Update to 2022-01-12 10:14

roles/bookstack/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Version to deploy
-bookstack_version: '21.12'
+bookstack_version: '21.12.2'
 # URL of the arhive
 bookstack_archive_url: https://github.com/BookStackApp/BookStack/archive/v{{ bookstack_version }}.tar.gz
 # Expected sha1 of the archive
-bookstack_archive_sha1: d2abf62794f97e3fcd7ebd8a270c152329c3573e
+bookstack_archive_sha1: cc4498f2fba7094172c46eced77d6e9ec28410e1
 
 # Should ansible handle bookstack upgrades or just the inintial install
 bookstack_manage_upgrade: True

roles/common/defaults/main.yml

@@ -95,6 +95,7 @@ system_base_bash_aliases:
   rm: 'rm -i'
   cp: 'cp -i'
   mv: 'mv -i'
+  sudo: 'sudo ' # Allow alias expansion after sudo
 
 system_extra_bash_aliases: {}
 system_bash_aliases: "{{ system_base_bash_aliases | combine(system_extra_bash_aliases, recursive=True) }}"

roles/common/meta/main.yml

@@ -10,6 +10,7 @@ dependencies:
     when: iptables_manage | default(True)
   - role: zabbix_agent
   - role: fusioninventory_agent
+    when: fusinv_uri is defined and fusinv_uri | length > 0
   - role: sssd_ldap_auth
     when: ldap_auth | default(False)
   - role: sssd_ad_auth

roles/common/tasks/ansible.yml

@@ -10,7 +10,7 @@
     - system_ansible_ssh_keys is defined
     - system_ansible_ssh_keys | length > 0
     - system_ansible_src_ip is not defined or system_ansible_src_ip | length < 1
-  tags: system
+  tags: system,ssh
 
 - name: Deploy SSH keys for the ansible account (with source IP restriction)
   authorized_key:
@@ -23,4 +23,4 @@
     - system_ansible_ssh_keys | length > 0
     - system_ansible_src_ip is defined
     - system_ansible_src_ip | length > 0
-  tags: system
+  tags: system,ssh

roles/common/tasks/main.yml

@@ -17,7 +17,7 @@
     - ansible_os_family == 'RedHat'
 - include: mail.yml
 - include_tasks: system.yml
-- include_tasks: ansible.yml
+- include: ansible.yml
 - include_tasks: hardware.yml
   when: ansible_virtualization_role == 'host'
 - include_tasks: guest.yml

roles/diagrams/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Veresion of diagrams to deploy
-diagrams_version: 16.1.0
+diagrams_version: 16.2.4
 # URL of the WAR file to deploy
 diagrams_war_url: https://github.com/jgraph/drawio/releases/download/v{{ diagrams_version }}/draw.war
 # Expected sha1 of the WAR file
-diagrams_war_sha1: ceee75855e8ac9a69d3723c2aa8c414a59d9c565
+diagrams_war_sha1: 36eb6e07a3eacffc53cdb71a780087380e74bf3c
 # root directory of the installation
 diagrams_root_dir: /opt/diagrams
 # Should ansible manage upgrades, or just initial install ?

roles/documize/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Version of cocumize to deploy
-documize_version: 4.1.1
+documize_version: 4.2.0
 # URL of the binary to install
 documize_bin_url: https://github.com/documize/community/releases/download/v{{ documize_version }}/documize-community-linux-amd64
 # Expected sha1 of the binary
-documize_bin_sha1: 7362cb0b0479b1315399df86fabef81aa1a43124
+documize_bin_sha1: b14140e76df4af67e16df2aaf8bf78b90452aa64
 
 # Should documize handle upgrades or only initial install ?
 documize_manage_upgrade: True

roles/fusioninventory_agent/defaults/main.yml

@@ -9,6 +9,8 @@ fusinv_disabled_tasks:
   - NetDiscovery
   - Deploy
   - NetInventory
+fusinv_no_category:
+  - monitor
 
