From 7116a237630e0281e82ba913535c4b6641d1d0b3 Mon Sep 17 00:00:00 2001 From: Jeff Geerling Date: Tue, 16 Aug 2016 15:13:24 -0500 Subject: [PATCH] Bump all role requirements to latest versions. --- provisioning/requirements.yml | 10 +- .../roles/franklinkim.newrelic/CHANGELOG.md | 26 +++ .../roles/franklinkim.newrelic/README.md | 11 +- .../franklinkim.newrelic/defaults/main.yml | 4 + .../roles/franklinkim.newrelic/meta/main.yml | 210 +++++++++++------- .../templates/etc/newrelic/nrsysmond.cfg.j2 | 14 ++ .../roles/geerlingguy.drush/meta/main.yml | 62 +++--- .../roles/geerlingguy.drush/tasks/main.yml | 1 + .../roles/geerlingguy.drush/tests/test.yml | 3 + .../geerlingguy.elasticsearch/meta/main.yml | 2 +- .../roles/geerlingguy.nginx/README.md | 4 + .../roles/geerlingguy.nginx/defaults/main.yml | 1 + .../roles/geerlingguy.nginx/tasks/vhosts.yml | 5 +- .../roles/geerlingguy.security/README.md | 12 +- .../geerlingguy.security/defaults/main.yml | 10 + .../roles/geerlingguy.security/tasks/ssh.yml | 10 + .../templates/50unattended-upgrades.j2 | 7 + 17 files changed, 260 insertions(+), 132 deletions(-) diff --git a/provisioning/requirements.yml b/provisioning/requirements.yml index def5ae627..c3abb735b 100644 --- a/provisioning/requirements.yml +++ b/provisioning/requirements.yml @@ -2,7 +2,7 @@ - src: arknoll.selenium version: 1.3.0 - src: franklinkim.newrelic - version: 1.2.0 + version: 1.4.0 - src: geerlingguy.adminer version: 1.1.0 - src: geerlingguy.apache @@ -18,9 +18,9 @@ - src: geerlingguy.drupal-console version: 1.0.7 - src: geerlingguy.drush - version: 1.1.2 + version: 1.1.3 - src: geerlingguy.elasticsearch - version: 2.1.0 + version: 2.1.1 - src: geerlingguy.firewall version: 1.0.9 - src: geerlingguy.git @@ -34,7 +34,7 @@ - src: geerlingguy.mysql version: 2.3.1 - src: geerlingguy.nginx - version: 1.9.2 + version: 1.9.3 - src: geerlingguy.nodejs version: 3.2.0 - src: geerlingguy.php 
@@ -62,7 +62,7 @@ - src: geerlingguy.ruby version: 2.3.1 - src: geerlingguy.security - version: 1.2.0 + version: 1.4.0 - src: geerlingguy.solr version: 3.1.3 - src: geerlingguy.varnish diff --git a/provisioning/roles/franklinkim.newrelic/CHANGELOG.md b/provisioning/roles/franklinkim.newrelic/CHANGELOG.md index 2b6672b66..eded3d13a 100644 --- a/provisioning/roles/franklinkim.newrelic/CHANGELOG.md +++ b/provisioning/roles/franklinkim.newrelic/CHANGELOG.md @@ -1,3 +1,29 @@ + +## 1.4.0 (2016-08-05) + + +#### Features + +* add label settings ([169d3867](https://github.com/weareinteractive/ansible-newrelic/commit/169d386710aba0d7d1397cb68ef7f8426d1fac80)) + + + + +## 1.3.0 (2016-07-04) + + + + + +### 1.2.1 (2016-04-10) + + +#### Bug Fixes + +* default groups breaks install when docker monitoring is enabled ([3e507b30](https://github.com/weareinteractive/ansible-newrelic/commit/3e507b3080fa8040a3659577f1bdc25c3d97508a)) + + + ## 1.2.0 (2016-02-13) diff --git a/provisioning/roles/franklinkim.newrelic/README.md b/provisioning/roles/franklinkim.newrelic/README.md index 9650109b1..5b4902f72 100644 --- a/provisioning/roles/franklinkim.newrelic/README.md +++ b/provisioning/roles/franklinkim.newrelic/README.md @@ -33,7 +33,7 @@ $ git clone https://github.com/weareinteractive/ansible-newrelic.git franklinkim ## Dependencies -* Ansible >= 1.9 +* Ansible >= 2.0 ## Variables @@ -62,6 +62,10 @@ newrelic_disable_docker: yes newrelic_service_enabled: yes # current state: started, stopped newrelic_service_state: started +# use default hostname, set a value to override the default hostname +newrelic_override_hostname: ~ +# A series of label_type/label_value pairings: label_type:label_value +newrelic_labels: ~ ``` 
@@ -99,16 +103,17 @@ This is an example playbook: ``` + ## Testing ```shell $ git clone https://github.com/weareinteractive/ansible-newrelic.git $ cd ansible-newrelic -$ vagrant up +$ make test ``` ## Contributing -In lieu of a formal styleguide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality. +In lieu of a formal style guide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality. 1. Fork it 2. Create your feature branch (`git checkout -b my-new-feature`) diff --git a/provisioning/roles/franklinkim.newrelic/defaults/main.yml b/provisioning/roles/franklinkim.newrelic/defaults/main.yml index 7195e1f1c..6ce045658 100644 --- a/provisioning/roles/franklinkim.newrelic/defaults/main.yml +++ b/provisioning/roles/franklinkim.newrelic/defaults/main.yml @@ -20,3 +20,7 @@ newrelic_disable_docker: yes newrelic_service_enabled: yes # current state: started, stopped newrelic_service_state: started +# use default hostname, set a value to override the default hostname +newrelic_override_hostname: ~ +# A series of label_type/label_value pairings: label_type:label_value +newrelic_labels: ~ diff --git a/provisioning/roles/franklinkim.newrelic/meta/main.yml b/provisioning/roles/franklinkim.newrelic/meta/main.yml index a1cbde7de..89849bcf4 100644 --- a/provisioning/roles/franklinkim.newrelic/meta/main.yml +++ b/provisioning/roles/franklinkim.newrelic/meta/main.yml 
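Review bot: The two defaults added at the end of defaults/main.yml use the `~` null spelling while the rest of the file writes values out in words; `newrelic_override_hostname: null` and `newrelic_labels: null` read unambiguously and cannot be mistaken for a placeholder left behind. The comment on the hostname variable is also hard to parse as written; something like `# Leave null to report the system hostname; set a value to report that name to New Relic instead.` states what the variable actually controls. The `newrelic_labels` comment gives the shape of one pair but not how several pairs are separated, which is the thing a caller has to know to use it.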
@@ -3,102 +3,140 @@ galaxy_info: author: franklin company: We Are Interactive description: Installs and configure newrelic - min_ansible_version: 1.9 + min_ansible_version: 2.0 license: MIT + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If travis integration is cofigured, only notification for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + github_branch: master # # Below are all platforms currently available. Just uncomment # the ones that apply to your role. If you don't see your # platform on this list, let us know and we'll get it added! # platforms: - - name: EL - versions: - # - all - # - 5 - # - 6 - - 7 - # - name: GenericUNIX - # versions: - # - all - # - any - # - name: Fedora - # versions: - # - all - # - 16 - # - 17 - # - 18 - # - 19 - # - 20 - # - name: opensuse - # versions: - # - all - # - 12.1 - # - 12.2 - # - 12.3 - # - 13.1 - # - 13.2 - # - name: GenericBSD - # versions: - # - all - # - any - # - name: FreeBSD - # versions: - # - all - # - 8.0 - # - 8.1 - # - 8.2 - # - 8.3 - # - 8.4 - # - 9.0 - # - 9.1 - # - 9.1 - # - 9.2 - - name: Ubuntu - versions: - - all - # - lucid - # - maverick - # - natty - # - oneiric - # - precise - # - quantal - # - raring - # - saucy - # - trusty - # - name: SLES - # versions: - # - all - # - 10SP3 - # - 10SP4 - # - 11 - # - 11SP1 - # - 11SP2 - # - 11SP3 - # - name: GenericLinux - # versions: - # - all - # - any - - name: Debian - versions: - - all - # - etch - # - lenny - # - squeeze - # - wheezy + - name: EL + versions: + - all + # - 5 + # - 6 + # - 7 + #- name: GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: Fedora + # versions: + # - all + # - 16 + # - 
17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + # - 23 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + #- name: GenericBSD + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 10.0 + # - 10.1 + # - 10.2 + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + # - 9.3 + - name: Ubuntu + versions: + - all + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + # - trusty + # - utopic + # - vivid + # - wily + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + #- name: GenericLinux + # versions: + # - all + # - any + - name: Debian + versions: + - all + # - etch + # - jessie + # - lenny + # - squeeze + # - wheezy categories: # - # Below are all categories currently available. Just as with - # the platforms above, uncomment those that apply to your role. - # - # The number of tags imported by Galaxy is limited to 20, - # and tag values containing non-alphanumeric characters will be ignored. - # Tag values containing a : will be split into multiple tags. - # The tag cloud:ec2, for example, will become two tags: cloud and ec2. + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. galaxy_tags: - monitoring - newrelic +# List your role dependencies here, one per line. Only +# dependencies available via galaxy should be listed here. 
+# Be sure to remove the '[]' above if you add dependencies +# to this list. dependencies: [] - # List your role dependencies here, one per line. Only - # dependencies available via galaxy should be listed here. - # Be sure to remove the '[]' above if you add dependencies - # to this list. diff --git a/provisioning/roles/franklinkim.newrelic/templates/etc/newrelic/nrsysmond.cfg.j2 b/provisioning/roles/franklinkim.newrelic/templates/etc/newrelic/nrsysmond.cfg.j2 index 4185604f3..37a8eac3a 100644 --- a/provisioning/roles/franklinkim.newrelic/templates/etc/newrelic/nrsysmond.cfg.j2 +++ b/provisioning/roles/franklinkim.newrelic/templates/etc/newrelic/nrsysmond.cfg.j2 @@ -187,6 +187,9 @@ logfile={{ newrelic_logfile }} # Default: none # #labels=label_type:label_value +{% if newrelic_labels %} +labels={{ newrelic_labels }} +{% endif %} # # Option : disable_nfs @@ -203,3 +206,14 @@ disable_nfs={{ newrelic_disable_nfs | to_nice_json }} # Default: false # disable_docker={{ newrelic_disable_docker | to_nice_json }} + +# +# Option : override_hostname +# Type : string +# Value : Set to a non-empty value to use as the hostname that will be reported to New Relic +# Default: none +# +#hostname=newrelic.com +{% if newrelic_override_hostname %} +hostname={{ newrelic_override_hostname }} +{% endif %} diff --git a/provisioning/roles/geerlingguy.drush/meta/main.yml b/provisioning/roles/geerlingguy.drush/meta/main.yml index 46be0d34d..0e0d58174 100644 --- a/provisioning/roles/geerlingguy.drush/meta/main.yml +++ b/provisioning/roles/geerlingguy.drush/meta/main.yml 
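Review bot: The added `github_branch` comment has a typo, "cofigured" for "configured", in the line `# this branch. If travis integration is cofigured, only notification for this`, and "only notification for this branch" reads better as "only notifications for this branch". The rest of the hunk is a re-indent of the Galaxy skeleton, but it is not purely cosmetic: EL previously listed only `7` and now lists `all`, so the role is advertising support for EL releases it was not claiming before; confirm that widening is intended rather than an artefact of regenerating the file.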
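Review bot: The comment block added in the second hunk (`@@ -203`) labels the directive `Option : override_hostname`, but the line actually emitted is `hostname=…`, so the header should read `# Option : hostname`, with the role variable mentioned separately if it is useful (`# Set via newrelic_override_hostname`). Both hunks render the role variable straight into the agent config, `labels={{ newrelic_labels }}` and `hostname={{ newrelic_override_hostname }}`, with no check on its shape, so a value containing a newline or a ` #` would alter or comment out the lines that follow it in nrsysmond.cfg. Since the values come from play variables rather than remote input this is a robustness point more than an exposure, but an `assert` on the variable format before the template task would make a malformed value fail loudly instead of producing a silently broken config.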
@@ -11,36 +11,36 @@ galaxy_info: license: "license (BSD, MIT)" min_ansible_version: 1.4 platforms: - - name: EL - versions: - - all - - name: GenericUNIX - versions: - - all - - name: Fedora - versions: - - all - - name: opensuse - versions: - - all - - name: GenericBSD - versions: - - all - - name: FreeBSD - versions: - - all - - name: Ubuntu - versions: - - all - - name: SLES - versions: - - all - - name: GenericLinux - versions: - - all - - name: Debian - versions: - - all - categories: + - name: EL + versions: + - all + - name: GenericUNIX + versions: + - all + - name: Fedora + versions: + - all + - name: opensuse + versions: + - all + - name: GenericBSD + versions: + - all + - name: FreeBSD + versions: + - all + - name: Ubuntu + versions: + - all + - name: SLES + versions: + - all + - name: GenericLinux + versions: + - all + - name: Debian + versions: + - all + galaxy_tags: - development - web diff --git a/provisioning/roles/geerlingguy.drush/tasks/main.yml b/provisioning/roles/geerlingguy.drush/tasks/main.yml index 5b907aa64..287fa6505 100644 --- a/provisioning/roles/geerlingguy.drush/tasks/main.yml +++ b/provisioning/roles/geerlingguy.drush/tasks/main.yml @@ -35,3 +35,4 @@ command: "{{ drush_path }}" register: drush_result changed_when: "'Execute a drush command' not in drush_result.stdout" + become: no diff --git a/provisioning/roles/geerlingguy.drush/tests/test.yml b/provisioning/roles/geerlingguy.drush/tests/test.yml index df2c5033f..da27b634a 100644 --- a/provisioning/roles/geerlingguy.drush/tests/test.yml +++ b/provisioning/roles/geerlingguy.drush/tests/test.yml @@ -1,8 +1,11 @@ --- - hosts: localhost remote_user: root + vars: + php_enable_webserver: false php_opcache_enable: "0" + roles: - geerlingguy.php - geerlingguy.composer diff --git a/provisioning/roles/geerlingguy.elasticsearch/meta/main.yml b/provisioning/roles/geerlingguy.elasticsearch/meta/main.yml index 8285a4b94..5be9d380b 100644 
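Review bot: `become: no` on the drush verification task uses the YAML 1.1 truthy spelling; Ansible accepts it, but `become: false` is the form yamllint's `truthy` rule and the rest of this role's boolean values use. The task's `name:` and `command:` lines sit above the hunk, so the reason this one task alone drops privileges is not recoverable from the diff; a one-line comment above `become:` stating why (for example that drush must be checked as the user who will run it, if that is the reason) would save the next reader from having to reconstruct it.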
--- a/provisioning/roles/geerlingguy.elasticsearch/meta/main.yml +++ b/provisioning/roles/geerlingguy.elasticsearch/meta/main.yml @@ -1,6 +1,6 @@ --- dependencies: - - { role: geerlingguy.java } + - geerlingguy.java galaxy_info: author: geerlingguy diff --git a/provisioning/roles/geerlingguy.nginx/README.md b/provisioning/roles/geerlingguy.nginx/README.md index 854fa3294..e19da5b00 100644 --- a/provisioning/roles/geerlingguy.nginx/README.md +++ b/provisioning/roles/geerlingguy.nginx/README.md @@ -41,6 +41,10 @@ An example of a fully-populated nginx_vhosts entry, using a `|` to declare a blo Whether to remove the 'default' virtualhost configuration supplied by Nginx. Useful if you want the base `/` URL to be directed at one of your own virtual hosts configured in a separate .conf file. + nginx_vhosts_filename: "vhosts.conf" + +The filename to use to store vhosts configuration. If you run the role multiple times (e.g. include the role with `with_items`), you can change the name for each run, effectively creating a separate vhosts file per vhost configuration. + nginx_upstreams: [] If you are configuring Nginx as a load balancer, you can define one or more upstream sets using this variable. In addition to defining at least one upstream, you would need to configure one of your server blocks to proxy requests through the defined upstream (e.g. `proxy_pass http://myapp1;`). See the commented example in `defaults/main.yml` for more information. diff --git a/provisioning/roles/geerlingguy.nginx/defaults/main.yml b/provisioning/roles/geerlingguy.nginx/defaults/main.yml index 620dc098e..f0bda616b 100644 --- a/provisioning/roles/geerlingguy.nginx/defaults/main.yml +++ b/provisioning/roles/geerlingguy.nginx/defaults/main.yml 
@@ -45,6 +45,7 @@ nginx_extra_http_options: "" # proxy_set_header Host $http_host; nginx_remove_default_vhost: false +nginx_vhosts_filename: "vhosts.conf" nginx_vhosts: [] # Example vhost below, showing all available options: # - listen: "80 default_server" # default: "80 default_server" diff --git a/provisioning/roles/geerlingguy.nginx/tasks/vhosts.yml b/provisioning/roles/geerlingguy.nginx/tasks/vhosts.yml index 583ff7773..1be63942f 100644 --- a/provisioning/roles/geerlingguy.nginx/tasks/vhosts.yml +++ b/provisioning/roles/geerlingguy.nginx/tasks/vhosts.yml @@ -10,7 +10,7 @@ - name: Add managed vhost config file (if any vhosts are configured). template: src: vhosts.j2 - dest: "{{ nginx_vhost_path }}/vhosts.conf" + dest: "{{ nginx_vhost_path }}/{{ nginx_vhosts_filename }}" mode: 0644 when: nginx_vhosts|length > 0 notify: @@ -18,9 +18,8 @@ - name: Remove managed vhost config file (if no vhosts are configured). file: - path: "{{ nginx_vhost_path }}/vhosts.conf" + path: "{{ nginx_vhost_path }}/{{ nginx_vhosts_filename }}" state: absent when: nginx_vhosts|length == 0 notify: - reload nginx - diff --git a/provisioning/roles/geerlingguy.security/README.md b/provisioning/roles/geerlingguy.security/README.md index 15afb12f1..0c8974b5c 100644 --- a/provisioning/roles/geerlingguy.security/README.md +++ b/provisioning/roles/geerlingguy.security/README.md 
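Review bot: `nginx_vhosts_filename` is spliced into a path in both hunks (`dest:` at `@@ -10` and `path:` at `@@ -18`) with no confinement, so a value such as `../nginx.conf` or an absolute path would write, or in the removal task delete with `state: absent`, a file outside `nginx_vhost_path`. The README introduces the variable as a bare file name, so applying `basename` makes the tasks enforce that: `dest: "{{ nginx_vhost_path }}/{{ nginx_vhosts_filename | basename }}"` and the matching `path:` line. If a silent rewrite of the value is not wanted, an `assert` that it contains no `/` is the stricter alternative.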
@@ -34,10 +34,11 @@ Available variables are listed below, along with default values (see `defaults/m The port through which you'd like SSH to be accessible. The default is port 22, but if you're operating a server on the open internet, and have no firewall blocking access to port 22, you'll quickly find that thousands of login attempts per day are not uncommon. You can change the port to a nonstandard port (e.g. 2849) if you want to avoid these thousands of automated penetration attempts. - security_ssh_password_authentication: 'no' - security_ssh_permit_root_login: 'no' + security_ssh_password_authentication: "no" + security_ssh_permit_root_login: "no" + security_ssh_usedns: "no" -Security settings for SSH authentication. It's best to leave these both set to `'no'`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or both may be safely set to `'yes'`. +Security settings for SSH authentication. It's best to leave these set to `"no"`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or all may be safely set to `'yes'`. security_sudoers_passwordless: [] security_sudoers_passworded: [] 
@@ -48,6 +49,11 @@ A list of users who should be added to the sudoers file so they can run any comm Whether to install/enable `yum-cron` (RedHat-based systems) or `unattended-upgrades` (Debian-based systems). System restarts will not happen automatically in any case, and automatic upgrades are no excuse for sloppy patch and package management, but automatic updates can be helpful as yet another security measure. + security_autoupdate_mail_to: "" + security_autoupdate_mail_on_error: true + +(Debian/Ubuntu only) If `security_autoupdate_mail_to` is set to an non empty value, unattended upgrades will send an e-mail to that address when some error occurs. You may either set this to a full email: `ops@example.com` or to something like `root`, which will use `/etc/aliases` to route the message. If you set `security_autoupdate_mail_on_error` to `false` you'll get an email after every package install. + security_fail2ban_enabled: true Wether to install/enable `fail2ban`. You might not want to use fail2ban if you're already using some other service for login and intrusion detection (e.g. [ConfigServer](http://configserver.com/cp/csf.html)). diff --git a/provisioning/roles/geerlingguy.security/defaults/main.yml b/provisioning/roles/geerlingguy.security/defaults/main.yml index 9954803c9..6caf48817 100644 --- a/provisioning/roles/geerlingguy.security/defaults/main.yml +++ b/provisioning/roles/geerlingguy.security/defaults/main.yml 
@@ -2,9 +2,19 @@ security_ssh_port: 22 security_ssh_password_authentication: "no" security_ssh_permit_root_login: "no" +security_ssh_usedns: "no" +security_ssh_permit_empty_password: "no" +security_ssh_challenge_response_auth: "no" +security_ssh_gss_api_authentication: "no" +security_ssh_x11_forwarding: "no" security_sudoers_passwordless: [] security_sudoers_passworded: [] security_autoupdate_enabled: true + +# Autoupdate mail settings used on Debian/Ubuntu only. +security_autoupdate_mail_to: "" +security_autoupdate_mail_on_error: true + security_fail2ban_enabled: true diff --git a/provisioning/roles/geerlingguy.security/tasks/ssh.yml b/provisioning/roles/geerlingguy.security/tasks/ssh.yml index 57f53f4a2..0f85032c3 100644 --- a/provisioning/roles/geerlingguy.security/tasks/ssh.yml +++ b/provisioning/roles/geerlingguy.security/tasks/ssh.yml @@ -12,6 +12,16 @@ line: "PermitRootLogin {{ security_ssh_permit_root_login }}" - regexp: "^Port" line: "Port {{ security_ssh_port }}" + - regexp: "^UseDNS" + line: "UseDNS {{ security_ssh_usedns }}" + - regexp: "^PermitEmptyPasswords" + line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}" + - regexp: "^ChallengeResponseAuthentication" + line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}" + - regexp: "^GSSAPIAuthentication" + line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}" + - regexp: "^X11Forwarding" + line: "X11Forwarding {{ security_ssh_x11_forwarding }}" notify: restart ssh - name: Add configured user accounts to passwordless sudoers. diff --git a/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2 b/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2 index c1b7d48df..59e01cdbb 100644 --- a/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2 +++ b/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2 
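Review bot: The five new `security_ssh_*` defaults are sshd_config values that are deliberately quoted strings, but nothing in the file says so; a consumer who overrides `security_ssh_x11_forwarding: no` unquoted gets the boolean `False`, which the `lineinfile` template in tasks/ssh.yml renders as `X11Forwarding False` rather than the documented `no`. A comment above the group, `# sshd_config values; keep them quoted ("no"/"yes") so YAML does not turn them into booleans.`, documents that contract the way the mail settings below already get a comment. `security_ssh_permit_empty_password` is also singular while the directive it sets is `PermitEmptyPasswords`; renaming is a compatibility question, so at least the comment could name the directive.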
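Review bot: The new entries extend a `lineinfile` loop whose module call and any `insertafter`/`insertbefore` settings sit above the hunk, so the diff does not show where a directive that is not already present in sshd_config ends up; with the module default it is appended at end of file, and on a config that ends with a `Match` block an appended `PermitEmptyPasswords no` or `X11Forwarding no` applies only inside that block rather than globally. If the loop does not already pin placement, `insertbefore: "^Match"` on the call keeps the new lines in the global section, and `validate: "sshd -t -f %s"` would reject a broken result before `restart ssh` fires and locks out the session. The regexps themselves are anchored and will not match the commented `#ChallengeResponseAuthentication` style defaults, which is consistent with how the existing `^Port` and `^PermitRootLogin` entries behave.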
@@ -1,5 +1,12 @@ Unattended-Upgrade::Automatic-Reboot "false"; +{% if security_autoupdate_mail_to %} +Unattended-Upgrade::Mail "{{ security_autoupdate_mail_to }}"; +{% if security_autoupdate_mail_on_error %} +Unattended-Upgrade::MailOnlyOnError "true"; +{% endif %} +{% endif %} + Unattended-Upgrade::Allowed-Origins { "${distro_id} ${distro_codename}-security"; // "${distro_id} ${distro_codename}-updates";
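Review bot: `security_autoupdate_mail_to` is interpolated into a double-quoted APT string, `Unattended-Upgrade::Mail "{{ security_autoupdate_mail_to }}";`, with no escaping, so a value containing `"` or `;` produces a file apt cannot parse and unattended-upgrades stops applying updates until someone notices. The value is a play variable rather than remote input, so this is a robustness concern; an `assert` that the address contains neither character would surface a bad value at play time instead. The two nested `{% if %}` blocks are written flat, which hides that `MailOnlyOnError` depends on a recipient being set; indenting the inner block or adding `{# MailOnlyOnError is meaningful only when a recipient is configured #}` makes the nesting readable.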