
Update to 2021-03-08 16:00

master
Daniel Berteaud 3 months ago
parent
commit
8e89323abb
  1. 1
      ansible.cfg
  2. 4
      roles/crowdsec/defaults/main.yml
  3. 1
      roles/crowdsec/meta/main.yml
  4. 2
      roles/crowdsec/tasks/conf.yml
  5. 7
      roles/crowdsec/tasks/install.yml
  6. 3
      roles/crowdsec_firewall_bouncer/vars/Debian.yml
  7. 3
      roles/crowdsec_firewall_bouncer/vars/RedHat.yml
  8. 18
      roles/g2cs/files/g2cs.pl
  9. 1
      roles/g2cs/templates/g2cs.service.j2
  10. 1
      roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2
  11. 2
      roles/lemonldap_ng/defaults/main.yml
  12. 2
      roles/miniflux/tasks/conf.yml
  13. 2
      roles/miniflux/templates/miniflux.conf.j2
  14. 1
      roles/nginx/templates/nginx.conf.j2
  15. 3
      roles/squid/files/acl/software_various.domains
  16. 1
      roles/squid/files/acl/software_windows.domains

1
ansible.cfg

@ -4,6 +4,7 @@ private_key_file = ssh/id_rsa
ansible_managed = Managed by ansible, manual modifications will be lost
ask_vault_pass = True
remote_tmp = /tmp/.ansible-${USER}/tmp
timeout = 30
[privilege_escalation]
become=True

4
roles/crowdsec/defaults/main.yml

@ -1,11 +1,11 @@
---
# Version to install
cs_version: 1.0.8
cs_version: 1.0.9
# URL of the archive
cs_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{ cs_version }}/crowdsec-release.tgz
# Expected sha1 of the archive
cs_archive_sha1: 060782df0b6a8a799c1c0e6efc874b26ca9988e6
cs_archive_sha1: 708ccb239680aab59f121f24452a4351f828ebf4
# Crowdsec usually should run as root to be able to access all your logs
# but in some situations, when all your logs are readable by a less privileged user, you can run

1
roles/crowdsec/meta/main.yml

@ -1,5 +1,6 @@
---
dependencies:
- role: mkdir
- role: mysql_server
when: cs_db_server in ['localhost','127.0.0.1']

2
roles/crowdsec/tasks/conf.yml

@ -72,7 +72,7 @@
tags: cs
- name: Upgrade parsers
command: csscli parsers upgrade {{ item }}
command: cscli parsers upgrade {{ item }}
loop: "{{ cs_parsers }}"
when: cs_install_mode == 'upgrade'
notify: reload crowdsec
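Review bot: The corrected `command: cscli parsers upgrade {{ item }}` task will report `changed` on every run, because the `command` module cannot tell whether cscli actually changed anything, so `notify: reload crowdsec` fires each time the play runs in upgrade mode. If cscli's output distinguishes "already up to date" from a real upgrade, `register: cs_parsers_upgrade` plus a `changed_when:` keyed on that output would keep the reload handler from running needlessly; otherwise a short comment noting that the reload is intentional on every upgrade run would help. The task list this belongs to starts before the hunk.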

7
roles/crowdsec/tasks/install.yml

@ -1,5 +1,12 @@
---
- name: Install needed tools
package:
name:
- tar
- zstd
tags: cs
- when: cs_install_mode != 'none'
block:
- name: Download crowdsec
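Review bot: The new `Install needed tools` task (tar, zstd) has no `when:` guard, while the block that follows is skipped with `when: cs_install_mode != 'none'`, so hosts configured with `cs_install_mode: none` still get the packages installed. If that is not intended, add `when: cs_install_mode != 'none'` to the package task (or move it inside the block); if it is, a one-line comment such as `# Always installed: needed to unpack an archive even when installation is skipped` would document the asymmetry. The block's end and its tags are outside the hunk, so I cannot see whether it carries the same `tags: cs` as the new task.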

3
roles/crowdsec_firewall_bouncer/vars/Debian.yml

@ -0,0 +1,3 @@
---
cs_iptables_service: netfilter-persistent

3
roles/crowdsec_firewall_bouncer/vars/RedHat.yml

@ -0,0 +1,3 @@
---
cs_iptables_service: iptables

18
roles/g2cs/files/g2cs.pl

@ -30,6 +30,18 @@ if (not -d $logdir){
# Remove trailing / of the logdir, it's not nice in the logs when you have double /
$logdir =~ s/\/$//;
# Create files so crowdsec can open them before any lines are written
foreach my $dir (qw(nginx httpd zimbra)){
if (not -d $logdir . '/' . $dir){
make_path($logdir . '/' . $dir)
}
}
foreach my $file (qw(syslog.log nginx/access.log nginx/error.log httpd/access.log httpd/error.log zimbra/mailbox.log)){
open(FILE, '>', $logdir . '/' . $file);
print FILE '';
close FILE;
}
# List of syslog_identifier we're not intersted in
my @ignored_syslog_id = qw(
c-icap
@ -158,12 +170,6 @@ while (1) {
$msg .= ': ' . $fields->{msg};
}
# Create the log sub dir if needed
my $dir = dirname($logfile);
if (not -d $dir){
make_path($dir);
}
defined $loghandles->{$logfile} or open($loghandles->{$logfile}, ">>", $logfile);
# Truncate the file so it's not growing too large
# Crowdsec will read it in nearly real time anyway
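Review bot: In the first hunk, `open(FILE, '>', $logdir . '/' . $file);` truncates any existing log on every daemon start and its result is never checked, so a permission or path error leaves the file missing while the script carries on, and crowdsec then has nothing to watch with no error logged. The comment says the intent is only to create the files, and the later `open($loghandles->{$logfile}, ">>", $logfile)` appends, so use a lexical handle in append mode and fail loudly: `my $path = $logdir . '/' . $file;` / `open(my $fh, '>>', $path) or die "open $path: $!";` / `close($fh) or die "close $path: $!";` — the `print FILE '';` is a no-op and can be dropped. Both hunks are top-level script code, not inside a sub. The second hunk removes the per-message `dirname`/`make_path` step; if `$logfile` (assigned outside the hunk) can ever point below a directory other than nginx, httpd or zimbra, that removed call was the only thing creating it, so the startup loop and the log-file mapping should be kept in sync.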

1
roles/g2cs/templates/g2cs.service.j2

@ -1,6 +1,7 @@
[Unit]
Description=Graylog to Crowdsec syslog daemon
After=syslog.target
Before=crowdsec.service
[Service]
Type=simple

1
roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2

@ -34,6 +34,7 @@ php_admin_value[error_log] = syslog
php_admin_value[memory_limit] = {{ conf.memory_limit | default('128M') }}
php_admin_value[session.save_path] = {{ conf.session_save_path | default('/var/lib/php/session') }}
php_admin_value[upload_tmp_dir] = {{ conf.tmp_dir | default('/tmp') }}
php_admin_value[sys_temp_dir] = {{ conf.tmp_dir | default('/tmp') }}
php_admin_value[post_max_size] = {{ conf.post_max_size | default('5M') }}
php_admin_value[upload_max_filesize] = {{ conf.upload_max_filesize | default('5M') }}
php_admin_value[disable_functions] = {{ conf.disable_functions | default([ 'system', 'show_source', 'symlink', 'exec', 'dl', 'shell_exec', 'passthru', 'phpinfo', 'escapeshellarg', 'escapeshellcmd' ]) | difference(conf.enable_functions | default([]) ) | join(', ') }}

2
roles/lemonldap_ng/defaults/main.yml

@ -63,4 +63,4 @@ llng_handler_db_user: lemonldapnghandler
# llng_handler_db_pass
# Number of llng-fastcgi-server workers. The upstream default is 7 which is often too much
llng_fcgi_workers: 5
llng_fcgi_workers: 6

2
roles/miniflux/tasks/conf.yml

@ -2,4 +2,6 @@
- name: Deploy configuration
template: src=miniflux.conf.j2 dest={{ miniflux_root_dir }}/etc/miniflux.conf group={{ miniflux_user }} mode=640
notify:
- restart miniflux
tags: miniflux

2
roles/miniflux/templates/miniflux.conf.j2

@ -10,7 +10,7 @@ PROXY_IMAGES=all
{% if miniflux_oidc %}
OAUTH2_PROVIDER=oidc
OAUTH2_CLIENT_ID={{ miniflux_oidc_id | quote }}
OAUTH2_CLIENT_SECRET={{ minifluxçoidc_secret | quote }}
OAUTH2_CLIENT_SECRET={{ miniflux_oidc_secret | quote }}
OAUTH2_REDIRECT_URL={{ miniflux_oidc_callback_url }}
OAUTH2_OIDC_DISCOVERY_ENDPOINT={{ miniflux_oidc_disco_url }}
OAUTH2_USER_CREATION=1

1
roles/nginx/templates/nginx.conf.j2

@ -1,7 +1,6 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
error_log syslog:server=unix:/dev/log,nohostname;
pid /run/nginx.pid;
{% if nginx_openresty %}

3
roles/squid/files/acl/software_various.domains

@ -343,3 +343,6 @@ www.cloudflare.com
# Metabase
static.metabase.com
downloads.metabase.com
# Zimbra / Zextras
go.zextras.com

1
roles/squid/files/acl/software_windows.domains

@ -20,6 +20,7 @@ go.microsoft.com
dl.delivery.mp.microsoft.com
dmd.metaservices.microsoft.com
activation-v2.sls.microsoft.com
download.visualstudio.microsoft.com
# comon CRL / OCSP
crl.microsoft.com
