Update to 2023-09-13 23:00

2025-04-22 21:23:23 +02:00 · 2023-09-13 23:00:21 +02:00 · 2023-09-13 23:00:21 +02:00 · 3475fdc9bf
commit 3475fdc9bf
parent 758b7f1094
12 changed files with 9 additions and 119 deletions
--- a/roles/matrix_element/defaults/main.yml
+++ b/roles/matrix_element/defaults/main.yml
@ -5,8 +5,8 @@
 element_id: element
 # Version to deploy, and expected sha256
-element_version: 1.11.40
+element_version: 1.11.41
-element_archive_sha256: 7e0d0263ee2c52401f6f8f0ea2c5b76fef82aaa1860c1b4986235971f7b8b731
+element_archive_sha256: b03e59e4c3da71278f1b79df2469cdc25c250129c7669a0531888a0e1ae41529
 # Where to install element
 element_root_dir: /opt/matrix/element
--- a/roles/matrix_synapse/defaults/main.yml
+++ b/roles/matrix_synapse/defaults/main.yml
@ -1,7 +1,7 @@
 ---
 # Synapse version to deploy
-synapse_version: '1.91.2'
+synapse_version: '1.92.1'
 # Should ansible handle Synapse upgrades ? If false, only initial install will be done
 synapse_manage_upgrade: True
--- a/roles/odoo/templates/odoo-server.service.j2
+++ b/roles/odoo/templates/odoo-server.service.j2
@ -17,7 +17,8 @@ SyslogIdentifier=odoo
 Restart=on-failure
 StartLimitInterval=0
 RestartSec=30
-MemoryLimit=2048M
+MemoryHigh=1800M
 MemoryMax=2048M
 [Install]
 WantedBy=multi-user.target
--- a/roles/squid/defaults/main.yml
+++ b/roles/squid/defaults/main.yml
@ -24,11 +24,6 @@ squid_ssl_ports: [ 443, 8006, 8007, 8443, 8448 ]
 # Admin email displayed on denied and error pages
 # squid_admin_email: admin@example.com
 # Should we scan content with ClamAV. Default is disabled
 squid_scan_av: True
 # Files bigger than (in bytes) this won't be scanned
 squid_av_max_size: 5000000
 squid_servers_ip:
  - 10.0.0.0/8
  - 172.16.0.0/12
--- a/roles/squid/files/ufdb.te
+++ b/roles/squid/files/ufdb.te
@ -1,15 +1,17 @@
-module ufdb 1.2;
+module ufdb 1.3;
 require {
        type initrc_tmp_t;
        type initrc_t;
        type tmp_t;
        type squid_t;
        type unconfined_service_t;
        class sock_file write;
        class unix_stream_socket connectto;
 }
 #============= squid_t ==============
 allow squid_t initrc_t:unix_stream_socket connectto;
 allow squid_t unconfined_service_t:unix_stream_socket connectto;
 allow squid_t initrc_tmp_t:sock_file write;
 allow squid_t tmp_t:sock_file write;
--- a/roles/squid/handlers/main.yml
+++ b/roles/squid/handlers/main.yml
@ -6,12 +6,6 @@
 - name: restart squid
  service: name=squid state=restarted
 - name: restart c-icap
  service: name=c-icap state={{ squid_scan_av | ternary('restarted', 'stopped') }}
 - name: restart squid-clamd
  service: name=squid-clamd state={{ squid_scan_av | ternary('restarted', 'stopped') }}
 - name: restart ufdb
  service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('restarted', 'stopped') }}
--- a/roles/squid/meta/main.yml
+++ b/roles/squid/meta/main.yml
@ -1,5 +1,4 @@
 ---
 dependencies:
  - role: httpd_common
  - role: clamav
  - role: mkdir
--- a/roles/squid/tasks/main.yml
+++ b/roles/squid/tasks/main.yml
@ -4,8 +4,6 @@
  yum:
    name:
      - squid
      - c-icap
      - squidclamav
      - ufdbGuard
  notify: restart squid
  tags: proxy
@ -138,43 +136,12 @@
  register: squid_safebrowsing
  tags: proxy
 - name: Deploy clamd config
  template: src=clamd.conf.j2 dest=/etc/clamd.d/squid.conf
  notify: restart squid-clamd
  tags: proxy
 - name: Deploy clamd systemd unit
  template: src=squid-clamd.service.j2 dest=/etc/systemd/system/squid-clamd.service
  register: squid_clam_unit
  notify: restart squid-clamd
  tags: proxy
 - name: Deploy c-icap configuration
  template: src=c-icap.conf.j2 dest=/etc/c-icap/c-icap.conf
  notify: restart c-icap
  tags: proxy
