New features/improvements:

* Tests have been updated to work with latest Molecule/Testinfra as

  part of the Ansible upgrade process.

* ``common`` role

  * The ``pip`` requirements upgrade checks are now performed once per

    day instead of once per hour.

  * The ``pip`` requirements upgrade checks now do not output warning

    in case deployed ``.in`` file does not have a matching ``.txt``

    file.

2.0.0

-----

Upgrade to Ansible 2.3.x, minor bug fixes and updates needed for the upgrade.

Breaking changes:

* Switched to Ansible 2.3.x, removing support for Ansible 1.9.x. All

  documentation has been updated.

  can reach them provided they have appropriate read/write rights on the file

  itself, and provided they know the exact path of the file.

* Deploys CA certificate files, normally used for truststore purposes, to

  ``/usr/local/share/ca-certificates/``.

* Installs ``ferm`` (for iptables management), configuring a basic firewall

  which allows ICMP echo requests (PING), incoming connection on TCP port 22

  (SSH), and also introduces rate-limitting for incoming ICMP echo request

  pacakges and (new) TCP connections. The rate-limitting is based on the source

  IP address, using the ``iptables hashlimit`` module.

* Sets-up system for performing checks on certificates (currently only if they

  expire within less than 30 days). Roles that want their certificates checked

  should deploy a ``.conf`` to directory ``/etc/check_certificate/`` with paths

* Deploys ``apticron`` package that performs checks for available package

  upgrades on daily basis. Mails are delivered to local ``root`` account, and

  can be redirected elsewhere via aliases. If using ``mail_forwarder`` or

  ``mail_server`` roles on the same server, aliases can be set-up through them.

* Sets-up system for performing checks on pip requirements files. Roles that

  want their requirements files checked should create a sub-directory inside of

  ``/etc/pip_check_requirements_upgrades``, and place ``.txt`` and ``.in`` files

  inside (with same base name). The ``.txt`` files should be standard

  requirements files with fixed versions (the ones installed by the role). The

  ``.in`` files should contain only the top-level packages (no

  dependencies). Avoid hard-coding versions in the ``.in`` file unless really

  needed. For packages where you want to stick to stable/LTS version branch, you

6. Ok, time to re-run the playbooks again... Wait a minute, something

   is missing here... Oh, right, I forgot to mention one thing - Majic

   Ansible Roles use TLS throughout wherever possible. In other words,

   you *must* have TLS private keys and certificates issued by some CA

   for all servers in order to be able to use most of the roles

   (actually, you need them issued per *service*). This includes

   ``ldap_server`` too. So, let's make a slight detour to create a CA

   of our own, plus the necessary server certificate for the LDAP

   service...

   .. note::

      Another useful feature the roles implement is a check to see if

   1. Let's first install a couple of more tools on the Ansible server, since we

      will be using ``certtool`` for our improvised CA needs (run this as

      ``root``)::

        apt-get install -y gnutls-bin

   2. Create directory where the private keys and certificates will be stored

      at (you can switch back to the ``ansible`` user now)::

        mkdir ~/mysite/tls/

$program accepts the following options:

    -e period

        Number of days before certificate expires after which the certificate

        should be considered as about to expire. Value is used in the following

        check types: expiration.

    -c certificate_file

        Path to certificate file for which the checks should be run. This option

        can be specified multiple times on the command line in order to verify

        multiple certificates.

    -d

        Enable debug output.

    -v

        Show script version and licensing information.

    -h

        Show usage help.

Please report bugs and send feature requests to <branko@majic.rs>.

else

    _text_bold=""

    _text_white=""

    _text_blue=""

    _text_green=""

    _text_yellow=""

    _text_red=""

    _text_reset=""

fi

# Set-up functions for printing coloured messages.

function debug() {

}

function info() {

}

function success() {

}

function warning() {

    echo "${_text_bold}${_text_yellow}[WARN] ${_text_reset}" "$@"

}

function error() {

    echo "${_text_bold}${_text_red}[ERROR]${_text_reset}" "$@" >&2

}

#

# Checks expiration of passed-in certificate file.

#

# Arguments:

#

#   $1 - Path to certificate file to check

#

# Returns:

#

#   0 if check has passed, 1 if check has not passed.

#

function check_expiration() {

    local certificate_file="$1"

    local expiration_period_seconds

    let expiration_period_seconds="$expiration_period"*24*60*60

    debug "Running expiration check for file: $certificate_file"

    debug "Expiration period set to: $expiration_period"

    if openssl x509 -noout -in "$certificate_file" -checkend "$expiration_period_seconds" > /dev/null; then

	return 0

    else

	return 1

    fi

}

# Exit codes

ERROR_SUCCESS=0

ERROR_PARAMETERS=1

ERROR_FAILED_CHECK=2

# If no arguments were given, just show usage help.

if [[ -z $1 ]]; then

    usage

    exit $ERROR_SUCCESS

fi

# Disable debug by default.

DEBUG=0

# Set-up default option values.

let expiration_period=30

# List of certificate files to check.

certificate_files=()

configuration_directory="/etc/check_certificate"

# Parse the arguments

    case "$opt" in

	e) let expiration_period="$OPTARG";;

	c) certificate_files+=("$OPTARG");;

	C) configuration_directory="$OPTARG";;

	d) DEBUG=1;;

        v) version

           exit $ERROR_SUCCESS;;

        h) usage

           exit $ERROR_SUCCESS;;

        *) usage

           exit $ERROR_PARAMETERS;;

    esac

done

i=$OPTIND

shift $(($i-1))

if [[ ${#certificate_files[@]} == 0 ]]; then

    for configuration_file in "$configuration_directory"/*.conf; do

	if [[ -f $configuration_file ]]; then

	    DONE=false

	    until "$DONE"; do

		read line || DONE=true

		[[ ! $line =~ ^[[:blank:]]*$ ]] && certificate_files+=("$line")

	    done < "$configuration_file"

	fi

    done

fi

if [[ ${#certificate_files[@]} == 0 ]]; then

fi

# Process the certificate files.

result=$ERROR_SUCCESS

for certificate_file in "${certificate_files[@]}"; do

    for check in "$@"; do

	if ! check_"$check" "${certificate_file}"; then

	    result=$ERROR_FAILED_CHECK

	fi

    done

done

    path: "/etc/check_certificate"

    state: "directory"

    owner: root

    group: root

    mode: 0755

- name: Deploy crontab entry for checking certificates

  cron:

    name: "check_certificate"

    cron_file: "check_certificate"

    hour: 0

    minute: 0

    state: present

    user: nobody

- name: Install apticron (for checking available upgrades)

  apt:

    name: apticron

    state: present

# Implementation for checking pip requirements files via via pip-tools.

- name: Install virtualenv for pip requirements checks

  apt:

    name: virtualenv