 # Not included in debian repo
 # so we need to manually down and install it

roles/fusioninventory_agent/templates/agent.cfg.j2

@@ -4,4 +4,9 @@ password={{ fusinv_pass | quote }}
 no-p2p
 no-httpd
 httpd-ip="127.0.0.1"
+{% if fusinv_disabled_tasks | length > 0 %}
 no-task={{ fusinv_disabled_tasks | join(',') | quote }}
+{% endif %}
+{% if fusinv_no_category | length > 0 %}
+no-category={{ fusinv_no_category | join(',') | quote }}
+{% endif %}

roles/gitea/tasks/conf.yml

@@ -32,8 +32,3 @@
   changed_when: False
   tags: gitea
 
-- name: Regenerate authorized_keys
-  command: "{{ gitea_root_dir }}/bin/gitea -c {{ gitea_root_dir }}/etc/app.ini admin regenerate keys"
-  become_user: gitea
-  when: gitea_install_mode == 'upgrade'
-  tags: gitea

roles/httpd_front/tasks/main.yml

@@ -58,6 +58,19 @@
   notify: reload httpd
   tags: [conf,web]
 
+- name: Check if default cert exists
+  stat: path={{ httpd_cert_path }}
+  register: httpd_default_cert
+  tags: [conf,cert,web]
+
+- name: Create default self signed cert
+  include_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ httpd_cert_path }}"
+    cert_key_path: "{{ cert_key_path }"
+  when: not httpd_default_cert.stat.exists
+  tags: [conf,cert,web]
+
 - name: Check if Let's Encrypt' cert exist
   stat: path=/var/lib/dehydrated/certificates/certs/{{ item.ssl.letsencrypt_cert }}/cert.pem
   register: httpd_letsencrypt_certs

roles/includes/create_selfsigned_cert.yml

@@ -11,7 +11,7 @@
 
 - name: Create the self signed certificate
   command: openssl req -x509 -newkey rsa:{{ cert_key_size | default(4096) }} \
-           -subj "{{ cert_subj | default('/C=FR/ST=Aquitaine/L=Firewall Services/O=IT Security/CN=' + inventory_hostname) }}" \
+           -subj "{{ cert_subj | default('/C=FR/ST=Aquitaine/L=Ehtrace/O=IT Security/CN=' + inventory_hostname) }}" \
            -nodes -keyout {{ cert_key_path }} -out {{ cert_path }} -days {{ cert_validity | default(3650) }}
   args:
     creates: "{{ cert_path }}"

roles/network/tasks/main.yml

@@ -3,9 +3,11 @@
 - name: Configure IPv4 Forwarding
   sysctl: name="net.ipv4.ip_forward" value={{ net_ipv4_forward | ternary('1', '0') }} sysctl_file=/etc/sysctl.d/network.conf sysctl_set=yes state=present reload=yes
   when: ansible_virtualization_type != 'systemd-nspawn'
+  tags: net
 
 - name: Deploy /etc/hosts
   template: src=hosts.j2 dest=/etc/hosts
+  tags: net
 
 - name: Prevent PVE from changing /etc/hosts
   copy: content='' dest=/etc/.pve-ignore.hosts

roles/repo_base/tasks/dbd_RedHat.yml

@@ -4,7 +4,7 @@
   yum_repository:
     name: dbd
     description: "Daniel Berteaud RPM"
-    baseurl: http://rpms.lapiole.org/el$releasever/
+    baseurl: http://rpms.lapiole.org/el$releasever/ http://rpms.ehtrace.com/el$releasever/
     gpgcheck: True
     gpgkey: https://rpms.lapiole.org/RPM-GPG-KEY
   tags: repo
@@ -14,7 +14,7 @@
     name: dbd-testing
     description: "Daniel Berteaud Testing RPM"
     file: dbd
-    baseurl: http://rpms.lapiole.org/testing/el$releasever/
+    baseurl: http://rpms.lapiole.org/testing/el$releasever/ http://rpms.ehtrace.com/testing/el$releasever/
     gpgcheck: True
     gpgkey: https://rpms.lapiole.org/RPM-GPG-KEY
     enabled: False

roles/repo_samba4/defaults/main.yml

@@ -1,3 +1,3 @@
 ---
 # Select a branch from https://samba.tranquil.it/centos7/ or https://samba.tranquil.it/centos7/
-samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.14.10') }}
+samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.15.3') }}

