forked from evolix/ansible-roles
Merge branch 'unstable' into stable
This commit is contained in:
commit
fe1e66f79c
20
CHANGELOG.md
20
CHANGELOG.md
|
@ -21,11 +21,29 @@ The **patch** part is incremented if multiple releases happen the same month
|
|||
|
||||
### Security
|
||||
|
||||
## [24.05] 2024-05-15
|
||||
|
||||
### Added
|
||||
|
||||
* apt: add list-upgradable-held-packages.sh
|
||||
|
||||
### Changed
|
||||
|
||||
* evobackup-client: upstream release 24.05.1
|
||||
* evolinux-base: improve adding the current user to SSH AllowGroups of AllowUsers
|
||||
* evolinux-users: improve SSH configuration
|
||||
* evomaintenance: upstream release 24.05
|
||||
* evomaintenance: move upstream files into upstream folder
|
||||
|
||||
### Fixed
|
||||
|
||||
* apt: use archive.debian.org with Buster
|
||||
|
||||
## [24.04] 2024-04-30
|
||||
|
||||
### Added
|
||||
|
||||
proftpd: optional configuration of IP whitelists per groups of users
|
||||
* proftpd: optional configuration of IP whitelists per groups of users
|
||||
|
||||
### Changed
|
||||
|
||||
|
|
|
@ -29,4 +29,7 @@ apt_check_hold_cron_weekday: "*"
|
|||
apt_check_hold_cron_day: "*"
|
||||
apt_check_hold_cron_month: "*"
|
||||
|
||||
apt_list_upgradable_held_enabled: False
|
||||
apt_list_upgradable_held_special_time: "weekly"
|
||||
|
||||
apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
|
||||
|
|
127
apt/files/list-upgradable-held-packages.sh
Normal file
127
apt/files/list-upgradable-held-packages.sh
Normal file
|
@ -0,0 +1,127 @@
|
|||
#!/bin/bash
|
||||
|
||||
#####
|
||||
# This script will send an email if some packages are on hold
|
||||
# but have available updates.
|
||||
#####
|
||||
|
||||
readonly VERSION="24.05"
|
||||
|
||||
# set all programs to C language (english)
|
||||
export LC_ALL=C
|
||||
|
||||
# If expansion is attempted on an unset variable or parameter, the shell prints an
|
||||
# error message, and, if not interactive, exits with a non-zero status.
|
||||
set -o nounset
|
||||
# The pipeline's return status is the value of the last (rightmost) command
|
||||
# to exit with a non-zero status, or zero if all commands exit successfully.
|
||||
set -o pipefail
|
||||
# Enable trace mode if called with environment variable TRACE=1
|
||||
if [[ "${TRACE-0}" == "1" ]]; then
|
||||
set -o xtrace
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2155
|
||||
readonly PROGPATH=$(readlink -m "${0}")
|
||||
# readonly PROGNAME=$(basename "${PROGPATH}")
|
||||
# # shellcheck disable=SC2124
|
||||
# readonly ARGS=$@
|
||||
|
||||
# Fetch values from evomaintenance configuration
|
||||
get_evomaintenance_mail() {
|
||||
grep "EVOMAINTMAIL=" /etc/evomaintenance.cf | cut -d '=' -f2
|
||||
}
|
||||
get_fqdn() {
|
||||
hostname --fqdn
|
||||
}
|
||||
get_complete_hostname() {
|
||||
REAL_HOSTNAME="$(get_fqdn)"
|
||||
if [ "${HOSTNAME}" = "${REAL_HOSTNAME}" ]; then
|
||||
echo "${HOSTNAME}"
|
||||
else
|
||||
echo "${HOSTNAME} (${REAL_HOSTNAME})"
|
||||
fi
|
||||
}
|
||||
|
||||
format_mail() {
|
||||
cat <<EOTEMPLATE
|
||||
From: Evolix <${EMAIL_FROM}>
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 8bit
|
||||
X-Script: ${PROGPATH}
|
||||
X-Script-Version: ${VERSION}
|
||||
To: ${EMAIL_CLIENT:-alert5@evolix.fr}
|
||||
Subject: Mise a jour manuelle disponible
|
||||
|
||||
Bonjour,
|
||||
|
||||
Un ou plusieurs paquets dont la mise à jour automatique a été
|
||||
explicitement bloquée ont une nouvelle version disponible.
|
||||
|
||||
Nom du serveur :
|
||||
${HOSTNAME_TEXT}
|
||||
|
||||
Liste des paquets :
|
||||
${upgradable_held_packages}
|
||||
|
||||
Pour que nous appliquions ces mises à jour vous devez
|
||||
nous contacter explicitement, de préférence par ticket,
|
||||
en mentionnant le serveur et les paquets concernés,
|
||||
ainsi que les modalités de mise à jour (créneau horaire,
|
||||
procédure technique…).
|
||||
|
||||
Cordialement
|
||||
|
||||
--
|
||||
Evolix
|
||||
EOTEMPLATE
|
||||
}
|
||||
|
||||
main() {
|
||||
held_packages=$(apt-mark showhold)
|
||||
upgradable_packages=$(apt list --upgradable 2> /dev/null)
|
||||
|
||||
if [ -z "${held_packages}" ]; then
|
||||
# No packages are on hold
|
||||
exit 0
|
||||
elif [ -z "${upgradable_packages}" ]; then
|
||||
# No packages are upgradable
|
||||
exit 0
|
||||
fi
|
||||
|
||||
kept_back_output=$(LC_ALL=C apt-get upgrade --dry-run | grep -A 1 'The following packages have been kept back:')
|
||||
if [ -z "${kept_back_output}" ]; then
|
||||
# No packages are kept back
|
||||
exit 0
|
||||
fi
|
||||
|
||||
upgradable_held_packages=$(apt list --upgradable 2> /dev/null | grep -f <(echo "${kept_back_output}" | tail -1 | tr ' ' '\n' | sed -e '/^$/d'))
|
||||
|
||||
if [ -z "${upgradable_held_packages}" ]; then
|
||||
# No held packages are upgradable
|
||||
exit 0
|
||||
fi
|
||||
|
||||
HOSTNAME="$(get_fqdn)"
|
||||
HOSTNAME_TEXT="$(get_complete_hostname)"
|
||||
EMAIL_CLIENT="$(get_evomaintenance_mail)"
|
||||
EMAIL_FROM="equipe@evolix.fr"
|
||||
MAIL_CONTENT="$(format_mail)"
|
||||
|
||||
SENDMAIL_BIN="$(command -v sendmail)"
|
||||
|
||||
if [ -z "${SENDMAIL_BIN}" ]; then
|
||||
>&2 echo "ERROR: No \`sendmail' command has been found, can't send mail."
