From 3e63ce3c71620433dc135959b2743aa010b28fe1 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 17 May 2016 12:52:57 +0200 Subject: update submodules so "rake test" doesnt complain anymore --- puppet/modules/apache | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/apache/manifests/vhost/php') diff --git a/puppet/modules/apache b/puppet/modules/apache index 117bed9a..415e9504 160000 --- a/puppet/modules/apache +++ b/puppet/modules/apache @@ -1 +1 @@ -Subproject commit 117bed9a9263c21d253d86b667eb165948efdc24 +Subproject commit 415e9504f99dca3ccaa4dfd389dde24ad9d0e01c -- cgit v1.2.3 From 7ce3190986cf8e5fe037a7ccd4c1076505b117f4 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Jul 2016 16:41:59 -0400 Subject: remove submodules in preparation for move to subrepos Change-Id: Ia7655153b556337f676e3d909559c4a7306bedd6 --- puppet/modules/apache | 1 - 1 file changed, 1 deletion(-) delete mode 160000 puppet/modules/apache (limited to 'puppet/modules/apache/manifests/vhost/php') diff --git a/puppet/modules/apache b/puppet/modules/apache deleted file mode 160000 index 415e9504..00000000 --- a/puppet/modules/apache +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 415e9504f99dca3ccaa4dfd389dde24ad9d0e01c -- cgit v1.2.3 From 4aff06cc2fecc0b59728d7fc825fb36394b847b7 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 12 Jul 2016 16:45:58 -0400 Subject: git subrepo clone https://leap.se/git/puppet_apache puppet/modules/apache subrepo: subdir: "puppet/modules/apache" merged: "415e950" upstream: origin: "https://leap.se/git/puppet_apache" branch: "master" commit: "415e950" git-subrepo: version: "0.3.0" origin: "https://github.com/ingydotnet/git-subrepo" commit: "1e79595" Change-Id: Iba7353669969a09c0b4bbd63add67e3245b05ede --- .../modules/apache/manifests/vhost/php/drupal.pp | 144 ++++++++++ .../modules/apache/manifests/vhost/php/gallery2.pp | 141 ++++++++++ .../manifests/vhost/php/global_exec_bin_dir.pp | 9 + .../modules/apache/manifests/vhost/php/joomla.pp | 174 ++++++++++++ .../apache/manifests/vhost/php/mediawiki.pp | 106 +++++++ .../apache/manifests/vhost/php/safe_mode_bin.pp | 17 ++ .../apache/manifests/vhost/php/silverstripe.pp | 119 ++++++++ .../apache/manifests/vhost/php/simplemachine.pp | 125 +++++++++ puppet/modules/apache/manifests/vhost/php/spip.pp | 114 ++++++++ .../modules/apache/manifests/vhost/php/standard.pp | 304 +++++++++++++++++++++ puppet/modules/apache/manifests/vhost/php/typo3.pp | 150 ++++++++++ .../modules/apache/manifests/vhost/php/webapp.pp | 148 ++++++++++ .../apache/manifests/vhost/php/wordpress.pp | 123 +++++++++ 13 files changed, 1674 insertions(+) create mode 100644 puppet/modules/apache/manifests/vhost/php/drupal.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/gallery2.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/global_exec_bin_dir.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/joomla.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/mediawiki.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/safe_mode_bin.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/silverstripe.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/simplemachine.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/spip.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/standard.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/typo3.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/webapp.pp create mode 100644 puppet/modules/apache/manifests/vhost/php/wordpress.pp (limited to 'puppet/modules/apache/manifests/vhost/php') diff --git a/puppet/modules/apache/manifests/vhost/php/drupal.pp b/puppet/modules/apache/manifests/vhost/php/drupal.pp new file mode 100644 index 00000000..5b15e6a0 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/drupal.pp @@ -0,0 +1,144 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# php_safe_mode_exec_bins: An array of local binaries which should be linked in the +# safe_mode_exec_bin for this hosting +# *default*: None +# php_default_charset: default charset header for php. +# *default*: absent, which will set the same as default_charset +# of apache +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +# +define apache::vhost::php::drupal( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_drupal/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_directories = true, + $config_webwriteable = false, + $manage_config = true, + $manage_cron = true +){ + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + + if $manage_cron { + if $domain == 'absent' { + $real_domain = $name + } else { + $real_domain = $domain + } + + file{"/etc/cron.d/drupal_cron_${name}": + content => "0 * * * * apache wget -O - -q -t 1 http://${real_domain}/cron.php\n", + owner => root, + group => 0, + mode => '0644'; + } + } + + $std_drupal_php_settings = { + magic_quotes_gpc => 0, + register_globals => 0, + 'session.auto_start' => 0, + 'mbstring.http_input' => 'pass', + 'mbstring.http_output' => 'pass', + 'mbstring.encoding_translation' => 0, + } + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => merge($std_drupal_php_settings, $php_settings), + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => false, + manage_config => false, + } +} + diff --git a/puppet/modules/apache/manifests/vhost/php/gallery2.pp b/puppet/modules/apache/manifests/vhost/php/gallery2.pp new file mode 100644 index 00000000..3acb011d --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/gallery2.pp @@ -0,0 +1,141 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: (*defaul*) don't activate mod_security +# - true: activate mod_security +# +# php_safe_mode_exec_bins: An array of local binaries which should be linked in the +# safe_mode_exec_bin for this hosting +# *default*: None +# php_default_charset: default charset header for php. +# *default*: absent, which will set the same as default_charset +# of apache +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::gallery2( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_gallery2/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, +){ + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $upload_dir = "/var/www/vhosts/${name}/data/upload" + $gdata_dir = "/var/www/vhosts/${name}/data/gdata" + if $ensure != 'absent' { + file{ + $gdata_dir: + ensure => 'directory', + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0660'; + $upload_dir: + ensure => 'directory', + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0660'; + } + } + + $gallery_php_settings = { + safe_mode => 'Off', + output_buffering => 'Off', + } + $real_php_settings = merge($gallery_php_settings,$php_settings) + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $real_php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + manage_config => $manage_config, + config_file => 'config.php', + } +} + diff --git a/puppet/modules/apache/manifests/vhost/php/global_exec_bin_dir.pp b/puppet/modules/apache/manifests/vhost/php/global_exec_bin_dir.pp new file mode 100644 index 00000000..efcdaf7f --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/global_exec_bin_dir.pp @@ -0,0 +1,9 @@ +# manage global exec_bin_dir +class apache::vhost::php::global_exec_bin_dir { + file{'/var/www/php_safe_exec_bins': + ensure => directory, + owner => root, + group => apache, + mode => '0640'; + } +} diff --git a/puppet/modules/apache/manifests/vhost/php/joomla.pp b/puppet/modules/apache/manifests/vhost/php/joomla.pp new file mode 100644 index 00000000..ed0696f8 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/joomla.pp @@ -0,0 +1,174 @@ +# run_mode: controls in which mode the vhost should be run, there are different +# setups possible: +# - normal: (*default*) run vhost with the current active worker +# (default: prefork) don't setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in +# combination with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just +# proxies all the requests for the itk setup, that listens only +# on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk +# setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves +# all the static +# content and proxies the dynamic calls to the itk setup, that +# listens only on the loobpack device +# (Incompatibility: cannot be used in combination with 'itk' +# mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security +# module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::joomla( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $php_installation = 'system', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_joomla/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true +){ + include ::apache::include::joomla + + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + + if $mod_security_additional_options == 'absent' { + $id_str = $::operatingsystem ? { + 'CentOS' => $::operatingsystemmajrelease ? { + 5 => '', + default => 'id:1199400,' + }, + default => '' + } + $real_mod_security_additional_options = " + # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + + SecRuleRemoveById 950013 + + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\" + + # Exceptions for Joomla Component Expose + + SecRuleRemoveById 960010 + +" + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } + + $std_joomla_php_settings = { + 'allow_url_fopen' => 'on', + 'allow_url_include' => 'off', + } + + # create vhost configuration file + ::apache::vhost::php::webapp{ + $name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => merge($std_joomla_php_settings, + $php_settings), + php_options => $php_options, + php_installation => $php_installation, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/administrator/backups", + "${documentroot}/administrator/components", + "${documentroot}/administrator/language", + "${documentroot}/administrator/modules", + "${documentroot}/administrator/templates", + "${documentroot}/components", + "${documentroot}/dmdocuments", + "${documentroot}/images", + "${documentroot}/language", + "${documentroot}/media", + "${documentroot}/modules", + "${documentroot}/plugins", + "${documentroot}/templates", + "${documentroot}/cache", + "${documentroot}/tmp", + "${documentroot}/administrator/cache" ], + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'configuration.php', + } + +} + diff --git a/puppet/modules/apache/manifests/vhost/php/mediawiki.pp b/puppet/modules/apache/manifests/vhost/php/mediawiki.pp new file mode 100644 index 00000000..25881ca1 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/mediawiki.pp @@ -0,0 +1,106 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::mediawiki( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo Limit', + $php_settings = {}, + $php_options = {}, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_mediawiki/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent' +){ + + $mediawiki_php_settings = { + safe_mode => false, + } + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + manage_docroot => $manage_docroot, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => merge($mediawiki_php_settings,$php_settings), + php_options => $php_options, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => false, + manage_config => false, + } +} + diff --git a/puppet/modules/apache/manifests/vhost/php/safe_mode_bin.pp b/puppet/modules/apache/manifests/vhost/php/safe_mode_bin.pp new file mode 100644 index 00000000..1c82e199 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/safe_mode_bin.pp @@ -0,0 +1,17 @@ +# safe_mode binaries +define apache::vhost::php::safe_mode_bin( + $ensure = 'present', + $path +){ + $substr=regsubst($name,'^.*\/','','G') + $real_path = "${path}/${substr}" + $target = $ensure ? { + 'present' => regsubst($name,'^.*@',''), + default => absent, + } + file{$real_path: + ensure => link, + target => $target, + } +} + diff --git a/puppet/modules/apache/manifests/vhost/php/silverstripe.pp b/puppet/modules/apache/manifests/vhost/php/silverstripe.pp new file mode 100644 index 00000000..1f19eab4 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/silverstripe.pp @@ -0,0 +1,119 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::silverstripe( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_silverstripe/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, +){ + + include ::apache::include::silverstripe + + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $modsec_rules = ['960010'] + $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules) + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/assets" ], + manage_config => $manage_config, + } + +} + diff --git a/puppet/modules/apache/manifests/vhost/php/simplemachine.pp b/puppet/modules/apache/manifests/vhost/php/simplemachine.pp new file mode 100644 index 00000000..3fa11a77 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/simplemachine.pp @@ -0,0 +1,125 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::simplemachine( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, +){ + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ + "${documentroot}/agreement.txt", + "${documentroot}/attachments", + "${documentroot}/avatars", + "${documentroot}/cache", + "${documentroot}/Packages", + "${documentroot}/Packages/installed.list", + "${documentroot}/Smileys", + "${documentroot}/Themes", + "${documentroot}/Themes/default/languages/Install.english.php" + ], + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'Settings.php', + } +} + diff --git a/puppet/modules/apache/manifests/vhost/php/spip.pp b/puppet/modules/apache/manifests/vhost/php/spip.pp new file mode 100644 index 00000000..e33c1dfe --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/spip.pp @@ -0,0 +1,114 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::spip( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo', + $php_settings = {}, + $php_options = {}, + $template_partial = 'apache/vhosts/php/partial.erb', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent' +){ + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + managed_directories => [ + "${documentroot}/IMG", + "${documentroot}/tmp", + "${documentroot}/local", + "${documentroot}/config" + ], + manage_config => false, + } +} + diff --git a/puppet/modules/apache/manifests/vhost/php/standard.pp b/puppet/modules/apache/manifests/vhost/php/standard.pp new file mode 100644 index 00000000..3870707a --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/standard.pp @@ -0,0 +1,304 