evoadmin/packweb: end of first pass

apache/tasks/main.yml

@@ -4,11 +4,34 @@
     state: present
   with_items:
   - apache2
+  - apache2-mpm-prefork
   - apachetop
   - libwww-perl
   tags:
   - apache
 
+- name: manually disable mpm_event
+  command: a2dismod mpm_event
+  register: cmd_disable_event
+  changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout"
+
+- name: manually enable mpm_prefork
+  command: a2enmod mpm_prefork
+  register: cmd_disable_prefork
+  changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout"
+
+# With Ansible 2.2 the module check the config for conflicts
+# With 2.3 it can be disabled.
+# https://docs.ansible.com/ansible/apache2_module_module.html
+# - name: mpm_event modules is disabled
+#   apache2_module:
+#     name: '{{ item }}'
+#     state: absent
+#   with_items:
+#   - mpm_event
+#   tags:
+#   - apache
+
 - name: basic modules are enabled
   apache2_module:
     name: '{{ item }}'
@@ -17,7 +40,6 @@
   - rewrite
   - expires
   - headers
-  - rewrite
   - cgi
   - ssl
   tags:

evoadmin/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+general_alert_email: "root@localhost"
+evoadmin_contact_email: Null
+evoadmin_bounce_email: "{{ evoadmin_contact_email }}"
+
+evoadmin_home_dir: "/home/{{ evoadmin_username }}"
+evoadmin_document_root: "{{ evoadmin_home_dir }}/www"
+evoadmin_scripts_dir: /usr/share/scripts/evoadmin/
+evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
+evoadmin_username: evoadmin
+evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}"

evoadmin/files/evolinux.conf.diff

@@ -0,0 +1,12 @@
+--- evolinux.conf 2015-04-09 16:39:41.862242460 +0200
++++ evolinux.conf 2015-04-09 16:51:11.902241748 +0200
+@@ -23,7 +23,5 @@
+ # Allow RESUME (REST command)
+ AllowStoreRestart on
+ 
+-<Limit LOGIN>
+-    AllowGroup ftpusers
+-    DenyAll
+-</Limit>
++AuthOrder    mod_auth_file.c
++AuthUserFile /etc/proftpd/vpasswd

evoadmin/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: reload apache2
+  service:
+    name: apache2
+    state: reloaded

evoadmin/tasks/config.yml

@@ -0,0 +1,17 @@
+---
+
+- name: "Create /etc/evolinux"
+  file:
+    dest: "/etc/evolinux"
+    recurse: yes
+    state: directory
+
+- name: Configure web-add config file
+  template:
+    src: web-add.conf.j2
+    dest: /etc/evolinux/web-add.conf
+
+- name: Configure web-add template file for mail
+  template:
+    src: web-mail.tpl.j2
+    dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl"

evoadmin/tasks/ftp.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Verify if proftpd has evolinux config file
+  stat:
+    path: /etc/proftpd/conf.d/z-evolinux.conf
+  register: proftpd_config
+
+- block:
+    - name: Patch ProFTPd config file
+      patch:
+        remote_src: no
+        src: evolinux.conf.diff
+        dest: /etc/proftpd/conf.d/z-evolinux.conf
+    # Why 440? Because should be edited with ftpasswd.
+    # So, readonly when opened with vim.
+    # Then readable by group.
+    - name: Create /etc/proftpd/vpasswd file in 0440 mode
+      file:
+        state: touch
+        path: /etc/proftpd/vpasswd
+        mode: "0440"
+        owner: root
+        group: root
+  when: proftpd_config.stat.exists

evoadmin/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- include: packages.yml
+
+- include: user.yml
+
+- include: config.yml
+
+- include: ssl.yml
+
+- include: web.yml
+
+- include: ftp.yml

evoadmin/tasks/packages.yml

@@ -0,0 +1,17 @@
+---
+
+- include_role:
+    name: apt-repositories
+    tasks_from: evolix_public.yml
+
+- meta: flush_handlers
+
+- name: Install PHP packages
+  apt:
+    name: '{{ item }}'
+    state: present
+    allow_unauthenticated: yes
+  with_items:
+  - php-pear
+  - php-log
+  - php5-pam

