From a256a03c79e89b1f647688589af6623f135f2aa1 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Mon, 30 Nov 2020 12:00:07 +0100 Subject: [PATCH] Update to 2020-11-30 12:00 --- roles/funkwhale/meta/main.yml | 6 +++- roles/funkwhale/vars/CentOS-8.yml | 2 +- roles/jitsi/defaults/main.yml | 3 +- roles/jitsi/templates/prosody.cfg.lua.j2 | 4 +-- roles/mongodb_server/tasks/main.yml | 3 -- roles/mongodb_server/templates/mongod.conf.j2 | 1 + roles/onlyoffice_document_server/tasks/install.yml | 4 +++ roles/onlyoffice_document_server/tasks/main.yml | 1 + roles/openxpki/tasks/selinux.yml | 2 +- roles/openxpki/templates/perms.sh.j2 | 4 +++ roles/postfix/templates/main.cf.j2 | 1 + roles/repo_base/tasks/main.yml | 9 +----- roles/repo_xsendfile/tasks/main.yml | 37 ++++++++++++++++++++++ roles/seadrive/files/seadrive.te | 10 ++++++ roles/seadrive/tasks/main.yml | 4 +++ roles/seadrive/tasks/selinux.yml | 19 +++++++++++ roles/unifi/meta/main.yml | 6 ++++ roles/unifi/tasks/main.yml | 25 ++++++++++++--- roles/unifi/templates/post-backup.sh.j2 | 3 ++ roles/unifi/templates/pre-backup.sh.j2 | 4 +++ roles/unifi/vars/CentOS-7.yml | 5 +++ roles/unifi/vars/CentOS-8.yml | 6 ++++ roles/wordpress/templates/post-backup.sh.j2 | 1 - roles/wordpress/templates/pre-backup.sh.j2 | 7 ++-- roles/zabbix_proxy/files/zabbix_proxy.te | 4 ++- roles/zimbra/tasks/cas.yml | 8 ++--- 26 files changed, 147 insertions(+), 32 deletions(-) create mode 100644 roles/repo_xsendfile/tasks/main.yml create mode 100644 roles/seadrive/files/seadrive.te create mode 100644 roles/seadrive/tasks/selinux.yml create mode 100644 roles/unifi/templates/post-backup.sh.j2 create mode 100644 roles/unifi/templates/pre-backup.sh.j2 create mode 100644 roles/unifi/vars/CentOS-7.yml create mode 100644 roles/unifi/vars/CentOS-8.yml diff --git a/roles/funkwhale/meta/main.yml b/roles/funkwhale/meta/main.yml index 3bb0569..f16e6b1 100644 --- a/roles/funkwhale/meta/main.yml +++ b/roles/funkwhale/meta/main.yml 
@@ -1,7 +1,11 @@ --- allow_duplicates: true dependencies: - - role: repo_remi # for ffmpeg + - role: repo_rpmfusion # for ffmpeg + - role: repo_xsendfile # mod_xsendfile is not available in base repo for EL8 + when: + - ansible_os_family == 'RedHat' + - ansible_distribution_major_version is version('8','>=') - role: httpd_common - role: redis_server when: funkwhale_redis_url | urlsplit('hostname') == 'localhost' or funkwhale_redis_url | urlsplit('hostname') == '127.0.0.1' diff --git a/roles/funkwhale/vars/CentOS-8.yml b/roles/funkwhale/vars/CentOS-8.yml index 99b03de..8320024 100644 --- a/roles/funkwhale/vars/CentOS-8.yml +++ b/roles/funkwhale/vars/CentOS-8.yml @@ -13,4 +13,4 @@ funkwhale_packages: - python3-virtualenv - python3-pip - ffmpeg - #- mod_xsendfile + - mod_xsendfile diff --git a/roles/jitsi/defaults/main.yml b/roles/jitsi/defaults/main.yml index f999ee3..75d0921 100644 --- a/roles/jitsi/defaults/main.yml +++ b/roles/jitsi/defaults/main.yml @@ -69,7 +69,8 @@ jitsi_meet_conf_base: muc: conference.{{ jitsi_domain }} bosh: '//{{ jitsi_domain }}/http-bind' # websocket support is broken on prosody 0.11.7 when running lua 5.1 (on EL7), so disable it for now so it fallback to BOSH - websocket: "{{ (ansible_os_family == 'RedHat' and ansible_distribution_major_version is version ('8','<')) | ternary(False,'wss://{{ jitsi_domain }}/xmpp-websocket') }}" + # websocket: wss://{{ jitsi_domain }}/xmpp-websocket + websocket: False clientNode: http://jitsi.org/jitsimeet focusUserJid: "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" disableAudioLevels: True diff --git a/roles/jitsi/templates/prosody.cfg.lua.j2 b/roles/jitsi/templates/prosody.cfg.lua.j2 index 0ceec1e..9173a4e 100644 --- a/roles/jitsi/templates/prosody.cfg.lua.j2 +++ b/roles/jitsi/templates/prosody.cfg.lua.j2 
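Review bot: The comment above `websocket:` in the jitsi defaults hunk still says websocket support is broken only on EL7, but the new `websocket: False` line disables it unconditionally, so the comment no longer describes the code. Replace it with one that matches the new state, e.g. `# websocket is disabled on all platforms for now (broken on prosody 0.11.7 with lua 5.1), so clients fall back to BOSH`. The commented-out `# websocket: wss://{{ jitsi_domain }}/xmpp-websocket` line is fine to keep as the value to restore later.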
@@ -1,7 +1,7 @@ muc_mapper_domain_base = "{{ jitsi_domain }}"; -admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" } -http_default_host = "{{ jitsi_domain }}" +admins = { "{{ jitsi_jicofo_xmpp_user }}@{{ jitsi_auth_domain }}" }; +http_default_host = "{{ jitsi_domain }}"; {% if jitsi_turn_secret is defined %} turncredentials_secret = "{{ jitsi_turn_secret }}"; diff --git a/roles/mongodb_server/tasks/main.yml b/roles/mongodb_server/tasks/main.yml index 5e823e0..f598e0d 100644 --- a/roles/mongodb_server/tasks/main.yml +++ b/roles/mongodb_server/tasks/main.yml @@ -62,12 +62,9 @@ copy: content: | [Service] - Type=simple PrivateTmp=yes ProtectSystem=full ProtectHome=yes - NoNewPrivileges=yes - SyslogIdentifier=mongod Restart=on-failure StartLimitInterval=0 RestartSec=30 diff --git a/roles/mongodb_server/templates/mongod.conf.j2 b/roles/mongodb_server/templates/mongod.conf.j2 index c8c208a..c7d7a18 100644 --- a/roles/mongodb_server/templates/mongod.conf.j2 +++ b/roles/mongodb_server/templates/mongod.conf.j2 @@ -4,3 +4,4 @@ pidfilepath = /var/run/mongodb/mongod.pid unixSocketPrefix = /var/run/mongodb dbpath = {{ mongo_db_path }} syslog = true +fork = true diff --git a/roles/onlyoffice_document_server/tasks/install.yml b/roles/onlyoffice_document_server/tasks/install.yml index 26a4da3..a543a45 100644 --- a/roles/onlyoffice_document_server/tasks/install.yml +++ b/roles/onlyoffice_document_server/tasks/install.yml @@ -42,6 +42,10 @@ - log4js/production.json tags: oo +- name: Set permission on config directory + file: path=/etc/onlyoffice state=directory mode=755 + tags: oo + - name: Fix permissions on data dir command: chown -R ds:ds /var/lib/onlyoffice/documentserver/ args: diff --git a/roles/onlyoffice_document_server/tasks/main.yml b/roles/onlyoffice_document_server/tasks/main.yml index 50c03ff..6a57ac0 100644 --- a/roles/onlyoffice_document_server/tasks/main.yml +++ b/roles/onlyoffice_document_server/tasks/main.yml 
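Review bot: The mongodb_server systemd override drops `NoNewPrivileges=yes` along with `Type=simple` and `SyslogIdentifier=mongod`, but only the `Type=` removal is explained by the new `fork = true` in mongod.conf.j2 in this commit; a forking daemon does not need to acquire new privileges, so the hardening directive could have stayed. If it was removed because it interfered with something (for example an SELinux domain transition on exec), record that in a comment next to the override, e.g. `# NoNewPrivileges dropped: <REASON>`, rather than removing it silently. Otherwise restore `NoNewPrivileges=yes` after `ProtectHome=yes`. The `- name:` line of this task is before the hunk.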
@@ -4,6 +4,7 @@ - include: directories.yml - include: facts.yml - include: install.yml +- include: conf.yml - include: selinux.yml when: ansible_selinux.status == 'enabled' - include: services.yml diff --git a/roles/openxpki/tasks/selinux.yml b/roles/openxpki/tasks/selinux.yml index 332d5b3..ecbdb6e 100644 --- a/roles/openxpki/tasks/selinux.yml +++ b/roles/openxpki/tasks/selinux.yml @@ -31,7 +31,7 @@ cd /etc/selinux/targeted/local/ checkmodule -M -m -o openxpki.mod openxpki.te semodule_package -o openxpki.pp -m openxpki.mod + semodule -i /etc/selinux/targeted/local/openxpki.pp when: pki_selinux_policy.changed tags: pki - diff --git a/roles/openxpki/templates/perms.sh.j2 b/roles/openxpki/templates/perms.sh.j2 index 93c1c03..fb9e685 100644 --- a/roles/openxpki/templates/perms.sh.j2 +++ b/roles/openxpki/templates/perms.sh.j2 @@ -2,3 +2,7 @@ chown -R {{ pki_user }}:{{ pki_user }} {{ pki_root_dir }}/etc/ssl chmod 700 {{ pki_root_dir }}/etc/ssl +# The root key is not used by OpenXPKI itself, protect it +chown root:root {{ pki_root_dir }}/etc/ssl/root/signer-key-1.pem +# Restrict access to the different keys +chmod 600 {{ pki_root_dir }}/etc/ssl/*/*key*.pem diff --git a/roles/postfix/templates/main.cf.j2 b/roles/postfix/templates/main.cf.j2 index 6e2a8c0..c74597b 100644 --- a/roles/postfix/templates/main.cf.j2 +++ b/roles/postfix/templates/main.cf.j2 @@ -16,6 +16,7 @@ inet_protocols = ipv4 mydestination = {{ postfix_mydestination | default(['$myhostname', 'localhost.$mydomain', 'localhost']) | join(', ') }} mynetworks = {{ postfix_mynetworks | default([ '127.0.0.0/8' ]) | join (', ') }} +smtpd_recipient_restrictions = permit_mynetworks {% if postfix_relay_host is defined %} relayhost = {{ postfix_relay_host }} diff --git a/roles/repo_base/tasks/main.yml b/roles/repo_base/tasks/main.yml index d374752..a9fb294 100644 --- a/roles/repo_base/tasks/main.yml +++ b/roles/repo_base/tasks/main.yml 
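Review bot: The new `- include: conf.yml` in onlyoffice_document_server/tasks/main.yml references a task file that this commit neither creates nor modifies (it is absent from the file list in the header), so unless `roles/onlyoffice_document_server/tasks/conf.yml` already exists in the repository the role fails at parse time. If the file is new it needs to be added to the commit; if it already exists, nothing more is needed. Keeping the older `include` form is consistent with the surrounding lines.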
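Review bot: In perms.sh.j2, `chown root:root {{ pki_root_dir }}/etc/ssl/root/signer-key-1.pem` hardcodes a single key file, so a later root signer key (for example after a rollover) would stay owned by `{{ pki_user }}` after the preceding recursive chown and be readable by the service. A glob such as `chown root:root {{ pki_root_dir }}/etc/ssl/root/signer-key-*.pem` covers rolled keys too. Note also that `chmod 600 {{ pki_root_dir }}/etc/ssl/*/*key*.pem` only matches one directory level below etc/ssl, and if nothing matches chmod receives the literal pattern and fails; whether that aborts the script depends on the interpreter line, which is outside this hunk.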
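Review bot: `smtpd_recipient_restrictions = permit_mynetworks` in main.cf.j2 carries no `reject_unauth_destination`, so relay protection now rests entirely on the built-in default of `smtpd_relay_restrictions` (Postfix 2.10 and later); older releases without that parameter refuse such a configuration as an open relay. Make the relay policy explicit in the template instead of implicit, e.g. add `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination` next to it, or append `reject_unauth_destination` to the recipient restrictions. A one-line comment saying why `permit_mynetworks` is needed here would help the next reader.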
@@ -27,14 +27,7 @@ tags: repo - name: Configure latest PostgreSQL repository - yum_repository: - name: postgresql-client - description: PostgreSQL - baseurl: https://download.postgresql.org/pub/repos/yum/13/redhat/rhel-$releasever-$basearch - gpgcheck: True - gpgkey: https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG-13 - state: "{{ repo_postgres | ternary('present','absent') }}" - includepkgs: postgresql13 postgresql13-libs + template: src=postgresql-client.repo.j2 dest=/etc/yum.repos.d/postgresql-client.repo tags: repo - name: Remove obsolete repo diff --git a/roles/repo_xsendfile/tasks/main.yml b/roles/repo_xsendfile/tasks/main.yml new file mode 100644 index 0000000..43fa82f --- /dev/null +++ b/roles/repo_xsendfile/tasks/main.yml 
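Review bot: Replacing the `yum_repository` task with `template: src=postgresql-client.repo.j2 dest=/etc/yum.repos.d/postgresql-client.repo` removes two things that were visible before: the `state: "{{ repo_postgres | ternary('present','absent') }}"` toggle and the explicit `gpgcheck: True` / `gpgkey:` pinning to the PGDG key. The template is not part of this commit (it is not in the header's file list), so I cannot confirm it sets `gpgcheck=1`, carries the key URL, or honours `repo_postgres`; if it already exists, a comment on the task such as `# gpgcheck, gpgkey and the repo_postgres enable/disable flag are set inside the template` would document that. If the template is new, it needs to be added to the commit.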
@@ -0,0 +1,37 @@ +--- + +- name: Configure CentOS SIG Cloud GPG Key + copy: + content: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: GnuPG v2.0.22 (GNU/Linux) + + mQENBFVWcCcBCACfm3eQ0526/I0/p7HpR0NjK7K307XHhnbcbZv1sDUjQABDaqh0 + N4gnZcovf+3fj6pcdOmeOpGI0cKE7Fh68RbEIqyjB7l7+j1grjewR0oCFFZ38KGm + j+DWQrj1IJW7JU5fH/G0Cu66ix+dJPcuTB3PJTqXN3ce+4TuG09D+epgwfbHlqaT + pH2qHCu2uiGj/AaRSM/ZZzcInMaeleHSB+NChvaQ0W/m+kK5d/20d7sfkaTfI/pY + SrodCfVTYxfKAd0TLW03kimHs5/Rdz+iZWecVKv6aFxzaywbrOjmOsy2q0kEWIwX + MTZrq6cBRRuWyiXsI2zT2YHQ4UK44IxINiaJABEBAAG0WkNlbnRPUyBDbG91ZCBT + SUcgKGh0dHA6Ly93aWtpLmNlbnRvcy5vcmcvU3BlY2lhbEludGVyZXN0R3JvdXAv + Q2xvdWQpIDxzZWN1cml0eUBjZW50b3Mub3JnPokBOQQTAQIAIwUCVVZwJwIbAwcL + CQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPm5/ud2RCnmATUH/3HDtWxpFkmy + FiA3VGkMt5dp3bgCRSd84X6Orfx1LARowpI4LomCGglGBGXVJePBacwcclorbLaz + uWrW/wU0efz0aDB5c4NPg/yXfNvujvlda8ADJwZXVBQphzvaIKwl4PqBsEnxC10I + 93T/0iyphAhfMRJ5R8AbEHMj7uF+TWTX/JoyQagllMqWTwoP4DFRutPdOmmjwvSV + kWItH7hq6z9+M4dhlqeoOvPbL5oCxX7TVmLck02Q5gI4syULOa7sqntzUQKFkhWp + 9U0+5KrBQBKezrurrrkq/WZR3WNE1KQfNQ77f7S2JcXJdOaKgJ7xe7Y2flPq98Aq + wKXK7l1c3dc= + =W6yF + -----END PGP PUBLIC KEY BLOCK----- + dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud + tags: repo + +- name: Configure Openstack repo for mod_xsendfile + yum_repository: + name: xsendfile + description: Cloud SIG repo for mod_xsendfile + baseurl: http://mirror.centos.org/$contentdir/$releasever/cloud/$basearch/openstack-train/ + gpgcheck: True + gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Cloud + includepkgs: mod_xsendfile + tags: repo diff --git a/roles/seadrive/files/seadrive.te b/roles/seadrive/files/seadrive.te new file mode 100644 index 0000000..eadc991 --- /dev/null +++ b/roles/seadrive/files/seadrive.te @@ -0,0 +1,10 @@ +module seadrive 1.0; + +require { + type init_t; + type fusermount_exec_t; + class file execute; +} + +#============= init_t ============== +allow init_t fusermount_exec_t:file execute; 
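Review bot: `baseurl: http://mirror.centos.org/...` in repo_xsendfile fetches both packages and repository metadata over plain HTTP; `gpgcheck: True` verifies package signatures but not the metadata, so an on-path party can serve stale or withheld metadata. Use `https://` if the mirror supports it. Limiting the repo with `includepkgs: mod_xsendfile` is good; a comment next to the `copy:` task recording the key's fingerprint, e.g. `# fingerprint: <KEY_FINGERPRINT>`, would let a reader verify the embedded blob without re-importing it.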
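Review bot: `allow init_t fusermount_exec_t:file execute;` in seadrive.te grants the permission to `init_t`, which is the domain of systemd itself rather than a confined service; a denial in init_t suggests the seadrive process is running in that domain, presumably because its binary under /opt/seadrive carries no file context that triggers a domain transition. Narrowing the subject (a file context for the binary plus a rule in the resulting domain) would keep PID 1's domain unchanged. If init_t is intentional, add a comment above the rule with the denial it answers, e.g. `# AVC: <denial from audit.log that motivated this rule>`.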
diff --git a/roles/seadrive/tasks/main.yml b/roles/seadrive/tasks/main.yml index 0baebf7..7d4b855 100644 --- a/roles/seadrive/tasks/main.yml +++ b/roles/seadrive/tasks/main.yml @@ -16,6 +16,7 @@ loop: - /etc/seadrive - /var/cache/seadrive + - /opt/seadrive tags: seadrive - name: Create cache directories @@ -68,6 +69,9 @@ loop: "{{ seadrive_remove_instances }}" tags: seadrive +- include: selinux.yml + when: ansible_selinux.status == 'enabled' + - name: Obtain API Tokens uri: url: "{{ item.server }}/api2/auth-token/" diff --git a/roles/seadrive/tasks/selinux.yml b/roles/seadrive/tasks/selinux.yml new file mode 100644 index 0000000..5d790bf --- /dev/null +++ b/roles/seadrive/tasks/selinux.yml @@ -0,0 +1,19 @@ +--- + +- name: Copy SELinux policy + copy: src=seadrive.te dest=/etc/selinux/targeted/local/ + register: seadrive_selinux_policy + tags: seadrive + +- name: Compile SELinux policy + shell: | + cd /etc/selinux/targeted/local/ + checkmodule -M -m -o seadrive.mod seadrive.te + semodule_package -o seadrive.pp -m seadrive.mod + when: seadrive_selinux_policy.changed + tags: seadrive + +- name: Load SELinux policy + command: semodule -i /etc/selinux/targeted/local/seadrive.pp + when: seadrive_selinux_policy.changed + tags: seadrive diff --git a/roles/unifi/meta/main.yml b/roles/unifi/meta/main.yml index dc58dfa..03d2f55 100644 --- a/roles/unifi/meta/main.yml +++ b/roles/unifi/meta/main.yml @@ -2,3 +2,9 @@ dependencies: - role: mkdir + - role: repo_mongodb # MongoDB isn't in base repo anymore on EL8 + when: + - ansible_os_family == 'RedHat' + - ansible_distribution_major_version is version('8','>=') + vars: + - mongo_major_version: 3.4 # Unifi recommends Mong 3.4 diff --git a/roles/unifi/tasks/main.yml b/roles/unifi/tasks/main.yml index 3d60c20..7425750 100644 --- a/roles/unifi/tasks/main.yml +++ b/roles/unifi/tasks/main.yml 
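Review bot: In seadrive/tasks/selinux.yml both the compile and the `semodule -i` load are gated on `when: seadrive_selinux_policy.changed`, so if either step fails once, the next run sees the .te already copied and skips both, leaving the module never loaded; the openxpki selinux hunk in this commit uses the same pattern. Checking `semodule -l` for the module name, or running the load unconditionally with a suitable `changed_when`, would make the tasks re-entrant. The `shell:` block also relies on the `cd` succeeding; `args: chdir: /etc/selinux/targeted/local/` expresses that directly.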
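Review bot: `mongo_major_version: 3.4` in unifi/meta/main.yml is an unquoted YAML float; it happens to render as `3.4`, but a value such as `3.10` would become `3.1`, so quote version strings: `mongo_major_version: "3.4"`. The `vars:` block is written as a one-item list; the documented form for role dependency vars is a mapping (`vars:` followed by `  mongo_major_version: "3.4"`), which avoids relying on the list form being accepted. The comment typo `Mong` should read `MongoDB`.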
@@ -1,14 +1,18 @@ --- +- include_vars: "{{ item }}" + with_first_found: + - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml + - vars/{{ ansible_distribution }}.yml + - vars/{{ ansible_os_family }}.yml + tags: unifi + - name: Set default install mode to none set_fact: unifi_install_mode="none" tags: unifi - name: Install dependencies - yum: - name: - - java-1.8.0-openjdk-headless - - mongodb-server + yum: name={{ unifi_packages }} tags: unifi - name: Create a system account to run unifi @@ -184,6 +188,19 @@ when: unifi_unit.changed tags: unifi + # Only supported on el8 as el7 provides mongodb-server but no mongodump + # It'd be possible to migrate existing el7 server from base mongodb to + # the one provided by upstream repo though +- name: Deploy pre and post backup hooks + template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/unifi mode=755 + loop: + - pre + - post + when: + - ansible_os_family == 'RedHat' + - ansible_distribution_major_version is version('8','>=') + tags: unifi + - name: Start and enable the service service: name=unifi state=started enabled=True tags: unifi diff --git a/roles/unifi/templates/post-backup.sh.j2 b/roles/unifi/templates/post-backup.sh.j2 new file mode 100644 index 0000000..56a736d --- /dev/null +++ b/roles/unifi/templates/post-backup.sh.j2 @@ -0,0 +1,3 @@ +#!/bin/bash + +rm -rf {{ unifi_root_dir }}/backup/mongo/* diff --git a/roles/unifi/templates/pre-backup.sh.j2 b/roles/unifi/templates/pre-backup.sh.j2 new file mode 100644 index 0000000..a46bda5 --- /dev/null +++ b/roles/unifi/templates/pre-backup.sh.j2 @@ -0,0 +1,4 @@ +#!/bin/bash -e + +mkdir -p {{ unifi_root_dir }}/backup/mongo +mongodump --quiet --port 27117 --out {{ unifi_root_dir }}/backup/mongo diff --git a/roles/unifi/vars/CentOS-7.yml b/roles/unifi/vars/CentOS-7.yml new file mode 100644 index 0000000..579134e --- /dev/null +++ b/roles/unifi/vars/CentOS-7.yml 
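Review bot: In pre-backup.sh.j2, `mkdir -p {{ unifi_root_dir }}/backup/mongo` creates the dump directory with the caller's default umask, and `mongodump` then writes the full controller database into it, so between the pre and post hooks the dump may be readable by other local users depending on that umask. Restrict it explicitly, e.g. `umask 077` right after the shebang, or `mkdir -p -m 700 {{ unifi_root_dir }}/backup/mongo`. The `rm -rf` in the post hook does not close that window.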
@@ -0,0 +1,5 @@ +--- + +unifi_packages: + - java-1.8.0-openjdk-headless + - mongodb-server diff --git a/roles/unifi/vars/CentOS-8.yml b/roles/unifi/vars/CentOS-8.yml new file mode 100644 index 0000000..a1771e9 --- /dev/null +++ b/roles/unifi/vars/CentOS-8.yml @@ -0,0 +1,6 @@ +--- + +unifi_packages: + - java-1.8.0-openjdk-headless + - mongodb-org-server + - mongodb-org diff --git a/roles/wordpress/templates/post-backup.sh.j2 b/roles/wordpress/templates/post-backup.sh.j2 index 5d3f0d9..2e71b6e 100644 --- a/roles/wordpress/templates/post-backup.sh.j2 +++ b/roles/wordpress/templates/post-backup.sh.j2 @@ -1,4 +1,3 @@ #!/bin/bash -umount /home/lbkp/wordpress_{{ wp_id }} rm -f {{ wp_root_dir }}/backup/* diff --git a/roles/wordpress/templates/pre-backup.sh.j2 b/roles/wordpress/templates/pre-backup.sh.j2 index b6e4cd4..3341f85 100644 --- a/roles/wordpress/templates/pre-backup.sh.j2 +++ b/roles/wordpress/templates/pre-backup.sh.j2 @@ -1,15 +1,12 @@ #!/bin/bash -e -mkdir -p /home/lbkp/wordpress_{{ wp_id }} - /usr/bin/mysqldump \ -{% if wp_db_server != 'localhost' and wp_db_server != '127.0.0.1' %} +{% if not wp_db_server in ['localhost', '127.0.0.1'] %} --user='{{ wp_db_user }}' \ --password='{{ wp_db_pass }}' \ --host='{{ wp_db_server }}' \ --port='{{ wp_db_port }}' \ {% endif %} --quick --single-transaction \ - --add-drop-table '{{ wp_db_name }}' | zstd -T0 > {{ wp_root_dir }}/backup/{{ wp_db_name }}.sql.zst + --add-drop-table '{{ wp_db_name }}' | zstd -c > {{ wp_root_dir }}/backup/{{ wp_db_name }}.sql.zst -mountpoint -q /home/lbkp/wordpress_{{ wp_id }}/ || mount -o bind,ro {{ wp_root_dir }}/backup/ /home/lbkp/wordpress_{{ wp_id }} diff --git a/roles/zabbix_proxy/files/zabbix_proxy.te b/roles/zabbix_proxy/files/zabbix_proxy.te index a9b0393..79bfd77 100644 --- a/roles/zabbix_proxy/files/zabbix_proxy.te +++ b/roles/zabbix_proxy/files/zabbix_proxy.te @@ -1,4 +1,4 @@ -module zabbix_proxy 1.0; +module zabbix_proxy 1.1; require { type zabbix_var_run_t; 
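Review bot: The wordpress pre-backup pipeline `mysqldump ... | zstd -c > ...` runs under `#!/bin/bash -e`, but without `set -o pipefail` the script's status is zstd's, so a failing mysqldump still writes a small or empty .sql.zst and the hook reports success; add `set -o pipefail` after the shebang. The `--password='{{ wp_db_pass }}'` argument is unchanged context here, but a command-line password is visible to other local users in the process list, so moving it to a `--defaults-extra-file` created with mode 600 would be worthwhile while this script is being reworked. Replacing `zstd -T0` with `zstd -c` also drops multithreading; if that was intentional, a short comment would help.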
@@ -8,6 +8,7 @@ require { class sock_file { create unlink }; class unix_stream_socket connectto; class file { getattr read }; + class capability dac_override; } #============= ping_t ============== @@ -16,3 +17,4 @@ allow ping_t zabbix_var_lib_t:file { getattr read }; #============= zabbix_t ============== allow zabbix_t self:unix_stream_socket connectto; allow zabbix_t zabbix_var_run_t:sock_file { create unlink }; +allow zabbix_t self:capability dac_override; diff --git a/roles/zimbra/tasks/cas.yml b/roles/zimbra/tasks/cas.yml index 98f33d7..11a6f47 100644 --- a/roles/zimbra/tasks/cas.yml +++ b/roles/zimbra/tasks/cas.yml @@ -22,13 +22,13 @@ - name: Install preauth pages template: src=cas_preauth.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbra/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra loop: "{{ zcs_preauthkeys.results }}" - notify: restart zmmailboxd + notify: restart zimbra tags: zcs - name: Install admin preauth pages template: src=cas_preauth_admin.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra loop: "{{ zcs_preauthkeys.results }}" - notify: restart zmmailboxd + notify: restart zimbra tags: zcs - name: Configure CAS filters @@ -123,7 +123,7 @@ marker: '' insertafter: '' validate: xmllint %s - notify: restart zmmailboxd + notify: restart zimbra tags: zcs - name: Configure CAS admin filters @@ -219,7 +219,7 @@ marker: '' insertafter: '' validate: xmllint %s - notify: restart zmmailboxd + notify: restart zimbra tags: zcs - name: Configure login and logout URL
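Review bot: `allow zabbix_t self:capability dac_override;` lets the proxy bypass discretionary permission checks on every file it opens, which is far broader than the sock_file and file rules above it; a `dac_override` denial is usually a symptom of a file or directory owned by a different user than the one the daemon runs as, and fixing that ownership removes the need for the capability. If it has to stay, add a comment above the rule recording the denial it answers, e.g. `# AVC: <denial from audit.log>`, so the next reviewer can tell what access it covers. The version bump to 1.1 in the first zabbix_proxy hunk is fine.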