
when:
|
||||
- evolinux_system_alert5_init | bool
|
||||
|
@ -169,7 +177,7 @@
|
|||
ansible.builtin.copy:
|
||||
src: alert5.service
|
||||
dest: /etc/systemd/system/alert5.service
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
when:
|
||||
- evolinux_system_alert5_init | bool
|
||||
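Review bot: The new `evolix/timesyncd` include is guarded only by `evolinux_system_include_timesyncd`, and the `evolix/ntpd` include just above it only by `evolinux_system_include_ntpd`, so nothing here prevents both time daemons from being installed when both flags are true (their defaults are outside this hunk). If they are meant to be mutually exclusive, add `- not (evolinux_system_include_ntpd | bool)` to the timesyncd `when:` list, or assert at the top of the file that at most one flag is set. A one-line comment above the pair stating which one takes precedence would also document the intent.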
|
|
|
@ -13,7 +13,7 @@
|
|||
mode: "0700"
|
||||
owner: root
|
||||
group: root
|
||||
force: no
|
||||
force: false
|
||||
|
||||
- name: update-evobackup-canary script is present
|
||||
ansible.builtin.copy:
|
||||
|
|
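--- /dev/null
+++ b/evolinux-base/templates/sshd/defaults.j2
@@ -0,0 +1,15 @@
+Port 22
+{% if evolinux_root_disable_ssh %}
+PermitRootLogin no
+{% endif %}
+LogLevel VERBOSE
+SetEnv LC_ALL=en_US.UTF-8
+
+{% if evolinux_ssh_password_auth_addresses %}
+Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
+PasswordAuthentication yes
+{% endif %}
+{% if evolinux_internal_group %}
+Match Group {{ evolinux_internal_group }}
+PasswordAuthentication no
+{% endif %}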
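Review bot: `Port 22` is hard-coded in a drop-in that the role includes at the top of sshd_config; sshd accepts multiple `Port` directives, so on a host deliberately running on another port this file re-adds a listener on 22 rather than being overridden. Since 22 is sshd's compiled-in default, the line can simply be dropped, or be driven by a role variable and emitted only when that variable is set. The file also lacks a header saying it is managed by Ansible, which matters for a file that `ansible.builtin.template` overwrites on every run; a first line such as `# Managed by Ansible (evolinux-base role) - local edits will be lost` is enough. `SetEnv LC_ALL=en_US.UTF-8` likewise assumes that locale is generated on every host; where it is not, sessions get locale warnings, so it may deserve the same conditional treatment.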
@ -12,5 +12,5 @@
|
|||
src: todo.defaults.txt
|
||||
dest: /etc/evolinux/todo.txt
|
||||
mode: "0640"
|
||||
force: no
|
||||
force: false
|
||||
when: ansible_distribution == "Debian"
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -14,7 +14,7 @@
|
|||
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
cmd: "grep -Er '^AllowUsers' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -62,6 +62,37 @@
|
|||
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
replace: "PermitRootLogin no"
|
||||
notify: reload sshd
|
||||
when: evolinux_root_disable_ssh | bool
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: verify PermitRootLogin directive (Debian >= 12)
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_permitrootlogin_ssh
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
# TODO avertir lorsque PermitRootLogin est déjà configuré?
|
||||
- ansible.builtin.debug:
|
||||
var: grep_permitrootlogin_ssh
|
||||
verbosity: 1
|
||||
|
||||
- name: disable root login (Debian >= 12)
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "PermitRootLogin no"
|
||||
create: yes
|
||||
mode: "0644"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
insertbefore: "BOF"
|
||||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- grep_permitrootlogin_ssh.rc == 1
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
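Review bot: When `grep -Er '^PermitRootLogin' /etc/ssh` finds an existing directive (rc 0) — which includes an explicit `PermitRootLogin yes` in `/etc/ssh/sshd_config` — the new `disable root login (Debian >= 12)` task is skipped, so on Debian >= 12 the role leaves root login as it found it and reports that only in a verbosity-1 debug; the French TODO above it acknowledges the gap. With `evolinux_root_disable_ssh` true that is a silent fail-open, so I would fail (or at least warn at default verbosity) when the match is not `PermitRootLogin no`, as sketched below, placed between the grep and the lineinfile task. The `rc == 1` test also treats a grep error (rc 2, e.g. an unreadable file under /etc/ssh) as "already configured" and skips the task; `- grep_permitrootlogin_ssh.rc != 0` together with the check below is the safer combination.
```yaml
# … unchanged: verify PermitRootLogin directive (Debian >= 12) …
- name: refuse to leave an existing PermitRootLogin setting in place (Debian >= 12)
  ansible.builtin.fail:
    msg: "PermitRootLogin is already set under /etc/ssh and not to 'no': {{ grep_permitrootlogin_ssh.stdout }}"
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '>=')
    - grep_permitrootlogin_ssh.rc == 0
    - "'PermitRootLogin no' not in grep_permitrootlogin_ssh.stdout"
# … unchanged: disable root login (Debian >= 12) …
```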
|
|
|
@ -4,11 +4,13 @@
|
|||
# even if it's been done before
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowgroups_ssh
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
ansible.builtin.lineinfile:
|
||||
|
@ -17,7 +19,9 @@
|
|||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowgroups_ssh.rc != 0
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- grep_allowgroups_ssh.rc != 0
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
ansible.builtin.replace:
|
||||
|
@ -26,4 +30,16 @@
|
|||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowgroups_ssh.rc == 0
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "AllowGroups {{ evolinux_ssh_group }}"
|
||||
create: yes
|
||||
mode: "0644"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
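Review bot: The new `Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'` task for Debian >= 12 validates the drop-in but, unlike its Debian <= 11 counterpart above, has no `notify: reload sshd`, so the running sshd keeps its previous access list until some other task triggers the handler; add `notify: reload sshd` after the `validate:` line. The task also reuses the exact name of the Debian <= 11 task, which makes `--list-tasks` and `--start-at-task` ambiguous; `- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian >= 12)"` would follow the `(Debian >= 12)` suffix convention used elsewhere in this commit.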
|
|
|
@ -11,9 +11,9 @@
|
|||
|
||||
|
||||
- block:
|
||||
- ansible.builtin.include: sudo_stretch_common.yml
|
||||
- ansible.builtin.include: sudo_common.yml
|
||||
|
||||
- ansible.builtin.include: sudo_stretch_user.yml
|
||||
- ansible.builtin.include: sudo_user.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
loop: "{{ evolinux_users | dict2items }}"
|
||||
|
|
|
@ -10,9 +10,9 @@
|
|||
|
||||
- name: "Verify 'evolinux' sudoers file presence (Debian 9 or later)"
|
||||
ansible.builtin.template:
|
||||
src: sudoers_stretch.j2
|
||||
src: sudoers.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
force: false
|
||||
mode: "0440"
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
|
@ -4,7 +4,7 @@
|
|||
ansible.builtin.template:
|
||||
src: sudoers_jessie.j2
|
||||
dest: /etc/sudoers.d/evolinux
|
||||
force: no
|
||||
force: false
|
||||
mode: "0440"
|
||||
validate: '/usr/sbin/visudo -cf %s'
|
||||
register: copy_sudoers_evolinux
|
||||
|
|
|
@ -23,7 +23,8 @@ nagios ALL = NOPASSWD: /sbin/megacli -LdInfo -Lall -aALL -NoLog
|
|||
nagios ALL = NOPASSWD: /sbin/megacli -AdpBbuCmd -GetBbuStatus -aALL -NoLog
|
||||
nagios ALL = NOPASSWD: /sbin/ssacli controller all show status
|
||||
nagios ALL = NOPASSWD: /sbin/ssacli controller slot=0 logicaldrive all show
|
||||
|
||||
nagios ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_gluster.rb
|
||||
|
||||
nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
|
||||
|
||||
%{{ evolinux_sudo_group }} ALL=(ALL:ALL) ALL
|
|
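Review bot: The rule `nagios ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt`, which appears to be the line added here, pins the argument (good), but the probe file lives in a world-writable directory, so any local user can pre-create or symlink `/tmp/safe.txt` before the check runs; a path under a directory owned by nagios or clamav is easier to reason about and to audit. A one-line comment naming the Nagios check that relies on this rule would also help, since the other nagios rules in this block are self-describing through their plugin paths.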
@ -1,21 +1,16 @@
|
|||
#!/bin/sh
|
||||
|
||||
# EvoMaintenance script
|
||||
# Dependencies (all OS): git postgresql-client
|
||||
# Dependencies (Debian): sudo
|
||||
|
||||
# Copyright 2007-2022 Evolix <info@evolix.fr>, Gregory Colpart <reg@evolix.fr>,
|
||||
# Jérémy Lecour <jlecour@evolix.fr> and others.
|
||||
|
||||
VERSION="22.07"
|
||||
VERSION="23.10.1"
|
||||
|
||||
show_version() {
|
||||
cat <<END
|
||||
evomaintenance version ${VERSION}
|
||||
|
||||
Copyright 2007-2022 Evolix <info@evolix.fr>,
|
||||
Copyright 2007-2023 Evolix <info@evolix.fr>,
|
||||
Gregory Colpart <reg@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Brice Waegeneire <bwaegeneire@evolix.fr>,
|
||||
Mathieu Trossevin <mtrossevin@evolix.fr>
|
||||
and others.
|
||||
|
||||
evomaintenance comes with ABSOLUTELY NO WARRANTY. This is free software,
|
||||
|
@ -47,11 +42,11 @@ Options
|
|||
--no-evocheck disable evocheck execution
|
||||
--auto use "auto" mode
|
||||
--no-auto use "manual" mode (default)
|
||||
--autosysadmin author change as autosysadmin
|
||||
-u, --user=USER force USER value (default: logname(1))
|
||||
-v, --verbose increase verbosity
|
||||
-n, --dry-run actions are not executed
|
||||
--help print this message and exit
|
||||
--version print version and exit
|
||||
-V, --version print version and exit
|
||||
END
|
||||
}
|
||||
|
||||
|
@ -109,7 +104,7 @@ get_begin_date() {
|
|||
|
||||
get_ip() {
|
||||
ip=$(get_who | cut -d" " -f6 | sed -e "s/^(// ; s/)$//")
|
||||
if is_autosysadmin || [ "${ip}" = ":0" ]; then
|
||||
if is_autosysadmin || [ "${ip}" = ":0" ]; then
|
||||
ip="localhost"
|
||||
elif [ -z "${ip}" ]; then
|
||||
ip="unknown (no tty)"
|
||||
|
@ -127,8 +122,8 @@ get_now() {
|
|||
}
|
||||
|
||||
get_user() {
|
||||
if is_autosysadmin; then
|
||||
echo autosysadmin
|
||||
if [ -n "${FORCE_USER}" ]; then
|
||||
echo "${FORCE_USER}"
|
||||
else
|
||||
logname
|
||||
fi
|
||||
|
@ -193,7 +188,7 @@ print_session_data() {
|
|||
}
|
||||
|
||||
is_autosysadmin() {
|
||||
test "${AUTOSYSADMIN}" -eq 1
|
||||
test "${USER}" = "autosysadmin"
|
||||
}
|
||||
|
||||
is_repository_readonly() {
|
||||
|
@ -404,7 +399,7 @@ AUTO=${AUTO:-"0"}
|
|||
EVOCHECK=${EVOCHECK:-"0"}
|
||||
GIT_STATUS_MAX_LINES=${GIT_STATUS_MAX_LINES:-20}
|
||||
API_ENDPOINT=${API_ENDPOINT:-""}
|
||||
AUTOSYSADMIN=${AUTOSYSADMIN:-0}
|
||||
FORCE_USER=${FORCE_USER:-""}
|
||||
|
||||
# initialize variables
|
||||
MESSAGE=""
|
||||
|
@ -482,6 +477,31 @@ while :; do
|
|||
# use "auto" mode
|
||||
AUTO=1
|
||||
;;
|
||||
--autosysadmin)
|
||||
# Deprecated, backward compatibility
|
||||
# author change as autosysadmin
|
||||
printf 'WARNING: "--autosysadmin" is deprecated, use "--user autosysadmin".\n' >&2
|
||||
FORCE_USER="autosysadmin"
|
||||
;;
|
||||
-u|--user)
|
||||
# user options, with value speparated by space
|
||||
if [ -n "$2" ]; then
|
||||
FORCE_USER=$2
|
||||
shift
|
||||
else
|
||||
printf 'ERROR: "--user" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
--user=?*)
|
||||
# message options, with value speparated by =
|
||||
FORCE_USER=${1#*=}
|
||||
;;
|
||||
--user=)
|
||||
# message options, without value
|
||||
printf 'ERROR: "--user" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
;;
|
||||
-n|--dry-run)
|
||||
# disable actual commands
|
||||
DRY_RUN=1
|
||||
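Review bot: The comments on the new `--user=?*` and `--user=` cases read `# message options, with value speparated by =` and `# message options, without value`, which look copied from another option's handling; they should say `# user option, with value separated by =` and `# user option, without value` (the `-u|--user` case has the same `speparated` typo). The rewritten `is_autosysadmin()` now tests `"${USER}"`, whereas the value chosen by the new `--user`/`FORCE_USER` logic is what `get_user()` returns; unless the script assigns `USER` from `get_user` before `get_ip` runs (not visible in these hunks), `--user autosysadmin` would no longer make `get_ip` report `localhost`, so that assignment is worth confirming. `get_ip`, `get_user` and the option-parsing loop all start or end outside the hunks shown.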
|
|
|
@ -40,7 +40,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "{{ item.mode }}"
|
||||
force: yes
|
||||
force: true
|
||||
backup: yes
|
||||
loop:
|
||||
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: "{{ item.mode }}"
|
||||
force: yes
|
||||
force: true
|
||||
backup: yes
|
||||
loop:
|
||||
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
|
||||
|
|
|
@ -23,6 +23,7 @@ fail2ban_default_findtime: 10m
|
|||
fail2ban_default_action: "action_"
|
||||
|
||||
fail2ban_sshd: True
|
||||
fail2ban_sshd_port: "ssh,2222,22222"
|
||||
fail2ban_sshd_maxretry: 10
|
||||
fail2ban_sshd_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_sshd_findtime: "{{ fail2ban_default_findtime }}"
|
||||
|
@ -45,4 +46,6 @@ fail2ban_wordpress_soft_findtime: "{{ fail2ban_default_findtime }}"
|
|||
fail2ban_roundcube: False
|
||||
fail2ban_roundcube_maxretry: 5
|
||||
fail2ban_roundcube_bantime: "{{ fail2ban_default_bantime }}"
|
||||
fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"
|
||||
fail2ban_roundcube_findtime: "{{ fail2ban_default_findtime }}"
|
||||
|
||||
fail2ban_dbpurgeage_default: "86400 second"
|
||||
|
|
|
@ -14,12 +14,12 @@
|
|||
|
||||
- name:
|
||||
ansible.builtin.set_fact:
|
||||
dbpurgeage_default : "{{ dbpurgeage.stdout }}"
|
||||
fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }}"
|
||||
when: dbpurgeage.stdout | regex_search("^\\d+\w+$")
|
||||
|
||||
- name:
|
||||
ansible.builtin.set_fact:
|
||||
dbpurgeage_default : "{{ dbpurgeage.stdout }} second"
|
||||
fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }} second"
|
||||
when: dbpurgeage.stdout | regex_search("^\\d+$")
|
||||
|
||||
- name: Add crontab
|
||||
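Review bot: The renamed keys `fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }}"` and `fail2ban_dbpurgeage_default : "{{ dbpurgeage.stdout }} second"` keep a space before the colon; it parses, but yamllint's `colons` rule flags it and the rest of the commit writes `key: value`. Since the same name now also exists as a role default (`fail2ban_dbpurgeage_default: "86400 second"` in the defaults hunk), a short comment above these two tasks saying that the value detected from the existing config deliberately overrides that default would save the next reader a lookup. Both tasks still carry an empty `name:` (unchanged here); a name such as `Detect dbpurgeage from existing fail2ban configuration` would make play output readable.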
|
|
|
@ -1,8 +1,8 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
# Juin - Decembre 2022 : #64088
|
||||
# Purge pour Stretch et Buster
|
||||
|
||||
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');"
|
||||
/usr/bin/ionice -c3 /usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE datetime('now', '-{{ fail2ban_dbpurgeage_default }}') > datetime(timeofban, 'unixepoch');"
|
||||
|
||||
place_dispo=$( df -h /var/lib/fail2ban/fail2ban.sqlite3 --output="avail" -h --block-size=1 |tail -n1 )
|
||||
place_pris=$( echo $(("$(stat --format %s /var/lib/fail2ban/fail2ban.sqlite3 ) * 2" )) )
|
||||
|
|
|
@ -21,7 +21,7 @@ action = %({{ fail2ban_default_action }})s
|
|||
|
||||
[sshd]
|
||||
enabled = {{ fail2ban_sshd }}
|
||||
port = ssh,2222,22222
|
||||
port = {{ fail2ban_sshd_port }}
|
||||
|
||||
maxretry = {{ fail2ban_sshd_maxretry }}
|
||||
findtime = {{ fail2ban_sshd_findtime }}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- hosts: all
|
||||
become: yes
|
||||
become: true
|
||||
# gather_facts: no
|
||||
roles:
|
||||
- role: fail2ban
|
||||
|
|
|
@ -5,11 +5,19 @@
|
|||
state: present
|
||||
when: ansible_distribution_major_version is version('10', '<')
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Elastic GPG key is installed
|
||||
ansible.builtin.copy:
|
||||
src: elastic.asc
|
||||
dest: "{{ apt_keyring_dir }}/elastic.asc"
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
@ -33,4 +41,4 @@
|
|||
- name: Update APT cache
|
||||
ansible.builtin.apt:
|
||||
update_cache: yes
|
||||
when: elastic_sources is changed
|
||||
when: elastic_sources is changed
|
||||
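Review bot: The new `Ensure {{ apt_keyring_dir }} directory exists` task uses the short module name `file:` while every other task in this file (and the identical task in the fluentd section below) is written with the FQCN (`ansible.builtin.copy`, `ansible.builtin.apt`); use `ansible.builtin.file:` in both places. The same task sets `mode: "755"` where the rest of the commit writes four-digit octal strings such as `"0644"`; Ansible accepts the three-digit form, but `mode: "0755"` keeps one convention. Templating `apt_keyring_dir` inside the task name can also print literally in play output depending on where the variable is defined, so a static name with the path only in `path:` is the more robust choice.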
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: APT sources
|
||||
ansible.builtin.import_tasks: apt_sources.yml
|
||||
ansible.builtin.include_tasks: apt_sources.yml
|
||||
args:
|
||||
apply:
|
||||
tags:
|
||||
|
|
|
@ -1,10 +1,18 @@
|
|||
---
|
||||
|
||||
- name: "Ensure {{ apt_keyring_dir }} directory exists"
|
||||
file:
|
||||
path: "{{ apt_keyring_dir }}"
|
||||
state: directory
|
||||
mode: "755"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Add Fluentd GPG key
|
||||
ansible.builtin.copy:
|
||||
src: treasuredata.asc
|
||||
dest: "{{ apt_keyring_dir }}/treasuredata.asc"
|
||||
force: yes
|
||||
force: true
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
ansible.builtin.file:
|
||||
src: /usr/share/munin/plugins/haproxy_ng
|
||||
dest: /etc/munin/plugins/haproxy_ng
|
||||
force: yes
|
||||
force: true
|
||||
state: link
|
||||
notify: restart munin-node
|
||||
tags:
|
||||
|
|