diff --git a/ansible.cfg b/ansible.cfg
index b0c85de..5fdbbb5 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -4,6 +4,7 @@ private_key_file = ssh/id_rsa
 ansible_managed = Managed by ansible, manual modifications will be lost
 ask_vault_pass = True
 remote_tmp = /tmp/.ansible-${USER}/tmp
+timeout = 30
 [privilege_escalation]
 become=True
diff --git a/roles/crowdsec/defaults/main.yml b/roles/crowdsec/defaults/main.yml
index 0ddbc46..4364449 100644
--- a/roles/crowdsec/defaults/main.yml
+++ b/roles/crowdsec/defaults/main.yml
@@ -1,11 +1,11 @@
 ---
 # Version to install
-cs_version: 1.0.8
+cs_version: 1.0.9
 # URL of the archive
 cs_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{ cs_version }}/crowdsec-release.tgz
 # Expected sha1 of the archive
-cs_archive_sha1: 060782df0b6a8a799c1c0e6efc874b26ca9988e6
+cs_archive_sha1: 708ccb239680aab59f121f24452a4351f828ebf4
 # Crowdsec usually should run as root to be able to access all your logs
 # but in some situations, when all your logs are readable by a less privileged user, you can run
diff --git a/roles/crowdsec/meta/main.yml b/roles/crowdsec/meta/main.yml
index 9e7d40e..e397f4e 100644
--- a/roles/crowdsec/meta/main.yml
+++ b/roles/crowdsec/meta/main.yml
@@ -1,5 +1,6 @@
 ---
 dependencies:
+ - role: mkdir
 - role: mysql_server
 when: cs_db_server in ['localhost','127.0.0.1']
diff --git a/roles/crowdsec/tasks/conf.yml b/roles/crowdsec/tasks/conf.yml
index c87fadb..465719a 100644
--- a/roles/crowdsec/tasks/conf.yml
+++ b/roles/crowdsec/tasks/conf.yml
@@ -72,7 +72,7 @@
 tags: cs
 - name: Upgrade parsers
- command: csscli parsers upgrade {{ item }}
+ command: cscli parsers upgrade {{ item }}
 loop: "{{ cs_parsers }}"
 when: cs_install_mode == 'upgrade'
 notify: reload crowdsec
diff --git a/roles/crowdsec/tasks/install.yml b/roles/crowdsec/tasks/install.yml
index fb2063f..6e2bb6f 100644
--- a/roles/crowdsec/tasks/install.yml
+++ b/roles/crowdsec/tasks/install.yml
@@ -1,5 +1,12 @@
 ---
+- name: Install needed tools
+ package:
+ name:
+ - tar
+ - zstd
+ tags: cs
+
 - when: cs_install_mode != 'none'
 block:
 - name: Download crowdsec
diff --git a/roles/crowdsec_firewall_bouncer/vars/Debian.yml b/roles/crowdsec_firewall_bouncer/vars/Debian.yml
new file mode 100644
index 0000000..c77c3eb
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/vars/Debian.yml
@@ -0,0 +1,3 @@
+---
+
+cs_iptables_service: netfilter-persistent
diff --git a/roles/crowdsec_firewall_bouncer/vars/RedHat.yml b/roles/crowdsec_firewall_bouncer/vars/RedHat.yml
new file mode 100644
index 0000000..3201c17
--- /dev/null
+++ b/roles/crowdsec_firewall_bouncer/vars/RedHat.yml
@@ -0,0 +1,3 @@
+---
+
+cs_iptables_service: iptables
diff --git a/roles/g2cs/files/g2cs.pl b/roles/g2cs/files/g2cs.pl
index 20a1cad..46d4ab6 100644
--- a/roles/g2cs/files/g2cs.pl
+++ b/roles/g2cs/files/g2cs.pl
@@ -30,6 +30,18 @@ if (not -d $logdir){
 # Remove trailing / of the logdir, it's not nice in the logs when you have double /
 $logdir =~ s/\/$//;
+# Create files so crowdsec can open them before any lines are written
+foreach my $dir (qw(nginx httpd zimbra)){
+ if (not -d $logdir . '/' . $dir){
+ make_path($logdir . '/' . $dir)
+ }
+}
+foreach my $file (qw(syslog.log nginx/access.log nginx/error.log httpd/access.log httpd/error.log zimbra/mailbox.log)){
+ open(FILE, '>', $logdir . '/' . $file);
+ print FILE '';
+ close FILE;
+}
+
 # List of syslog_identifier we're not intersted in
 my @ignored_syslog_id = qw(
 c-icap
@@ -158,12 +170,6 @@ while (1) {
 $msg .= ': ' . $fields->{msg};
 }
- # Create the log sub dir if needed
- my $dir = dirname($logfile);
- if (not -d $dir){
- make_path($dir);
- }
-
 defined $loghandles->{$logfile} or open($loghandles->{$logfile}, ">>", $logfile);
 # Truncate the file so it's not growing too large
 # Crowdsec will read it in nearly real time anyway
diff --git a/roles/g2cs/templates/g2cs.service.j2 b/roles/g2cs/templates/g2cs.service.j2
index f102b8a..21fc99b 100644
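Review bot: The new `Install needed tools` task runs unconditionally, while the block that follows it is guarded by `when: cs_install_mode != 'none'`; if tar and zstd are only needed to unpack the archive, a host set to `none` still gets them installed. If that is not intended, give the task the same guard, `when: cs_install_mode != 'none'`. The `package` module defaults to `state: present`, so the omission there is harmless, though spelling it out (`state: present`) makes the intent explicit. The block's body continues past the end of the hunk.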
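Review bot: The pre-creation loop opens each log with `'>'`, which truncates an existing file on every daemon start, and the `open` is unchecked, so an unwritable `$logdir` fails silently and crowdsec later finds nothing to tail. Since the goal stated in the comment is only that the file exists before crowdsec opens it, append mode with a lexical handle and an error check keeps any lines crowdsec has not consumed yet and surfaces permission errors: `my $path = $logdir . '/' . $file; open(my $fh, '>>', $path) or die "Cannot open $path: $!"; close($fh) or die "Cannot close $path: $!";` — the `print FILE ''` line then becomes unnecessary, and the bareword `FILE` package-global handle goes away. The `make_path` call in the preceding loop is likewise unchecked; it accepts an `error => \my $err` option that lets the script report a failed directory creation instead of continuing. This also matches the `">>"` append open the daemon already uses further down. Both loops are top-level script code, not inside a sub.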
--- a/roles/g2cs/templates/g2cs.service.j2
+++ b/roles/g2cs/templates/g2cs.service.j2
@@ -1,6 +1,7 @@
 [Unit]
 Description=Graylog to Crowdsec syslog daemon
 After=syslog.target
+Before=crowdsec.service
 [Service]
 Type=simple
diff --git a/roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2 b/roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2
index ea0c9c5..36869b6 100644
--- a/roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2
+++ b/roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2
@@ -34,6 +34,7 @@ php_admin_value[error_log] = syslog
 php_admin_value[memory_limit] = {{ conf.memory_limit | default('128M') }}
 php_admin_value[session.save_path] = {{ conf.session_save_path | default('/var/lib/php/session') }}
 php_admin_value[upload_tmp_dir] = {{ conf.tmp_dir | default('/tmp') }}
+php_admin_value[sys_temp_dir] = {{ conf.tmp_dir | default('/tmp') }}
 php_admin_value[post_max_size] = {{ conf.post_max_size | default('5M') }}
 php_admin_value[upload_max_filesize] = {{ conf.upload_max_filesize | default('5M') }}
 php_admin_value[disable_functions] = {{ conf.disable_functions | default([ 'system', 'show_source', 'symlink', 'exec', 'dl', 'shell_exec', 'passthru', 'phpinfo', 'escapeshellarg', 'escapeshellcmd' ]) | difference(conf.enable_functions | default([]) ) | join(', ') }}
diff --git a/roles/lemonldap_ng/defaults/main.yml b/roles/lemonldap_ng/defaults/main.yml
index e4e8de7..c135287 100644
--- a/roles/lemonldap_ng/defaults/main.yml
+++ b/roles/lemonldap_ng/defaults/main.yml
@@ -63,4 +63,4 @@ llng_handler_db_user: lemonldapnghandler
 # llng_handler_db_pass
 # Number of llng-fastcgi-server workers. The upstream default is 7 which is often too much
-llng_fcgi_workers: 5
+llng_fcgi_workers: 6
diff --git a/roles/miniflux/tasks/conf.yml b/roles/miniflux/tasks/conf.yml
index 2c352b5..07ee158 100644
--- a/roles/miniflux/tasks/conf.yml
+++ b/roles/miniflux/tasks/conf.yml
@@ -2,4 +2,6 @@
 - name: Deploy configuration
 template: src=miniflux.conf.j2 dest={{ miniflux_root_dir }}/etc/miniflux.conf group={{ miniflux_user }} mode=640
+ notify:
+ - restart miniflux
 tags: miniflux
diff --git a/roles/miniflux/templates/miniflux.conf.j2 b/roles/miniflux/templates/miniflux.conf.j2
index fca4960..ac0a775 100644
--- a/roles/miniflux/templates/miniflux.conf.j2
+++ b/roles/miniflux/templates/miniflux.conf.j2
@@ -10,7 +10,7 @@ PROXY_IMAGES=all
 {% if miniflux_oidc %}
 OAUTH2_PROVIDER=oidc
 OAUTH2_CLIENT_ID={{ miniflux_oidc_id | quote }}
-OAUTH2_CLIENT_SECRET={{ minifluxçoidc_secret | quote }}
+OAUTH2_CLIENT_SECRET={{ miniflux_oidc_secret | quote }}
 OAUTH2_REDIRECT_URL={{ miniflux_oidc_callback_url }}
 OAUTH2_OIDC_DISCOVERY_ENDPOINT={{ miniflux_oidc_disco_url }}
 OAUTH2_USER_CREATION=1
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index bdce823..d5649ca 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -1,7 +1,6 @@
 user nginx;
 worker_processes auto;
 error_log /var/log/nginx/error.log;
-error_log syslog:server=unix:/dev/log,nohostname;
 pid /run/nginx.pid;
 {% if nginx_openresty %}
diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains
index b710a32..00adc25 100644
--- a/roles/squid/files/acl/software_various.domains
+++ b/roles/squid/files/acl/software_various.domains
@@ -343,3 +343,6 @@ www.cloudflare.com
 # Metabase
 static.metabase.com
 downloads.metabase.com
+
+# Zimbra / Zextras
+go.zextras.com
diff --git a/roles/squid/files/acl/software_windows.domains b/roles/squid/files/acl/software_windows.domains
index 61db91c..21a6dd1 100644
--- a/roles/squid/files/acl/software_windows.domains
+++ b/roles/squid/files/acl/software_windows.domains
@@ -20,6 +20,7 @@ go.microsoft.com
 dl.delivery.mp.microsoft.com
 dmd.metaservices.microsoft.com
 activation-v2.sls.microsoft.com
+download.visualstudio.microsoft.com
 # comon CRL / OCSP
 crl.microsoft.com