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::standard( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $logpath = 'absent', + $logprefix = '', + $path = 'absent', + $manage_webdir = true, + $path_is_webdir = false, + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = 0640, + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $php_installation = 'system', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $use_mod_macro = false, + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', +){ + + if $manage_webdir { + # create webdir + ::apache::vhost::webdir{$name: + ensure => $ensure, + path => $path, + owner => $owner, + group => $group, + run_mode => $run_mode, + manage_docroot => $manage_docroot, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + } + } + + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + + if $path_is_webdir { + $documentroot = $real_path + } else { + $documentroot = "${real_path}/www" + } + $logdir = $logpath ? { + 'absent' => "${real_path}/logs", + default => $logpath + } + + $std_php_options = { + smarty => false, + pear => false, + } + $real_php_options = merge($std_php_options,$php_options) + + if $real_php_options[smarty] { + include php::extensions::smarty + $smarty_path = '/usr/share/php/Smarty/:' + } else { + $smarty_path = '' + } + + if $real_php_options[pear] { + $pear_path = '/usr/share/pear/:' + } else { + $pear_path = '' + } + + if $logmode != 'nologs' { + $php_error_log = "${logdir}/php_error_log" + } else { + $php_error_log = undef + } + + if ('safe_mode_exec_dir' in $php_settings) { + $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir] + } else { + $php_safe_mode_exec_dir = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/bin", + default => "/var/www/vhosts/${name}/bin" + }, + default => "${path}/bin" + } + } + file{$php_safe_mode_exec_dir: + recurse => true, + force => true, + purge => true, + } + if ('safe_mode_exec_bins' in $php_options) { + $std_php_settings_safe_mode_exec_dir = $php_safe_mode_exec_dir + $ensure_exec = $ensure ? { + 'present' => directory, + default => 'absent', + } + File[$php_safe_mode_exec_dir]{ + ensure => $ensure_exec, + owner => $documentroot_owner, + group => $documentroot_group, + mode => '0750', + } + $php_safe_mode_exec_bins_subst = regsubst($php_options[safe_mode_exec_bins],'(.+)',"${name}@\\1") + apache::vhost::php::safe_mode_bin{ + $php_safe_mode_exec_bins_subst: + ensure => $ensure, + path => $php_safe_mode_exec_dir; + } + } else { + $std_php_settings_safe_mode_exec_dir = undef + File[$php_safe_mode_exec_dir]{ + ensure => absent, + } + } + + if !('default_charset' in $php_settings) and ($default_charset != 'absent') { + $std_php_settings_default_charset = $default_charset ? { + 'On' => 'iso-8859-1', + default => $default_charset + } + } else { + $std_php_settings_default_charset = undef + } + + if ('additional_open_basedir' in $php_options) { + $the_open_basedir = "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}" + } else { + $the_open_basedir = "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}" + } + + if $run_mode == 'fcgid' { + $safe_mode_gid = $::operatingsystem ? { + debian => undef, + default => $php_installation ? { + 'system' => 'On', + default => undef, + } + } + } else { + $safe_mode_gid = undef + } + + $safe_mode = $::operatingsystem ? { + debian => undef, + default => $php_installation ? { + 'system' => 'On', + default => undef, + } + } + $std_php_settings = { + engine => 'On', + upload_tmp_dir => "/var/www/upload_tmp_dir/${name}", + 'session.save_path' => "/var/www/session.save_path/${name}", + error_log => $php_error_log, + safe_mode => $safe_mode, + safe_mode_gid => $safe_mode_gid, + safe_mode_exec_dir => $std_php_settings_safe_mode_exec_dir, + default_charset => $std_php_settings_default_charset, + open_basedir => $the_open_basedir, + } + + $real_php_settings = merge($std_php_settings,$php_settings) + + if $ensure != 'absent' { + case $run_mode { + 'proxy-itk','static-itk': { + include ::php::itk_plus + } + 'itk': { include ::php::itk } + 'fcgid': { + include ::mod_fcgid + include ::php::mod_fcgid + include apache::include::mod_fcgid + + mod_fcgid::starter {$name: + tmp_dir => $real_php_settings[php_tmp_dir], + cgi_type => 'php', + cgi_type_options => delete($real_php_settings, php_tmp_dir), + owner => $run_uid, + group => $run_gid, + notify => Service['apache'], + } + if $php_installation == 'scl54' { + require php::scl::php54 + Mod_fcgid::Starter[$name]{ + binary => '/opt/rh/php54/root/usr/bin/php-cgi', + additional_cmds => 'source /opt/rh/php54/enable', + rc => '/opt/rh/php54/root/etc', + } + } elsif $php_installation == 'scl55' { + require php::scl::php55 + Mod_fcgid::Starter[$name]{ + binary => '/opt/rh/php55/root/usr/bin/php-cgi', + additional_cmds => 'source /opt/rh/php55/enable', + rc => '/opt/rh/php55/root/etc', + } + } + } + default: { include ::php } + } + } + + ::apache::vhost::phpdirs{$name: + ensure => $ensure, + php_upload_tmp_dir => $real_php_settings[upload_tmp_dir], + php_session_save_path => $real_php_settings['session.save_path'], + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + } + + # create vhost configuration file + ::apache::vhost{$name: + ensure => $ensure, + configuration => $configuration, + path => $path, + path_is_webdir => $path_is_webdir, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + logpath => $logpath, + logprefix => $logprefix, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + php_settings => $real_php_settings, + php_options => $real_php_options, + ssl_mode => $ssl_mode, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + use_mod_macro => $use_mod_macro, + passing_extension => 'php', + } +} + diff --git a/puppet/modules/apache/manifests/vhost/php/typo3.pp b/puppet/modules/apache/manifests/vhost/php/typo3.pp new file mode 100644 index 00000000..d9e877a6 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/typo3.pp @@ -0,0 +1,150 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::typo3( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_typo3/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true, +){ + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + + $modsec_rules = ['960010'] + $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules) + if $mod_security_additional_options == 'absent' { + $real_mod_security_additional_options = ' + + SecRuleEngine Off + SecAuditEngine Off + +' + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } + + $typo3_php_settings = { + # turn allow_url_fopen on for the extension manager fetch + allow_url_fopen => 'On' + } + $real_php_settings = merge($typo3_php_settings,$php_settings) + + # create vhost configuration file + ::apache::vhost::php::webapp{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $real_php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/typo3temp", + "${documentroot}/typo3temp/pics", + "${documentroot}/typo3temp/temp", + "${documentroot}/typo3temp/llxml", + "${documentroot}/typo3temp/cs", + "${documentroot}/typo3temp/GB", + "${documentroot}/typo3temp/locks", + "${documentroot}/typo3conf", + "${documentroot}/typo3conf/ext", + "${documentroot}/typo3conf/l10n", + # "${documentroot}/typo3/ext/", # only needed for ext manager installing global extensions + "${documentroot}/uploads", + "${documentroot}/uploads/pics", + "${documentroot}/uploads/media", + "${documentroot}/uploads/tf", + "${documentroot}/fileadmin", + "${documentroot}/fileadmin/_temp_" + ], + manage_config => $manage_config, + } + +} + diff --git a/puppet/modules/apache/manifests/vhost/php/webapp.pp b/puppet/modules/apache/manifests/vhost/php/webapp.pp new file mode 100644 index 00000000..695120d0 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/webapp.pp @@ -0,0 +1,148 @@ +# run_mode: controls in which mode the vhost should be run, there are different setups +# possible: +# - normal: (*default*) run vhost with the current active worker (default: prefork) don't +# setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination +# with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the +# requests for the itk setup, that listens only on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static +# content and proxies the dynamic calls to the itk setup, that listens only on +# the loobpack device (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::webapp( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $manage_webdir = true, + $manage_docroot = true, + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'None', + $php_settings = {}, + $php_options = {}, + $php_installation = 'system', + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial, + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_file = 'absent', + $config_webwriteable = false, + $manage_directories = true, + $managed_directories = 'absent', +){ + if ($ensure != 'absent') { + if $manage_directories and ($managed_directories != 'absent') { + ::apache::file::rw{ $managed_directories : + owner => $documentroot_owner, + group => $documentroot_group, + } + } + + if $manage_config { + if $config_file == 'absent' { fail("No config file defined for ${name} on ${::fqdn}, if you'd like to manage the config, you have to add one!") } + + $real_path = $path ? { + 'absent' => $::operatingsystem ? { + openbsd => "/var/www/htdocs/${name}", + default => "/var/www/vhosts/${name}" + }, + default => $path + } + $documentroot = "${real_path}/www" + ::apache::vhost::file::documentrootfile{"configurationfile_${name}": + documentroot => $documentroot, + filename => $config_file, + thedomain => $name, + owner => $documentroot_owner, + group => $documentroot_group, + } + if $config_webwriteable { + Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ + mode => '0660', + } + } else { + Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{ + mode => '0440', + } + } + } + } + + # create vhost configuration file + ::apache::vhost::php::standard{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + manage_webdir => $manage_webdir, + manage_docroot => $manage_docroot, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + php_installation => $php_installation, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + } +} + diff --git a/puppet/modules/apache/manifests/vhost/php/wordpress.pp b/puppet/modules/apache/manifests/vhost/php/wordpress.pp new file mode 100644 index 00000000..a6bbe434 --- /dev/null +++ b/puppet/modules/apache/manifests/vhost/php/wordpress.pp @@ -0,0 +1,123 @@ +# run_mode: controls in which mode the vhost should be run, there are different +# setups # possible: +# - normal: (*default*) run vhost with the current active worker +# (default: prefork) don't setup anything special +# - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in +# combination with 'proxy-itk' & 'static-itk' mode) +# - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just +# proxies all the requests for the itk setup, that listens only +# on the loobpack device. +# (Incompatibility: cannot be used in combination with the itk +# setup.) +# - static-itk: run vhost with a dual prefork/itk setup, where prefork serves +# all the static content and proxies the dynamic calls to the +# itk setup, that listens only on the loobpack device +# (Incompatibility: cannot be used in combination with +# 'itk' mode) +# +# run_uid: the uid the vhost should run as with the itk module +# run_gid: the gid the vhost should run as with the itk module +# +# mod_security: Whether we use mod_security or not (will include mod_security +# module) +# - false: don't activate mod_security +# - true: (*default*) activate mod_security +# +# logmode: +# - default: Do normal logging to CustomLog and ErrorLog +# - nologs: Send every logging to /dev/null +# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null +# - semianonym: Don't log ips for CustomLog, log normal ErrorLog +define apache::vhost::php::wordpress( + $ensure = present, + $configuration = {}, + $domain = 'absent', + $domainalias = 'absent', + $server_admin = 'absent', + $logmode = 'default', + $path = 'absent', + $owner = root, + $group = apache, + $documentroot_owner = apache, + $documentroot_group = 0, + $documentroot_mode = '0640', + $run_mode = 'normal', + $run_uid = 'absent', + $run_gid = 'absent', + $allow_override = 'FileInfo Indexes', + $php_settings = {}, + $php_options = {}, + $do_includes = false, + $options = 'absent', + $additional_options = 'absent', + $default_charset = 'absent', + $mod_security = true, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', + $ssl_mode = false, + $vhost_mode = 'template', + $template_partial = 'apache/vhosts/php_wordpress/partial.erb', + $vhost_source = 'absent', + $vhost_destination = 'absent', + $htpasswd_file = 'absent', + $htpasswd_path = 'absent', + $manage_config = true, + $config_webwriteable = false, + $manage_directories = true +){ + + $documentroot = $path ? { + 'absent' => $::operatingsystem ? { + 'openbsd' => "/var/www/htdocs/${name}/www", + default => "/var/www/vhosts/${name}/www" + }, + default => "${path}/www" + } + $modsec_rules = ['960010', '950018'] + $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable, + $modsec_rules) + + # create vhost configuration file + apache::vhost::php::webapp{$name: + ensure => $ensure, + configuration => $configuration, + domain => $domain, + domainalias => $domainalias, + server_admin => $server_admin, + logmode => $logmode, + path => $path, + owner => $owner, + group => $group, + documentroot_owner => $documentroot_owner, + documentroot_group => $documentroot_group, + documentroot_mode => $documentroot_mode, + run_mode => $run_mode, + run_uid => $run_uid, + run_gid => $run_gid, + allow_override => $allow_override, + php_settings => $php_settings, + php_options => $php_options, + do_includes => $do_includes, + options => $options, + additional_options => $additional_options, + default_charset => $default_charset, + mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, + ssl_mode => $ssl_mode, + vhost_mode => $vhost_mode, + template_partial => $template_partial, + vhost_source => $vhost_source, + vhost_destination => $vhost_destination, + htpasswd_file => $htpasswd_file, + htpasswd_path => $htpasswd_path, + manage_directories => $manage_directories, + managed_directories => [ "${documentroot}/wp-content/uploads",], + manage_config => $manage_config, + config_webwriteable => $config_webwriteable, + config_file => 'wp-config.php', + } +} + -- cgit v1.2.3