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -x "${SENDMAIL_BIN}" ]; then
|
||||
>&2 echo "ERROR: \`${SENDMAIL_BIN}' is not executable, can't send mail."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "${MAIL_CONTENT}" | "${SENDMAIL_BIN}" -oi -t -f "equipe@evolix.fr"
|
||||
exit 0
|
||||
}
|
||||
|
||||
main
|
|
@ -76,7 +76,16 @@
|
|||
tags:
|
||||
- apt
|
||||
|
||||
- name: Check if Cron is installed
|
||||
- name: List scripts is installed
|
||||
ansible.builtin.copy:
|
||||
src: list-upgradable-held-packages.sh
|
||||
dest: /usr/share/scripts/list-upgradable-held-packages.sh
|
||||
force: true
|
||||
mode: "0755"
|
||||
tags:
|
||||
- apt
|
||||
|
||||
- name: Check if cron is installed
|
||||
ansible.builtin.shell:
|
||||
cmd: "dpkg --list 'cron' 2>/dev/null | grep -q -E '^(i|h)i'"
|
||||
register: is_cron
|
||||
|
@ -101,3 +110,15 @@
|
|||
tags:
|
||||
- apt
|
||||
when: is_cron.rc == 0
|
||||
|
||||
- name: List upgradable held packages (script)
|
||||
ansible.builtin.cron:
|
||||
cron_file: apt-hold-packages
|
||||
name: list-upgradable-held-packages
|
||||
job: "/usr/share/scripts/list-upgradable-held-packages.sh"
|
||||
user: root
|
||||
special_time: "{{ apt_list_upgradable_held_special_time | mandatory }}"
|
||||
state: "{{ apt_list_upgradable_held_enabled | bool | ternary('present', 'absent') }}"
|
||||
tags:
|
||||
- apt
|
||||
when: is_cron.rc == 0
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian buster-backports {{ apt_backports_components | mandatory }}
|
||||
deb http://archive.debian.org/debian buster-backports {{ apt_backports_components | mandatory }}
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
|
||||
deb http://mirror.evolix.org/debian buster-updates {{ apt_basics_components | mandatory }}
|
||||
deb http://archive.debian.org/debian buster {{ apt_basics_components | mandatory }}
|
||||
deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}
|
||||
|
|
|
@ -23,13 +23,29 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
### Security
|
||||
|
||||
## [24.04.1]
|
||||
## [24.05.1] - 2022-05-14
|
||||
|
||||
### Fixed
|
||||
|
||||
* client: fix shell syntax error
|
||||
|
||||
## [24.05] - 2022-05-02
|
||||
|
||||
### Added
|
||||
|
||||
* evobackupctl: update LIBDIR when copying the template
|
||||
|
||||
### Changed
|
||||
|
||||
* evobackupctl: simplify the program path retrieval
|
||||
|
||||
## [24.04.1] - 2022-04-30
|
||||
|
||||
### Fixed
|
||||
|
||||
* evobackupctl: quote ARGS variable for options parsing.
|
||||
|
||||
## [24.04]
|
||||
## [24.04] - 2022-04-29
|
||||
|
||||
### Added
|
||||
|
||||
|
@ -52,7 +68,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
* don't exit the whole program if a sync task can't be done
|
||||
|
||||
## [22.12]
|
||||
## [22.12] - 2022-12-27
|
||||
|
||||
### Changed
|
||||
|
||||
|
@ -77,6 +93,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
* Make start_time and stop_time compatible with OpenBSD
|
||||
|
||||
## [22.03]
|
||||
## [22.03] - 2022-04-03
|
||||
|
||||
Split client and server parts of the project
|
||||
|
|
|
@ -1,9 +1,8 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# shellcheck disable=SC2155
|
||||
readonly PROGNAME=$(basename "${0}")
|
||||
# shellcheck disable=SC2155
|
||||
readonly PROGDIR=$(readlink -m "$(dirname "${0}")")
|
||||
readonly PROGPATH=$(readlink -m "${0}")
|
||||
readonly PROGNAME=$(basename "${PROGPATH}")
|
||||
# shellcheck disable=SC2124
|
||||
readonly ARGS=$@
|
||||
|
||||
|
@ -78,10 +77,14 @@ copy_template() {
|
|||
if cp "${LIBDIR}/zzz_evobackup.sh" "${dest_path}"; then
|
||||
chmod 750 "${dest_path}"
|
||||
|
||||
sed -i "s|@COMMAND@|${PROGDIR}/${PROGNAME} ${ARGS}|" "${dest_path}"
|
||||
# Insert metadata about the template
|
||||
sed -i "s|@COMMAND@|${PROGPATH} ${ARGS}|" "${dest_path}"
|
||||
sed -i "s|@DATE@|$(date --iso-8601=seconds)|" "${dest_path}"
|
||||
sed -i "s|@VERSION@|${VERSION}|" "${dest_path}"
|
||||
|
||||
# Make sure that the library directory is correct
|
||||
sed -i "s|^LIBDIR=.\+|LIBDIR=\"${LIBDIR}\"|" "${dest_path}"
|
||||
|
||||
printf "New evobackup script has been saved to '%s'.\n" "${dest_path}"