evoadmin/tasks/ssl.yml

@@ -0,0 +1,24 @@
+---
+
+
+- name: ssl-cert package is installed
+  apt:
+    name: ssl-cert
+    state: present
+
+- name: Create private key and csr for default site ({{ ansible_fqdn }})
+  command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "{{ evoadmin_ssl_subject }}"
+  args:
+    creates: "/etc/ssl/private/{{ evoadmin_host }}.key"
+
+- name: Adjust rights on private key
+  file:
+    path: /etc/ssl/private/{{ evoadmin_host }}.key
+    owner: root
+    group: ssl-cert
+    mode: "0640"
+
+- name: Create certificate for default site
+  command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt
+  args:
+    creates: "/etc/ssl/certs/{{ evoadmin_host }}.crt"

evoadmin/tasks/user.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Create evoadmin account
+  user:
+    name: evoadmin
+    comment: "Evoadmin Web Account"
+    home: "{{ evoadmin_home_dir}}"
+    password: "!"
+
+- name: Create www-evoadmin group
+  group:
+    name: www-evoadmin
+    state: present
+
+- name: Install Git
+  apt:
+    name: git
+    state: present
+
+- name: Clone evoadmin repository
+  git:
+    repo: https://forge.evolix.org/evoadmin-web.git
+    dest: "{{ evoadmin_document_root}}"
+    update: no
+  # Warning: Need sudo!
+  become_user: "{{ evoadmin_username }}"
+
+- name: "Create {{ evoadmin_scripts_dir }}"
+  file:
+    dest: "{{ evoadmin_scripts_dir }}"
+    # recurse: yes
+    mode: "0700"
+    state: directory
+
+- name: Install scripts like web-add.sh
+  shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/"
+  args:
+    creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
+
+# we use a shell command to have a "changed" thet really reflects the result.
+- name: Fix permissions
+  shell: "test -f {{ item }} && chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
+  register: command_result
+  changed_when: "'changed' in command_result.stdout"
+  failed_when: False
+  with_items:
+  - "{{ evoadmin_home_dir}}/www"
+
+- name: Add www-evoadmin to group shadow
+  user:
+    name: www-evoadmin
+    groups: shadow
+    append: yes
+
+- name: Add evoadmin sudoers file
+  template:
+    src: sudoers.j2
+    dest: /etc/sudoers.d/evoadmin
+    mode: "0600"
+    validate: "visudo -cf %s"

evoadmin/tasks/web.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+  ini_file:
+    dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+    section: PHP
+    option: "disable_functions"
+    value: "shell-exec,system,passthru,putenv,popen"
+  notify: reload apache
+
+
+- name: Install evoadmin VHost
+  template:
+    src: evoadmin.conf.j2
+    dest: /etc/apache2/sites-available/evoadmin.conf
+  notify: reload apache2
+
+- name: Enable evoadmin vhost
+  command: "a2ensite evoadmin.conf"
+  register: cmd_a2ensite
+  changed_when: "'Enabling site' in cmd_a2ensite.stdout"
+  notify: reload apache2
+
+- name: Copy config file for evoadmin
+  copy:
+    src: config.local.php
+    dest: "{{ evoadmin_home_dir}}/www/conf/"
+    mode: "0644"
+
+- name: add www-evoadmin to shadow group
+  user:
+    name: www-evoadmin
+    groups: shadow

