Diffstat (limited to 'roles')
-rw-r--r-- | roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 | 12 | ||||
-rw-r--r-- | roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades | 2 | ||||
-rw-r--r-- | roles/common/files/etc/apt/listchanges.conf | 2 | ||||
-rw-r--r-- | roles/common/files/etc/default/rkhunter | 2 | ||||
-rw-r--r-- | roles/common/files/etc/logcheck/logcheck.conf | 2 | ||||
-rw-r--r-- | roles/common/files/etc/rkhunter.conf | 2 | ||||
-rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 2 | ||||
-rw-r--r-- | roles/common/templates/etc/fail2ban/jail.local.j2 | 2 | ||||
-rw-r--r-- | roles/munin-master/templates/etc/munin/munin.conf.j2 | 2 | ||||
-rw-r--r-- | roles/out/templates/etc/postfix/canonical.j2 | 2 |
10 files changed, 15 insertions, 15 deletions
diff --git a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
index ab22375..7d862d3 100644
--- a/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
+++ b/roles/bacula-dir/templates/etc/bacula/bacula-dir.conf.j2
@@ -611,50 +611,50 @@ Pool { AutoPrune = yes Volume Retention = 3 months Maximum Volume Bytes = 5GB Label Format = "database-${NumVols:p/4/0/r}" } # Generic catalog service Catalog { Name = MyCatalog Password = "" DB Name = bacula User = bacula } # Reasonable message delivery -- send most everything to email address and to the console Messages { Name = Standard MailCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: %t %e of %n %l\" %r" - Mail = admin@fripost.org = all, !skipped + Mail = root@fripost.org = all, !skipped OperatorCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: Intervention needed for %j\" %r" - Operator = admin@fripost.org = mount + Operator = root@fripost.org = mount Console = all, !skipped, !saved Append = "/var/log/bacula/bacula.log" = all, !skipped Catalog = all } # Report upon error only Messages { Name = Quiet MailCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: %t %e of %n %l\" %r" - Mail On Success = admin@fripost.org = all, !info, !fatal, !skipped, !notsaved, !restored + Mail On Success = root@fripost.org = all, !info, !fatal, !skipped, !notsaved, !restored MailCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: %t %e of %n %l\" %r" - Mail On Error = admin@fripost.org = all, !skipped + Mail On Error = root@fripost.org = all, !skipped OperatorCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula: Intervention needed for %j\" %r" - Operator = admin@fripost.org = mount + Operator = root@fripost.org = mount Console = all, !info, !restored, !skipped, !saved Append = "/var/lib/bacula/log" = all, !skipped Catalog = all } # Message delivery for daemon messages (no job). 
Messages { Name = Daemon MailCommand = "/usr/sbin/bsmtp -h localhost:16132 -f \"\(Bacula\) \<bacula@fripost.org\>\" -s \"Bacula daemon message\" %r" - Mail = admin@fripost.org = all, !skipped + Mail = root@fripost.org = all, !skipped Console = all, !skipped, !saved Append = "/var/log/bacula/bacula.log" = all, !skipped } diff --git a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades index fd7cf1d..6f71ce6 100644 --- a/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades +++ b/roles/common/files/etc/apt/apt.conf.d/50unattended-upgrades 
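Review bot: The recipient address is written out literally in all six changed `Mail`/`Mail On …`/`Operator` directives of this template, which is why renaming one alias needed six edits here and further edits in every other file. The file is already rendered by Jinja2, so a single variable would turn the next change into one line, e.g. `Mail = {{ admin_email }} = all, !skipped`, where `admin_email` is an illustrative name for a variable defined once in the inventory or group vars. The same applies to the `jail.local.j2`, `munin.conf.j2` and `canonical.j2` hunks; the static files under `roles/common/files` would have to become templates first.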
@@ -74,41 +74,41 @@ Unattended-Upgrade::Package-Blacklist { // they can be interrupted with SIGTERM. This makes the upgrade // a bit slower but it has the benefit that shutdown while a upgrade // is running is possible (with a small delay) //Unattended-Upgrade::MinimalSteps "true"; // Install all updates when the machine is shutting down // instead of doing it in the background while the machine is running. // This will (obviously) make shutdown slower. // Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s. // This allows more time for unattended-upgrades to shut down gracefully // or even install a few packages in InstallOnShutdown mode, but is still a // big step back from the 30 minutes allowed for InstallOnShutdown previously. // Users enabling InstallOnShutdown mode are advised to increase // InhibitDelayMaxSec even further, possibly to 30 minutes. //Unattended-Upgrade::InstallOnShutdown "false"; // Send email to this address for problems or packages upgrades // If empty or unset then no email is sent, make sure that you // have a working mail setup on your system. A package that provides // 'mailx' must be installed. E.g. "user@example.com" -Unattended-Upgrade::Mail "admin@fripost.org"; +Unattended-Upgrade::Mail "root@fripost.org"; // Set this value to one of: // "always", "only-on-error" or "on-change" // If this is not set, then any legacy MailOnlyOnError (boolean) value // is used to chose between "only-on-error" and "on-change" //Unattended-Upgrade::MailReport "on-change"; // Remove unused automatically installed kernel-related packages // (kernel images, kernel headers and kernel version locked tools). 
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; // Do automatic removal of newly unused dependencies after the upgrade //Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; // Do automatic removal of unused packages after the upgrade // (equivalent to apt-get autoremove) //Unattended-Upgrade::Remove-Unused-Dependencies "false"; // Automatically reboot *WITHOUT CONFIRMATION* if // the file /var/run/reboot-required is found after the upgrade diff --git a/roles/common/files/etc/apt/listchanges.conf b/roles/common/files/etc/apt/listchanges.conf index cee0648..e17e36d 100644 --- a/roles/common/files/etc/apt/listchanges.conf +++ b/roles/common/files/etc/apt/listchanges.conf @@ -1,9 +1,9 @@ [apt] frontend=mail -email_address=admin@fripost.org +email_address=root@fripost.org confirm=0 save_seen=/var/lib/apt/listchanges.db which=news email_format=text headers=false reverse=false diff --git a/roles/common/files/etc/default/rkhunter b/roles/common/files/etc/default/rkhunter index 2e7fae7..49a63e8 100644 --- a/roles/common/files/etc/default/rkhunter +++ b/roles/common/files/etc/default/rkhunter 
@@ -1,34 +1,34 @@ # Defaults for rkhunter automatic tasks # sourced by /etc/cron.*/rkhunter and /etc/apt/apt.conf.d/90rkhunter # # This is a POSIX shell fragment # # Set this to yes to enable rkhunter daily runs # (default: false) CRON_DAILY_RUN="yes" # Set this to yes to enable rkhunter weekly database updates # (default: false) CRON_DB_UPDATE="yes" # Set this to yes to enable reports of weekly database updates # (default: false) DB_UPDATE_EMAIL="false" # Set this to the email address where reports and run output should be sent # (default: root) -REPORT_EMAIL="admin@fripost.org" +REPORT_EMAIL="root@fripost.org" # Set this to yes to enable automatic database updates # (default: false) APT_AUTOGEN="false" # Nicenesses range from -20 (most favorable scheduling) to 19 (least favorable) # (default: 0) NICE="10" # Should daily check be run when running on battery # powermgmt-base is required to detect if running on battery or on AC power # (default: false) RUN_CHECK_ON_BATTERY="false" diff --git a/roles/common/files/etc/logcheck/logcheck.conf b/roles/common/files/etc/logcheck/logcheck.conf index 4c7ff10..6e06450 100644 --- a/roles/common/files/etc/logcheck/logcheck.conf +++ b/roles/common/files/etc/logcheck/logcheck.conf 
@@ -8,41 +8,41 @@ # Controls the presence of boilerplate at the top of each message: # Alternatively, set to "0" to disable the introduction. # # If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt # are present their contents will be read and used as the header and # footer of any generated mails. INTRO=0 # Controls the level of filtering: # Can be Set to "workstation", "server" or "paranoid" for different # levels of filtering. Defaults to server if not set. REPORTLEVEL="server" # Controls the address mail goes to: # *NOTE* the script does not set a default value for this variable! # Should be set to an offsite "emailaddress@some.domain.tld" -SENDMAILTO="admin@fripost.org" +SENDMAILTO="root@fripost.org" # Send the results as attachment or not. # 0=not as attachment; 1=as attachment; 2=as gzip attachment # Default is 0 MAILASATTACH=0 # Should the hostname in the subject of generated mails be fully qualified? FQDN=1 # Controls whether "sort -u" is used on log entries (which will # eliminate duplicates but destroy the original ordering); the # default is to use "sort -k 1,3 -s": # Alternatively, set to "1" to enable unique sorting #SORTUNIQ=0 # Controls whether /etc/logcheck/cracking.ignore.d is scanned for # exceptions to the rules in /etc/logcheck/cracking.d: diff --git a/roles/common/files/etc/rkhunter.conf b/roles/common/files/etc/rkhunter.conf index e76ab77..8040c88 100644 --- a/roles/common/files/etc/rkhunter.conf +++ b/roles/common/files/etc/rkhunter.conf 
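Review bot: Nothing visible in this diff (the diffstat is limited to `roles`) shows that `root@fripost.org` exists as a deliverable alias, and the context comment above `SENDMAILTO` points out that logcheck sets no default to fall back on. If the alias is missing, or is deployed after these files, logcheck reports would go undelivered without anyone noticing, and the same holds for the rkhunter warnings and the fail2ban `destemail` redirected by the other hunks. It is worth confirming the alias is in place before rollout and recording where it lives, for example with a comment above the assignment such as `# root@fripost.org is the admin team alias; it must deliver to a mailbox off this host`.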
@@ -116,41 +116,41 @@ UPDATE_MIRRORS=0 # # Local and remote mirrors can be defined in the mirrors file by using the # 'local=' and 'remote=' keywords respectively. # # The default value is '0'. # MIRRORS_MODE=1 # # Email a message to this address if a warning is found when the system is # being checked. Multiple addresses may be specified simply be separating # them with a space. To disable the option, simply set it to the null string # or comment it out. # # The option may be specified more than once. # # The default value is the null string. # # Also see the MAIL_CMD option. # -MAIL-ON-WARNING=admin@fripost.org +MAIL-ON-WARNING=root@fripost.org # # This option specifies the mail command to use if MAIL-ON-WARNING is set. # # NOTE: Double quotes are not required around the command, but are required # around the subject line if it contains spaces. # # The default is to use the 'mail' command, with a subject line # of '[rkhunter] Warnings found for ${HOST_NAME}'. # #MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" # # This option specifies the directory to use for temporary files. # # NOTE: Do not use '/tmp' as your temporary directory. Some important files # will be written to this directory, so be sure that the directory permissions # are secure. # # The installer program will set the default directory. If this default is diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index 72102f4..aecdaaf 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh 
@@ -145,41 +145,41 @@ fi if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then config=$(mktemp) || exit 2 trap 'rm -f "$config"' EXIT # see /usr/share/ssl-cert/ssleay.cnf cat >"$config" <<- EOF [ req ] distinguished_name = req_distinguished_name prompt = no policy = policy_anything req_extensions = v3_req x509_extensions = v3_req [ req_distinguished_name ] organizationName = Fripost organizationalUnitName = SSLcerts $(echo "$ou") commonName = ${cn:-/} [ v3_req ] - subjectAltName = email:admin@fripost.org${dns:+, $dns} + subjectAltName = email:root@fripost.org${dns:+, $dns} basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} subjectKeyIdentifier = hash EOF fi if [ -s "$privkey" -a $force -eq 0 ]; then echo "Error: private key exists: $privkey" >&2 exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2 openssl $genkey $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && exit fi if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then pubkey=$(mktemp) openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 cat "$pubkey" >>"$privkey" || exit 2 diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 3cd19cc..2759611 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 
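Review bot: The changed `subjectAltName` line only affects certificates and CSRs generated after this commit; anything this script issued earlier keeps `email:admin@fripost.org` as its rfc822Name until it is regenerated. Whether `admin@` stays as an alias is not visible here, but if it is retired the existing certificates will publish a contact address that no longer works, so the old alias should probably be kept until they are rotated. A short comment in the heredoc would record this, e.g. `# contact address published in the certificate; changing it does not affect certificates already issued`. The surrounding script starts before and continues past this hunk.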
@@ -1,28 +1,28 @@ # {{ ansible_managed }} # Do NOT edit this file directly! [DEFAULT] # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. -destemail = admin@fripost.org +destemail = root@fripost.org # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban # will not ban a host which matches an address in this list. Several addresses # can be defined using space (and/or comma) separator. ignoreip = 127.0.0.0/8, ::1, {{ ipsec_subnet }} banaction = nftables-allports # must match nftables.conf's blackholes timeouts bantime = 10m # # JAILS # [sshd] enabled = true [postfix] enabled = {{ 'MX' in group_names }} diff --git a/roles/munin-master/templates/etc/munin/munin.conf.j2 b/roles/munin-master/templates/etc/munin/munin.conf.j2 index b53ef0e..cdf659c 100644 --- a/roles/munin-master/templates/etc/munin/munin.conf.j2 +++ b/roles/munin-master/templates/etc/munin/munin.conf.j2 
@@ -70,38 +70,38 @@ html_strategy cgi # munin-update runs in parallel. # # The default max number of processes is 16, and is probably ok for you. # # If set too high, it might hit some process/ram/filedesc limits. # If set too low, munin-update might take more than 5 min. # # If you want munin-update to not be parallel set it to 0. # #max_processes 16 # RRD updates are per default, performed directly on the rrd files. # To reduce IO and enable the use of the rrdcached, uncomment it and set it to # the location of the socket that rrdcached uses. # rrdcached_socket /run/rrdcached.sock # Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime # something changes (OK -> WARNING, CRITICAL -> OK, etc) -contact.admin.command mail -s "Munin notification" admin@fripost.org +contact.admin.command mail -s "Munin notification" root@fripost.org # # For those with Nagios, the following might come in handy. In addition, # the services must be defined in the Nagios server as well. #contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf {% for node in groups.all | sort %} [all;{{ hostvars[node].inventory_hostname_short }}] address {{ ipsec[ hostvars[node].inventory_hostname_short ] }} port 4994 {% for g in hostvars[node].group_names | sort %} [{{ g }};{{ hostvars[node].inventory_hostname_short }}] update no {% endfor %} {% endfor %} diff --git a/roles/out/templates/etc/postfix/canonical.j2 b/roles/out/templates/etc/postfix/canonical.j2 index ed8bb4d..14ef6e7 100644 --- a/roles/out/templates/etc/postfix/canonical.j2 +++ b/roles/out/templates/etc/postfix/canonical.j2 
@@ -1,10 +1,10 @@ # {{ ansible_managed }} # Do NOT edit this file directly! # Addresses under $myhostname are typically not valid as envelope # recipients (eg, logcheck@, root@, etc.). This breaks the sender # address verification, so we use the admin team's address in the # envelope. {% for host in groups.all | sort %} -@{{ hostvars[host].inventory_hostname }} admin@fripost.org +@{{ hostvars[host].inventory_hostname }} root@fripost.org {% endfor %} |
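Review bot: The header comment now reads confusingly, because it lists `root@` as an example of an address that is not valid as an envelope recipient while the mapping's new target is itself a `root@` address. The distinction is the domain (`root@$myhostname` versus `root@fripost.org`), and the comment would be clearer if it said so, e.g. `# ... so we rewrite them to root@fripost.org, the admin team's address under the main domain.`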