From 4aff06cc2fecc0b59728d7fc825fb36394b847b7 Mon Sep 17 00:00:00 2001
From: Micah <micah@leap.se>
Date: Tue, 12 Jul 2016 16:45:58 -0400
Subject: git subrepo clone https://leap.se/git/puppet_apache
 puppet/modules/apache

subrepo:
  subdir:   "puppet/modules/apache"
  merged:   "415e950"
upstream:
  origin:   "https://leap.se/git/puppet_apache"
  branch:   "master"
  commit:   "415e950"
git-subrepo:
  version:  "0.3.0"
  origin:   "https://github.com/ingydotnet/git-subrepo"
  commit:   "1e79595"

Change-Id: Iba7353669969a09c0b4bbd63add67e3245b05ede
---
 .../apache/templates/default/default_index.erb     | 13 ++++
 .../templates/include.d/ssl_defaults.inc.erb       | 78 ++++++++++++++++++++++
 .../itk_plus/CentOS/00-listen-ssl.conf.erb         |  6 ++
 .../templates/itk_plus/CentOS/00-listen.conf.erb   |  8 +++
 .../apache/templates/vhosts/0-default_ssl.conf.erb | 21 ++++++
 puppet/modules/apache/templates/vhosts/default.erb | 44 ++++++++++++
 .../apache/templates/vhosts/gitweb/partial.erb     | 16 +++++
 .../modules/apache/templates/vhosts/itk_plus.erb   |  6 ++
 .../apache/templates/vhosts/itk_plus/partial.erb   | 31 +++++++++
 .../templates/vhosts/partials/authentication.erb   |  6 ++
 .../templates/vhosts/partials/header_default.erb   | 22 ++++++
 .../apache/templates/vhosts/partials/logs.erb      | 18 +++++
 .../templates/vhosts/partials/mod_security.erb     | 27 ++++++++
 .../templates/vhosts/partials/php_settings.erb     | 20 ++++++
 .../apache/templates/vhosts/partials/ssl.erb       |  8 +++
 .../vhosts/partials/std_override_options.erb       |  4 ++
 .../apache/templates/vhosts/passenger/partial.erb  |  7 ++
 .../apache/templates/vhosts/perl/partial.erb       | 14 ++++
 .../apache/templates/vhosts/php/partial.erb        |  5 ++
 .../apache/templates/vhosts/php_drupal/partial.erb | 22 ++++++
 .../templates/vhosts/php_gallery2/partial.erb      | 14 ++++
 .../apache/templates/vhosts/php_joomla/partial.erb | 30 +++++++++
 .../templates/vhosts/php_mediawiki/partial.erb     |  7 ++
 .../templates/vhosts/php_silverstripe/partial.erb  | 12 ++++
 .../apache/templates/vhosts/php_typo3/partial.erb  | 10 +++
 .../templates/vhosts/php_wordpress/partial.erb     | 19 ++++++
 .../apache/templates/vhosts/proxy/partial.erb      |  8 +++
 .../apache/templates/vhosts/redirect/partial.erb   |  1 +
 .../apache/templates/vhosts/static/partial.erb     |  4 ++
 .../apache/templates/vhosts/webdav/partial.erb     | 21 ++++++
 .../templates/webfiles/autoconfig/config.shtml.erb | 58 ++++++++++++++++
 31 files changed, 560 insertions(+)
 create mode 100644 puppet/modules/apache/templates/default/default_index.erb
 create mode 100644 puppet/modules/apache/templates/include.d/ssl_defaults.inc.erb
 create mode 100644 puppet/modules/apache/templates/itk_plus/CentOS/00-listen-ssl.conf.erb
 create mode 100644 puppet/modules/apache/templates/itk_plus/CentOS/00-listen.conf.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/0-default_ssl.conf.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/default.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/gitweb/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/itk_plus.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/itk_plus/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/partials/authentication.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/partials/header_default.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/partials/logs.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/partials/mod_security.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/partials/php_settings.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/partials/ssl.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/partials/std_override_options.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/passenger/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/perl/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/php/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/php_drupal/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/php_gallery2/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/php_joomla/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/php_mediawiki/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/php_silverstripe/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/php_typo3/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/php_wordpress/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/proxy/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/redirect/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/static/partial.erb
