From 4aff06cc2fecc0b59728d7fc825fb36394b847b7 Mon Sep 17 00:00:00 2001
From: Micah <micah@leap.se>
Date: Tue, 12 Jul 2016 16:45:58 -0400
Subject: git subrepo clone https://leap.se/git/puppet_apache
 puppet/modules/apache

subrepo:
  subdir:   "puppet/modules/apache"
  merged:   "415e950"
upstream:
  origin:   "https://leap.se/git/puppet_apache"
  branch:   "master"
  commit:   "415e950"
git-subrepo:
  version:  "0.3.0"
  origin:   "https://github.com/ingydotnet/git-subrepo"
  commit:   "1e79595"

Change-Id: Iba7353669969a09c0b4bbd63add67e3245b05ede
---
 .../modules/apache/manifests/vhost/php/drupal.pp   | 144 ++++++++++
 .../modules/apache/manifests/vhost/php/gallery2.pp | 141 ++++++++++
 .../manifests/vhost/php/global_exec_bin_dir.pp     |   9 +
 .../modules/apache/manifests/vhost/php/joomla.pp   | 174 ++++++++++++
 .../apache/manifests/vhost/php/mediawiki.pp        | 106 +++++++
 .../apache/manifests/vhost/php/safe_mode_bin.pp    |  17 ++
 .../apache/manifests/vhost/php/silverstripe.pp     | 119 ++++++++
 .../apache/manifests/vhost/php/simplemachine.pp    | 125 +++++++++
 puppet/modules/apache/manifests/vhost/php/spip.pp  | 114 ++++++++
 .../modules/apache/manifests/vhost/php/standard.pp | 304 +++++++++++++++++++++
 puppet/modules/apache/manifests/vhost/php/typo3.pp | 150 ++++++++++
 .../modules/apache/manifests/vhost/php/webapp.pp   | 148 ++++++++++
 .../apache/manifests/vhost/php/wordpress.pp        | 123 +++++++++
 13 files changed, 1674 insertions(+)
 create mode 100644 puppet/modules/apache/manifests/vhost/php/drupal.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/gallery2.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/global_exec_bin_dir.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/joomla.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/mediawiki.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/safe_mode_bin.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/silverstripe.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/simplemachine.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/spip.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/standard.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/typo3.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/webapp.pp
 create mode 100644 puppet/modules/apache/manifests/vhost/php/wordpress.pp

(limited to 'puppet/modules/apache/manifests/vhost/php')

diff --git a/puppet/modules/apache/manifests/vhost/php/drupal.pp b/puppet/modules/apache/manifests/vhost/php/drupal.pp
new file mode 100644
index 00000000..5b15e6a0
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/drupal.pp
@@ -0,0 +1,144 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# php_safe_mode_exec_bins: An array of local binaries which should be linked in the
+#                          safe_mode_exec_bin for this hosting
+#                          *default*: None
+# php_default_charset: default charset header for php.
+#                      *default*: absent, which will set the same as default_charset
+#                                 of apache
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+#
+define apache::vhost::php::drupal(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = '0640',
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'None',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial                 = 'apache/vhosts/php_drupal/partial.erb',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+  $manage_directories               = true,
+  $config_webwriteable              = false,
+  $manage_config                    = true,
+  $manage_cron                      = true
+){
+  $documentroot = $path ? {
+      'absent' => $::operatingsystem ? {
+          openbsd => "/var/www/htdocs/${name}/www",
+          default => "/var/www/vhosts/${name}/www"
+      },
+      default => "${path}/www"
+  }
+
+  if $manage_cron {
+    if $domain == 'absent' {
+      $real_domain = $name
+    } else {
+      $real_domain = $domain
+    }
+
+    file{"/etc/cron.d/drupal_cron_${name}":
+      content => "0   *   *   *   *   apache wget -O - -q -t 1 http://${real_domain}/cron.php\n",
+      owner   => root,
+      group   => 0,
+      mode    => '0644';
+    }
+  }
+
+  $std_drupal_php_settings = {
+    magic_quotes_gpc                => 0,
+    register_globals                => 0,
+    'session.auto_start'            => 0,
+    'mbstring.http_input'           => 'pass',
+    'mbstring.http_output'          => 'pass',
+    'mbstring.encoding_translation' => 0,
+  }
+
+  # create vhost configuration file
+  ::apache::vhost::php::webapp{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => merge($std_drupal_php_settings, $php_settings),
+    php_options                     => $php_options,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    manage_directories              => false,
+    manage_config                   => false,
+  }
+}
+
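Review bot: The `/etc/cron.d/drupal_cron_${name}` file resource has no `ensure`, so it is written whenever `$manage_cron` is true, even when the define is called with `ensure => absent`; the hourly job then outlives the vhost it was created for. Tying it to the define, e.g. `ensure => $ensure ? { 'absent' => absent, default => file },`, would remove it together with the vhost. The same `content` line puts `${real_domain}` unquoted into a command that cron hands to a shell as user `apache`, and nothing visible in this define restricts `$domain` or `$name` to hostname characters, so a validation step (or at least quoting the URL) is worth adding. The fetch also goes over plain `http://` regardless of `$ssl_mode`.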
diff --git a/puppet/modules/apache/manifests/vhost/php/gallery2.pp b/puppet/modules/apache/manifests/vhost/php/gallery2.pp
new file mode 100644
index 00000000..3acb011d
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/gallery2.pp
@@ -0,0 +1,141 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: (*defaul*) don't activate mod_security
+#    - true: activate mod_security
+#
+# php_safe_mode_exec_bins: An array of local binaries which should be linked in the
+#                          safe_mode_exec_bin for this hosting
+#                          *default*: None
+# php_default_charset: default charset header for php.
+#                      *default*: absent, which will set the same as default_charset
+#                                 of apache
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::gallery2(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = 0640,
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'None',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = false,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial                 = 'apache/vhosts/php_gallery2/partial.erb',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+  $manage_config                    = true,
+  $config_webwriteable              = false,
+  $manage_directories               = true,
+){
+  $documentroot = $path ? {
+    'absent' => $::operatingsystem ? {
+      openbsd => "/var/www/htdocs/${name}/www",
+      default => "/var/www/vhosts/${name}/www"
+    },
+    default => "${path}/www"
+  }
+  $upload_dir = "/var/www/vhosts/${name}/data/upload"
+  $gdata_dir = "/var/www/vhosts/${name}/data/gdata"
+  if $ensure != 'absent' {
+    file{
+      $gdata_dir:
+        ensure  => 'directory',
+        owner   => $documentroot_owner,
+        group   => $documentroot_group,
+        mode    => '0660';
+      $upload_dir:
+        ensure  => 'directory',
+        owner   => $documentroot_owner,
+        group   => $documentroot_group,
+        mode    => '0660';
+    }
+  }
+
+  $gallery_php_settings = {
+    safe_mode        => 'Off',
+    output_buffering => 'Off',
+  }
+  $real_php_settings = merge($gallery_php_settings,$php_settings)
+
+  # create vhost configuration file
+  ::apache::vhost::php::webapp{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => $real_php_settings,
+    php_options                     => $php_options,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    manage_directories              => $manage_directories,
+    manage_config                   => $manage_config,
+    config_file                     => 'config.php',
+  }
+}
+
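Review bot: `$upload_dir` and `$gdata_dir` are hard-coded to `/var/www/vhosts/${name}/data/...`, while `$documentroot` defined just above honours `$path` and the OpenBSD `/var/www/htdocs` layout; in either of those cases the two data directories, owned by `$documentroot_owner`, land in a tree this define does not otherwise use and whose parent may not exist. Deriving them from the same base as the document root (for instance one `$vhost_base` selector reused by all three variables) keeps the upload data under the vhost's own path. Separately, `$documentroot_mode = 0640` is a bare number here and in mediawiki.pp, whereas drupal.pp and joomla.pp quote it; `'0640'` avoids the value being read as an octal integer by newer parsers.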
diff --git a/puppet/modules/apache/manifests/vhost/php/global_exec_bin_dir.pp b/puppet/modules/apache/manifests/vhost/php/global_exec_bin_dir.pp
new file mode 100644
index 00000000..efcdaf7f
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/global_exec_bin_dir.pp
@@ -0,0 +1,9 @@
+# manage global exec_bin_dir
+class apache::vhost::php::global_exec_bin_dir {
+  file{'/var/www/php_safe_exec_bins':
+    ensure  => directory,
+    owner   => root,
+    group   => apache,
+    mode    => '0640';
+  }
+}
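Review bot: `mode => '0640'` on a directory reads as if group `apache` could not traverse `/var/www/php_safe_exec_bins`; it only works because Puppet adds the search bit on directories wherever the read bit is set, giving an effective 0750. Writing `mode => '0750';` states the intended permissions directly, or a comment such as `# Puppet adds x on directories: effective mode is 0750` would make the reliance explicit.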
diff --git a/puppet/modules/apache/manifests/vhost/php/joomla.pp b/puppet/modules/apache/manifests/vhost/php/joomla.pp
new file mode 100644
index 00000000..ed0696f8
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/joomla.pp
@@ -0,0 +1,174 @@
+# run_mode: controls in which mode the vhost should be run, there are different
+#           setups possible:
+#   - normal: (*default*) run vhost with the current active worker
+#             (default: prefork) don't setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in
+#          combination with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just
+#                proxies all the requests for the itk setup, that listens only
+#                on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk
+#                setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves
+#                 all the static
+#                 content and proxies the dynamic calls to the itk setup, that
+#                 listens only on the loobpack device
+#                 (Incompatibility: cannot be used in combination with 'itk'
+#                 mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security
+#               module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::joomla(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = '0640',
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'None',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $php_installation                 = 'system',
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial                 = 'apache/vhosts/php_joomla/partial.erb',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+  $manage_config                    = true,
+  $config_webwriteable              = false,
+  $manage_directories               = true
+){
+  include ::apache::include::joomla
+
+  $documentroot = $path ? {
+    'absent' => $::operatingsystem ? {
+      openbsd => "/var/www/htdocs/${name}/www",
+      default => "/var/www/vhosts/${name}/www"
+    },
+    default => "${path}/www"
+  }
+
+  if $mod_security_additional_options == 'absent' {
+    $id_str = $::operatingsystem ? {
+      'CentOS'  => $::operatingsystemmajrelease ? {
+        5       => '',
+        default => 'id:1199400,'
+      },
+      default => ''
+    }
+    $real_mod_security_additional_options = "
+    # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html
+    # Exceptions for Joomla Root Directory
+    <LocationMatch \"^/\">
+        SecRuleRemoveById 950013
+    </LocationMatch>
+
+    # Exceptions for Joomla Administration Panel
+    SecRule REQUEST_FILENAME \"/administrator/index2.php\" \"${id_str}allow,phase:1,nolog,ctl:ruleEngine=Off\"
+
+    # Exceptions for Joomla Component Expose
+    <LocationMatch \"^/components/com_expose/expose/manager/amfphp/gateway.php\">
+        SecRuleRemoveById 960010
+    </LocationMatch>
+"
+  } else {
+    $real_mod_security_additional_options = $mod_security_additional_options
+  }
+
+  $std_joomla_php_settings = {
+    'allow_url_fopen'   => 'on',
+    'allow_url_include' => 'off',
+  }
+
+  # create vhost configuration file
+  ::apache::vhost::php::webapp{
+    $name:
+      ensure                          => $ensure,
+      configuration                   => $configuration,
+      domain                          => $domain,
+      domainalias                     => $domainalias,
+      server_admin                    => $server_admin,
+      logmode                         => $logmode,
+      path                            => $path,
+      owner                           => $owner,
+      group                           => $group,
+      documentroot_owner              => $documentroot_owner,
+      documentroot_group              => $documentroot_group,
+      documentroot_mode               => $documentroot_mode,
+      run_mode                        => $run_mode,
+      run_uid                         => $run_uid,
+      run_gid                         => $run_gid,
+      allow_override                  => $allow_override,
+      php_settings                    => merge($std_joomla_php_settings,
+        $php_settings),
+      php_options                     => $php_options,
+      php_installation                => $php_installation,
+      do_includes                     => $do_includes,
+      options                         => $options,
+      additional_options              => $additional_options,
+      default_charset                 => $default_charset,
+      mod_security                    => $mod_security,
+      mod_security_relevantonly       => $mod_security_relevantonly,
+      mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+      mod_security_additional_options => $real_mod_security_additional_options,
+      ssl_mode                        => $ssl_mode,
+      vhost_mode                      => $vhost_mode,
+      template_partial                => $template_partial,
+      vhost_source                    => $vhost_source,
+      vhost_destination               => $vhost_destination,
+      htpasswd_file                   => $htpasswd_file,
+      htpasswd_path                   => $htpasswd_path,
+      manage_directories              => $manage_directories,
+      managed_directories             => [ "${documentroot}/administrator/backups",
+                                            "${documentroot}/administrator/components",
+                                            "${documentroot}/administrator/language",
+                                            "${documentroot}/administrator/modules",
+                                            "${documentroot}/administrator/templates",
+                                            "${documentroot}/components",
+                                            "${documentroot}/dmdocuments",
+                                            "${documentroot}/images",
+                                            "${documentroot}/language",
+                                            "${documentroot}/media",
+                                            "${documentroot}/modules",
+                                            "${documentroot}/plugins",
+                                            "${documentroot}/templates",
+                                            "${documentroot}/cache",
+                                            "${documentroot}/tmp",
+                                            "${documentroot}/administrator/cache" ],
+      manage_config                   => $manage_config,
+      config_webwriteable             => $config_webwriteable,
+      config_file                     => 'configuration.php',
+  }
+
+}
+
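Review bot: The default `$real_mod_security_additional_options` switches the rule engine off for the Joomla administrator entry point with `allow,phase:1,nolog,ctl:ruleEngine=Off`, so requests to the most sensitive part of the site bypass mod_security and leave no trace in its log. The pattern `/administrator/index2.php` is also matched as an unanchored regular expression, which covers any request filename that merely contains that text. An exact match (`@streq /administrator/index2.php`) with `nolog` dropped, or targeted `SecRuleRemoveById` entries as used for the other two exceptions, would keep the exception narrow and auditable. `<LocationMatch "^/">` likewise removes rule 950013 for every URL of the vhost; a comment saying why that rule has to go site-wide would help the next reviewer.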
diff --git a/puppet/modules/apache/manifests/vhost/php/mediawiki.pp b/puppet/modules/apache/manifests/vhost/php/mediawiki.pp
new file mode 100644
index 00000000..25881ca1
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/mediawiki.pp
@@ -0,0 +1,106 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::mediawiki(
+  $ensure = present,
+  $configuration = {},
+  $domain = 'absent',
+  $domainalias = 'absent',
+  $server_admin = 'absent',
+  $logmode = 'default',
+  $path = 'absent',
+  $manage_docroot = true,
+  $owner = root,
+  $group = apache,
+  $documentroot_owner = apache,
+  $documentroot_group = 0,
+  $documentroot_mode = 0640,
+  $run_mode = 'normal',
+  $run_uid = 'absent',
+  $run_gid = 'absent',
+  $allow_override = 'FileInfo Limit',
+  $php_settings = {},
+  $php_options = {},
+  $options = 'absent',
+  $additional_options = 'absent',
+  $default_charset = 'absent',
+  $mod_security = true,
+  $mod_security_relevantonly = true,
+  $mod_security_rules_to_disable = [],
+  $mod_security_additional_options = 'absent',
+  $ssl_mode = false,
+  $vhost_mode = 'template',
+  $template_partial = 'apache/vhosts/php_mediawiki/partial.erb',
+  $vhost_source = 'absent',
+  $vhost_destination = 'absent',
+  $htpasswd_file = 'absent',
+  $htpasswd_path = 'absent'
+){
+
+  $mediawiki_php_settings = {
+    safe_mode => false,
+  }
+
+  # create vhost configuration file
+  ::apache::vhost::php::webapp{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    manage_docroot                  => $manage_docroot,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => merge($mediawiki_php_settings,$php_settings),
+    php_options                     => $php_options,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    manage_directories              => false,
+    manage_config                   => false,
+  }
+}
+
diff --git a/puppet/modules/apache/manifests/vhost/php/safe_mode_bin.pp b/puppet/modules/apache/manifests/vhost/php/safe_mode_bin.pp
new file mode 100644
index 00000000..1c82e199
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/safe_mode_bin.pp
@@ -0,0 +1,17 @@
+# safe_mode binaries
+define apache::vhost::php::safe_mode_bin(
+  $ensure = 'present',
+  $path
+){
+  $substr=regsubst($name,'^.*\/','','G')
+  $real_path = "${path}/${substr}"
+  $target = $ensure ? {
+    'present' => regsubst($name,'^.*@',''),
+    default => absent,
+  }
+  file{$real_path:
+    ensure => link,
+    target => $target,
+  }
+}
+
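Review bot: The `file{$real_path:` resource always sets `ensure => link`, and for any `$ensure` other than 'present' the selector yields `target => absent`, which looks like it would point the link at a path named `absent` instead of removing it. Driving the resource state from the parameter, `ensure => $ensure ? { 'present' => link, default => absent },`, and setting `target` only in the present case would make removal work. The define also relies on `$name` having the form `<prefix>@<path to binary>` without saying so or checking it; a header comment describing that format, plus a check that the part after `@` is an absolute path, would keep an unexpected name from linking something unintended into the safe_mode exec directory.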
diff --git a/puppet/modules/apache/manifests/vhost/php/silverstripe.pp b/puppet/modules/apache/manifests/vhost/php/silverstripe.pp
new file mode 100644
index 00000000..1f19eab4
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/silverstripe.pp
@@ -0,0 +1,119 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::silverstripe(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = '0640',
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'None',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial                 = 'apache/vhosts/php_silverstripe/partial.erb',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+  $manage_config                    = true,
+  $config_webwriteable              = false,
+  $manage_directories               = true,
+){
+
+  include ::apache::include::silverstripe
+
+  $documentroot = $path ? {
+    'absent' => $::operatingsystem ? {
+      openbsd => "/var/www/htdocs/${name}/www",
+      default => "/var/www/vhosts/${name}/www"
+    },
+    default => "${path}/www"
+  }
+  $modsec_rules = ['960010']
+  $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules)
+
+  # create vhost configuration file
+  ::apache::vhost::php::webapp{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => $php_settings,
+    php_options                     => $php_options,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    manage_directories              => $manage_directories,
+    managed_directories             =>  [ "${documentroot}/assets" ],
+    manage_config                   => $manage_config,
+  }
+
+}
+
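Review bot: `$real_mod_security_rules_to_disable` is computed with `union()` but never used: the `webapp` resource is still passed the caller's `$mod_security_rules_to_disable`, so rule 960010 is not actually disabled for SilverStripe vhosts. If the exclusion is intended, the line should read `mod_security_rules_to_disable   => $real_mod_security_rules_to_disable,`. A comment above `$modsec_rules` saying what rule 960010 checks and why SilverStripe needs it off would keep the exception reviewable. `$config_webwriteable` is likewise declared but not forwarded to `webapp`, unlike in simplemachine.pp.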
diff --git a/puppet/modules/apache/manifests/vhost/php/simplemachine.pp b/puppet/modules/apache/manifests/vhost/php/simplemachine.pp
new file mode 100644
index 00000000..3fa11a77
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/simplemachine.pp
@@ -0,0 +1,125 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::simplemachine(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = '0640',
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'None',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial                 = 'apache/vhosts/php/partial.erb',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+  $manage_config                    = true,
+  $config_webwriteable              = false,
+  $manage_directories               = true,
+){
+  $documentroot = $path ? {
+    'absent' => $::operatingsystem ? {
+      openbsd => "/var/www/htdocs/${name}/www",
+      default => "/var/www/vhosts/${name}/www"
+    },
+    default => "${path}/www"
+  }
+
+  # create vhost configuration file
+  ::apache::vhost::php::webapp{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => $php_settings,
+    php_options                     => $php_options,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    manage_directories              => $manage_directories,
+    managed_directories             => [
+      "${documentroot}/agreement.txt",
+      "${documentroot}/attachments",
+      "${documentroot}/avatars",
+      "${documentroot}/cache",
+      "${documentroot}/Packages",
+      "${documentroot}/Packages/installed.list",
+      "${documentroot}/Smileys",
+      "${documentroot}/Themes",
+      "${documentroot}/Themes/default/languages/Install.english.php"
+    ],
+    manage_config                   => $manage_config,
+    config_webwriteable             => $config_webwriteable,
+    config_file                     => 'Settings.php',
+  }
+}
+
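Review bot: Three entries in `managed_directories` are files, not directories (`agreement.txt`, `Packages/installed.list`, `Themes/default/languages/Install.english.php`). What `webapp` does with the list is outside this hunk, but if it declares each entry as a directory those paths would be created as directories, so this is worth confirming. Presumably the list is what the web server user may write to; if so, it covers `Themes`, `Packages` and a `.php` file inside the document root, which means the application can rewrite code it later executes. A comment such as `# web-writable for the SMF installer/package manager; tighten after setup` above the list would make that trade-off explicit.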
diff --git a/puppet/modules/apache/manifests/vhost/php/spip.pp b/puppet/modules/apache/manifests/vhost/php/spip.pp
new file mode 100644
index 00000000..e33c1dfe
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/spip.pp
@@ -0,0 +1,114 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::spip(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = '0640',
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'FileInfo',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $template_partial                 = 'apache/vhosts/php/partial.erb',
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent'
+){
+  $documentroot = $path ? {
+    'absent' => $::operatingsystem ? {
+      openbsd => "/var/www/htdocs/${name}/www",
+      default => "/var/www/vhosts/${name}/www"
+    },
+    default => "${path}/www"
+  }
+
+  # create vhost configuration file
+  ::apache::vhost::php::webapp{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => $php_settings,
+    php_options                     => $php_options,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    managed_directories             => [
+      "${documentroot}/IMG",
+      "${documentroot}/tmp",
+      "${documentroot}/local",
+      "${documentroot}/config"
+    ],
+    manage_config                   => false,
+  }
+}
+
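Review bot: `$allow_override` defaults to `'FileInfo'` here while the sibling defines default to `'None'`, and the same define lists `IMG`, `tmp`, `local` and `config` as `managed_directories`. If those are made writable for the web server user (the handling is in `webapp`, outside this hunk), an `.htaccess` file written there would be honoured, and FileInfo covers handler and type mappings. I would document in the header comment why SPIP needs FileInfo and consider limiting the override to the document root itself rather than the writable subdirectories. The define also hard-codes `manage_config => false` and omits `manage_directories`, unlike its siblings, without saying so.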
diff --git a/puppet/modules/apache/manifests/vhost/php/standard.pp b/puppet/modules/apache/manifests/vhost/php/standard.pp
new file mode 100644
index 00000000..3870707a
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/standard.pp
@@ -0,0 +1,304 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::standard(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $logpath                          = 'absent',
+  $logprefix                        = '',
+  $path                             = 'absent',
+  $manage_webdir                    = true,
+  $path_is_webdir                   = false,
+  $manage_docroot                   = true,
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = 0640,
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'None',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $php_installation                 = 'system',
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $use_mod_macro                    = false,
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial                 = 'apache/vhosts/php/partial.erb',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+){
+
+  if $manage_webdir {
+    # create webdir
+    ::apache::vhost::webdir{$name:
+      ensure              => $ensure,
+      path                => $path,
+      owner               => $owner,
+      group               => $group,
+      run_mode            => $run_mode,
+      manage_docroot      => $manage_docroot,
+      documentroot_owner  => $documentroot_owner,
+      documentroot_group  => $documentroot_group,
+      documentroot_mode   => $documentroot_mode,
+    }
+  }
+
+  $real_path = $path ? {
+    'absent' => $::operatingsystem ? {
+      openbsd => "/var/www/htdocs/${name}",
+      default => "/var/www/vhosts/${name}"
+    },
+    default   => $path
+  }
+
+  if $path_is_webdir {
+    $documentroot = $real_path
+  } else {
+    $documentroot = "${real_path}/www"
+  }
+  $logdir = $logpath ? {
+    'absent'  => "${real_path}/logs",
+    default   => $logpath
+  }
+
+  $std_php_options = {
+    smarty  => false,
+    pear    => false,
+  }
+  $real_php_options = merge($std_php_options,$php_options)
+
+  if $real_php_options[smarty] {
+    include php::extensions::smarty
+    $smarty_path = '/usr/share/php/Smarty/:'
+  } else {
+    $smarty_path = ''
+  }
+
+  if $real_php_options[pear] {
+    $pear_path = '/usr/share/pear/:'
+  } else {
+    $pear_path = ''
+  }
+
+  if $logmode != 'nologs' {
+    $php_error_log = "${logdir}/php_error_log"
+  } else {
+    $php_error_log = undef
+  }
+
+  if ('safe_mode_exec_dir' in $php_settings) {
+    $php_safe_mode_exec_dir = $php_settings[safe_mode_exec_dir]
+  } else {
+    $php_safe_mode_exec_dir =  $path ? {
+      'absent' => $::operatingsystem ? {
+        openbsd => "/var/www/htdocs/${name}/bin",
+        default => "/var/www/vhosts/${name}/bin"
+      },
+      default   => "${path}/bin"
+    }
+  }
+  file{$php_safe_mode_exec_dir:
+    recurse => true,
+    force   => true,
+    purge   => true,
+  }
+  if ('safe_mode_exec_bins' in $php_options) {
+    $std_php_settings_safe_mode_exec_dir = $php_safe_mode_exec_dir
+    $ensure_exec = $ensure ? {
+      'present'  => directory,
+      default    => 'absent',
+    }
+    File[$php_safe_mode_exec_dir]{
+      ensure => $ensure_exec,
+      owner  => $documentroot_owner,
+      group  => $documentroot_group,
+      mode   => '0750',
+    }
+    $php_safe_mode_exec_bins_subst = regsubst($php_options[safe_mode_exec_bins],'(.+)',"${name}@\\1")
+    apache::vhost::php::safe_mode_bin{
+      $php_safe_mode_exec_bins_subst:
+        ensure  => $ensure,
+        path    => $php_safe_mode_exec_dir;
+    }
+  } else {
+    $std_php_settings_safe_mode_exec_dir = undef
+    File[$php_safe_mode_exec_dir]{
+      ensure => absent,
+    }
+  }
+
+  if !('default_charset' in $php_settings) and ($default_charset != 'absent') {
+    $std_php_settings_default_charset =  $default_charset ? {
+      'On'    => 'iso-8859-1',
+      default => $default_charset
+    }
+  } else {
+    $std_php_settings_default_charset = undef
+  }
+
+  if ('additional_open_basedir' in $php_options) {
+    $the_open_basedir = "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}:${php_options[additional_open_basedir]}"
+  } else {
+    $the_open_basedir = "${smarty_path}${pear_path}${documentroot}:${real_path}/data:/var/www/upload_tmp_dir/${name}:/var/www/session.save_path/${name}"
+  }
+
+  if $run_mode == 'fcgid' {
+    $safe_mode_gid = $::operatingsystem ? {
+      debian  => undef,
+      default => $php_installation ? {
+        'system'  => 'On',
+        default   => undef,
+      }
+    }
+  } else {
+    $safe_mode_gid = undef
+  }
+
+  $safe_mode = $::operatingsystem ? {
+    debian  => undef,
+    default => $php_installation ? {
+      'system'  => 'On',
+      default   => undef,
+    }
+  }
+  $std_php_settings = {
+    engine              => 'On',
+    upload_tmp_dir      => "/var/www/upload_tmp_dir/${name}",
+    'session.save_path' => "/var/www/session.save_path/${name}",
+    error_log           => $php_error_log,
+    safe_mode           => $safe_mode,
+    safe_mode_gid       => $safe_mode_gid,
+    safe_mode_exec_dir  => $std_php_settings_safe_mode_exec_dir,
+    default_charset     => $std_php_settings_default_charset,
+    open_basedir        => $the_open_basedir,
+  }
+
+  $real_php_settings = merge($std_php_settings,$php_settings)
+
+  if $ensure != 'absent' {
+    case $run_mode {
+      'proxy-itk','static-itk': {
+        include ::php::itk_plus
+      }
+      'itk': { include ::php::itk }
+      'fcgid': {
+        include ::mod_fcgid
+        include ::php::mod_fcgid
+        include apache::include::mod_fcgid
+
+        mod_fcgid::starter {$name:
+          tmp_dir          => $real_php_settings[php_tmp_dir],
+          cgi_type         => 'php',
+          cgi_type_options => delete($real_php_settings, php_tmp_dir),
+          owner            => $run_uid,
+          group            => $run_gid,
+          notify           => Service['apache'],
+        }
+        if $php_installation == 'scl54' {
+          require php::scl::php54
+          Mod_fcgid::Starter[$name]{
+            binary          => '/opt/rh/php54/root/usr/bin/php-cgi',
+            additional_cmds => 'source /opt/rh/php54/enable',
+            rc              => '/opt/rh/php54/root/etc',
+          }
+        } elsif $php_installation == 'scl55' {
+          require php::scl::php55
+          Mod_fcgid::Starter[$name]{
+            binary          => '/opt/rh/php55/root/usr/bin/php-cgi',
+            additional_cmds => 'source /opt/rh/php55/enable',
+            rc              => '/opt/rh/php55/root/etc',
+          }
+        }
+      }
+      default: { include ::php }
+    }
+  }
+
+  ::apache::vhost::phpdirs{$name:
+    ensure                => $ensure,
+    php_upload_tmp_dir    => $real_php_settings[upload_tmp_dir],
+    php_session_save_path => $real_php_settings['session.save_path'],
+    documentroot_owner    => $documentroot_owner,
+    documentroot_group    => $documentroot_group,
+    documentroot_mode     => $documentroot_mode,
+    run_mode              => $run_mode,
+    run_uid               => $run_uid,
+  }
+
+  # create vhost configuration file
+  ::apache::vhost{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    path                            => $path,
+    path_is_webdir                  => $path_is_webdir,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    logpath                         => $logpath,
+    logprefix                       => $logprefix,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    php_settings                    => $real_php_settings,
+    php_options                     => $real_php_options,
+    ssl_mode                        => $ssl_mode,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    use_mod_macro                   => $use_mod_macro,
+    passing_extension               => 'php',
+  }
+}
+
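Review bot: The `file{$php_safe_mode_exec_dir:` resource is declared with `recurse`, `force` and `purge` even when the path came from the caller's `php_settings[safe_mode_exec_dir]`, and without `safe_mode_exec_bins` it is then set to `ensure => absent`. A vhost that points `safe_mode_exec_dir` at an existing shared directory would have that directory purged or removed on the next run. The sketch below limits purge and removal to the path this define derives itself. Separately, `$documentroot_mode = 0640` is the only unquoted mode among these defines; `'0640'` would match the siblings and avoid it being read as a number.

```puppet
  # … unchanged: $php_safe_mode_exec_dir selection …
  if ('safe_mode_exec_dir' in $php_settings) {
    # Caller-supplied path that may be shared: declare it, but never
    # purge or force-remove its contents.
    $exec_dir_managed = false
    file{$php_safe_mode_exec_dir: }
  } else {
    $exec_dir_managed = true
    file{$php_safe_mode_exec_dir:
      recurse => true,
      force   => true,
      purge   => true,
    }
  }
  if ('safe_mode_exec_bins' in $php_options) {
    # … unchanged: ownership override and safe_mode_bin links …
  } elsif $exec_dir_managed {
    $std_php_settings_safe_mode_exec_dir = undef
    File[$php_safe_mode_exec_dir]{
      ensure => absent,
    }
  } else {
    $std_php_settings_safe_mode_exec_dir = undef
  }
```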
diff --git a/puppet/modules/apache/manifests/vhost/php/typo3.pp b/puppet/modules/apache/manifests/vhost/php/typo3.pp
new file mode 100644
index 00000000..d9e877a6
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/typo3.pp
@@ -0,0 +1,150 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::typo3(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = '0640',
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'None',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial                 = 'apache/vhosts/php_typo3/partial.erb',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+  $manage_config                    = true,
+  $config_webwriteable              = false,
+  $manage_directories               = true,
+){
+  $documentroot = $path ? {
+    'absent' => $::operatingsystem ? {
+        openbsd => "/var/www/htdocs/${name}/www",
+        default => "/var/www/vhosts/${name}/www"
+    },
+    default => "${path}/www"
+  }
+
+  $modsec_rules = ['960010']
+  $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,$modsec_rules)
+  if $mod_security_additional_options == 'absent' {
+  $real_mod_security_additional_options = '
+    <Location "/typo3">
+      SecRuleEngine Off
+      SecAuditEngine Off
+    </Location>
+'
+  } else {
+    $real_mod_security_additional_options = $mod_security_additional_options
+  }
+
+  $typo3_php_settings = {
+    # turn allow_url_fopen on for the extension manager fetch
+    allow_url_fopen => 'On'
+  }
+  $real_php_settings = merge($typo3_php_settings,$php_settings)
+
+  # create vhost configuration file
+  ::apache::vhost::php::webapp{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => $real_php_settings,
+    php_options                     => $php_options,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $real_mod_security_rules_to_disable,
+    mod_security_additional_options => $real_mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    manage_directories              => $manage_directories,
+    managed_directories             =>  [ "${documentroot}/typo3temp",
+                                          "${documentroot}/typo3temp/pics",
+                                          "${documentroot}/typo3temp/temp",
+                                          "${documentroot}/typo3temp/llxml",
+                                          "${documentroot}/typo3temp/cs",
+                                          "${documentroot}/typo3temp/GB",
+                                          "${documentroot}/typo3temp/locks",
+                                          "${documentroot}/typo3conf",
+                                          "${documentroot}/typo3conf/ext",
+                                          "${documentroot}/typo3conf/l10n",
+                                          # "${documentroot}/typo3/ext/", # only needed for ext manager installing global extensions
+                                          "${documentroot}/uploads",
+                                          "${documentroot}/uploads/pics",
+                                          "${documentroot}/uploads/media",
+                                          "${documentroot}/uploads/tf",
+                                          "${documentroot}/fileadmin",
+                                          "${documentroot}/fileadmin/_temp_"
+                                        ],
+    manage_config                   => $manage_config,
+  }
+
+}
+
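Review bot: The default `$real_mod_security_additional_options` sets both `SecRuleEngine Off` and `SecAuditEngine Off` for `<Location "/typo3">`, so even with `mod_security => true` the TYPO3 backend is neither inspected nor audit-logged, and the header comment does not say so. If the exemption exists because of false positives, `SecRuleEngine DetectionOnly` with the audit engine left on would still record what reaches the backend. Either way the header should carry a line such as `# mod_security_additional_options: 'absent' turns ModSecurity off for /typo3; pass your own block to keep it on`. It should also mention that rule `960010` is always unioned into the disable list and that `allow_url_fopen` is switched on for the whole vhost by default (wordpress.pp hard-codes its own `$modsec_rules` the same way). Separately, no `config_file` is passed and `$config_webwriteable` is never forwarded, so with the default `manage_config => true` the `fail()` in webapp.pp looks reachable for every typo3 vhost that is not `absent`.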
diff --git a/puppet/modules/apache/manifests/vhost/php/webapp.pp b/puppet/modules/apache/manifests/vhost/php/webapp.pp
new file mode 100644
index 00000000..695120d0
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/webapp.pp
@@ -0,0 +1,148 @@
+# run_mode: controls in which mode the vhost should be run, there are different setups
+#           possible:
+#   - normal: (*default*) run vhost with the current active worker (default: prefork) don't
+#             setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in combination
+#          with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just proxies all the
+#                requests for the itk setup, that listens only on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves all the static
+#                 content and proxies the dynamic calls to the itk setup, that listens only on
+#                 the loobpack device (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::webapp(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $manage_webdir                    = true,
+  $manage_docroot                   = true,
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = '0640',
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'None',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $php_installation                 = 'system',
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial,
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+  $manage_config                    = true,
+  $config_file                      = 'absent',
+  $config_webwriteable              = false,
+  $manage_directories               = true,
+  $managed_directories              = 'absent',
+){
+  if ($ensure != 'absent') {
+    if $manage_directories and ($managed_directories != 'absent') {
+      ::apache::file::rw{ $managed_directories :
+        owner => $documentroot_owner,
+        group => $documentroot_group,
+      }
+    }
+
+    if $manage_config {
+      if $config_file == 'absent' { fail("No config file defined for ${name} on ${::fqdn}, if you'd like to manage the config, you have to add one!") }
+
+      $real_path = $path ? {
+        'absent' => $::operatingsystem ? {
+          openbsd => "/var/www/htdocs/${name}",
+          default => "/var/www/vhosts/${name}"
+        },
+        default => $path
+      }
+      $documentroot = "${real_path}/www"
+      ::apache::vhost::file::documentrootfile{"configurationfile_${name}":
+        documentroot  => $documentroot,
+        filename      => $config_file,
+        thedomain     => $name,
+        owner         => $documentroot_owner,
+        group         => $documentroot_group,
+      }
+      if $config_webwriteable {
+        Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{
+          mode => '0660',
+        }
+      } else {
+        Apache::Vhost::File::Documentrootfile["configurationfile_${name}"]{
+          mode => '0440',
+        }
+      }
+    }
+  }
+
+  # create vhost configuration file
+  ::apache::vhost::php::standard{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    manage_webdir                   => $manage_webdir,
+    manage_docroot                  => $manage_docroot,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => $php_settings,
+    php_options                     => $php_options,
+    php_installation                => $php_installation,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+  }
+}
+
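Review bot: The `mode => '0440'` branch does not really make the managed config file read-only for the web server, because `documentrootfile` is declared with `owner => $documentroot_owner` (default `apache`) and a file's owner can change its mode again. Assuming documentrootfile applies owner, group and mode directly to the file, the `config_webwriteable => false` case would be enforced by a root-owned file that the vhost reads through its group, e.g. `owner => $config_webwriteable ? { true => $documentroot_owner, default => $owner },` together with `group => $group,`. That needs checking against the itk run modes, where the vhost runs as `run_uid`/`run_gid`. The header comment should also describe `manage_config`, `config_file` and `config_webwriteable`, since for wordpress.pp this file is `wp-config.php`.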
diff --git a/puppet/modules/apache/manifests/vhost/php/wordpress.pp b/puppet/modules/apache/manifests/vhost/php/wordpress.pp
new file mode 100644
index 00000000..a6bbe434
--- /dev/null
+++ b/puppet/modules/apache/manifests/vhost/php/wordpress.pp
@@ -0,0 +1,123 @@
+# run_mode: controls in which mode the vhost should be run, there are different
+#           setups #           possible:
+#   - normal: (*default*) run vhost with the current active worker
+#             (default: prefork) don't setup anything special
+#   - itk: run vhost with the mpm_itk module (Incompatibility: cannot be used in
+#          combination with 'proxy-itk' & 'static-itk' mode)
+#   - proxy-itk: run vhost with a dual prefork/itk setup, where prefork just
+#                proxies all the requests for the itk setup, that listens only
+#                on the loobpack device.
+#                (Incompatibility: cannot be used in combination with the itk
+#                 setup.)
+#   - static-itk: run vhost with a dual prefork/itk setup, where prefork serves
+#                 all the static content and proxies the dynamic calls to the
+#                 itk setup, that listens only on the loobpack device
+#                 (Incompatibility: cannot be used in combination with
+#                 'itk' mode)
+#
+# run_uid: the uid the vhost should run as with the itk module
+# run_gid: the gid the vhost should run as with the itk module
+#
+# mod_security: Whether we use mod_security or not (will include mod_security
+#               module)
+#    - false: don't activate mod_security
+#    - true: (*default*) activate mod_security
+#
+# logmode:
+#   - default: Do normal logging to CustomLog and ErrorLog
+#   - nologs: Send every logging to /dev/null
+#   - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
+#   - semianonym: Don't log ips for CustomLog, log normal ErrorLog
+define apache::vhost::php::wordpress(
+  $ensure                           = present,
+  $configuration                    = {},
+  $domain                           = 'absent',
+  $domainalias                      = 'absent',
+  $server_admin                     = 'absent',
+  $logmode                          = 'default',
+  $path                             = 'absent',
+  $owner                            = root,
+  $group                            = apache,
+  $documentroot_owner               = apache,
+  $documentroot_group               = 0,
+  $documentroot_mode                = '0640',
+  $run_mode                         = 'normal',
+  $run_uid                          = 'absent',
+  $run_gid                          = 'absent',
+  $allow_override                   = 'FileInfo Indexes',
+  $php_settings                     = {},
+  $php_options                      = {},
+  $do_includes                      = false,
+  $options                          = 'absent',
+  $additional_options               = 'absent',
+  $default_charset                  = 'absent',
+  $mod_security                     = true,
+  $mod_security_relevantonly        = true,
+  $mod_security_rules_to_disable    = [],
+  $mod_security_additional_options  = 'absent',
+  $ssl_mode                         = false,
+  $vhost_mode                       = 'template',
+  $template_partial                 = 'apache/vhosts/php_wordpress/partial.erb',
+  $vhost_source                     = 'absent',
+  $vhost_destination                = 'absent',
+  $htpasswd_file                    = 'absent',
+  $htpasswd_path                    = 'absent',
+  $manage_config                    = true,
+  $config_webwriteable              = false,
+  $manage_directories               = true
+){
+
+  $documentroot = $path ? {
+    'absent' => $::operatingsystem ? {
+        'openbsd' => "/var/www/htdocs/${name}/www",
+        default   => "/var/www/vhosts/${name}/www"
+    },
+    default => "${path}/www"
+  }
+  $modsec_rules = ['960010', '950018']
+  $real_mod_security_rules_to_disable = union($mod_security_rules_to_disable,
+                                                $modsec_rules)
+
+  # create vhost configuration file
+  apache::vhost::php::webapp{$name:
+    ensure                          => $ensure,
+    configuration                   => $configuration,
+    domain                          => $domain,
+    domainalias                     => $domainalias,
+    server_admin                    => $server_admin,
+    logmode                         => $logmode,
+    path                            => $path,
+    owner                           => $owner,
+    group                           => $group,
+    documentroot_owner              => $documentroot_owner,
+    documentroot_group              => $documentroot_group,
+    documentroot_mode               => $documentroot_mode,
+    run_mode                        => $run_mode,
+    run_uid                         => $run_uid,
+    run_gid                         => $run_gid,
+    allow_override                  => $allow_override,
+    php_settings                    => $php_settings,
+    php_options                     => $php_options,
+    do_includes                     => $do_includes,
+    options                         => $options,
+    additional_options              => $additional_options,
+    default_charset                 => $default_charset,
+    mod_security                    => $mod_security,
+    mod_security_relevantonly       => $mod_security_relevantonly,
+    mod_security_rules_to_disable   => $real_mod_security_rules_to_disable,
+    mod_security_additional_options => $mod_security_additional_options,
+    ssl_mode                        => $ssl_mode,
+    vhost_mode                      => $vhost_mode,
+    template_partial                => $template_partial,
+    vhost_source                    => $vhost_source,
+    vhost_destination               => $vhost_destination,
+    htpasswd_file                   => $htpasswd_file,
+    htpasswd_path                   => $htpasswd_path,
+    manage_directories              => $manage_directories,
+    managed_directories             => [ "${documentroot}/wp-content/uploads",],
+    manage_config                   => $manage_config,
+    config_webwriteable             => $config_webwriteable,
+    config_file                     => 'wp-config.php',
+  }
+}
+
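Review bot: `managed_directories` passes `${documentroot}/wp-content/uploads` to `apache::file::rw` (through webapp.pp) while `$allow_override` defaults to `'FileInfo Indexes'`, so unless the vhost template scopes the override more narrowly, `.htaccess` files would be honoured inside a directory that, going by the resource name, the web server can write to. The partial `apache/vhosts/php_wordpress/partial.erb` is not part of this hunk, so this needs confirming there. A `<Directory>` block for the uploads path with `AllowOverride None` and PHP handling disabled would keep uploaded content from being treated as configuration or code. The two hard-coded `$modsec_rules` IDs also deserve a comment naming each rule and why WordPress needs it off, and the second header line has a stray `#` (`setups #           possible:`).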
-- 
cgit v1.2.3