Add the CentOS roles. Losing history.
parent
4870ab4789
commit
4cb34462d9
|
@ -0,0 +1,38 @@
|
||||||
|
# This playbook updates hosts without guests.
|
||||||
|
#
|
||||||
|
# requires -e "target=somehostname" -e "yumcommand=update"
|
||||||
|
|
||||||
|
|
||||||
|
- name: update the system
|
||||||
|
hosts: "{{ target }}"
|
||||||
|
gather_facts: false
|
||||||
|
remote_user: root
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
# - name: expire-caches
|
||||||
|
# command: yum clean expire-cache
|
||||||
|
|
||||||
|
# - name: yum -y {{ yumcommand }}
|
||||||
|
# command: yum -y {{ yumcommand }}
|
||||||
|
# async: 7200
|
||||||
|
# poll: 30
|
||||||
|
|
||||||
|
- name: Update all the packages
|
||||||
|
yum: name=* state=latest update_cache=yes
|
||||||
|
async: 7200
|
||||||
|
poll: 30
|
||||||
|
|
||||||
|
- name: run rkhunter if installed
|
||||||
|
hosts: "{{ target }}"
|
||||||
|
remote_user: root
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: check for rkhunter
|
||||||
|
command: /usr/bin/test -f /usr/bin/rkhunter
|
||||||
|
register: rkhunter
|
||||||
|
ignore_errors: true
|
||||||
|
|
||||||
|
- name: run rkhunter --propupd
|
||||||
|
command: /usr/bin/rkhunter --propupd
|
||||||
|
when: rkhunter|success
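Review bot: The second play runs `/usr/bin/rkhunter --propupd` straight after the package update with no check first, so whatever is on disk at that moment becomes rkhunter's trusted file-property baseline; on a host that was tampered with before the run, the altered files are accepted as known-good. Consider running `rkhunter --check` before the update and refreshing the baseline only when it is clean, or at least state the assumption in the header, e.g. `# NOTE: --propupd trusts the current on-disk state; only run against hosts already known to be clean`. Separately, `when: rkhunter|success` uses the filter form of a test, which newer Ansible releases no longer accept; `when: rkhunter is succeeded` is the supported spelling. A `stat` task on `/usr/bin/rkhunter` with `when: rkhunter.stat.exists` would also remove the need for `ignore_errors: true`, which otherwise reports a failed task on every host without rkhunter. The header still asks for `-e "yumcommand=update"` although the only tasks that used it are commented out.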
|
||||||
|
|
|
@ -0,0 +1,77 @@
|
||||||
|
---
|
||||||
|
centos_pkg_state: latest
|
||||||
|
|
||||||
|
timezone: "Europe/Rome"
|
||||||
|
#hostname: '{{ ansible_fqdn }}'
|
||||||
|
hostname: '{{ inventory_hostname }}'
|
||||||
|
centos_set_dns_servers: False
|
||||||
|
dns1: 208.67.220.220
|
||||||
|
dns2: 208.67.222.222
|
||||||
|
configure_domain_name_in_interface: False
|
||||||
|
|
||||||
|
centos_packages_to_install:
|
||||||
|
- dstat
|
||||||
|
- lsof
|
||||||
|
- strace
|
||||||
|
- traceroute
|
||||||
|
- bind-utils
|
||||||
|
- yum-cron
|
||||||
|
- yum-plugin-fastestmirror
|
||||||
|
- whois
|
||||||
|
- iotop
|
||||||
|
- policycoreutils-python
|
||||||
|
- firewalld
|
||||||
|
- ipset
|
||||||
|
- ntp
|
||||||
|
- psmisc
|
||||||
|
- tcpdump
|
||||||
|
- tuned
|
||||||
|
- bash-completion
|
||||||
|
- rsync
|
||||||
|
- bzip2
|
||||||
|
- wget
|
||||||
|
- curl
|
||||||
|
- unzip
|
||||||
|
|
||||||
|
centos_packages_from_epel:
|
||||||
|
- htop
|
||||||
|
- lbzip2
|
||||||
|
|
||||||
|
centos_ntpd_enabled: True
|
||||||
|
|
||||||
|
centos_packages_cleanup: True
|
||||||
|
centos_remove_avahi: True
|
||||||
|
centos_remove_networkmanager: False
|
||||||
|
centos_disable_avahi: True
|
||||||
|
centos_disable_networkmanager: False
|
||||||
|
|
||||||
|
centos_packages_to_remove:
|
||||||
|
- ppp
|
||||||
|
- wpa_supplicant
|
||||||
|
|
||||||
|
centos_nm_packages:
|
||||||
|
- NetworkManager-tui
|
||||||
|
- ModemManager-glib
|
||||||
|
- NetworkManager-glib
|
||||||
|
- NetworkManager
|
||||||
|
|
||||||
|
centos_avahi_packages:
|
||||||
|
- avahi
|
||||||
|
- avahi-libs
|
||||||
|
- avahi-autoipd
|
||||||
|
|
||||||
|
centos_services_to_be_disabled:
|
||||||
|
- acpid
|
||||||
|
|
||||||
|
centos_enable_locate: False
|
||||||
|
centos_locate_package:
|
||||||
|
- mlocate
|
||||||
|
|
||||||
|
centos_hw_packages:
|
||||||
|
- smartmontools
|
||||||
|
- system-storage-manager
|
||||||
|
|
||||||
|
centos_selinux_daemons_dump_core: False
|
||||||
|
|
||||||
|
manage_root_ssh_keys: True
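Review bot: `centos_pkg_state: latest` as a role default means an ordinary configuration run can also upgrade every listed package, including the two under `centos_packages_from_epel`, so package changes happen outside the dedicated update playbook and are harder to audit. This assumes the variable is passed to the package module's `state`, which is not visible in this file; if so, `centos_pkg_state: present` would be the safer default, with `latest` set per inventory where wanted. The default list also puts `tcpdump` and `strace` on every host, so a comment above `centos_packages_to_install` such as `# debugging tools are installed everywhere on purpose; override this list on hardened hosts` would record that this is intended. As a style point, the booleans are written `True`/`False`; Ansible accepts them, but `true`/`false` is the canonical YAML form and matches the playbook in the same commit.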
|
||||||
|
|
|
@ -0,0 +1,578 @@
|
||||||
|
|
||||||
|
module qemu_ag_provisioning-sepol 1.0;
|
||||||
|
|
||||||
|
require {
|
||||||
|
type etc_t;
|
||||||
|
type systemd_timedated_t;
|
||||||
|
type virt_qemu_ga_t;
|
||||||
|
type proc_net_t;
|
||||||
|
class lnk_file unlink;
|
||||||
|
class file read;
|
||||||
|
}
|
||||||
|
|
||||||
|
#============= systemd_timedated_t ==============
|
||||||
|
# audit(1547125065.450:3522):
|
||||||
|
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:etc_t:s0"
|
||||||
|
# class="lnk_file" perms="unlink"
|
||||||
|
# comm="systemd-timedat" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125065.450:3522): avc: denied { unlink } for
|
||||||
|
# pid=1597 comm="systemd-timedat" name="localtime" dev="vda1" ino=75
|
||||||
|
# scontext=system_u:system_r:systemd_timedated_t:s0
|
||||||
|
# tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file"
|
||||||
|
# audit(1547125812.510:3650):
|
||||||
|
# scontext="system_u:system_r:systemd_timedated_t:s0" tcontext="system_u:object_r:etc_t:s0"
|
||||||
|
# class="lnk_file" perms="unlink"
|
||||||
|
# comm="systemd-timedat" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125812.510:3650): avc: denied { unlink } for
|
||||||
|
# pid=1653 comm="systemd-timedat" name="localtime" dev="vda1" ino=75
|
||||||
|
# scontext=system_u:system_r:systemd_timedated_t:s0
|
||||||
|
# tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file"
|
||||||
|
#!!!! WARNING: 'etc_t' is a base type.
|
||||||
|
allow systemd_timedated_t etc_t:lnk_file unlink;
|
||||||
|
|
||||||
|
#============= virt_qemu_ga_t ==============
|
||||||
|
# audit(1547125125.358:3533):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125125.358:3533): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125125.359:3534):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125125.359:3534): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125125.359:3535):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125125.359:3535): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125125.360:3536):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125125.360:3536): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125245.358:3545):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125245.358:3545): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125245.358:3546):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125245.358:3546): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125245.358:3547):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125245.358:3547): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125245.358:3544):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125245.358:3544): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125365.360:3555):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125365.360:3555): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125365.360:3556):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125365.360:3556): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125365.360:3557):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125365.360:3557): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125365.360:3558):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125365.360:3558): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125485.357:3631):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125485.357:3631): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125485.357:3632):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125485.357:3632): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125485.357:3633):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125485.357:3633): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125485.357:3634):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125485.357:3634): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125605.358:3642):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125605.358:3642): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125605.358:3643):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125605.358:3643): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125605.358:3644):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125605.358:3644): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125605.358:3641):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125605.358:3641): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125725.357:3646):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125725.357:3646): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125725.357:3647):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125725.357:3647): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125725.357:3648):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125725.357:3648): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125725.357:3645):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125725.357:3645): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125845.367:3652):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125845.367:3652): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125845.367:3653):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125845.367:3653): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125845.367:3654):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125845.367:3654): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125845.367:3655):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125845.367:3655): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125965.355:3657):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125965.355:3657): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125965.355:3658):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125965.355:3658): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125965.355:3659):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125965.355:3659): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547125965.355:3656):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547125965.355:3656): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126085.356:3661):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126085.356:3661): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126085.356:3662):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126085.356:3662): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126085.356:3663):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126085.356:3663): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126085.356:3660):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126085.356:3660): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126205.364:3665):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126205.364:3665): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126205.364:3666):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126205.364:3666): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126205.364:3667):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126205.364:3667): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126205.363:3664):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126205.363:3664): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126325.362:3669):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126325.362:3669): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126325.362:3670):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126325.362:3670): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126325.362:3671):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126325.362:3671): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126325.362:3668):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126325.362:3668): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126445.360:3673):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126445.360:3673): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126445.360:3674):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126445.360:3674): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126445.360:3675):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126445.360:3675): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126445.360:3672):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126445.360:3672): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126565.360:3677):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126565.360:3677): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126565.360:3678):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126565.360:3678): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126565.360:3679):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126565.360:3679): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126565.360:3676):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126565.360:3676): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126685.355:3681):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126685.355:3681): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126685.355:3682):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126685.355:3682): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126685.355:3683):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126685.355:3683): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126685.355:3680):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126685.355:3680): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126805.355:3685):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126805.355:3685): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126805.355:3686):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126805.355:3686): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126805.355:3687):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126805.355:3687): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126805.355:3684):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126805.355:3684): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126925.359:3689):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126925.359:3689): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126925.359:3690):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126925.359:3690): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126925.359:3691):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126925.359:3691): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547126925.359:3688):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547126925.359:3688): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547127045.360:3693):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547127045.360:3693): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547127045.360:3694):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547127045.360:3694): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547127045.360:3695):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547127045.360:3695): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
# audit(1547127045.360:3692):
|
||||||
|
# scontext="system_u:system_r:virt_qemu_ga_t:s0" tcontext="system_u:object_r:proc_net_t:s0"
|
||||||
|
# class="file" perms="read"
|
||||||
|
# comm="qemu-ga" exe="" path=""
|
||||||
|
# message="type=AVC msg=audit(1547127045.360:3692): avc: denied { read } for
|
||||||
|
# pid=18090 comm="qemu-ga" name="dev" dev="proc" ino=4026531976
|
||||||
|
# scontext=system_u:system_r:virt_qemu_ga_t:s0
|
||||||
|
# tcontext=system_u:object_r:proc_net_t:s0 tclass=file"
|
||||||
|
allow virt_qemu_ga_t proc_net_t:file read;
|
|
@ -0,0 +1,12 @@
|
||||||
|
|
||||||
|
module systemd-enable-sepol 1.0;
|
||||||
|
|
||||||
|
require {
|
||||||
|
type unconfined_t;
|
||||||
|
type init_t;
|
||||||
|
class service enable;
|
||||||
|
}
|
||||||
|
|
||||||
|
#============= unconfined_t ==============
|
||||||
|
allow unconfined_t init_t:service enable;
|
||||||
|
|
|
@ -0,0 +1,135 @@
|
||||||
|
---
|
||||||
|
- name: Install the basic packages
|
||||||
|
yum: name={{ centos_packages_to_install }} state={{ centos_pkg_state }}
|
||||||
|
tags: [ 'centos', 'bootstrap', 'packages' ]
|
||||||
|
|
||||||
|
- name: Install the basic packages from the EPEL repository
|
||||||
|
yum: name={{ centos_packages_from_epel }} state={{ centos_pkg_state }}
|
||||||
|
when: centos_install_epel
|
||||||
|
tags: [ 'centos', 'bootstrap', 'packages' ]
|
||||||
|
|
||||||
|
- name: Install the packages we want on a non virtualized host
|
||||||
|
yum: name={{ centos_hw_packages | default([]) }} state={{ centos_pkg_state }}
|
||||||
|
when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
|
||||||
|
tags: [ 'centos', 'bootstrap', 'packages' ]
|
||||||
|
|
||||||
|
- name: Install the selinux policy file to fix a timedatectl problem and various qemu-ga ones
|
||||||
|
copy: src=qemu_ag_provisioning-sepol.te dest=/usr/local/etc/qemu_ag_provisioning-sepol.te
|
||||||
|
register: qemu_ga_selinux_policy
|
||||||
|
tags: [ 'centos', 'rhel', 'selinux' ]
|
||||||
|
|
||||||
|
- name: Activate the selinux policy for qemu
|
||||||
|
shell: checkmodule -M -m -o /usr/local/etc/qemu_ag_provisioning-sepol.mod /usr/local/etc/qemu_ag_provisioning-sepol.te ; semodule_package -o /usr/local/etc/qemu_ag_provisioning-sepol.pp -m /usr/local/etc/qemu_ag_provisioning-sepol.mod ; semodule -i /usr/local/etc/qemu_ag_provisioning-sepol.pp
|
||||||
|
args:
|
||||||
|
creates: /usr/local/etc/qemu_ag_provisioning-sepol.pp
|
||||||
|
when: qemu_ga_selinux_policy is changed
|
||||||
|
tags: [ 'centos', 'rhel', 'selinux' ]
|
||||||
|
|
||||||
|
- name: Install the selinux policy file to fix a systemd policy glitch
|
||||||
|
copy: src=systemd-enable.te dest=/usr/local/etc/systemd-enable-sepol.te
|
||||||
|
register: systemd_selinux_policy
|
||||||
|
tags: [ 'centos', 'rhel', 'selinux' ]
|
||||||
|
|
||||||
|
- name: Activate the selinux policy for systemd
|
||||||
|
shell: checkmodule -M -m -o /usr/local/etc/systemd-enable-sepol.mod /usr/local/etc/systemd-enable-sepol.te ; semodule_package -o /usr/local/etc/systemd-enable-sepol.pp -m /usr/local/etc/systemd-enable-sepol.mod ; semodule -i /usr/local/etc/systemd-enable-sepol.pp
|
||||||
|
args:
|
||||||
|
creates: /usr/local/etc/systemd-enable-sepol.pp
|
||||||
|
when: systemd_selinux_policy is changed
|
||||||
|
tags: [ 'centos', 'rhel', 'selinux' ]
|
||||||
|
|
||||||
|
- name: Activate smartmontools on a non virtualized host
|
||||||
|
service: name=smartd state=started enabled=yes
|
||||||
|
when: ansible_virtualization_role is defined and ansible_virtualization_role == 'host'
|
||||||
|
tags: [ 'centos', 'bootstrap', 'packages' ]
|
||||||
|
|
||||||
|
- name: Install the locate utility if needed
|
||||||
|
yum: name={{ centos_locate_package }} state={{ centos_pkg_state }}
|
||||||
|
when: centos_enable_locate
|
||||||
|
tags: [ 'centos', 'bootstrap', 'packages' ]
|
||||||
|
|
||||||
|
- name: Set the timezone
|
||||||
|
command: timedatectl set-timezone {{ timezone }}
|
||||||
|
tags: [ 'centos', 'bootstrap' ]
|
||||||
|
|
||||||
|
- name: Set the hostname
|
||||||
|
hostname: name={{ hostname }}
|
||||||
|
when: hostname is defined
|
||||||
|
tags: [ 'centos', 'bootstrap' ]
|
||||||
|
|
||||||
|
- name: Configure the main interface to set the correct resolvers. dns1
|
||||||
|
lineinfile: name=/etc/sysconfig/network-scripts/ifcfg-eth0 regexp="^DNS1=" line="DNS1={{ dns1 }}"
|
||||||
|
when: centos_set_dns_servers
|
||||||
|
tags: [ 'centos', 'bootstrap' ]
|
||||||
|
|
||||||
|
- name: Configure the main interface to set the correct resolvers. dns2
|
||||||
|
lineinfile: name=/etc/sysconfig/network-scripts/ifcfg-eth0 regexp="^DNS2=" line="DNS2={{ dns2 }}"
|
||||||
|
when: centos_set_dns_servers
|
||||||
|
tags: [ 'centos', 'bootstrap' ]
|
||||||
|
|
||||||
|
- name: Configure the main interface to set the correct resolvers. search domain
|
||||||
|
lineinfile: name=/etc/sysconfig/network-scripts/ifcfg-eth0 regexp="^DOMAIN=" line="DOMAIN={{ domain_name }}"
|
||||||
|
when: configure_domain_name_in_interface
|
||||||
|
tags: [ 'centos', 'bootstrap' ]
|
||||||
|
|
||||||
|
- name: Ensure that the ntpd service is enabled and running
|
||||||
|
service: name=ntpd state=started enabled=yes
|
||||||
|
when: centos_ntpd_enabled
|
||||||
|
tags: [ 'centos', 'bootstrap', 'ntp' ]
|
||||||
|
|
||||||
|
- name: Ensure that the ntpd service is stopped and disabled
|
||||||
|
service: name=ntpd state=stopped enabled=no
|
||||||
|
when: not centos_ntpd_enabled
|
||||||
|
tags: [ 'centos', 'bootstrap', 'ntp' ]
|
||||||
|
|
||||||
|
- name: Stop avahi before removing it when it is not needed
|
||||||
|
service: name=avahi-daemon state=stopped enabled=no
|
||||||
|
when: centos_remove_avahi or centos_disable_avahi
|
||||||
|
ignore_errors: True
|
||||||
|
tags: [ 'centos', 'bootstrap', 'avahi' ]
|
||||||
|
|
||||||
|
- name: Stop and disable NetworkManager when we do not need it or we are going to remove it
|
||||||
|
service: name=NetworkManager state=stopped enabled=no
|
||||||
|
when: centos_remove_networkmanager or centos_disable_networkmanager
|
||||||
|
ignore_errors: True
|
||||||
|
tags: [ 'centos', 'bootstrap', 'networkmanager' ]
|
||||||
|
|
||||||
|
- name: Remove some unneeded packages
|
||||||
|
yum: name={{ centos_packages_to_remove | default ([]) }} state=absent
|
||||||
|
when: centos_packages_cleanup
|
||||||
|
tags: [ 'centos', 'bootstrap', 'packages' ]
|
||||||
|
|
||||||
|
- name: Remove the Avahi packages
|
||||||
|
yum: name={{ centos_avahi_packages | default ([]) }} state=absent
|
||||||
|
when: centos_remove_avahi
|
||||||
|
tags: [ 'centos', 'bootstrap', 'packages' ]
|
||||||
|
|
||||||
|
- name: Remove the NetworkManager packages
|
||||||
|
yum: name={{ centos_nm_packages | default ([]) }} state=absent
|
||||||
|
when: centos_remove_networkmanager
|
||||||
|
tags: [ 'centos', 'bootstrap', 'packages' ]
|
||||||
|
|
||||||
|
- name: Disable some unneeded services
|
||||||
|
service: name= state=stopped enabled=no
|
||||||
|
with_items: '{{ centos_services_to_be_disabled }}'
|
||||||
|
when: centos_services_to_be_disabled is defined
|
||||||
|
ignore_errors: True
|
||||||
|
tags: [ 'centos', 'bootstrap', 'daemons' ]
|
||||||
|
|
||||||
|
- name: Configure selinux to permit core dumps by daemons
|
||||||
|
seboolean: name=daemons_dump_core state=yes persistent=yes
|
||||||
|
when: centos_selinux_daemons_dump_core
|
||||||
|
tags: [ 'centos', 'bootstrap', 'selinux' ]
|
||||||
|
|
||||||
|
- name: various pub ssh keys for users and apps
|
||||||
|
authorized_key: user=root key="{{ item }}" state=present
|
||||||
|
with_items: '{{ root_ssh_keys | default([]) }}'
|
||||||
|
when: manage_root_ssh_keys
|
||||||
|
tags: root_pubkeys
|
||||||
|
|
||||||
|
- name: Remove obsolete keys from the authorized ones
|
||||||
|
authorized_key: user=root key="{{ item }}" state=absent
|
||||||
|
with_items: '{{ obsolete_root_ssh_keys | default([]) }}'
|
||||||
|
when: obsolete_root_ssh_keys is defined
|
||||||
|
tags: root_pubkeys
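Review bot: The two "Activate the selinux policy" tasks combine `when: ... is changed` with `creates: ….pp`, so once the `.pp` exists an updated `.te` file is copied but never recompiled or loaded. Dropping `creates` and letting the registered copy result gate the task fixes that, for both the qemu and the systemd module. The three commands are also joined with `;`, so `semodule -i` still runs when `checkmodule` fails and can reload a stale package; chain them with `&&` (`checkmodule … && semodule_package … && semodule -i …`, same paths). Separately, "Disable some unneeded services" appears on this page as `service: name= state=stopped enabled=no` with no `{{ item }}`. If that is what the file really contains, `ignore_errors: True` hides the failure and the listed services stay enabled.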
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
bind_pkg_state: present
|
||||||
|
bind_use_chroot: True
|
||||||
|
bind_chroot_base: /var/named/chroot
|
||||||
|
bind_service_enabled: True
|
||||||
|
#bind_config_path: '{{ bind_chroot_base }}/etc'
|
||||||
|
bind_config_path: '/etc'
|
||||||
|
bind_user: named
|
||||||
|
bind_group: named
|
||||||
|
|
||||||
|
bind_packages:
|
||||||
|
- bind
|
||||||
|
- bind-license
|
||||||
|
- bind-utils
|
||||||
|
|
||||||
|
bind_chroot_packages:
|
||||||
|
- bind-chroot
|
||||||
|
- bind-license
|
||||||
|
- bind-utils
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
- name: dns server reload
|
||||||
|
service: name=named state=reloaded
|
||||||
|
when: not bind_use_chroot
|
||||||
|
|
||||||
|
- name: dns server reload
|
||||||
|
service: name=named-chroot state=reloaded
|
||||||
|
when: bind_use_chroot
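Review bot: Both handlers are named `dns server reload`, and Ansible keeps only the last handler loaded under a given name, so a notify reaches only the `named-chroot` one. When `bind_use_chroot` is false that handler is skipped by its `when`, and `named` is never reloaded after a configuration change. Give the handlers distinct names and a shared topic, for example `name: reload named` and `name: reload named-chroot`, each with `listen: dns server reload`, keeping the existing `when` conditions.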
|
|
@ -0,0 +1,36 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install the bind packages to setup a dns server
|
||||||
|
yum: name={{ bind_packages }} state={{ bind_pkg_state }}
|
||||||
|
|
||||||
|
- name: Start and enable the bind service
|
||||||
|
service: name=named state=started enabled=yes
|
||||||
|
when: bind_service_enabled
|
||||||
|
|
||||||
|
- name: Stop and disable the chroot bind service
|
||||||
|
service: name=named-chroot state=stopped enabled=no
|
||||||
|
|
||||||
|
- name: Stop and disable the bind service
|
||||||
|
service: name=named state=stopped enabled=no
|
||||||
|
when: not bind_service_enabled
|
||||||
|
|
||||||
|
when: not bind_use_chroot
|
||||||
|
tags: [ 'bind', 'nameserver' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Install the bind packages to setup a dns server in a chroot environment
|
||||||
|
yum: name={{ bind_chroot_packages }} state={{ bind_pkg_state }}
|
||||||
|
|
||||||
|
- name: Start and enable the chroot bind service
|
||||||
|
service: name=named-chroot state=started enabled=yes
|
||||||
|
when: bind_service_enabled
|
||||||
|
|
||||||
|
- name: Stop and disable the bind service
|
||||||
|
service: name=named state=stopped enabled=no
|
||||||
|
|
||||||
|
- name: Stop and disable the chroot bind service
|
||||||
|
service: name=named-chroot state=stopped enabled=no
|
||||||
|
when: not bind_service_enabled
|
||||||
|
|
||||||
|
when: bind_use_chroot
|
||||||
|
tags: [ 'bind', 'nameserver' ]
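Review bot: In the non-chroot block, "Stop and disable the chroot bind service" targets `named-chroot` unconditionally, but that block installs only `bind_packages`, which in this commit's defaults does not include `bind-chroot`. On a host that never had the chroot package the unit is presumably absent, and the `service` task would then fail the play. Guard that task, for example by running `service_facts` first and adding `when: "'named-chroot.service' in ansible_facts.services"`. The rendering here has flattened the indentation, so the nesting of the block-level `when` and `tags` lines cannot be checked from this page.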
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- role: '../../library/centos/roles/external-repos'
|
||||||
|
- role: '../../library/centos/roles/basic-setup'
|
||||||
|
- role: '../../library/roles/motd'
|
||||||
|
- role: '../../library/roles/linux-kernel-sysctl'
|
||||||
|
- role: '../../library/centos/roles/tuned-setup'
|
|
@ -0,0 +1,12 @@
|
||||||
|
[Service]
|
||||||
|
ExecStart=
|
||||||
|
ExecStart=/usr/bin/docker-current daemon \
|
||||||
|
--exec-opt native.cgroupdriver=systemd \
|
||||||
|
-H tcp://0.0.0.0:2375 \
|
||||||
|
-H unix:///var/run/docker.sock \
|
||||||
|
$OPTIONS \
|
||||||
|
$DOCKER_STORAGE_OPTIONS \
|
||||||
|
$DOCKER_NETWORK_OPTIONS \
|
||||||
|
$ADD_REGISTRY \
|
||||||
|
$BLOCK_REGISTRY \
|
||||||
|
$INSECURE_REGISTRY
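Review bot: `-H tcp://0.0.0.0:2375` binds the Docker API on every interface with no TLS and no authentication, so anyone who can reach the port controls the daemon and, in effect, has root on the host. The task that deploys this override describes the intent as listening on 127.0.0.1:2375, so the line should read `-H tcp://127.0.0.1:2375 \`. If remote access is ever needed, use a TLS listener with `--tlsverify` and client certificates rather than a plain TCP socket, and restrict the port in firewalld.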
|
|
@ -0,0 +1,10 @@
|
||||||
|
[Unit]
|
||||||
|
Description=Docker Socket for the API
|
||||||
|
|
||||||
|
[Socket]
|
||||||
|
ListenStream=127.0.0.1:2375
|
||||||
|
BindIPv6Only=both
|
||||||
|
Service=docker.service
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sockets.target
|
|
@ -0,0 +1,45 @@
|
||||||
|
---
|
||||||
|
### installs pip and docker-py to enable using ansible's docker module
|
||||||
|
- name: Install python setup tools
|
||||||
|
yum: name=python-setuptools state=latest
|
||||||
|
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
|
||||||
|
tags: docker
|
||||||
|
|
||||||
|
- name: Install Pypi
|
||||||
|
easy_install: name=pip
|
||||||
|
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
|
||||||
|
tags: docker
|
||||||
|
|
||||||
|
- name: Install docker-py
|
||||||
|
pip: name=docker-py
|
||||||
|
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
|
||||||
|
|
||||||
|
- name: Install Docker
|
||||||
|
yum: name=docker state=latest
|
||||||
|
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
|
||||||
|
tags: docker
|
||||||
|
|
||||||
|
- name: Create a dir to place the service file override "docker-tcp-override.conf"
|
||||||
|
file: path=/etc/systemd/system/docker.service.d/ state=directory owner=root group=root selevel=s0 seuser=system_u serole=object_r setype=systemd_unit_file_t mode=0755
|
||||||
|
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
|
||||||
|
|
||||||
|
- name: Create a systemd service overrride "docker-tcp-override.conf" to force Docker to actually listen to tcp 127.0.0.1:2375 along the unix socket (required for shinyproxy)
|
||||||
|
copy: src=docker-tcp-override.conf dest=/etc/systemd/system/docker.service.d/ owner=root group=root selevel=s0 seuser=system_u serole=object_r setype=systemd_unit_file_t mode=0755
|
||||||
|
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
|
||||||
|
|
||||||
|
#### The other way around enabling docker's tcp socket in systemd based distros... Didn't work for me.
|
||||||
|
#- name: Create a systemd socketfile "docker-tcp.socket" to have Docker listen to tcp port 2375 (required for shinyproxy)
|
||||||
|
# copy: src=docker-tcp.socket dest=/etc/systemd/system/ owner=root group=root selevel=s0 seuser=system_u serole=object_r setype=systemd_unit_file_t mode=0755
|
||||||
|
|
||||||
|
#- name: Make sure Docker is *not* running before starting the socket service, otherwise things *won't* work
|
||||||
|
# service: name=docker state=stopped enabled=yes
|
||||||
|
# #when: "changed not in socketfile_changed.src"
|
||||||
|
|
||||||
|
#- name: Make sure docker-tcp.socket is enabled and running
|
||||||
|
# systemd: name=docker-tcp.socket state=restarted enabled=yes daemon_reload=yes
|
||||||
|
####
|
||||||
|
#
|
||||||
|
- name: Force a docker service (re)start since we don't know whether the service file override has been updated/deployed for the first time (can't register file changes from copy module???)
|
||||||
|
systemd: name=docker state=restarted enabled=yes daemon_reload=yes
|
||||||
|
when: (ansible_distribution == "CentOS" or ansible_distribution == "RedHat") and ansible_distribution_version == "7"
|
||||||
|
# service: name=docker state=started enabled=yes
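Review bot: Every task here is gated on `ansible_distribution_version == "7"`, but on CentOS/RHEL 7 that fact normally carries the minor release as well (for example `7.6`), so the condition is likely never true and the whole file is skipped. Compare `ansible_distribution_major_version == "7"` instead. The final restart is also unconditional, so Docker and its containers are restarted on every run; the `copy` task does report `changed`, so it can `notify` a restart handler and the restart then happens only when the override file changes. The override file is installed with `mode=0755`; a unit drop-in needs no execute bit, so `mode=0644` is enough.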
|
|
@ -0,0 +1,2 @@
|
||||||
|
- import_tasks: centos7.yml
|
||||||
|
- import_tasks: ubuntu1404.yml
|
|
@ -0,0 +1,34 @@
|
||||||
|
---
|
||||||
|
### installs pip and docker-py to enable using ansible's docker module
|
||||||
|
|
||||||
|
- name: Install python setup tools
|
||||||
|
apt: name=python-setuptools state=latest
|
||||||
|
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
|
||||||
|
tags: docker
|
||||||
|
|
||||||
|
- name: Install Pypi
|
||||||
|
easy_install: name=pip
|
||||||
|
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
|
||||||
|
tags: docker
|
||||||
|
|
||||||
|
- name: Install docker-py
|
||||||
|
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
|
||||||
|
pip: name=docker-py
|
||||||
|
|
||||||
|
- name: Install Docker
|
||||||
|
apt: name=docker state=latest
|
||||||
|
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
|
||||||
|
tags: docker
|
||||||
|
|
||||||
|
- name: Install Docker
|
||||||
|
apt: name=docker.io state=latest
|
||||||
|
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
|
||||||
|
tags: docker
|
||||||
|
|
||||||
|
- name: override DOCKER_OPTS to ensure that the demon listens to a tcp port
|
||||||
|
lineinfile: dest=/etc/default/docker state=present regexp='^DOCKER_OPTS' line='DOCKER_OPTS=\'-H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock\''
|
||||||
|
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
|
||||||
|
|
||||||
|
- name: Force a docker service (re)start since we don't know whether the service file override has been updated/deployed for the first time (can't register file changes from copy module???)
|
||||||
|
service: name=docker state=restarted enabled=yes
|
||||||
|
when: (ansible_distribution == "Ubuntu" and ansible_distribution_version == "14.04")
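Review bot: The first "Install Docker" task installs the apt package `docker`, which on Ubuntu 14.04 is, as far as I know, an unrelated system-tray utility; the engine comes from `docker.io`, installed by the next task, so the `name=docker` task should be dropped. The `lineinfile` argument nests `\'` inside a single-quoted `key=value` value, which is fragile. Writing the task in block form with `line: "DOCKER_OPTS='-H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock'"` avoids the escaping. The loopback TCP listener still has no authentication, so any local user or process can drive the daemon regardless of the permissions on `/var/run/docker.sock`; a comment recording that trade-off would help.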
|
|
@ -0,0 +1,37 @@
|
||||||
|
---
|
||||||
|
duplicity_install_duply: True
|
||||||
|
duplicity_cli_only: True
|
||||||
|
# ftps is nice but it fails if the target directory does not exist.
|
||||||
|
duplicity_use_ftps: True
|
||||||
|
duplicity_target_protocol: sftp
|
||||||
|
duplicity_use_ssh_keys: False
|
||||||
|
duplicity_max_backup_age: 1M
|
||||||
|
duplicity_max_full_backups: 2
|
||||||
|
duplicity_max_full_with_incrs: 1
|
||||||
|
duplicity_verbosity: 5
|
||||||
|
duplicity_temp_dir: /var/cache/duplicity
|
||||||
|
duplicity_cron_job_logfile: /var/log/duplicity_backup.log
|
||||||
|
duplicity_volsize: 50
|
||||||
|
|
||||||
|
duply_default_profile: '{{ ansible_fqdn }}'
|
||||||
|
duply_default_targets:
|
||||||
|
- '+ /etc/'
|
||||||
|
- '- **'
|
||||||
|
- '/'
|
||||||
|
|
||||||
|
duply_additional_targets:
|
||||||
|
- '- /var/cache'
|
||||||
|
- '+ /var/'
|
||||||
|
- '+ /home'
|
||||||
|
|
||||||
|
# Set the values on a vault encrypted file:
|
||||||
|
# duplicity_passphrase:
|
||||||
|
# duplicity_ftp_password:
|
||||||
|
# duplicity_backup_server:
|
||||||
|
# duplicity_backup_user:
|
||||||
|
# duplicity_backup_dest_dir:
|
||||||
|
|
||||||
|
# TODO: Create the configuration
|
||||||
|
# a pre script that runs the DB backups
|
||||||
|
# a exclude file with the list of directories to backup
|
||||||
|
# change the DB backup scripts to not run if duply is active
|
|
@ -0,0 +1,44 @@
|
||||||
|
---
|
||||||
|
- name: Install the duplicity package
|
||||||
|
yum: name=duplicity state=present
|
||||||
|
tags: [ 'duplicity', 'duplicity_backup' ]
|
||||||
|
|
||||||
|
- name: Install the duply wrapper
|
||||||
|
yum: name=duply state=present
|
||||||
|
when: duplicity_install_duply
|
||||||
|
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
|
||||||
|
|
||||||
|
- name: Install lftp if we want use ftps
|
||||||
|
yum: name=lftp state=present
|
||||||
|
when: duplicity_use_ftps
|
||||||
|
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
|
||||||
|
|
||||||
|
- name: Create the duply directory for the default profile
|
||||||
|
file: dest=/etc/duply/{{ duply_default_profile }} state=directory owner=root group=root mode=0700
|
||||||
|
when: duplicity_install_duply
|
||||||
|
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
|
||||||
|
|
||||||
|
- name: Create the duply temp directory
|
||||||
|
file: dest={{ duplicity_temp_dir }} state=directory owner=root group=root mode=0700
|
||||||
|
when: duplicity_install_duply
|
||||||
|
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
|
||||||
|
|
||||||
|
- name: Install the duply default profile configuration
|
||||||
|
template: src=duply-profile-conf.j2 dest=/etc/duply/{{ duply_default_profile }}/conf owner=root group=root mode=0400
|
||||||
|
when: duplicity_install_duply
|
||||||
|
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
|
||||||
|
|
||||||
|
- name: Install the duply pre script
|
||||||
|
template: src=duply-pre-script.j2 dest=/etc/duply/{{ duply_default_profile }}/pre owner=root group=root mode=0500
|
||||||
|
when: duplicity_install_duply
|
||||||
|
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
|
||||||
|
|
||||||
|
- name: Install the duply pattern files list
|
||||||
|
template: src=duply-exclude.j2 dest=/etc/duply/{{ duply_default_profile }}/exclude owner=root group=root mode=0400
|
||||||
|
when: duplicity_install_duply
|
||||||
|
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
|
||||||
|
|
||||||
|
- name: Install the duply cron job
|
||||||
|
template: src=duplicity_backup.cron.j2 dest=/etc/cron.daily/duplicity_backup owner=root group=root mode=0555
|
||||||
|
when: duplicity_install_duply
|
||||||
|
tags: [ 'duplicity', 'duply', 'duplicity_backup' ]
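Review bot: "Install the duply default profile configuration" renders a file that contains `GPG_PW='{{ duplicity_passphrase }}'` (visible in the profile template later on this page), and a run with `--diff` prints the rendered content to the console and to any callback logs. Add `no_log: true` to that task so the passphrase, and presumably the backup target credentials, stay out of run output. The `0400` mode and the `0700` profile directory are appropriate for this file. The variables are expected to come from a vault file, so the task output is the remaining place they could leak.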
|
|
@ -0,0 +1,27 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
DATE=$( date )
|
||||||
|
DUPLY=/usr/bin/duply
|
||||||
|
D_PROFILE={{ duply_default_profile }}
|
||||||
|
LOG_FILE={{ duplicity_cron_job_logfile }}
|
||||||
|
LOCK_FILE={{ duplicity_temp_dir }}/.duply-backup.lock
|
||||||
|
|
||||||
|
if [ ! -f $LOCK_FILE ] ; then
|
||||||
|
echo $$ > $LOCK_FILE
|
||||||
|
echo "----------------------" > $LOG_FILE
|
||||||
|
echo "$DATE: starting backup" >> $LOG_FILE
|
||||||
|
echo "----------------------" >> $LOG_FILE
|
||||||
|
$DUPLY $D_PROFILE backup >> $LOG_FILE 2>&1
|
||||||
|
echo "----------------------" >> $LOG_FILE
|
||||||
|
echo "Starting the purge old backups operation" >> $LOG_FILE
|
||||||
|
echo "----------------------" >> $LOG_FILE
|
||||||
|
$DUPLY $D_PROFILE purge --force >> $LOG_FILE 2>&1
|
||||||
|
echo "----------------------" >> $LOG_FILE
|
||||||
|
echo "Backup and purge operations finished" >> $LOG_FILE
|
||||||
|
echo "----------------------" >> $LOG_FILE
|
||||||
|
rm -f $LOCK_FILE
|
||||||
|
else
|
||||||
|
echo "$DATE: another backup is running, exiting" > $LOG_FILE
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
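Review bot: The lock file is removed only on the normal path, so if the script is interrupted mid-backup the stale `$LOCK_FILE` makes every later run log "another backup is running" and `exit 0`, and backups stop without any failing cron status. Add `trap 'rm -f "$LOCK_FILE"' EXIT` right after the lock is written, or run the body under `flock -n`, which also covers a kill or reboot and closes the gap between the `-f` test and the write. The else branch uses `>` and so truncates the log of the backup that is still running; `>>` keeps it. The script also discards duply's exit status, so a failed backup is visible only by reading the log.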
|
|
@ -0,0 +1,14 @@
|
||||||
|
# although called exclude, this file is actually a globbing file list
|
||||||
|
# duplicity accepts some globbing patterns, even including ones here
|
||||||
|
# here is an example, this incl. only 'dir/bar' except it's subfolder 'foo'
|
||||||
|
# - dir/bar/foo
|
||||||
|
# + dir/bar
|
||||||
|
# - **
|
||||||
|
# for more details see duplicity manpage, section File Selection
|
||||||
|
# http://duplicity.nongnu.org/duplicity.1.html#sect9
|
||||||
|
{% for dir in duply_additional_targets %}
|
||||||
|
{{ dir }}
|
||||||
|
{% endfor %}
|
||||||
|
{% for ddir in duply_default_targets %}
|
||||||
|
{{ ddir }}
|
||||||
|
{% endfor %}
|
|
@ -0,0 +1,11 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Run a DB dump before the backup
|
||||||
|
if [ -x /usr/local/sbin/postgresql-backup ] ; then
|
||||||
|
/usr/local/sbin/postgresql-backup
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -x /usr/local/sbin/mysql-backup ] ; then
|
||||||
|
/usr/local/sbin/mysql-backup
|
||||||
|
fi
|
||||||
|
|
|
@ -0,0 +1,150 @@
|
||||||
|
# gpg encryption settings, simple settings:
|
||||||
|
# GPG_KEY='disabled' - disables encryption alltogether
|
||||||
|
# GPG_KEY='<key1>[,<key2>]'; GPG_PW='pass' - encrypt with keys,
|
||||||
|
# sign if secret key of key1 is available use GPG_PW for sign & decrypt
|
||||||
|
# Note: you can specify keys via all methods described in gpg manpage,
|
||||||
|
# section "How to specify a user ID", escape commas (,) via backslash (\)
|
||||||
|
# e.g. 'Mueller, Horst', 'Bernd' -> 'Mueller\, Horst, Bernd'
|
||||||
|
# as they are used to separate the entries
|
||||||
|
# GPG_PW='passphrase' - symmetric encryption using passphrase only
|
||||||
|
#GPG_KEY='_KEY_ID_'
|
||||||
|
GPG_PW='{{ duplicity_passphrase }}'
|
||||||
|
# gpg encryption settings in detail (extended settings)
|
||||||
|
# the above settings translate to the following more specific settings
|
||||||
|
# GPG_KEYS_ENC='<keyid1>[,<keyid2>,...]' - list of pubkeys to encrypt to
|
||||||
|
# GPG_KEY_SIGN='<keyid1>|disabled' - a secret key for signing
|
||||||
|
# GPG_PW='<passphrase>' - needed for signing, decryption and symmetric
|
||||||
|
# encryption. If you want to deliver different passphrases for e.g.
|
||||||
|
# several keys or symmetric encryption plus key signing you can use
|
||||||
|
# gpg-agent. Simply make sure that GPG_AGENT_INFO is set in environment.
|
||||||
|
# also see "A NOTE ON SYMMETRIC ENCRYPTION AND SIGNING" in duplicity manpage
|
||||||
|
# notes on en/decryption
|
||||||
|
# private key and passphrase will only be needed for decryption or signing.
|
||||||
|
# decryption happens on restore and incrementals (compare archdir contents).
|
||||||
|
# for security reasons it makes sense to separate the signing key from the
|
||||||
|
# encryption keys. https://answers.launchpad.net/duplicity/+question/107216
|
||||||
|
#GPG_KEYS_ENC='<pubkey1>,<pubkey2>,...'
|
||||||
|
#GPG_KEY_SIGN='<prvkey>'
|
||||||
|
# set if signing key passphrase differs from encryption (key) passphrase
|
||||||
|
# NOTE: available since duplicity 0.6.14, translates to SIGN_PASSPHRASE
|
||||||
|
#GPG_PW_SIGN='<signpass>'
|
||||||
|
|
||||||
|
|
||||||
|
# gpg options passed from duplicity to gpg process (default='')
|
||||||
|
# e.g. "--trust-model pgp|classic|direct|always"
|
||||||
|
# or "--compress-algo=bzip2 --bzip2-compress-level=9"
|
||||||
|
# or "--personal-cipher-preferences AES256,AES192,AES..."
|
||||||
|
# or "--homedir ~/.duply" - keep keyring and gpg settings duply specific
|
||||||
|
#GPG_OPTS=''
|
||||||
|
|
||||||
|
# disable preliminary tests with the following setting
|
||||||
|
#GPG_TEST='disabled'
|
||||||
|
|
||||||
|
# credentials & server address of the backup target (URL-Format)
|
||||||
|
# syntax is
|
||||||
|
# scheme://[user:password@]host[:port]/[/]path
|
||||||
|
# for details see duplicity manpage, section URL Format
|
||||||
|
# http://duplicity.nongnu.org/duplicity.1.html#sect8
|
||||||
|
# probably one out of
|
||||||
|
# # for cloudfiles backend user id is CLOUDFILES_USERNAME, password is
|
||||||
|
# # CLOUDFILES_APIKEY, you might need to set CLOUDFILES_AUTHURL manually
|
||||||
|
# cf+http://[user:password@]container_name
|
||||||
|
# dpbx:///some_dir
|
||||||
|
# file://[relative|/absolute]/local/path
|
||||||
|
# ftp[s]://user[:password]@other.host[:port]/some_dir
|
||||||
|
# gdocs://user[:password]@other.host/some_dir
|
||||||
|
# # for the google cloud storage (since duplicity 0.6.22)
|
||||||
|
# # user/password are GS_ACCESS_KEY_ID/GS_SECRET_ACCESS_KEY
|
||||||
|
# gs://bucket[/prefix]
|
||||||
|
# hsi://user[:password]@other.host/some_dir
|
||||||
|
# imap[s]://user[:password]@host.com[/from_address_prefix]
|
||||||
|
# mega://user[:password]@mega.co.nz/some_dir
|
||||||
|
# rsync://user[:password]@host.com[:port]::[/]module/some_dir
|
||||||
|
# # rsync over ssh (only keyauth)
|
||||||
|
# rsync://user@host.com[:port]/[relative|/absolute]_path
|
||||||
|
# # for the s3 user/password are AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY
|
||||||
|
# s3://[user:password@]host/bucket_name[/prefix]
|
||||||
|
# s3+http://[user:password@]bucket_name[/prefix]
|
||||||
|
# # scp and sftp are aliases for the ssh backend
|
||||||
|
# ssh://user[:password]@other.host[:port]/[/]some_dir
|
||||||
|
# # for authenticated swift define TARGET_USER or SWIFT_USERNAME,
|
||||||
|
# # TARGET_PASS or SWIFT_PASSWORD, SWIFT_AUTHURL (mandatory, the path to
|
||||||
|
# # your identity service, omitting leads to an error with swift),
|
||||||
|
# # optionally SWIFT_AUTHVERSION (which defaults to "1")
|
||||||
|
# swift://container_name
|
||||||
|
# tahoe://alias/directory
|
||||||
|
# webdav[s]://user[:password]@other.host/some_dir
|
||||||
|
# ATTENTION: characters other than A-Za-z0-9.-_.~ in the URL have
|
||||||
|
# to be replaced by their url encoded pendants, see
|
||||||
|
# http://en.wikipedia.org/wiki/Url_encoding
|
||||||
|
# if you define the credentials as TARGET_USER, TARGET_PASS below
|
||||||
|
# duply will try to url_encode them for you if the need arises
|
||||||
|
{% if duplicity_use_ftps %}
|
||||||
|
TARGET='ftps://{{ duplicity_backup_server }}/{{ duplicity_backup_dest_dir }}'
|
||||||
|
{% else %}
|
||||||
|
TARGET='{{ duplicity_target_protocol }}://{{ duplicity_backup_server }}/{{ duplicity_backup_dest_dir }}'
|
||||||
|
{% endif %}
|
||||||
|
# optionally the username/password can be defined as extra variables
|
||||||
|
# setting them here _and_ in TARGET results in an error
|
||||||
|
{% if not duplicity_use_ssh_keys %}
|
||||||
|
TARGET_USER='{{ duplicity_backup_user }}'
|
||||||
|
TARGET_PASS='{{ duplicity_ftp_password }}'
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# base directory to backup
|
||||||
|
SOURCE='/'
|
||||||
|
|
||||||
|
# a command that runs duplicity e.g.
|
||||||
|
# shape bandwidth use via trickle
|
||||||
|
# "trickle -s -u 640 -d 5120" # 5Mb up, 40Mb down"
|
||||||
|
#DUPL_PRECMD=""
|
||||||
|
|
||||||
|
# exclude folders containing exclusion file (since duplicity 0.5.14)
|
||||||
|
# Uncomment the following two lines to enable this setting.
|
||||||
|
#FILENAME='.duplicity-ignore'
|
||||||
|
#DUPL_PARAMS="$DUPL_PARAMS --exclude-if-present '$FILENAME'"
|
||||||
|
|
||||||
|
# Time frame for old backups to keep, Used for the "purge" command.
|
||||||
|
# see duplicity man page, chapter TIME_FORMATS)
|
||||||
|
MAX_AGE={{ duplicity_max_backup_age }}
|
||||||
|
|
||||||
|
# Number of full backups to keep. Used for the "purge-full" command.
|
||||||
|
# See duplicity man page, action "remove-all-but-n-full".
|
||||||
|
MAX_FULL_BACKUPS={{ duplicity_max_full_backups }}
|
||||||
|
|
||||||
|
# Number of full backups for which incrementals will be kept for.
|
||||||
|
# Used for the "purge-incr" command.
|
||||||
|
# See duplicity man page, action "remove-all-inc-of-but-n-full".
|
||||||
|
MAX_FULLS_WITH_INCRS={{ duplicity_max_full_with_incrs }}
|
||||||
|
|
||||||
|
# activates duplicity --full-if-older-than option (since duplicity v0.4.4.RC3)
|
||||||
|
# forces a full backup if last full backup reaches a specified age, for the
|
||||||
|
# format of MAX_FULLBKP_AGE see duplicity man page, chapter TIME_FORMATS
|
||||||
|
# Uncomment the following two lines to enable this setting.
|
||||||
|
#MAX_FULLBKP_AGE=1M
|
||||||
|
#DUPL_PARAMS="$DUPL_PARAMS --full-if-older-than $MAX_FULLBKP_AGE "
|
||||||
|
|
||||||
|
# sets duplicity --volsize option (available since v0.4.3.RC7)
|
||||||
|
# set the size of backup chunks to VOLSIZE MB instead of the default 25MB.
|
||||||
|
# VOLSIZE must be number of MB's to set the volume size to.
|
||||||
|
# Uncomment the following two lines to enable this setting.
|
||||||
|
VOLSIZE={{ duplicity_volsize }}
|
||||||
|
DUPL_PARAMS="$DUPL_PARAMS --volsize $VOLSIZE "
|
||||||
|
|
||||||
|
# verbosity of output (error 0, warning 1-2, notice 3-4, info 5-8, debug 9)
|
||||||
|
# default is 4, if not set
|
||||||
|
VERBOSITY={{ duplicity_verbosity }}
|
||||||
|
|
||||||
|
# temporary file space. at least the size of the biggest file in backup
|
||||||
|
# for a successful restoration process. (default is '/tmp', if not set)
|
||||||
|
TEMP_DIR={{ duplicity_temp_dir }}
|
||||||
|
|
||||||
|
# Modifies archive-dir option (since 0.6.0) Defines a folder that holds
|
||||||
|
# unencrypted meta data of the backup, enabling new incrementals without the
|
||||||
|
# need to decrypt backend metadata first. If empty or deleted somehow, the
|
||||||
|
# private key and it's password are needed.
|
||||||
|
# NOTE: This is confidential data. Put it somewhere safe. It can grow quite
|
||||||
|
# big over time so you might want to put it not in the home dir.
|
||||||
|
# default '~/.cache/duplicity/duply_<profile>/'
|
||||||
|
# if set '${ARCH_DIR}/<profile>'
|
||||||
|
#ARCH_DIR=/some/space/safe/.duply-cache
|
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
centos_install_epel: true
|
||||||
|
centos_epel_repo_url: epel-release
|
||||||
|
centos_pkg_state: latest
|
||||||
|
|
||||||
|
centos_install_release_scl: False
|
||||||
|
|
||||||
|
rh_install_elrepo: false
|
||||||
|
rh_elrepo_repo_url: "http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm"
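Review bot: `rh_elrepo_repo_url` is a plain `http://` URL, and the `Install the elrepo repository` task in the next file passes it straight to `yum`, so the release RPM that adds the repository definition and its signing key is fetched over an unauthenticated channel. `integ_ganeti_repo_url` in the ganeti defaults is also `http://`. Nothing visible here pins a checksum or imports the repository key before the install. Switch both to `https://` where the mirror serves it, and import the signing key from a trusted copy with `rpm_key` first so the package signature can be verified.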
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
- name: Install the epel repository
|
||||||
|
yum: name={{ centos_epel_repo_url }} state={{ centos_pkg_state }}
|
||||||
|
when: centos_install_epel
|
||||||
|
tags: [ 'centos', 'repo' ]
|
||||||
|
|
||||||
|
- name: Install the SCL release to access the latest versions of some software
|
||||||
|
yum: name=centos-release-scl state=present
|
||||||
|
when: centos_install_release_scl
|
||||||
|
tags: [ 'centos', 'scl', 'repo' ]
|
||||||
|
|
||||||
|
- name: Install the elrepo repository
|
||||||
|
yum: name={{ rh_elrepo_repo_url }} state=present
|
||||||
|
when: rh_install_elrepo
|
||||||
|
tags: [ 'centos', 'rhel', 'repo' ]
|
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
# NOTICE Jail started without 'journalmatch' set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
|
||||||
|
fail2ban_logtarget: SYSLOG
|
||||||
|
fail2ban_bantime: 600000
|
||||||
|
fail2ban_findtime: 4800
|
||||||
|
fail2ban_maxretry: 2
|
||||||
|
fail2ban_enabled: True
|
||||||
|
fail2ban_sshd_enabled: True
|
||||||
|
fail2ban_sshd_ddos_enabled: True
|
||||||
|
fail2ban_nginx_auth_enabled: False
|
||||||
|
fail2ban_apache_auth_enabled: False
|
||||||
|
fail2ban_php_url_fopen_enabled: False
|
||||||
|
fail2ban_vsftpd_enabled: False
|
||||||
|
|
||||||
|
fail2ban_packages:
|
||||||
|
- fail2ban
|
||||||
|
- fail2ban-server
|
||||||
|
- fail2ban-systemd
|
||||||
|
- fail2ban-firewalld
|
||||||
|
- fail2ban-sendmail
|
|
@ -0,0 +1,25 @@
|
||||||
|
|
||||||
|
module fail2ban-journal-sepol 1.0;
|
||||||
|
|
||||||
|
require {
|
||||||
|
type fail2ban_client_exec_t;
|
||||||
|
type logrotate_t;
|
||||||
|
type fail2ban_t;
|
||||||
|
type var_run_t;
|
||||||
|
type syslogd_t;
|
||||||
|
type syslogd_var_run_t;
|
||||||
|
class dir read;
|
||||||
|
class file { ioctl read execute execute_no_trans open getattr };
|
||||||
|
}
|
||||||
|
|
||||||
|
#============= fail2ban_t ==============
|
||||||
|
|
||||||
|
allow fail2ban_t var_run_t:file { read getattr open };
|
||||||
|
allow fail2ban_t syslogd_var_run_t:dir read;
|
||||||
|
allow fail2ban_t syslogd_var_run_t:file { read getattr open };
|
||||||
|
|
||||||
|
#============= syslogd_t ==============
|
||||||
|
allow syslogd_t var_run_t:file { read getattr open };
|
||||||
|
|
||||||
|
#============= logrotate_t ==============
|
||||||
|
allow logrotate_t fail2ban_client_exec_t:file { ioctl read execute execute_no_trans open };
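Review bot: Several rules here are broad, and none says which denial it answers. `allow fail2ban_t var_run_t:file ...` and `allow syslogd_t var_run_t:file ...` grant read access to every file carrying the generic `var_run_t` label. `execute_no_trans` lets `logrotate_t` run the fail2ban client without a domain transition, so it runs inside logrotate's own domain. This reads like unedited `audit2allow` output. Add a comment above each rule naming the path and AVC denial it addresses, and check whether relabelling the affected file with `semanage fcontext` and `restorecon` removes the need for the generic `var_run_t` rules.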
|
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
- name: Enable and start fail2ban
|
||||||
|
service: name=fail2ban state=started enabled=yes
|
||||||
|
|
||||||
|
- name: Reload fail2ban
|
||||||
|
service: name=fail2ban state=reloaded
|
||||||
|
|
||||||
|
- name: Restart fail2ban
|
||||||
|
service: name=fail2ban state=restarted
|
||||||
|
|
||||||
|
- name: Enable and start firewalld
|
||||||
|
service: name=firewalld state=started enabled=yes
|
|
@ -0,0 +1,40 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install fail2ban
|
||||||
|
yum: name={{ fail2ban_packages }} state=present
|
||||||
|
notify:
|
||||||
|
- Enable and start fail2ban
|
||||||
|
- Enable and start firewalld
|
||||||
|
|
||||||
|
- name: Install fail2ban local config
|
||||||
|
template: src={{ item }}.j2 dest=/etc/fail2ban/{{ item }} owner=root group=root mode=0444
|
||||||
|
with_items: fail2ban.local
|
||||||
|
notify: Reload fail2ban
|
||||||
|
|
||||||
|
- name: Install fail2ban jail custom configuration
|
||||||
|
template: src=jail-d-{{ item }}.j2 dest=/etc/fail2ban/jail.d/{{ item }} owner=root group=root mode=0444
|
||||||
|
with_items: customization.local
|
||||||
|
notify: Reload fail2ban
|
||||||
|
|
||||||
|
- name: Install the selinux policy file for fail2ban
|
||||||
|
copy: src=fail2ban-journal-sepol.te dest=/usr/local/etc/fail2ban-journal-sepol.te
|
||||||
|
register: fail2ban_selinux_policy
|
||||||
|
|
||||||
|
- name: Activate the selinux policy for fail2ban
|
||||||
|
shell: checkmodule -M -m -o /usr/local/etc/fail2ban-journal-sepol.mod /usr/local/etc/fail2ban-journal-sepol.te ; semodule_package -o /usr/local/etc/fail2ban-journal-sepol.pp -m /usr/local/etc/fail2ban-journal-sepol.mod ; semodule -i /usr/local/etc/fail2ban-journal-sepol.pp
|
||||||
|
args:
|
||||||
|
creates: /usr/local/etc/fail2ban-journal-sepol.pp
|
||||||
|
when: fail2ban_selinux_policy is changed
|
||||||
|
|
||||||
|
- name: Ensure that fail2ban and firewalld are started and enabled
|
||||||
|
service: name={{ item }} state=started enabled=yes
|
||||||
|
with_items:
|
||||||
|
- fail2ban
|
||||||
|
- firewalld
|
||||||
|
|
||||||
|
when: centos_install_epel
|
||||||
|
tags:
|
||||||
|
- centos
|
||||||
|
- rhel
|
||||||
|
- fail2ban
|
||||||
|
- selinux
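Review bot: In `Activate the selinux policy for fail2ban`, `creates: /usr/local/etc/fail2ban-journal-sepol.pp` skips the task whenever the `.pp` already exists. After the first run, a changed `.te` source is copied but never recompiled or loaded. The three commands are also joined with `;`, so a failure in `checkmodule` or `semodule_package` does not stop the chain. Join them with `&&` and drop the `args: creates:` lines, since `when: fail2ban_selinux_policy is changed` already limits the rebuild to runs where the source changed. The `copy` of the `.te` file sets no ownership or mode; `owner=root group=root mode=0444` would match the other files this role installs.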
|
|
@ -0,0 +1,2 @@
|
||||||
|
[Definition]
|
||||||
|
logtarget = {{ fail2ban_logtarget }}
|
|
@ -0,0 +1,28 @@
|
||||||
|
[DEFAULT]
|
||||||
|
|
||||||
|
# "bantime" is the number of seconds that a host is banned.
|
||||||
|
bantime = {{ fail2ban_bantime }}
|
||||||
|
# A host is banned if it has generated "maxretry" during the last "findtime"
|
||||||
|
# seconds.
|
||||||
|
findtime = {{ fail2ban_findtime }}
|
||||||
|
# "maxretry" is the number of failures before a host get banned.
|
||||||
|
maxretry = {{ fail2ban_maxretry }}
|
||||||
|
|
||||||
|
[sshd]
|
||||||
|
enabled={{ fail2ban_sshd_enabled }}
|
||||||
|
|
||||||
|
[sshd-ddos]
|
||||||
|
enabled={{ fail2ban_sshd_ddos_enabled }}
|
||||||
|
|
||||||
|
[nginx-http-auth]
|
||||||
|
enabled={{ fail2ban_nginx_auth_enabled }}
|
||||||
|
|
||||||
|
[apache-auth]
|
||||||
|
enabled={{ fail2ban_apache_auth_enabled }}
|
||||||
|
|
||||||
|
[php-url-fopen]
|
||||||
|
enabled={{ fail2ban_php_url_fopen_enabled }}
|
||||||
|
|
||||||
|
[vsftpd]
|
||||||
|
enabled={{ fail2ban_vsftpd_enabled }}
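Review bot: `[DEFAULT]` sets no `ignoreip`, which matters with the role defaults of `fail2ban_maxretry: 2` and `fail2ban_bantime: 600000` (roughly a week). Two failed logins from a management address would lock operators out of ssh for that long. Add a line driven by a new role variable, for example `ignoreip = 127.0.0.1/8 {{ fail2ban_ignoreip | default('') }}`, and document it in the defaults file. A comment stating that `bantime` and `findtime` are in seconds is present; one giving the resulting ban duration in days would make the default easier to audit.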
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
firewalld_enabled: True
|
||||||
|
firewalld_default_zone: public
|
||||||
|
firewalld_ssh_enabled_on_default_zone: True
|
||||||
|
|
||||||
|
firewalld_rules:
|
||||||
|
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
|
||||||
|
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
|
||||||
|
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
|
||||||
|
|
||||||
|
#firewalld_new_services:
|
||||||
|
# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
|
||||||
|
|
||||||
|
# We execute direct rules as they are written
|
||||||
|
# firewalld_direct_rules:
|
||||||
|
# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
|
||||||
|
|
||||||
|
# firewalld_zones_interfaces:
|
||||||
|
# - { interface: 'eth1', zone: 'internal' }
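Review bot: The commented `firewalld_direct_rules` example does not match what the tasks consume. It shows `action: '--add-rule'` plus a `parameters:` key, but the passthrough tasks use `{{ item.action }}` as the whole argument string and `{{ item.label }}` for the marker file, and never reference `parameters`. Rewrite the example with the keys actually read, e.g. `# - { label: 'example-rule', action: '<arguments for firewall-cmd --direct --passthrough>' }`. Separately, `firewalld_rules:` followed only by comments parses as null; `firewalld_rules: []` states the empty default explicitly.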
|
|
@ -0,0 +1,16 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<service>
|
||||||
|
<short>Mosh SSH service</short>
|
||||||
|
<description>This allows mosh to send and receive datagram connections.</description>
|
||||||
|
<port protocol="udp" port="60000"/>
|
||||||
|
<port protocol="udp" port="60001"/>
|
||||||
|
<port protocol="udp" port="60002"/>
|
||||||
|
<port protocol="udp" port="60003"/>
|
||||||
|
<port protocol="udp" port="60004"/>
|
||||||
|
<port protocol="udp" port="60005"/>
|
||||||
|
<port protocol="udp" port="60006"/>
|
||||||
|
<port protocol="udp" port="60007"/>
|
||||||
|
<port protocol="udp" port="60008"/>
|
||||||
|
<port protocol="udp" port="60009"/>
|
||||||
|
<port protocol="udp" port="60010"/>
|
||||||
|
</service>
|
|
@ -0,0 +1,7 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<service>
|
||||||
|
<short>ports needed by traceroute</short>
|
||||||
|
<description>This allows the host to be reached by traceroute.</description>
|
||||||
|
<port protocol="udp" port="33434"/>
|
||||||
|
<port protocol="udp" port="33523"/>
|
||||||
|
</service>
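Review bot: This service opens only UDP 33434 and 33523, which look like the two ends of a range rather than two independent ports. Traceroute increments the destination port per probe, so presumably the whole span was intended. If so, a single `<port protocol="udp" port="33434-33523"/>` expresses it; if only these two ports are wanted, an XML comment saying why would help the next reader. The mosh service file above could use the same range form instead of eleven separate `<port>` elements.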
|
|
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
- name: Enable and start firewalld
|
||||||
|
service: name=firewalld state=started enabled=yes
|
||||||
|
when: firewalld_enabled
|
||||||
|
|
||||||
|
- name: Reload firewall config
|
||||||
|
command: firewall-cmd --reload
|
||||||
|
notify: Restart fail2ban
|
||||||
|
when: firewalld_enabled
|
||||||
|
|
||||||
|
- name: Restart fail2ban
|
||||||
|
service: name=fail2ban state=restarted
|
||||||
|
when:
|
||||||
|
- fail2ban_enabled is defined and fail2ban_enabled
|
||||||
|
- centos_install_epel
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- name: Ensure that the firewalld service is stopped and disabled if we do not want it
|
||||||
|
service: name=firewalld state=stopped enabled=no
|
||||||
|
when: not firewalld_enabled
|
||||||
|
tags: [ 'iptables', 'firewall', 'firewalld' ]
|
|
@ -0,0 +1,91 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Ensure that the service is enabled and started
|
||||||
|
service: name=firewalld state=started enabled=yes
|
||||||
|
notify: Restart fail2ban
|
||||||
|
|
||||||
|
- name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
|
||||||
|
firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True
|
||||||
|
when: firewalld_ssh_enabled_on_default_zone
|
||||||
|
|
||||||
|
- name: Set the firewalld default zone.
|
||||||
|
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
|
||||||
|
|
||||||
|
- name: Add sources to the availability zones, if any
|
||||||
|
firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
|
||||||
|
with_items: '{{ firewalld_src_rules | default([]) }}'
|
||||||
|
|
||||||
|
- name: Assign interfaces to firewalld zones if needed
|
||||||
|
firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
|
||||||
|
with_items: '{{ firewalld_zones_interfaces | default([]) }}'
|
||||||
|
when:
|
||||||
|
- firewalld_zones_interfaces is defined
|
||||||
|
- item.interface is defined
|
||||||
|
- item.zone is defined
|
||||||
|
|
||||||
|
- name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent
|
||||||
|
firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
|
||||||
|
with_items: '{{ firewalld_rules }}'
|
||||||
|
when:
|
||||||
|
- firewalld_rules is defined
|
||||||
|
- item.service is defined
|
||||||
|
|
||||||
|
- name: Save the ports firewalld rules that need to be permanent
|
||||||
|
firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
|
||||||
|
with_items: '{{ firewalld_rules }}'
|
||||||
|
when:
|
||||||
|
- firewalld_rules is defined
|
||||||
|
- item.port is defined
|
||||||
|
- item.protocol is defined
|
||||||
|
|
||||||
|
- name: Save the rich_rules firewalld rules that need to be permanent
|
||||||
|
firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
|
||||||
|
with_items: '{{ firewalld_rules }}'
|
||||||
|
when:
|
||||||
|
- firewalld_rules is defined
|
||||||
|
- item.rich_rule is defined
|
||||||
|
notify: Reload firewall config
|
||||||
|
|
||||||
|
- name: Enable the firewall-cmd direct passthrough rules
|
||||||
|
shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd --direct --passthrough {{ item.action }}
|
||||||
|
with_items: '{{ firewalld_direct_rules }}'
|
||||||
|
args:
|
||||||
|
creates: /etc/firewalld/.{{ item.label }}
|
||||||
|
when:
|
||||||
|
- firewalld_direct_rules is defined
|
||||||
|
- item.action is defined
|
||||||
|
|
||||||
|
- name: Set the firewall-cmd direct passthrough rules as permanent ones
|
||||||
|
command: firewall-cmd --direct --permanent --passthrough {{ item.action }}
|
||||||
|
with_items: '{{ firewalld_direct_rules }}'
|
||||||
|
when:
|
||||||
|
- firewalld_direct_rules is defined
|
||||||
|
- item.action is defined
|
||||||
|
|
||||||
|
- name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file
|
||||||
|
command: firewall-cmd --new-service={{ item.name }} --permanent
|
||||||
|
args:
|
||||||
|
creates: '/etc/firewalld/services/{{ item.name }}.xml'
|
||||||
|
with_items: '{{ firewalld_new_services }}'
|
||||||
|
when: firewalld_new_services is defined
|
||||||
|
notify: Reload firewall config
|
||||||
|
|
||||||
|
- name: Install the custom firewall services
|
||||||
|
copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml
|
||||||
|
with_items: '{{ firewalld_new_services }}'
|
||||||
|
when: firewalld_new_services is defined
|
||||||
|
notify: Reload firewall config
|
||||||
|
|
||||||
|
- name: Manage the custom services firewalld rules.
|
||||||
|
firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
|
||||||
|
with_items: '{{ firewalld_new_services }}'
|
||||||
|
when:
|
||||||
|
- firewalld_new_services is defined
|
||||||
|
- item.name is defined
|
||||||
|
notify: Reload firewall config
|
||||||
|
|
||||||
|
# Last one to not take ourselves out
|
||||||
|
- name: Set the firewalld default zone.
|
||||||
|
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
|
||||||
|
|
||||||
|
tags: [ 'iptables', 'firewall', 'firewalld' ]
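Review bot: In `Enable the firewall-cmd direct passthrough rules` the marker file is written before the rule is applied, and the two commands are joined with `;`. If `firewall-cmd` fails, `/etc/firewalld/.{{ item.label }}` already exists, so `creates:` skips the rule on every later run. Reverse the order and make the marker conditional: `shell: firewall-cmd --direct --passthrough {{ item.action }} && touch /etc/firewalld/.{{ item.label }}`. The `when` list checks `item.action is defined` but not `item.label`, which the command and `creates:` both need. `item.action` is interpolated into a shell line, so a comment noting that `firewalld_direct_rules` must come only from trusted inventory is worth adding.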
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- import_tasks: firewalld_rules.yml
|
||||||
|
when: firewalld_enabled
|
||||||
|
|
||||||
|
- import_tasks: disable_firewalld.yml
|
||||||
|
when: not firewalld_enabled
|
||||||
|
|
|
@ -0,0 +1,39 @@
|
||||||
|
---
|
||||||
|
# Installation and cofiguration notes:
|
||||||
|
# https://github.com/jfut/ganeti-rpm/blob/master/doc/install-rhel.rst
|
||||||
|
#
|
||||||
|
integ_ganeti_centos_version: 7
|
||||||
|
integ_ganeti_repo_url: 'http://jfut.integ.jp/linux/ganeti/{{ integ_ganeti_centos_version }}/x86_64/integ-ganeti-release-{{ integ_ganeti_centos_version }}-1.el{{ integ_ganeti_centos_version }}.noarch.rpm'
|
||||||
|
integ_ganeti_repo_file: '/etc/yum.repos.d/integ-ganeti.repo'
|
||||||
|
integ_ganeti_repo:
|
||||||
|
- { name: 'integ-ganeti', value: '1' }
|
||||||
|
|
||||||
|
# Ganeti needs packages from the elrepo repository. drbd, specifically
|
||||||
|
rh_install_elrepo: True
|
||||||
|
|
||||||
|
integ_ganeti_packages:
|
||||||
|
- ganeti
|
||||||
|
|
||||||
|
integ_ganeti_drbd_packages:
|
||||||
|
- drbd84-utils
|
||||||
|
- kmod-drbd84
|
||||||
|
|
||||||
|
ganeti_cluster_name: "gnt_cluster"
|
||||||
|
ganeti_cluster: True
|
||||||
|
ganeti_use_drbd: True
|
||||||
|
ganeti_first_node: False
|
||||||
|
ganeti_pkg_state: latest
|
||||||
|
ganeti_link_int: br0
|
||||||
|
ganeti_master_netdev: eth0
|
||||||
|
ganeti_vg_name: vgxen
|
||||||
|
ganeti_enabled_hypervisors: "kvm,lxc"
|
||||||
|
ganeti_drbd_conf: "minor_count=128 usermode_helper=/bin/true"
|
||||||
|
# ganeti does not use the libvirtd service
|
||||||
|
virtualization_enable_libvirtd: False
|
||||||
|
|
||||||
|
ganeti_drbd_sysctl_tuning:
|
||||||
|
- { name: 'net.ipv4.tcp_rmem', value: '131072 131072 10485760', state: 'present' }
|
||||||
|
- { name: 'net.ipv4.tcp_wmem', value: '131072 131072 10485760', state: 'present' }
|
||||||
|
- { name: 'vm.dirty_ratio', value: '10', state: 'present' }
|
||||||
|
- { name: 'vm.dirty_background_ratio', value: '4', state: 'present' }
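Review bot: `integ_ganeti_centos_version: 7` is an integer, but the tasks file that follows compares it with strings (`integ_ganeti_centos_version == '7'` and `integ_ganeti_centos_version < '7'`). An integer never equals a string in Jinja2, so with this default `Ensure that systemd loads the drbd module` is skipped. The `<` comparisons between an int and a string either raise an error or give an arbitrary result, depending on the Python version running Ansible. Compare numerically in the tasks instead, `integ_ganeti_centos_version | int == 7` and `integ_ganeti_centos_version | int < 7`, which also works if inventory overrides the value as a string.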
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- { role: '../../library/roles/kvm' }
|
|
@ -0,0 +1,114 @@
|
||||||
|
---
|
||||||
|
- name: "*** Install the Integ ganeti repo ***"
|
||||||
|
yum: name={{ integ_ganeti_repo_url }} state=present
|
||||||
|
when: ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- kvm
|
||||||
|
|
||||||
|
- name: "*** Enable Integ ganeti repo ***"
|
||||||
|
ini_file: dest={{ integ_ganeti_repo_file }} section={{ item.1.name }} option=enabled value={{ item.1.value }}
|
||||||
|
with_nested:
|
||||||
|
- integ_ganeti_centos_version
|
||||||
|
- integ_ganeti_repo
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- kvm
|
||||||
|
|
||||||
|
- name: Install the ganeti packages
|
||||||
|
yum: name={{ item }} state={{ ganeti_pkg_state }}
|
||||||
|
with_items: integ_ganeti_packages
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- kvm
|
||||||
|
|
||||||
|
- name: Install drbd
|
||||||
|
yum: name={{ item }} state={{ ganeti_pkg_state }}
|
||||||
|
with_items: integ_ganeti_drbd_packages
|
||||||
|
when: ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- drbd
|
||||||
|
|
||||||
|
- name: Tell the system that we want the drbd module loaded
|
||||||
|
copy: content="drbd\n" dest=/etc/modules-load.d/drbd.conf
|
||||||
|
when: ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- drbd
|
||||||
|
|
||||||
|
- name: Tell modprobe that the drbd kernel module needs some parameters
|
||||||
|
copy: content="options drbd {{ ganeti_drbd_conf }}\n" dest=/etc/modprobe.d/drbd.conf
|
||||||
|
when: ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- drbd
|
||||||
|
|
||||||
|
- name: Tell modprobe that the drbd kernel module needs some parameters on centos < 6
|
||||||
|
copy: content='ADD_MOD_PARAM="{{ ganeti_drbd_conf }}\n"' dest=/etc/default/drbd
|
||||||
|
when:
|
||||||
|
- integ_ganeti_centos_version < '7'
|
||||||
|
- ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- drbd
|
||||||
|
|
||||||
|
- name: Tell lvm to ignore the drbd devices
|
||||||
|
lineinfile: name=/etc/lvm/lvm.conf regexp="^\ \ \ \ filter\ =.*$" line=" filter = [ \"r|/dev/cdrom|\", \"r|/dev/drbd[0-9]+|\" ]"
|
||||||
|
when: ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- drbd
|
||||||
|
|
||||||
|
- name: Ensure that systemd loads the drbd module
|
||||||
|
service: name=systemd-modules-load state=started
|
||||||
|
when:
|
||||||
|
- integ_ganeti_centos_version == '7'
|
||||||
|
- ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- drbd
|
||||||
|
|
||||||
|
- name: Load the drbd module on CentOS < 7
|
||||||
|
command: modprobe drbd
|
||||||
|
when:
|
||||||
|
- integ_ganeti_centos_version < '7'
|
||||||
|
- ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- drbd
|
||||||
|
|
||||||
|
- name: Change some kernel parameters to optimize the drbd performances
|
||||||
|
sysctl: name={{ item.name }} state={{ item.state }} value={{ item.value }} sysctl_file=/etc/sysctl.d/60-drbd-tuning.conf reload=yes sysctl_set=yes
|
||||||
|
with_items: ganeti_drbd_sysctl_tuning
|
||||||
|
when: ganeti_use_drbd
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
|
||||||
|
# Important: we need a way to get the ssh keys and store them without a manual intervention.
|
||||||
|
- name: Create a ssh key for root on the ganeti first node
|
||||||
|
user: name=root generate_ssh_key=yes ssh_key_bits=2048 ssh_key_comment="ganeti {{ ganeti_cluster_name }}"
|
||||||
|
when: ganeti_first_node
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
|
||||||
|
- name: Copy the ssh private key on the first node
|
||||||
|
copy: content="{{ id_rsa }}" dest=/root/.ssh/id_rsa mode=0600
|
||||||
|
when: ganeti_first_node
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- ssh_priv
|
||||||
|
|
||||||
|
- name: Ensure the first node public key is distributed on all the other ganeti nodes
|
||||||
|
authorized_key: user=root key="{{ ganeti_cluster_key }}" state=present
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
|
||||||
|
- name: Install a script that initializes the ganeti cluster on the first node
|
||||||
|
template: src={{ item }}.sh.j2 dest=/usr/local/sbin/{{ item }} owner=root mode=0550
|
||||||
|
with_items:
|
||||||
|
- ganeti_cluster_init
|
||||||
|
when: ganeti_first_node
|
||||||
|
tags:
|
||||||
|
- ganeti
|
||||||
|
- gnt_init
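Review bot: `Copy the ssh private key on the first node` writes root's private key from the `id_rsa` variable without `no_log: true` and without an explicit owner. A run with `--diff` can print the key material, so add `no_log: true` and `owner=root group=root` to that task. Nothing in this hunk shows where `id_rsa` and `ganeti_cluster_key` are defined; they should come from vault-encrypted variables, and a comment here should say so. The preceding `user` task with `generate_ssh_key=yes` creates a key pair at the same default path, so the `copy` then overwrites the private half and presumably leaves a non-matching `id_rsa.pub`. Keep one of the two mechanisms.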
|
|
@ -0,0 +1,84 @@
|
||||||
|
---
|
||||||
|
httpd_service_enabled: True
|
||||||
|
httpd_pkg_state: latest
|
||||||
|
httpd_base_conf_dir: /etc/httpd
|
||||||
|
httpd_base_document_root: /var/www
|
||||||
|
httpd_document_root: '{{ httpd_base_document_root }}/html'
|
||||||
|
|
||||||
|
httpd_main_packages:
|
||||||
|
- httpd
|
||||||
|
- httpd-tools
|
||||||
|
|
||||||
|
httpd_ssl_enabled: True
|
||||||
|
httpd_ssl_packages:
|
||||||
|
- mod_ssl
|
||||||
|
|
||||||
|
httpd_listen_ports:
|
||||||
|
- 80
|
||||||
|
- 443
|
||||||
|
|
||||||
|
httpd_user: apache
|
||||||
|
httpd_group: apache
|
||||||
|
httpd_server_admin: root@localhost
|
||||||
|
|
||||||
|
httpd_base_document_root_override: None
|
||||||
|
httpd_base_document_root_access: 'denied'
|
||||||
|
|
||||||
|
httpd_document_root_options: 'Indexes FollowSymLinks'
|
||||||
|
httpd_document_root_override: 'None'
|
||||||
|
httpd_document_root_access: 'granted'
|
||||||
|
|
||||||
|
httpd_cgi_enabled: False
|
||||||
|
httpd_sendfile_enabled: 'on'
|
||||||
|
httpd_mmap_enabled: 'on'
|
||||||
|
httpd_use_canonicalname: 'off'
|
||||||
|
httpd_servertokens: 'OS'
|
||||||
|
httpd_hostname_lookups: 'off'
|
||||||
|
httpd_default_charset: 'UTF-8'
|
||||||
|
httpd_languages:
|
||||||
|
- en
|
||||||
|
- it
|
||||||
|
|
||||||
|
httpd_timeout: 60
|
||||||
|
httpd_keepalive_enabled: True
|
||||||
|
httpd_keepalive_timeout: 5
|
||||||
|
httpd_keepalive_requests: 100
|
||||||
|
|
||||||
|
# Options: prefork, worker, event
|
||||||
|
httpd_mpm_mode: "worker"
|
||||||
|
httpd_startservers: 8
|
||||||
|
httpd_maxclients: 300
|
||||||
|
httpd_min_spare: 25
|
||||||
|
httpd_max_spare: 75
|
||||||
|
httpd_max_requests_per_child: 0
|
||||||
|
httpd_threads_per_child: 25
|
||||||
|
httpd_serverlimit: 256
|
||||||
|
|
||||||
|
httpd_modules:
|
||||||
|
- { name: 'systemd' }
|
||||||
|
- { name: 'alias' }
|
||||||
|
- { name: 'allowmethods' }
|
||||||
|
- { name: 'auth_basic' }
|
||||||
|
- { name: 'deflate' }
|
||||||
|
- { name: 'headers' }
|
||||||
|
- { name: 'include' }
|
||||||
|
- { name: 'log_config' }
|
||||||
|
- { name: 'logio' }
|
||||||
|
- { name: 'mime_magic' }
|
||||||
|
- { name: 'mime' }
|
||||||
|
- { name: 'remoteip' }
|
||||||
|
- { name: 'reqtimeout' }
|
||||||
|
- { name: 'rewrite' }
|
||||||
|
- { name: 'setenvif' }
|
||||||
|
- { name: 'socache_memcache' }
|
||||||
|
- { name: 'socache_shmcb' }
|
||||||
|
- { name: 'unixd' }
|
||||||
|
- { name: 'vhost_alias' }
|
||||||
|
|
||||||
|
apache_letsencrypt_managed: True
|
||||||
|
apache_letsencrypt_proxy_modules:
|
||||||
|
- proxy
|
||||||
|
- proxy_http
|
||||||
|
|
||||||
|
apache_letsencrypt_proxy_conf:
|
||||||
|
- letsencrypt-proxy.conf
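Review bot: Two defaults weaken the out-of-the-box configuration: `httpd_servertokens: 'OS'` and the `Indexes` flag in `httpd_document_root_options`. Presumably the httpd.conf template (only its first lines are visible here) renders them into `ServerTokens` and the document-root `Options`. That would advertise the server version and operating system in every response and turn on directory listings. Safer defaults are `httpd_servertokens: 'Prod'` and `httpd_document_root_options: 'FollowSymLinks'`, leaving listings as an opt-in per host. `httpd_base_document_root_override: None` is unquoted while `httpd_document_root_override: 'None'` is quoted; quote both so the literal string is clearly intended.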
|
|
@ -0,0 +1,25 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||||
|
LE_LOG_DIR=/var/log/letsencrypt
|
||||||
|
DATE=$( date )
|
||||||
|
|
||||||
|
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||||
|
echo "$DATE" >> $LE_LOG_DIR/apache.log
|
||||||
|
|
||||||
|
if [ -f /etc/default/letsencrypt ] ; then
|
||||||
|
. /etc/default/letsencrypt
|
||||||
|
else
|
||||||
|
echo "No letsencrypt default file" >> $LE_LOG_DIR/apache.log
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Reload the apache service" >> $LE_LOG_DIR/apache.log
|
||||||
|
if [ -x /bin/systemctl ] ; then
|
||||||
|
systemctl reload httpd >> $LE_LOG_DIR/apache.log 2>&1
|
||||||
|
else
|
||||||
|
service httpd reload >> $LE_LOG_DIR/apache.log 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Done." >> $LE_LOG_DIR/apache.log
|
||||||
|
|
||||||
|
exit 0
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- name: httpd reload
|
||||||
|
service: name=httpd state=reloaded
|
||||||
|
|
||||||
|
- name: httpd restart
|
||||||
|
service: name=httpd state=restarted
|
||||||
|
|
|
@ -0,0 +1,34 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Enable the proxy modules needed by letsencrypt
|
||||||
|
apache2_module: name={{ item }} state=present
|
||||||
|
with_items: '{{ apache_letsencrypt_proxy_modules }}'
|
||||||
|
notify: httpd reload
|
||||||
|
|
||||||
|
- name: Install the apache letsencrypt directives
|
||||||
|
template: src={{ item }}.j2 dest=/etc/httpd/conf.d/00-{{ item }} owner=root group=root mode=0644
|
||||||
|
with_items: '{{ apache_letsencrypt_proxy_conf }}'
|
||||||
|
notify: httpd reload
|
||||||
|
|
||||||
|
- name: Create the acme hooks directory if it does not yet exist
|
||||||
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||||
|
|
||||||
|
- name: Install a letsencrypt hook for apache
|
||||||
|
copy: src=apache-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/httpd owner=root group=root mode=4555
|
||||||
|
|
||||||
|
when:
|
||||||
|
- letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||||
|
- apache_letsencrypt_managed
|
||||||
|
tags: [ 'apache', 'letsencrypt' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Disable the letsencrypt conf
|
||||||
|
file: dest=/etc/apache2/conf.d/letsencrypt-proxy.conf state=absent
|
||||||
|
notify: apache2 reload
|
||||||
|
|
||||||
|
- name: Remove the letsencrypt hook for apache
|
||||||
|
file: path={{ letsencrypt_acme_services_scripts_dir }}/httpd state=absent
|
||||||
|
|
||||||
|
when: not apache_letsencrypt_managed
|
||||||
|
tags: [ 'apache', 'letsencrypt' ]
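Review bot: `Install a letsencrypt hook for apache` installs a shell script with `mode=4555`, i.e. setuid root. Linux ignores the setuid bit on interpreted scripts, so it gains nothing, and setuid shell scripts are something auditors flag; use `mode=0555`. The cleanup block also does not undo what the first block installs. It removes `/etc/apache2/conf.d/letsencrypt-proxy.conf` while the template task writes `/etc/httpd/conf.d/00-letsencrypt-proxy.conf`, and it notifies `apache2 reload` while the handlers file in this commit defines only `httpd reload` and `httpd restart`. Change it to `file: dest=/etc/httpd/conf.d/00-letsencrypt-proxy.conf state=absent` and `notify: httpd reload`. The role's main task file imports this file with `when: apache_letsencrypt_managed`, so the `when: not apache_letsencrypt_managed` block is never reached as written.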
|
||||||
|
|
|
@ -0,0 +1,36 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: install the apache httpd packages
|
||||||
|
yum: name={{ item }} state={{ httpd_pkg_state }}
|
||||||
|
with_items: '{{ httpd_main_packages }}'
|
||||||
|
|
||||||
|
- name: install the apache httpd mod_ssl packages
|
||||||
|
yum: name={{ item }} state={{ httpd_pkg_state }}
|
||||||
|
when: httpd_ssl_enabled
|
||||||
|
with_items: '{{ httpd_ssl_packages }}'
|
||||||
|
|
||||||
|
- name: Install the main httpd configuration file
|
||||||
|
template: src=httpd.conf.j2 dest={{ httpd_base_conf_dir }}/conf/httpd.conf
|
||||||
|
notify: httpd reload
|
||||||
|
|
||||||
|
- name: Enable the modules we want active
|
||||||
|
apache2_module: name={{ item.name }} state={{ item.state | default('present') }}
|
||||||
|
with_items: '{{ httpd_modules }}'
|
||||||
|
|
||||||
|
- name: Manage additional modules, if any
|
||||||
|
apache2_module: name={{ item.name }} state={{ item.state | default('present') }}
|
||||||
|
with_items: '{{ httpd_additional_modules | default([])}}'
|
||||||
|
|
||||||
|
- name: Set the MPM mode
|
||||||
|
template: src=00-mpm.conf.j2 dest={{ httpd_base_conf_dir }}/conf.modules.d/00-mpm.conf mode=0444 owner=root group=root
|
||||||
|
notify: httpd reload
|
||||||
|
|
||||||
|
- name: Ensure that httpd is stopped if it is not meant to be running
|
||||||
|
service: name=httpd state=stopped enabled=no
|
||||||
|
when: not httpd_service_enabled
|
||||||
|
|
||||||
|
- name: Ensure that httpd is running and enabled
|
||||||
|
service: name=httpd state=started enabled=yes
|
||||||
|
|
||||||
|
when: httpd_service_enabled
|
||||||
|
tags: [ 'httpd', 'apache' ]
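Review bot: The two `apache2_module` tasks ("Enable the modules we want active" and "Manage additional modules, if any") depend on the `a2enmod`/`a2dismod` helpers, which the CentOS httpd packages do not provide, so they are expected to fail on the hosts this role targets. The `apache2_module` task in the letsencrypt task file has the same problem. On CentOS, modules are toggled with `LoadModule` lines under `conf.modules.d/`, which this role already templates for the MPM. Separately, "Install the main httpd configuration file" sets no ownership or mode; `owner=root group=root mode=0644` would make it explicit, as the `00-mpm.conf` task does.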
|
|
@ -0,0 +1,5 @@
|
||||||
|
---
|
||||||
|
- import_tasks: httpd.yml
|
||||||
|
- import_tasks: httpd-letsencrypt.yml
|
||||||
|
when: apache_letsencrypt_managed
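Review bot: The `when: apache_letsencrypt_managed` on this import is inherited by every task in `httpd-letsencrypt.yml`. Assuming that is the task file shown earlier on this page, its second block (guarded by `when: not apache_letsencrypt_managed`) can never run, so the proxy configuration and the hook stay in place after the flag is switched off. Importing the file unconditionally, `- import_tasks: httpd-letsencrypt.yml`, lets the two blocks' own conditions decide.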
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
LoadModule mpm_{{ httpd_mpm_mode }}_module modules/mod_mpm_{{ http_mpm_mode }}.so
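Review bot: The module path uses `http_mpm_mode` while the module name uses `httpd_mpm_mode`. Unless a variable with the shorter name is defined somewhere outside this page, rendering stops on an undefined variable and the MPM file is never written. The line should read `LoadModule mpm_{{ httpd_mpm_mode }}_module modules/mod_mpm_{{ httpd_mpm_mode }}.so`.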
|
|
@ -0,0 +1,395 @@
|
||||||
|
#
|
||||||
|
# This is the main Apache HTTP server configuration file. It contains the
|
||||||
|
# configuration directives that give the server its instructions.
|
||||||
|
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
|
||||||
|
# In particular, see
|
||||||
|
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
|
||||||
|
# for a discussion of each configuration directive.
|
||||||
|
#
|
||||||
|
# Do NOT simply read the instructions in here without understanding
|
||||||
|
# what they do. They're here only as hints or reminders. If you are unsure
|
||||||
|
# consult the online docs. You have been warned.
|
||||||
|
#
|
||||||
|
# Configuration and logfile names: If the filenames you specify for many
|
||||||
|
# of the server's control files begin with "/" (or "drive:/" for Win32), the
|
||||||
|
# server will use that explicit path. If the filenames do *not* begin
|
||||||
|
# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
|
||||||
|
# with ServerRoot set to '/www' will be interpreted by the
|
||||||
|
# server as '/www/log/access_log', where as '/log/access_log' will be
|
||||||
|
# interpreted as '/log/access_log'.
|
||||||
|
|
||||||
|
#
|
||||||
|
# ServerRoot: The top of the directory tree under which the server's
|
||||||
|
# configuration, error, and log files are kept.
|
||||||
|
#
|
||||||
|
# Do not add a slash at the end of the directory path. If you point
|
||||||
|
# ServerRoot at a non-local disk, be sure to specify a local disk on the
|
||||||
|
# Mutex directive, if file-based mutexes are used. If you wish to share the
|
||||||
|
# same ServerRoot for multiple httpd daemons, you will need to change at
|
||||||
|
# least PidFile.
|
||||||
|
#
|
||||||
|
ServerRoot "{{ httpd_base_conf_dir }}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Listen: Allows you to bind Apache to specific IP addresses and/or
|
||||||
|
# ports, instead of the default. See also the <VirtualHost>
|
||||||
|
# directive.
|
||||||
|
#
|
||||||
|
# Change this to Listen on specific IP addresses as shown below to
|
||||||
|
# prevent Apache from glomming onto all bound IP addresses.
|
||||||
|
#
|
||||||
|
#Listen 12.34.56.78:80
|
||||||
|
{% for port in httpd_listen_ports %}
|
||||||
|
Listen {{ port }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Dynamic Shared Object (DSO) Support
|
||||||
|
#
|
||||||
|
# To be able to use the functionality of a module which was built as a DSO you
|
||||||
|
# have to place corresponding `LoadModule' lines at this location so the
|
||||||
|
# directives contained in it are actually available _before_ they are used.
|
||||||
|
# Statically compiled modules (those listed by `httpd -l') do not need
|
||||||
|
# to be loaded here.
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
# LoadModule foo_module modules/mod_foo.so
|
||||||
|
#
|
||||||
|
Include conf.modules.d/*.conf
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you wish httpd to run as a different user or group, you must run
|
||||||
|
# httpd as root initially and it will switch.
|
||||||
|
#
|
||||||
|
# User/Group: The name (or #number) of the user/group to run httpd as.
|
||||||
|
# It is usually good practice to create a dedicated user and group for
|
||||||
|
# running httpd, as with most system services.
|
||||||
|
#
|
||||||
|
User {{ httpd_user }}
|
||||||
|
Group {{ httpd_group }}
|
||||||
|
|
||||||
|
# 'Main' server configuration
|
||||||
|
#
|
||||||
|
# The directives in this section set up the values used by the 'main'
|
||||||
|
# server, which responds to any requests that aren't handled by a
|
||||||
|
# <VirtualHost> definition. These values also provide defaults for
|
||||||
|
# any <VirtualHost> containers you may define later in the file.
|
||||||
|
#
|
||||||
|
# All of these directives may appear inside <VirtualHost> containers,
|
||||||
|
# in which case these default settings will be overridden for the
|
||||||
|
# virtual host being defined.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# ServerAdmin: Your address, where problems with the server should be
|
||||||
|
# e-mailed. This address appears on some server-generated pages, such
|
||||||
|
# as error documents. e.g. admin@your-domain.com
|
||||||
|
#
|
||||||
|
ServerAdmin {{ httpd_server_admin }}
|
||||||
|
|
||||||
|
#
|
||||||
|
# ServerName gives the name and port that the server uses to identify itself.
|
||||||
|
# This can often be determined automatically, but we recommend you specify
|
||||||
|
# it explicitly to prevent problems during startup.
|
||||||
|
#
|
||||||
|
# If your host doesn't have a registered DNS name, enter its IP address here.
|
||||||
|
#
|
||||||
|
#ServerName www.example.com:80
|
||||||
|
|
||||||
|
#
|
||||||
|
# Deny access to the entirety of your server's filesystem. You must
|
||||||
|
# explicitly permit access to web content directories in other
|
||||||
|
# <Directory> blocks below.
|
||||||
|
#
|
||||||
|
<Directory />
|
||||||
|
AllowOverride none
|
||||||
|
Require all denied
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
#
|
||||||
|
# Note that from this point forward you must specifically allow
|
||||||
|
# particular features to be enabled - so if something's not working as
|
||||||
|
# you might expect, make sure that you have specifically enabled it
|
||||||
|
# below.
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# DocumentRoot: The directory out of which you will serve your
|
||||||
|
# documents. By default, all requests are taken from this directory, but
|
||||||
|
# symbolic links and aliases may be used to point to other locations.
|
||||||
|
#
|
||||||
|
DocumentRoot "{{ httpd_document_root }}"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Regulate access to the main root directories
|
||||||
|
#
|
||||||
|
<Directory "{{ httpd_base_document_root }}">
|
||||||
|
AllowOverride {{ httpd_base_document_root_override }}
|
||||||
|
# Allow open access:
|
||||||
|
Require all granted
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
# Further relax access to the default document root:
|
||||||
|
<Directory "/var/www/html">
|
||||||
|
#
|
||||||
|
# Possible values for the Options directive are "None", "All",
|
||||||
|
# or any combination of:
|
||||||
|
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
|
||||||
|
#
|
||||||
|
# Note that "MultiViews" must be named *explicitly* --- "Options All"
|
||||||
|
# doesn't give it to you.
|
||||||
|
#
|
||||||
|
# The Options directive is both complicated and important. Please see
|
||||||
|
# http://httpd.apache.org/docs/2.4/mod/core.html#options
|
||||||
|
# for more information.
|
||||||
|
#
|
||||||
|
Options {{ httpd_document_root_options }}
|
||||||
|
|
||||||
|
#
|
||||||
|
# AllowOverride controls what directives may be placed in .htaccess files.
|
||||||
|
# It can be "All", "None", or any combination of the keywords:
|
||||||
|
# Options FileInfo AuthConfig Limit
|
||||||
|
#
|
||||||
|
AllowOverride {{ httpd_document_root_override }}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Controls who can get stuff from this server.
|
||||||
|
#
|
||||||
|
Require all {{ httpd_document_root_access }}
|
||||||
|
</Directory>
|
||||||
|
|
||||||
|
#
|
||||||
|
# DirectoryIndex: sets the file that Apache will serve if a directory
|
||||||
|
# is requested.
|
||||||
|
#
|
||||||
|
<IfModule dir_module>
|
||||||
|
DirectoryIndex index.html
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following lines prevent .htaccess and .htpasswd files from being
|
||||||
|
# viewed by Web clients.
|
||||||
|
#
|
||||||
|
<Files ".ht*">
|
||||||
|
Require all denied
|
||||||
|
</Files>
|
||||||
|
|
||||||
|
#
|
||||||
|
# ErrorLog: The location of the error log file.
|
||||||
|
# If you do not specify an ErrorLog directive within a <VirtualHost>
|
||||||
|
# container, error messages relating to that virtual host will be
|
||||||
|
# logged here. If you *do* define an error logfile for a <VirtualHost>
|
||||||
|
# container, that host's errors will be logged there and not here.
|
||||||
|
#
|
||||||
|
ErrorLog "logs/error_log"
|
||||||
|
|
||||||
|
#
|
||||||
|
# LogLevel: Control the number of messages logged to the error_log.
|
||||||
|
# Possible values include: debug, info, notice, warn, error, crit,
|
||||||
|
# alert, emerg.
|
||||||
|
#
|
||||||
|
LogLevel warn
|
||||||
|
|
||||||
|
<IfModule log_config_module>
|
||||||
|
#
|
||||||
|
# The following directives define some format nicknames for use with
|
||||||
|
# a CustomLog directive (see below).
|
||||||
|
#
|
||||||
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
||||||
|
LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
||||||
|
|
||||||
|
<IfModule logio_module>
|
||||||
|
# You need to enable mod_logio.c to use %I and %O
|
||||||
|
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
#
|
||||||
|
# The location and format of the access logfile (Common Logfile Format).
|
||||||
|
# If you do not define any access logfiles within a <VirtualHost>
|
||||||
|
# container, they will be logged here. Contrariwise, if you *do*
|
||||||
|
# define per-<VirtualHost> access logfiles, transactions will be
|
||||||
|
# logged therein and *not* in this file.
|
||||||
|
#
|
||||||
|
#CustomLog "logs/access_log" common
|
||||||
|
|
||||||
|
#
|
||||||
|
# If you prefer a logfile with access, agent, and referer information
|
||||||
|
# (Combined Logfile Format) you can use the following directive.
|
||||||
|
#
|
||||||
|
CustomLog "logs/access_log" combined
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
{% if httpd_cgi_enabled %}
|
||||||
|
<IfModule alias_module>
|
||||||
|
#
|
||||||
|
# Redirect: Allows you to tell clients about documents that used to
|
||||||
|
# exist in your server's namespace, but do not anymore. The client
|
||||||
|
# will make a new request for the document at its new location.
|
||||||
|
# Example:
|
||||||
|
# Redirect permanent /foo http://www.example.com/bar
|
||||||
|
|
||||||
|
#
|
||||||
|
# Alias: Maps web paths into filesystem paths and is used to
|
||||||
|
# access content that does not live under the DocumentRoot.
|
||||||
|
# Example:
|
||||||
|
# Alias /webpath /full/filesystem/path
|
||||||
|
#
|
||||||
|
# If you include a trailing / on /webpath then the server will
|
||||||
|
# require it to be present in the URL. You will also likely
|
||||||
|
# need to provide a <Directory> section to allow access to
|
||||||
|
# the filesystem path.
|
||||||
|
|
||||||
|
#
|
||||||
|
# ScriptAlias: This controls which directories contain server scripts.
|
||||||
|
# ScriptAliases are essentially the same as Aliases, except that
|
||||||
|
# documents in the target directory are treated as applications and
|
||||||
|
# run by the server when requested rather than as documents sent to the
|
||||||
|
# client. The same rules about trailing "/" apply to ScriptAlias
|
||||||
|
# directives as to Alias.
|
||||||
|
#
|
||||||
|
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
|
||||||
|
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
#
|
||||||
|
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
|
||||||
|
# CGI directory exists, if you have that configured.
|
||||||
|
#
|
||||||
|
<Directory "/var/www/cgi-bin">
|
||||||
|
AllowOverride None
|
||||||
|
Options None
|
||||||
|
Require all granted
|
||||||
|
</Directory>
|
||||||
|
{% endif %}
|
||||||
|
<IfModule mime_module>
|
||||||
|
#
|
||||||
|
# TypesConfig points to the file containing the list of mappings from
|
||||||
|
# filename extension to MIME-type.
|
||||||
|
#
|
||||||
|
TypesConfig /etc/mime.types
|
||||||
|
|
||||||
|
#
|
||||||
|
# AddType allows you to add to or override the MIME configuration
|
||||||
|
# file specified in TypesConfig for specific file types.
|
||||||
|
#
|
||||||
|
#AddType application/x-gzip .tgz
|
||||||
|
#
|
||||||
|
# AddEncoding allows you to have certain browsers uncompress
|
||||||
|
# information on the fly. Note: Not all browsers support this.
|
||||||
|
#
|
||||||
|
#AddEncoding x-compress .Z
|
||||||
|
#AddEncoding x-gzip .gz .tgz
|
||||||
|
#
|
||||||
|
# If the AddEncoding directives above are commented-out, then you
|
||||||
|
# probably should define those extensions to indicate media types:
|
||||||
|
#
|
||||||
|
AddType application/x-compress .Z
|
||||||
|
AddType application/x-gzip .gz .tgz
|
||||||
|
|
||||||
|
#
|
||||||
|
# AddHandler allows you to map certain file extensions to "handlers":
|
||||||
|
# actions unrelated to filetype. These can be either built into the server
|
||||||
|
# or added with the Action directive (see below)
|
||||||
|
#
|
||||||
|
# To use CGI scripts outside of ScriptAliased directories:
|
||||||
|
# (You will also need to add "ExecCGI" to the "Options" directive.)
|
||||||
|
#
|
||||||
|
#AddHandler cgi-script .cgi
|
||||||
|
|
||||||
|
# For type maps (negotiated resources):
|
||||||
|
#AddHandler type-map var
|
||||||
|
|
||||||
|
#
|
||||||
|
# Filters allow you to process content before it is sent to the client.
|
||||||
|
#
|
||||||
|
# To parse .shtml files for server-side includes (SSI):
|
||||||
|
# (You will also need to add "Includes" to the "Options" directive.)
|
||||||
|
#
|
||||||
|
AddType text/html .shtml
|
||||||
|
AddOutputFilter INCLUDES .shtml
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
#
|
||||||
|
# Specify a default charset for all content served; this enables
|
||||||
|
# interpretation of all content as UTF-8 by default. To use the
|
||||||
|
# default browser choice (ISO-8859-1), or to allow the META tags
|
||||||
|
# in HTML content to override this choice, comment out this
|
||||||
|
# directive:
|
||||||
|
#
|
||||||
|
AddDefaultCharset UTF-8
|
||||||
|
|
||||||
|
<IfModule mime_magic_module>
|
||||||
|
#
|
||||||
|
# The mod_mime_magic module allows the server to use various hints from the
|
||||||
|
# contents of the file itself to determine its type. The MIMEMagicFile
|
||||||
|
# directive tells the module where the hint definitions are located.
|
||||||
|
#
|
||||||
|
MIMEMagicFile conf/magic
|
||||||
|
</IfModule>
|
||||||
|
|
||||||
|
#
|
||||||
|
# Customizable error responses come in three flavors:
|
||||||
|
# 1) plain text 2) local redirects 3) external redirects
|
||||||
|
#
|
||||||
|
# Some examples:
|
||||||
|
#ErrorDocument 500 "The server made a boo boo."
|
||||||
|
#ErrorDocument 404 /missing.html
|
||||||
|
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
|
||||||
|
#ErrorDocument 402 http://www.example.com/subscription_info.html
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# EnableMMAP and EnableSendfile: On systems that support it,
|
||||||
|
# memory-mapping or the sendfile syscall may be used to deliver
|
||||||
|
# files. This usually improves server performance, but must
|
||||||
|
# be turned off when serving from networked-mounted
|
||||||
|
# filesystems or if support for these functions is otherwise
|
||||||
|
# broken on your system.
|
||||||
|
# Defaults if commented: EnableMMAP On, EnableSendfile Off
|
||||||
|
#
|
||||||
|
EnableMMAP {{ httpd_mmap_enabled }}
|
||||||
|
EnableSendfile {{ httpd_mmap_enabled }}
|
||||||
|
|
||||||
|
ServerTokens {{ httpd_servertokens }}
|
||||||
|
UseCanonicalName {{ httpd_use_canonicalname }}
|
||||||
|
HostnameLookups {{ httpd_hostname_lookups }}
|
||||||
|
AddDefaultCharset {{ httpd_default_charset}}
|
||||||
|
{% for lang in httpd_languages %}
|
||||||
|
AddLanguage {{ lang }} .{{ lang }}
|
||||||
|
{% endfor %}
|
||||||
|
Timeout {{ httpd_timeout }}
|
||||||
|
|
||||||
|
{% if httpd_keepalive_enabled %}
|
||||||
|
KeepAlive On
|
||||||
|
MaxKeepAliveRequests {{ httpd_keepalive_requests }}
|
||||||
|
KeepAliveTimeout {{ httpd_keepalive_timeout }}
|
||||||
|
{% else %}
|
||||||
|
KeepAlive Off
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if httpd_mpm_mode == 'prefork' %}
|
||||||
|
<IfModule prefork.c>
|
||||||
|
StartServers {{ httpd_startservers }}
|
||||||
|
MinSpareServers {{ httpd_min_spare }}
|
||||||
|
MaxSpareServers {{ httpd_max_spare }}
|
||||||
|
ServerLimit {{ httpd_serverlimit }}
|
||||||
|
MaxClients {{ httpd_maxclients }}
|
||||||
|
MaxRequestsPerChild {{ httpd_max_requests_per_child }}
|
||||||
|
</IfModule>
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if httpd_mpm_mode == 'worker' %}
|
||||||
|
<IfModule worker.c>
|
||||||
|
StartServers {{ httpd_startservers }}
|
||||||
|
MaxClients {{ httpd_maxclients }}
|
||||||
|
MinSpareThreads {{ httpd_min_spare }}
|
||||||
|
MaxSpareThreads {{ httpd_max_spare }}
|
||||||
|
ThreadsPerChild {{ httpd_threads_per_child }}
|
||||||
|
MaxRequestsPerChild {{ httpd_max_requests_per_child }}
|
||||||
|
</IfModule>
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# Supplemental configuration
|
||||||
|
#
|
||||||
|
# Load config files in the "/etc/httpd/conf.d" directory, if any.
|
||||||
|
IncludeOptional conf.d/*.conf
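Review bot: `<Directory "/var/www/html">` is hard-coded while `DocumentRoot` is `{{ httpd_document_root }}`. When the document root is moved, the templated `Options`, `AllowOverride` and `Require` values no longer apply to the served tree, which is then governed only by the `Require all granted` block for `httpd_base_document_root`. Use `<Directory "{{ httpd_document_root }}">` instead. Also, `EnableSendfile {{ httpd_mmap_enabled }}` reuses the MMAP variable, so the two settings cannot differ even though the comment above gives them different defaults. `AddDefaultCharset` appears twice, once as a literal `UTF-8` and once from `httpd_default_charset`; keep only the templated one.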
|
|
@ -0,0 +1 @@
|
||||||
|
ProxyPass "/.well-known/acme-challenge" "http://127.0.0.1:{{ letsencrypt_acme_standalone_port}}/.well-known/acme-challenge"
|
|
@ -0,0 +1,51 @@
|
||||||
|
---
|
||||||
|
virtualization_pkg_state: latest
|
||||||
|
|
||||||
|
virtualization_packages:
|
||||||
|
- qemu-kvm
|
||||||
|
- libvirt
|
||||||
|
- bridge-utils
|
||||||
|
- virt-install
|
||||||
|
|
||||||
|
virtualization_centos6_packages:
|
||||||
|
- python-virtinst
|
||||||
|
|
||||||
|
virtualization_centos_netinst_url: "http://mi.mirror.garr.it/mirrors/CentOS/7/os/x86_64/"
|
||||||
|
virtualization_os_boot_dir: /var/lib/libvirt/boot
|
||||||
|
virtualization_os_boot_images:
|
||||||
|
- "http://mi.mirror.garr.it/mirrors/CentOS/7.0.1406/isos/x86_64/CentOS-7.0-1406-x86_64-Minimal.iso"
|
||||||
|
- "http://mi.mirror.garr.it/mirrors/CentOS/5.11/isos/x86_64/CentOS-5.11-x86_64-netinstall.iso"
|
||||||
|
- "http://cdimage.debian.org/debian-cd/7.7.0/amd64/iso-cd/debian-7.7.0-amd64-netinst.iso"
|
||||||
|
- "http://releases.ubuntu.com/14.04.1/ubuntu-14.04.1-server-amd64.iso"
|
||||||
|
|
||||||
|
virtualization_activate_forwarding: True
|
||||||
|
|
||||||
|
virtualization_disable_nfs: True
|
||||||
|
virtualization_nfs_services_to_be_disabled:
|
||||||
|
- nfslock
|
||||||
|
- rpcbind
|
||||||
|
- gssproxy
|
||||||
|
|
||||||
|
virtualization_disable_iscsi: True
|
||||||
|
virtualization_iscsi_services_to_be_disabled:
|
||||||
|
- iprupdate
|
||||||
|
- iprinit
|
||||||
|
- iprdump
|
||||||
|
- iscsid
|
||||||
|
|
||||||
|
# Set this to false if ganeti is used for VM management
|
||||||
|
virtualization_enable_libvirtd: True
|
||||||
|
virtualization_services_to_be_enabled:
|
||||||
|
- libvirtd
|
||||||
|
|
||||||
|
virtualization_sysctl_tuning:
|
||||||
|
- { name: 'net.ipv4.ip_forward', value: '1', state: 'present' }
|
||||||
|
|
||||||
|
virtualization_kvm_create_lvm_pv: False
|
||||||
|
virtualization_kvm_create_lvm_vg: False
|
||||||
|
virtualization_kvm_lvm_pv:
|
||||||
|
- /dev/fake_disk_1
|
||||||
|
virtualization_kvm_lvm_vg: vgxen
|
||||||
|
|
||||||
|
# Disable tuned on the host
|
||||||
|
centos_tuned_enabled: False
|
|
@ -0,0 +1,49 @@
|
||||||
|
---
|
||||||
|
- name: Install the virtualization packages
|
||||||
|
yum: name={{ item }} state={{ virtualization_pkg_state }}
|
||||||
|
with_items: virtualization_packages
|
||||||
|
tags: kvm
|
||||||
|
|
||||||
|
- name: Enable libvirtd when needed
|
||||||
|
service: name={{ item }} state=started enabled=yes
|
||||||
|
with_items: virtualization_services_to_be_enabled
|
||||||
|
when: virtualization_enable_libvirtd
|
||||||
|
tags: [ 'kvm', 'libvirt' ]
|
||||||
|
|
||||||
|
- name: Disable nfs
|
||||||
|
service: name={{ item }} state=stopped enabled=no
|
||||||
|
with_items: virtualization_nfs_services_to_be_disabled
|
||||||
|
when: virtualization_disable_nfs
|
||||||
|
tags: [ 'kvm', 'nfs' ]
|
||||||
|
|
||||||
|
- name: Disable iscsi
|
||||||
|
service: name={{ item }} state=stopped enabled=no
|
||||||
|
with_items: virtualization_iscsi_services_to_be_disabled
|
||||||
|
when: virtualization_disable_iscsi
|
||||||
|
tags: [ 'kvm' , 'iscsi' ]
|
||||||
|
|
||||||
|
- name: Set some kernel parameters needed by virtualization. IP forwarding for example, if we need NAT
|
||||||
|
sysctl: name={{ item.name }} state={{ item.state }} value={{ item.value }} sysctl_file=/etc/sysctl.d/90-virtualization.conf reload=yes sysctl_set=yes
|
||||||
|
with_items: virtualization_sysctl_tuning
|
||||||
|
tags: kvm
|
||||||
|
|
||||||
|
- name: Collect the ISO boot images
|
||||||
|
get_url: url="{{ item }}" dest={{ virtualization_os_boot_dir }}/
|
||||||
|
with_items: virtualization_os_boot_images
|
||||||
|
tags: [ 'kvm', 'iso_images' ]
|
||||||
|
|
||||||
|
- name: Create the LVM PV
|
||||||
|
command: pvcreate {{ item }}
|
||||||
|
with_items: virtualization_kvm_lvm_pv
|
||||||
|
when: virtualization_kvm_create_lvm_pv
|
||||||
|
tags: [ 'kvm', 'lvm_pv' ]
|
||||||
|
|
||||||
|
- name: Create the LVM VG to be used by the virtual guests
|
||||||
|
lvg: vg={{ virtualization_kvm_lvm_vg }} pvs={{ item }}
|
||||||
|
with_items: virtualization_kvm_lvm_pv
|
||||||
|
when: virtualization_kvm_create_lvm_vg
|
||||||
|
tags: [ 'kvm', 'lvm_vg' ]
|
||||||
|
|
||||||
|
- name: Fix the /dev/kvm permissions
|
||||||
|
file: dest=/dev/kvm owner=root group=kvm mode=0660
|
||||||
|
tags: kvm
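Review bot: "Collect the ISO boot images" downloads installer media over plain `http://` (the URLs in the role defaults) with no integrity check, so a tampered or truncated image would be used to install guests. `get_url` accepts a `checksum` argument; turning the list entries into `url`/`sha256` pairs would allow `get_url: url="{{ item.url }}" dest={{ virtualization_os_boot_dir }}/ checksum="sha256:{{ item.sha256 }}"`, with digests taken from the distributors' signed checksum files. The `with_items:` lines in this file pass bare variable names, which later Ansible releases treat as literal strings; `'{{ virtualization_packages }}'` matches the form used in the other roles of this commit. `command: pvcreate {{ item }}` is not idempotent and will fail on a second run once the PV exists.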
|
|
@ -0,0 +1,38 @@
|
||||||
|
---
|
||||||
|
# https://copr.fedorainfracloud.org/coprs/hlandau/acmetool/
|
||||||
|
letsencrypt_acme_install: True
|
||||||
|
letsencrypt_acme_pkgs:
|
||||||
|
- acmetool
|
||||||
|
- libcap
|
||||||
|
letsencrypt_acme_repo_ver: 7
|
||||||
|
letsencrypt_acme_repo_name: 'hlandau-acmetool-epel-{{ letsencrypt_acme_repo_ver }}.repo'
|
||||||
|
letsencrypt_acme_repo_url: 'https://copr.fedorainfracloud.org/coprs/hlandau/acmetool/repo/epel-{{ letsencrypt_acme_repo_ver }}/{{ letsencrypt_acme_repo_name }}'
|
||||||
|
letsencrypt_acme_user: acme
|
||||||
|
letsencrypt_acme_user_home: /var/lib/acme
|
||||||
|
letsencrypt_acme_log_dir: /var/log/acme
|
||||||
|
|
||||||
|
letsencrypt_acme_command: acmetool
|
||||||
|
letsencrypt_acme_command_opts: '--batch --xlog.syslog --xlog.severity=info'
|
||||||
|
letsencrypt_acme_config_dir: '{{ letsencrypt_acme_user_home }}/conf'
|
||||||
|
letsencrypt_acme_certsconf_dir: '{{ letsencrypt_acme_user_home }}/desired'
|
||||||
|
letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}'
|
||||||
|
# The various services maintainers need to put the reconfigure/restart scripts there
|
||||||
|
letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
|
||||||
|
|
||||||
|
# responses parameters
|
||||||
|
letsencrypt_tos_url: 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
|
||||||
|
letsencrypt_acme_agree_tos: true
|
||||||
|
letsencrypt_acme_rsa_key_size: 4096
|
||||||
|
# rsa|ecdsa
|
||||||
|
letsencrypt_acme_key_type: ecdsa
|
||||||
|
letsencrypt_acme_ecdsa_curve: nistp256
|
||||||
|
letsencrypt_acme_email: sysadmin@example.com
|
||||||
|
# We 'listener' or 'proxy'. Use 'listener' if we need a certificate for a non web service or before the web service has been configured.
|
||||||
|
# Need to set cap_net_bind_service=+ep for the acmetool binary so that it is able to bind port 80 in that case.
|
||||||
|
letsencrypt_acme_authenticator: listener
|
||||||
|
|
||||||
|
# desired parameters
|
||||||
|
letsencrypt_acme_domains:
|
||||||
|
- '{{ ansible_fqdn }}'
|
||||||
|
letsencrypt_acme_standalone_port: 4402
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
- name: Initialize letsencrypt acmetool
|
||||||
|
become: True
|
||||||
|
become_user: '{{ letsencrypt_acme_user }}'
|
||||||
|
command: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1'
|
||||||
|
when: letsencrypt_acme_install
|
||||||
|
ignore_errors: True
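Review bot: This handler uses `command:` with `> ... 2>&1`, but the `command` module does not go through a shell, so the redirection tokens are passed to `acme-cert-request` as arguments and no log is written. The task file in this commit runs the same line with `shell:`, which is what the handler needs: `shell: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1'`. With `ignore_errors: True` a failure here is silent, so consider dropping it or registering the result and reporting it.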
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
dependencies:
|
||||||
|
- role: '../../library/centos/roles/self-signed-cert'
|
|
@ -0,0 +1,76 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install the letsencrypt acmetool repo on CentOS
|
||||||
|
get_url: url={{ letsencrypt_acme_repo_url }} dest=/etc/yum.repos.d/{{ letsencrypt_acme_repo_name }}
|
||||||
|
notify: Initialize letsencrypt acmetool
|
||||||
|
|
||||||
|
- name: Create the letsencrypt acme user
|
||||||
|
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/nologin system=yes
|
||||||
|
|
||||||
|
- name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there.
|
||||||
|
file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes
|
||||||
|
|
||||||
|
- name: Install the letsencrypt acmetool package and some deps
|
||||||
|
yum: pkg={{ letsencrypt_acme_pkgs }} state=present
|
||||||
|
|
||||||
|
- name: Create the letsencrypt acme config directory
|
||||||
|
become: True
|
||||||
|
become_user: '{{ letsencrypt_acme_user }}'
|
||||||
|
file: dest={{ letsencrypt_acme_config_dir }} state=directory mode=0755
|
||||||
|
|
||||||
|
- name: Create the letsencrypt acme desired domains directory
|
||||||
|
become: True
|
||||||
|
become_user: '{{ letsencrypt_acme_user }}'
|
||||||
|
file: dest={{ letsencrypt_acme_certsconf_dir }} state=directory mode=0755
|
||||||
|
|
||||||
|
- name: Create the letsencrypt acme hooks directory
|
||||||
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root mode=0755
|
||||||
|
|
||||||
|
- name: Install a default file that shell scripts can include
|
||||||
|
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
|
||||||
|
|
||||||
|
- name: Install the letsencrypt acme responses file
|
||||||
|
become: True
|
||||||
|
become_user: '{{ letsencrypt_acme_user }}'
|
||||||
|
template: src=responses.j2 dest={{ letsencrypt_acme_config_dir }}/responses mode=0644
|
||||||
|
tags: [ 'letsencrypt', 'letsencrypt_responses' ]
|
||||||
|
|
||||||
|
- name: Install the letsencrypt acme certs config file
|
||||||
|
become: True
|
||||||
|
become_user: '{{ letsencrypt_acme_user }}'
|
||||||
|
template: src=cert-requirements.j2 dest={{ letsencrypt_acme_certsconf_dir }}/{{ ansible_fqdn }} mode=0644
|
||||||
|
|
||||||
|
- name: Set the cap_net_bind_service capability to the acmetool binary when we use it in listener mode
|
||||||
|
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
|
||||||
|
when:
|
||||||
|
- letsencrypt_acme_install
|
||||||
|
- letsencrypt_acme_authenticator == 'listener'
|
||||||
|
|
||||||
|
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
|
||||||
|
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=absent
|
||||||
|
when:
|
||||||
|
- letsencrypt_acme_install
|
||||||
|
- letsencrypt_acme_authenticator != 'listener'
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
- name: Install the sudoers config needed to run the acmetool hooks
|
||||||
|
template: src=acme-sudoers.j2 dest=/etc/sudoers.d/letsencrypt-acme owner=root group=root mode=0440
|
||||||
|
|
||||||
|
- name: Create a directory where to put the cron job and hooks logs
|
||||||
|
file: dest={{ letsencrypt_acme_log_dir }} state=directory owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} mode=0750
|
||||||
|
|
||||||
|
- name: Install a script that requests the certificates and manage the self signed certificate
|
||||||
|
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
|
||||||
|
|
||||||
|
- name: Install a daily cron job to renew the certificates when needed
|
||||||
|
cron: name="Letsencrypt certificate renewal" special_time=daily job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1" user={{ letsencrypt_acme_user }}
|
||||||
|
|
||||||
|
- name: letsencrypt acmetool request the first certificate
|
||||||
|
become: True
|
||||||
|
become_user: '{{ letsencrypt_acme_user }}'
|
||||||
|
shell: '/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-init.log 2>&1'
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
|
when: letsencrypt_acme_install
|
||||||
|
tags: letsencrypt
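Review bot: "Install the sudoers config needed to run the acmetool hooks" writes into `/etc/sudoers.d` without a syntax check, and a template that renders badly (for example from an empty variable) can leave sudo unusable on the host. Add `validate='/usr/sbin/visudo -cf %s'` to that `template:` line. The acme user is created with `shell=/bin/nologin`; on CentOS the binary lives at `/sbin/nologin`, so the account gets a non-existent shell rather than the intended one. The file task on the acme home uses `recurse=yes`, which re-owns everything under `/var/lib/acme` on each run, including the private keys; confirm this is intended.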
|
||||||
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
TMP_DIR=/var/tmp/acmetool
|
||||||
|
BASE_DIR=/var/lib/acme
|
||||||
|
RETVAL=
|
||||||
|
|
||||||
|
if [ -d $BASE_DIR/keys/fakeselfsignedcert -a -d $BASE_DIR/certs/fakeselfsignedcert ] ; then
|
||||||
|
mkdir -p $TMP_DIR/{keys,certs}
|
||||||
|
mv $BASE_DIR/keys/fakeselfsignedcert $TMP_DIR/keys
|
||||||
|
mv $BASE_DIR/certs/fakeselfsignedcert $TMP_DIR/certs
|
||||||
|
/bin/rm live/{{ ansible_fqdn }}
|
||||||
|
{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart
|
||||||
|
fi
|
||||||
|
|
||||||
|
{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile
|
||||||
|
RETVAL=$?
|
||||||
|
|
||||||
|
if [ -d $TMP_DIR ] ; then
|
||||||
|
if [ $RETVAL -ne 0 ] ; then
|
||||||
|
mv $TMP_DIR/keys/fakeselfsignedcert $BASE_DIR/keys
|
||||||
|
mv $TMP_DIR/certs/fakeselfsignedcert $BASE_DIR/certs
|
||||||
|
cd $BASE_DIR/live
|
||||||
|
ln -s ../certs/fakeselfsignedcert {{ ansible_fqdn }}
|
||||||
|
fi
|
||||||
|
rm -fr $TMP_DIR
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit $RETVAL
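Review bot: `TMP_DIR=/var/tmp/acmetool` is a fixed name in a world-writable directory, and the script moves the self-signed private key into it. Another local account can create that directory first; the final `[ -d $TMP_DIR ]` test then also fires on runs where nothing was backed up. Leave `TMP_DIR` empty at the top and create it only inside the first `if` with `TMP_DIR=$(mktemp -d /var/tmp/acmetool.XXXXXX) || exit 1`. Then test `[ -n "$TMP_DIR" ] && [ -d "$TMP_DIR" ]` at the end. `/bin/rm live/{{ ansible_fqdn }}` is relative to whatever directory the caller started in; `"$BASE_DIR/live/{{ ansible_fqdn }}"` removes that dependency. The variable expansions should be quoted throughout.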
|
|
@ -0,0 +1,2 @@
|
||||||
|
{{ letsencrypt_acme_user }} ALL=(root) NOPASSWD: {{ letsencrypt_acme_services_scripts_dir }}/
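Review bot: The trailing `/` lets the acme user run every file in the hooks directory as root without a password, so the rule is only as safe as the permissions on that directory and its parents. The template should say so in a comment, for example `# Everything in this directory runs as root: keep it root-owned and not group/world-writable.` The apache role in this commit creates the same directory without a `mode`, so the comment would also document why that task needs one.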
|
||||||
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
satisfy:
|
||||||
|
names:
|
||||||
|
{% for d in letsencrypt_acme_domains %}
|
||||||
|
- {{ d }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
request:
|
||||||
|
challenge:
|
||||||
|
http-ports:
|
||||||
|
- {{ letsencrypt_acme_standalone_port }}
|
||||||
|
|
||||||
|
key:
|
||||||
|
type: {{ letsencrypt_acme_key_type }}
|
||||||
|
{% if letsencrypt_acme_key_type == 'rsa' %}
|
||||||
|
rsa-size: {{ letsencrypt_acme_rsa_key_size }}
|
||||||
|
{% else %}
|
||||||
|
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
LE_EMAIL={{ letsencrypt_acme_email }}
|
||||||
|
LE_SERVICES_SCRIPT_DIR={{ letsencrypt_acme_services_scripts_dir }}
|
||||||
|
LE_CERTS_DIR={{ letsencrypt_acme_certs_dir }}
|
||||||
|
LE_LOG_DIR={{ letsencrypt_acme_log_dir }}
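Review bot: These four assignments are unquoted, and the nginx hook added in this commit reads the file with `. /etc/default/letsencrypt`, so a value containing a space or a shell metacharacter would be interpreted by the shell instead of being assigned. The mysql backup defaults template in this commit already single-quotes its values; the same form fits here, e.g. `LE_EMAIL='{{ letsencrypt_acme_email }}'`. Since the hook appears to run as root through the sudoers rule, the file should also be installed root-owned and not group- or world-writable (the installing task is not in view).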
|
|
@ -0,0 +1,13 @@
|
||||||
|
"acme-enter-email": "{{ letsencrypt_acme_email }}"
|
||||||
|
"acme-agreement:{{ letsencrypt_tos_url }}": {{ letsencrypt_acme_agree_tos }}
|
||||||
|
# https://acme-staging.api.letsencrypt.org/directory is the staging site.
|
||||||
|
# This is the production site
|
||||||
|
"acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
|
||||||
|
"acmetool-quickstart-choose-method": {{ letsencrypt_acme_authenticator }}
|
||||||
|
"acmetool-quickstart-complete": true
|
||||||
|
"acmetool-quickstart-install-cronjob": false
|
||||||
|
"acmetool-quickstart-install-haproxy-script": false
|
||||||
|
"acmetool-quickstart-install-redirector-systemd": false
|
||||||
|
"acmetool-quickstart-key-type": {{ letsencrypt_acme_key_type }}
|
||||||
|
"acmetool-quickstart-rsa-key-size": {{ letsencrypt_acme_rsa_key_size }}
|
||||||
|
"acmetool-quickstart-ecdsa-curve": {{ letsencrypt_acme_ecdsa_curve }}
|
|
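Review bot: The directory URL on the `acmetool-quickstart-choose-server` line is hard-coded, and the staging URL appears only in a comment, so every test run goes against the production CA unless the template itself is edited. `acme-v01` is the ACME v1 API, which Let's Encrypt has since retired, so the value will need changing in any case. A role variable with the production URL as its default (name to be chosen, for example `letsencrypt_acme_directory_url`) would cover both needs.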
@ -0,0 +1,49 @@
|
||||||
|
---
|
||||||
|
mysql_server_install: False
|
||||||
|
mysql_enabled: True
|
||||||
|
mysql_pkg_state: present
|
||||||
|
mysql_conf_dir: /etc/mysql/conf.d
|
||||||
|
mysql_socket: /var/run/mysqld/mysqld.sock
|
||||||
|
mysql_data_dir: /var/lib/mysql
|
||||||
|
mysql_log_dir: /var/log/mysql
|
||||||
|
|
||||||
|
# MySQL-python is needed by ansible to manage users and databases
|
||||||
|
mysql_packages_list:
|
||||||
|
- mariadb
|
||||||
|
- mariadb-server
|
||||||
|
- innotop
|
||||||
|
- mytop
|
||||||
|
- MySQL-python
|
||||||
|
|
||||||
|
mysql_db_name: db_name
|
||||||
|
mysql_db_user: db_user
|
||||||
|
mysql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
|
||||||
|
|
||||||
|
# Alternatives: utf8
|
||||||
|
mysql_default_encoding: utf8mb4
|
||||||
|
# Alternatives: utf8_unicode_ci utf8_bin
|
||||||
|
mysql_default_collation: utf8mb4_unicode_ci
|
||||||
|
mysql_db_host: localhost
|
||||||
|
mysql_db_port: 3306
|
||||||
|
mysql_db_max_connections: 100
|
||||||
|
mysqld_db_read_buffer_size: 128K
|
||||||
|
mysql_db_read_rnd_buffer_size: 256K
|
||||||
|
mysql_db_innodb_data_file_path: 'ibdata1:10M:autoextend'
|
||||||
|
mysql_db_innodb_buffer_pool_size: 256M
|
||||||
|
mysql_db_innodb_additional_mem_pool_size: 5M
|
||||||
|
# Set .._log_file_size to 25 % of buffer pool size
|
||||||
|
mysql_db_innodb_log_file_size: 64M
|
||||||
|
mysql_db_innodb_log_buffer_size: 9M
|
||||||
|
mysql_safe_open_files_limit: 1024
|
||||||
|
|
||||||
|
mysql_listen_on_ext_int: False
|
||||||
|
#mysql_db_data:
|
||||||
|
# - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL', allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32' ] }
|
||||||
|
|
||||||
|
mysql_backup_use_nagios: True
|
||||||
|
mysql_backup_logdir: '{{ mysql_log_dir }}'
|
||||||
|
mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log'
|
||||||
|
mysql_backup_retain_copies: 2
|
||||||
|
mysql_backup_destdir: /var/lib/mysql-backup
|
||||||
|
mysql_backup_exclude_list: "performance_schema"
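Review bot: `mysql_db_pwd` defaults to a sentence that is published in the repository; if a play builds `mysql_db_data` from it, as the commented example does, without overriding it, that sentence becomes the real database password. Leaving the variable undefined, so the play stops until a vaulted value is supplied, is safer than a working placeholder. The text also points at `pgpass.j2`, which looks copied from a PostgreSQL role and should name the MySQL template instead.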
|
||||||
|
|
|
@ -0,0 +1,11 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
LOG_FILE=/var/log/mysql-backup.log
|
||||||
|
if [ -x /etc/cron.daily/duplicity_backup ] ; then
|
||||||
|
echo "duplicity backups active. Exiting" > $LOG_FILE
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
/usr/local/sbin/mysql-backup > $LOG_FILE 2>&1
|
||||||
|
|
||||||
|
exit 0
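Review bot: The wrapper ends with `exit 0` whatever `/usr/local/sbin/mysql-backup` returned, so a failed dump never reaches cron's own failure reporting, and with `MY_BACKUP_USE_NAGIOS` off nothing else records it. Saving the status after the call and ending with `exit $RETVAL` keeps the failure visible. `> $LOG_FILE` also truncates the previous night's log on every run; `>>` preceded by a date line would keep the history needed for troubleshooting.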
|
|
@ -0,0 +1,77 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
RETVAL=0
|
||||||
|
|
||||||
|
MY_BACKUP_USE_NAGIOS="False"
|
||||||
|
MY_BACKUP_DIR=/var/lib/mysql-backup
|
||||||
|
MY_DATA_DIR=/var/lib/mysql
|
||||||
|
N_DAYS_TO_SPARE=7
|
||||||
|
# Exclude list
|
||||||
|
EXCLUDE_LIST='performance_schema'
|
||||||
|
|
||||||
|
if [ -f /etc/sysconfig/mysql_backup ] ; then
|
||||||
|
. /etc/sysconfig/mysql_backup
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f /root/.my.cnf ] ; then
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
umask 0077
|
||||||
|
# Year month day - hour minute second
|
||||||
|
SAVE_TIME=$( date +%Y%m%d-%H%M%S )
|
||||||
|
TIMESTAMP=
|
||||||
|
TIMESTAMP_LOG=$MY_BACKUP_DIR/.timestamp
|
||||||
|
|
||||||
|
if [ ! -d $MY_BACKUP_DIR ] ; then
|
||||||
|
mkdir -p $MY_BACKUP_DIR
|
||||||
|
fi
|
||||||
|
if [ ! -d $MY_BACKUP_LOG_DIR ] ; then
|
||||||
|
mkdir -p $MY_BACKUP_LOG_DIR
|
||||||
|
fi
|
||||||
|
if [ ! -d $MY_BACKUP_DIR/history ] ; then
|
||||||
|
mkdir -p $MY_BACKUP_DIR/history
|
||||||
|
fi
|
||||||
|
chmod 700 $MY_BACKUP_DIR
|
||||||
|
LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
|
||||||
|
NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status
|
||||||
|
|
||||||
|
if [ ! -f $LOCKFILE ] ; then
|
||||||
|
touch $LOCKFILE
|
||||||
|
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
|
||||||
|
> $NAGIOS_LOG
|
||||||
|
fi
|
||||||
|
for db in $( mysql -Bse "show databases;" | grep -v $EXCLUDE_LIST ) ; do
|
||||||
|
mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
|
||||||
|
DUMP_RESULT=$?
|
||||||
|
chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME}
|
||||||
|
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
|
||||||
|
if [ $DUMP_RESULT -ne 0 ] ; then
|
||||||
|
echo "$db:FAILED" >> $NAGIOS_LOG
|
||||||
|
RETVAL=$DUMP_RESULT
|
||||||
|
else
|
||||||
|
echo "$db:OK" >> $NAGIOS_LOG
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1
|
||||||
|
rm -f $db.sql
|
||||||
|
ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql
|
||||||
|
popd >/dev/null 2>&1
|
||||||
|
done
|
||||||
|
# Do a "flush-hosts" after the backup
|
||||||
|
mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log
|
||||||
|
TIMESTAMP=$( date +%s )
|
||||||
|
echo "$TIMESTAMP" > $TIMESTAMP_LOG
|
||||||
|
rm -f $LOCKFILE
|
||||||
|
else
|
||||||
|
echo "Old backup still running" > /var/log/mysql-backup.log
|
||||||
|
RETVAL=2
|
||||||
|
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
|
||||||
|
echo "old backup still running:WARNING" >> $NAGIOS_LOG
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Remove the old backups
|
||||||
|
find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \;
|
||||||
|
|
||||||
|
exit $RETVAL
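Review bot: `MY_BACKUP_LOG_DIR` has no default in this script, unlike `MY_BACKUP_DIR` and `MY_DATA_DIR`; when `/etc/sysconfig/mysql_backup` is absent the unquoted `[ ! -d $MY_BACKUP_LOG_DIR ]` test is false, the directory is not created, and the error redirections resolve to `/$db.log`. Adding `MY_BACKUP_LOG_DIR=/var/log/mysql` next to the other defaults (the role default for `mysql_backup_logdir`) fixes that. The final `find ... -ctime +$N_DAYS_TO_SPARE -exec rm` also runs when the dumps failed or the lock was held, so a few bad nights can remove the last good copy; it should run only after a successful pass. Note that `RETVAL` is currently updated on a failed dump only inside the Nagios branch, so it cannot be used as that guard without moving the assignment out.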
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: Restart mariadb
|
||||||
|
service: name=mariadb state=restarted
|
||||||
|
|
||||||
|
- name: Reload mariadb
|
||||||
|
service: name=mariadb state=reloaded
|
|
@ -0,0 +1,46 @@
|
||||||
|
---
|
||||||
|
# 'localhost' needs to be the last item for idempotency, the mysql_user docs
|
||||||
|
- name: Secure the mysql root user
|
||||||
|
mysql_user: name=root host={{ item }} password={{ mysql_root_password }}
|
||||||
|
when: mysql_root_password is defined
|
||||||
|
with_items:
|
||||||
|
- '{{ ansible_hostname }}'
|
||||||
|
- 127.0.0.1
|
||||||
|
- ::1
|
||||||
|
- localhost
|
||||||
|
ignore_errors: True
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
|
||||||
|
- name: Secure the mysql root user
|
||||||
|
mysql_user: name=root host={{ item }} password=""
|
||||||
|
when: mysql_root_password is not defined
|
||||||
|
with_items:
|
||||||
|
- '{{ ansible_hostname }}'
|
||||||
|
- 127.0.0.1
|
||||||
|
- ::1
|
||||||
|
- localhost
|
||||||
|
ignore_errors: True
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
|
||||||
|
- name: Install the .my.cnf file with root password credentials
|
||||||
|
template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
|
||||||
|
when: mysql_root_password is defined
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
|
||||||
|
- name: delete anonymous MySQL server user for {{ server_hostname }}
|
||||||
|
mysql_user: user="" host="{{ ansible_hostname }}" state="absent"
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
|
||||||
|
- name: delete anonymous MySQL server user for localhost
|
||||||
|
mysql_user: user="" state="absent"
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
|
||||||
|
- name: remove the MySQL test database
|
||||||
|
mysql_db: db=test state=absent
|
||||||
|
tags:
|
||||||
|
- mysql
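Review bot: The second "Secure the mysql root user" task sets `password=""` for root on all four host entries whenever `mysql_root_password` is undefined, and the role defaults visible in this commit do not define it, so the default outcome is a root account with an empty password. I would replace that task with a `fail` or `assert` that stops the play when the variable is missing. On the first task, `no_log: true` keeps the password out of task output, and `ignore_errors: True` lets a failure to set it pass silently, so it is better removed there. The comment on the first line also stops mid-sentence ("the mysql_user docs").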
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
- name: Stop and disable the mariadb server if we do not want it running
|
||||||
|
service: name=mariadb state=stopped enabled=no
|
||||||
|
when: not mysql_enabled
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
- mariadb
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
- import_tasks: packages.yml
|
||||||
|
- import_tasks: mysql-conf.yml
|
||||||
|
when: mysql_enabled
|
||||||
|
- import_tasks: disable-mariadb-service.yml
|
||||||
|
when: not mysql_enabled
|
||||||
|
- import_tasks: configure_root_access.yml
|
||||||
|
when: mysql_enabled
|
||||||
|
- import_tasks: manage_my_db.yml
|
||||||
|
when: mysql_enabled
|
||||||
|
- import_tasks: mysql-backup.yml
|
||||||
|
when: mysql_enabled
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
- name: Add databases to mysql, if any
|
||||||
|
mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present
|
||||||
|
with_items: '{{ mysql_db_data }}'
|
||||||
|
when:
|
||||||
|
- mysql_db_data is defined
|
||||||
|
- item.name is defined
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
- mysql_db
|
||||||
|
|
||||||
|
- name: Add a user for the databases
|
||||||
|
mysql_user: name={{ item.user }} password={{ item.pwd }} host={{ item.allowed_hosts }} priv={{ item.name }}.*:{{ item.user_grant }} state=present
|
||||||
|
with_items: '{{ mysql_db_data }}'
|
||||||
|
when:
|
||||||
|
- mysql_db_data is defined
|
||||||
|
- item.name is defined
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
- mysql_db
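Review bot: The "Add a user for the databases" task loops over items that carry `pwd`, and Ansible prints each loop item in its output, so the passwords end up in logs; `no_log: true` on that task prevents it. `host={{ item.allowed_hosts }}` passes the whole list from the defaults example (`allowed_hosts: [ 'localhost', ... ]`) as a single host string, whereas one account per allowed host needs a nested loop such as `with_subelements`. The loop expression is also templated before `when:` is applied per item, so `with_items: '{{ mysql_db_data | default([]) }}'` is the safer form when the variable is unset.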
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
- name: Install a script that performs mysql dumps
|
||||||
|
copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750
|
||||||
|
tags: [ 'mysql', 'mysql_backup' ]
|
||||||
|
|
||||||
|
- name: Install the mysql backup defaults
|
||||||
|
template: src=mysql_backup-default.j2 dest=/etc/sysconfig/mysql_backup owner=root group=root mode=0440
|
||||||
|
tags: [ 'mysql', 'mysql_backup' ]
|
||||||
|
|
||||||
|
- name: Cron job that executes mysql nightly backups
|
||||||
|
copy: src=mysql-backup.cron dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755
|
||||||
|
tags: [ 'mysql', 'mysql_backup' ]
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
- name: Install the main configuration files.
|
||||||
|
template: src={{ item }}.cnf.j2 dest=/etc/my.cnf.d/{{ item }}.cnf owner=root group=root mode=0644
|
||||||
|
with_items:
|
||||||
|
- client
|
||||||
|
- server
|
||||||
|
- mysql-clients
|
||||||
|
when: mysql_enabled
|
||||||
|
notify: Restart mariadb
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
- mariadb
|
||||||
|
- mysql-conf
|
|
@ -0,0 +1,15 @@
|
||||||
|
---
|
||||||
|
- name: install the mariadb packages
|
||||||
|
yum: pkg={{ item }} state={{ mysql_pkg_state }}
|
||||||
|
with_items: mysql_packages_list
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
- mariadb
|
||||||
|
|
||||||
|
- name: Ensure that the mariadb server is enabled and running
|
||||||
|
service: name=mariadb state=started enabled=yes
|
||||||
|
when: mysql_enabled
|
||||||
|
tags:
|
||||||
|
- mysql
|
||||||
|
- mariadb
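Review bot: `with_items: mysql_packages_list` is a bare variable name; current Ansible releases treat it as a literal string, so the task would ask yum for a package called `mysql_packages_list`. The other loops in this commit use the templated form, and this one should too: `with_items: '{{ mysql_packages_list }}'`.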
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
# The following options will be passed to all MariaDB clients
|
||||||
|
[client]
|
||||||
|
#password = your_password
|
||||||
|
port = 3306
|
||||||
|
socket = /var/lib/mysql/mysql.sock
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
[client]
|
||||||
|
user=root
|
||||||
|
password={{ mysql_root_password }}
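Review bot: `password={{ mysql_root_password }}` is written unquoted; in a MySQL option file a `#` starts a comment and surrounding whitespace is trimmed, so a password containing either would be read back differently from the one set on the server. `password="{{ mysql_root_password }}"` avoids that for passwords that do not themselves contain a double quote. The task that installs this file already uses `mode=0400`, which is what a credentials file needs.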
|
||||||
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
|
||||||
|
[mysql]
|
||||||
|
|
||||||
|
[mysql_upgrade]
|
||||||
|
|
||||||
|
[mysqladmin]
|
||||||
|
|
||||||
|
[mysqlbinlog]
|
||||||
|
|
||||||
|
[mysqlcheck]
|
||||||
|
|
||||||
|
[mysqldump]
|
||||||
|
quick
|
||||||
|
max_allowed_packet = 16M
|
||||||
|
|
||||||
|
[mysqlimport]
|
||||||
|
|
||||||
|
[mysqlshow]
|
||||||
|
|
||||||
|
[mysqlslap]
|
|
@ -0,0 +1,8 @@
|
||||||
|
MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'
|
||||||
|
MY_BACKUP_LOG_DIR='{{ mysql_backup_logdir }}'
|
||||||
|
MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}'
|
||||||
|
N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}'
|
||||||
|
MY_BACKUP_DIR='{{ mysql_backup_destdir }}'
|
||||||
|
MY_DATA_DIR='{{ mysql_data_dir }}'
|
||||||
|
# Exclude list
|
||||||
|
EXCLUDE_LIST='{{ mysql_backup_exclude_list }}'
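Review bot: `N_DAYS_TO_SPARE` is fed from `mysql_backup_retain_copies`, but the backup script uses it as an age in days (`find ... -ctime +$N_DAYS_TO_SPARE`), so the default of 2 removes dumps older than two days rather than keeping two copies. A comment on that line, such as `# age in days after which dumps are deleted`, or a renamed variable, would make the retention explicit. `MY_BACKUP_LOG_FILE` is set here but neither the backup script nor the cron wrapper in this commit reads it.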
|
|
@ -0,0 +1,52 @@
|
||||||
|
# Here follows entries for some specific programs
|
||||||
|
|
||||||
|
# The MariaDB server
|
||||||
|
[mysqld]
|
||||||
|
port = {{ mysql_db_port }}
|
||||||
|
socket = /var/lib/mysql/mysql.sock
|
||||||
|
max_connections = {{ mysql_db_max_connections }}
|
||||||
|
skip-external-locking
|
||||||
|
key_buffer_size = 16M
|
||||||
|
max_allowed_packet = 1M
|
||||||
|
table_open_cache = 512
|
||||||
|
sort_buffer_size = 8M
|
||||||
|
net_buffer_length = 8K
|
||||||
|
read_buffer_size = {{ mysqld_db_read_buffer_size }}
|
||||||
|
read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
|
||||||
|
myisam_sort_buffer_size = 16M
|
||||||
|
|
||||||
|
# Point the following paths to different dedicated disks
|
||||||
|
#tmpdir = /tmp/
|
||||||
|
|
||||||
|
# Don't listen on a TCP/IP port at all. This can be a security enhancement,
|
||||||
|
# if all processes that need to connect to mysqld run on the same host.
|
||||||
|
# All interaction with mysqld must be made via Unix sockets or named pipes.
|
||||||
|
# Note that using this option without enabling named pipes on Windows
|
||||||
|
# (via the "enable-named-pipe" option) will render mysqld useless!
|
||||||
|
#
|
||||||
|
#skip-networking
|
||||||
|
|
||||||
|
# Enable binary logging. This is required for acting as a MASTER in a
|
||||||
|
# replication configuration. You also need the binary log if you need
|
||||||
|
# the ability to do point in time recovery from your latest backup.
|
||||||
|
log-bin=mysql-bin
|
||||||
|
|
||||||
|
# binary logging format - mixed recommended
|
||||||
|
binlog_format=mixed
|
||||||
|
|
||||||
|
# Uncomment the following if you are using InnoDB tables
|
||||||
|
innodb_data_home_dir = /var/lib/mysql
|
||||||
|
innodb_data_file_path = {{ mysql_db_innodb_data_file_path }}
|
||||||
|
innodb_log_group_home_dir = /var/lib/mysql
|
||||||
|
# You can set .._buffer_pool_size up to 50 - 80 %
|
||||||
|
# of RAM but beware of setting memory usage too high
|
||||||
|
innodb_buffer_pool_size = {{ mysql_db_innodb_buffer_pool_size }}
|
||||||
|
innodb_additional_mem_pool_size = {{ mysql_db_innodb_additional_mem_pool_size }}
|
||||||
|
# Set .._log_file_size to 25 % of buffer pool size
|
||||||
|
innodb_log_file_size = {{ mysql_db_innodb_log_file_size }}
|
||||||
|
innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }}
|
||||||
|
innodb_flush_log_at_trx_commit = 1
|
||||||
|
innodb_lock_wait_timeout = 50
|
||||||
|
|
||||||
|
[mysqld_safe]
|
||||||
|
open-files-limit = {{ mysql_safe_open_files_limit }}
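Review bot: No `bind-address` is set in `[mysqld]`, and the role default `mysql_listen_on_ext_int: False` is not referenced by any of the three templates this commit installs, so the server listens on every interface whatever that variable says. Adding `{% if not mysql_listen_on_ext_int %}`, `bind-address = 127.0.0.1`, `{% endif %}` after the `port` line would make the default match its name. `log-bin` is enabled with no expiry, so binary logs grow until purged by hand; `expire_logs_days` would bound them.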
|
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
mc_pkg_state: present
|
||||||
|
mc_enabled: True
|
||||||
|
|
||||||
|
mc_port: 11211
|
||||||
|
mc_user: memcached
|
||||||
|
mc_maxconn: 1024
|
||||||
|
mc_cachesize: 256
|
||||||
|
mc_options: ""
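Review bot: `mc_options: ""` leaves memcached listening on all interfaces, and memcached has no authentication by default, so anything that can reach port 11211 can read and write the cache. A safer default is `mc_options: "-l 127.0.0.1 -U 0"` (bind to loopback, UDP off), with hosts that need remote clients overriding it and restricting the port in the firewall.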
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
- name: Restart memcached
|
||||||
|
service: name=memcached state=restarted
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
---
|
||||||
|
- name: Install the memcached package
|
||||||
|
yum: pkg={{ item }} state={{ mc_pkg_state }}
|
||||||
|
with_items:
|
||||||
|
- memcached
|
||||||
|
tags:
|
||||||
|
- memcache
|
||||||
|
- memcached
|
||||||
|
|
||||||
|
- name: Install the memcached sysconfig file
|
||||||
|
template: src={{ item }}.sysconfig.j2 dest=/etc/sysconfig/{{ item }} owner=root group=root mode=0444
|
||||||
|
with_items:
|
||||||
|
- memcached
|
||||||
|
notify: Restart memcached
|
||||||
|
tags:
|
||||||
|
- memcache
|
||||||
|
- memcached
|
||||||
|
|
||||||
|
- name: Ensure that the memcached service is started and enabled
|
||||||
|
service: name=memcached state=started enabled=yes
|
||||||
|
when: mc_enabled
|
||||||
|
tags:
|
||||||
|
- memcache
|
||||||
|
- memcached
|
||||||
|
|
||||||
|
- name: Ensure that the memcached service is stopped and disabled
|
||||||
|
service: name=memcached state=stopped enabled=no
|
||||||
|
when: not mc_enabled
|
||||||
|
tags:
|
||||||
|
- memcache
|
||||||
|
- memcached
|
|
@ -0,0 +1,5 @@
|
||||||
|
PORT="{{ mc_port }}"
|
||||||
|
USER="{{ mc_user }}"
|
||||||
|
MAXCONN="{{ mc_maxconn }}"
|
||||||
|
CACHESIZE="{{ mc_cachesize }}"
|
||||||
|
OPTIONS="{{ mc_options }}"
|
|
@ -0,0 +1,113 @@
|
||||||
|
---
|
||||||
|
nginx_enabled: True
|
||||||
|
nginx_package_state: installed
|
||||||
|
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||||
|
nginx_ssl_level: intermediate
|
||||||
|
|
||||||
|
nginx_snippets_dir: /etc/nginx/snippets
|
||||||
|
nginx_default_conf_dir: /etc/nginx/default.d
|
||||||
|
|
||||||
|
nginx_conf_snippets:
|
||||||
|
- nginx-compression.conf
|
||||||
|
- nginx-websockets.conf
|
||||||
|
- nginx-browser-cache.conf
|
||||||
|
- letsencrypt-proxy.conf
|
||||||
|
- nginx-proxy-params.conf
|
||||||
|
- nginx-server-ssl.conf
|
||||||
|
- nginx-cors.conf
|
||||||
|
|
||||||
|
nginx_old_snippets:
|
||||||
|
- compression.conf
|
||||||
|
|
||||||
|
nginx_workers: 4
|
||||||
|
nginx_worker_connections: 1024
|
||||||
|
nginx_multi_accept: 'off'
|
||||||
|
nginx_worker_rlimit_nofile: 2048
|
||||||
|
nginx_server_tokens: 'off'
|
||||||
|
|
||||||
|
nginx_large_client_header_buffers: 4 8k
|
||||||
|
|
||||||
|
nginx_enable_compression: True
|
||||||
|
nginx_gzip_vary: "on"
|
||||||
|
nginx_gzip_proxied: any
|
||||||
|
nginx_gzip_comp_level: 6
|
||||||
|
nginx_gzip_buffers: 16 8k
|
||||||
|
nginx_gzip_http_version: 1.1
|
||||||
|
nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript"
|
||||||
|
|
||||||
|
nginx_enable_browser_cache: True
|
||||||
|
nginx_cache_control: public
|
||||||
|
nginx_html_cache_expire: -1
|
||||||
|
nginx_feed_cache_expire_enabled: False
|
||||||
|
nginx_feed_cache_expire: 1h
|
||||||
|
nginx_media_cache_expire: 1M
|
||||||
|
nginx_css_js_cache_expire: -1
|
||||||
|
|
||||||
|
nginx_reverse_proxy: False
|
||||||
|
nginx_define_x_real_ip: False
|
||||||
|
nginx_proxy_buffering: "on"
|
||||||
|
nginx_proxy_redirect: "off"
|
||||||
|
nginx_proxy_buffer_size: 128k
|
||||||
|
nginx_proxy_buffers: '4 {{ nginx_proxy_buffer_size }}'
|
||||||
|
nginx_proxy_busy_buffers_size: 256k
|
||||||
|
nginx_proxy_connect_timeout: 30s
|
||||||
|
nginx_proxy_read_timeout: 480s
|
||||||
|
nginx_proxy_send_timeout: 120s
|
||||||
|
nginx_proxy_temp_file_write_size: '{{ nginx_proxy_buffer_size }}'
|
||||||
|
nginx_client_max_body_size: 100M
|
||||||
|
nginx_client_body_timeout: 240s
|
||||||
|
|
||||||
|
nginx_cors_limit_origin: True
|
||||||
|
nginx_cors_extended_rules: False
|
||||||
|
nginx_cors_acl_origin: 'http?://(localhost)'
|
||||||
|
|
||||||
|
# Find a set of acceptable defaults for the cache setup
|
||||||
|
nginx_cache_enabled: False
|
||||||
|
|
||||||
|
nginx_use_ldap_pam_auth: False
|
||||||
|
nginx_pam_svc_name: nginx
|
||||||
|
nginx_ldap_uri: "ldap://ldap.example.org"
|
||||||
|
nginx_ldap_base_dn: "dc=example,dc=org"
|
||||||
|
nginx_basic_auth: False
|
||||||
|
nginx_basic_auth_users:
|
||||||
|
- { name: 'test', pwd: 'hide inside a vault file', file: '/etc/nginx/htpasswd' }
|
||||||
|
# nginx_ldap_login_attribute: uid
|
||||||
|
# nginx_ldap_pam_groupdn:
|
||||||
|
nginx_letsencrypt_managed: True
|
||||||
|
nginx_websockets_support: False
|
||||||
|
nginx_use_common_virthost: False
|
||||||
|
# Use 'ssl http2' if the nginx version supports it
|
||||||
|
nginx_ssl_type: ssl http2
|
||||||
|
# When we do not use letsencrypt:
|
||||||
|
# nginx_ssl_cert_file: '{{ pki_dir }}/certs/nginx.crt'
|
||||||
|
# nginx_ssl_cert_key: '{{ pki_dir }}/keys/nginx.key'
|
||||||
|
|
||||||
|
# Virtualhost example
|
||||||
|
# nginx_virthosts:
|
||||||
|
# - virthost_name: '{{ ansible_fqdn }}'
|
||||||
|
# listen: '{{ http_port }}'
|
||||||
|
# server_name: '{{ ansible_fqdn }}'
|
||||||
|
# server_aliases: ''
|
||||||
|
# index: index.html
|
||||||
|
# error_page: /path_to_error_page.html
|
||||||
|
# ssl_enabled: False
|
||||||
|
# ssl_only: False
|
||||||
|
# ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
|
||||||
|
# root: /usr/share/nginx/html/
|
||||||
|
# server_tokens: 'off'
|
||||||
|
# proxy_standard_setup: True
|
||||||
|
# proxy_additional_options:
|
||||||
|
# - 'proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;'
|
||||||
|
# proxies:
|
||||||
|
# - location: /
|
||||||
|
# target: http://localhost:{{ local_http_port }};
|
||||||
|
#
|
||||||
|
# extra_parameters: |
|
||||||
|
# location ~ \.php$ {
|
||||||
|
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
# fastcgi_pass unix:/var/run/php5-fpm.sock;
|
||||||
|
# fastcgi_index index.php;
|
||||||
|
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
# include fastcgi_params;
|
||||||
|
# }
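Review bot: `nginx_basic_auth_users` ships a working entry (`name: 'test'`, `pwd: 'hide inside a vault file'`), so setting `nginx_basic_auth: True` without overriding the list creates an account whose credentials are in the repository; `nginx_basic_auth_users: []` is a safer default. `nginx_cors_acl_origin: 'http?://(localhost)'` is written like a regular expression (and `http?` was probably meant to be `https?`), but the CORS snippet in this commit emits it verbatim as the `Access-Control-Allow-Origin` value, which has to be one literal origin. A comment stating which form the variable expects would prevent that mismatch.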
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||||
|
LE_LOG_DIR=/var/log/letsencrypt
|
||||||
|
DATE=$( date )
|
||||||
|
|
||||||
|
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||||
|
echo "$DATE" >> $LE_LOG_DIR/nginx.log
|
||||||
|
|
||||||
|
if [ -f /etc/default/letsencrypt ] ; then
|
||||||
|
. /etc/default/letsencrypt
|
||||||
|
else
|
||||||
|
echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
|
||||||
|
if [ -x /bin/systemctl ] ; then
|
||||||
|
systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
|
||||||
|
else
|
||||||
|
service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Done." >> $LE_LOG_DIR/nginx.log
|
||||||
|
|
||||||
|
exit 0
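Review bot: The script tests `-x /bin/systemctl` but then calls `systemctl` and `service` through `PATH`; since the sudoers rule in this commit lets the acme user run the hooks as root, absolute paths such as `/bin/systemctl reload nginx` remove the dependency on the caller's environment. `LE_LOG_DIR` is used for the first log line before `/etc/default/letsencrypt` is sourced, so an override in that file only applies to the later lines. Sourcing the file first and quoting `"$LE_LOG_DIR"` would make the logging consistent.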
|
|
@ -0,0 +1,26 @@
|
||||||
|
|
||||||
|
#
|
||||||
|
auth [success=2 default=ignore] pam_unix.so nullok_secure
|
||||||
|
auth [success=1 default=ignore] pam_ldap.so
|
||||||
|
auth requisite pam_deny.so
|
||||||
|
auth required pam_permit.so
|
||||||
|
|
||||||
|
#
|
||||||
|
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
|
||||||
|
account [success=1 default=ignore] pam_ldap.so
|
||||||
|
account requisite pam_deny.so
|
||||||
|
account required pam_permit.so
|
||||||
|
|
||||||
|
#
|
||||||
|
password [success=1 default=ignore] pam_unix.so obscure sha512
|
||||||
|
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
|
||||||
|
password requisite pam_deny.so
|
||||||
|
password required pam_permit.so
|
||||||
|
|
||||||
|
#
|
||||||
|
session [default=1] pam_permit.so
|
||||||
|
session requisite pam_deny.so
|
||||||
|
session required pam_permit.so
|
||||||
|
session optional pam_umask.so
|
||||||
|
session required pam_unix.so
|
||||||
|
session optional pam_ldap.so
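Review bot: `nullok_secure` on the `auth` line for `pam_unix.so` permits accounts with an empty password, which is not wanted for a service that backs HTTP logins; `auth [success=2 default=ignore] pam_unix.so` is enough. The option is also Debian-specific, which is worth checking against the CentOS target of this commit. In the `password` stack, `pam_unix.so` has `success=1`, which jumps over `pam_ldap.so` onto `pam_deny.so`; the parallel `auth` and `account` stacks use `success=2`.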
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- name: Reload nginx
|
||||||
|
service: name=nginx state=reloaded
|
||||||
|
|
||||||
|
- name: Restart nginx
|
||||||
|
service: name=nginx state=restarted
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install the python passlib library
|
||||||
|
apt: pkg=python-passlib state=present update_cache=yes cache_valid_time=3600
|
||||||
|
|
||||||
|
- name: Create the htpasswd file needed by the basic auth
|
||||||
|
htpasswd: path={{ item.file | default ('/etc/nginx/htpasswd') }} name={{ item.name }} password={{ item.pwd }} state={{ item.state | default('present') }} crypt_scheme={{ item.crypt | default('sha256_crypt') }}
|
||||||
|
with_items: '{{ nginx_basic_auth_users }}'
|
||||||
|
|
||||||
|
when: nginx_basic_auth
|
||||||
|
tags: nginx
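Review bot: The htpasswd task loops over items that contain `pwd`, so each password is echoed in the task output; `no_log: true` on that task keeps it out of logs. The file is created without `owner`, `group` or `mode`; something like `owner=root group=nginx mode=0640` (assuming the workers run as `nginx`) keeps the hashes away from other local users. The first task uses `apt`, while the rest of this commit installs with `yum`, so it would fail on the CentOS hosts these roles target.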
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
- import_tasks: nginx.yml
|
||||||
|
- import_tasks: nginx-config.yml
|
||||||
|
- import_tasks: nginx-virtualhosts.yml
|
||||||
|
when: nginx_use_common_virthost
|
||||||
|
- import_tasks: nginx-letsencrypt.yml
|
||||||
|
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||||
|
- import_tasks: basic-auth.yml
|
||||||
|
- import_tasks: pam-ldap.yml
|
||||||
|
|
||||||
|
- name: Ensure that the webserver is running and enabled at boot time
|
||||||
|
service: name=nginx state=started enabled=yes
|
||||||
|
when: nginx_enabled
|
||||||
|
ignore_errors: True
|
||||||
|
tags: nginx
|
||||||
|
|
||||||
|
- name: Ensure that the webserver is stopped and disabled
|
||||||
|
service: name=nginx state=stopped enabled=no
|
||||||
|
when: not nginx_enabled
|
||||||
|
ignore_errors: True
|
||||||
|
tags: nginx
|
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Create the snippets directory
|
||||||
|
file: dest={{ nginx_snippets_dir }} state=directory
|
||||||
|
|
||||||
|
- name: Create the pki directory
|
||||||
|
file: dest={{ {{ pki_dir }}/nginx }} state=directory
|
||||||
|
|
||||||
|
- name: Create a dhparams file 2048 bits long
|
||||||
|
shell: openssl dhparam -out {{ pki_dir }}/nginx/dhparams.pem 2048
|
||||||
|
args:
|
||||||
|
creates: '{{ pki_dir }}/nginx/dhparams.pem'
|
||||||
|
when: nginx_ssl_level == 'intermediate'
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
- name: Install the supported configuration snippets
|
||||||
|
template: src={{ item }}.j2 dest=/etc/nginx/snippets/{{ item }} owner=root group=root mode=0444
|
||||||
|
with_items: '{{ nginx_conf_snippets }}'
|
||||||
|
|
||||||
|
- name: Install the main nginx.conf
|
||||||
|
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=444
|
||||||
|
notify: Reload nginx
|
||||||
|
|
||||||
|
- name: Remove the old configuration snippets
|
||||||
|
file: dest=/etc/nginx/conf.d/{{ item }} state=absent
|
||||||
|
with_items: '{{ nginx_old_snippets }}'
|
||||||
|
|
||||||
|
when: nginx_enabled
|
||||||
|
tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ]
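Review bot: `file: dest={{ {{ pki_dir }}/nginx }} state=directory` nests one `{{ }}` inside another, which is a template syntax error, so the task fails and the `dhparams.pem` task after it has no directory to write to. It should read `file: dest={{ pki_dir }}/nginx state=directory owner=root group=root mode=0755`. The snippets directory task above it likewise sets no owner or mode.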
|
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Create the acme hooks directory if it does not yet exist
|
||||||
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||||
|
|
||||||
|
- name: Install a letsencrypt hook for nginx
|
||||||
|
copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
|
||||||
|
|
||||||
|
when:
|
||||||
|
- letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||||
|
- nginx_letsencrypt_managed
|
||||||
|
tags: [ 'nginx', 'letsencrypt' ]
|
||||||
|
|
||||||
|
- block:
|
||||||
|
- name: Remove the letsencrypt hook for nginx
|
||||||
|
file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
|
||||||
|
|
||||||
|
when: not nginx_letsencrypt_managed
|
||||||
|
tags: [ 'nginx', 'letsencrypt' ]
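Review bot: `mode=4555` puts the setuid bit on a shell script. Linux ignores setuid on interpreted scripts, and the hook is already run as root through the sudoers rule added in this commit, so the bit does nothing useful and will show up in any setuid audit; `mode=0555` is sufficient. The directory task above it sets `owner=root group=root` but no mode, and `mode=0755` there makes explicit that only root can add hooks.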
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- name: Install the nginx virtualhost files
|
||||||
|
template: src=nginx-virthost.j2 dest=/etc/nginx/conf.d/{{ item.virthost_name }}.conf owner=root group=root mode=0444
|
||||||
|
with_items: '{{ nginx_virthosts | default(omit) }}'
|
||||||
|
notify: Reload nginx
|
||||||
|
tags: [ 'nginx', 'virtualhost' ]
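Review bot: `default(omit)` is meant for module arguments, not for loops; when `nginx_virthosts` is undefined the loop would receive the omit placeholder rather than an empty list and the task would likely fail on `item.virthost_name`. `with_items: '{{ nginx_virthosts | default([]) }}'` skips cleanly.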
|
||||||
|
|
|
@ -0,0 +1,7 @@
|
||||||
|
---
|
||||||
|
- name: Install the nginx web server
|
||||||
|
yum: pkg={{ item }} state={{ nginx_package_state }}
|
||||||
|
with_items:
|
||||||
|
- nginx
|
||||||
|
tags: nginx
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
- name: Install pam service for nginx
|
||||||
|
copy: src=nginx.pam dest=/etc/pam.d/{{ nginx_pam_svc_name }}
|
||||||
|
notify: Reload nginx
|
||||||
|
when: nginx_use_ldap_pam_auth
|
||||||
|
tags:
|
||||||
|
- nginx
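Review bot: The PAM service file is copied without `owner`, `group` or `mode`, so its permissions depend on the umask of the run; for a file that defines how logins are checked these should be explicit, `owner=root group=root mode=0644`. In the part of the commit visible here no task installs the LDAP client configuration template that accompanies it, so enabling `nginx_use_ldap_pam_auth` may leave `pam_ldap.so` without its settings.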
|
||||||
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
# The distinguished name of the search base.
|
||||||
|
base {{ nginx_ldap_base_dn }}
|
||||||
|
|
||||||
|
# Another way to specify your LDAP server is to provide an
|
||||||
|
uri {{ nginx_ldap_uri }}
|
||||||
|
if {% nginx_ldap_login_attribute is defined %}
|
||||||
|
pam_login_attribute {{ nginx_ldap_login_attribute }}
|
||||||
|
{% endif %}
|
||||||
|
if {% nginx_ldap_pam_groupdn is defined %}
|
||||||
|
pam_groupdn
|
||||||
|
{% endif %}
|
||||||
|
# The LDAP version to use (defaults to 3
|
||||||
|
# if supported by client library)
|
||||||
|
ldap_version 3
|
||||||
|
|
||||||
|
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
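Review bot: Both conditionals are malformed: `if {% nginx_ldap_login_attribute is defined %}` should be `{% if nginx_ldap_login_attribute is defined %}`, and the same applies to the `nginx_ldap_pam_groupdn` line, otherwise the template does not render. `pam_groupdn` is also emitted with no value, so the group restriction would never take effect; it should be `pam_groupdn {{ nginx_ldap_pam_groupdn }}`. The default `nginx_ldap_uri` uses `ldap://`, which sends bind credentials in clear text unless StartTLS is configured, so an `ldaps://` URI or an `ssl start_tls` line is worth adding.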
|
|
@ -0,0 +1,9 @@
|
||||||
|
# Include this one inside a "server" directive listening on port 80, this way:
|
||||||
|
# include /etc/nginx/snippets/letsencrypt-proxy.conf;
|
||||||
|
location ^~ /.well-known/acme-challenge {
|
||||||
|
proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port | default('4402') }}/.well-known/acme-challenge;
|
||||||
|
access_log /var/log/nginx/letsencrypt_acmetool_access.log;
|
||||||
|
error_log /var/log/nginx/letsencrypt_acmetool_error.log;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
# include inside a 'server' directive
|
||||||
|
#
|
||||||
|
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
|
||||||
|
expires {{ nginx_html_cache_expire }};
|
||||||
|
}
|
||||||
|
|
||||||
|
{% if nginx_feed_cache_expire_enabled %}
|
||||||
|
#
|
||||||
|
location ~* \.(?:rss|atom)$ {
|
||||||
|
expires {{ nginx_feed_cache_expire }};
|
||||||
|
add_header Cache-Control "{{ nginx_cache_control }}";
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
#
|
||||||
|
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
|
||||||
|
expires {{ nginx_media_cache_expire }};
|
||||||
|
access_log off;
|
||||||
|
add_header Cache-Control "{{ nginx_cache_control }}";
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
location ~* \.(?:css|js)$ {
|
||||||
|
expires {{ nginx_css_js_cache_expire }};
|
||||||
|
access_log off;
|
||||||
|
add_header Cache-Control "{{ nginx_cache_control }}";
|
||||||
|
}
|
|
@ -0,0 +1,6 @@
|
||||||
|
gzip_vary {{ nginx_gzip_vary }};
|
||||||
|
gzip_proxied {{ nginx_gzip_proxied }};
|
||||||
|
gzip_comp_level {{ nginx_gzip_comp_level }};
|
||||||
|
gzip_buffers {{ nginx_gzip_buffers }};
|
||||||
|
gzip_http_version {{ nginx_gzip_http_version }};
|
||||||
|
gzip_types {{ nginx_gzip_types }};
|
|
@ -0,0 +1,60 @@
|
||||||
|
{% if nginx_cors_extended_rules %}
|
||||||
|
if ($request_method = 'OPTIONS') {
|
||||||
|
{% if nginx_cors_limit_origin %}
|
||||||
|
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
||||||
|
add_header 'Access-Control-Allow-Credentials' 'true';
|
||||||
|
{% else %}
|
||||||
|
add_header 'Access-Control-Allow-Origin' '*';
|
||||||
|
{% endif %}
|
||||||
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||||
|
#
|
||||||
|
# Custom headers and headers various browsers *should* be OK with but aren't
|
||||||
|
#
|
||||||
|
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
||||||
|
#
|
||||||
|
# Tell client that this pre-flight info is valid for 20 days
|
||||||
|
#
|
||||||
|
add_header 'Access-Control-Max-Age' 1728000;
|
||||||
|
add_header 'Content-Type' 'text/plain charset=UTF-8';
|
||||||
|
add_header 'Content-Length' 0;
|
||||||
|
return 204;
|
||||||
|
}
|
||||||
|
if ($request_method = 'POST') {
|
||||||
|
{% if nginx_cors_limit_origin %}
|
||||||
|
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
||||||
|
add_header 'Access-Control-Allow-Credentials' 'true';
|
||||||
|
{% else %}
|
||||||
|
add_header 'Access-Control-Allow-Origin' '*';
|
||||||
|
{% endif %}
|
||||||
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||||
|
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
||||||
|
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
||||||
|
}
|
||||||
|
if ($request_method = 'GET') {
|
||||||
|
{% if nginx_cors_limit_origin %}
|
||||||
|
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
||||||
|
add_header 'Access-Control-Allow-Credentials' 'true';
|
||||||
|
{% else %}
|
||||||
|
add_header 'Access-Control-Allow-Origin' '*';
|
||||||
|
{% endif %}
|
||||||
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||||
|
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
||||||
|
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
|
||||||
|
}
|
||||||
|
{% else %}
|
||||||
|
{% if nginx_cors_limit_origin %}
|
||||||
|
add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin | default("$http_origin") }}';
|
||||||
|
add_header 'Access-Control-Allow-Credentials' 'true';
|
||||||
|
{% else %}
|
||||||
|
add_header 'Access-Control-Allow-Origin' '*';
|
||||||
|
{% endif %}
|
||||||
|
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||||
|
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Mx-ReqToken,X-Requested-With';
|
||||||
|
{% if nginx_cors_limit_origin %}
|
||||||
|
}
|
||||||
|
if ($request_method = 'OPTIONS') {
|
||||||
|
return 204;
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
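Review bot: With `nginx_cors_limit_origin` enabled and `nginx_cors_acl_origin` unset, `'{{ nginx_cors_acl_origin | default("$http_origin") }}'` echoes whatever Origin the client sent and pairs it with `Access-Control-Allow-Credentials: true`. The "limited" mode is therefore more permissive than the `*` branch, which browsers refuse to combine with credentials. The same pattern repeats in the OPTIONS, POST, GET and non-extended branches. I would drop the default so the variable must be set explicitly, `add_header 'Access-Control-Allow-Origin' '{{ nginx_cors_acl_origin }}';`, or resolve the value through a `map $http_origin ...` allow-list and send `Vary: Origin` with it. Separately, the non-extended branch emits a bare `}` under its second `{% if nginx_cors_limit_origin %}` with no opening brace visible in this template, which looks like it renders unbalanced nginx config.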
|
@ -0,0 +1,25 @@
|
||||||
|
# Proxy stuff
|
||||||
|
# include /etc/nginx/snippets/nginx-proxy-params.conf;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
{% if haproxy_ips is defined %}
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Host $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Server $host;
|
||||||
|
{% else %}
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
{% if nginx_define_x_real_ip %}
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_buffering {{ nginx_proxy_buffering }};
|
||||||
|
proxy_buffer_size {{ nginx_proxy_buffer_size }};
|
||||||
|
proxy_buffers {{ nginx_proxy_buffers }};
|
||||||
|
proxy_busy_buffers_size {{ nginx_proxy_busy_buffers_size }};
|
||||||
|
proxy_temp_file_write_size {{ nginx_proxy_temp_file_write_size }};
|
||||||
|
proxy_redirect {{ nginx_proxy_redirect }};
|
||||||
|
proxy_connect_timeout {{ nginx_proxy_connect_timeout }};
|
||||||
|
proxy_read_timeout {{ nginx_proxy_read_timeout }};
|
||||||
|
proxy_send_timeout {{ nginx_proxy_send_timeout }};
|
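Review bot: In the `haproxy_ips` branch, `proxy_set_header X-Forwarded-Host $remote_addr;` puts the peer address into a header that backends read as the originally requested host name; it should carry the host, e.g. `proxy_set_header X-Forwarded-Host $host;`. The same branch forwards `Host $http_host`, the raw client-supplied header, while the other branch uses the normalised `$host`. Unless the backend needs the port from the original header, using `$host` in both branches avoids handing unvalidated Host input to a backend that may build links or redirects from it.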
|
@ -0,0 +1,24 @@
|
||||||
|
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
|
||||||
|
ssl_certificate {{ letsencrypt_acme_certs_dir }}/fullchain;
|
||||||
|
ssl_certificate_key {{ letsencrypt_acme_certs_dir }}/privkey;
|
||||||
|
{% else %}
|
||||||
|
ssl_certificate {{ nginx_ssl_cert_file | default('/etc/nginx/ssl/server.crt') }};
|
||||||
|
ssl_certificate_key {{ nginx_ssl_cert_key | default ('/etc/nginx/ssl/server.key') }};
|
||||||
|
{% endif %}
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_timeout 10m;
|
||||||
|
{% if nginx_ssl_level == 'intermediate' %}
|
||||||
|
ssl_dhparam {{ pki_dir }}/nginx/dhparams.pem;
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||||
|
{% endif %}
|
||||||
|
{% if nginx_ssl_level == 'modern' %}
|
||||||
|
ssl_session_tickets off;
|
||||||
|
# modern configuration. tweak to your needs.
|
||||||
|
ssl_protocols TLSv1.2;
|
||||||
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||||
|
{% endif %}
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
add_header Strict-Transport-Security max-age=15768000;
|
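Review bot: The `intermediate` profile still enables `TLSv1 TLSv1.1` and keeps `DES-CBC3-SHA` (3DES) and static-RSA suites in `ssl_ciphers`. TLS 1.0/1.1 are deprecated by RFC 8996 and 64-bit-block 3DES is exposed to Sweet32-style collisions, so I would narrow it to `ssl_protocols TLSv1.2;` (plus `TLSv1.3` where the nginx/OpenSSL build supports it) and drop the `*-DES-CBC3-SHA` entries. If `nginx_ssl_level` is anything other than `intermediate` or `modern`, neither block renders and the server falls back to the build's default protocols and ciphers; an `{% else %}` that applies the strict profile would make that case explicit. `add_header Strict-Transport-Security max-age=15768000;` is only attached to a subset of response codes, and appending `always` covers error responses as well.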
|
@ -0,0 +1,184 @@
|
||||||
|
server {
|
||||||
|
listen {{ item.http_port | default (80) }};
|
||||||
|
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
||||||
|
{% if letsencrypt_acme_install %}
|
||||||
|
include /etc/nginx/snippets/letsencrypt-proxy.conf;
|
||||||
|
{% endif %}
|
||||||
|
{% if item.access_log is defined %}
|
||||||
|
access_log {{ item.access_log }};
|
||||||
|
{% else %}
|
||||||
|
access_log /var/log/nginx/{{ item.server_name }}_access.log;
|
||||||
|
{% endif %}
|
||||||
|
{% if item.error_log is defined %}
|
||||||
|
error_log {{ item.error_log }};
|
||||||
|
{% else %}
|
||||||
|
error_log /var/log/nginx/{{ item.server_name }}_error.log;
|
||||||
|
{% endif %}
|
||||||
|
server_tokens {{ item.server_tokens | default('off') }};
|
||||||
|
{% if item.ssl_enabled and item.ssl_only %}
|
||||||
|
location / {
|
||||||
|
return 301 https://{{ item.server_name }}$request_uri;
|
||||||
|
}
|
||||||
|
{% else %}
|
||||||
|
# This is the default for nginx on Ubuntu 14.04
|
||||||
|
root {{ item.root | default('/usr/share/nginx/html/') }};
|
||||||
|
index {{ item.index | default('index.html index.htm') }};
|
||||||
|
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
|
||||||
|
location = /50x.html {
|
||||||
|
root /usr/share/nginx/html;
|
||||||
|
}
|
||||||
|
location = /favicon.ico {
|
||||||
|
log_not_found off;
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
location = /robots.txt {
|
||||||
|
allow all;
|
||||||
|
log_not_found off;
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
{% if haproxy_ips is defined %}
|
||||||
|
# We are behind haproxy
|
||||||
|
{% for ip in haproxy_ips %}
|
||||||
|
set_real_ip_from {{ ip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header X-Forwarded-For;
|
||||||
|
{% endif %}
|
||||||
|
{% if item.max_body is defined %}
|
||||||
|
client_max_body_size {{ item.max_body }};
|
||||||
|
{% else %}
|
||||||
|
client_max_body_size {{ nginx_client_max_body_size }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.body_timeout is defined %}
|
||||||
|
client_body_timeout {{ item.body_timeout }};
|
||||||
|
{% else %}
|
||||||
|
client_body_timeout {{ nginx_client_body_timeout }};
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if item.additional_options is defined %}
|
||||||
|
{% for add_opt in item.additional_options %}
|
||||||
|
|
||||||
|
{{ add_opt }};
|
||||||
|
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% if item.websockets is defined and item.websockets %}
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
{% endif %}
|
||||||
|
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
|
||||||
|
# Proxy stuff
|
||||||
|
include /etc/nginx/snippets/nginx-proxy-params.conf;
|
||||||
|
{% if item.proxy_additional_options is defined %}
|
||||||
|
{% for popt in item.proxy_additional_options %}
|
||||||
|
{{ popt }};
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% if item.locations is defined %}
|
||||||
|
{% for location in item.locations %}
|
||||||
|
location {{ location.location }} {
|
||||||
|
{% if location.target is defined %}
|
||||||
|
proxy_pass {{ location.target }};
|
||||||
|
{% endif %}
|
||||||
|
{% if location.extra_conf is defined %}
|
||||||
|
{{ location.extra_conf }}
|
||||||
|
{% endif %}
|
||||||
|
{% if location.other_opts is defined %}
|
||||||
|
{% for opt in location.other_opts %}
|
||||||
|
{{ opt }};
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
{% if item.extra_parameters is defined %}
|
||||||
|
{{ item.extra_parameters }}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
{% if item.ssl_enabled %}
|
||||||
|
server {
|
||||||
|
listen {{ https_port | default(443) }} {{ nginx_ssl_type }};
|
||||||
|
server_name {{ item.server_name }} {% if item.serveraliases is defined %}{{ item.serveraliases }}{% endif %};
|
||||||
|
{% if item.access_log is defined %}
|
||||||
|
access_log {{ item.access_log }};
|
||||||
|
{% else %}
|
||||||
|
access_log /var/log/nginx/{{ item.server_name }}_ssl_access.log;
|
||||||
|
{% endif %}
|
||||||
|
{% if item.error_log is defined %}
|
||||||
|
error_log {{ item.error_log }};
|
||||||
|
{% else %}
|
||||||
|
error_log /var/log/nginx/{{ item.server_name }}_ssl_error.log;
|
||||||
|
{% endif %}
|
||||||
|
root {{ item.root | default('/usr/share/nginx/html/') }};
|
||||||
|
index {{ item.index | default('index.html index.htm') }};
|
||||||
|
error_page 500 502 503 504 {{ item.error_page | default('/50x.html') }};
|
||||||
|
location = /50x.html {
|
||||||
|
root /usr/share/nginx/html;
|
||||||
|
}
|
||||||
|
location = /favicon.ico {
|
||||||
|
log_not_found off;
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
location = /robots.txt {
|
||||||
|
allow all;
|
||||||
|
log_not_found off;
|
||||||
|
access_log off;
|
||||||
|
}
|
||||||
|
{% if haproxy_ips is defined %}
|
||||||
|
# We are behind haproxy
|
||||||
|
{% for ip in haproxy_ips %}
|
||||||
|
set_real_ip_from {{ ip }};
|
||||||
|
{% endfor %}
|
||||||
|
real_ip_header X-Forwarded-For;
|
||||||
|
{% endif %}
|
||||||
|
{% if item.max_body is defined %}
|
||||||
|
client_max_body_size {{ item.max_body }};
|
||||||
|
{% else %}
|
||||||
|
client_max_body_size {{ nginx_client_max_body_size }};
|
||||||
|
{% endif %}
|
||||||
|
{% if item.body_timeout is defined %}
|
||||||
|
client_body_timeout {{ item.body_timeout }};
|
||||||
|
{% else %}
|
||||||
|
client_body_timeout {{ nginx_client_body_timeout }};
|
||||||
|
{% endif %}
|
||||||
|
server_tokens {{ item.server_tokens | default('off') }};
|
||||||
|
|
||||||
|
include /etc/nginx/snippets/nginx-server-ssl.conf;
|
||||||
|
|
||||||
|
{% if item.websockets is defined and item.websockets %}
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade;
|
||||||
|
{% endif %}
|
||||||
|
{% if item.proxy_standard_setup is defined and item.proxy_standard_setup %}
|
||||||
|
# Proxy stuff
|
||||||
|
include /etc/nginx/snippets/nginx-proxy-params.conf;
|
||||||
|
{% if item.proxy_additional_options is defined %}
|
||||||
|
{% for popt in item.proxy_additional_options %}
|
||||||
|
{{ popt }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% if item.locations is defined %}
|
||||||
|
{% for location in item.locations %}
|
||||||
|
location {{ location.location }} {
|
||||||
|
{% if location.target is defined %}
|
||||||
|
proxy_pass {{ location.target }};
|
||||||
|
{% endif %}
|
||||||
|
{% if location.other_opts is defined %}
|
||||||
|
{% for opt in location.other_opts %}
|
||||||
|
{{ opt }};
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
{% if item.extra_parameters is defined %}
|
||||||
|
{{ item.extra_parameters }}
|
||||||
|
{% endif %}
|
||||||
|
}
|
||||||
|
|
||||||
|
{% endif %}
|
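Review bot: The TLS `server` block does not mirror the port-80 block. It omits the `item.additional_options` loop, and its location loop lacks the `{% if location.extra_conf is defined %}` section, so any per-location directives supplied there (which may include access restrictions) would apply on port 80 only. It also renders `{{ popt }}` without the trailing `;` that the HTTP block adds, so one `proxy_additional_options` list cannot be valid in both blocks; I would make it `{{ popt }};` and copy the two missing sections into the TLS block. `item.extra_parameters`, `location.extra_conf` and the option lists are written into the config verbatim, so a comment at the top of the template should state that these variables must come from trusted inventory only.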
|
@ -0,0 +1,4 @@
|
||||||
|
map $http_upgrade $connection_upgrade {
|
||||||
|
default upgrade;
|
||||||
|
'' close;
|
||||||
|
}
|
|
@ -0,0 +1,102 @@
|
||||||
|
# For more information on configuration, see:
|
||||||
|
# * Official English Documentation: http://nginx.org/en/docs/
|
||||||
|
# * Official Russian Documentation: http://nginx.org/ru/docs/
|
||||||
|
|
||||||
|
user nginx;
|
||||||
|
worker_processes auto;
|
||||||
|
error_log /var/log/nginx/error.log;
|
||||||
|
pid /run/nginx.pid;
|
||||||
|
|
||||||
|
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
|
||||||
|
include /usr/share/nginx/modules/*.conf;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections {{ nginx_worker_connections }};
|
||||||
|
multi_accept {{ nginx_multi_accept }};
|
||||||
|
}
|
||||||
|
worker_rlimit_nofile {{ nginx_worker_rlimit_nofile }};
|
||||||
|
|
||||||
|
http {
|
||||||
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||||
|
'$status $body_bytes_sent "$http_referer" '
|
||||||
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log main;
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
server_tokens {{ nginx_server_tokens }};
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
large_client_header_buffers {{ nginx_large_client_header_buffers }};
|
||||||
|
|
||||||
|
{% if nginx_enable_compression %}
|
||||||
|
include /etc/nginx/snippets/nginx-compression.conf;
|
||||||
|
{% endif %}
|
||||||
|
{% if nginx_websockets_support %}
|
||||||
|
include /etc/nginx/snippets/nginx-websockets.conf;
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
# Load modular configuration files from the /etc/nginx/conf.d directory.
|
||||||
|
# See http://nginx.org/en/docs/ngx_core_module.html#include
|
||||||
|
# for more information.
|
||||||
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
|
# server {
|
||||||
|
# listen 80 default_server;
|
||||||
|
# listen [::]:80 default_server;
|
||||||
|
# server_name _;
|
||||||
|
# root /usr/share/nginx/html;
|
||||||
|
|
||||||
|
# # Load configuration files for the default server block.
|
||||||
|
# include /etc/nginx/default.d/*.conf;
|
||||||
|
|
||||||
|
# location / {
|
||||||
|
# }
|
||||||
|
|
||||||
|
# error_page 404 /404.html;
|
||||||
|
# location = /40x.html {
|
||||||
|
# }
|
||||||
|
|
||||||
|
# error_page 500 502 503 504 /50x.html;
|
||||||
|
# location = /50x.html {
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
# Settings for a TLS enabled server.
|
||||||
|
#
|
||||||
|
# server {
|
||||||
|
# listen 443 ssl http2 default_server;
|
||||||
|
# listen [::]:443 ssl http2 default_server;
|
||||||
|
# server_name _;
|
||||||
|
# root /usr/share/nginx/html;
|
||||||
|
#
|
||||||
|
# ssl_certificate "/etc/pki/nginx/server.crt";
|
||||||
|
# ssl_certificate_key "/etc/pki/nginx/private/server.key";
|
||||||
|
# ssl_session_cache shared:SSL:1m;
|
||||||
|
# ssl_session_timeout 10m;
|
||||||
|
# ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
# ssl_prefer_server_ciphers on;
|
||||||
|
#
|
||||||
|
# # Load configuration files for the default server block.
|
||||||
|
# include /etc/nginx/default.d/*.conf;
|
||||||
|
#
|
||||||
|
# location / {
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# error_page 404 /404.html;
|
||||||
|
# location = /40x.html {
|
||||||
|
# }
|
||||||
|
#
|
||||||
|
# error_page 500 502 503 504 /50x.html;
|
||||||
|
# location = /50x.html {
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
openjdk_install: False
|
||||||
|
openjdk_default: 7
|
||||||
|
openjdk_default_version: '1.{{ openjdk_default }}.0'
|
||||||
|
openjdk_pkg_state: latest
|
||||||
|
openjdk_version:
|
||||||
|
- '{{ openjdk_default_version }}'
|
||||||
|
|
||||||
|
jdk_java_home: '/usr/lib/jvm/java-{{ openjdk_default_version }}-openjdk'
|
||||||
|
|
||||||
|
# -devel is needed if we want javac.
|
||||||
|
openjdk_pkgs:
|
||||||
|
- openjdk-headless
|
||||||
|
- openjdk-devel
|
||||||
|
|
||||||
|
openjdk_commands:
|
||||||
|
- java
|
||||||
|
- javac
|