 create mode 100644 puppet/modules/apache/templates/vhosts/webdav/partial.erb
 create mode 100644 puppet/modules/apache/templates/webfiles/autoconfig/config.shtml.erb

(limited to 'puppet/modules/apache/templates')

diff --git a/puppet/modules/apache/templates/default/default_index.erb b/puppet/modules/apache/templates/default/default_index.erb
new file mode 100644
index 00000000..b35ecd91
--- /dev/null
+++ b/puppet/modules/apache/templates/default/default_index.erb
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+<head>
+  <title><%= scope.lookupvar('::hostname') %></title>
+  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
+</head>
+<body>
+  <h1> No page @ this location</h1>
+  <p>
+    <small><em><%= scope.lookupvar('::hostname') %></em></small>
+  </p>
+</body>
+</html>
diff --git a/puppet/modules/apache/templates/include.d/ssl_defaults.inc.erb b/puppet/modules/apache/templates/include.d/ssl_defaults.inc.erb
new file mode 100644
index 00000000..77f8e77a
--- /dev/null
+++ b/puppet/modules/apache/templates/include.d/ssl_defaults.inc.erb
@@ -0,0 +1,78 @@
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   SSL Protocol support:
+# List the enable protocol levels with which clients will be able to
+# connect.  Disable SSLv2 access by default:
+SSLProtocol All -SSLv2 -SSLv3
+
+#   SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+SSLCipherSuite "<%= scope.lookupvar('apache::ssl_cipher_suite') %>"
+
+SSLHonorCipherOrder on
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+</Files>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is send or allowed to received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is send and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+SetEnvIf User-Agent ".*MSIE.*" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
diff --git a/puppet/modules/apache/templates/itk_plus/CentOS/00-listen-ssl.conf.erb b/puppet/modules/apache/templates/itk_plus/CentOS/00-listen-ssl.conf.erb
new file mode 100644
index 00000000..83f7beeb
--- /dev/null
+++ b/puppet/modules/apache/templates/itk_plus/CentOS/00-listen-ssl.conf.erb
@@ -0,0 +1,6 @@
+<IfDefine HttpdLocal>
+Listen 127.0.0.1:443
+</IfDefine>
+<IfDefine !HttpdLocal>
+Listen <%= scope.lookupvar('::ipaddress') %>:443
+</IfDefine>
diff --git a/puppet/modules/apache/templates/itk_plus/CentOS/00-listen.conf.erb b/puppet/modules/apache/templates/itk_plus/CentOS/00-listen.conf.erb
new file mode 100644
index 00000000..30b20466
--- /dev/null
+++ b/puppet/modules/apache/templates/itk_plus/CentOS/00-listen.conf.erb
@@ -0,0 +1,8 @@
+<IfDefine HttpdLocal>
+Listen 127.0.0.1:80
+PidFile run/httpdlocal.pid
+</IfDefine>
+<IfDefine !HttpdLocal>
+Listen <%= scope.lookupvar('::ipaddress') %>:80
+PidFile run/httpd.pid
+</IfDefine>
diff --git a/puppet/modules/apache/templates/vhosts/0-default_ssl.conf.erb b/puppet/modules/apache/templates/vhosts/0-default_ssl.conf.erb
new file mode 100644
index 00000000..86e4979f
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/0-default_ssl.conf.erb
@@ -0,0 +1,21 @@
+############################################################
+### This file is managed by PUPPET!                     ####
+### Only modify in repo or you will loose the changes!  ####
+############################################################
+
+<VirtualHost *:443>
+    Include include.d/defaults.inc
+    Include include.d/ssl_defaults.inc
+    DocumentRoot /var/www/html
+
+    # Use separate log files for the SSL virtual host; note that LogLevel
+    # is not inherited from httpd.conf.
