diff --git a/provisioning/requirements.yml b/provisioning/requirements.yml
index def5ae627..c3abb735b 100644
--- a/provisioning/requirements.yml
+++ b/provisioning/requirements.yml
@@ -2,7 +2,7 @@
- src: arknoll.selenium
version: 1.3.0
- src: franklinkim.newrelic
- version: 1.2.0
+ version: 1.4.0
- src: geerlingguy.adminer
version: 1.1.0
- src: geerlingguy.apache
@@ -18,9 +18,9 @@
- src: geerlingguy.drupal-console
version: 1.0.7
- src: geerlingguy.drush
- version: 1.1.2
+ version: 1.1.3
- src: geerlingguy.elasticsearch
- version: 2.1.0
+ version: 2.1.1
- src: geerlingguy.firewall
version: 1.0.9
- src: geerlingguy.git
@@ -34,7 +34,7 @@
- src: geerlingguy.mysql
version: 2.3.1
- src: geerlingguy.nginx
- version: 1.9.2
+ version: 1.9.3
- src: geerlingguy.nodejs
version: 3.2.0
- src: geerlingguy.php
@@ -62,7 +62,7 @@
- src: geerlingguy.ruby
version: 2.3.1
- src: geerlingguy.security
- version: 1.2.0
+ version: 1.4.0
- src: geerlingguy.solr
version: 3.1.3
- src: geerlingguy.varnish
diff --git a/provisioning/roles/franklinkim.newrelic/CHANGELOG.md b/provisioning/roles/franklinkim.newrelic/CHANGELOG.md
index 2b6672b66..eded3d13a 100644
--- a/provisioning/roles/franklinkim.newrelic/CHANGELOG.md
+++ b/provisioning/roles/franklinkim.newrelic/CHANGELOG.md
@@ -1,3 +1,29 @@
+
+## 1.4.0 (2016-08-05)
+
+
+#### Features
+
+* add label settings ([169d3867](https://github.com/weareinteractive/ansible-newrelic/commit/169d386710aba0d7d1397cb68ef7f8426d1fac80))
+
+
+
+
+## 1.3.0 (2016-07-04)
+
+
+
+
+
+### 1.2.1 (2016-04-10)
+
+
+#### Bug Fixes
+
+* default groups breaks install when docker monitoring is enabled ([3e507b30](https://github.com/weareinteractive/ansible-newrelic/commit/3e507b3080fa8040a3659577f1bdc25c3d97508a))
+
+
+
## 1.2.0 (2016-02-13)
diff --git a/provisioning/roles/franklinkim.newrelic/README.md b/provisioning/roles/franklinkim.newrelic/README.md
index 9650109b1..5b4902f72 100644
--- a/provisioning/roles/franklinkim.newrelic/README.md
+++ b/provisioning/roles/franklinkim.newrelic/README.md
@@ -33,7 +33,7 @@ $ git clone https://github.com/weareinteractive/ansible-newrelic.git franklinkim
## Dependencies
-* Ansible >= 1.9
+* Ansible >= 2.0
## Variables
@@ -62,6 +62,10 @@ newrelic_disable_docker: yes
newrelic_service_enabled: yes
# current state: started, stopped
newrelic_service_state: started
+# use default hostname, set a value to override the default hostname
+newrelic_override_hostname: ~
+# A series of label_type/label_value pairings: label_type:label_value
+newrelic_labels: ~
```
@@ -99,16 +103,17 @@ This is an example playbook:
```
+
## Testing
```shell
$ git clone https://github.com/weareinteractive/ansible-newrelic.git
$ cd ansible-newrelic
-$ vagrant up
+$ make test
```
## Contributing
-In lieu of a formal styleguide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality.
+In lieu of a formal style guide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality.
1. Fork it
2. Create your feature branch (`git checkout -b my-new-feature`)
diff --git a/provisioning/roles/franklinkim.newrelic/defaults/main.yml b/provisioning/roles/franklinkim.newrelic/defaults/main.yml
index 7195e1f1c..6ce045658 100644
--- a/provisioning/roles/franklinkim.newrelic/defaults/main.yml
+++ b/provisioning/roles/franklinkim.newrelic/defaults/main.yml
@@ -20,3 +20,7 @@ newrelic_disable_docker: yes
newrelic_service_enabled: yes
# current state: started, stopped
newrelic_service_state: started
+# use default hostname, set a value to override the default hostname
+newrelic_override_hostname: ~
+# A series of label_type/label_value pairings: label_type:label_value
+newrelic_labels: ~
diff --git a/provisioning/roles/franklinkim.newrelic/meta/main.yml b/provisioning/roles/franklinkim.newrelic/meta/main.yml
index a1cbde7de..89849bcf4 100644
--- a/provisioning/roles/franklinkim.newrelic/meta/main.yml
+++ b/provisioning/roles/franklinkim.newrelic/meta/main.yml
@@ -3,102 +3,140 @@ galaxy_info:
author: franklin
company: We Are Interactive
description: Installs and configure newrelic
- min_ansible_version: 1.9
+ min_ansible_version: 2.0
license: MIT
+ # Optionally specify the branch Galaxy will use when accessing the GitHub
+ # repo for this role. During role install, if no tags are available,
+ # Galaxy will use this branch. During import Galaxy will access files on
+ # this branch. If travis integration is cofigured, only notification for this
+ # branch will be accepted. Otherwise, in all cases, the repo's default branch
+ # (usually master) will be used.
+ github_branch: master
#
# Below are all platforms currently available. Just uncomment
# the ones that apply to your role. If you don't see your
# platform on this list, let us know and we'll get it added!
#
platforms:
- - name: EL
- versions:
- # - all
- # - 5
- # - 6
- - 7
- # - name: GenericUNIX
- # versions:
- # - all
- # - any
- # - name: Fedora
- # versions:
- # - all
- # - 16
- # - 17
- # - 18
- # - 19
- # - 20
- # - name: opensuse
- # versions:
- # - all
- # - 12.1
- # - 12.2
- # - 12.3
- # - 13.1
- # - 13.2
- # - name: GenericBSD
- # versions:
- # - all
- # - any
- # - name: FreeBSD
- # versions:
- # - all
- # - 8.0
- # - 8.1
- # - 8.2
- # - 8.3
- # - 8.4
- # - 9.0
- # - 9.1
- # - 9.1
- # - 9.2
- - name: Ubuntu
- versions:
- - all
- # - lucid
- # - maverick
- # - natty
- # - oneiric
- # - precise
- # - quantal
- # - raring
- # - saucy
- # - trusty
- # - name: SLES
- # versions:
- # - all
- # - 10SP3
- # - 10SP4
- # - 11
- # - 11SP1
- # - 11SP2
- # - 11SP3
- # - name: GenericLinux
- # versions:
- # - all
- # - any
- - name: Debian
- versions:
- - all
- # - etch
- # - lenny
- # - squeeze
- # - wheezy
+ - name: EL
+ versions:
+ - all
+ # - 5
+ # - 6
+ # - 7
+ #- name: GenericUNIX
+ # versions:
+ # - all
+ # - any
+ #- name: Solaris
+ # versions:
+ # - all
+ # - 10
+ # - 11.0
+ # - 11.1
+ # - 11.2
+ # - 11.3
+ #- name: Fedora
+ # versions:
+ # - all
+ # - 16
+ # - 17
+ # - 18
+ # - 19
+ # - 20
+ # - 21
+ # - 22
+ # - 23
+ #- name: Windows
+ # versions:
+ # - all
+ # - 2012R2
+ #- name: SmartOS
+ # versions:
+ # - all
+ # - any
+ #- name: opensuse
+ # versions:
+ # - all
+ # - 12.1
+ # - 12.2
+ # - 12.3
+ # - 13.1
+ # - 13.2
+ #- name: Amazon
+ # versions:
+ # - all
+ # - 2013.03
+ # - 2013.09
+ #- name: GenericBSD
+ # versions:
+ # - all
+ # - any
+ #- name: FreeBSD
+ # versions:
+ # - all
+ # - 10.0
+ # - 10.1
+ # - 10.2
+ # - 8.0
+ # - 8.1
+ # - 8.2
+ # - 8.3
+ # - 8.4
+ # - 9.0
+ # - 9.1
+ # - 9.1
+ # - 9.2
+ # - 9.3
+ - name: Ubuntu
+ versions:
+ - all
+ # - lucid
+ # - maverick
+ # - natty
+ # - oneiric
+ # - precise
+ # - quantal
+ # - raring
+ # - saucy
+ # - trusty
+ # - utopic
+ # - vivid
+ # - wily
+ #- name: SLES
+ # versions:
+ # - all
+ # - 10SP3
+ # - 10SP4
+ # - 11
+ # - 11SP1
+ # - 11SP2
+ # - 11SP3
+ #- name: GenericLinux
+ # versions:
+ # - all
+ # - any
+ - name: Debian
+ versions:
+ - all
+ # - etch
+ # - jessie
+ # - lenny
+ # - squeeze
+ # - wheezy categories:
#
- # Below are all categories currently available. Just as with
- # the platforms above, uncomment those that apply to your role.
- #
- # The number of tags imported by Galaxy is limited to 20,
- # and tag values containing non-alphanumeric characters will be ignored.
- # Tag values containing a : will be split into multiple tags.
- # The tag cloud:ec2, for example, will become two tags: cloud and ec2.
+ # List tags for your role here, one per line. A tag is
+ # a keyword that describes and categorizes the role.
+ # Users find roles by searching for tags. Be sure to
+ # remove the '[]' above if you add tags to this list.
#
+ # NOTE: A tag is limited to a single word comprised of
+ # alphanumeric characters. Maximum 20 tags per role.
galaxy_tags:
- monitoring
- newrelic
+# List your role dependencies here, one per line. Only
+# dependencies available via galaxy should be listed here.
+# Be sure to remove the '[]' above if you add dependencies
+# to this list.
dependencies: []
- # List your role dependencies here, one per line. Only
- # dependencies available via galaxy should be listed here.
- # Be sure to remove the '[]' above if you add dependencies
- # to this list.
diff --git a/provisioning/roles/franklinkim.newrelic/templates/etc/newrelic/nrsysmond.cfg.j2 b/provisioning/roles/franklinkim.newrelic/templates/etc/newrelic/nrsysmond.cfg.j2
index 4185604f3..37a8eac3a 100644
--- a/provisioning/roles/franklinkim.newrelic/templates/etc/newrelic/nrsysmond.cfg.j2
+++ b/provisioning/roles/franklinkim.newrelic/templates/etc/newrelic/nrsysmond.cfg.j2
@@ -187,6 +187,9 @@ logfile={{ newrelic_logfile }}
# Default: none
#
#labels=label_type:label_value
+{% if newrelic_labels %}
+labels={{ newrelic_labels }}
+{% endif %}
#
# Option : disable_nfs
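Review bot: `labels={{ newrelic_labels }}` writes the variable into nrsysmond.cfg verbatim, so a value containing a line break would end the `labels=` line and add further directives to the file; `hostname={{ newrelic_override_hostname }}` in the next hunk has the same shape. If these variables can ever come from inventory or facts the playbook author does not control, strip line breaks at the point of use, e.g. `labels={{ newrelic_labels | regex_replace('[\r\n]+', '') }}`, or reject such values with an `assert` task before templating. The README describes the value as `label_type:label_value` pairs, but the template does not enforce that format.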
@@ -203,3 +206,14 @@ disable_nfs={{ newrelic_disable_nfs | to_nice_json }}
# Default: false
#
disable_docker={{ newrelic_disable_docker | to_nice_json }}
+
+#
+# Option : override_hostname
+# Type : string
+# Value : Set to a non-empty value to use as the hostname that will be reported to New Relic
+# Default: none
+#
+#hostname=newrelic.com
+{% if newrelic_override_hostname %}
+hostname={{ newrelic_override_hostname }}
+{% endif %}
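Review bot: The new comment block documents `Option : override_hostname`, but the directive the template emits, and the commented example above it, is `hostname=`. The header should name the key that actually lands in the file, `# Option : hostname`, and mention that the Ansible variable feeding it is `newrelic_override_hostname`. The sample value `newrelic.com` reads like a vendor endpoint rather than a host label; `#hostname=web01.example.com` would be clearer.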
diff --git a/provisioning/roles/geerlingguy.drush/meta/main.yml b/provisioning/roles/geerlingguy.drush/meta/main.yml
index 46be0d34d..0e0d58174 100644
--- a/provisioning/roles/geerlingguy.drush/meta/main.yml
+++ b/provisioning/roles/geerlingguy.drush/meta/main.yml
@@ -11,36 +11,36 @@ galaxy_info:
license: "license (BSD, MIT)"
min_ansible_version: 1.4
platforms:
- - name: EL
- versions:
- - all
- - name: GenericUNIX
- versions:
- - all
- - name: Fedora
- versions:
- - all
- - name: opensuse
- versions:
- - all
- - name: GenericBSD
- versions:
- - all
- - name: FreeBSD
- versions:
- - all
- - name: Ubuntu
- versions:
- - all
- - name: SLES
- versions:
- - all
- - name: GenericLinux
- versions:
- - all
- - name: Debian
- versions:
- - all
- categories:
+ - name: EL
+ versions:
+ - all
+ - name: GenericUNIX
+ versions:
+ - all
+ - name: Fedora
+ versions:
+ - all
+ - name: opensuse
+ versions:
+ - all
+ - name: GenericBSD
+ versions:
+ - all
+ - name: FreeBSD
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: SLES
+ versions:
+ - all
+ - name: GenericLinux
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ galaxy_tags:
- development
- web
diff --git a/provisioning/roles/geerlingguy.drush/tasks/main.yml b/provisioning/roles/geerlingguy.drush/tasks/main.yml
index 5b907aa64..287fa6505 100644
--- a/provisioning/roles/geerlingguy.drush/tasks/main.yml
+++ b/provisioning/roles/geerlingguy.drush/tasks/main.yml
@@ -35,3 +35,4 @@
command: "{{ drush_path }}"
register: drush_result
changed_when: "'Execute a drush command' not in drush_result.stdout"
+ become: no
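Review bot: The added `become: no` uses the `become` keyword while this role's `meta/main.yml`, shown elsewhere in this commit, still declares `min_ansible_version: 1.4`. `become` arrived in Ansible 1.9, so the declared minimum is now too low and should be raised, quoted so it is not read as a float, e.g. `min_ansible_version: "1.9"`. Prefer `become: false` over `no` for the boolean. Note also that `become: no` only prevents escalation: when the play connects as root, as `tests/test.yml` does with `remote_user: root`, the command still runs as root. The task begins above the hunk.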
diff --git a/provisioning/roles/geerlingguy.drush/tests/test.yml b/provisioning/roles/geerlingguy.drush/tests/test.yml
index df2c5033f..da27b634a 100644
--- a/provisioning/roles/geerlingguy.drush/tests/test.yml
+++ b/provisioning/roles/geerlingguy.drush/tests/test.yml
@@ -1,8 +1,11 @@
---
- hosts: localhost
remote_user: root
+
vars:
+ php_enable_webserver: false
php_opcache_enable: "0"
+
roles:
- geerlingguy.php
- geerlingguy.composer
diff --git a/provisioning/roles/geerlingguy.elasticsearch/meta/main.yml b/provisioning/roles/geerlingguy.elasticsearch/meta/main.yml
index 8285a4b94..5be9d380b 100644
--- a/provisioning/roles/geerlingguy.elasticsearch/meta/main.yml
+++ b/provisioning/roles/geerlingguy.elasticsearch/meta/main.yml
@@ -1,6 +1,6 @@
---
dependencies:
- - { role: geerlingguy.java }
+ - geerlingguy.java
galaxy_info:
author: geerlingguy
diff --git a/provisioning/roles/geerlingguy.nginx/README.md b/provisioning/roles/geerlingguy.nginx/README.md
index 854fa3294..e19da5b00 100644
--- a/provisioning/roles/geerlingguy.nginx/README.md
+++ b/provisioning/roles/geerlingguy.nginx/README.md
@@ -41,6 +41,10 @@ An example of a fully-populated nginx_vhosts entry, using a `|` to declare a blo
Whether to remove the 'default' virtualhost configuration supplied by Nginx. Useful if you want the base `/` URL to be directed at one of your own virtual hosts configured in a separate .conf file.
+ nginx_vhosts_filename: "vhosts.conf"
+
+The filename to use to store vhosts configuration. If you run the role multiple times (e.g. include the role with `with_items`), you can change the name for each run, effectively creating a separate vhosts file per vhost configuration.
+
nginx_upstreams: []
If you are configuring Nginx as a load balancer, you can define one or more upstream sets using this variable. In addition to defining at least one upstream, you would need to configure one of your server blocks to proxy requests through the defined upstream (e.g. `proxy_pass http://myapp1;`). See the commented example in `defaults/main.yml` for more information.
diff --git a/provisioning/roles/geerlingguy.nginx/defaults/main.yml b/provisioning/roles/geerlingguy.nginx/defaults/main.yml
index 620dc098e..f0bda616b 100644
--- a/provisioning/roles/geerlingguy.nginx/defaults/main.yml
+++ b/provisioning/roles/geerlingguy.nginx/defaults/main.yml
@@ -45,6 +45,7 @@ nginx_extra_http_options: ""
# proxy_set_header Host $http_host;
nginx_remove_default_vhost: false
+nginx_vhosts_filename: "vhosts.conf"
nginx_vhosts: []
# Example vhost below, showing all available options:
# - listen: "80 default_server" # default: "80 default_server"
diff --git a/provisioning/roles/geerlingguy.nginx/tasks/vhosts.yml b/provisioning/roles/geerlingguy.nginx/tasks/vhosts.yml
index 583ff7773..1be63942f 100644
--- a/provisioning/roles/geerlingguy.nginx/tasks/vhosts.yml
+++ b/provisioning/roles/geerlingguy.nginx/tasks/vhosts.yml
@@ -10,7 +10,7 @@
- name: Add managed vhost config file (if any vhosts are configured).
template:
src: vhosts.j2
- dest: "{{ nginx_vhost_path }}/vhosts.conf"
+ dest: "{{ nginx_vhost_path }}/{{ nginx_vhosts_filename }}"
mode: 0644
when: nginx_vhosts|length > 0
notify:
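Review bot: `nginx_vhosts_filename` is joined to `nginx_vhost_path` without restriction in `dest:` here and in `path:` of the removal task in the next hunk, so a value containing `/` or `..` makes the role write, or with `state: absent` delete, a file outside the vhost directory with the play's privileges. Constrain it to a bare file name, e.g. `dest: "{{ nginx_vhost_path }}/{{ nginx_vhosts_filename | basename }}"`, and do the same for `path:`. Separately, changing the file name between runs leaves the previously written file in place, so Nginx keeps loading the old vhosts; the README paragraph should say so. `mode: 0644` on the context line is better written as `mode: "0644"`.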
@@ -18,9 +18,8 @@
- name: Remove managed vhost config file (if no vhosts are configured).
file:
- path: "{{ nginx_vhost_path }}/vhosts.conf"
+ path: "{{ nginx_vhost_path }}/{{ nginx_vhosts_filename }}"
state: absent
when: nginx_vhosts|length == 0
notify:
- reload nginx
-
diff --git a/provisioning/roles/geerlingguy.security/README.md b/provisioning/roles/geerlingguy.security/README.md
index 15afb12f1..0c8974b5c 100644
--- a/provisioning/roles/geerlingguy.security/README.md
+++ b/provisioning/roles/geerlingguy.security/README.md
@@ -34,10 +34,11 @@ Available variables are listed below, along with default values (see `defaults/m
The port through which you'd like SSH to be accessible. The default is port 22, but if you're operating a server on the open internet, and have no firewall blocking access to port 22, you'll quickly find that thousands of login attempts per day are not uncommon. You can change the port to a nonstandard port (e.g. 2849) if you want to avoid these thousands of automated penetration attempts.
- security_ssh_password_authentication: 'no'
- security_ssh_permit_root_login: 'no'
+ security_ssh_password_authentication: "no"
+ security_ssh_permit_root_login: "no"
+ security_ssh_usedns: "no"
-Security settings for SSH authentication. It's best to leave these both set to `'no'`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or both may be safely set to `'yes'`.
+Security settings for SSH authentication. It's best to leave these set to `"no"`, but there are times (especially during initial server configuration or when you don't have key-based authentication in place) when one or all may be safely set to `'yes'`.
security_sudoers_passwordless: []
security_sudoers_passworded: []
@@ -48,6 +49,11 @@ A list of users who should be added to the sudoers file so they can run any comm
Whether to install/enable `yum-cron` (RedHat-based systems) or `unattended-upgrades` (Debian-based systems). System restarts will not happen automatically in any case, and automatic upgrades are no excuse for sloppy patch and package management, but automatic updates can be helpful as yet another security measure.
+ security_autoupdate_mail_to: ""
+ security_autoupdate_mail_on_error: true
+
+(Debian/Ubuntu only) If `security_autoupdate_mail_to` is set to an non empty value, unattended upgrades will send an e-mail to that address when some error occurs. You may either set this to a full email: `ops@example.com` or to something like `root`, which will use `/etc/aliases` to route the message. If you set `security_autoupdate_mail_on_error` to `false` you'll get an email after every package install.
+
security_fail2ban_enabled: true
Wether to install/enable `fail2ban`. You might not want to use fail2ban if you're already using some other service for login and intrusion detection (e.g. [ConfigServer](http://configserver.com/cp/csf.html)).
diff --git a/provisioning/roles/geerlingguy.security/defaults/main.yml b/provisioning/roles/geerlingguy.security/defaults/main.yml
index 9954803c9..6caf48817 100644
--- a/provisioning/roles/geerlingguy.security/defaults/main.yml
+++ b/provisioning/roles/geerlingguy.security/defaults/main.yml
@@ -2,9 +2,19 @@
security_ssh_port: 22
security_ssh_password_authentication: "no"
security_ssh_permit_root_login: "no"
+security_ssh_usedns: "no"
+security_ssh_permit_empty_password: "no"
+security_ssh_challenge_response_auth: "no"
+security_ssh_gss_api_authentication: "no"
+security_ssh_x11_forwarding: "no"
security_sudoers_passwordless: []
security_sudoers_passworded: []
security_autoupdate_enabled: true
+
+# Autoupdate mail settings used on Debian/Ubuntu only.
+security_autoupdate_mail_to: ""
+security_autoupdate_mail_on_error: true
+
security_fail2ban_enabled: true
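Review bot: The five new `security_ssh_*` defaults carry no comment, and only `security_ssh_usedns` is described in this commit's README hunk, yet `tasks/ssh.yml` enforces all of them in `sshd_config` as soon as the role is upgraded. Add a comment above the block such as `# Applied to sshd_config on every run; override per host where needed.` and one line on each setting that can break existing logins: `security_ssh_challenge_response_auth: "no"` turns off keyboard-interactive authentication, which PAM-based one-time-password setups commonly depend on, and `security_ssh_gss_api_authentication: "no"` turns off Kerberos/GSSAPI sign-in. Hosts that use either need the variable set to `"yes"` before this version is rolled out.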
diff --git a/provisioning/roles/geerlingguy.security/tasks/ssh.yml b/provisioning/roles/geerlingguy.security/tasks/ssh.yml
index 57f53f4a2..0f85032c3 100644
--- a/provisioning/roles/geerlingguy.security/tasks/ssh.yml
+++ b/provisioning/roles/geerlingguy.security/tasks/ssh.yml
@@ -12,6 +12,16 @@
line: "PermitRootLogin {{ security_ssh_permit_root_login }}"
- regexp: "^Port"
line: "Port {{ security_ssh_port }}"
+ - regexp: "^UseDNS"
+ line: "UseDNS {{ security_ssh_usedns }}"
+ - regexp: "^PermitEmptyPasswords"
+ line: "PermitEmptyPasswords {{ security_ssh_permit_empty_password }}"
+ - regexp: "^ChallengeResponseAuthentication"
+ line: "ChallengeResponseAuthentication {{ security_ssh_challenge_response_auth }}"
+ - regexp: "^GSSAPIAuthentication"
+ line: "GSSAPIAuthentication {{ security_ssh_gss_api_authentication }}"
+ - regexp: "^X11Forwarding"
+ line: "X11Forwarding {{ security_ssh_x11_forwarding }}"
notify: restart ssh
- name: Add configured user accounts to passwordless sudoers.
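Review bot: Each new `regexp` is anchored at the start of the line (`^UseDNS`, `^X11Forwarding`, and so on), so a stock `sshd_config` that only has the commented form (`#UseDNS no`) gets the directive appended at the end of the file. If the file ends in a `Match` block, the appended lines fall inside it, where they either apply only to the matched users or are rejected by sshd. The task header is above the hunk, so it is not visible whether it already sets `validate` or `insertbefore`. If it does not, add `validate: "/usr/sbin/sshd -t -f %s"` so a broken file is never installed before the `restart ssh` handler fires, and consider matching the commented form too, e.g. `regexp: "^#?UseDNS"`.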
diff --git a/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2 b/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2
index c1b7d48df..59e01cdbb 100644
--- a/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2
+++ b/provisioning/roles/geerlingguy.security/templates/50unattended-upgrades.j2
@@ -1,5 +1,12 @@
Unattended-Upgrade::Automatic-Reboot "false";
+{% if security_autoupdate_mail_to %}
+Unattended-Upgrade::Mail "{{ security_autoupdate_mail_to }}";
+{% if security_autoupdate_mail_on_error %}
+Unattended-Upgrade::MailOnlyOnError "true";
+{% endif %}
+{% endif %}
+
Unattended-Upgrade::Allowed-Origins {
"${distro_id} ${distro_codename}-security";
// "${distro_id} ${distro_codename}-updates";
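Review bot: `Unattended-Upgrade::Mail "{{ security_autoupdate_mail_to }}";` places the variable inside a quoted apt configuration string without escaping, so a value containing `"` or a line break yields a file apt cannot parse. A parse error in `apt.conf.d` would likely stop unattended upgrades from running at all, so restrict the value, e.g. with an `assert` that it matches a plain address or local user name. Mail is only sent when the host has a working mail command such as `mailx`, which nothing visible in this commit installs; the README should state that prerequisite. The `Allowed-Origins` block continues past the end of the hunk.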