Update to 2023-09-13 23:00

2025-04-12 00:03:17 +02:00 · 2023-09-13 23:00:21 +02:00 · 2023-09-13 23:00:21 +02:00 · 3475fdc9bf
commit 3475fdc9bf
parent 758b7f1094
12 changed files with 9 additions and 119 deletions
--- a/roles/matrix_element/defaults/main.yml
+++ b/roles/matrix_element/defaults/main.yml
@ -5,8 +5,8 @@
 element_id: element

 # Version to deploy, and expected sha256
-element_version: 1.11.40
-element_archive_sha256: 7e0d0263ee2c52401f6f8f0ea2c5b76fef82aaa1860c1b4986235971f7b8b731
+element_version: 1.11.41
+element_archive_sha256: b03e59e4c3da71278f1b79df2469cdc25c250129c7669a0531888a0e1ae41529

 # Where to install element
 element_root_dir: /opt/matrix/element
--- a/roles/matrix_synapse/defaults/main.yml
+++ b/roles/matrix_synapse/defaults/main.yml
@ -1,7 +1,7 @@
 ---

 # Synapse version to deploy
-synapse_version: '1.91.2'
+synapse_version: '1.92.1'

 # Should ansible handle Synapse upgrades ? If false, only initial install will be done
 synapse_manage_upgrade: True
--- a/roles/odoo/templates/odoo-server.service.j2
+++ b/roles/odoo/templates/odoo-server.service.j2
@ -17,7 +17,8 @@ SyslogIdentifier=odoo
 Restart=on-failure
 StartLimitInterval=0
 RestartSec=30
-MemoryLimit=2048M
+MemoryHigh=1800M
+MemoryMax=2048M

 [Install]
 WantedBy=multi-user.target
--- a/roles/squid/defaults/main.yml
+++ b/roles/squid/defaults/main.yml
@ -24,11 +24,6 @@ squid_ssl_ports: [ 443, 8006, 8007, 8443, 8448 ]
 # Admin email displayed on denied and error pages
 # squid_admin_email: admin@example.com

-# Should we scan content with ClamAV. Default is disabled
-squid_scan_av: True
-# Files bigger than (in bytes) this won't be scanned
-squid_av_max_size: 5000000
-
 squid_servers_ip:
  - 10.0.0.0/8
  - 172.16.0.0/12
--- a/roles/squid/files/ufdb.te
+++ b/roles/squid/files/ufdb.te
@ -1,15 +1,17 @@
-module ufdb 1.2;
+module ufdb 1.3;

 require {
        type initrc_tmp_t;
        type initrc_t;
        type tmp_t;
        type squid_t;
+        type unconfined_service_t;
        class sock_file write;
        class unix_stream_socket connectto;
 }

 #============= squid_t ==============
 allow squid_t initrc_t:unix_stream_socket connectto;
+allow squid_t unconfined_service_t:unix_stream_socket connectto;
 allow squid_t initrc_tmp_t:sock_file write;
 allow squid_t tmp_t:sock_file write;
--- a/roles/squid/handlers/main.yml
+++ b/roles/squid/handlers/main.yml
@ -6,12 +6,6 @@
 - name: restart squid
  service: name=squid state=restarted

- name: restart c-icap
-  service: name=c-icap state={{ squid_scan_av | ternary('restarted', 'stopped') }}
-
- name: restart squid-clamd
-  service: name=squid-clamd state={{ squid_scan_av | ternary('restarted', 'stopped') }}
-
 - name: restart ufdb
  service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('restarted', 'stopped') }}

--- a/roles/squid/meta/main.yml
+++ b/roles/squid/meta/main.yml
@ -1,5 +1,4 @@
 ---
 dependencies:
  - role: httpd_common
-  - role: clamav
  - role: mkdir
--- a/roles/squid/tasks/main.yml
+++ b/roles/squid/tasks/main.yml
@ -4,8 +4,6 @@
  yum:
    name:
      - squid
-      - c-icap
-      - squidclamav
      - ufdbGuard
  notify: restart squid
  tags: proxy
@ -138,43 +136,12 @@
  register: squid_safebrowsing
  tags: proxy

