Update to 2023-09-13 23:00
This commit is contained in:
parent
758b7f1094
commit
3475fdc9bf
|
|
@ -5,8 +5,8 @@
|
|||
element_id: element
|
||||
|
||||
# Version to deploy, and expected sha256
|
||||
element_version: 1.11.40
|
||||
element_archive_sha256: 7e0d0263ee2c52401f6f8f0ea2c5b76fef82aaa1860c1b4986235971f7b8b731
|
||||
element_version: 1.11.41
|
||||
element_archive_sha256: b03e59e4c3da71278f1b79df2469cdc25c250129c7669a0531888a0e1ae41529
|
||||
|
||||
# Where to install element
|
||||
element_root_dir: /opt/matrix/element
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
|
||||
# Synapse version to deploy
|
||||
synapse_version: '1.91.2'
|
||||
synapse_version: '1.92.1'
|
||||
|
||||
# Should ansible handle Synapse upgrades ? If false, only initial install will be done
|
||||
synapse_manage_upgrade: True
|
||||
|
|
|
|||
|
|
@ -17,7 +17,8 @@ SyslogIdentifier=odoo
|
|||
Restart=on-failure
|
||||
StartLimitInterval=0
|
||||
RestartSec=30
|
||||
MemoryLimit=2048M
|
||||
MemoryHigh=1800M
|
||||
MemoryMax=2048M
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
|||
|
|
@ -24,11 +24,6 @@ squid_ssl_ports: [ 443, 8006, 8007, 8443, 8448 ]
|
|||
# Admin email displayed on denied and error pages
|
||||
# squid_admin_email: admin@example.com
|
||||
|
||||
# Should we scan content with ClamAV. Default is disabled
|
||||
squid_scan_av: True
|
||||
# Files bigger than (in bytes) this won't be scanned
|
||||
squid_av_max_size: 5000000
|
||||
|
||||
squid_servers_ip:
|
||||
- 10.0.0.0/8
|
||||
- 172.16.0.0/12
|
||||
|
|
|
|||
|
|
@ -1,15 +1,17 @@
|
|||
module ufdb 1.2;
|
||||
module ufdb 1.3;
|
||||
|
||||
require {
|
||||
type initrc_tmp_t;
|
||||
type initrc_t;
|
||||
type tmp_t;
|
||||
type squid_t;
|
||||
type unconfined_service_t;
|
||||
class sock_file write;
|
||||
class unix_stream_socket connectto;
|
||||
}
|
||||
|
||||
#============= squid_t ==============
|
||||
allow squid_t initrc_t:unix_stream_socket connectto;
|
||||
allow squid_t unconfined_service_t:unix_stream_socket connectto;
|
||||
allow squid_t initrc_tmp_t:sock_file write;
|
||||
allow squid_t tmp_t:sock_file write;
|
||||
|
|
|
|||
|
|
@ -6,12 +6,6 @@
|
|||
- name: restart squid
|
||||
service: name=squid state=restarted
|
||||
|
||||
- name: restart c-icap
|
||||
service: name=c-icap state={{ squid_scan_av | ternary('restarted', 'stopped') }}
|
||||
|
||||
- name: restart squid-clamd
|
||||
service: name=squid-clamd state={{ squid_scan_av | ternary('restarted', 'stopped') }}
|
||||
|
||||
- name: restart ufdb
|
||||
service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('restarted', 'stopped') }}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,4 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: httpd_common
|
||||
- role: clamav
|
||||
- role: mkdir
|
||||
|
|
|
|||
|
|
@ -4,8 +4,6 @@
|
|||
yum:
|
||||
name:
|
||||
- squid
|
||||
- c-icap
|
||||
- squidclamav
|
||||
- ufdbGuard
|
||||
notify: restart squid
|
||||
tags: proxy
|
||||
|
|
@ -138,43 +136,12 @@
|
|||
register: squid_safebrowsing
|
||||
tags: proxy
|
||||
|
||||
- name: Deploy clamd config
|
||||
template: src=clamd.conf.j2 dest=/etc/clamd.d/squid.conf
|
||||
notify: restart squid-clamd
|
||||
tags: proxy
|
||||
|
||||
- name: Deploy clamd systemd unit
|
||||
template: src=squid-clamd.service.j2 dest=/etc/systemd/system/squid-clamd.service
|
||||
register: squid_clam_unit
|
||||
notify: restart squid-clamd
|
||||
tags: proxy
|
||||
|
||||
- name: Deploy c-icap configuration
|
||||
template: src=c-icap.conf.j2 dest=/etc/c-icap/c-icap.conf
|
||||
notify: restart c-icap
|
||||
tags: proxy
|
||||
|
||||
- name: Create systemd unit snippet dir
|
||||
file: path=/etc/systemd/system/{{ item }}.service.d state=directory
|
||||
loop:
|
