diff --git a/CHANGELOG.md b/CHANGELOG.md index 655384e2..af54a0d8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -15,7 +15,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Breaking Changes -* **role:apache_httpd, role:apache_tomcat, role:mastodon, role:postgresql_server**: Rename tags to the project-wide naming scheme. `apache_httpd:config` becomes `apache_httpd:configure`, and `apache_tomcat:users`, `mastodon:users`, `postgresql_server:users` and `postgresql_server:databases` lose their trailing `s` (`...:user`, `...:database`). Adjust any `--tags` / `--skip-tags` invocations and automation that reference the old tag names. +* **role:sshd**: Ship hardened SSH defaults that change the behaviour of existing installations on the next run: X11 forwarding, agent forwarding and TCP keepalives are now off, `MaxAuthTries` is lowered to `3`, `ClientAliveCountMax` to `2`, and `LogLevel` is raised to `VERBOSE`. Sessions relying on X11 or agent forwarding stop working, and a client offering more than three keys from its SSH agent can be locked out. Restore the previous behaviour where needed via the new variables: `sshd__x11_forwarding: true`, `sshd__allow_agent_forwarding: true`, `sshd__tcp_keep_alive: true`, `sshd__max_auth_tries: 6`, `sshd__client_alive_count_max: 3`, `sshd__log_level: 'INFO'`. Additionally configurable are `sshd__allow_tcp_forwarding` and `sshd__max_sessions`. +* **role:apache_httpd, role:apache_solr, role:freeipa_server, role:grav, role:icingaweb2, role:influxdb, role:mariadb_server, role:mongodb, role:nextcloud, role:opensearch**: Align section tags to the controlled vocabulary, which uses plural names for sections that manage multiple objects. The `:user` tags become `:users`, the `:database` tags become `:databases`, and `apache_httpd:config` becomes `apache_httpd:configure`. Adjust any `--tags` / `--skip-tags` invocations and automation that reference the old tag names. 
* **role:minio_client, role:objectstore_backup**: Both roles and their playbooks (`playbooks/minio_client.yml`, `playbooks/objectstore_backup.yml`) have been removed, along with the corresponding role blocks in `playbooks/setup_nextcloud.yml` and the `setup_nextcloud__skip_minio_client` / `setup_nextcloud__skip_objectstore_backup` variables. MinIO Server has been archived as no-longer-maintained since February 2026, and we are moving away from using object storage for critical data. Users relying on these roles must replace the MinIO-based object-store backup with their own solution (e.g. `rclone`); the `mc` binary, its config under `/etc/mc/`, the `objectstore-backup` systemd timer/service, and `/usr/local/bin/mc-mirror.sh` are no longer managed by lfops and will remain on existing hosts until removed manually ([#241](https://github.com/Linuxfabrik/lfops/issues/241)). * **role:infomaniak_vm**: Always create a managed port for every entry in `infomaniak_vm__networks`, even when no `fixed_ip` is set. Previously only networks with a `fixed_ip` got a managed port; networks without one relied on OpenStack's auto-created port. To avoid creating unused (but billed) managed ports on VMs provisioned under the old behavior, make sure to manually rename the existing port in OpenStack to match the `port_name`. Note that this port will not survive VM deletion / detachment, since it was automatically created and therefore is owned by OpenStack, not the user. 
@@ -72,7 +73,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * **role:icinga2_master, role:icingadb**: Validate the Icinga 2 configuration before restarting the service. A faulty config now fails the playbook run loudly instead of bouncing the daemon into a broken state and leaving Icinga 2 down. * **role:nextcloud**: Automatic app updates are now enabled by default (`nextcloud__timer_app_update_enabled`). The scheduled app update only switches Nextcloud into maintenance mode when an app update is actually pending, so an instance that is already up to date keeps serving requests without interruption. After updating, the recommended database migrations are applied automatically. A failed run no longer leaves the instance stuck in maintenance mode. * **role:clamav**: Now runs on Debian and Ubuntu in addition to Red Hat-family systems, and works on RHEL 10. The role seeds the signature database on first install so the scanner starts reliably, and runs an EICAR self-test (also available on its own via the `clamav:test` tag) that confirms detection actually works. -* **role:sshd**: Ship hardened SSH defaults: X11 forwarding, agent forwarding and TCP keepalives are now off, `MaxAuthTries` is `3`, `ClientAliveCountMax` is `2`, and the log level is `VERBOSE`. All are overridable via the new `sshd__allow_agent_forwarding`, `sshd__allow_tcp_forwarding`, `sshd__client_alive_count_max`, `sshd__max_auth_tries`, `sshd__max_sessions`, `sshd__tcp_keep_alive` and `sshd__x11_forwarding` variables. Note: a client offering more than three keys from its SSH agent can be rejected by `MaxAuthTries 3`; use an explicit identity on the client or raise `sshd__max_auth_tries`. * **role:acme_sh**: Issue ECDSA P-256 certificates by default instead of RSA-4096, for faster TLS handshakes at equivalent security. Certificates previously issued as RSA are reissued as ECDSA on the next run, and the superseded RSA certificate is dropped from renewal. 
Set `acme_sh__key_length` to an RSA value such as `4096` to keep RSA. * **playbooks**: Enable the CRB repository on Rocky 10 too, not just Rocky 9. Previously Rocky 10 hosts silently skipped this step, which could leave dependencies such as `python3-virtualenv` uninstallable. * **role:grafana**: Apply the systemd/chkconfig workaround on RHEL 10 as well, not just RHEL 9. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b7d60894..e2b36537 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -401,7 +401,7 @@ LFOps overrides the project-agnostic "Changelog" rule above (alphabetical sortin #### Tags * Naming scheme: `role_name` and `role_name:section`. For example `apache_httpd` and `apache_httpd:vhosts`. -* The role should only do what one expects from the tag name. For example, the `mariadb:user` tag only manages MariaDB users. +* The role should only do what one expects from the tag name. For example, the `mariadb:users` tag only manages MariaDB users. * The README of a role should provide a list of the available tags and what they do. * The tags should be set in the role itself. Do not set them in the playbook. * Blocks/tasks that install base packages do not require tags such as `apache:pkgs`, `apache:setup` or `apache:install`. There is no real world scenario where it makes sense to only run the installation via Ansible, some configuration is always required. 
@@ -414,7 +414,7 @@ Controlled vocabulary of standard `role_name:section` tags (alphabetical): * `role_name:configure`: Renders and deploys the role's configuration files and applies settings. The most common section; everything that is neither install, state, nor one of the more specific sections below belongs here. * `role_name:containers`: Manages the role's containers and their systemd container units. * `role_name:cron`: Deploys the role's scheduled jobs (cron entries or systemd timers). -* `role_name:database`: Creates, updates and deletes the databases managed by the role. +* `role_name:databases`: Creates, updates and deletes the databases managed by the role. * `role_name:dump`: Sets up scheduled dumps / backups of the role's data. * `role_name:enroll`: Registers (enrolls) the node with a remote service or controller. * `role_name:firewalls`: Manages the cloud provider firewall / security-group rules (VM provisioning roles). @@ -426,7 +426,7 @@ Controlled vocabulary of standard `role_name:section` tags (alphabetical): * `role_name:state`: Manages the runtime state of the role's services, timers and sockets (start / stop / enable / disable). * `role_name:update`: Updates the managed application to a newer version. * `role_name:upgrade`: Runs the post-update migration / upgrade steps after the package itself was updated. -* `role_name:user`: Creates, updates and deletes the application or service user accounts managed by the role. +* `role_name:users`: Creates, updates and deletes the application or service user accounts managed by the role. The Ansible built-in tags `always` and `never` are reserved for their built-in meaning: tag the platform-variable loading and `assert` validation tasks with `always` so the variables and checks are present even when the role runs with a specific `--tags` selection. diff --git a/playbooks/README.md b/playbooks/README.md index a34ccf51..63dab9aa 100644 --- a/playbooks/README.md +++ b/playbooks/README.md 
@@ -171,6 +171,7 @@ Calls the following roles (in order): Calls the following roles (in order): +* [kernel_settings](https://github.com/Linuxfabrik/lfops/tree/main/roles/kernel_settings): `core_dumps__skip_kernel_settings` * [core_dumps](https://github.com/Linuxfabrik/lfops/tree/main/roles/core_dumps) @@ -1008,6 +1009,7 @@ Calls the following roles (in order): * [policycoreutils](https://github.com/Linuxfabrik/lfops/tree/main/roles/policycoreutils): `setup_basic__skip_policycoreutils` * [selinux](https://github.com/Linuxfabrik/lfops/tree/main/roles/selinux): `setup_basic__skip_selinux` * [kernel_modules](https://github.com/Linuxfabrik/lfops/tree/main/roles/kernel_modules): `setup_basic__skip_kernel_modules` +* [kernel_settings](https://github.com/Linuxfabrik/lfops/tree/main/roles/kernel_settings): `setup_basic__skip_kernel_settings` * [core_dumps](https://github.com/Linuxfabrik/lfops/tree/main/roles/core_dumps): `setup_basic__skip_core_dumps` * [systemd_journald](https://github.com/Linuxfabrik/lfops/tree/main/roles/systemd_journald): `setup_basic__skip_systemd_journald` * [hostname](https://github.com/Linuxfabrik/lfops/tree/main/roles/hostname): `setup_basic__skip_hostname` diff --git a/playbooks/core_dumps.yml b/playbooks/core_dumps.yml index 1b8e6a1f..877b09e1 100644 --- a/playbooks/core_dumps.yml +++ b/playbooks/core_dumps.yml @@ -18,6 +18,11 @@ roles: + - role: 'linuxfabrik.lfops.kernel_settings' + kernel_settings__sysctl__dependent_var: '{{ core_dumps__kernel_settings__sysctl__dependent_var | d([]) }}' + when: + - 'not core_dumps__skip_kernel_settings | d(false)' + - role: 'linuxfabrik.lfops.core_dumps' diff --git a/playbooks/setup_basic.yml b/playbooks/setup_basic.yml index a02fd462..d59e10f0 100644 --- a/playbooks/setup_basic.yml +++ b/playbooks/setup_basic.yml 
@@ -57,6 +57,13 @@ when: - 'not setup_basic__skip_kernel_modules | d(false)' + - role: 'linuxfabrik.lfops.kernel_settings' + kernel_settings__sysctl__dependent_var: '{{ + (not setup_basic__skip_core_dumps | d(false)) | ternary(core_dumps__kernel_settings__sysctl__dependent_var, []) | d([]) + }}' + when: + - 'not setup_basic__skip_kernel_settings | d(false)' + - role: 'linuxfabrik.lfops.core_dumps' when: - 'not setup_basic__skip_core_dumps | d(false)' diff --git a/roles/apache_solr/README.md b/roles/apache_solr/README.md index 82b8e1b8..47d8a18e 100644 --- a/roles/apache_solr/README.md +++ b/roles/apache_solr/README.md @@ -31,7 +31,7 @@ Any [LFOps playbook](https://github.com/Linuxfabrik/lfops/blob/main/playbooks/RE * Manages the state of `solr.service`. * Triggers: none. -`apache_solr:user` +`apache_solr:users` * Generates hashed passwords and deploys `security.json`. * Triggers: solr.service restart. diff --git a/roles/apache_solr/tasks/main.yml b/roles/apache_solr/tasks/main.yml index 8df22b55..2ce10c63 100644 --- a/roles/apache_solr/tasks/main.yml +++ b/roles/apache_solr/tasks/main.yml @@ -199,4 +199,4 @@ tags: - 'apache_solr' - - 'apache_solr:user' + - 'apache_solr:users' diff --git a/roles/apache_tomcat/README.md b/roles/apache_tomcat/README.md index ec5d151d..97c632a8 100644 --- a/roles/apache_tomcat/README.md +++ b/roles/apache_tomcat/README.md @@ -151,7 +151,7 @@ ansible-playbook --inventory=myinv linuxfabrik.lfops.shell * Configure access to optional web apps. * Triggers: tomcat.service restart. -`apache_tomcat:user` +`apache_tomcat:users` * Create users and roles. * Triggers: tomcat.service restart. diff --git a/roles/apache_tomcat/tasks/main.yml b/roles/apache_tomcat/tasks/main.yml index 3e086bfe..bd733209 100644 --- a/roles/apache_tomcat/tasks/main.yml +++ b/roles/apache_tomcat/tasks/main.yml @@ -42,7 +42,7 @@ tags: - 'apache_tomcat' - 'apache_tomcat:configure' - - 'apache_tomcat:user' + - 'apache_tomcat:users' - 'apache_tomcat:state' 
@@ -178,7 +178,7 @@ tags: - 'apache_tomcat' - - 'apache_tomcat:user' + - 'apache_tomcat:users' - block: diff --git a/roles/core_dumps/README.md b/roles/core_dumps/README.md index 8b4c5717..09c1df6f 100644 --- a/roles/core_dumps/README.md +++ b/roles/core_dumps/README.md @@ -11,10 +11,17 @@ This role hardens a system by disabling core dumps. Core dumps can leak sensitiv The role disables core dumps through the three mechanisms a modern Linux system uses, following the CIS Benchmark recommendations: * `* hard core 0` in `/etc/security/limits.d/` stops the shell / PAM from writing core dumps. -* `fs.suid_dumpable = 0` (sysctl) prevents core dumps of setuid / setgid processes. +* `fs.suid_dumpable = 0` (sysctl) prevents core dumps of setuid / setgid processes. This value is not written by this role directly; it is handed to the `kernel_settings` role, which owns sysctl management. * `Storage=none` and `ProcessSizeMax=0` in `/etc/systemd/coredump.conf.d/` keep `systemd-coredump` from storing core dumps. -The `hard core` limit applies to login sessions started after the change. The sysctl value is applied immediately via `sysctl --system`. +The `hard core` limit applies to login sessions started after the change. + + +## Dependent Roles + +Any LFOps playbook that installs this role runs these for you. Optional ones can be disabled via the playbook's skip variables. + +* The `fs.suid_dumpable` sysctl is applied through the `kernel_settings` role (role: [kernel_settings](https://github.com/Linuxfabrik/lfops/tree/main/roles/kernel_settings)). ## Tags @@ -22,7 +29,7 @@ The `hard core` limit applies to login sessions started after the change. The sy `core_dumps` * Deploys the core dump configuration. -* Triggers: `sysctl --system`. +* Triggers: none. ## Optional Role Variables 
@@ -33,12 +40,6 @@ The `hard core` limit applies to login sessions started after the change. The sy * Type: Number. * Default: `0` -`core_dumps__sysctl_suid_dumpable` - -* The `fs.suid_dumpable` sysctl value. `0` prevents core dumps of setuid / setgid processes. -* Type: Number. -* Default: `0` - `core_dumps__systemd_process_size_max` * The `ProcessSizeMax` value in `/etc/systemd/coredump.conf.d/`. `0` disables processing of core dumps by `systemd-coredump`. @@ -55,7 +56,6 @@ Example: ```yaml # optional core_dumps__limits_hard_core: 0 -core_dumps__sysctl_suid_dumpable: 0 core_dumps__systemd_process_size_max: 0 core_dumps__systemd_storage: 'none' ``` diff --git a/roles/core_dumps/defaults/main.yml b/roles/core_dumps/defaults/main.yml index 7515ffb2..369bb8aa 100644 --- a/roles/core_dumps/defaults/main.yml +++ b/roles/core_dumps/defaults/main.yml @@ -1,4 +1,10 @@ core_dumps__limits_hard_core: 0 -core_dumps__sysctl_suid_dumpable: 0 core_dumps__systemd_process_size_max: 0 core_dumps__systemd_storage: 'none' + +# Injected into the kernel_settings role by the playbook, so that fs.suid_dumpable +# is managed through the single sysctl path provided by kernel_settings. Override via +# kernel_settings__sysctl__host_var / __group_var if a non-zero value is ever needed. +core_dumps__kernel_settings__sysctl__dependent_var: + - name: 'fs.suid_dumpable' + value: 0 diff --git a/roles/core_dumps/handlers/main.yml b/roles/core_dumps/handlers/main.yml deleted file mode 100644 index 2ea76c2b..00000000 --- a/roles/core_dumps/handlers/main.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: 'core_dumps: sysctl --system' - ansible.builtin.command: 'sysctl --system' diff --git a/roles/core_dumps/meta/argument_specs.yml b/roles/core_dumps/meta/argument_specs.yml index 406fa245..b66cded3 100644 --- a/roles/core_dumps/meta/argument_specs.yml +++ b/roles/core_dumps/meta/argument_specs.yml 
@@ -10,18 +10,6 @@ argument_specs: `hard core` limit in `/etc/security/limits.d/`. `0` disables core dumps for all users. - core_dumps__sysctl_suid_dumpable: - type: 'int' - required: false - default: 0 - choices: - - 0 - - 1 - - 2 - description: >- - `fs.suid_dumpable` sysctl. `0` prevents core dumps of setuid / - setgid processes. - core_dumps__systemd_process_size_max: type: 'int' required: false diff --git a/roles/core_dumps/tasks/main.yml b/roles/core_dumps/tasks/main.yml index 6253a2b7..e8fdbf6f 100644 --- a/roles/core_dumps/tasks/main.yml +++ b/roles/core_dumps/tasks/main.yml @@ -9,15 +9,8 @@ group: 'root' mode: 0o644 - - name: 'Deploy /etc/sysctl.d/linuxfabrik-core-dumps.conf' - ansible.builtin.template: - backup: true - src: 'etc/sysctl.d/linuxfabrik-core-dumps.conf.j2' - dest: '/etc/sysctl.d/linuxfabrik-core-dumps.conf' - owner: 'root' - group: 'root' - mode: 0o644 - notify: 'core_dumps: sysctl --system' + # fs.suid_dumpable is set via the kernel_settings role (see the playbook), + # not here, so sysctl management stays in a single place. - name: 'mkdir -p /etc/systemd/coredump.conf.d' ansible.builtin.file: diff --git a/roles/core_dumps/templates/etc/sysctl.d/linuxfabrik-core-dumps.conf.j2 b/roles/core_dumps/templates/etc/sysctl.d/linuxfabrik-core-dumps.conf.j2 deleted file mode 100644 index b6d1fc42..00000000 --- a/roles/core_dumps/templates/etc/sysctl.d/linuxfabrik-core-dumps.conf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# {{ ansible_managed }} -# 2026060601 - -fs.suid_dumpable = {{ core_dumps__sysctl_suid_dumpable }} diff --git a/roles/example/README.md b/roles/example/README.md index 26253955..95c7c4a4 100644 --- a/roles/example/README.md +++ b/roles/example/README.md @@ -145,7 +145,7 @@ The example role is a single standalone service, so it has no walkthrough. * Manages optional example plugins (install/remove). * Triggers: none. -`example:user` +`example:users` * Manages application users via the REST API. * Triggers: none. 
diff --git a/roles/example/defaults/main.yml b/roles/example/defaults/main.yml index 647b2cd5..5cca9543 100644 --- a/roles/example/defaults/main.yml +++ b/roles/example/defaults/main.yml @@ -39,10 +39,7 @@ example__maintenance_cron_minute: '{{ 59 | random(seed=inventory_hostname) }}' example__service_enabled: true example__service_state: 'started' -# recommended-but-optional: gates the backup cron. empty default = no backups taken. example__backup_target: '' - -# simple config directive, used to demonstrate the variable-subgroup README section. example__conf_tls_protocols: 'TLSv1.2 TLSv1.3' diff --git a/roles/example/tasks/main.yml b/roles/example/tasks/main.yml index 2db21f64..b63d4ca3 100644 --- a/roles/example/tasks/main.yml +++ b/roles/example/tasks/main.yml @@ -458,7 +458,7 @@ tags: - 'example' - - 'example:user' + - 'example:users' - block: @@ -473,4 +473,4 @@ - 'example:configure' - 'example:plugins' - 'example:state' - - 'example:user' + - 'example:users' diff --git a/roles/freeipa_server/README.md b/roles/freeipa_server/README.md index 60994f23..14614cb6 100644 --- a/roles/freeipa_server/README.md +++ b/roles/freeipa_server/README.md @@ -78,7 +78,7 @@ Manual steps: * Deploys `/etc/systemd/system/pki-tomcatd@.service.d/override.conf`. * Triggers: none. -`freeipa_server:user` +`freeipa_server:users` * Manages FreeIPA users and their group memberships. * Triggers: none. diff --git a/roles/freeipa_server/tasks/main.yml b/roles/freeipa_server/tasks/main.yml index 1fd8c589..e09e9e56 100644 --- a/roles/freeipa_server/tasks/main.yml +++ b/roles/freeipa_server/tasks/main.yml @@ -195,7 +195,7 @@ tags: - 'freeipa_server' - 'freeipa_server:configure' - - 'freeipa_server:user' + - 'freeipa_server:users' # HBAC rule management diff --git a/roles/grav/README.md b/roles/grav/README.md index 3411ea37..42f9bcb1 100644 --- a/roles/grav/README.md +++ b/roles/grav/README.md 
@@ -61,7 +61,7 @@ Any [LFOps playbook](https://github.com/Linuxfabrik/lfops/blob/main/playbooks/RE * `systemctl enable/disable grav-update.timer --now`. * Triggers: none. -`grav:user` +`grav:users` * Install the Administration Panel plugin for Grav. * Create Grav User Accounts. diff --git a/roles/grav/tasks/main.yml b/roles/grav/tasks/main.yml index dc4b92d5..8e80072b 100644 --- a/roles/grav/tasks/main.yml +++ b/roles/grav/tasks/main.yml @@ -114,7 +114,7 @@ - 'not grav__skip_admin' tags: - 'grav' - - 'grav:user' + - 'grav:users' - block: diff --git a/roles/icingaweb2/README.md b/roles/icingaweb2/README.md index 50310a3c..d59cafd0 100644 --- a/roles/icingaweb2/README.md +++ b/roles/icingaweb2/README.md @@ -41,7 +41,7 @@ Manual steps: * Deploys `/etc/icingaweb2/resources.ini`. * Triggers: none. -`icingaweb2:user` +`icingaweb2:users` * Creates user accounts and deploys the role config. * Triggers: none. diff --git a/roles/icingaweb2/tasks/main.yml b/roles/icingaweb2/tasks/main.yml index 0acec317..14234afa 100644 --- a/roles/icingaweb2/tasks/main.yml +++ b/roles/icingaweb2/tasks/main.yml @@ -6,7 +6,7 @@ - 'icingaweb2' - 'icingaweb2:configure' - 'icingaweb2:resources' - - 'icingaweb2:user' + - 'icingaweb2:users' - block: @@ -239,4 +239,4 @@ tags: - 'icingaweb2' - - 'icingaweb2:user' + - 'icingaweb2:users' diff --git a/roles/influxdb/README.md b/roles/influxdb/README.md index 65676687..057aef2a 100644 --- a/roles/influxdb/README.md +++ b/roles/influxdb/README.md @@ -27,7 +27,7 @@ Any [LFOps playbook](https://github.com/Linuxfabrik/lfops/blob/main/playbooks/RE * Deploys the /etc/influxdb/influxdb.conf config file. * Triggers: influxdb.service restart. -`influxdb:database` +`influxdb:databases` * Creates or deletes InfluxDB databases. * Triggers: none. 
@@ -42,7 +42,7 @@ Any [LFOps playbook](https://github.com/Linuxfabrik/lfops/blob/main/playbooks/RE * Manages the state of the InfluxDB service. * Triggers: none. -`influxdb:user` +`influxdb:users` * Creates, updates or deletes InfluxDB users. * Triggers: none. diff --git a/roles/influxdb/tasks/main.yml b/roles/influxdb/tasks/main.yml index bbf91fff..65995fdb 100644 --- a/roles/influxdb/tasks/main.yml +++ b/roles/influxdb/tasks/main.yml @@ -181,7 +181,7 @@ tags: - 'influxdb' - - 'influxdb:database' + - 'influxdb:databases' - name: 'Create, update or delete influxdb users' @@ -200,4 +200,4 @@ ansible_python_interpreter: '/opt/python-venv/influxdb/bin/python3' tags: - 'influxdb' - - 'influxdb:user' + - 'influxdb:users' diff --git a/roles/mariadb_server/README.md b/roles/mariadb_server/README.md index e90163fa..eb6638a5 100644 --- a/roles/mariadb_server/README.md +++ b/roles/mariadb_server/README.md @@ -74,7 +74,7 @@ Manual steps: * Deploys the keyfile for the [File Key Management Encryption Plugin](https://mariadb.com/kb/en/file-key-management-encryption-plugin/) and restarts MariaDB if necessary. * Triggers: mariadb.service restart. -`mariadb_server:database` +`mariadb_server:databases` * Create or delete mariadb databases. * Triggers: none. @@ -121,7 +121,7 @@ Manual steps: * Must be explicitly called. * Triggers: mariadb.service restart. -`mariadb_server:user` +`mariadb_server:users` * Create DBA. * Create, update or delete MariaDB users. diff --git a/roles/mariadb_server/tasks/main.yml b/roles/mariadb_server/tasks/main.yml index b97a168c..8b33cc5f 100644 --- a/roles/mariadb_server/tasks/main.yml +++ b/roles/mariadb_server/tasks/main.yml 
@@ -112,14 +112,14 @@ - 'mariadb_server:clone_datadir' - 'mariadb_server:configure' - 'mariadb_server:dare' - - 'mariadb_server:database' + - 'mariadb_server:databases' - 'mariadb_server:dump' - 'mariadb_server:galera_new_cluster' - 'mariadb_server:secure_installation' - 'mariadb_server:state' - 'mariadb_server:sys_schema' - 'mariadb_server:upgrade' - - 'mariadb_server:user' + - 'mariadb_server:users' - block: @@ -488,7 +488,7 @@ tags: - 'mariadb_server' - - 'mariadb_server:user' + - 'mariadb_server:users' # mysql_secure_installation including some CIS hardenings @@ -726,7 +726,7 @@ tags: - 'mariadb_server' - - 'mariadb_server:database' + - 'mariadb_server:databases' # user management @@ -801,7 +801,7 @@ tags: - 'mariadb_server' - - 'mariadb_server:user' + - 'mariadb_server:users' # sys schema @@ -888,10 +888,10 @@ tags: - 'mariadb_server' - 'mariadb_server:configure' - - 'mariadb_server:database' + - 'mariadb_server:databases' - 'mariadb_server:dump' - 'mariadb_server:secure_installation' - 'mariadb_server:state' - 'mariadb_server:sys_schema' - 'mariadb_server:upgrade' - - 'mariadb_server:user' + - 'mariadb_server:users' diff --git a/roles/mastodon/README.md b/roles/mastodon/README.md index 4ab80ae0..d93c536c 100644 --- a/roles/mastodon/README.md +++ b/roles/mastodon/README.md @@ -64,7 +64,7 @@ Manual steps: * Deploys the Elasticsearch indices. * Triggers: none. -`mastodon:user` +`mastodon:users` * Creates Mastodon users. * Triggers: none. diff --git a/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml index 6956b442..4487b320 100644 --- a/roles/mastodon/tasks/main.yml +++ b/roles/mastodon/tasks/main.yml @@ -77,4 +77,4 @@ tags: - 'mastodon' - - 'mastodon:user' + - 'mastodon:users' diff --git a/roles/mongodb/README.md b/roles/mongodb/README.md index e88c7652..cfed9f4c 100644 --- a/roles/mongodb/README.md +++ b/roles/mongodb/README.md 
@@ -55,7 +55,7 @@ To setup a replica set from scratch: * Manages the state of the mongod service. * Triggers: none. -`mongodb:user` +`mongodb:users` * Manages the MongoDB users. * Triggers: none. diff --git a/roles/mongodb/tasks/main.yml b/roles/mongodb/tasks/main.yml index 241b00c8..2e28b8a6 100644 --- a/roles/mongodb/tasks/main.yml +++ b/roles/mongodb/tasks/main.yml @@ -172,7 +172,7 @@ tags: - 'mongodb' - 'mongodb:dump' - - 'mongodb:user' + - 'mongodb:users' - 'mongodb:status' - block: @@ -224,7 +224,7 @@ - 'mongodb__is_writable_primary_result["transformed_output"]' tags: - 'mongodb' - - 'mongodb:user' + - 'mongodb:users' - block: @@ -254,7 +254,7 @@ tags: - 'mongodb' - 'mongodb:dump' - - 'mongodb:user' + - 'mongodb:users' - block: diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml index 2c5e5f00..46990d3c 100644 --- a/roles/nextcloud/tasks/main.yml +++ b/roles/nextcloud/tasks/main.yml @@ -216,7 +216,7 @@ tags: - 'nextcloud' - - 'nextcloud:user' + - 'nextcloud:users' - block: diff --git a/roles/opensearch/README.md b/roles/opensearch/README.md index f84879e6..e56198a0 100644 --- a/roles/opensearch/README.md +++ b/roles/opensearch/README.md @@ -228,7 +228,7 @@ curl 'https://localhost:9200' --user admin:your-password --insecure * Manages the state of the OpenSearch service (`systemctl enable/disable --now`). * Triggers: none. -`opensearch:user` +`opensearch:users` * Manages internal users (generates hashed passwords, deploys `internal_users.yml`). * Triggers: opensearch.service restart, `securityadmin.sh`. diff --git a/roles/opensearch/tasks/main.yml b/roles/opensearch/tasks/main.yml index 30f2d290..e4ab796b 100644 --- a/roles/opensearch/tasks/main.yml +++ b/roles/opensearch/tasks/main.yml @@ -156,7 +156,7 @@ tags: - 'opensearch' - 'opensearch:configure' - - 'opensearch:user' + - 'opensearch:users' notify: 'opensearch: /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh ...' when: 
@@ -183,7 +183,7 @@ tags: - 'opensearch' - 'opensearch:configure' - - 'opensearch:user' + - 'opensearch:users' # this is completely unrelated to the rest of the tasks, just a convenience feature to help the admin generate TLS certificates. diff --git a/roles/php/templates/etc/php-fpm.d/Debian-pool.conf.j2 b/roles/php/templates/etc/php-fpm.d/Debian-pool.conf.j2 index 8c31121d..3aef6674 100644 --- a/roles/php/templates/etc/php-fpm.d/Debian-pool.conf.j2 +++ b/roles/php/templates/etc/php-fpm.d/Debian-pool.conf.j2 @@ -1,6 +1,6 @@ #jinja2:block_start_string:'[%', block_end_string:'%]' ; {{ ansible_managed }} -; 2026012901 +; 2026060901 [% if item["by_role"] | default() %] ; Generated by Ansible role: {{ item["by_role"] }} [% endif %] @@ -466,7 +466,10 @@ request_terminate_timeout = {{ php__fpm_pool_conf_request_terminate_timeout__com ; the current environment. ; Default Value: clean env ;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin +; A defined PATH is required so PHP code can locate system binaries via getenv("PATH"). +; With clear_env at its default (yes) the worker environment is emptied, leaving +; getenv("PATH") empty, which trips tools that shell out and Nextcloud's "PHP getenv" setup check. +env[PATH] = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ;env[TMP] = /tmp ;env[TMPDIR] = /tmp ;env[TEMP] = /tmp diff --git a/roles/postgresql_server/README.md b/roles/postgresql_server/README.md index 8920ec02..a2ea64a7 100644 --- a/roles/postgresql_server/README.md +++ b/roles/postgresql_server/README.md @@ -26,12 +26,12 @@ Any [LFOps playbook](https://github.com/Linuxfabrik/lfops/blob/main/playbooks/RE * Manages the state of the PostgreSQL service. * Triggers: none. -`postgresql_server:user` +`postgresql_server:users` * Creates, updates and deletes PostgreSQL users. * Triggers: none. -`postgresql_server:database` +`postgresql_server:databases` * Creates, updates and deletes PostgreSQL databases. * Triggers: none. 
diff --git a/roles/postgresql_server/tasks/main.yml b/roles/postgresql_server/tasks/main.yml index a2238fa2..904c8f8b 100644 --- a/roles/postgresql_server/tasks/main.yml +++ b/roles/postgresql_server/tasks/main.yml @@ -137,7 +137,7 @@ tags: - 'postgresql_server' - - 'postgresql_server:user' + - 'postgresql_server:users' - block: @@ -159,7 +159,7 @@ tags: - 'postgresql_server' - - 'postgresql_server:database' + - 'postgresql_server:databases' - block:
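Review bot: The new `Breaking Changes` entry in the `@@ -15,7 +15,8 @@` CHANGELOG hunk does not list every role whose tags this patch renames: `apache_tomcat`, `mastodon`, `postgresql_server`, `example` and `nextcloud`'s task file all move from `:user` / `:database` to `:users` / `:databases` in the hunks below, but only `nextcloud` appears in the role list. If `apache_tomcat`, `mastodon` and `postgresql_server` are omitted because they simply return to the plural names the last release shipped (the removed entry had renamed them to singular), say so in the entry; otherwise add them. The same hunk also says nothing about the removal of `core_dumps__sysctl_suid_dumpable` (defaults, `argument_specs.yml` and README further down), which silently stops honouring an existing override; a one-line entry pointing to `kernel_settings__sysctl__host_var` / `__group_var` would cover it.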
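Review bot: The client-side mitigation for the `MaxAuthTries 3` lockout is lost in the `@@ -72,7 +73,6 @@` CHANGELOG hunk: the removed `role:sshd` line advised "use an explicit identity on the client or raise `sshd__max_auth_tries`", whereas the replacement entry under Breaking Changes only lists the server-side variables that restore the old behaviour. Keep the client-side advice (an explicit `IdentityFile` plus `IdentitiesOnly yes` in the client config) so that operators are not steered toward weakening the limit for every client when one agent offers too many keys.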
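Review bot: Running `playbooks/core_dumps.yml` now also executes the full `kernel_settings` role (hunk `@@ -18,6 +18,11 @@`), which means the playbook applies whatever `kernel_settings__sysctl__host_var` / `__group_var` define for the host, not only `fs.suid_dumpable`. That widens the scope of a playbook named after one hardening item; document it in the `playbooks/README.md` entry for `core_dumps` (the hunk there only adds the role link and `core_dumps__skip_kernel_settings`) so that operators know what else changes when they run it.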
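Review bot: In the `playbooks/setup_basic.yml` hunk the trailing `| d([])` guards the result of `ternary()`, not its arguments; Jinja evaluates both branches of `ternary(core_dumps__kernel_settings__sysctl__dependent_var, [])` eagerly, so the expression still fails if that variable is undefined (for instance when this snippet is copied into a play that does not include the `core_dumps` role). Mirror the form used in `playbooks/core_dumps.yml` and default the variable itself:

    (not setup_basic__skip_core_dumps | d(false)) | ternary(core_dumps__kernel_settings__sysctl__dependent_var | d([]), [])

Also note the interplay of the two skip variables: with `setup_basic__skip_kernel_settings` set and `setup_basic__skip_core_dumps` unset, the `core_dumps` role runs but `fs.suid_dumpable` is silently left unmanaged. Either state this in the `core_dumps` README "Dependent Roles" section or add an `assert` in the role so the gap is visible.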
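Review bot: The `roles/core_dumps/README.md` hunk drops the sentence "The sysctl value is applied immediately via `sysctl --system`" without replacing it, so the README no longer says when `fs.suid_dumpable` takes effect. Add one line stating that the value is applied by the `kernel_settings` role, which the playbooks order before `core_dumps`, and that running `core_dumps` on its own (outside an LFOps playbook or via `--tags core_dumps`) no longer touches the sysctl at all; "Triggers: none." is consistent with that but does not explain it.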
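Review bot: Deleting the `Deploy /etc/sysctl.d/linuxfabrik-core-dumps.conf` task and its template (`roles/core_dumps/tasks/main.yml` and `templates/etc/sysctl.d/linuxfabrik-core-dumps.conf.j2` hunks) leaves that file in place on hosts provisioned before this change, unmanaged and still setting `fs.suid_dumpable`. Replace the new comment with a cleanup task such as

    - name: 'Remove legacy /etc/sysctl.d/linuxfabrik-core-dumps.conf'
      ansible.builtin.file:
        path: '/etc/sysctl.d/linuxfabrik-core-dumps.conf'
        state: 'absent'

so that the `kernel_settings`-managed value is the only source; otherwise a later override through `kernel_settings__sysctl__host_var` (the escape hatch the new `defaults/main.yml` comment points to) can be undone by the stale file depending on sysctl.d load order.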
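Review bot: The context line `- 'mongodb:status'` in the `@@ -172,7 +172,7 @@` hunk of `roles/mongodb/tasks/main.yml` is not part of the controlled vocabulary this patch adds to CONTRIBUTING.md, whose list goes from `role_name:state` directly to `role_name:update`. If `status` is a role-specific tag it belongs in the mongodb README tag list; if it was meant to be `mongodb:state`, fix it together with the `users` rename in this hunk.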
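Review bot: `env[PATH]` in the `roles/php/templates/etc/php-fpm.d/Debian-pool.conf.j2` hunk is enabled unconditionally with a hard-coded value, unlike the surrounding directives, which are driven by `php__fpm_pool_conf_*` variables (see `request_terminate_timeout` in the hunk header). Expose it as a pool variable with this value as the default: a deliberately narrow worker `PATH` is itself a hardening control, and the three-line comment about `clear_env` only holds while `clear_env` stays at its default. The serial bump to `2026060901` is fine.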