+    ErrorLog logs/ssl_error_log
+    TransferLog logs/ssl_access_log
+    LogLevel warn
+
+<%= scope.function_templatewlv(['apache/vhosts/partials/ssl.erb',
+                                {'configuration' => {}}]) %>
+</VirtualHost>
+
+# vim: ts=4 filetype=apache
diff --git a/puppet/modules/apache/templates/vhosts/default.erb b/puppet/modules/apache/templates/vhosts/default.erb
new file mode 100644
index 00000000..1ef8023d
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/default.erb
@@ -0,0 +1,44 @@
+<%
+vhost_parts = case @ssl_mode
+  when 'only' then [:ssl]
+  when false,'false' then  [:normal]
+  else [:normal,:ssl]
+end
+vhost_parts.each do |vhost_part| -%>
+<VirtualHost *:<%= vhost_part == :ssl ? '443' : '80' %> >
+
+<%= scope.function_templatewlv(['apache/vhosts/partials/header_default.erb',
+                                {'vhost_part'    => vhost_part,
+                                 'configuration' => @configuration,}]) %>
+
+<%= scope.function_template(['apache/vhosts/partials/logs.erb']) %>
+
+<% if @run_mode.to_s =~ /(proxy\-|static\-)?itk/ -%>
+  <IfModule mpm_itk_module>
+    AssignUserId <%= "#{@run_uid} #{@run_gid}" %>
+  </IfModule>
+
+<% elsif @run_mode.to_s == 'fcgid' -%>
+  <IfModule mod_fcgid.c>
+    SuexecUserGroup <%= "#{@run_uid} #{@run_gid}" %>
+    FcgidMaxRequestsPerProcess 5000
+    FCGIWrapper /var/www/mod_fcgid-starters/<%= @name %>/<%= @name %>-starter .<%= @passing_extension %>
+    AddHandler fcgid-script .<%= @passing_extension %>
+  </IfModule>
+
+<% end -%>
+<% if @ssl_mode == 'force' && vhost_part == :normal -%>
+  RewriteEngine On
+  RewriteCond %{HTTPS} !=on
+  RewriteCond %{HTTP:X-Forwarded-Proto} !=https
+  RewriteRule (.*) https://%{SERVER_NAME}$1 [R=permanent,L]
+<% end -%>
+<%= scope.function_templatewlv([@template_partial, {'vhost_part' => vhost_part } ]) %>
+<% unless @template_partial == 'apache/vhosts/itk_plus/partial.erb' -%>
+<%= scope.function_template(['apache/vhosts/partials/mod_security.erb']) %>
+<% end -%>
+<% unless @additional_options.to_s == 'absent' -%>
+  <%= @additional_options %>
+<% end -%>
+</VirtualHost>
+<% end -%>
diff --git a/puppet/modules/apache/templates/vhosts/gitweb/partial.erb b/puppet/modules/apache/templates/vhosts/gitweb/partial.erb
new file mode 100644
index 00000000..a8475f60
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/gitweb/partial.erb
@@ -0,0 +1,16 @@
+  SetEnv GITWEB_CONFIG <%= @gitweb_config %>
+  DirectoryIndex gitweb.cgi
+  <Directory "<%= @documentroot %>/">
+<% if @options.to_s != 'absent' || @do_includes.to_s == 'true'-%>
+    Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% unless @options.include?('+ExecCGI') -%> +ExecCGI<% end -%>
+<% end -%>
+    AddHandler cgi-script .cgi
+    <Files gitweb.cgi>
+      Options ExecCGI FollowSymLinks
+      SetHandler cgi-script
+    </Files>
+    RewriteEngine on
+    RewriteRule ^[a-zA-Z0-9_-]+.git/?(\?.)?$ /gitweb.cgi%{REQUESTURI} [L,PT]
+
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+  </Directory>
diff --git a/puppet/modules/apache/templates/vhosts/itk_plus.erb b/puppet/modules/apache/templates/vhosts/itk_plus.erb
new file mode 100644
index 00000000..b5461968
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/itk_plus.erb
@@ -0,0 +1,6 @@
+<IfDefine HttpdLocal>
+<%= scope.function_template(['apache/vhost/default.erb']) %>
+</IfDefine>
+<IfDefine !HttpdLocal>
+<%= scope.function_templatewlv(['apache/vhost/default.erb', {'template_partial' => 'apache/vhosts/itk_plus/partial.erb' }]) %>
+</IfDefine>
diff --git a/puppet/modules/apache/templates/vhosts/itk_plus/partial.erb b/puppet/modules/apache/templates/vhosts/itk_plus/partial.erb
new file mode 100644
index 00000000..df045433
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/itk_plus/partial.erb
@@ -0,0 +1,31 @@
+
+  ProxyPreserveHost On
+  ProxyRequests off
+<% if vhost_part == :ssl -%>