|
||||
printf "Remember to customize it (mail notifications, backup servers…).\n"
|
||||
exit 0
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env bash
|
||||
# shellcheck disable=SC2034,SC2317
|
||||
|
||||
readonly VERSION="24.04.1"
|
||||
readonly VERSION="24.05.1"
|
||||
|
||||
# set all programs to C language (english)
|
||||
export LC_ALL=C
|
||||
|
|
|
@ -105,7 +105,7 @@ test_server() {
|
|||
pick_server() {
|
||||
local -i increment=${1:-0}
|
||||
local -i list_length=${#SERVERS[@]}
|
||||
local sync_name=${2:""}
|
||||
local sync_name=${2:-""}
|
||||
|
||||
if (( increment >= list_length )); then
|
||||
# We've reached the end of the list
|
||||
|
|
|
@ -10,11 +10,11 @@
|
|||
- name: "Remount /usr if needed"
|
||||
include_role:
|
||||
name: remount-usr
|
||||
when: evobackup_client__lib_dir is search("/usr") or evobackup_client__bin_dir is search("/usr")
|
||||
when: evobackup_client__lib_dir is search("/usr") or evobackup_client__bin_dir is search("/usr")
|
||||
|
||||
- name: copy evobackup libs
|
||||
ansible.builtin.copy:
|
||||
src: upstream/lib
|
||||
src: upstream/lib/
|
||||
dest: "{{ evobackup_client__lib_dir }}/"
|
||||
force: True
|
||||
mode: "0644"
|
||||
|
|
|
@ -37,6 +37,6 @@ Main variables are:
|
|||
* `evolinux_postfix_purge_exim`: purge Exim packages (default: `True`) ;
|
||||
* `evolinux_ssh_password_auth_addresses`: list of addresses that can authenticate with a password (default: `[]`)
|
||||
* `evolinux_ssh_disable_root`: disable SSH access for root (default: `False`)
|
||||
* `evolinux_ssh_allow_current_user`: don't lock yourself out (default: `False`)
|
||||
* `evolinux_ssh_allow_current_user`: don't lock yourself out is there is an AllowUsers or AllowGroups directive (default: `False`)
|
||||
|
||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
||||
|
|
|
@ -16,34 +16,78 @@
|
|||
dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
|
||||
mode: "0644"
|
||||
|
||||
- name: "Get current user's group"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
register: logname
|
||||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
# Should we allow the current user?
|
||||
- name: Allow the current user
|
||||
block:
|
||||
- name: "Get current user's login"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
register: _logname
|
||||
check_mode: no
|
||||
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -ER '^AllowUsers' /etc/ssh"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
|
||||
- name: "Add AllowUsers sshd directive for current user"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config.d/allow_evolinux_user.conf
|
||||
create: yes
|
||||
line: "AllowUsers {{ logname.stdout }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowgroups_ssh
|
||||
check_mode: no
|
||||
|
||||
# If we have AllowUsers but not AllowGroups, append the user to the list
|
||||
# (in the first file where we found the directive)
|
||||
|
||||
- name: "Append user to existing AllowUsers sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$'
|
||||
replace: '\1 {{ _logname.stdout }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc == 0
|
||||
- grep_allowgroups_ssh.rc != 0
|
||||
|
||||
# If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list
|
||||
# (in the first file where we found the directive)
|
||||
|
||||
- name: "Append evolinux ssh group to AllowGroups sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "evolinux ssh group is present"
|
||||
ansible.builtin.group:
|
||||
name: "{{ evolinux_ssh_group }}"
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Add current user to evolinux ssh group"
|
||||
ansible.builtin.user:
|
||||
name: "{{ _logname.stdout }}"
|
||||
group: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
# If we don't have AllowGroups nor AllowUsers, do nothing
|
||||
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
||||
# TODO si allowusers et allowgroups, ajouter utilisateur aux deux
|
||||
# TODO si allowgroups, ajouter groupe de l’utilisateur
|
||||
|
|
|
@ -61,40 +61,66 @@
|
|||
notify: reload sshd
|
||||
when: ansible_distribution_major_version is version('9', '>=')