roles/repo_zabbix/defaults/main.yml

@@ -1,2 +1,2 @@
 ---
-zabbix_major_version: 5.0
+zabbix_major_version: 5.4

roles/rpm_build_server/files/watcher.pl

@@ -172,7 +172,9 @@ sub handle_submit {
   } else {
     log_verbose("No email address for $submiter, no notification will be sent");
   }
-  my $src_pkg = RPM2->open_package($srpm);
+  # Do not check the signature here
+  # We could try to submit a signed src.rpm for which we do not have the key system-wide
+  my $src_pkg = RPM2->open_package($srpm, RPM2->_rpmvsf_nosignatures);
   if (not $src_pkg->is_source_package){
     log_verbose("Couldn't parse $srpm as a valid srpm");
     return;
@@ -234,6 +236,8 @@ sub handle_submit {
         move $built_pkg, $dest . '/' . basename($built_pkg);
       }
     }, $result);
+    log_info("[$job_id] Removing old packages");
+    qx(rm -f \$(repomanage --keep=2 --old $repo_dir));
     log_info("[$job_id] Updating repo metadata for $target");
     qx(createrepo --checksum sha -x "*debuginfo*" --update -c $repo_cache_dir $repo_dir);
     if ($? != 0) {

roles/ssh/defaults/main.yml

@@ -41,12 +41,13 @@ ssh_users: []
 #    ssh_keys:
 #      - 'ssh-rsa AAAAB3NzaC1yc2...'
 #      - 'ssh-rsa AAAAB3NzaC1yc2...'
+#    keys_exclusive: True
+#    keys_file: %h/.ssh/authorized_keys
 #    key_options:
 #      - from="192.168.3.7"
 #      - no-pty
 #    sftp_only: True
 #    chroot: /var/www/html
-#    keys_file: %h/.ssh/authorized_keys
 #    allow_forwarding: False
 #    sudo_defaults:
 #      - '!env_reset'

roles/ssh/tasks/conf.yml

@@ -60,7 +60,7 @@
     key_options: "{{ item.key_options | default([]) | join(',') }}"
     path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"
     manage_dir: False
-    exclusive: True
+    exclusive: "{{ item.keys_exclusive | default(True) }}"
   ignore_errors: True # Needed eg, if LDAP isn't available on first run
   loop: "{{ ssh_users }}"
   tags: ssh

roles/ssh/tasks/iptables.yml

@@ -4,9 +4,14 @@
   iptables_raw:
     name: sshd_limit
     rules: |
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
+      -N SSH_LIMIT
+      {% if trusted_ip is defined and trusted_ip | length > 0 %}
+      -A SSH_LIMIT -s {{ trusted_ip | join(',') }} -j RETURN
+      {% endif %}
+      -A SSH_LIMIT -m recent --name ssh_limit --set
+      -A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
+      -A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
+      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -j SSH_LIMIT
     state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
     weight: 10
   tags: ssh,firewall

roles/unbound/tasks/main.yml

@@ -4,18 +4,18 @@
   yum:
     name:
       - unbound
-  tags: unbound
+  tags: dns
 
 - name: Fetch the root hints
   get_url:
     url: https://www.internic.net/domain/named.cache
     dest: /etc/unbound/root.hints
-  tags: unbound
+  tags: dns
 
 - name: Deploy unbound configuration
   template: src=unbound.conf.j2 dest=/etc/unbound/unbound.conf
   notify: restart unbound
-  tags: unbound
+  tags: dns
 
 - name: Handle port in the firewall
   iptables_raw:
@@ -24,8 +24,8 @@
     rules: "-A INPUT -m state --state NEW -p udp -m multiport --dports {{ unbound_port }} -s {{ unbound_src_ip | join(',') }} -j ACCEPT\n
             -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ unbound_port }} -s {{ unbound_src_ip | join(',') }} -j ACCEPT"
   when: iptables_manage | default(True)
-  tags: [unbound,firewall]
+  tags: dns,firewall
 
 - name: Start and enable the service
   service: name=unbound state=started enabled=True
-  tags: unbound
+  tags: dns

roles/zimbra/defaults/main.yml

@@ -70,8 +70,8 @@ zcs_domain_defaults:
 
 # Additional libs needed for CAS
 zcs_cas_libs:
-  - url: https://repo1.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.6.2/cas-client-core-3.6.2.jar
-    sha1: ccb636b9b8d8c048b4dd14b0b0627350def5e3a2
+  - url: https://repo1.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.6.4/cas-client-core-3.6.4.jar
+    sha1: fc6897188c0bf840c5ccec5c6f0d0a0d6cb5b84d
   - url: https://repo1.maven.org/maven2/org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.jar
     sha1: cdcff33940d9f2de763bc41ea05a0be5941176c3