- name: Deploy clamd config
-  template: src=clamd.conf.j2 dest=/etc/clamd.d/squid.conf
-  notify: restart squid-clamd
-  tags: proxy
-
- name: Deploy clamd systemd unit
-  template: src=squid-clamd.service.j2 dest=/etc/systemd/system/squid-clamd.service
-  register: squid_clam_unit
-  notify: restart squid-clamd
-  tags: proxy
-
- name: Deploy c-icap configuration
-  template: src=c-icap.conf.j2 dest=/etc/c-icap/c-icap.conf
-  notify: restart c-icap
-  tags: proxy
-
 - name: Create systemd unit snippet dir
  file: path=/etc/systemd/system/{{ item }}.service.d state=directory
  loop:
-    - c-icap
    - squid
  tags: proxy

- name: Deploy a systemd unit snippet for c-icap
-  copy:
-    content: |
-      [Service]
-      User=c-icap
-      Group=c-icap
-      Restart=on-failure
-      StartLimitInterval=0
-      RestartSec=1
-    dest: /etc/systemd/system/c-icap.service.d/user.conf
-  register: squid_c_icap_unit
-  notify: restart c-icap
-  tags: proxy
-
 - name: Deploy a systemd unit snipet for squid
  copy:
    content: |
@ -186,14 +153,9 @@
  register: squid_unit
  tags: proxy

- name: Deploy squidclamav configuration
-  template: src=squidclamav.conf.j2 dest=/etc/c-icap/squidclamav.conf mode=644
-  notify: restart c-icap
-  tags: proxy
-
 - name: Reload systemd
  command: systemctl daemon-reload
-  when: squid_clam_unit.changed or squid_c_icap_unit.changed or squid_unit.changed
+  when: squid_unit.changed
  tags: proxy

 - include_tasks: selinux.yml
@ -252,14 +214,6 @@
  service: name=squid state=started enabled=True
  tags: proxy

- name: Start and enable c-icap
-  service: name=c-icap state=started enabled=True
-  tags: proxy
-
- name: Handle squid-clamd daemon
-  service: name=squid-clamd state={{ squid_scan_av | ternary('started','stopped') }} enabled={{ squid_scan_av | ternary(True,False) }}
-  tags: proxy
-
 - name: Handle ufdb daemon
  service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }}
  tags: proxy
--- a/roles/squid/templates/c-icap.conf.j2
+++ b/roles/squid/templates/c-icap.conf.j2
@ -1,17 +0,0 @@
-ServerAdmin {{ squid_admin_email | default(system_admin_email) | default('admin@' + ansible_domain) }}
-ServerName {{ inventory_hostname }}
-TmpDir /tmp
-MaxMemObject 1048576
-Module logger sys_logger.so
-Logger sys_logger
-DebugLevel 0
-Port 127.0.0.1:1344
-TemplateDir /usr/share/c_icap/templates/
-{% if squid_scan_av %}
-Service squidclamav squidclamav.so
-{% endif %}
-
-MaxKeepAliveRequests 1000
-MaxServers 20
-ThreadsPerChild 50
-MaxRequestsPerChild 100000
--- a/roles/squid/templates/clamd.conf.j2
+++ b/roles/squid/templates/clamd.conf.j2
@ -1,8 +0,0 @@
-LogSyslog yes
-LogVerbose yes
-ExtendedDetectionInfo yes
-LocalSocket /var/run/clamav/squid.sock
-LocalSocketMode 666
-ExitOnOOM yes
-Foreground yes
-DetectBrokenExecutables yes
--- a/roles/squid/templates/squid-clamd.service.j2
+++ b/roles/squid/templates/squid-clamd.service.j2
@ -1,15 +0,0 @@
-[Unit]
-Description=ClamAV antivirus daemon for squid
-After=syslog.target network.target
-
-[Service]
-Type=simple
-ExecStart=/usr/sbin/clamd -c /etc/clamd.d/squid.conf
-User=clamav
-Group=clamav
-Restart=on-failure
-PrivateTmp=true
-
-[Install]
-WantedBy=multi-user.target
-
--- a/roles/squid/templates/squid.conf.j2
+++ b/roles/squid/templates/squid.conf.j2
@ -58,21 +58,6 @@ quick_abort_min -1

 max_filedesc 8192

-icap_enable on
-icap_send_client_ip on
-icap_send_client_username on
-icap_client_username_encode off
-icap_client_username_header X-Authenticated-User
-icap_preview_enable on
-icap_preview_size 1024
-
-{% if squid_scan_av %}
-icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
-adaptation_access service_avi_req allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_req av_src
-icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
-adaptation_access service_avi_resp allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_rep av_src
-{% endif %}
-
 {% if squid_filter_url %}
 url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
 url_rewrite_program /usr/sbin/ufdbgclient -m 4 -l /var/log/squid/