|
||||
|
||||
- name: "Get current user"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
register: logname
|
||||
check_mode: no
|
||||
# Should we allow the current user?
|
||||
- name: Allow the current user
|
||||
block:
|
||||
- name: "Get current user"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
register: _logname
|
||||
check_mode: no
|
||||
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowgroups_ssh
|
||||
check_mode: no
|
||||
|
||||
# If we have AllowUsers but not AllowGroups, append the user to the list
|
||||
|
||||
- name: "Modify AllowUsers sshd directive for current user"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$'
|
||||
replace: '\1 {{ _logname.stdout }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc == 0
|
||||
- grep_allowgroups_ssh.rc != 0
|
||||
|
||||
# If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list
|
||||
|
||||
- name: "Add current user to {{ evolinux_ssh_group }} group"
|
||||
ansible.builtin.user:
|
||||
name: "{{ _logname.stdout }}"
|
||||
group: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: "/etc/ssh/sshd_config"
|
||||
regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
# we must double-escape caracters, because python
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
register: grep_allowusers_ssh
|
||||
check_mode: no
|
||||
when: evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- name: "Add AllowUsers sshd directive for current user"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ logname.stdout }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
|
||||
|
||||
- name: "Modify AllowUsers sshd directive for current user"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
|
||||
replace: '\1 {{ logname.stdout }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -1,8 +1,23 @@
|
|||
---
|
||||
|
||||
- name: Fetch SSHd config files
|
||||
ansible.builtin.command:
|
||||
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: _ssh_config_paths
|
||||
|
||||
- ansible.builtin.debug:
|
||||
var: _ssh_config_paths
|
||||
verbosity: 1
|
||||
|
||||
############################
|
||||
# AllowUsers or AllowGroups
|
||||
############################
|
||||
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -14,7 +29,7 @@
|
|||
|
||||
- name: verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^AllowUsers' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -42,12 +57,14 @@
|
|||
var: ssh_allowusers
|
||||
verbosity: 1
|
||||
|
||||
- ansible.builtin.include: ssh_allowgroups.yml
|
||||
- name: Configure SSH in AllowGroups mode
|
||||
ansible.builtin.include: ssh_allowgroups.yml
|
||||
when:
|
||||
- ssh_allowgroups
|
||||
- not ssh_allowusers
|
||||
|
||||
- ansible.builtin.include: ssh_allowusers.yml
|
||||
- name: Configure SSH in AllowUsers mode
|
||||
ansible.builtin.include: ssh_allowusers.yml
|
||||
vars:
|
||||
user: "{{ item.value }}"
|
||||
loop: "{{ evolinux_users | dict2items }}"
|
||||
|
@ -56,7 +73,24 @@
|
|||
- ssh_allowusers
|
||||
- not ssh_allowgroups
|
||||
|
||||
- name: disable root login
|
||||
# Do this again, to update the value
|
||||
|
||||
- name: Fetch SSHd config files
|
||||
ansible.builtin.command:
|
||||
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: _ssh_config_paths
|
||||
|
||||
##################
|
||||
# PermitRootLogin
|
||||
##################
|
||||
|
||||
### For Debian < 12
|
||||
# if there is a commented value for PermitRootLogin
|
||||
# we replace it with a "no"
|
||||
|
||||
- name: Root login is disabled (Debian < 12)
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
|
||||
|
@ -64,11 +98,15 @@
|
|||
notify: reload sshd
|
||||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- ansible_distribution_major_version is version('12', '<')
|
||||
|
||||
### For Debian >= 12
|
||||
# if there is no value for PermitRootLogin (anywhere)
|
||||
# we add a "no" in z-evolinux-users.conf
|
||||
|
||||
- name: verify PermitRootLogin directive (Debian >= 12)
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^PermitRootLogin' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
|
@ -76,12 +114,7 @@
|
|||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
# TODO avertir lorsque PermitRootLogin est déjà configuré?
|
||||
- ansible.builtin.debug:
|
||||
var: grep_permitrootlogin_ssh
|
||||
verbosity: 1
|
||||
|
||||
- name: disable root login (Debian >= 12)
|
||||
- name: Root login is disabled (Debian >= 12)
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "PermitRootLogin no"
|
||||
|
@ -93,6 +126,48 @@
|
|||
when:
|
||||
- evolinux_root_disable_ssh | bool
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- grep_permitrootlogin_ssh.rc == 1
|
||||
- grep_permitrootlogin_ssh.rc != 0
|
||||
|
||||
#####################
|
||||
# Allow current user
|
||||
#####################
|
||||
|
||||
- name: Allow current user
|
||||
block:
|
||||
- name: Check if evolinux ssh group is used
|
||||
ansible.builtin.command:
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups.+{{ evolinux_ssh_group }}' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_evolinux_group_ssh
|
||||
|
||||
- debug:
|
||||
var: grep_evolinux_group_ssh
|
||||
|
||||
- name: "Get current user's login"
|
||||
ansible.builtin.command:
|
||||
cmd: logname
|
||||
changed_when: False
|
||||
register: _logname
|
||||
check_mode: no
|
||||
|
||||
- debug:
|
||||
var: evolinux_ssh_group
|
||||
|
||||
- debug:
|
||||
var: evolinux_ssh_allow_current_user
|
||||
|
||||
- name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group"
|
||||
ansible.builtin.user:
|
||||
name: "{{ _logname.stdout }}"
|
||||
groups: "{{ evolinux_ssh_group }}"
|
||||
append: yes
|
||||
when:
|
||||
- grep_evolinux_group_ssh.rc == 0
|
||||
when:
|
||||
- evolinux_ssh_group is defined
|
||||
- evolinux_ssh_group | length > 0
|
||||
- evolinux_ssh_allow_current_user | bool
|
||||
|
||||
- ansible.builtin.meta: flush_handlers
|
||||
|
|
|
@ -1,18 +1,27 @@
|
|||
---
|
||||
|
||||
###
|
||||
# this check must be repeated for each user
|
||||
# even if it's been done before
|
||||
|
||||
- name: Fetch SSHd config files
|
||||
ansible.builtin.command:
|
||||
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: _ssh_config_paths
|
||||
|
||||