 - name: Create systemd unit snippet dir
  file: path=/etc/systemd/system/{{ item }}.service.d state=directory
  loop:
    - c-icap
    - squid
  tags: proxy
 - name: Deploy a systemd unit snippet for c-icap
  copy:
    content: |
      [Service]
      User=c-icap
      Group=c-icap
      Restart=on-failure
      StartLimitInterval=0
      RestartSec=1
    dest: /etc/systemd/system/c-icap.service.d/user.conf
  register: squid_c_icap_unit
  notify: restart c-icap
  tags: proxy
 - name: Deploy a systemd unit snipet for squid
  copy:
    content: |
@ -186,14 +153,9 @@
  register: squid_unit
  tags: proxy
 - name: Deploy squidclamav configuration
  template: src=squidclamav.conf.j2 dest=/etc/c-icap/squidclamav.conf mode=644
  notify: restart c-icap
  tags: proxy
 - name: Reload systemd
  command: systemctl daemon-reload
-  when: squid_clam_unit.changed or squid_c_icap_unit.changed or squid_unit.changed
+  when: squid_unit.changed
  tags: proxy
 - include_tasks: selinux.yml
@ -252,14 +214,6 @@
  service: name=squid state=started enabled=True
  tags: proxy
 - name: Start and enable c-icap
  service: name=c-icap state=started enabled=True
  tags: proxy
 - name: Handle squid-clamd daemon
  service: name=squid-clamd state={{ squid_scan_av | ternary('started','stopped') }} enabled={{ squid_scan_av | ternary(True,False) }}
  tags: proxy
 - name: Handle ufdb daemon
  service: name={{ squid_ufdb_unit.stat.exists | ternary('ufdbGuard','ufdb') }} state={{ squid_filter_url | ternary('started','stopped') }} enabled={{ squid_filter_url | ternary(True,False) }}
  tags: proxy
--- a/roles/squid/templates/c-icap.conf.j2
+++ b/roles/squid/templates/c-icap.conf.j2
@ -1,17 +0,0 @@
 ServerAdmin {{ squid_admin_email | default(system_admin_email) | default('admin@' + ansible_domain) }}
 ServerName {{ inventory_hostname }}
 TmpDir /tmp
 MaxMemObject 1048576
 Module logger sys_logger.so
 Logger sys_logger
 DebugLevel 0
 Port 127.0.0.1:1344
 TemplateDir /usr/share/c_icap/templates/
 {% if squid_scan_av %}
 Service squidclamav squidclamav.so
 {% endif %}
 MaxKeepAliveRequests 1000
 MaxServers 20
 ThreadsPerChild 50
 MaxRequestsPerChild 100000
--- a/roles/squid/templates/clamd.conf.j2
+++ b/roles/squid/templates/clamd.conf.j2
@ -1,8 +0,0 @@
 LogSyslog yes
 LogVerbose yes
 ExtendedDetectionInfo yes
 LocalSocket /var/run/clamav/squid.sock
 LocalSocketMode 666
 ExitOnOOM yes
 Foreground yes
 DetectBrokenExecutables yes
--- a/roles/squid/templates/squid-clamd.service.j2
+++ b/roles/squid/templates/squid-clamd.service.j2
@ -1,15 +0,0 @@
 [Unit]
 Description=ClamAV antivirus daemon for squid
 After=syslog.target network.target
 [Service]
 Type=simple
 ExecStart=/usr/sbin/clamd -c /etc/clamd.d/squid.conf
 User=clamav
 Group=clamav
 Restart=on-failure
 PrivateTmp=true
 [Install]
 WantedBy=multi-user.target
--- a/roles/squid/templates/squid.conf.j2
+++ b/roles/squid/templates/squid.conf.j2
@ -58,21 +58,6 @@ quick_abort_min -1
 max_filedesc 8192
 icap_enable on
 icap_send_client_ip on
 icap_send_client_username on
 icap_client_username_encode off
 icap_client_username_header X-Authenticated-User
 icap_preview_enable on
 icap_preview_size 1024
 {% if squid_scan_av %}
 icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
 adaptation_access service_avi_req allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_req av_src
 icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=on
 adaptation_access service_avi_resp allow !admins_src !local_whitelist_domains !local_whitelist_urls !no_av_scan_rep av_src
 {% endif %}
 {% if squid_filter_url %}
 url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""
 url_rewrite_program /usr/sbin/ufdbgclient -m 4 -l /var/log/squid/