+  SSLProxyEngine On
+<%   if run_mode.to_s == 'static-itk' -%>
+  ProxyPassMatch ^/(.*\.<%= @passing_extension %>/?.*)$ https://127.0.0.1/$1
+<%   else -%>
+  ProxyPass / https://127.0.0.1/
+<%   end -%>
+  ProxyPassReverse / https://127.0.0.1/
+<% else -%>
+<%   if run_mode.to_s == 'static-itk' -%>
+  ProxyPassMatch ^/(.*\.<%= @passing_extension %>/?.*)$ http://127.0.0.1/$1
+<%   else -%>
+  ProxyPass / http://127.0.0.1/
+<%   end -%>
+  ProxyPassReverse / http://127.0.0.1/
+<% end -%>
+
+<% if @run_mode.to_s == 'static-itk' && (@ssl_mode.to_s != 'force' || vhost_part == :ssl) -%>
+  <Directory "<%= @documentroot %>/">
+    AllowOverride <%= @allow_override %>
+<%   if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%>
+    Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%>
+<%   end -%>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+  </Directory>
+<% end -%>
+
+
diff --git a/puppet/modules/apache/templates/vhosts/partials/authentication.erb b/puppet/modules/apache/templates/vhosts/partials/authentication.erb
new file mode 100644
index 00000000..ed832210
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/partials/authentication.erb
@@ -0,0 +1,6 @@
+<% unless @htpasswd_file.to_s == 'absent' -%>
+    AuthType Basic
+    AuthName "Access fuer <%= @servername %>"
+    AuthUserFile <%= @real_htpasswd_path %>
+    require valid-user
+<% end -%>
diff --git a/puppet/modules/apache/templates/vhosts/partials/header_default.erb b/puppet/modules/apache/templates/vhosts/partials/header_default.erb
new file mode 100644
index 00000000..cd4d04ca
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/partials/header_default.erb
@@ -0,0 +1,22 @@
+  Include include.d/defaults.inc
+<% if vhost_part == :ssl -%>
+  Include include.d/ssl_defaults.inc
+<%= scope.function_templatewlv(['apache/vhosts/partials/ssl.erb',
+                                {'configuration' => configuration}]) %>
+<% end -%>
+  ServerName <%= @servername %>
+<% unless @serveralias.empty? || (@serveralias == 'absent') -%>
+  ServerAlias <%= Array(@serveralias).sort.join(' ') %>
+<% end -%>
+<% unless @server_admin.empty? || (@server_admin == 'absent') -%>
+  ServerAdmin <%= @server_admin %>
+<% end -%>
+<% unless @documentroot == 'really_absent' -%>
+  DocumentRoot <%= @documentroot %>/
+<% end -%>
+<% if @default_charset != 'absent' -%>
+  AddDefaultCharset <%= @default_charset %>
+<% end -%>
+<% if @passing_extension != 'absent' -%>
+  DirectoryIndex index.htm index.html index.<%= @passing_extension %>
+<% end -%>
diff --git a/puppet/modules/apache/templates/vhosts/partials/logs.erb b/puppet/modules/apache/templates/vhosts/partials/logs.erb
new file mode 100644
index 00000000..4fe1b0a6
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/partials/logs.erb
@@ -0,0 +1,18 @@
+<% case @logmode.to_s
+      when 'nologs' -%>
+  ErrorLog /dev/null
+  CustomLog /dev/null %%
+<% when 'noaccess' -%>
+  ErrorLog <%= @logdir %>/<%= @logprefix %>error_log
+  CustomLog /dev/null noip
+<% when 'semianonym' -%>
+  ErrorLog <%= @logdir %>/<%= @logprefix %>error_log
+  CustomLog <%= @logdir %>/<%= @logprefix %>access_log noip
+<% when 'anonym' -%>
+  ErrorLog /dev/null
+  CustomLog <%= @logdir %>/<%= @logprefix %>access_log noip
+<% else -%>
+  ErrorLog <%= @logdir %>/<%= @logprefix %>error_log
+  CustomLog <%= @logdir %>/<%= @logprefix %>access_log combined
+<% end -%>
+
diff --git a/puppet/modules/apache/templates/vhosts/partials/mod_security.erb b/puppet/modules/apache/templates/vhosts/partials/mod_security.erb
new file mode 100644
index 00000000..380e78f1
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/partials/mod_security.erb
@@ -0,0 +1,27 @@
+  <IfModule mod_security2.c>
+<% if @mod_security.to_s == 'true' -%>
+    SecRuleEngine On
+<%   if @mod_security_relevantonly.to_s == 'true' -%>
+    SecAuditEngine RelevantOnly