- name: verify AllowGroups directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -Er '^AllowGroups' /etc/ssh"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowgroups_ssh
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
###
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian < 12)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||
|
@ -21,25 +30,25 @@
|
|||
notify: reload sshd
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- grep_allowgroups_ssh.rc != 0
|
||||
- grep_allowgroups_ssh.rc == 1 # Not found
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}' (Debian >= 12)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "\nAllowGroups {{ evolinux_ssh_group }}"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
create: yes
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- grep_allowgroups_ssh.rc == 1 # Not found
|
||||
|
||||
- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
|
||||
replace: '\1 {{ evolinux_ssh_group }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '<=')
|
||||
- grep_allowgroups_ssh.rc == 0
|
||||
|
||||
- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
|
||||
ansible.builtin.lineinfile:
|
||||
path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "AllowGroups {{ evolinux_ssh_group }}"
|
||||
create: yes
|
||||
mode: "0644"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
when:
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
- grep_allowgroups_ssh.rc == 0 or grep_allowgroups_ssh.rc == 2 # Found, return code can be 0 or 2
|
||||
|
|
|
@ -1,55 +1,84 @@
|
|||
---
|
||||
|
||||
# this check must be repeated for each user
|
||||
###
|
||||
# these checks must be repeated for each user
|
||||
# even if it's been done before
|
||||
- name: verify AllowUsers directive
|
||||
|
||||
- name: Fetch SSHd config files
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
|
||||
cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: _ssh_config_paths
|
||||
|
||||
- name: Verify AllowUsers directive
|
||||
ansible.builtin.command:
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_allowusers_ssh
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}'"
|
||||
###
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian < 12)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc != 0
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- ansible_distribution_major_version is version('12', '<')
|
||||
|
||||
- name: "Add AllowUsers sshd directive with '{{ user.name }}' (Debian >= 12)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config.d/z-evolinux-users.conf
|
||||
line: "\nAllowUsers {{ user.name }}"
|
||||
insertafter: 'Subsystem'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when:
|
||||
- grep_allowusers_ssh.rc != 0
|
||||
- ansible_distribution_major_version is version('12', '>=')
|
||||
|
||||
- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
|
||||
replace: '\1 {{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_allowusers_ssh.rc == 0
|
||||
when:
|
||||
- grep_allowusers_ssh.rc == 0
|
||||
|
||||
- name: "verify Match User directive"
|
||||
ansible.builtin.command:
|
||||
cmd: "grep -E '^Match User' /etc/ssh/sshd_config"
|
||||
cmd: "grep --extended-regexp --recursive --files-with-matches '^Match User' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_matchuser_ssh
|
||||
|
||||
- name: "Add Match User sshd directive with '{{ user.name }}'"
|
||||
- name: "Add Match User sshd directive with '{{ user.name }}' (Debian <= 10)"
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/ssh/sshd_config
|
||||
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
|
||||
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc != 0
|
||||
when:
|
||||
- grep_matchuser_ssh.rc != 0
|
||||
- ansible_distribution_major_version is version('10', '<=')
|
||||
|
||||
- name: "Append '{{ user.name }}' to Match User's sshd directive"
|
||||
- name: "Append '{{ user.name }}' to Match User's sshd directive (Debian <= 10)"
|
||||
ansible.builtin.replace:
|
||||
dest: /etc/ssh/sshd_config
|
||||
dest: "{{ grep_matchuser_ssh.stdout_lines[0] }}"
|
||||
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
|
||||
replace: '\1,{{ user.name }}'
|
||||
validate: '/usr/sbin/sshd -t -f %s'
|
||||
notify: reload sshd
|
||||
when: grep_matchuser_ssh.rc == 0
|
||||
when:
|
||||
- grep_matchuser_ssh.rc == 0
|
||||
- ansible_distribution_major_version is version('10', '<=')
|
||||
|
|
|
@ -1,33 +0,0 @@
|
|||
From: __FULLFROM__
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
MIME-Version: 1.0
|
||||
Content-Transfer-Encoding: 8bit
|
||||
To: __TO__
|
||||
Subject: [evomaintenance] Intervention sur __HOSTNAME__ (__USER__)
|
||||
|
||||
Bonjour,
|
||||
|
||||
Une intervention vient de se terminer sur votre serveur.
|
||||
Voici les renseignements sur l'intervention :
|
||||
|
||||
Nom du serveur : __HOSTNAME__
|
||||
Personne ayant réalisée l'intervention : __USER__
|
||||
Intervention réalisée depuis : __IP__
|
||||
Début de l'intervention : __BEGIN_DATE__
|
||||
Fin de l'intervention : __END_DATE__
|
||||
|
||||
###
|
||||
Renseignements sur l'intervention :
|
||||
__TEXTE__
|
||||
###
|
||||
|
||||
__GIT_COMMITS__
|
||||
|
||||
Pour réagir à cette intervention, vous pouvez répondre à ce message
|
||||
(sur l'adresse mail __FROM__). En cas d'urgence, utilisez
|
||||
l'adresse __URGENCYFROM__ ou notre téléphone portable d'astreinte
|
||||
(__URGENCYTEL__)
|
||||
|
||||
Cordialement,
|
||||
--
|
||||
__FULLFROM__
|
100
evomaintenance/files/upstream/CHANGELOG.md
Normal file
100
evomaintenance/files/upstream/CHANGELOG.md
Normal file
|
@ -0,0 +1,100 @@
|
|||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
||||
and this project **does not adhere to [Semantic Versioning](http://semver.org/spec/v2.0.0.html)**.
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
|
||||
Add missing (but documented) `--(no-)evocheck` options
|
||||
|
||||
### Changed
|
||||
|
||||
### Deprecated
|
||||
|
||||
### Removed
|
||||
|
||||
### Fixed
|
||||
|
||||
### Security
|
||||
|
||||
## [23.10.1] - 2023-10-09
|
||||
|
||||
### Fixed
|
||||
|
||||
* Use a special variable name since USER is always defined from the environment
|
||||
|
||||
## [23.10] - 2023-10-09
|
||||
|
||||
### Added
|
||||
|
||||
* Force a user name with `-u,--user` option (default is still `logname(1)`).
