diff --git a/roles/float-base-docker/tasks/podman_debian.yml b/roles/float-base-docker/tasks/podman_debian.yml
index ba4e212ffbd294664946519a7d997b247cd9d42c..3ed64cc68e63533b81c8266ed2f391f01834306e 100644
--- a/roles/float-base-docker/tasks/podman_debian.yml
+++ b/roles/float-base-docker/tasks/podman_debian.yml
@@ -3,10 +3,6 @@
 # Install Podman using packages from the Debian distribution
 # (available starting with Bullseye).
 
-- fail:
-    msg: "Debian packages for Podman are only present in Bullseye"
-  when: "float_debian_dist in ('stretch', 'buster')"
-
 - name: Remove podman Kubic repository key
   file:
     path: "/etc/apt/trusted.gpg.d/kubic.gpg"
diff --git a/roles/float-base-docker/templates/run.sh.j2 b/roles/float-base-docker/templates/run.sh.j2
index e8afd0f74b6a0939bb0cc8edc1d5739b434f59d7..4e08780895806cf82445648b1549f021170ec20f 100644
--- a/roles/float-base-docker/templates/run.sh.j2
+++ b/roles/float-base-docker/templates/run.sh.j2
@@ -114,12 +114,7 @@ done
 # option to get rid of the useless 'podman' process.
 {% if container_runtime == 'podman' %}
 exec /usr/bin/podman run \
-{% if float_debian_dist in ('stretch', 'buster') %}
-    --cgroup-manager=cgroupfs \
-    --cgroup-parent /system.slice/docker-{{ item.tag }}.service \
-{% else %}
     --cgroups=disabled \
-{% endif %}
     --replace \
     --sdnotify=conmon \
 {% elif container_runtime == 'docker' %}
diff --git a/roles/float-base-docker/templates/systemd.j2 b/roles/float-base-docker/templates/systemd.j2
index 4ed55446931bdbda79d903023f35a7d33415cf48..1d45fc12e4cc520ec2bcaf715a5cec4936d81453 100644
--- a/roles/float-base-docker/templates/systemd.j2
+++ b/roles/float-base-docker/templates/systemd.j2
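Review bot: Dropping the `fail` task removes the only early, explicit check that the host runs a Debian release with Podman packages; on a stretch or buster host the role now carries on until `apt` or `podman` fails with a far less obvious error. If the intent of this commit is that stretch and buster are unsupported everywhere, a single guard at the start of float-base, e.g. `- assert: { that: "float_debian_dist not in ('stretch', 'buster')", fail_msg: "float requires Debian bullseye or later" }`, keeps the failure mode explicit without per-role conditionals. The comment `# (available starting with Bullseye).` that survives above the task is now the only record of that requirement.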
@@ -21,12 +21,8 @@ SyslogIdentifier={{ item.service }}-{{ item.container.name }}
 {% if item.container.resources is defined %}
 {% if item.container.resources.ram is defined %}
 MemoryMax={{ item.container.resources.ram }}
-{% if float_debian_dist == 'buster' %}
-ExecStartPost=+/bin/sh -c "echo 0 > /sys/fs/cgroup/memory/system.slice/%n/memory.swappiness"
-{% else %}
 MemorySwapMax=0
 {% endif %}
-{% endif %}
 {% if item.container.resources.cpu is defined %}
 CPUQuota={{ 100 * item.container.resources.cpu }}%
 {% endif %}
diff --git a/roles/float-base/tasks/apt.yml b/roles/float-base/tasks/apt.yml
index 688c869f629d5483dfdc13b90efb7a420e634b4b..5a0a5fb589ff168c8c1eff9063761b393291f240 100644
--- a/roles/float-base/tasks/apt.yml
+++ b/roles/float-base/tasks/apt.yml
@@ -83,13 +83,11 @@
     state: present
   when: "testing|default(True)"
 
-# mtail 3.0.0~rc19-2 on Buster is broken when reading from named pipes
-# Pin mtail to ai3 repo that ships mtail 3.0.0~rc5-1~bpo9+1
-- name: Force mtail version on buster
-  copy:
-    src: "mtail.apt-preferences"
-    dest: "/etc/apt/preferences.d/99float-syslog"
-  when: float_debian_dist == 'buster'
+# Remove legacy stretch/buster mtail package pin.
+- name: Cleanup mtail package pin
+  file:
+    path: "/etc/apt/preferences.d/99float-syslog"
+    state: absent
 
 - name: Install base packages
   apt:
@@ -124,6 +122,7 @@
       - auditd
       - audisp-json
       - prometheus-node-exporter
+      - prometheus-node-exporter-collectors
       - assetmon
 
 - name: Install extra packages
diff --git a/roles/float-base/tasks/harden.yml b/roles/float-base/tasks/harden.yml
index aa3de5658d78e107d4157f8306ca9fd50468d4e3..3202889f0645a380f1d0ac66f570dbee94ba01a5 100644
--- a/roles/float-base/tasks/harden.yml
+++ b/roles/float-base/tasks/harden.yml
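Review bot: `MemorySwapMax=0` is now emitted for every container that declares a `ram` limit, but systemd honours that directive only under the unified (cgroup v2) hierarchy; on a host still booted with the legacy hierarchy it is silently ignored, so the unit gets a memory cap with unrestricted swap, which is precisely the case the removed `ExecStartPost` line used to cover. A one-line comment above the directive would record the assumption, e.g. `# MemorySwapMax needs cgroup v2 (unified hierarchy); assumed on bullseye and later`. The outer `{% if item.container.resources is defined %}` block opened at the top of this hunk closes outside it.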
@@ -63,7 +63,7 @@
 - name: Audispd plugins configured
   copy:
     src: "audit/plugins.d/{{ item }}"
-    dest: "/etc/{{ 'audisp' if float_debian_dist in ('stretch', 'buster') else 'audit' }}/plugins.d/{{ item }}"
+    dest: "/etc/audit/plugins.d/{{ item }}"
   with_items:
     - syslog.conf
     - json.conf
diff --git a/roles/float-base/tasks/prometheus.yml b/roles/float-base/tasks/prometheus.yml
index 8fd76e922be1df3b87f4250960a14420f7437cdb..3b63c70b176e38ec02d86313f3c92f32feb994a0 100644
--- a/roles/float-base/tasks/prometheus.yml
+++ b/roles/float-base/tasks/prometheus.yml
@@ -7,13 +7,6 @@
   notify:
     - reload prometheus-node-exporter
 
-- name: Install prometheus node extra package
-  apt:
-    name:
-      - prometheus-node-exporter-collectors
-    state: present
-  when: "float_debian_dist not in ('stretch', 'buster')"
-
 - name: Add static metrics
   template:
     src: "{{ item }}.j2"
diff --git a/roles/float-base/templates/sources.list.j2 b/roles/float-base/templates/sources.list.j2
index de7b2e130c67916c99b7a76fce31c0579d9e6994..939e9edc983f5fba9dde15227dc13d464ee9f5e3 100644
--- a/roles/float-base/templates/sources.list.j2
+++ b/roles/float-base/templates/sources.list.j2
@@ -1,10 +1,5 @@
 {% if apt_sources_list_override is defined %}{{ apt_sources_list_override }}{% else %}
 deb http://deb.debian.org/debian {{ float_debian_dist }} main contrib non-free
 deb http://deb.debian.org/debian {{ float_debian_dist }}-updates main contrib non-free
-{% if float_debian_dist in ('stretch', 'buster') %}
-deb http://deb.debian.org/debian {{ float_debian_dist }}-backports main
-deb http://security.debian.org/ {{ float_debian_dist }}/updates main contrib non-free
-{% else %}
 deb http://security.debian.org/debian-security {{ float_debian_dist }}-security main contrib non-free
 {% endif %}
-{% endif %}
diff --git a/roles/float-infra-dns/templates/bind/named.conf.local b/roles/float-infra-dns/templates/bind/named.conf.local
index 08eb7af0c189993851303ca0994b8ecf5a890f18..baa7da72d83bdf1eb103d82094c7bd98189eb845 100644
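Review bot: With the stretch/buster branch gone, the rendered sources.list contains no `-backports` entry for any release, so any task elsewhere in the roles that still installs from `{{ float_debian_dist }}-backports` (or pins a `~bpo` version) will now fail at apt time; worth a grep before merging. The component list `main contrib non-free` is also hard-coded on all three remaining lines, which on bookworm and later leaves out firmware packages that moved to the separate `non-free-firmware` component. If bookworm is among the targets, something like `{% set components = 'main contrib non-free' ~ (' non-free-firmware' if float_debian_dist != 'bullseye' else '') %}` at the top of the `{% else %}` branch keeps both releases correct; if only bullseye is targeted, a comment saying so would stop the next reader re-adding the conditional.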
--- a/roles/float-infra-dns/templates/bind/named.conf.local
+++ b/roles/float-infra-dns/templates/bind/named.conf.local
@@ -8,10 +8,6 @@ view "internal-in" in {
 {% endfor %}
   };
   recursion yes;
-{% if float_debian_dist == 'buster' %}
-  additional-from-auth yes;
-  additional-from-cache yes;
-{% endif %}
   zone-statistics no;
 
   // Send minimal responses, to avoid problems with the Spamassassin
@@ -33,13 +29,6 @@ view "external-in" in {
   recursion no;
   zone-statistics yes;
 
-{% if float_debian_dist == 'buster' %}
-  // Do not trust the cache when generating additional records
-  // for our authoritative zones.
-  additional-from-auth no;
-  additional-from-cache no;
-
-{% endif %}
   // Include manually-maintained zones.
   include "/etc/bind/named.conf.external-custom-zones";
 
diff --git a/roles/float-infra-dns/templates/bind/named.conf.options b/roles/float-infra-dns/templates/bind/named.conf.options
index c15c35f3c1d3dd4a00a10a739c41838d778b45a4..fb34501e6e02e674010df011619797faa4e30d86 100644
--- a/roles/float-infra-dns/templates/bind/named.conf.options
+++ b/roles/float-infra-dns/templates/bind/named.conf.options
@@ -28,9 +28,6 @@ options {
   listen-on-v6 { any; };
 {% endif %}
 
-{% if float_debian_dist == 'buster' %}
-  dnssec-enable yes;
-{% endif %}
   dnssec-validation auto;
   notify no;
 
diff --git a/roles/float-infra-haproxy/templates/haproxy.cfg.j2 b/roles/float-infra-haproxy/templates/haproxy.cfg.j2
index e8dce8b4f3ab8529c2be8758f877a027fdf2bc9d..4fe5770d07b8d5644e33cc8ecf0f4917dd6b7c01 100644
--- a/roles/float-infra-haproxy/templates/haproxy.cfg.j2
+++ b/roles/float-infra-haproxy/templates/haproxy.cfg.j2
@@ -4,11 +4,9 @@ global
     group haproxy
     chroot /var/lib/haproxy
     daemon
-{% if float_debian_dist != 'buster' %}
     # use journald-compatibile short format, and don't send 'emerg' level out
     # http://cbonte.github.io/haproxy-dconv/2.2/configuration.html#3.1-log
     log stdout format short local4 info alert
-{% endif %}
     stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
 
 defaults
diff --git a/roles/float-infra-nginx/templates/nginx-upstream.j2 b/roles/float-infra-nginx/templates/nginx-upstream.j2
index caae9648ef01fe55951e33799489e5fa7affd7f7..1b3e6bc984d20eef687c48d41bfecfae532b07b0 100644
--- a/roles/float-infra-nginx/templates/nginx-upstream.j2
+++ b/roles/float-infra-nginx/templates/nginx-upstream.j2
@@ -15,10 +15,8 @@ upstream {{ upstream.name }}{% if shard %}_{{ shard }}{% endif %} {
 {% endif %}
     keepalive 8;
 
-{% if float_debian_dist != 'buster' %}
     keepalive_timeout 300s;
     keepalive_requests 1000;
-{% endif %}
 }
 {% endmacro %}
 