+<%   else -%>
+    SecAuditEngine On
+<%   end -%>
+<% else -%>
+    SecRuleEngine Off
+    SecAuditEngine Off
+<% end -%>
+    SecAuditLogType Concurrent
+    SecAuditLogStorageDir <%= @logdir %>/
+    SecAuditLog <%= @logdir %>/mod_security_audit.log
+    SecDebugLog <%= @logdir %>/mod_security_debug.log
+<% unless (disabled_rules=Array(@mod_security_rules_to_disable)).empty? -%>
+
+<%    disabled_rules.each do |rule| -%>
+    SecRuleRemoveById "<%= rule %>"
+<%   end -%>
+<% end -%>
+<% unless (s=@mod_security_additional_options).to_s == 'absent' -%>
+
+    <%= s %>
+<% end -%>
+  </IfModule>
diff --git a/puppet/modules/apache/templates/vhosts/partials/php_settings.erb b/puppet/modules/apache/templates/vhosts/partials/php_settings.erb
new file mode 100644
index 00000000..74f6ecf2
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/partials/php_settings.erb
@@ -0,0 +1,20 @@
+<% if @run_mode != 'fcgid'
+  @php_settings.reject{|k,v| (v == :undef) || v.nil? }.keys.sort.each do |key|
+    dvalue = @php_settings[key].to_s.downcase
+    munged_value = if dvalue == 'true'
+       'on'
+      elsif dvalue == 'false'
+        'off'
+      elsif ['on','off'].include?(dvalue)
+        dvalue
+      else
+        @php_settings[key]
+      end
+
+       if ['on','off' ].include?(munged_value) -%>
+    php_admin_flag <%= key %> <%= munged_value %>
+<%     else -%>
+    php_admin_value <%= key %> <%= munged_value %>
+<%     end -%>
+<%   end -%>
+<% end -%>
diff --git a/puppet/modules/apache/templates/vhosts/partials/ssl.erb b/puppet/modules/apache/templates/vhosts/partials/ssl.erb
new file mode 100644
index 00000000..c9f39333
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/partials/ssl.erb
@@ -0,0 +1,8 @@
+  SSLCertificateFile <%= configuration['ssl_certificate_file'] || scope.lookupvar('apache::default_ssl_certificate_file') %>
+  SSLCertificateKeyFile <%= configuration['ssl_certificate_key_file'] || scope.lookupvar('apache::default_ssl_certificate_key_file') %>
+<% if configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') != 'absent' -%>
+  SSLCertificateChainFile <%= configuration['ssl_certificate_chain_file'] || scope.lookupvar('apache::default_ssl_certificate_chain_file') %>
+<% end -%>
+<% if configuration['hsts'] -%>
+  Header add Strict-Transport-Security "max-age=<%= (configuration['hsts']['age'] || 15768000) rescue 15768000 %>"
+<% end -%>
diff --git a/puppet/modules/apache/templates/vhosts/partials/std_override_options.erb b/puppet/modules/apache/templates/vhosts/partials/std_override_options.erb
new file mode 100644
index 00000000..6d8b74f8
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/partials/std_override_options.erb
@@ -0,0 +1,4 @@
+    AllowOverride <%= @allow_override %>
+<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' || @run_mode == 'fcgid' -%>
+    Options <%- unless @options.to_s == 'absent' -%><%= @options %><% end -%><% if @do_includes.to_s == 'true' && !@options.include?('+Includes') -%> +Includes<% end -%><% if @run_mode == 'fcgid' && !@options.include?('+ExecCGI') -%> +ExecCGI<% end -%>
+<% end -%>
diff --git a/puppet/modules/apache/templates/vhosts/passenger/partial.erb b/puppet/modules/apache/templates/vhosts/passenger/partial.erb
new file mode 100644
index 00000000..c3b63f55
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/passenger/partial.erb
@@ -0,0 +1,7 @@
+  SetEnv GEM_HOME <%= @gempath %>
+  <Directory <%= @documentroot %>/>
+    AllowOverride <%= @allow_override %>
+    Options <%- unless @options.to_s == 'absent' -%><%= @options %><%- end -%><%- unless !@options.to_s.include?('MultiViews') -%>-MultiViews<%- end -%>
+
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+  </Directory>
diff --git a/puppet/modules/apache/templates/vhosts/perl/partial.erb b/puppet/modules/apache/templates/vhosts/perl/partial.erb
new file mode 100644