|
||||
* More people credited
|
||||
|
||||
### Deprecated
|
||||
|
||||
* `--autosysadmin` is replaced by `--user autosysadmin`
|
||||
|
||||
|
||||
|
||||
## [22.07] - 2022-07-05
|
||||
|
||||
### Added
|
||||
|
||||
* Add `--autosysadmin` flag
|
||||
* Commit change in /etc of lxc containers
|
||||
|
||||
### Changed
|
||||
|
||||
### Deprecated
|
||||
|
||||
### Removed
|
||||
|
||||
### Fixed
|
||||
|
||||
### Security
|
||||
|
||||
## [22.01] - 2022-01-25
|
||||
|
||||
### Added
|
||||
|
||||
* version/host/user headers in sent email
|
||||
|
||||
### Changed
|
||||
|
||||
New version pattern
|
||||
|
||||
## [0.6.4] - 2021-06-17
|
||||
|
||||
### Added
|
||||
|
||||
* fallback if findmnt is absent
|
||||
|
||||
## [0.6.3] - 2020-02-02
|
||||
|
||||
### Added
|
||||
|
||||
* Notify syslog when partitions are re-mounted (Linux)
|
||||
|
||||
## [0.6.2] - 2020-02-02
|
||||
|
||||
### Fixed
|
||||
|
||||
* better detection of read-only partitions (Linux)
|
||||
|
||||
## [0.6.0] - 2019-11-05
|
||||
|
||||
### Added
|
||||
|
||||
* commit changes in /usr/share/scripts/ if needed
|
||||
|
||||
## Previous changelog
|
||||
|
||||
* 0.5.0 : options et mode interactif pour l'exécution des actions, meilleure compatibilité POSIX
|
||||
* 0.4.1 : Utilisation de "printf" à la place de "echo" pour mieux gérer les sauts de ligne
|
||||
* 0.4.0 : Amélioration de la récupération d'information (plus de cas gérés). Infos Git avant la saisie.
|
||||
* 0.3.0 : Écriture dans un fichier de log, amélioration de la récupération d'informations, amélioration de la syntaxe shell
|
||||
* 0.2.7 : Correction d'un bug lors de l'utilisation de '&' dans le texte
|
||||
* 0.2.6 : Precision du charset dans les entetes du mail
|
||||
* 0.2.5 : Correction d'un bug avec le path de sendmail sous OpenBSD
|
||||
* 0.2.4 : Correction d'un bug lors de l'utilisation de '/' dans le texte
|
||||
* 0.2.3 : Correction d'un bug avec $REALM
|
30
evomaintenance/files/upstream/README.md
Normal file
30
evomaintenance/files/upstream/README.md
Normal file
|
@ -0,0 +1,30 @@
|
|||
# Evomaintenance
|
||||
|
||||
```.plain
|
||||
$ evomaintenance --help
|
||||
evomaintenance is a program that helps reporting what you've done on a server
|
||||
|
||||
Usage: evomaintenance
|
||||
or evomaintenance --message="add new host"
|
||||
or evomaintenance --no-api --no-mail --no-commit
|
||||
or echo "add new vhost" | evomaintenance
|
||||
|
||||
Options
|
||||
-m, --message=MESSAGE set the message from the command line
|
||||
--mail enable the mail hook (default)
|
||||
--no-mail disable the mail hook
|
||||
--db enable the database hook
|
||||
--no-db disable the database hook (default)
|
||||
--api enable the API hook (default)
|
||||
--no-api disable the API hook
|
||||
--commit enable the commit hook (default)
|
||||
--no-commit disable the commit hook
|
||||
--evocheck enable evocheck execution (default)
|
||||
--no-evocheck disable evocheck execution
|
||||
--auto use "auto" mode
|
||||
--no-auto use "manual" mode (default)
|
||||
-v, --verbose increase verbosity
|
||||
-n, --dry-run actions are not executed
|
||||
--help print this message and exit
|
||||
--version print version and exit
|
||||
```
|
|
@ -1,12 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
VERSION="23.10.1"
|
||||
VERSION="24.05"
|
||||
|
||||
show_version() {
|
||||
cat <<END
|
||||
evomaintenance version ${VERSION}
|
||||
|
||||
Copyright 2007-2023 Evolix <info@evolix.fr>,
|
||||
Copyright 2007-2024 Evolix <info@evolix.fr>,
|
||||
Gregory Colpart <reg@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Brice Waegeneire <bwaegeneire@evolix.fr>,
|
||||
|
@ -437,6 +437,14 @@ while :; do
|
|||
printf 'ERROR: "--message" requires a non-empty option argument.\n' >&2
|
||||
exit 1
|
||||
;;
|
||||
--no-evocheck)
|
||||
# disable evocheck hook
|
||||
EVOCHECK=0