evoadmin/templates/evoadmin.conf.j2

@@ -0,0 +1,60 @@
+<VirtualHost *:80>
+    ServerName {{ evoadmin_host }}
+    Redirect permanent / https://{{ evoadmin_host }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+
+    # FQDN principal
+    ServerName {{ evoadmin_host }}
+    #ServerAlias {{ evoadmin_host }}
+
+    # Repertoire principal
+    DocumentRoot /home/evoadmin/www/htdocs/
+
+    # SSL
+    SSLEngine on
+    SSLCertificateFile    /etc/ssl/certs/{{ evoadmin_host }}.crt
+    SSLCertificateKeyFile /etc/ssl/private/{{ evoadmin_host }}.key
+    SSLProtocol all -SSLv2 -SSLv3
+
+    # Propriete du repertoire
+    <Directory /home/evoadmin/www/htdocs/>
+        #Options Indexes SymLinksIfOwnerMatch
+        Options SymLinksIfOwnerMatch
+        AllowOverride AuthConfig Limit FileInfo
+        Require all granted
+    </Directory>
+
+    # user - group (thanks to sesse@debian.org)
+    AssignUserID www-evoadmin evoadmin
+
+    # LOG
+    CustomLog /var/log/apache2/access.log combined
+    CustomLog /home/evoadmin/log/access.log combined
+    ErrorLog  /home/evoadmin/log/error.log
+
+    # AWSTATS
+    SetEnv AWSTATS_FORCE_CONFIG evoadmin
+
+    # REWRITE
+    UseCanonicalName On
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} !^{{ evoadmin_host }}$
+    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
+
+    # PHP
+    #php_admin_flag engine off
+    #AddType text/html .html
+    #php_admin_flag display_errors On
+    #php_flag short_open_tag On
+    #php_flag register_globals On
+    #php_admin_value memory_limit 256M
+    #php_admin_value max_execution_time 60
+    #php_admin_value upload_max_filesize 8M
+    #php_admin_flag allow_url_fopen Off
+    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin"
+    php_admin_value error_log "/home/evoadmin/log/php.log"
+    php_admin_value open_basedir "none"
+
+</VirtualHost>

evoadmin/templates/sudoers.j2

@@ -0,0 +1,3 @@
+User_Alias EVOADMIN = www-evoadmin
+Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
+EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB

evoadmin/templates/web-add.conf.j2

@@ -0,0 +1,2 @@
+CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
+WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"

evoadmin/templates/web-mail.tpl.j2

@@ -0,0 +1,86 @@
+From: %MAIL_FROM%
+To: RCPTTO
+Bcc: %MAIL_BCC%
+Subject: Parametres hebergement web : LOGIN
+
+Bonjour,
+
+Votre compte d'hebergement web a ete cree.
+
+**********************************
+* CONNEXION SFTP/SSH
+**********************************
+
+NOM DU SERVEUR : %SERVER_NAME%
+USER : LOGIN
+PASSWORD : PASSE1
+
+*****************************************
+* Details sur l'environnement Apache/PHP
+*****************************************
+
+URL du site :
+http://SERVERNAME
+
+URL des stats :
+http://SERVERNAME/cgi-RANDOM/awstats.pl
+(acces par IP ou login a demander !)
+
+Repertoire de connexion : HOME_DIR/LOGIN/
+Repertoire pour site web : HOME_DIR/LOGIN/www/
+
+Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
+uniquement *en lecture* aux differents fichiers/repertoires
+(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
+fichiers ce qui est le comportement par defaut).
+
+Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
+fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
+
+***********************************
+* MySQL
+***********************************
+
+SERVEUR : 127.0.0.1
+PORT DU SERVEUR : 3306
+USER : LOGIN
+PASSWORD : PASSE2
+NOM BASE : DBNAME
+URL interface d'admin :
+%PMA_URL%
+
+***********************************
+* Rappels divers
+***********************************
+
+Votre nom de domaine doit etre configure pour pointer
+sur l'adresse IP %SERVER_ADDR% (enregistrement DNS A)
+ou etre un alias de %SERVER_NAME% (enregistrement DNS CNAME).
+
+Si vous avez besoin de faire des tests, vous devez
+ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
+ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
+%SERVER_ADDR% SERVERNAME
+
+Attention, par defaut, toutes les connexions vers l'exterieur
+sont bloquees. Si vous avez besoin de recuperer des donnees
+a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
+afin de mettre en oeuvre les autorisations necessaires.
+
+Afin de securiser au maximum le serveur, certaines URL
+particulieres sont non autorisees pour eviter diverses
+attaques (XSS, robots, trojans, injections, etc.).
+Exemple d'URL refusee :
+http://SERVERNAME/cmd32.exe
+En cas de soucis avec votre application, prevenez-nous.
+
+Si vous desirez mettre en place des parametres particuliers
+pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab, 
+etc.), n'hesitez pas a nous contacter a l'adresse
+%MAIL_STANDARD% (ou %MAIL_URGENT% si votre demande est
+urgente).
+
+
+Cordialement,
+-- 
+%FOOTER%

packweb-apache/defaults/main.yml

@@ -2,3 +2,4 @@
 # defaults file for packweb-apache
 general_alert_email: "root@localhost"
 log2mail_alert_email: Null
+packweb_install_evoadmin: True