index 00000000..8c1f0a5a
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/perl/partial.erb
@@ -0,0 +1,14 @@
+  <Directory "<%= @documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+  </Directory>
+
+<% unless @htpasswd_file.to_s == 'absent' -%>
+  <Directory "<%= @cgi_binpath %>/">
+    AuthType Basic
+    AuthName "Access fuer <%= @servername %>"
+    AuthUserFile <%= @real_htpasswd_path %>
+    require valid-user
+  </Directory>
+<% end -%>
+ ScriptAlias /cgi-bin/ <%= @cgi_binpath %>/
diff --git a/puppet/modules/apache/templates/vhosts/php/partial.erb b/puppet/modules/apache/templates/vhosts/php/partial.erb
new file mode 100644
index 00000000..c19ae7b4
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/php/partial.erb
@@ -0,0 +1,5 @@
+  <Directory "<%= @documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+  </Directory>
diff --git a/puppet/modules/apache/templates/vhosts/php_drupal/partial.erb b/puppet/modules/apache/templates/vhosts/php_drupal/partial.erb
new file mode 100644
index 00000000..316942fd
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/php_drupal/partial.erb
@@ -0,0 +1,22 @@
+  <Directory "<%= @documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+    # Protect files and directories from prying eyes.
+    <FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
+      Order allow,deny
+    </FilesMatch>
+
+    # Customized error messages.
+    ErrorDocument 404 /index.php
+
+    RewriteEngine on
+    RewriteCond %{REQUEST_FILENAME} !-f
+    RewriteCond %{REQUEST_FILENAME} !-d
+    RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
+  </Directory>
+  <Directory "<%= @documentroot %>/files/">
+    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
+    Options None
+    Options +FollowSymLinks
+  </Directory>
diff --git a/puppet/modules/apache/templates/vhosts/php_gallery2/partial.erb b/puppet/modules/apache/templates/vhosts/php_gallery2/partial.erb
new file mode 100644
index 00000000..218c0e71
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/php_gallery2/partial.erb
@@ -0,0 +1,14 @@
+  <Directory "<%= @documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+
+    # Always rewrite login's
+    # Source: http://gallery.menalto.com/node/30558
+    RewriteEngine On
+    RewriteCond %{HTTPS} !=on
+    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
+    RewriteCond %{HTTP_COOKIE} ^GALLERYSID= [OR]
+    RewriteCond %{QUERY_STRING} subView=core\.UserLogin
+    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L]
+  </Directory>
diff --git a/puppet/modules/apache/templates/vhosts/php_joomla/partial.erb b/puppet/modules/apache/templates/vhosts/php_joomla/partial.erb
new file mode 100644
index 00000000..55445bfc
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/php_joomla/partial.erb
@@ -0,0 +1,30 @@
+  <Directory "<%= @documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %> 
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+
+    Include include.d/joomla.inc
+  </Directory>
+
+  <Directory "<%= @documentroot %>/administrator/">
+    RewriteEngine on
+
+    # Rewrite URLs to https that go for the admin area
+    RewriteCond %{REMOTE_ADDR} !^127\.[0-9]+\.[0-9]+\.[0-9]+$
+    RewriteCond %{HTTPS} !=on
+    RewriteCond %{REQUEST_URI} (.*/administrator/.*)
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
+  </Directory>
+
+  # Deny various directories that
+  # shouldn't be webaccessible
+  <Directory "<%= @documentroot %>/tmp/">
+    Deny From All
+  </Directory>
+  <Directory "<%= @documentroot %>/logs/">
+    Deny From All
+  </Directory>
+  <Directory "<%= @documentroot %>/cli/">
+    Deny From All
+  </Directory>
+
diff --git a/puppet/modules/apache/templates/vhosts/php_mediawiki/partial.erb b/puppet/modules/apache/templates/vhosts/php_mediawiki/partial.erb
new file mode 100644
index 00000000..1ed6ee3e