|
||||
;;
|
||||
--evocheck)
|
||||
# enable evocheck hook
|
||||
EVOCHECK=1
|
||||
;;
|
||||
--no-commit)
|
||||
# disable commit hook
|
||||
HOOK_COMMIT=0
|
||||
|
@ -581,7 +589,7 @@ GIT_REPOSITORIES="/etc /etc/bind /usr/share/scripts"
|
|||
|
||||
# Add /etc directories from lxc containers if they are git directories
|
||||
if [ -d /var/lib/lxc ]; then
|
||||
GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')"
|
||||
GIT_REPOSITORIES="${GIT_REPOSITORIES} $(find -L /var/lib/lxc/ -maxdepth 3 -name 'etc' | tr '\n' ' ' | sed 's/[[:space:]]\+$//')"
|
||||
fi
|
||||
|
||||
# initialize variable
|
|
@ -35,15 +35,12 @@
|
|||
|
||||
- name: Evomaintenance script and template are installed
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
src: "upstream/evomaintenance.sh"
|
||||
dest: "/usr/share/scripts/"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "{{ item.mode }}"
|
||||
mode: "0700"
|
||||
force: true
|
||||
backup: yes
|
||||
loop:
|
||||
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
|
||||
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
|
||||
tags:
|
||||
- evomaintenance
|
||||
- evomaintenance
|
||||
|
|
|
@ -1,52 +1,29 @@
|
|||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
Version: GnuPG v1
|
||||
Comment: GPGTools - https://gpgtools.org
|
||||
|
||||
mQINBFObJLYBEADkFW8HMjsoYRJQ4nCYC/6Eh0yLWHWfCh+/9ZSIj4w/pOe2V6V+
|
||||
W6DHY3kK3a+2bxrax9EqKe7uxkSKf95gfns+I9+R+RJfRpb1qvljURr54y35IZgs
|
||||
fMG22Np+TmM2RLgdFCZa18h0+RbH9i0b+ZrB9XPZmLb/h9ou7SowGqQ3wwOtT3Vy
|
||||
qmif0A2GCcjFTqWW6TXaY8eZJ9BCEqW3k/0Cjw7K/mSy/utxYiUIvZNKgaG/P8U7
|
||||
89QyvxeRxAf93YFAVzMXhoKxu12IuH4VnSwAfb8gQyxKRyiGOUwk0YoBPpqRnMmD
|
||||
Dl7SdmY3oQHEJzBelTMjTM8AjbB9mWoPBX5G8t4u47/FZ6PgdfmRg9hsKXhkLJc7
|
||||
C1btblOHNgDx19fzASWX+xOjZiKpP6MkEEzq1bilUFul6RDtxkTWsTa5TGixgCB/
|
||||
G2fK8I9JL/yQhDc6OGY9mjPOxMb5PgUlT8ox3v8wt25erWj9z30QoEBwfSg4tzLc
|
||||
Jq6N/iepQemNfo6Is+TG+JzI6vhXjlsBm/Xmz0ZiFPPObAH/vGCY5I6886vXQ7ft
|
||||
qWHYHT8jz/R4tigMGC+tvZ/kcmYBsLCCI5uSEP6JJRQQhHrCvOX0UaytItfsQfLm
|
||||
EYRd2F72o1yGh3yvWWfDIBXRmaBuIGXGpajC0JyBGSOWb9UxMNZY/2LJEwARAQAB
|
||||
tB9Ob2RlU291cmNlIDxncGdAbm9kZXNvdXJjZS5jb20+iQI4BBMBAgAiBQJTmyS2
|
||||
AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAWVaCraFdigHTmD/9OKhUy
|
||||
jJ+h8gMRg6ri5EQxOExccSRU0i7UHktecSs0DVC4lZG9AOzBe+Q36cym5Z1di6JQ
|
||||
kHl69q3zBdV3KTW+H1pdmnZlebYGz8paG9iQ/wS9gpnSeEyx0Enyi167Bzm0O4A1
|
||||
GK0prkLnz/yROHHEfHjsTgMvFwAnf9uaxwWgE1d1RitIWgJpAnp1DZ5O0uVlsPPm
|
||||
XAhuBJ32mU8S5BezPTuJJICwBlLYECGb1Y65Cil4OALU7T7sbUqfLCuaRKxuPtcU
|
||||
VnJ6/qiyPygvKZWhV6Od0Yxlyed1kftMJyYoL8kPHfeHJ+vIyt0s7cropfiwXoka
|
||||
1iJB5nKyt/eqMnPQ9aRpqkm9ABS/r7AauMA/9RALudQRHBdWIzfIg0Mlqb52yyTI
|
||||
IgQJHNGNX1T3z1XgZhI+Vi8SLFFSh8x9FeUZC6YJu0VXXj5iz+eZmk/nYjUt4Mtc
|
||||
pVsVYIB7oIDIbImODm8ggsgrIzqxOzQVP1zsCGek5U6QFc9GYrQ+Wv3/fG8hfkDn
|
||||
xXLww0OGaEQxfodm8cLFZ5b8JaG3+Yxfe7JkNclwvRimvlAjqIiW5OK0vvfHco+Y
|
||||
gANhQrlMnTx//IdZssaxvYytSHpPZTYw+qPEjbBJOLpoLrz8ZafN1uekpAqQjffI
|
||||
AOqW9SdIzq/kSHgl0bzWbPJPw86XzzftewjKNbkCDQRTmyS2ARAAxSSdQi+WpPQZ
|
||||
fOflkx9sYJa0cWzLl2w++FQnZ1Pn5F09D/kPMNh4qOsyvXWlekaV/SseDZtVziHJ
|
||||
Km6V8TBG3flmFlC3DWQfNNFwn5+pWSB8WHG4bTA5RyYEEYfpbekMtdoWW/Ro8Kmh
|
||||
41nuxZDSuBJhDeFIp0ccnN2Lp1o6XfIeDYPegyEPSSZqrudfqLrSZhStDlJgXjea
|
||||
JjW6UP6txPtYaaila9/Hn6vF87AQ5bR2dEWB/xRJzgNwRiax7KSU0xca6xAuf+TD
|
||||
xCjZ5pp2JwdCjquXLTmUnbIZ9LGV54UZ/MeiG8yVu6pxbiGnXo4Ekbk6xgi1ewLi
|
||||
vGmz4QRfVklV0dba3Zj0fRozfZ22qUHxCfDM7ad0eBXMFmHiN8hg3IUHTO+UdlX/
|
||||
aH3gADFAvSVDv0v8t6dGc6XE9Dr7mGEFnQMHO4zhM1HaS2Nh0TiL2tFLttLbfG5o
|
||||
QlxCfXX9/nasj3K9qnlEg9G3+4T7lpdPmZRRe1O8cHCI5imVg6cLIiBLPO16e0fK
|
||||
yHIgYswLdrJFfaHNYM/SWJxHpX795zn+iCwyvZSlLfH9mlegOeVmj9cyhN/VOmS3
|
||||
QRhlYXoA2z7WZTNoC6iAIlyIpMTcZr+ntaGVtFOLS6fwdBqDXjmSQu66mDKwU5Ek
|
||||
fNlbyrpzZMyFCDWEYo4AIR/18aGZBYUAEQEAAYkCHwQYAQIACQUCU5sktgIbDAAK
|
