Update to 2021-03-08 16:00

ansible.cfg

@@ -4,6 +4,7 @@ private_key_file = ssh/id_rsa
 ansible_managed  = Managed by ansible, manual modifications will be lost
 ask_vault_pass   = True
 remote_tmp       = /tmp/.ansible-${USER}/tmp
+timeout          = 30
 
 [privilege_escalation]
 become=True

roles/crowdsec/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Version to install
-cs_version: 1.0.8
+cs_version: 1.0.9
 # URL of the archive
 cs_archive_url: https://github.com/crowdsecurity/crowdsec/releases/download/v{{ cs_version }}/crowdsec-release.tgz
 # Expected sha1 of the archive
-cs_archive_sha1: 060782df0b6a8a799c1c0e6efc874b26ca9988e6
+cs_archive_sha1: 708ccb239680aab59f121f24452a4351f828ebf4
 
 # Crowdsec usually should run as root to be able to access all your logs
 # but in some situations, when all your logs are readable by a less privileged user, you can run

roles/crowdsec/meta/main.yml

@@ -1,5 +1,6 @@
 ---
 
 dependencies:
+  - role: mkdir
   - role: mysql_server
     when: cs_db_server in ['localhost','127.0.0.1']

roles/crowdsec/tasks/conf.yml

@@ -72,7 +72,7 @@
   tags: cs
 
 - name: Upgrade parsers
-  command: csscli parsers upgrade {{ item }}
+  command: cscli parsers upgrade {{ item }}
   loop: "{{ cs_parsers }}"
   when: cs_install_mode == 'upgrade'
   notify: reload crowdsec

roles/crowdsec/tasks/install.yml

@@ -1,5 +1,12 @@
 ---
 
+- name: Install needed tools
+  package:
+    name:
+      - tar
+      - zstd
+  tags: cs
+
 - when: cs_install_mode != 'none'
   block:
     - name: Download crowdsec

roles/crowdsec_firewall_bouncer/vars/Debian.yml

@@ -0,0 +1,3 @@
+---
+
+cs_iptables_service: netfilter-persistent

roles/crowdsec_firewall_bouncer/vars/RedHat.yml

@@ -0,0 +1,3 @@
+---
+
+cs_iptables_service: iptables

roles/g2cs/files/g2cs.pl

@@ -30,6 +30,18 @@ if (not -d $logdir){
 # Remove trailing / of the logdir, it's not nice in the logs when you have double /
 $logdir =~ s/\/$//;
 
+# Create files so crowdsec can open them before any lines are written
+foreach my $dir (qw(nginx httpd zimbra)){
+  if (not -d $logdir . '/' . $dir){
+    make_path($logdir . '/' . $dir)
+  }
+}
+foreach my $file (qw(syslog.log nginx/access.log nginx/error.log httpd/access.log httpd/error.log zimbra/mailbox.log)){
+  open(FILE, '>', $logdir . '/' . $file);
+  print FILE '';
+  close FILE;
+}
+
 # List of syslog_identifier we're not intersted in
 my @ignored_syslog_id = qw(
   c-icap
@@ -158,12 +170,6 @@ while (1) {
     $msg .= ': ' . $fields->{msg};
   }
 
-  # Create the log sub dir if needed
-  my $dir = dirname($logfile);
-  if (not -d $dir){
-    make_path($dir);
-  }
-
   defined $loghandles->{$logfile} or open($loghandles->{$logfile}, ">>", $logfile);
   # Truncate the file so it's not growing too large
   # Crowdsec will read it in nearly real time anyway

roles/g2cs/templates/g2cs.service.j2

@@ -1,6 +1,7 @@
 [Unit]
 Description=Graylog to Crowdsec syslog daemon
 After=syslog.target
+Before=crowdsec.service
 
 [Service]
 Type=simple

roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2

@@ -34,6 +34,7 @@ php_admin_value[error_log] = syslog
 php_admin_value[memory_limit] = {{ conf.memory_limit | default('128M') }}
 php_admin_value[session.save_path] = {{ conf.session_save_path | default('/var/lib/php/session') }}
 php_admin_value[upload_tmp_dir] = {{ conf.tmp_dir | default('/tmp') }}
+php_admin_value[sys_temp_dir] = {{ conf.tmp_dir | default('/tmp') }}
 php_admin_value[post_max_size] = {{ conf.post_max_size | default('5M') }}
 php_admin_value[upload_max_filesize] = {{ conf.upload_max_filesize | default('5M') }}
 php_admin_value[disable_functions] = {{ conf.disable_functions | default([ 'system', 'show_source', 'symlink', 'exec', 'dl', 'shell_exec', 'passthru', 'phpinfo', 'escapeshellarg', 'escapeshellcmd' ]) | difference(conf.enable_functions | default([]) ) | join(', ') }}

roles/lemonldap_ng/defaults/main.yml

@@ -63,4 +63,4 @@ llng_handler_db_user: lemonldapnghandler
 # llng_handler_db_pass
 
 # Number of llng-fastcgi-server workers. The upstream default is 7 which is often too much
-llng_fcgi_workers: 5
+llng_fcgi_workers: 6

roles/miniflux/tasks/conf.yml

@@ -2,4 +2,6 @@
 
 - name: Deploy configuration
   template: src=miniflux.conf.j2 dest={{ miniflux_root_dir }}/etc/miniflux.conf group={{ miniflux_user }} mode=640
+  notify:
+    - restart miniflux
   tags: miniflux

roles/miniflux/templates/miniflux.conf.j2

@@ -10,7 +10,7 @@ PROXY_IMAGES=all
 {% if miniflux_oidc %}
 OAUTH2_PROVIDER=oidc
 OAUTH2_CLIENT_ID={{ miniflux_oidc_id | quote }}
-OAUTH2_CLIENT_SECRET={{ minifluxçoidc_secret | quote }}
+OAUTH2_CLIENT_SECRET={{ miniflux_oidc_secret | quote }}
 OAUTH2_REDIRECT_URL={{ miniflux_oidc_callback_url }}
 OAUTH2_OIDC_DISCOVERY_ENDPOINT={{ miniflux_oidc_disco_url }}
 OAUTH2_USER_CREATION=1

roles/nginx/templates/nginx.conf.j2

@@ -1,7 +1,6 @@
 user nginx;
 worker_processes auto;
 error_log /var/log/nginx/error.log;
-error_log syslog:server=unix:/dev/log,nohostname;
 pid /run/nginx.pid;
 
 {% if nginx_openresty %}

roles/squid/files/acl/software_various.domains

@@ -343,3 +343,6 @@ www.cloudflare.com
 # Metabase
 static.metabase.com
 downloads.metabase.com
+
+# Zimbra / Zextras
+go.zextras.com

roles/squid/files/acl/software_windows.domains

@@ -20,6 +20,7 @@ go.microsoft.com
 dl.delivery.mp.microsoft.com
 dmd.metaservices.microsoft.com
 activation-v2.sls.microsoft.com
+download.visualstudio.microsoft.com
 
 # comon CRL / OCSP
 crl.microsoft.com