From 6a225e469bd99b41da319e7df8212c2c7e76396f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 21 Mar 2017 17:35:42 +0100 Subject: [PATCH 01/12] [WIP]: First pass for packweb-apache --- apache/files/evolinux-ssl.conf | 11 +++ apache/tasks/main.yml | 15 +++- packweb-apache/README.md | 38 +++++++++ packweb-apache/defaults/main.yml | 4 + packweb-apache/files/evolinux-evasive.conf | 8 ++ packweb-apache/files/evolinux-itk.conf | 10 +++ packweb-apache/files/evolinux-modsec.conf | 48 ++++++++++++ packweb-apache/files/log2mail-apache.conf | 4 + packweb-apache/tasks/main.yml | 87 +++++++++++++++++++++ packweb-apache/templates/log2mail-apache.j2 | 4 + 10 files changed, 227 insertions(+), 2 deletions(-) create mode 100644 apache/files/evolinux-ssl.conf create mode 100644 packweb-apache/README.md create mode 100644 packweb-apache/defaults/main.yml create mode 100644 packweb-apache/files/evolinux-evasive.conf create mode 100644 packweb-apache/files/evolinux-itk.conf create mode 100644 packweb-apache/files/evolinux-modsec.conf create mode 100644 packweb-apache/files/log2mail-apache.conf create mode 100644 packweb-apache/tasks/main.yml create mode 100644 packweb-apache/templates/log2mail-apache.j2 diff --git a/apache/files/evolinux-ssl.conf b/apache/files/evolinux-ssl.conf new file mode 100644 index 00000000..cde0f7ec --- /dev/null +++ b/apache/files/evolinux-ssl.conf @@ -0,0 +1,11 @@ +# Strong security. +SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH +SSLProtocol All -SSLv2 -SSLv3 +SSLHonorCipherOrder On +SSLCompression off +SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000) +SSLSessionCacheTimeout 600 + +# Stapling not activated by default. Need config. +#SSLUseStapling on +#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000) diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 4df77dcf..502cb9f2 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml 
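Review bot: `SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)` places a runtime cache in the log directory, where log rotation and log-shipping tooling may pick it up; the commented stapling line two lines below already uses `${APACHE_RUN_DIR}`, so the session cache could live there too, `SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_gcache_data(512000)`. `SSLProtocol All -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1; if that is deliberate for client compatibility, a comment next to the directive recording the decision would save the next reviewer the question.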
@@ -3,9 +3,7 @@ name: '{{ item }}' state: present with_items: - - apache2-mpm-itk - apachetop - - libapache2-mod-evasive - libwww-perl tags: - apache @@ -20,6 +18,7 @@ - headers - rewrite - cgi + - ssl tags: - apache @@ -45,6 +44,17 @@ tags: - apache +- name: Copy Apache SSL (strong security) config file + copy: + src: evolinux-ssl.conf + dest: "/etc/apache2/conf-available/evolinux-ssl.conf" + owner: root + group: root + mode: "0644" + force: no + tags: + - apache + - name: Ensure Apache config files are enabled command: "a2enconf {{ item }}" register: command_result @@ -52,6 +62,7 @@ with_items: - z-evolinux-defaults.conf - zzz-evolinux-custom.conf + - evolinux-ssl.conf tags: - apache diff --git a/packweb-apache/README.md b/packweb-apache/README.md new file mode 100644 index 00000000..225dd44b --- /dev/null +++ b/packweb-apache/README.md 
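Review bot: The new `Copy Apache SSL (strong security) config file` task uses `force: no`, so hosts that already have evolinux-ssl.conf never receive later changes to the cipher suite or protocol list shipped by the role, while the a2enconf task below still reports the configuration as enabled. If the file is meant to be a role-managed default rather than a locally edited one, drop `force: no`; if local edits are expected, a comment such as `# force: no — local edits to this file are preserved on purpose` makes the trade-off explicit. The a2enconf task's `register`/`changed_when` lines sit between the hunks and are not shown here.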
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml new file mode 100644 index 00000000..a9e9416f --- /dev/null +++ b/packweb-apache/defaults/main.yml @@ -0,0 +1,4 @@ +--- +# defaults file for packweb-apache +general_alert_email: "root@localhost" +log2mail_alert_email: Null diff --git a/packweb-apache/files/evolinux-evasive.conf b/packweb-apache/files/evolinux-evasive.conf new file mode 100644 index 00000000..15be182f --- /dev/null +++ b/packweb-apache/files/evolinux-evasive.conf 
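Review bot: `log2mail_alert_email: Null` in packweb-apache/defaults/main.yml relies on YAML's case-insensitive null spelling; the canonical form yamllint and most style guides expect is lowercase, `log2mail_alert_email: null`. The template that consumes it falls back to `general_alert_email` when the value is falsy, so the spelling change does not alter behaviour. The same capitalised `Null` appears later in this series in evoadmin/defaults/main.yml (`evoadmin_contact_email: Null`).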
@@ -0,0 +1,8 @@ + +DOSHashTableSize 3097 +DOSPageCount 5 +DOSSiteCount 30 +DOSPageInterval 3 +DOSSiteInterval 1 +DOSBlockingPeriod 60 + diff --git a/packweb-apache/files/evolinux-itk.conf b/packweb-apache/files/evolinux-itk.conf new file mode 100644 index 00000000..4e25d84b --- /dev/null +++ b/packweb-apache/files/evolinux-itk.conf @@ -0,0 +1,10 @@ + +StartServers 50 +MinSpareServers 20 +MaxSpareServers 30 +ServerLimit 250 +MaxClients 250 +MaxRequestsPerChild 0 +LimitUIDRange 0 6000 +LimitGIDRange 0 6000 + diff --git a/packweb-apache/files/evolinux-modsec.conf b/packweb-apache/files/evolinux-modsec.conf new file mode 100644 index 00000000..d78c0d9f --- /dev/null +++ b/packweb-apache/files/evolinux-modsec.conf @@ -0,0 +1,48 @@ + + +# enable mod_security +SecRuleEngine On +# access to request bodies +SecRequestBodyAccess On +#SecRequestBodyLimit 134217728 +#SecRequestBodyInMemoryLimit 131072 +# access to response bodies +SecResponseBodyAccess Off +#SecResponseBodyLimit 524288 +SecResponseBodyMimeType (null) text/html text/plain text/xml +#SecServerSignature "Apache/2.2.0 (Fedora)" + +SecUploadDir /tmp +SecUploadKeepFiles Off + +# default action +SecDefaultAction "log,auditlog,deny,status:406,phase:2" + +SecAuditEngine RelevantOnly +#SecAuditLogRelevantStatus "^[45]" +# use only one log file +SecAuditLogType Serial +# audit log file +SecAuditLog /var/log/apache2/modsec_audit.log +# what is logged +SecAuditLogParts "ABIFHZ" + +#SecArgumentSeparator "&" +SecCookieFormat 0 +SecDebugLog /var/log/apache2/modsec_debug.log +SecDebugLogLevel 0 + +SecDataDir /tmp +SecTmpDir /tmp + +######### +# RULES +######### + +# File name +SecRule REQUEST_FILENAME "modsecuritytest1" "id:1" +# Complete URI +SecRule REQUEST_URI "modsecuritytest2" "id:2" +SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3" + + 
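Review bot: `LimitUIDRange 0 6000` and `LimitGIDRange 0 6000` in evolinux-itk.conf start the permitted range at 0, so a vhost with a wrong `AssignUserID` could still serve requests as root — the very thing these directives exist to prevent. mpm-itk rejects requests whose uid or gid falls outside the range, so the lower bound must still cover every account vhosts legitimately run as (including www-data if any vhost relies on the default); raising it to at least 1, e.g. `LimitUIDRange 1 6000` and `LimitGIDRange 1 6000`, excludes root without that risk, and a comment should state the bound's purpose. The evoadmin vhost later in this series uses `AssignUserID www-evoadmin evoadmin`, regular accounts that a higher lower bound would not affect.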
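Review bot: `SecUploadDir /tmp`, `SecDataDir /tmp` and `SecTmpDir /tmp` in evolinux-modsec.conf put ModSecurity's persistent collections and intercepted uploads into a world-writable directory that is also cleared on reboot, whereas the ModSecurity reference asks for directories writable only by the Apache user. A dedicated directory created by the role (owner www-data, mode 0750) is the usual fix, e.g. `SecDataDir /var/cache/modsecurity/data` and `SecTmpDir /var/cache/modsecurity/tmp` (constructed example paths). The same consideration applies to evolinux-evasive.conf in this commit, which leaves `DOSLogDir` unset so mod_evasive falls back to its compiled-in default, which I believe is /tmp as well — worth confirming and setting explicitly. `SecResponseBodyMimeType (null) text/html text/plain text/xml` also carries a literal `(null)` token that looks like a copy artefact rather than an intended MIME type.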
diff --git a/packweb-apache/files/log2mail-apache.conf b/packweb-apache/files/log2mail-apache.conf new file mode 100644 index 00000000..93547a53 --- /dev/null +++ b/packweb-apache/files/log2mail-apache.conf @@ -0,0 +1,4 @@ +file = /var/log/apache2/error.log +pattern = "Segmentation fault" +mailto = alert3@evolix.fr +template = /etc/log2mail/mail diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml new file mode 100644 index 00000000..feb60529 --- /dev/null +++ b/packweb-apache/tasks/main.yml 
@@ -0,0 +1,87 @@ +--- +# tasks file for packweb-apache + + +- name: Setting /etc/skel/ + file: + path: "/etc/skel/{{ item.path }}" + state: "{{ item.state }}" + mode: "{{ item.mode }}" + with_items: + - {path: log, mode: "0750", state: directory} + - {path: awstats, mode: "0750", state: directory} + - {path: www, mode: "0750", state: directory} + - {path: log/access.log, mode: "0644", state: touch} + - {path: log/error.log, mode: "0644", state: touch} + +- name: Setting DIR_MODE in /etc/adduser.conf to 0750 + lineinfile: + dest: /etc/adduser.conf + regexp: '^DIR_MODE=' + line: 'DIR_MODE=0750' + +- name: is PATH already present? + command: "grep -E '^export PATH ' /etc/apache2/envvars" + failed_when: False + changed_when: False + register: envvar_grep_path + #check_mode: no (for migration to Ansible 2.2) + always_run: yes + +- name: Add a mark in envvars for PATH + blockinfile: + dest: /etc/apache2/envvars + marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH" + block: | + # Used for Evoadmin-web + export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + when: envvar_grep_path.rc != 0 + +- name: packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-evasive + - apache2-mpm-itk + - libapache2-mod-security2 + +- name: Copy Apache itk and evasive settings + copy: + src: "{{ item }}" + dest: "/etc/apache2/conf-available/{{ item }}" + owner: root + group: root + mode: "0644" + force: no + with_items: + - evolinux-itk.conf + - evolinux-evasive.conf + - evolinux-modsec.conf + +- name: Ensure Apache config files are enabled + command: "a2enconf {{ item }}" + register: command_result + changed_when: "'Enabling' in command_result.stderr" + with_items: + - evolinux-itk + - evolinux-evasive + - evolinux-modsec + +- name: Is log2mail installed? 
+ command: "apt list --installed log2mail" + register: command_result + changed_when: False + +- debug: + var: command_result + +- name: Add log2mail config for apache segfault + template: + src: log2mail-apache.j2 + dest: "/etc/log2mail/config/apache" + owner: root + group: root + mode: "0644" + force: no + when: "'log2mail' in command_result.stdout" diff --git a/packweb-apache/templates/log2mail-apache.j2 b/packweb-apache/templates/log2mail-apache.j2 new file mode 100644 index 00000000..ff08f04f --- /dev/null +++ b/packweb-apache/templates/log2mail-apache.j2 @@ -0,0 +1,4 @@ +file = /var/log/apache2/error.log +pattern = "Segmentation fault" +mailto = {{ log2mail_alert_email or general_alert_email | mandatory }} +template = /etc/log2mail/mail From 9b85b434ef9d9500d5510d0940ac5d4c31e0d269 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Tue, 21 Mar 2017 17:46:00 +0100 Subject: [PATCH 02/12] Ignore .kateproject.d/ --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 13f2924c..555b9455 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .kitchen/ .vagrant/ +.kateproject.d From 0273a0d07c12be6a36121d9e753877f62df76156 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 21 Mar 2017 18:21:30 +0100 Subject: [PATCH 03/12] Improve tasks names --- packweb-apache/tasks/main.yml | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index feb60529..6729233a 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml 
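Review bot: The log2mail detection runs `apt list --installed log2mail` and tests `'log2mail' in command_result.stdout`; apt prints a warning that its list subcommand has no stable CLI interface when used from scripts, and the substring test would also match any other installed package whose name contains `log2mail`. A dpkg query gives a stable, exact answer: `command: "dpkg-query -W -f='${Status}' log2mail"` with `failed_when: False`, and `when: "'install ok installed' in command_result.stdout"` on the template task. Reusing `command_result` as the register name for the a2enconf loop and this check also makes the `- debug: var: command_result` output ambiguous; a dedicated name such as `log2mail_check` would help.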
@@ -1,26 +1,23 @@ --- -# tasks file for packweb-apache - - -- name: Setting /etc/skel/ +- name: Add elements to user account template file: path: "/etc/skel/{{ item.path }}" state: "{{ item.state }}" mode: "{{ item.mode }}" with_items: - - {path: log, mode: "0750", state: directory} - - {path: awstats, mode: "0750", state: directory} - - {path: www, mode: "0750", state: directory} - - {path: log/access.log, mode: "0644", state: touch} - - {path: log/error.log, mode: "0644", state: touch} + - { path: log, mode: "0750", state: directory } + - { path: awstats, mode: "0750", state: directory } + - { path: www, mode: "0750", state: directory } + - { path: log/access.log, mode: "0644", state: touch } + - { path: log/error.log, mode: "0644", state: touch } -- name: Setting DIR_MODE in /etc/adduser.conf to 0750 +- name: Force DIR_MODE to 0750 in /etc/adduser.conf lineinfile: dest: /etc/adduser.conf regexp: '^DIR_MODE=' line: 'DIR_MODE=0750' -- name: is PATH already present? +- name: Check if Apache envvars have a PATH command: "grep -E '^export PATH ' /etc/apache2/envvars" failed_when: False changed_when: False @@ -28,7 +25,7 @@ #check_mode: no (for migration to Ansible 2.2) always_run: yes -- name: Add a mark in envvars for PATH +- name: Add a PATH envvar for Apache blockinfile: dest: /etc/apache2/envvars marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH" @@ -37,16 +34,16 @@ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin when: envvar_grep_path.rc != 0 -- name: packages are installed +- name: Additional packages are installed apt: name: '{{ item }}' state: present with_items: - - libapache2-mod-evasive - apache2-mpm-itk + - libapache2-mod-evasive - libapache2-mod-security2 -- name: Copy Apache itk and evasive settings +- name: Copy Apache settings for modules copy: src: "{{ item }}" dest: "/etc/apache2/conf-available/{{ item }}" 
@@ -59,7 +56,7 @@ - evolinux-evasive.conf - evolinux-modsec.conf -- name: Ensure Apache config files are enabled +- name: Ensure Apache modules configs are enabled command: "a2enconf {{ item }}" register: command_result changed_when: "'Enabling' in command_result.stderr" @@ -68,7 +65,7 @@ - evolinux-evasive - evolinux-modsec -- name: Is log2mail installed? +- name: Check if log2mail is installed command: "apt list --installed log2mail" register: command_result changed_when: False @@ -76,7 +73,7 @@ - debug: var: command_result -- name: Add log2mail config for apache segfault +- name: Add log2mail config for Apache segfaults template: src: log2mail-apache.j2 dest: "/etc/log2mail/config/apache" From f4b3fd8f68b416705d0879f02c306504eb89b83f Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 21 Mar 2017 18:22:29 +0100 Subject: [PATCH 04/12] Remove useless file --- packweb-apache/files/log2mail-apache.conf | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 packweb-apache/files/log2mail-apache.conf diff --git a/packweb-apache/files/log2mail-apache.conf b/packweb-apache/files/log2mail-apache.conf deleted file mode 100644 index 93547a53..00000000 --- a/packweb-apache/files/log2mail-apache.conf +++ /dev/null @@ -1,4 +0,0 @@ -file = /var/log/apache2/error.log -pattern = "Segmentation fault" -mailto = alert3@evolix.fr -template = /etc/log2mail/mail From 2a4986e5ef8c02241f19f57ef8255b70a3024cdb Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 22 Mar 2017 18:11:48 +0100 Subject: [PATCH 05/12] packweb-apache: Basic README --- packweb-apache/README.md | 39 ++++++++------------------------------- 1 file changed, 8 insertions(+), 31 deletions(-) diff --git a/packweb-apache/README.md b/packweb-apache/README.md index 225dd44b..a8bae5f0 100644 --- a/packweb-apache/README.md +++ b/packweb-apache/README.md 
@@ -1,38 +1,15 @@ -Role Name -========= +# packweb-apache -A brief description of the role goes here. +Install the web pack, with Apache. -Requirements ------------- +## Tasks -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +Everything is in the `tasks/main.yml` file for now. -Role Variables --------------- +## Available variables -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +Main variables are : -Dependencies ------------- +* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`). -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License -------- - -BSD - -Author Information ------------------- - -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +The full list of variables (with default values) can be found in `defaults/main.yml`. From 58dd5c38173c011c97472646ca7c699cb7f57e2b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Wed, 29 Mar 2017 17:45:57 +0200 Subject: [PATCH 06/12] WIP: More things done for packweb... PHP, Awstats, ... --- apache/tasks/main.yml | 1 + packweb-apache/handlers/main.yml | 10 ++ packweb-apache/tasks/main.yml | 194 +++++++++++++++++++++++++++++++ 3 files changed, 205 insertions(+) create mode 100644 packweb-apache/handlers/main.yml diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 502cb9f2..9b23eb3c 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -3,6 +3,7 @@ name: '{{ item }}' state: present with_items: + - apache2 - apachetop - libwww-perl tags: diff --git a/packweb-apache/handlers/main.yml b/packweb-apache/handlers/main.yml new file mode 100644 index 00000000..af4d94d2 --- /dev/null +++ b/packweb-apache/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart apache + service: + name: apache2 + state: restarted + +- name: reload apache + service: + name: apache2 + state: reloaded diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 6729233a..cc43adff 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -1,4 +1,9 @@ --- + +- name: Include apache role + include_role: + name: "{{ roles }}/apache" + - name: Add elements to user account template file: path: "/etc/skel/{{ item.path }}" @@ -72,6 +77,7 @@ - debug: var: command_result + verbosity: 1 - name: Add log2mail config for Apache segfaults template: 
@@ -82,3 +88,191 @@ mode: "0644" force: no when: "'log2mail' in command_result.stdout" + +- name: Install PHP5 packages + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php5 + - php5 + - php5-gd + - php5-imap + - php5-ldap + - php5-mcrypt + - php5-mysql + - php5-pgsql + - php-gettext + - php5-curl + - libssh2-php + tags: + - apache + +- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + ini_file: + dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + create: yes + with_items: + - { option: "short_open_tag", value: "Off" } + - { option: "disable_functions", value: "exec, shell-exec, system, passthru, putenv, popen" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "allow_url_fopen", value: "Off" } + notify: reload apache + +- name: Custom php.ini + copy: + dest: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini + content: | + # Put customized values here. 
+ force: no + +- name: Install phpmyadmin + apt: + name: phpmyadmin + state: present + +- name: Check if phpmyadmin default configuration is present + stat: + path: /etc/apache2/conf-enabled/phpmyadmin.conf + register: pma_default_config + +- debug: + var: pma_default_config + verbosity: 1 + +- name: Disable phpmyadmin default configuration + command: "a2disconf phpmyadmin" + register: command_result + changed_when: "'Disabling' in command_result.stderr" + when: pma_default_config.stat.exists + +- name: Change group to www-data for /etc/phpmyadmin/ + file: + dest: /etc/phpmyadmin/ + group: www-data + +- name: Install awstats + apt: + name: awstats + state: present + +- name: Configure awstats + blockinfile: + dest: /etc/awstats/awstats.conf.local + marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB" + block: | + LogFile="/var/log/apache2/access.log" + SiteDomain="{{ ansible_hostname }}" + DirData="/var/lib/awstats" + ShowHostsStats=0 + ShowOriginStats=0 + ShowPagesStats=0 + ShowKeyphrasesStats=0 + ShowKeywordsStats=0 + ShowHTTPErrorsStats=0 + LogFormat=1 + AllowFullYearView=3 + ErrorMessages="An error occured. Contact your Administrator" + mode: "0644" + +- name: Create conf-available/awstats-icon.conf file + copy: + dest: /etc/apache2/conf-available/awstats-icon.conf + content: | + Alias /awstats-icon/ /usr/share/awstats/icon/ + + Require All Granted + + force: no + mode: "0644" + +- name: Enable apache awstats-icon configuration + command: "a2enconf awstats-icon" + register: command_result + changed_when: "'Enabling' in command_result.stderr" + notify: reload apache + +- name: Create awstats cron + lineinfile: + dest: /etc/cron.d/awstats + create: yes + regexp: '-config=awstats' + line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" + +- name: Remove read permission on some folders (/, /etc, ...) 
+ shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - / + - /etc + - /usr + - /usr/bin + - /var + - /var/log + - /home + - /bin + - /sbin + - /lib + - /usr/lib + - /usr/include + - /usr/bin + - /usr/sbin + - /usr/share + - /usr/share/doc + - /etc/default + +- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...) + shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - /var/log/apt + - /var/lib/dpkg + - /var/log/munin + - /var/backups + - /var/cache/apt + - /etc/init.d + - /etc/apt + - /etc/apache2 + - /etc/network + - /etc/phpmyadmin + - /var/log/installer + +- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...) + shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - /bin/ping + - /bin/ping6 + - /usr/bin/fping + - /usr/bin/fping6 + - /usr/bin/mtr + +- name: Set 640 permission on some files (/var/log/evolix.log, ...) + shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - /var/log/evolix.log + - /etc/warnquota.conf + +- name: Remove some log files (/var/log/mail.err, ...) + file: + path: "{{ item }}" + state: absent + with_items: + - /var/log/debug + - /var/log/mail.err + - /var/log/mail.warn From 664a926caa2e73dd3a14e4ddcad4de237239f5c0 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 30 Mar 2017 14:56:29 +0200 Subject: [PATCH 07/12] evolinux: fix rotate value customization with "[0-9]*" too much lines would be changed --- evolinux-base/tasks/logs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
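Review bot: In `Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini`, the `disable_functions` value contains `shell-exec`, but the PHP function is `shell_exec` (underscore), so it stays enabled and the list does less than it appears to; the value should be `"exec, shell_exec, system, passthru, putenv, popen"`. The same spelling is repeated in evoadmin/tasks/web.yml later in this series, where the list also drops `exec` — if evoadmin's scripts need `exec`, a comment there should say so. The `Custom php.ini` task writes `# Put customized values here.`, but `#` comments in php.ini-style files have been deprecated since PHP 5.3 and are no longer supported in PHP 7; use `; Put customized values here.`. In `Remove read permission on some folders`, `/usr/bin` is listed twice in `with_items`. The hunk begins at line 88 of the file; only the trailing `when:` of the log2mail task is shown as context.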
diff --git a/evolinux-base/tasks/logs.yml b/evolinux-base/tasks/logs.yml index c56afd59..101330b8 100644 --- a/evolinux-base/tasks/logs.yml +++ b/evolinux-base/tasks/logs.yml @@ -27,7 +27,7 @@ - name: Configure logrotate.conf replace: dest: /etc/logrotate.conf - regexp: "rotate [0-9]*" + regexp: "rotate [0-9]+" replace: "rotate 12" when: evolinux_logs_default_rotate From 108090762c818a37b9a6de37e561831ecc10357e Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Jul 2017 17:58:38 +0200 Subject: [PATCH 08/12] gitignore vagrant dir --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 555b9455..ae28a696 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .kitchen/ .vagrant/ +tests/.vagrant .kateproject.d From fe32d691b85beb0340965c985e8d42e63893fc59 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 9 Jun 2017 09:15:58 +0200 Subject: [PATCH 09/12] packweb: use "check_mode" with Ansible 2.2 --- packweb-apache/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index cc43adff..de4e467e 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -27,8 +27,7 @@ failed_when: False changed_when: False register: envvar_grep_path - #check_mode: no (for migration to Ansible 2.2) - always_run: yes + check_mode: no - name: Add a PATH envvar for Apache blockinfile: From 2084e2e53e8b3a92511348bd1bc79d52d2adc4fb Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Mon, 3 Jul 2017 18:22:24 +0200 Subject: [PATCH 10/12] evoadmin/packweb: end of first pass --- apache/tasks/main.yml | 24 +++++++- evoadmin/defaults/main.yml | 11 ++++ evoadmin/files/evolinux.conf.diff | 12 ++++ evoadmin/handlers/main.yml | 6 ++ evoadmin/tasks/config.yml | 17 ++++++ evoadmin/tasks/ftp.yml | 24 ++++++++ evoadmin/tasks/main.yml | 13 +++++ evoadmin/tasks/packages.yml | 17 ++++++ evoadmin/tasks/ssl.yml | 24 ++++++++ evoadmin/tasks/user.yml | 60 ++++++++++++++++++++ evoadmin/tasks/web.yml | 33 +++++++++++ evoadmin/templates/evoadmin.conf.j2 | 60 ++++++++++++++++++++ evoadmin/templates/sudoers.j2 | 3 + evoadmin/templates/web-add.conf.j2 | 2 + evoadmin/templates/web-mail.tpl.j2 | 86 +++++++++++++++++++++++++++++ packweb-apache/defaults/main.yml | 1 + packweb-apache/files/log/access.log | 0 packweb-apache/files/log/error.log | 0 packweb-apache/files/userlogrotate | 38 +++++++++++++ packweb-apache/tasks/main.yml | 59 +++++++++++++++++--- packweb-apache/tasks/web-add.yml | 3 + 21 files changed, 484 insertions(+), 9 deletions(-) create mode 100644 evoadmin/defaults/main.yml create mode 100644 evoadmin/files/evolinux.conf.diff create mode 100644 evoadmin/handlers/main.yml create mode 100644 evoadmin/tasks/config.yml create mode 100644 evoadmin/tasks/ftp.yml create mode 100644 evoadmin/tasks/main.yml create mode 100644 evoadmin/tasks/packages.yml create mode 100644 evoadmin/tasks/ssl.yml create mode 100644 evoadmin/tasks/user.yml create mode 100644 evoadmin/tasks/web.yml create mode 100644 evoadmin/templates/evoadmin.conf.j2 create mode 100644 evoadmin/templates/sudoers.j2 create mode 100644 evoadmin/templates/web-add.conf.j2 create mode 100644 evoadmin/templates/web-mail.tpl.j2 create mode 100644 packweb-apache/files/log/access.log create mode 100644 packweb-apache/files/log/error.log create mode 100644 packweb-apache/files/userlogrotate create mode 100644 packweb-apache/tasks/web-add.yml 
diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml index 9b23eb3c..dce83867 100644 --- a/apache/tasks/main.yml +++ b/apache/tasks/main.yml @@ -4,11 +4,34 @@ state: present with_items: - apache2 + - apache2-mpm-prefork - apachetop - libwww-perl tags: - apache +- name: manually disable mpm_event + command: a2dismod mpm_event + register: cmd_disable_event + changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout" + +- name: manually enable mpm_prefork + command: a2enmod mpm_prefork + register: cmd_disable_prefork + changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout" + +# With Ansible 2.2 the module check the config for conflicts +# With 2.3 it can be disabled. +# https://docs.ansible.com/ansible/apache2_module_module.html +# - name: mpm_event modules is disabled +# apache2_module: +# name: '{{ item }}' +# state: absent +# with_items: +# - mpm_event +# tags: +# - apache + - name: basic modules are enabled apache2_module: name: '{{ item }}' @@ -17,7 +40,6 @@ - rewrite - expires - headers - - rewrite - cgi - ssl tags: diff --git a/evoadmin/defaults/main.yml b/evoadmin/defaults/main.yml new file mode 100644 index 00000000..03a7ff3b --- /dev/null +++ b/evoadmin/defaults/main.yml @@ -0,0 +1,11 @@ +--- +general_alert_email: "root@localhost" +evoadmin_contact_email: Null +evoadmin_bounce_email: "{{ evoadmin_contact_email }}" + +evoadmin_home_dir: "/home/{{ evoadmin_username }}" +evoadmin_document_root: "{{ evoadmin_home_dir }}/www" +evoadmin_scripts_dir: /usr/share/scripts/evoadmin/ +evoadmin_host: "evoadmin.{{ ansible_fqdn }}" +evoadmin_username: evoadmin +evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}" diff --git a/evoadmin/files/evolinux.conf.diff b/evoadmin/files/evolinux.conf.diff new file mode 100644 index 00000000..dd09e474 --- /dev/null +++ b/evoadmin/files/evolinux.conf.diff 
@@ -0,0 +1,12 @@ +--- evolinux.conf 2015-04-09 16:39:41.862242460 +0200 ++++ evolinux.conf 2015-04-09 16:51:11.902241748 +0200 +@@ -23,7 +23,5 @@ + # Allow RESUME (REST command) + AllowStoreRestart on + +- +- AllowGroup ftpusers +- DenyAll +- ++AuthOrder mod_auth_file.c ++AuthUserFile /etc/proftpd/vpasswd diff --git a/evoadmin/handlers/main.yml b/evoadmin/handlers/main.yml new file mode 100644 index 00000000..c4cdb576 --- /dev/null +++ b/evoadmin/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: reload apache2 + service: + name: apache2 + state: reloaded diff --git a/evoadmin/tasks/config.yml b/evoadmin/tasks/config.yml new file mode 100644 index 00000000..b34b5ef0 --- /dev/null +++ b/evoadmin/tasks/config.yml @@ -0,0 +1,17 @@ +--- + +- name: "Create /etc/evolinux" + file: + dest: "/etc/evolinux" + recurse: yes + state: directory + +- name: Configure web-add config file + template: + src: web-add.conf.j2 + dest: /etc/evolinux/web-add.conf + +- name: Configure web-add template file for mail + template: + src: web-mail.tpl.j2 + dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl" diff --git a/evoadmin/tasks/ftp.yml b/evoadmin/tasks/ftp.yml new file mode 100644 index 00000000..e4eacabf --- /dev/null +++ b/evoadmin/tasks/ftp.yml @@ -0,0 +1,24 @@ +--- + +- name: Verify if proftpd has evolinux config file + stat: + path: /etc/proftpd/conf.d/z-evolinux.conf + register: proftpd_config + +- block: + - name: Patch ProFTPd config file + patch: + remote_src: no + src: evolinux.conf.diff + dest: /etc/proftpd/conf.d/z-evolinux.conf + # Why 440? Because should be edited with ftpasswd. + # So, readonly when opened with vim. + # Then readable by group. + - name: Create /etc/proftpd/vpasswd file in 0440 mode + file: + state: touch + path: /etc/proftpd/vpasswd + mode: "0440" + owner: root + group: root + when: proftpd_config.stat.exists diff --git a/evoadmin/tasks/main.yml b/evoadmin/tasks/main.yml new file mode 100644 index 00000000..655aa81d --- /dev/null +++ b/evoadmin/tasks/main.yml 
@@ -0,0 +1,13 @@ +--- + +- include: packages.yml + +- include: user.yml + +- include: config.yml + +- include: ssl.yml + +- include: web.yml + +- include: ftp.yml diff --git a/evoadmin/tasks/packages.yml b/evoadmin/tasks/packages.yml new file mode 100644 index 00000000..f0dd16d3 --- /dev/null +++ b/evoadmin/tasks/packages.yml @@ -0,0 +1,17 @@ +--- + +- include_role: + name: apt-repositories + tasks_from: evolix_public.yml + +- meta: flush_handlers + +- name: Install PHP packages + apt: + name: '{{ item }}' + state: present + allow_unauthenticated: yes + with_items: + - php-pear + - php-log + - php5-pam diff --git a/evoadmin/tasks/ssl.yml b/evoadmin/tasks/ssl.yml new file mode 100644 index 00000000..1eb354fc --- /dev/null +++ b/evoadmin/tasks/ssl.yml @@ -0,0 +1,24 @@ +--- + + +- name: ssl-cert package is installed + apt: + name: ssl-cert + state: present + +- name: Create private key and csr for default site ({{ ansible_fqdn }}) + command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "{{ evoadmin_ssl_subject }}" + args: + creates: "/etc/ssl/private/{{ evoadmin_host }}.key" + +- name: Adjust rights on private key + file: + path: /etc/ssl/private/{{ evoadmin_host }}.key + owner: root + group: ssl-cert + mode: "0640" + +- name: Create certificate for default site + command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt + args: + creates: "/etc/ssl/certs/{{ evoadmin_host }}.crt" diff --git a/evoadmin/tasks/user.yml b/evoadmin/tasks/user.yml new file mode 100644 index 00000000..dda4429d --- /dev/null +++ b/evoadmin/tasks/user.yml 
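Review bot: `allow_unauthenticated: yes` on the `Install PHP packages` task in evoadmin/tasks/packages.yml turns off apt's signature verification for php-pear, php-log and php5-pam, so a compromised mirror or repository connection could deliver altered packages that are then installed as root. The preceding `include_role` pulls in the apt-repositories role's `evolix_public.yml`, which presumably installs that repository's signing key; if the flag was added because the key was not trusted yet at install time, fix the key import (and refresh the cache after it) and drop `allow_unauthenticated`. If it has to stay, add a comment naming which package lacks a valid signature and why that is accepted.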
@@ -0,0 +1,60 @@ +--- + +- name: Create evoadmin account + user: + name: evoadmin + comment: "Evoadmin Web Account" + home: "{{ evoadmin_home_dir}}" + password: "!" + +- name: Create www-evoadmin group + group: + name: www-evoadmin + state: present + +- name: Install Git + apt: + name: git + state: present + +- name: Clone evoadmin repository + git: + repo: https://forge.evolix.org/evoadmin-web.git + dest: "{{ evoadmin_document_root}}" + update: no + # Warning: Need sudo! + become_user: "{{ evoadmin_username }}" + +- name: "Create {{ evoadmin_scripts_dir }}" + file: + dest: "{{ evoadmin_scripts_dir }}" + # recurse: yes + mode: "0700" + state: directory + +- name: Install scripts like web-add.sh + shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/" + args: + creates: "{{ evoadmin_scripts_dir }}/web-add.sh" + +# we use a shell command to have a "changed" thet really reflects the result. +- name: Fix permissions + shell: "test -f {{ item }} && chmod -R --verbose u=rwX,g=rX,o= {{ item }}" + register: command_result + changed_when: "'changed' in command_result.stdout" + failed_when: False + with_items: + - "{{ evoadmin_home_dir}}/www" + +- name: Add www-evoadmin to group shadow + user: + name: www-evoadmin + groups: shadow + append: yes + +- name: Add evoadmin sudoers file + template: + src: sudoers.j2 + dest: /etc/sudoers.d/evoadmin + mode: "0600" + validate: "visudo -cf %s" diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml new file mode 100644 index 00000000..69f719ef --- /dev/null +++ b/evoadmin/tasks/web.yml 
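Review bot: `Fix permissions` guards the chmod with `test -f {{ item }}`, but the only item is `{{ evoadmin_home_dir}}/www`, the directory the git task clones into, and `test -f` is true only for regular files; the chmod therefore never runs and `failed_when: False` hides it, so the guard should be `test -d {{ item }}`. `Clone evoadmin repository` pins no `version:`, so a fresh install gets whatever the remote default branch points at, and `Install scripts like web-add.sh` then copies those scripts into the directory the sudoers template grants passwordless root execution for; pinning `version:` to a tag or commit keeps the privileged scripts reproducible and reviewable. The same task sets `become_user` without `become: yes`, which only takes effect if become is already enabled for the play — the `# Warning: Need sudo!` comment hints at that and could say it outright. `Add www-evoadmin to group shadow` gives the account the vhost runs under read access to the system password hashes; if php5-pam requires this, a comment stating so would help, and the task is repeated in evoadmin/tasks/web.yml without `append: yes`.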
@@ -0,0 +1,33 @@ +--- + +- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + ini_file: + dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + section: PHP + option: "disable_functions" + value: "shell-exec,system,passthru,putenv,popen" + notify: reload apache + + +- name: Install evoadmin VHost + template: + src: evoadmin.conf.j2 + dest: /etc/apache2/sites-available/evoadmin.conf + notify: reload apache2 + +- name: Enable evoadmin vhost + command: "a2ensite evoadmin.conf" + register: cmd_a2ensite + changed_when: "'Enabling site' in cmd_a2ensite.stdout" + notify: reload apache2 + +- name: Copy config file for evoadmin + copy: + src: config.local.php + dest: "{{ evoadmin_home_dir}}/www/conf/" + mode: "0644" + +- name: add www-evoadmin to shadow group + user: + name: www-evoadmin + groups: shadow diff --git a/evoadmin/templates/evoadmin.conf.j2 b/evoadmin/templates/evoadmin.conf.j2 new file mode 100644 index 00000000..20ff2f01 --- /dev/null +++ b/evoadmin/templates/evoadmin.conf.j2 
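Review bot: The last task, `add www-evoadmin to shadow group`, sets `groups: shadow` without `append: yes`, which makes the `user` module replace every supplementary group of `www-evoadmin` with `shadow` alone; it also duplicates the task in `user.yml`, which does use `append: yes`, so this copy should be dropped or given `append: yes`. The `disable_functions` value spells the function `shell-exec`, but the PHP function is `shell_exec`, so that function is left callable while the others are blocked. The vhost tasks notify `reload apache2` while the PHP task notifies `reload apache`; unless both handlers exist, the first task that changes will fail on the missing handler.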
@@ -0,0 +1,60 @@ + + ServerName {{ evoadmin_host }} + Redirect permanent / https://{{ evoadmin_host }}/ + + + + + # FQDN principal + ServerName {{ evoadmin_host }} + #ServerAlias {{ evoadmin_host }} + + # Repertoire principal + DocumentRoot /home/evoadmin/www/htdocs/ + + # SSL + SSLEngine on + SSLCertificateFile /etc/ssl/certs/{{ evoadmin_host }}.crt + SSLCertificateKeyFile /etc/ssl/private/{{ evoadmin_host }}.key + SSLProtocol all -SSLv2 -SSLv3 + + # Propriete du repertoire + + #Options Indexes SymLinksIfOwnerMatch + Options SymLinksIfOwnerMatch + AllowOverride AuthConfig Limit FileInfo + Require all granted + + + # user - group (thanks to sesse@debian.org) + AssignUserID www-evoadmin evoadmin + + # LOG + CustomLog /var/log/apache2/access.log combined + CustomLog /home/evoadmin/log/access.log combined + ErrorLog /home/evoadmin/log/error.log + + # AWSTATS + SetEnv AWSTATS_FORCE_CONFIG evoadmin + + # REWRITE + UseCanonicalName On + RewriteEngine On + RewriteCond %{HTTP_HOST} !^{{ evoadmin_host }}$ + RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R] + + # PHP + #php_admin_flag engine off + #AddType text/html .html + #php_admin_flag display_errors On + #php_flag short_open_tag On + #php_flag register_globals On + #php_admin_value memory_limit 256M + #php_admin_value max_execution_time 60 + #php_admin_value upload_max_filesize 8M + #php_admin_flag allow_url_fopen Off + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin" + php_admin_value error_log "/home/evoadmin/log/php.log" + php_admin_value open_basedir "none" + + diff --git a/evoadmin/templates/sudoers.j2 b/evoadmin/templates/sudoers.j2 new file mode 100644 index 00000000..4dfd71c1 --- /dev/null +++ b/evoadmin/templates/sudoers.j2 @@ -0,0 +1,3 @@ +User_Alias EVOADMIN = www-evoadmin +Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh +EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB 
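Review bot: The HTTPS vhost sends no `Strict-Transport-Security` header, so after the first `Redirect permanent` a client can still be downgraded on later visits; with `mod_headers` available, `Header always set Strict-Transport-Security "max-age=31536000"` next to `SSLEngine on` closes that. `RewriteCond %{HTTP_HOST} !^{{ evoadmin_host }}$` uses the hostname as a regular expression, so its dots match any character; either escape it or use the lexical form `RewriteCond %{HTTP_HOST} "!={{ evoadmin_host }}"`. `DocumentRoot` and the log paths are hard-coded under `/home/evoadmin` while the role otherwise derives everything from `evoadmin_home_dir`, so an override of that variable silently splits the panel across two trees.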
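Review bot: `Cmnd_Alias EVOADMIN_WEB` is rendered from `evoadmin_scripts_dir`, whose role default (`/usr/share/scripts/evoadmin/`) ends with a slash, so the entry reads `/usr/share/scripts/evoadmin//web-*.sh`; sudo matches the command against its resolved path, so the doubled slash may keep the rule from matching — verify on a host, or render with `{{ evoadmin_scripts_dir | mandatory | regex_replace('/+$', '') }}/web-*.sh`. The glob grants `NOPASSWD` root execution with arbitrary arguments, which is expected for a web panel but means every `web-*.sh` and `ftpadmin.sh` must treat its arguments as untrusted input; a one-line comment recording that contract in the template would make it explicit.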
diff --git a/evoadmin/templates/web-add.conf.j2 b/evoadmin/templates/web-add.conf.j2 new file mode 100644 index 00000000..86eabd29 --- /dev/null +++ b/evoadmin/templates/web-add.conf.j2 @@ -0,0 +1,2 @@ +CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}" +WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}" diff --git a/evoadmin/templates/web-mail.tpl.j2 b/evoadmin/templates/web-mail.tpl.j2 new file mode 100644 index 00000000..82d4f67d --- /dev/null +++ b/evoadmin/templates/web-mail.tpl.j2 
@@ -0,0 +1,86 @@ +From: %MAIL_FROM% +To: RCPTTO +Bcc: %MAIL_BCC% +Subject: Parametres hebergement web : LOGIN + +Bonjour, + +Votre compte d'hebergement web a ete cree. + +********************************** +* CONNEXION SFTP/SSH +********************************** + +NOM DU SERVEUR : %SERVER_NAME% +USER : LOGIN +PASSWORD : PASSE1 + +***************************************** +* Details sur l'environnement Apache/PHP +***************************************** + +URL du site : +http://SERVERNAME + +URL des stats : +http://SERVERNAME/cgi-RANDOM/awstats.pl +(acces par IP ou login a demander !) + +Repertoire de connexion : HOME_DIR/LOGIN/ +Repertoire pour site web : HOME_DIR/LOGIN/www/ + +Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces +uniquement *en lecture* aux differents fichiers/repertoires +(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les +fichiers ce qui est le comportement par defaut). + +Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains +fichiers/repertoires, il suffit d'ajouter le droit 'g+w'. + +*********************************** +* MySQL +*********************************** + +SERVEUR : 127.0.0.1 +PORT DU SERVEUR : 3306 +USER : LOGIN +PASSWORD : PASSE2 +NOM BASE : DBNAME +URL interface d'admin : +%PMA_URL% + +*********************************** +* Rappels divers +*********************************** + +Votre nom de domaine doit etre configure pour pointer +sur l'adresse IP %SERVER_ADDR% (enregistrement DNS A) +ou etre un alias de %SERVER_NAME% (enregistrement DNS CNAME). + +Si vous avez besoin de faire des tests, vous devez +ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix +ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP : +%SERVER_ADDR% SERVERNAME + +Attention, par defaut, toutes les connexions vers l'exterieur +sont bloquees. Si vous avez besoin de recuperer des donnees +a l'exterieur (flux RSS, BDD externe, etc.), contactez nous +afin de mettre en oeuvre les autorisations necessaires. 
+ +Afin de securiser au maximum le serveur, certaines URL +particulieres sont non autorisees pour eviter diverses +attaques (XSS, robots, trojans, injections, etc.). +Exemple d'URL refusee : +http://SERVERNAME/cmd32.exe +En cas de soucis avec votre application, prevenez-nous. + +Si vous desirez mettre en place des parametres particuliers +pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab, +etc.), n'hesitez pas a nous contacter a l'adresse +%MAIL_STANDARD% (ou %MAIL_URGENT% si votre demande est +urgente). + + +Cordialement, +-- +%FOOTER% \ No newline at end of file diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml index a9e9416f..2e2c3481 100644 --- a/packweb-apache/defaults/main.yml +++ b/packweb-apache/defaults/main.yml @@ -2,3 +2,4 @@ # defaults file for packweb-apache general_alert_email: "root@localhost" log2mail_alert_email: Null +packweb_install_evoadmin: True diff --git a/packweb-apache/files/log/access.log b/packweb-apache/files/log/access.log new file mode 100644 index 00000000..e69de29b diff --git a/packweb-apache/files/log/error.log b/packweb-apache/files/log/error.log new file mode 100644 index 00000000..e69de29b diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate new file mode 100644 index 00000000..339101a9 --- /dev/null +++ b/packweb-apache/files/userlogrotate 
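Review bot: The template mails the SFTP/SSH password (`PASSWORD : PASSE1`) and the MySQL password (`PASSWORD : PASSE2`) in clear text, and `Bcc: %MAIL_BCC%` adds a second copy to another mailbox, so the credentials persist in at least two mail stores and cross any unencrypted hop in transit. If this flow has to stay, the template should at least instruct the recipient to change both passwords at first login, and the Bcc copy should be reconsidered or reduced to a notification without the secrets.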
@@ -0,0 +1,38 @@ +#!/bin/bash + +DATE=`/bin/date +"%d-%m-%Y"` +HOMEPREFIX="/home" + +rotate () { + mv $1 $1.$DATE + gzip $1.$DATE + touch $1 + chown $2 $1 + chmod g+r $1 +} + +user_for() { + homedir=`echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#"` + stat -L -c '%G' $homedir +} + +for log in access.log access-*.log error.log; do + for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do + USER=`user_for $i` + rotate $i root:$USER + done +done + +for i in `ls -1 -d $HOMEPREFIX/*/log/php.log 2>/dev/null | grep -v \.bak\.`; do + USER=`user_for $i` + rotate $i www-$USER:$USER +done + +for log in production.log delayed_job.log development.log test.log; do + for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do + USER=`user_for $i` + rotate $i $USER:$USER + done +done + +apache2ctl restart > /dev/null diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index de4e467e..24d86cd0 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml @@ -2,7 +2,7 @@ - name: Include apache role include_role: - name: "{{ roles }}/apache" + name: "apache" - name: Add elements to user account template file: @@ -13,8 +13,22 @@ - { path: log, mode: "0750", state: directory } - { path: awstats, mode: "0750", state: directory } - { path: www, mode: "0750", state: directory } - - { path: log/access.log, mode: "0644", state: touch } - - { path: log/error.log, mode: "0644", state: touch } + +- name: Copy apache empty log files if missing + copy: + src: "log/{{ item }}" + dest: "/etc/skel/log/{{ item }}" + mode: "0644" + force: no + with_items: + - access.log + - error.log + +- name: Install userlogrotate + copy: + src: userlogrotate + dest: /etc/cron.weekly/userlogrotate + mode: "0755" - name: Force DIR_MODE to 0750 in /etc/adduser.conf lineinfile: 
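Review bot: `rotate` runs `touch`, `chown` and `chmod g+r` on a path inside `$HOMEPREFIX/<user>/log/`, a directory the user owns (it comes from `/etc/skel/log` added in this same patch), and all three follow symlinks; between the `mv` and the `touch` the user can drop a symlink named `access.log` pointing at any root-owned file, and this weekly root cron then chowns it to `root:$USER` and makes it group-readable. Build the replacement file in a root-owned directory on the same filesystem and `mv -T` it into place so that only `rename(2)` touches the user directory, as sketched below. Separately, `gzip` runs before `apache2ctl restart`, so requests logged between the `mv` and the restart go to the unlinked inode and are lost; do the `mv`/replace for all files first, restart (preferably `graceful`), then gzip the rotated files. Quoting `"$1"`/`"$i"` and iterating a glob instead of parsing `ls` would also avoid breakage on unusual names.
```shell
rotate () {
    # Create the replacement log outside the user-writable log dir and
    # rename it into place: touch/chown/chmod on "$1" would follow a
    # symlink the user plants there between the mv and the chown.
    local new
    new=$(mktemp "$HOMEPREFIX/.userlogrotate.XXXXXX") || return 1
    chown "$2" "$new"
    chmod 0644 "$new"
    mv "$1" "$1.$DATE"
    mv -T "$new" "$1"
    # gzip of "$1.$DATE" moved to a loop that runs after the Apache restart
}
# … unchanged: user_for and the three rotation loops …
```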
@@ -107,9 +121,14 @@ tags: - apache -- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini +- name: Set variables for php config files + set_fact: + php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini + +- name: Set default values for PHP ini_file: - dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + dest: "{{ php5_apache5_defaults_file }}" section: PHP option: "{{ item.option }}" value: "{{ item.value }}" @@ -117,16 +136,31 @@ create: yes with_items: - { option: "short_open_tag", value: "Off" } - - { option: "disable_functions", value: "exec, shell-exec, system, passthru, putenv, popen" } - { option: "expose_php", value: "Off" } - { option: "display_errors", value: "Off" } - { option: "log_errors", value: "On" } - { option: "allow_url_fopen", value: "Off" } notify: reload apache +- name: Disable PHP exec function without evoadmin + ini_file: + dest: "{{ php5_apache5_defaults_file }}" + section: PHP + option: disable_functions + value: "exec,shell-exec,system,passthru,putenv,popen" + when: not packweb_install_evoadmin + +- name: Don't disable PHP exec function with evoadmin + ini_file: + dest: "{{ php5_apache5_defaults_file }}" + section: PHP + option: disable_functions + value: "shell-exec,system,passthru,putenv,popen" + when: packweb_install_evoadmin + - name: Custom php.ini copy: - dest: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini + dest: "{{ php5_apache5_custom_file }}" content: | # Put customized values here. force: no @@ -186,7 +220,7 @@ content: | Alias /awstats-icon/ /usr/share/awstats/icon/ - Require All Granted + Require all granted force: no mode: "0644" @@ -275,3 +309,12 @@ - /var/log/debug - /var/log/mail.err - /var/log/mail.warn + +- name: Install Evoadmin + include_role: + name: evoadmin + when: packweb_install_evoadmin + +- name: Install web-add script + include: web-add.yml + when: not packweb_install_evoadmin 
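Review bot: Both new `disable_functions` values spell the function `shell-exec`, but the PHP function is `shell_exec`, so the one function the list is obviously meant to block stays callable; the lines should read `value: "exec,shell_exec,system,passthru,putenv,popen"` and `value: "shell_exec,system,passthru,putenv,popen"`, and `proc_open` deserves a place next to `popen`. Neither task carries `notify: reload apache`, unlike `Set default values for PHP` just above, so a change here only takes effect on an unrelated reload. Enabling `exec` in the global `z-evolinux_defaults.ini` for evoadmin's benefit also enables it for every other vhost on the host.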
diff --git a/packweb-apache/tasks/web-add.yml b/packweb-apache/tasks/web-add.yml new file mode 100644 index 00000000..60bc20a8 --- /dev/null +++ b/packweb-apache/tasks/web-add.yml @@ -0,0 +1,3 @@ +--- + +# TODO: ... From bae8961e9994d7b13e7854a1ded2a9ded0d87e2d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Jul 2017 18:23:39 +0200 Subject: [PATCH 11/12] packweb/evoadmin: cleanup * extracted tasks * more variables * more templates * less bugs --- evoadmin/defaults/main.yml | 3 + evoadmin/tasks/user.yml | 4 +- evoadmin/tasks/web.yml | 15 +- evoadmin/templates/config.local.php.j2 | 8 + evoadmin/templates/evoadmin.conf.j2 | 11 +- evolinux-base/tasks/default_www.yml | 6 +- packweb-apache/defaults/main.yml | 2 +- packweb-apache/tasks/apache.yml | 67 ++++++++ packweb-apache/tasks/awstats.yml | 48 ++++++ packweb-apache/tasks/main.yml | 209 +------------------------ packweb-apache/tasks/php.yml | 64 ++++++++ packweb-apache/tasks/phpmyadmin.yml | 26 +++ 12 files changed, 245 insertions(+), 218 deletions(-) create mode 100644 evoadmin/templates/config.local.php.j2 create mode 100644 packweb-apache/tasks/apache.yml create mode 100644 packweb-apache/tasks/awstats.yml create mode 100644 packweb-apache/tasks/php.yml create mode 100644 packweb-apache/tasks/phpmyadmin.yml diff --git a/evoadmin/defaults/main.yml b/evoadmin/defaults/main.yml index 03a7ff3b..30ba8010 100644 --- a/evoadmin/defaults/main.yml +++ b/evoadmin/defaults/main.yml @@ -5,7 +5,10 @@ evoadmin_bounce_email: "{{ evoadmin_contact_email }}" evoadmin_home_dir: "/home/{{ evoadmin_username }}" evoadmin_document_root: "{{ evoadmin_home_dir }}/www" +evoadmin_log_dir: "{{ evoadmin_home_dir }}/log" evoadmin_scripts_dir: /usr/share/scripts/evoadmin/ evoadmin_host: "evoadmin.{{ ansible_fqdn }}" evoadmin_username: evoadmin evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}" + +evoadmin_enable_vhost: True diff --git a/evoadmin/tasks/user.yml b/evoadmin/tasks/user.yml index dda4429d..e3442cd1 100644 
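Review bot: The defaults in this hunk disagree with each other: `evoadmin_host` is `evoadmin.{{ ansible_fqdn }}` while `evoadmin_ssl_subject` is `/CN={{ ansible_fqdn }}`, so the self-signed certificate that `ssl.yml` generates from that subject does not carry the name the vhost serves and clients get a hostname mismatch on top of the untrusted issuer; `evoadmin_ssl_subject: "/CN={{ evoadmin_host }}"` aligns them. `evoadmin_scripts_dir` keeps a trailing slash that `sudoers.j2` concatenates with `/web-*.sh`, producing `//` in the rendered command path; dropping the slash from the default is the simplest fix.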
--- a/evoadmin/tasks/user.yml +++ b/evoadmin/tasks/user.yml @@ -39,10 +39,10 @@ # we use a shell command to have a "changed" thet really reflects the result. - name: Fix permissions - shell: "test -f {{ item }} && chmod -R --verbose u=rwX,g=rX,o= {{ item }}" + shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}" register: command_result changed_when: "'changed' in command_result.stdout" - failed_when: False + # failed_when: False with_items: - "{{ evoadmin_home_dir}}/www" diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml index 69f719ef..7bbc67be 100644 --- a/evoadmin/tasks/web.yml +++ b/evoadmin/tasks/web.yml @@ -20,12 +20,21 @@ register: cmd_a2ensite changed_when: "'Enabling site' in cmd_a2ensite.stdout" notify: reload apache2 + when: evoadmin_enable_vhost + +- name: Disable evoadmin vhost + command: "a2dissite evoadmin.conf" + register: cmd_a2dissite + changed_when: "'Disabling site' in cmd_a2dissite.stdout" + notify: reload apache2 + when: not evoadmin_enable_vhost - name: Copy config file for evoadmin - copy: - src: config.local.php - dest: "{{ evoadmin_home_dir}}/www/conf/" + template: + src: config.local.php.j2 + dest: "{{ evoadmin_document_root}}/conf/config.local.php" mode: "0644" + force: no - name: add www-evoadmin to shadow group user: diff --git a/evoadmin/templates/config.local.php.j2 b/evoadmin/templates/config.local.php.j2 new file mode 100644 index 00000000..3e159bcd --- /dev/null +++ b/evoadmin/templates/config.local.php.j2 @@ -0,0 +1,8 @@ + + #Options Indexes SymLinksIfOwnerMatch Options SymLinksIfOwnerMatch AllowOverride AuthConfig Limit FileInfo @@ -31,8 +31,8 @@ # LOG CustomLog /var/log/apache2/access.log combined - CustomLog /home/evoadmin/log/access.log combined - ErrorLog /home/evoadmin/log/error.log + CustomLog {{ evoadmin_log_dir }}/access.log combined + ErrorLog {{ evoadmin_log_dir }}/error.log # AWSTATS SetEnv AWSTATS_FORCE_CONFIG evoadmin 
@@ -54,7 +54,6 @@ #php_admin_value upload_max_filesize 8M #php_admin_flag allow_url_fopen Off php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin" - php_admin_value error_log "/home/evoadmin/log/php.log" + php_admin_value error_log "{{ evoadmin_home_dir }}/log/php.log" php_admin_value open_basedir "none" - diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml index 750d2200..0fdf03f9 100644 --- a/evolinux-base/tasks/default_www.yml +++ b/evolinux-base/tasks/default_www.yml @@ -92,7 +92,7 @@ - name: Apache vhost is installed template: src: default_www/apache_default_site.j2 - dest: /etc/apache2/sites-available/000-default + dest: /etc/apache2/sites-available/000-default.conf mode: "0640" # force: yes notify: reload apache @@ -101,8 +101,8 @@ - name: Apache vhost is enabled file: - src: /etc/apache2/sites-available/000-default - dest: /etc/apache2/sites-enabled/000-default + src: /etc/apache2/sites-available/000-default.conf + dest: /etc/apache2/sites-enabled/000-default.conf state: link notify: reload apache when: evolinux_default_www_apache_enabled diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml index 2e2c3481..0301183f 100644 --- a/packweb-apache/defaults/main.yml +++ b/packweb-apache/defaults/main.yml @@ -2,4 +2,4 @@ # defaults file for packweb-apache general_alert_email: "root@localhost" log2mail_alert_email: Null -packweb_install_evoadmin: True +packweb_enable_evoadmin_vhost: True diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml new file mode 100644 index 00000000..76756d10 --- /dev/null +++ b/packweb-apache/tasks/apache.yml 
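Review bot: The rewritten `php_admin_value error_log` line builds its path as `{{ evoadmin_home_dir }}/log/php.log` while the same commit moves this vhost's access and error logs to the new `evoadmin_log_dir` variable; an override of `evoadmin_log_dir` would leave the PHP log behind in the home directory, so use `php_admin_value error_log "{{ evoadmin_log_dir }}/php.log"`. The line sits inside the `VirtualHost` block, whose start and end are outside this hunk.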
@@ -0,0 +1,67 @@ +--- + +- name: Check if Apache envvars have a PATH + command: "grep -E '^export PATH ' /etc/apache2/envvars" + failed_when: False + changed_when: False + register: envvar_grep_path + check_mode: no + +- name: Add a PATH envvar for Apache + blockinfile: + dest: /etc/apache2/envvars + marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH" + block: | + # Used for Evoadmin-web + export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + when: envvar_grep_path.rc != 0 + +- name: Additional packages are installed + apt: + name: '{{ item }}' + state: present + with_items: + - apache2-mpm-itk + - libapache2-mod-evasive + - libapache2-mod-security2 + +- name: Copy Apache settings for modules + copy: + src: "{{ item }}" + dest: "/etc/apache2/conf-available/{{ item }}" + owner: root + group: root + mode: "0644" + force: no + with_items: + - evolinux-itk.conf + - evolinux-evasive.conf + - evolinux-modsec.conf + +- name: Ensure Apache modules configs are enabled + command: "a2enconf {{ item }}" + register: command_result + changed_when: "'Enabling' in command_result.stderr" + with_items: + - evolinux-itk + - evolinux-evasive + - evolinux-modsec + +- name: Check if log2mail is installed + command: "apt list --installed log2mail" + register: command_result + changed_when: False + +- debug: + var: command_result + verbosity: 1 + +- name: Add log2mail config for Apache segfaults + template: + src: log2mail-apache.j2 + dest: "/etc/log2mail/config/apache" + owner: root + group: root + mode: "0644" + force: no + when: "'log2mail' in command_result.stdout" diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml new file mode 100644 index 00000000..1919b17d --- /dev/null +++ b/packweb-apache/tasks/awstats.yml 
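Review bot: `Ensure Apache modules configs are enabled` runs `a2enconf` for `evolinux-itk`, `evolinux-evasive` and `evolinux-modsec` without `notify: reload apache`, so the ITK, mod_evasive and mod_security settings are not live until something else reloads Apache; the awstats task in this same commit does notify, so add `notify: reload apache` here as well. `Check if log2mail is installed` parses `apt list --installed`, which apt flags as an unstable CLI when stdout is not a terminal and whose output starts with a `Listing...` line; `dpkg-query -W -f='${Status}' log2mail` with `failed_when: False` and a check for `install ok installed` is deterministic. Both `command` tasks register into `command_result`, the same name the `a2enconf` loop uses; a distinct name such as `log2mail_check` avoids the overwrite.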
@@ -0,0 +1,48 @@ +--- +- name: Install awstats + apt: + name: awstats + state: present + +- name: Configure awstats + blockinfile: + dest: /etc/awstats/awstats.conf.local + marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB" + block: | + LogFile="/var/log/apache2/access.log" + SiteDomain="{{ ansible_hostname }}" + DirData="/var/lib/awstats" + ShowHostsStats=0 + ShowOriginStats=0 + ShowPagesStats=0 + ShowKeyphrasesStats=0 + ShowKeywordsStats=0 + ShowHTTPErrorsStats=0 + LogFormat=1 + AllowFullYearView=3 + ErrorMessages="An error occured. Contact your Administrator" + mode: "0644" + +- name: Create conf-available/awstats-icon.conf file + copy: + dest: /etc/apache2/conf-available/awstats-icon.conf + content: | + Alias /awstats-icon/ /usr/share/awstats/icon/ + + Require all granted + + force: no + mode: "0644" + +- name: Enable apache awstats-icon configuration + command: "a2enconf awstats-icon" + register: command_result + changed_when: "'Enabling' in command_result.stderr" + notify: reload apache + +- name: Create awstats cron + lineinfile: + dest: /etc/cron.d/awstats + create: yes + regexp: '-config=awstats' + line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml index 24d86cd0..8aa0f26c 100644 --- a/packweb-apache/tasks/main.yml +++ b/packweb-apache/tasks/main.yml 
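Review bot: The cron line runs `awstats.pl -update` as `root` every six hours over `/var/log/apache2/access.log`, whose request lines are attacker-controlled; a large Perl log parser does not need root to read a log file and write under `/var/lib/awstats`, so run it as a dedicated user that is granted read access to the log and owns `DirData`. The `umask 033` also leaves the generated data files world-readable, which is only fine if the statistics are meant to be public. `ErrorMessages="An error occured…"` has a typo (`occurred`); it is a runtime string, so it is only noted here.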
@@ -36,207 +36,13 @@ regexp: '^DIR_MODE=' line: 'DIR_MODE=0750' -- name: Check if Apache envvars have a PATH - command: "grep -E '^export PATH ' /etc/apache2/envvars" - failed_when: False - changed_when: False - register: envvar_grep_path - check_mode: no +- include: apache.yml -- name: Add a PATH envvar for Apache - blockinfile: - dest: /etc/apache2/envvars - marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH" - block: | - # Used for Evoadmin-web - export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - when: envvar_grep_path.rc != 0 +- include: php.yml -- name: Additional packages are installed - apt: - name: '{{ item }}' - state: present - with_items: - - apache2-mpm-itk - - libapache2-mod-evasive - - libapache2-mod-security2 +- include: phpmyadmin.yml -- name: Copy Apache settings for modules - copy: - src: "{{ item }}" - dest: "/etc/apache2/conf-available/{{ item }}" - owner: root - group: root - mode: "0644" - force: no - with_items: - - evolinux-itk.conf - - evolinux-evasive.conf - - evolinux-modsec.conf - -- name: Ensure Apache modules configs are enabled - command: "a2enconf {{ item }}" - register: command_result - changed_when: "'Enabling' in command_result.stderr" - with_items: - - evolinux-itk - - evolinux-evasive - - evolinux-modsec - -- name: Check if log2mail is installed - command: "apt list --installed log2mail" - register: command_result - changed_when: False - -- debug: - var: command_result - verbosity: 1 - -- name: Add log2mail config for Apache segfaults - template: - src: log2mail-apache.j2 - dest: "/etc/log2mail/config/apache" - owner: root - group: root - mode: "0644" - force: no - when: "'log2mail' in command_result.stdout" - -- name: Install PHP5 packages - apt: - name: '{{ item }}' - state: present - with_items: - - libapache2-mod-php5 - - php5 - - php5-gd - - php5-imap - - php5-ldap - - php5-mcrypt - - php5-mysql - - php5-pgsql - - php-gettext - - php5-curl - - libssh2-php - tags: - - apache - -- name: Set variables 
for php config files - set_fact: - php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini - php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini - -- name: Set default values for PHP - ini_file: - dest: "{{ php5_apache5_defaults_file }}" - section: PHP - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: "0644" - create: yes - with_items: - - { option: "short_open_tag", value: "Off" } - - { option: "expose_php", value: "Off" } - - { option: "display_errors", value: "Off" } - - { option: "log_errors", value: "On" } - - { option: "allow_url_fopen", value: "Off" } - notify: reload apache - -- name: Disable PHP exec function without evoadmin - ini_file: - dest: "{{ php5_apache5_defaults_file }}" - section: PHP - option: disable_functions - value: "exec,shell-exec,system,passthru,putenv,popen" - when: not packweb_install_evoadmin - -- name: Don't disable PHP exec function with evoadmin - ini_file: - dest: "{{ php5_apache5_defaults_file }}" - section: PHP - option: disable_functions - value: "shell-exec,system,passthru,putenv,popen" - when: packweb_install_evoadmin - -- name: Custom php.ini - copy: - dest: "{{ php5_apache5_custom_file }}" - content: | - # Put customized values here. 
- force: no - -- name: Install phpmyadmin - apt: - name: phpmyadmin - state: present - -- name: Check if phpmyadmin default configuration is present - stat: - path: /etc/apache2/conf-enabled/phpmyadmin.conf - register: pma_default_config - -- debug: - var: pma_default_config - verbosity: 1 - -- name: Disable phpmyadmin default configuration - command: "a2disconf phpmyadmin" - register: command_result - changed_when: "'Disabling' in command_result.stderr" - when: pma_default_config.stat.exists - -- name: Change group to www-data for /etc/phpmyadmin/ - file: - dest: /etc/phpmyadmin/ - group: www-data - -- name: Install awstats - apt: - name: awstats - state: present - -- name: Configure awstats - blockinfile: - dest: /etc/awstats/awstats.conf.local - marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB" - block: | - LogFile="/var/log/apache2/access.log" - SiteDomain="{{ ansible_hostname }}" - DirData="/var/lib/awstats" - ShowHostsStats=0 - ShowOriginStats=0 - ShowPagesStats=0 - ShowKeyphrasesStats=0 - ShowKeywordsStats=0 - ShowHTTPErrorsStats=0 - LogFormat=1 - AllowFullYearView=3 - ErrorMessages="An error occured. 
Contact your Administrator" - mode: "0644" - -- name: Create conf-available/awstats-icon.conf file - copy: - dest: /etc/apache2/conf-available/awstats-icon.conf - content: | - Alias /awstats-icon/ /usr/share/awstats/icon/ - - Require all granted - - force: no - mode: "0644" - -- name: Enable apache awstats-icon configuration - command: "a2enconf awstats-icon" - register: command_result - changed_when: "'Enabling' in command_result.stderr" - notify: reload apache - -- name: Create awstats cron - lineinfile: - dest: /etc/cron.d/awstats - create: yes - regexp: '-config=awstats' - line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null" +- include: awstats.yml - name: Remove read permission on some folders (/, /etc, ...) shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}" @@ -313,8 +119,5 @@ - name: Install Evoadmin include_role: name: evoadmin - when: packweb_install_evoadmin - -- name: Install web-add script - include: web-add.yml - when: not packweb_install_evoadmin + vars: + evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}" diff --git a/packweb-apache/tasks/php.yml b/packweb-apache/tasks/php.yml new file mode 100644 index 00000000..ee65fd2f --- /dev/null +++ b/packweb-apache/tasks/php.yml 
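Review bot: `Install Evoadmin` now runs unconditionally: the former `when: packweb_install_evoadmin` is gone and `packweb_enable_evoadmin_vhost` only feeds `evoadmin_enable_vhost`, so every packweb host still gets the `evoadmin` user, the `www-evoadmin` membership in `shadow` and the `NOPASSWD` sudoers entry even when the vhost is disabled. If "install but keep the vhost off" is the intended default, the role defaults should say so in a comment; otherwise keep an install switch so hosts that never use the panel do not carry its privileges.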
@@ -0,0 +1,64 @@ +--- + +- name: Install PHP5 packages + apt: + name: '{{ item }}' + state: present + with_items: + - libapache2-mod-php5 + - php5 + - php5-gd + - php5-imap + - php5-ldap + - php5-mcrypt + - php5-mysql + - php5-pgsql + - php-gettext + - php5-curl + - libssh2-php + tags: + - apache + +- name: Set variables for php config files + set_fact: + php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini + php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini + +- name: Set default values for PHP + ini_file: + dest: "{{ php5_apache5_defaults_file }}" + section: PHP + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0644" + create: yes + with_items: + - { option: "short_open_tag", value: "Off" } + - { option: "expose_php", value: "Off" } + - { option: "display_errors", value: "Off" } + - { option: "log_errors", value: "On" } + - { option: "allow_url_fopen", value: "Off" } + notify: reload apache + +- name: Disable PHP exec function without evoadmin + ini_file: + dest: "{{ php5_apache5_defaults_file }}" + section: PHP + option: disable_functions + value: "exec,shell-exec,system,passthru,putenv,popen" + when: not packweb_enable_evoadmin_vhost + +- name: Don't disable PHP exec function with evoadmin + ini_file: + dest: "{{ php5_apache5_defaults_file }}" + section: PHP + option: disable_functions + value: "shell-exec,system,passthru,putenv,popen" + when: packweb_enable_evoadmin_vhost + +- name: Custom php.ini + copy: + dest: "{{ php5_apache5_custom_file }}" + content: | + # Put customized values here. + force: no diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml new file mode 100644 index 00000000..cc34067e --- /dev/null +++ b/packweb-apache/tasks/phpmyadmin.yml 
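Review bot: The two `disable_functions` tasks toggle `exec` in the global `/etc/php5/apache2/conf.d/z-evolinux_defaults.ini`, so enabling it for the evoadmin panel enables `exec` for every customer vhost served by this Apache; keep `exec` disabled globally and re-enable it only in the evoadmin vhost with `php_admin_value disable_functions "shell_exec,system,passthru,putenv,popen"`, the mechanism that vhost template already uses for other PHP settings. Independently of scoping, both values spell `shell-exec` while the PHP function is `shell_exec`, so it is currently disabled nowhere. Unlike `Set default values for PHP`, neither task has `notify: reload apache`, so a changed value is not applied on the run that changes it.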
@@ -0,0 +1,26 @@ +--- + +- name: Install phpmyadmin + apt: + name: phpmyadmin + state: present + +- name: Check if phpmyadmin default configuration is present + stat: + path: /etc/apache2/conf-enabled/phpmyadmin.conf + register: pma_default_config + +- debug: + var: pma_default_config + verbosity: 1 + +- name: Disable phpmyadmin default configuration + command: "a2disconf phpmyadmin" + register: command_result + changed_when: "'Disabling' in command_result.stderr" + when: pma_default_config.stat.exists + +- name: Change group to www-data for /etc/phpmyadmin/ + file: + dest: /etc/phpmyadmin/ + group: www-data From b774a82146f4a5390ce303f5230c4fad33fc1ff3 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Jul 2017 18:24:13 +0200 Subject: [PATCH 12/12] gitignore cleanup --- .gitignore | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index ae28a696..20708de3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,3 @@ .kitchen/ -.vagrant/ -tests/.vagrant .kateproject.d +.vagrant/
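Review bot: `Change group to www-data for /etc/phpmyadmin/` changes only the directory's group (the `file` call is non-recursive) and gives no reason; the panel's vhost runs PHP as `www-evoadmin` under ITK, so it is not obvious which process this is meant to serve. A short comment such as `# <process> needs to traverse /etc/phpmyadmin; files inside keep the package's ownership` would make the intent checkable. Likewise `Disable phpmyadmin default configuration` removes the package's alias, and a comment should say where phpMyAdmin is served instead.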