From e73f05f0733c3250ecdb02971e253087d7760c9f Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 12 Jan 2022 10:14:43 +0100
Subject: [PATCH] Update to 2022-01-12 10:14

---
 roles/bookstack/defaults/main.yml | 4 ++--
 roles/common/defaults/main.yml | 1 +
 roles/common/meta/main.yml | 1 +
 roles/common/tasks/ansible.yml | 4 ++--
 roles/common/tasks/main.yml | 2 +-
 roles/diagrams/defaults/main.yml | 4 ++--
 roles/documize/defaults/main.yml | 4 ++--
 roles/fusioninventory_agent/defaults/main.yml | 2 ++
 roles/fusioninventory_agent/templates/agent.cfg.j2 | 5 +++++
 roles/gitea/tasks/conf.yml | 5 -----
 roles/httpd_front/tasks/main.yml | 13 +++++++++++++
 roles/includes/create_selfsigned_cert.yml | 2 +-
 roles/network/tasks/main.yml | 2 ++
 roles/repo_base/tasks/dbd_RedHat.yml | 4 ++--
 roles/repo_samba4/defaults/main.yml | 2 +-
 roles/repo_zabbix/defaults/main.yml | 2 +-
 roles/rpm_build_server/files/watcher.pl | 6 +++++-
 roles/ssh/defaults/main.yml | 3 ++-
 roles/ssh/tasks/conf.yml | 2 +-
 roles/ssh/tasks/iptables.yml | 11 ++++++++---
 roles/unbound/tasks/main.yml | 10 +++++-----
 roles/zimbra/defaults/main.yml | 4 ++--
 22 files changed, 61 insertions(+), 32 deletions(-)

diff --git a/roles/bookstack/defaults/main.yml b/roles/bookstack/defaults/main.yml
index e6ed7dd..e84836e 100644
--- a/roles/bookstack/defaults/main.yml
+++ b/roles/bookstack/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # Version to deploy
-bookstack_version: '21.12'
+bookstack_version: '21.12.2'
 # URL of the arhive
 bookstack_archive_url: https://github.com/BookStackApp/BookStack/archive/v{{ bookstack_version }}.tar.gz
 # Expected sha1 of the archive
-bookstack_archive_sha1: d2abf62794f97e3fcd7ebd8a270c152329c3573e
+bookstack_archive_sha1: cc4498f2fba7094172c46eced77d6e9ec28410e1
 # Should ansible handle bookstack upgrades or just the inintial install
 bookstack_manage_upgrade: True
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 70c930c..1a46312 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -95,6 +95,7 @@ system_base_bash_aliases:
   rm: 'rm -i'
   cp: 'cp -i'
   mv: 'mv -i'
+  sudo: 'sudo ' # Allow alias expansion after sudo
 system_extra_bash_aliases: {}
 system_bash_aliases: "{{ system_base_bash_aliases | combine(system_extra_bash_aliases, recursive=True) }}"
diff --git a/roles/common/meta/main.yml b/roles/common/meta/main.yml
index 34dcd11..4876c06 100644
--- a/roles/common/meta/main.yml
+++ b/roles/common/meta/main.yml
@@ -10,6 +10,7 @@ dependencies:
     when: iptables_manage | default(True)
   - role: zabbix_agent
   - role: fusioninventory_agent
+    when: fusinv_uri is defined and fusinv_uri | length > 0
   - role: sssd_ldap_auth
     when: ldap_auth | default(False)
   - role: sssd_ad_auth
diff --git a/roles/common/tasks/ansible.yml b/roles/common/tasks/ansible.yml
index 389a0f7..95d044e 100644
--- a/roles/common/tasks/ansible.yml
+++ b/roles/common/tasks/ansible.yml
@@ -10,7 +10,7 @@
     - system_ansible_ssh_keys is defined
     - system_ansible_ssh_keys | length > 0
     - system_ansible_src_ip is not defined or system_ansible_src_ip | length < 1
-  tags: system
+  tags: system,ssh
 
 - name: Deploy SSH keys for the ansible account (with source IP restriction)
   authorized_key:
@@ -23,4 +23,4 @@
     - system_ansible_ssh_keys | length > 0
     - system_ansible_src_ip is defined
     - system_ansible_src_ip | length > 0
-  tags: system
+  tags: system,ssh
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 788bb55..b91f342 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -17,7 +17,7 @@
     - ansible_os_family == 'RedHat'
 - include: mail.yml
 - include_tasks: system.yml
-- include_tasks: ansible.yml
+- include: ansible.yml
 - include_tasks: hardware.yml
   when: ansible_virtualization_role == 'host'
 - include_tasks: guest.yml
diff --git a/roles/diagrams/defaults/main.yml b/roles/diagrams/defaults/main.yml
index 6c226e7..22a6fdc 100644
--- a/roles/diagrams/defaults/main.yml
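Review bot: `- include: ansible.yml` switches back to the `include` action, which has been deprecated since Ansible 2.4 and emits a warning on every run; the likely motivation is that the new `system,ssh` tags inside ansible.yml only reach `--tags` when the file is pulled in statically, since a dynamic `include_tasks` applies tags to the include line alone. The static form that keeps tag inheritance without the deprecated keyword is `- import_tasks: ansible.yml`; the `- include: mail.yml` line two above it has the same issue. If the dynamic include is wanted for some other reason, `- include_tasks: ansible.yml` with `tags: [system, ssh]` on the include line is the alternative.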
+++ b/roles/diagrams/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # Veresion of diagrams to deploy
-diagrams_version: 16.1.0
+diagrams_version: 16.2.4
 # URL of the WAR file to deploy
 diagrams_war_url: https://github.com/jgraph/drawio/releases/download/v{{ diagrams_version }}/draw.war
 # Expected sha1 of the WAR file
-diagrams_war_sha1: ceee75855e8ac9a69d3723c2aa8c414a59d9c565
+diagrams_war_sha1: 36eb6e07a3eacffc53cdb71a780087380e74bf3c
 # root directory of the installation
 diagrams_root_dir: /opt/diagrams
 # Should ansible manage upgrades, or just initial install ?
diff --git a/roles/documize/defaults/main.yml b/roles/documize/defaults/main.yml
index 0ec56e8..9958a5f 100644
--- a/roles/documize/defaults/main.yml
+++ b/roles/documize/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # Version of cocumize to deploy
-documize_version: 4.1.1
+documize_version: 4.2.0
 # URL of the binary to install
 documize_bin_url: https://github.com/documize/community/releases/download/v{{ documize_version }}/documize-community-linux-amd64
 # Expected sha1 of the binary
-documize_bin_sha1: 7362cb0b0479b1315399df86fabef81aa1a43124
+documize_bin_sha1: b14140e76df4af67e16df2aaf8bf78b90452aa64
 # Should documize handle upgrades or only initial install ?
 documize_manage_upgrade: True
diff --git a/roles/fusioninventory_agent/defaults/main.yml b/roles/fusioninventory_agent/defaults/main.yml
index 6b6ee1e..7a6a0ad 100644
--- a/roles/fusioninventory_agent/defaults/main.yml
+++ b/roles/fusioninventory_agent/defaults/main.yml
@@ -9,6 +9,8 @@ fusinv_disabled_tasks:
   - NetDiscovery
   - Deploy
   - NetInventory
+fusinv_no_category:
+  - monitor
 # Not included in debian repo
 # so we need to manually down and install it
diff --git a/roles/fusioninventory_agent/templates/agent.cfg.j2 b/roles/fusioninventory_agent/templates/agent.cfg.j2
index aede73d..c77479a 100644
--- a/roles/fusioninventory_agent/templates/agent.cfg.j2
+++ b/roles/fusioninventory_agent/templates/agent.cfg.j2
@@ -4,4 +4,9 @@ password={{ fusinv_pass | quote }}
 no-p2p
 no-httpd
 httpd-ip="127.0.0.1"
+{% if fusinv_disabled_tasks | length > 0 %}
 no-task={{ fusinv_disabled_tasks | join(',') | quote }}
+{% endif %}
+{% if fusinv_no_category | length > 0 %}
+no-category={{ fusinv_no_category | join(',') | quote }}
+{% endif %}
diff --git a/roles/gitea/tasks/conf.yml b/roles/gitea/tasks/conf.yml
index 19692f3..f3e154b 100644
--- a/roles/gitea/tasks/conf.yml
+++ b/roles/gitea/tasks/conf.yml
@@ -32,8 +32,3 @@
   changed_when: False
   tags: gitea
 
-- name: Regenerate authorized_keys
-  command: "{{ gitea_root_dir }}/bin/gitea -c {{ gitea_root_dir }}/etc/app.ini admin regenerate keys"
-  become_user: gitea
-  when: gitea_install_mode == 'upgrade'
-  tags: gitea
diff --git a/roles/httpd_front/tasks/main.yml b/roles/httpd_front/tasks/main.yml
index 67149d4..72d31f9 100644
--- a/roles/httpd_front/tasks/main.yml
+++ b/roles/httpd_front/tasks/main.yml
@@ -58,6 +58,19 @@
   notify: reload httpd
   tags: [conf,web]
 
+- name: Check if default cert exists
+  stat: path={{ httpd_cert_path }}
+  register: httpd_default_cert
+  tags: [conf,cert,web]
+
+- name: Create default self signed cert
+  include_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ httpd_cert_path }}"
+    cert_key_path: "{{ cert_key_path }"
+  when: not httpd_default_cert.stat.exists
+  tags: [conf,cert,web]
+
 - name: Check if Let's Encrypt' cert exist
   stat: path=/var/lib/dehydrated/certificates/certs/{{ item.ssl.letsencrypt_cert }}/cert.pem
   register: httpd_letsencrypt_certs
diff --git a/roles/includes/create_selfsigned_cert.yml b/roles/includes/create_selfsigned_cert.yml
index aad651f..7f0c830 100644
--- a/roles/includes/create_selfsigned_cert.yml
+++ b/roles/includes/create_selfsigned_cert.yml
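Review bot: `cert_key_path: "{{ cert_key_path }"` under `vars:` in the "Create default self signed cert" task is broken twice: the Jinja expression is missing its second closing brace, so the value is passed through as literal text, and even as `{{ cert_key_path }}` it would define the variable in terms of itself, which Ansible rejects as a recursive loop when the included file expands `{{ cert_key_path }}` in its `-keyout` argument. It should point at the role variable that holds the key file location, e.g. `cert_key_path: "{{ <httpd key-path variable> }}"` (placeholder: the role defaults are not part of this patch). Since `include_tasks` with `tags:` only tags the include line itself, the tasks inside create_selfsigned_cert.yml will not run under `--tags cert` unless the include is made static (`import_tasks`) or tagged with `always`.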
@@ -11,7 +11,7 @@
 - name: Create the self signed certificate
   command: openssl req -x509 -newkey rsa:{{ cert_key_size | default(4096) }} \
-    -subj "{{ cert_subj | default('/C=FR/ST=Aquitaine/L=Firewall Services/O=IT Security/CN=' + inventory_hostname) }}" \
+    -subj "{{ cert_subj | default('/C=FR/ST=Aquitaine/L=Ehtrace/O=IT Security/CN=' + inventory_hostname) }}" \
     -nodes -keyout {{ cert_key_path }} -out {{ cert_path }} -days {{ cert_validity | default(3650) }}
   args:
     creates: "{{ cert_path }}"
diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml
index be9020e..fc32d64 100644
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@@ -3,9 +3,11 @@
 - name: Configure IPv4 Forwarding
   sysctl: name="net.ipv4.ip_forward" value={{ net_ipv4_forward | ternary('1', '0') }} sysctl_file=/etc/sysctl.d/network.conf sysctl_set=yes state=present reload=yes
   when: ansible_virtualization_type != 'systemd-nspawn'
+  tags: net
 
 - name: Deploy /etc/hosts
   template: src=hosts.j2 dest=/etc/hosts
+  tags: net
 
 - name: Prevent PVE from changing /etc/hosts
   copy: content='' dest=/etc/.pve-ignore.hosts
diff --git a/roles/repo_base/tasks/dbd_RedHat.yml b/roles/repo_base/tasks/dbd_RedHat.yml
index 53d764c..2c2f7d1 100644
--- a/roles/repo_base/tasks/dbd_RedHat.yml
+++ b/roles/repo_base/tasks/dbd_RedHat.yml
@@ -4,7 +4,7 @@
   yum_repository:
     name: dbd
     description: "Daniel Berteaud RPM"
-    baseurl: http://rpms.lapiole.org/el$releasever/
+    baseurl: http://rpms.lapiole.org/el$releasever/ http://rpms.ehtrace.com/el$releasever/
     gpgcheck: True
     gpgkey: https://rpms.lapiole.org/RPM-GPG-KEY
   tags: repo
@@ -14,7 +14,7 @@
     name: dbd-testing
     description: "Daniel Berteaud Testing RPM"
     file: dbd
-    baseurl: http://rpms.lapiole.org/testing/el$releasever/
+    baseurl: http://rpms.lapiole.org/testing/el$releasever/ http://rpms.ehtrace.com/testing/el$releasever/
     gpgcheck: True
     gpgkey: https://rpms.lapiole.org/RPM-GPG-KEY
     enabled: False
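Review bot: Both new `baseurl` values (this hunk and the `dbd-testing` hunk right below it) add a second mirror over plain `http://`, so the only integrity check on what clients install is `gpgcheck: True` against a key fetched once over HTTPS. That verifies package signatures but not the repository metadata, so an on-path party serving an old repomd can hold hosts on a superseded package set; if the mirrors speak TLS, use `https://` for the `baseurl` entries, and if the repo publishes signed metadata add `repo_gpgcheck: True`. `yum_repository` also accepts `baseurl` as a YAML list, which reads more clearly than a space-separated string even though yum accepts the latter.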
diff --git a/roles/repo_samba4/defaults/main.yml b/roles/repo_samba4/defaults/main.yml
index 6acd061..9094f7c 100644
--- a/roles/repo_samba4/defaults/main.yml
+++ b/roles/repo_samba4/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
 # Select a branch from https://samba.tranquil.it/centos7/ or https://samba.tranquil.it/centos7/
-samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.14.10') }}
+samba_major_version: samba-{{ (ansible_distribution_major_version is version('8','<')) | ternary('4.12.15','4.15.3') }}
diff --git a/roles/repo_zabbix/defaults/main.yml b/roles/repo_zabbix/defaults/main.yml
index b33a64c..9c2cb93 100644
--- a/roles/repo_zabbix/defaults/main.yml
+++ b/roles/repo_zabbix/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-zabbix_major_version: 5.0
+zabbix_major_version: 5.4
diff --git a/roles/rpm_build_server/files/watcher.pl b/roles/rpm_build_server/files/watcher.pl
index c28c655..636c6e3 100644
--- a/roles/rpm_build_server/files/watcher.pl
+++ b/roles/rpm_build_server/files/watcher.pl
@@ -172,7 +172,9 @@ sub handle_submit {
     } else {
         log_verbose("No email address for $submiter, no notification will be sent");
     }
-    my $src_pkg = RPM2->open_package($srpm);
+    # Do not check the signature here
+    # We could try to submit a signed src.rpm for which we do not have the key system-wide
+    my $src_pkg = RPM2->open_package($srpm, RPM2->_rpmvsf_nosignatures);
     if (not $src_pkg->is_source_package){
         log_verbose("Couldn't parse $srpm as a valid srpm");
         return;
@@ -234,6 +236,8 @@ sub handle_submit {
             move $built_pkg, $dest . '/' . basename($built_pkg);
         }
     }, $result);
+    log_info("[$job_id] Removing old packages");
+    qx(rm -f \$(repomanage --keep=2 --old $repo_dir));
     log_info("[$job_id] Updating repo metadata for $target");
     qx(createrepo --checksum sha -x "*debuginfo*" --update -c $repo_cache_dir $repo_dir);
     if ($? != 0) {
diff --git a/roles/ssh/defaults/main.yml b/roles/ssh/defaults/main.yml
index 9ae39c9..d1eb5a4 100644
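Review bot: `RPM2->_rpmvsf_nosignatures` is an underscore-prefixed accessor of RPM2, i.e. an internal that is not part of the documented interface and may move between module releases, and the two comment lines above the call say why the signature is skipped but not what that implies: the submitted src.rpm is now opened with no cryptographic check at all, so the `is_source_package` test below is the only gate on the file before it is built. If handle_submit has already authenticated the submitter earlier (its start is outside this hunk) that trust model should be spelled out, e.g. `# Signature is NOT verified: trust rests on the submitter check, not on the package`. It is also worth confirming that `open_package` with this flag still rejects a malformed header rather than returning undef, since `$src_pkg->is_source_package` would then die inside the watcher.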
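Review bot: `qx(rm -f \$(repomanage --keep=2 --old $repo_dir))` interpolates `$repo_dir` into the shell unquoted and then lets the shell word-split the repomanage output, so a repository path or package name containing whitespace or glob characters is mishandled, and unlike the `createrepo` call two lines below, `$?` is never examined, so a failed cleanup goes unnoticed. Collecting the list in Perl and deleting it with `unlink` removes the second shell round-trip and makes failure visible in the log. handle_submit starts outside this hunk.
```perl
    log_info("[$job_id] Removing old packages");
    my @old_pkgs = grep { length } split(/\n/, qx(repomanage --keep=2 --old "$repo_dir"));
    if ($? != 0) {
        log_verbose("[$job_id] repomanage failed, old packages were not removed");
    } elsif (@old_pkgs) {
        unlink(@old_pkgs) == @old_pkgs
            or log_verbose("[$job_id] Some old packages could not be removed: $!");
    }
    # … unchanged: createrepo metadata update and its $? check …
```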
--- a/roles/ssh/defaults/main.yml
+++ b/roles/ssh/defaults/main.yml
@@ -41,12 +41,13 @@ ssh_users: []
 # ssh_keys:
 # - 'ssh-rsa AAAAB3NzaC1yc2...'
 # - 'ssh-rsa AAAAB3NzaC1yc2...'
+# keys_exclusive: True
+# keys_file: %h/.ssh/authorized_keys
 # key_options:
 # - from="192.168.3.7"
 # - no-pty
 # sftp_only: True
 # chroot: /var/www/html
-# keys_file: %h/.ssh/authorized_keys
 # allow_forwarding: False
 # sudo_defaults:
 # - '!env_reset'
diff --git a/roles/ssh/tasks/conf.yml b/roles/ssh/tasks/conf.yml
index 13cad89..73379ff 100644
--- a/roles/ssh/tasks/conf.yml
+++ b/roles/ssh/tasks/conf.yml
@@ -60,7 +60,7 @@
     key_options: "{{ item.key_options | default([]) | join(',') }}"
     path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"
     manage_dir: False
-    exclusive: True
+    exclusive: "{{ item.keys_exclusive | default(True) }}"
   ignore_errors: True # Needed eg, if LDAP isn't available on first run
   loop: "{{ ssh_users }}"
   tags: ssh
diff --git a/roles/ssh/tasks/iptables.yml b/roles/ssh/tasks/iptables.yml
index 66dd8f3..84ea71d 100644
--- a/roles/ssh/tasks/iptables.yml
+++ b/roles/ssh/tasks/iptables.yml
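Review bot: With `exclusive: "{{ item.keys_exclusive | default(True) }}"`, a user entry that sets `keys_exclusive: False` keeps whatever keys are already in the file, so dropping a key from that user's `ssh_keys` no longer revokes it on the host; that is the point of the option, but it changes the role's revocation guarantee and deserves a sentence next to the `# keys_exclusive: True` example added in roles/ssh/defaults/main.yml, e.g. `# keys_exclusive: False keeps keys not listed in ssh_keys; a removed key must then be revoked by hand`. The rendered value is the string `True`/`False`; the module's `exclusive` option is boolean so Ansible coerces it, but `{{ item.keys_exclusive | default(True) | bool }}` makes the intent explicit and survives a `'no'`/`'yes'` inventory value. The task's `ignore_errors: True` means a key file that fails to update for a non-exclusive user is still silent, which is unchanged by this commit.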
@@ -4,9 +4,14 @@
   iptables_raw:
     name: sshd_limit
     rules: |
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
-      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
+      -N SSH_LIMIT
+      {% if trusted_ip is defined and trusted_ip | length > 0 %}
+      -A SSH_LIMIT -s {{ trusted_ip | join(',') }} -j RETURN
+      {% endif %}
+      -A SSH_LIMIT -m recent --name ssh_limit --set
+      -A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
+      -A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
+      -A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -j SSH_LIMIT
     state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
     weight: 10
   tags: ssh,firewall
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index c446b71..bf2989e 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -4,18 +4,18 @@
   yum:
     name:
       - unbound
-  tags: unbound
+  tags: dns
 
 - name: Fetch the root hints
   get_url:
     url: https://www.internic.net/domain/named.cache
     dest: /etc/unbound/root.hints
-  tags: unbound
+  tags: dns
 
 - name: Deploy unbound configuration
   template: src=unbound.conf.j2 dest=/etc/unbound/unbound.conf
   notify: restart unbound
-  tags: unbound
+  tags: dns
 
 - name: Handle port in the firewall
   iptables_raw:
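Review bot: The `-j LOG` rule in the new `SSH_LIMIT` chain still has no `-m limit`, so once a source trips `--hitcount` every further SYN it sends writes a kernel log line for the rest of the 60 s window; adding `-m limit --limit 5/min` before `-j LOG` on that line keeps the log usable during a brute-force burst instead of flooding it. The `{% if %}`/`{% endif %}` lines sit inside the `rules: |` block scalar, so the rendered value contains whitespace-only lines whether or not `trusted_ip` is set; that the iptables_raw module tolerates blank lines in `rules` should be confirmed, or the tags can be moved to column 0 with `{%- ... -%}` trimming. `trusted_ip` is not defined anywhere in this patch, and when it is unset the bypass is simply omitted, which is the safe direction; with `state: absent` (when `sshd_max_conn_per_minute` is 0) it is also worth checking that the module removes the `-N SSH_LIMIT` chain it created rather than leaving an orphan chain behind.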
@@ -24,8 +24,8 @@
     rules: "-A INPUT -m state --state NEW -p udp -m multiport --dports {{ unbound_port }} -s {{ unbound_src_ip | join(',') }} -j ACCEPT\n -A INPUT -m state --state NEW -p tcp -m multiport --dports {{ unbound_port }} -s {{ unbound_src_ip | join(',') }} -j ACCEPT"
   when: iptables_manage | default(True)
-  tags: [unbound,firewall]
+  tags: dns,firewall
 
 - name: Start and enable the service
   service: name=unbound state=started enabled=True
-  tags: unbound
+  tags: dns
diff --git a/roles/zimbra/defaults/main.yml b/roles/zimbra/defaults/main.yml
index eb11cc0..9e32db9 100644
--- a/roles/zimbra/defaults/main.yml
+++ b/roles/zimbra/defaults/main.yml
@@ -70,8 +70,8 @@ zcs_domain_defaults:
 # Additional libs needed for CAS
 zcs_cas_libs:
-  - url: https://repo1.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.6.2/cas-client-core-3.6.2.jar
-    sha1: ccb636b9b8d8c048b4dd14b0b0627350def5e3a2
+  - url: https://repo1.maven.org/maven2/org/jasig/cas/client/cas-client-core/3.6.4/cas-client-core-3.6.4.jar
+    sha1: fc6897188c0bf840c5ccec5c6f0d0a0d6cb5b84d
   - url: https://repo1.maven.org/maven2/org/slf4j/slf4j-api/1.7.32/slf4j-api-1.7.32.jar
     sha1: cdcff33940d9f2de763bc41ea05a0be5941176c3