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/php_mediawiki/partial.erb
@@ -0,0 +1,7 @@
+<% if @run_mode == 'fcgid' -%>
+  RewriteEngine On
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
+  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
+  RewriteRule ^/?index.php/(.*)$ /index.php?title=$1 [PT,L,QSA]
+<% end -%>
+<%= scope.function_template(['apache/vhosts/php/partial.erb']) %>
diff --git a/puppet/modules/apache/templates/vhosts/php_silverstripe/partial.erb b/puppet/modules/apache/templates/vhosts/php_silverstripe/partial.erb
new file mode 100644
index 00000000..75a81931
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/php_silverstripe/partial.erb
@@ -0,0 +1,12 @@
+  # silverstripe
+  RewriteEngine On
+  RewriteCond %{HTTPS} !=on
+  RewriteCond %{HTTP:X-Forwarded-Proto} !=https
+  RewriteRule /(Security|admin)(.*) https://%{HTTP_HOST}/admin$1$2 [L,R,NE]
+
+  <Directory "<%= @documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/php_settings.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+    Include include.d/silverstripe.inc
+  </Directory>
diff --git a/puppet/modules/apache/templates/vhosts/php_typo3/partial.erb b/puppet/modules/apache/templates/vhosts/php_typo3/partial.erb
new file mode 100644
index 00000000..afb756df
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/php_typo3/partial.erb
@@ -0,0 +1,10 @@
+<%= scope.function_template(['apache/vhosts/php/partial.erb']) %>
+  <Directory "<%= @documentroot %>/typo3/">
+    RewriteEngine on
+
+    # Rewrite URLs to https that go for the admin area
+    RewriteCond %{HTTPS} !=on
+    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
+    RewriteCond %{REQUEST_URI} (.*/typo3/.*)
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R,NE]
+  </Directory>
diff --git a/puppet/modules/apache/templates/vhosts/php_wordpress/partial.erb b/puppet/modules/apache/templates/vhosts/php_wordpress/partial.erb
new file mode 100644
index 00000000..5e6ebd5e
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/php_wordpress/partial.erb
@@ -0,0 +1,19 @@
+<%= scope.function_template(['apache/vhosts/php/partial.erb']) %>
+
+  # fixes: http://git.zx2c4.com/w3-total-fail/tree/w3-total-fail.sh
+  <Directory "<%= @documentroot %>/wp-content/w3tc/dbcache">
+    Deny From All
+  </Directory>
+
+  # simple wp-login brute force protection
+  # http://www.frameloss.org/2013/04/26/even-easier-brute-force-login-protection-for-wordpress/
+  RewriteEngine On
+  RewriteCond %{HTTP_COOKIE} !<%= cookie = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "cookie"]) %>
+  RewriteRule ^/wp-login.php /wordpress-login-<%= tmpuri = scope.function_sha1([scope.function_fqdn_rand([9999999999999,@name]).to_s + "wp-login"]) %>.php [R,L]
+  <Location /wordpress-login-<%= tmpuri %>.php>
+    CookieTracking on
+    CookieExpires 30
+    CookieName <%= cookie %>
+  </Location>
+  RewriteRule ^/wordpress-login-<%= tmpuri %>.php /wp-login.php [NE]
+
diff --git a/puppet/modules/apache/templates/vhosts/proxy/partial.erb b/puppet/modules/apache/templates/vhosts/proxy/partial.erb
new file mode 100644
index 00000000..0eecf820
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/proxy/partial.erb
@@ -0,0 +1,8 @@
+  <Proxy *>
+    Order deny,allow
+    Allow from all
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+  </Proxy>
+  ProxyRequests Off
+  ProxyPass        /   <%= @options %>/
+  ProxyPassReverse /   <%= @options %>/
diff --git a/puppet/modules/apache/templates/vhosts/redirect/partial.erb b/puppet/modules/apache/templates/vhosts/redirect/partial.erb
new file mode 100644
index 00000000..c8d7d11e
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/redirect/partial.erb
@@ -0,0 +1 @@
+  Redirect permanent / https://<%= @options %>
diff --git a/puppet/modules/apache/templates/vhosts/static/partial.erb b/puppet/modules/apache/templates/vhosts/static/partial.erb