||||
- c-icap
|
||||
- squid
|
||||
tags: proxy
|
||||
|
||||
- name: Deploy a systemd unit snippet for c-icap
|
||||
copy:
|
||||
content: |
|
||||
[Service]
|
||||
User=c-icap
|
||||
Group=c-icap
|
||||
Restart=on-failure
|
||||
StartLimitInterval=0
|
||||
RestartSec=1
|
||||
dest: /etc/systemd/system/c-icap.service.d/user.conf
|
||||
register: squid_c_icap_unit
|
||||
notify: restart c-icap
|
||||
tags: proxy
|
||||
|
||||
- name: Deploy a systemd unit snipet for squid
|
||||
copy:
|
||||
content: |
|
||||
|
|
@ -186,14 +153,9 @@
|
|||
register: squid_unit
|
||||
tags: proxy
|
||||
|
||||
- name: Deploy squidclamav configuration
|
||||
template: src=squidclamav.conf.j2 dest=/etc/c-icap/squidclamav.conf mode=644
|
||||
notify: restart c-icap
|
||||
tags: proxy
|
||||
|
||||
- name: Reload systemd
|
||||
command: systemctl daemon-reload
|
||||
when: squid_clam_unit.changed or squid_c_icap_unit.changed or squid_unit.changed
|
||||
when: squid_unit.changed
|
||||
tags: proxy
|
||||
|
||||
- include_tasks: selinux.yml
|
||||
|
|
@ -252,14 +214,6 @@
|
|||
service: name=squid state=started enabled=True
|
||||
tags: proxy
|
||||
|
||||
- name: Start and enable c-icap
|
||||
service: name=c-icap state=started enabled=True
|
||||
tags: proxy
|
||||
|
||||
- name: Handle squid-clamd daemon
|
||||
service: name=squid-clamd state={{ squid_scan_av | ternary('started','stopped') }} enabled={{ squid_scan_av | ternary(True,False) }}
|
||||
tags: proxy
|
||||
|
||||
- name: Handle ufdb daemon
|
||||
service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }}
|
||||
tags: proxy
|
||||
|
|
|
|||
|
|
@ -1,17 +0,0 @@
|
|||
ServerAdmin {{ squid_admin_email | default(system_admin_email) | default('admin@' + ansible_domain) }}
|
||||
ServerName {{ inventory_hostname }}
|
||||
TmpDir /tmp
|
||||
MaxMemObject 1048576
|
||||
Module logger sys_logger.so
|
||||
Logger sys_logger
|
||||
DebugLevel 0
|
||||
Port 127.0.0.1:1344
|
||||
TemplateDir /usr/share/c_icap/templates/
|
||||
{% if squid_scan_av %}
|
||||
Service squidclamav squidclamav.so
|
||||
{% endif %}
|
||||
|
||||
MaxKeepAliveRequests 1000
|
||||
MaxServers 20
|
||||
ThreadsPerChild 50
|
||||
MaxRequestsPerChild 100000
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
LogSyslog yes
|
||||
LogVerbose yes
|
||||
ExtendedDetectionInfo yes
|
||||
LocalSocket /var/run/clamav/squid.sock
|
||||
LocalSocketMode 666
|
||||
ExitOnOOM yes
|
||||
Foreground yes
|
||||
DetectBrokenExecutables yes
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
[Unit]
|
||||
Description=ClamAV antivirus daemon for squid
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStart=/usr/sbin/clamd -c /etc/clamd.d/squid.conf
|
||||
User=clamav
|
||||
Group=clamav
|
||||
Restart=on-failure
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
|
|
@ -58,21 +58,6 @@ quick_abort_min -1
|
|||
|
||||
max_filedesc 8192
|
||||
|
||||
icap_enable on
|
||||
icap_send_client_ip on
|
||||
icap_send_client_username on
|
||||
icap_client_username_encode off
|
||||
icap_client_username_header X-Authenticated-User
|
||||
icap_preview_enable on
|
||||
icap_preview_size 1024
|
||||
|
||||
{% if squid_scan_av %}
|
||||
icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
|
||||
adaptation_access service_avi_req allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_req av_src
|
||||
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
|
||||
adaptation_access service_avi_resp allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_rep av_src
|
||||
{% endif %}
|
||||
|
||||
{% if squid_filter_url %}
|
||||
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
|
||||
url_rewrite_program /usr/sbin/ufdbgclient -m 4 -l /var/log/squid/
|
||||
|
|
|
|||
Loading…
Reference in New Issue