From bac7811d2b35252b7a83a45d75bb344b4b1776a9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sat, 16 May 2020 02:52:55 +0200
Subject: Upgrade baseline to Debian 10.
---
roles/common/templates/etc/bacula/bacula-fd.conf.j2 | 5 +++--
roles/common/templates/etc/munin/munin-node.conf.j2 | 2 +-
roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 | 2 +-
roles/common/templates/etc/nftables.conf.j2 | 10 ++++++++--
roles/common/templates/etc/ntp.conf.j2 | 2 ++
roles/common/templates/etc/postfix/master.cf.j2 | 2 +-
6 files changed, 16 insertions(+), 7 deletions(-) (limited to 'roles/common/templates')
diff --git a/roles/common/templates/etc/bacula/bacula-fd.conf.j2 b/roles/common/templates/etc/bacula/bacula-fd.conf.j2
index e06911f..db1960e 100644
--- a/roles/common/templates/etc/bacula/bacula-fd.conf.j2
+++ b/roles/common/templates/etc/bacula/bacula-fd.conf.j2
@@ -1,7 +1,8 @@ # # Default Bacula File Daemon Configuration file # -# For Bacula release 5.2.6 (21 February 2012) -- debian jessie/sid +# For Bacula release 9.4.2 (04 February 2019) -- debian buster/sid +# # # List Directors who are permitted to contact this File daemon
@@ -25,7 +26,7 @@ Messages { FileDaemon { # define myself Name = {{ inventory_hostname_short }}-fd Working Directory = /var/lib/bacula - Pid Directory = /var/run/bacula + Pid Directory = /run/bacula Maximum Concurrent Jobs = 20 FDAddress = {{ ipsec[inventory_hostname_short] }} FDPort = 9102
diff --git a/roles/common/templates/etc/munin/munin-node.conf.j2 b/roles/common/templates/etc/munin/munin-node.conf.j2
index 1563526..a1391d9 100644
--- a/roles/common/templates/etc/munin/munin-node.conf.j2
+++ b/roles/common/templates/etc/munin/munin-node.conf.j2
@@ -4,7 +4,7 @@ log_level 4 log_file /var/log/munin/munin-node.log -pid_file /var/run/munin/munin-node.pid +pid_file /run/munin/munin-node.pid background 1 setsid 1
diff --git a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2 b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
index 2d434bc..ec471eb 100644
--- a/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
+++ b/roles/common/templates/etc/munin/plugin-conf.d/munin-node.j2
@@ -73,7 +73,7 @@ user root [mysql*] user root env.mysqlopts --defaults-file=/etc/mysql/debian.cnf -env.mysqluser debian-sys-maint +env.mysqluser root env.mysqlconnection DBI:mysql:mysql;mysql_read_default_file=/etc/mysql/debian.cnf [postfix_mailqueue_*]
diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index 1e1fde2..3d2a23d 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -86,7 +86,8 @@ table inet filter { udp sport 53 ct state related,established accept tcp sport 53 ct state related,established accept {% if 'dhclient' in group_names %} - udp sport 67 ct state related,established accept + ip version 4 udp sport 67 udp dport 68 ct state related,established accept + ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept {% endif %} meta l4proto tcp ip saddr @fail2ban counter drop
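Review bot: The switch to `env.mysqluser root` in the `[mysql*]` section of `plugin-conf.d/munin-node.j2` (hunk `@@ -73,7 +73,7 @@`) gives the monitoring plugins the database superuser, and nothing next to the line says why. If the reason is that the Debian 10 MariaDB packages no longer provision `debian-sys-maint` and `root` logs in over the local socket, record it in a comment above the line, e.g. `# buster: no debian-sys-maint account; root authenticates via unix_socket`. The section still points `env.mysqlopts` and `env.mysqlconnection` at `/etc/mysql/debian.cnf`, so it is worth confirming that file still carries usable settings on the upgraded hosts. Since these plugins only read server status, a dedicated account limited to the privileges the plugin documents would be the least-privilege follow-up.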
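Review bot: The new DHCPv6 rule in the first `nftables.conf.j2` hunk (`@@ -86,7 +86,8 @@`, apparently the input chain), `ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept`, probably never matches a server reply. A DHCPv6 client solicits to the multicast group ff02::1:2 and the server answers from its own link-local unicast address, so conntrack cannot pair the reply with the outgoing entry and classifies it as `new`. Matching on the link-local range instead of on connection state keeps the rule narrow, e.g. `ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept`; this should be confirmed on a `dhclient` host that actually obtains an IPv6 lease. The enclosing chain starts and ends outside the hunk.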
@@ -115,13 +116,18 @@ table inet filter { jump invalid udp sport 123 udp dport 123 ct state new,related,established accept +{% if groups.all | length > 1 %} udp sport 500 udp dport 500 ct state new,related,established accept +{% if groups.NATed | length > 0 %} udp sport 4500 udp dport 4500 ct state new,related,established accept +{% endif %} +{% endif %} udp dport 53 ct state new,related,established accept tcp dport 53 ct state new,related,established accept {% if 'dhclient' in group_names %} - udp dport 67 ct state new,related,established accept + ip version 4 udp sport 68 udp dport 67 ct state new,related,established accept + ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept {% endif %} tcp sport $in-tcp-ports ct state related,established accept
diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2
index 18c03cf..1016d55 100644
--- a/roles/common/templates/etc/ntp.conf.j2
+++ b/roles/common/templates/etc/ntp.conf.j2
@@ -2,6 +2,8 @@ driftfile /var/lib/ntp/ntp.drift +# Leap seconds definition provided by tzdata +leapfile /usr/share/zoneinfo/leap-seconds.list # Enable this if you want statistics to be logged. #statsdir /var/log/ntpstats/
diff --git a/roles/common/templates/etc/postfix/master.cf.j2 b/roles/common/templates/etc/postfix/master.cf.j2
index a9c73f7..2c00250 100644
--- a/roles/common/templates/etc/postfix/master.cf.j2
+++ b/roles/common/templates/etc/postfix/master.cf.j2
@@ -85,7 +85,7 @@ sympa unix - n n - - pipe {% if inst is defined and inst == 'out' %} # Client part (lmtp) - amavis -amavisfeed unix - - n - 5 lmtp +amavisfeed unix - - y - 5 lmtp -o lmtp_destination_recipient_limit=1000 -o lmtp_send_xforward_command=yes -o lmtp_data_done_timeout=1200s -- cgit v1.2.3
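Review bot: The new guard `{% if groups.NATed | length > 0 %}` in the second `nftables.conf.j2` hunk (`@@ -115,13 +116,18 @@`) dereferences the `NATed` group directly, so templating would abort with an undefined-variable error on an inventory that does not declare that group, unless something outside the hunk guarantees it exists. `{% if groups.NATed | default([]) | length > 0 %}` simply leaves the UDP 4500 rule out in that case. The two consecutive `{% endif %}` lines would also be easier to audit with trailing markers such as `{# NATed #}` and `{# groups.all #}`, because a misplaced one silently changes which IKE rules are emitted. The enclosing chain starts and ends outside the hunk.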
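Review bot: The chroot column of `amavisfeed` in `master.cf.j2` (hunk `@@ -85,7 +85,7 @@`) flips from `n` to `y` without a comment, and the transport's destination is not visible here. Once chrooted, the lmtp client can only open a UNIX-domain socket that lives under the Postfix queue directory and resolves host and service names from the copies kept inside the jail, so the amavis endpoint should be an address literal with a numeric port or a socket inside the jail. A line above the entry such as `# chroot=y: amavis endpoint must be reachable from inside the queue directory` would record that constraint for the next editor. The `{% if inst is defined ... %}` block continues outside the hunk.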