new file mode 100644
index 00000000..dc6f11ca
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/static/partial.erb
@@ -0,0 +1,4 @@
+  <Directory "<%= @documentroot %>/">
+<%= scope.function_template(['apache/vhosts/partials/std_override_options.erb']) %>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+  </Directory>
diff --git a/puppet/modules/apache/templates/vhosts/webdav/partial.erb b/puppet/modules/apache/templates/vhosts/webdav/partial.erb
new file mode 100644
index 00000000..09ce632f
--- /dev/null
+++ b/puppet/modules/apache/templates/vhosts/webdav/partial.erb
@@ -0,0 +1,21 @@
+  DAVLockDB <%= @real_dav_db_dir %>/DAVLock
+  <Directory "<%= @documentroot %>/">
+    Dav on
+    AllowOverride None
+<% if @options.to_s != 'absent' || @do_includes.to_s == 'true' -%>
+    Options <% unless @options.to_s == 'absent' -%><%= @options %><% end -%><% unless @options.include?('Indexes') -%> Indexes<%- end -%>
+
+<% else -%>
+    Options Indexes
+
+<% end -%>
+<%= scope.function_template(['apache/vhosts/partials/authentication.erb']) %>
+<% if @ldap_auth.to_s == 'true' then -%>
+    Include include.d/ldap_auth.inc
+<%   unless ldap_user.to_s == 'any' -%>
+    Require ldap-user <%= ldap_user.to_s %>
+<%   else -%>
+    Require valid-user
+<%   end
+   end -%>
+  </Directory>
diff --git a/puppet/modules/apache/templates/webfiles/autoconfig/config.shtml.erb b/puppet/modules/apache/templates/webfiles/autoconfig/config.shtml.erb
new file mode 100644
index 00000000..3a3d6bb5
--- /dev/null
+++ b/puppet/modules/apache/templates/webfiles/autoconfig/config.shtml.erb
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--#if expr="$SERVER_NAME = /([^.]*\.[^.]*)$/" -->
+    <!--#set var="DOMAIN" value="$1" -->
+<!--#endif -->
+
+<clientConfig version="1.1">
+  <emailProvider id="<%= @provider %>">
+    <domain><!--#echo var="DOMAIN" --></domain>
+    <displayName><%= @display_name || @provider %> Mail (<!--#echo var="DOMAIN" -->)</displayName>
+    <displayShortName><%= @shortname || @provider.split('.').first %></displayShortName>
+    <incomingServer type="imap">
+      <hostname><%= @imap_server || "imap.#{@provider}" %></hostname>
+      <port>143</port>
+      <socketType>STARTTLS</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILADDRESS%</username>
+    </incomingServer>
+    <incomingServer type="imap">
+      <hostname><%= @imap_server || "imap.#{@provider}" %></hostname>
+      <port>993</port>
+      <socketType>SSL</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILADDRESS%</username>
+    </incomingServer>
+    <incomingServer type="pop3">
+      <hostname><%= @pop_server || "pop.#{@provider}" %></hostname>
+      <port>110</port>
+      <socketType>STARTTLS</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILADDRESS%</username>
+    </incomingServer>
+    <incomingServer type="pop3">
+      <hostname><%= @pop_server  || "pop.#{@provider}" %></hostname>
+      <port>995</port>
+      <socketType>SSL</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILADDRESS%</username>
+    </incomingServer>
+    <outgoingServer type="smtp">
+      <hostname><%= @smtp_server || "smtp.#{@provider}" %></hostname>
+      <port>587</port>
+      <socketType>STARTTLS</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILADDRESS%</username>
+    </outgoingServer>
+    <outgoingServer type="smtp">
+      <hostname><%= @smtp_server  || "smtp.#{@provider}"%></hostname>
+      <port>465</port>
+      <socketType>SSL</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILADDRESS%</username>
+    </outgoingServer>
+    <documentation url="<%= @documentation_url || "http://#{@provider}" %>">
+      <descr lang="de">Allgemeine Beschreibung der Einstellungen</descr>
+      <descr lang="en">Generic settings page</descr>
+    </documentation>
+  </emailProvider>
+</clientConfig>
-- 
cgit v1.2.3