packweb-apache/files/userlogrotate

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+DATE=`/bin/date +"%d-%m-%Y"`
+HOMEPREFIX="/home"
+
+rotate () {
+  mv $1 $1.$DATE
+  gzip $1.$DATE
+  touch $1
+  chown $2 $1
+  chmod g+r $1
+}
+
+user_for() {
+  homedir=`echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#"`
+  stat -L -c '%G' $homedir
+}
+
+for log in access.log access-*.log error.log; do
+  for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do
+    USER=`user_for $i`
+    rotate $i root:$USER
+  done
+done
+
+for i in `ls -1 -d $HOMEPREFIX/*/log/php.log 2>/dev/null | grep -v \.bak\.`; do
+  USER=`user_for $i`
+  rotate $i www-$USER:$USER
+done
+
+for log in production.log delayed_job.log development.log test.log; do
+  for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do
+    USER=`user_for $i`
+    rotate $i $USER:$USER
+  done
+done
+
+apache2ctl restart > /dev/null

packweb-apache/tasks/main.yml

@@ -2,7 +2,7 @@
 
 - name: Include apache role
   include_role:
-    name: "{{ roles }}/apache"
+    name: "apache"
 
 - name: Add elements to user account template
   file:
@@ -13,8 +13,22 @@
   - { path: log, mode: "0750", state: directory }
   - { path: awstats, mode: "0750", state: directory }
   - { path: www, mode: "0750", state: directory }
-  - { path: log/access.log, mode: "0644", state: touch }
-  - { path: log/error.log, mode: "0644", state: touch }
+
+- name: Copy apache empty log files if missing
+  copy:
+    src: "log/{{ item }}"
+    dest: "/etc/skel/log/{{ item }}"
+    mode: "0644"
+    force: no
+  with_items:
+  - access.log
+  - error.log
+
+- name: Install userlogrotate
+  copy:
+    src: userlogrotate
+    dest: /etc/cron.weekly/userlogrotate
+    mode: "0755"
 
 - name: Force DIR_MODE to 0750 in /etc/adduser.conf
   lineinfile:
@@ -107,9 +121,14 @@
   tags:
   - apache
 
-- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+- name: Set variables for php config files
+  set_fact:
+    php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+    php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
+
+- name: Set default values for PHP
   ini_file:
-    dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+    dest: "{{ php5_apache5_defaults_file }}"
     section: PHP
     option: "{{ item.option }}"
     value: "{{ item.value }}"
@@ -117,16 +136,31 @@
     create: yes
   with_items:
   - { option: "short_open_tag", value: "Off" }
-  - { option: "disable_functions", value: "exec, shell-exec, system, passthru, putenv, popen" }
   - { option: "expose_php", value: "Off" }
   - { option: "display_errors", value: "Off" }
   - { option: "log_errors", value: "On" }
   - { option: "allow_url_fopen", value: "Off" }
   notify: reload apache
 
+- name: Disable PHP exec function without evoadmin
+  ini_file:
+    dest: "{{ php5_apache5_defaults_file }}"
+    section: PHP
+    option: disable_functions
+    value: "exec,shell-exec,system,passthru,putenv,popen"
+  when: not packweb_install_evoadmin
+
+- name: Don't disable PHP exec function with evoadmin
+  ini_file:
+    dest: "{{ php5_apache5_defaults_file }}"
+    section: PHP
+    option: disable_functions
+    value: "shell-exec,system,passthru,putenv,popen"
+  when: packweb_install_evoadmin
+
 - name: Custom php.ini
   copy:
-    dest: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
+    dest: "{{ php5_apache5_custom_file }}"
     content: |
       # Put customized values here.
     force: no
@@ -186,7 +220,7 @@
     content: |
       Alias /awstats-icon/ /usr/share/awstats/icon/
       <Directory /usr/share/awstats/icon/>
-        Require All Granted
+        Require all granted
       </Directory>
     force: no
     mode: "0644"
@@ -275,3 +309,12 @@
   - /var/log/debug
   - /var/log/mail.err
   - /var/log/mail.warn
+
+- name: Install Evoadmin
+  include_role:
+    name: evoadmin
+  when: packweb_install_evoadmin
+
+- name: Install web-add script
+  include: web-add.yml
+  when: not packweb_install_evoadmin

packweb-apache/tasks/web-add.yml

@@ -0,0 +1,3 @@
+---
+
+# TODO: ...