||||
CRAWVaCraFdigIPQEACcYh8rR19wMZZ/hgYv5so6Y1HcJNARuzmffQKozS/rxqec
|
||||
0xM3wceL1AIMuGhlXFeGd0wRv/RVzeZjnTGwhN1DnCDy1I66hUTgehONsfVanuP1
|
||||
PZKoL38EAxsMzdYgkYH6T9a4wJH/IPt+uuFTFFy3o8TKMvKaJk98+Jsp2X/QuNxh
|
||||
qpcIGaVbtQ1bn7m+k5Qe/fz+bFuUeXPivafLLlGc6KbdgMvSW9EVMO7yBy/2JE15
|
||||
ZJgl7lXKLQ31VQPAHT3an5IV2C/ie12eEqZWlnCiHV/wT+zhOkSpWdrheWfBT+ac
|
||||
hR4jDH80AS3F8jo3byQATJb3RoCYUCVc3u1ouhNZa5yLgYZ/iZkpk5gKjxHPudFb
|
||||
DdWjbGflN9k17VCf4Z9yAb9QMqHzHwIGXrb7ryFcuROMCLLVUp07PrTrRxnO9A/4
|
||||
xxECi0l/BzNxeU1gK88hEaNjIfviPR/h6Gq6KOcNKZ8rVFdwFpjbvwHMQBWhrqfu
|
||||
G3KaePvbnObKHXpfIKoAM7X2qfO+IFnLGTPyhFTcrl6vZBTMZTfZiC1XDQLuGUnd
|
||||
sckuXINIU3DFWzZGr0QrqkuE/jyr7FXeUJj9B7cLo+s/TXo+RaVfi3kOc9BoxIvy
|
||||
/qiNGs/TKy2/Ujqp/affmIMoMXSozKmga81JSwkADO1JMgUy6dApXz9kP4EE3g==
|
||||
=CLGF
|
||||
mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B
|
||||
hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM
|
||||
Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32
|
||||
9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR
|
||||
TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z
|
||||
E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk
|
||||
LWdwZ0Bub2Rlc291cmNlLmNvbT6JATgEEwECACIFAldDN1ACGwMGCwkIBwMCBhUI
|
||||
AgkKCwQWAgMBAh4BAheAAAoJEC9ZtfmbG+C0y7wH/i4xnab36dtrYW7RZwL8i6Sc
|
||||
NjMx4j9+U1kr/F6YtqWd+JwCbBdar5zRghxPcYEq/qf7MbgAYcs1eSOuTOb7n7+o
|
||||
xUwdH2iCtHhKh3Jr2mRw1ks7BbFZPB5KmkxHaEBfLT4d+I91ZuUdPXJ+0SXs9gzk
|
||||
Dbz65Uhoz3W03aiF8HeL5JNARZFMbHHNVL05U1sTGTCOtu+1c/33f3TulQ/XZ3Y4
|
||||
hwGCpLe0Tv7g7Lp3iLMZMWYPEa0a7S4u8he5IEJQLd8bE8jltcQvrdr3Fm8kI2Jg
|
||||
BJmUmX4PSfhuTCFaR/yeCt3UoW883bs9LfbTzIx9DJGpRIu8Y0IL3b4sj/GoZVq5
|
||||
AQ0EV0M3UAEIAKrTaC62ayzqOIPa7nS90BHHck4Z33a2tZF/uof38xNOiyWGhT8u
|
||||
JeFoTTHn5SQq5Ftyu4K3K2fbbpuu/APQF05AaljzVkDGNMW4pSkgOasdysj831cu
|
||||
ssrHX2RYS22wg80k6C/Hwmh5F45faEuNxsV+bPx7oPUrt5n6GMx84vEP3i1+FDBi
|
||||
0pt/B/QnDFBXki1BGvJ35f5NwDefK8VaInxXP3ZN/WIbtn5dqxppkV/YkO7GiJlp
|
||||
Jlju9rf3kKUIQzKQWxFsbCAPIHoWv7rH9RSxgDithXtG6Yg5R1aeBbJaPNXL9wpJ
|
||||
YBJbiMjkAFaz4B95FOqZm3r7oHugiCGsHX0AEQEAAYkBHwQYAQIACQUCV0M3UAIb
|
||||
DAAKCRAvWbX5mxvgtE/OB/0VN88DR3Y3fuqy7lq/dthkn7Dqm9YXdorZl3L152eE
|
||||
IF882aG8FE3qZdaLGjQO4oShAyNWmRfSGuoH0XERXAI9n0r8m4mDMxE6rtP7tHet
|
||||
y/5M8x3CTyuMgx5GLDaEUvBusnTD+/v/fBMwRK/cZ9du5PSG4R50rtst+oYyC2ao
|
||||
x4I2SgjtF/cY7bECsZDplzatN3gv34PkcdIg8SLHAVlL4N5tzumDeizRspcSyoy2
|
||||
K2+hwKU4C4+dekLLTg8rjnRROvplV2KtaEk6rxKtIRFDCoQng8wfJuIMrDNKvqZw
|
||||
FRGt7cbvW5MCnuH8MhItOl9Uxp1wHp6gtav/h8Gp6MBa
|
||||
=MARt
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
|
||||
- name: Add NodeJS repository (Debian <12)
|
||||
ansible.builtin.apt_repository:
|
||||
repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
|
||||
repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} nodistro main"
|
||||
filename: nodesource
|
||||
update_cache: yes
|
||||
state: present
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
Types: deb
|
||||
URIs: https://deb.nodesource.com/{{ nodejs_apt_version }}
|
||||
Suites: {{ ansible_distribution_release }}
|
||||
Suites: nodistro
|
||||
Components: main
|
||||
Signed-by: {{ apt_keyring_dir }}/nodesource.asc
|
||||
Enabled: yes
|
||||
Enabled: yes
|
||||
|
|
|
@ -31,11 +31,11 @@
|
|||
marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
|
||||
block: |
|
||||
{% if vrrp_address.peers | default([]) | length <= 0 %}
|
||||
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
|
||||
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
|
||||
{% else %}
|
||||
{% for peer in vrrp_address.peers %}
|
||||
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
|
||||
{% endfor %}
|
||||
{% for peer in vrrp_address.peers %}
|
||||
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
create: yes
|
||||
mode: "0600"
|
||||
|
|
Loading…
Reference in a new issue