diff --git a/apache/tasks/main.yml b/apache/tasks/main.yml
index 9b23eb3c..dce83867 100644
--- a/apache/tasks/main.yml
+++ b/apache/tasks/main.yml
@@ -4,11 +4,34 @@
state: present
with_items:
- apache2
+ - apache2-mpm-prefork
- apachetop
- libwww-perl
tags:
- apache
+- name: manually disable mpm_event
+ command: a2dismod mpm_event
+ register: cmd_disable_event
+ changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout"
+
+- name: manually enable mpm_prefork
+ command: a2enmod mpm_prefork
+ register: cmd_disable_prefork
+ changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout"
+
+# With Ansible 2.2 the module check the config for conflicts
+# With 2.3 it can be disabled.
+# https://docs.ansible.com/ansible/apache2_module_module.html
+# - name: mpm_event modules is disabled
+# apache2_module:
+# name: '{{ item }}'
+# state: absent
+# with_items:
+# - mpm_event
+# tags:
+# - apache
+
- name: basic modules are enabled
apache2_module:
name: '{{ item }}'
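Review bot: The variable registered at L21, `cmd_disable_prefork`, belongs to the task that enables mpm_prefork, so it reads as the opposite of what it holds; rename it `cmd_enable_prefork` in L21 and L22. Neither new `command` task carries the `tags: - apache` that the neighbouring tasks have (L12-13), so a `--tags apache` run installs the package at L9 but skips the MPM switch. Neither task notifies a handler either, so on a host where Apache is already running the change from mpm_event to mpm_prefork only takes effect at the next restart; a `notify:` to a restart handler (a reload is not enough for an MPM change) would close that gap.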
@@ -17,7 +40,6 @@
- rewrite
- expires
- headers
- - rewrite
- cgi
- ssl
tags:
diff --git a/evoadmin/defaults/main.yml b/evoadmin/defaults/main.yml
new file mode 100644
index 00000000..03a7ff3b
--- /dev/null
+++ b/evoadmin/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+general_alert_email: "root@localhost"
+evoadmin_contact_email: Null
+evoadmin_bounce_email: "{{ evoadmin_contact_email }}"
+
+evoadmin_home_dir: "/home/{{ evoadmin_username }}"
+evoadmin_document_root: "{{ evoadmin_home_dir }}/www"
+evoadmin_scripts_dir: /usr/share/scripts/evoadmin/
+evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
+evoadmin_username: evoadmin
+evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}"
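Review bot: `evoadmin_scripts_dir: /usr/share/scripts/evoadmin/` at L60 ends with a slash while every consumer appends `/…` to it (config.yml L116, user.yml L254-262, sudoers.j2 L397), so rendered paths contain `//`; drop the trailing slash here. `evoadmin_contact_email: Null` at L55 relies on the capitalised YAML 1.1 null; write `null` so yamllint and YAML 1.2 parsers agree. `evoadmin_home_dir` at L58 refers to `evoadmin_username`, which is only defined at L62; Ansible resolves this lazily so it works, but defining the username first makes the dependency readable.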
diff --git a/evoadmin/files/evolinux.conf.diff b/evoadmin/files/evolinux.conf.diff
new file mode 100644
index 00000000..dd09e474
--- /dev/null
+++ b/evoadmin/files/evolinux.conf.diff
@@ -0,0 +1,12 @@
+--- evolinux.conf 2015-04-09 16:39:41.862242460 +0200
++++ evolinux.conf 2015-04-09 16:51:11.902241748 +0200
+@@ -23,7 +23,5 @@
+ # Allow RESUME (REST command)
+ AllowStoreRestart on
+
+-
+- AllowGroup ftpusers
+- DenyAll
+-
++AuthOrder mod_auth_file.c
++AuthUserFile /etc/proftpd/vpasswd
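Review bot: The removed `AllowGroup ftpusers` / `DenyAll` pair was the access list of an enclosing block whose opening line is outside this excerpt, so after the patch who may log in is governed only by `AuthOrder mod_auth_file.c` and the accounts in `/etc/proftpd/vpasswd`; that move from a system-group allowlist to file-based virtual users deserves a comment next to the patch task in ftp.yml, e.g. `# Replaces the ftpusers group allowlist with virtual users from /etc/proftpd/vpasswd`. The context lines here must match the target `z-evolinux.conf` exactly or `patch` fails; the `stat` at ftp.yml L125-128 only checks that the file exists, not that it is the expected version.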
diff --git a/evoadmin/handlers/main.yml b/evoadmin/handlers/main.yml
new file mode 100644
index 00000000..c4cdb576
--- /dev/null
+++ b/evoadmin/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: reload apache2
+ service:
+ name: apache2
+ state: reloaded
diff --git a/evoadmin/tasks/config.yml b/evoadmin/tasks/config.yml
new file mode 100644
index 00000000..b34b5ef0
--- /dev/null
+++ b/evoadmin/tasks/config.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "Create /etc/evolinux"
+ file:
+ dest: "/etc/evolinux"
+ recurse: yes
+ state: directory
+
+- name: Configure web-add config file
+ template:
+ src: web-add.conf.j2
+ dest: /etc/evolinux/web-add.conf
+
+- name: Configure web-add template file for mail
+ template:
+ src: web-mail.tpl.j2
+ dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl"
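Review bot: `recurse: yes` at L105 on a `state: directory` task that sets no `owner`, `group` or `mode` has nothing to apply recursively, and `/etc/evolinux` is a single level anyway; drop it. The two `template` tasks at L108-116 set no `mode`, so the rendered files take whatever the remote umask gives; `web-add.conf` holds only contact addresses, but an explicit `mode: "0644"` records that decision. Booleans in this role (`yes`/`no`) should be written `true`/`false`.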
diff --git a/evoadmin/tasks/ftp.yml b/evoadmin/tasks/ftp.yml
new file mode 100644
index 00000000..e4eacabf
--- /dev/null
+++ b/evoadmin/tasks/ftp.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Verify if proftpd has evolinux config file
+ stat:
+ path: /etc/proftpd/conf.d/z-evolinux.conf
+ register: proftpd_config
+
+- block:
+ - name: Patch ProFTPd config file
+ patch:
+ remote_src: no
+ src: evolinux.conf.diff
+ dest: /etc/proftpd/conf.d/z-evolinux.conf
+ # Why 440? Because should be edited with ftpasswd.
+ # So, readonly when opened with vim.
+ # Then readable by group.
+ - name: Create /etc/proftpd/vpasswd file in 0440 mode
+ file:
+ state: touch
+ path: /etc/proftpd/vpasswd
+ mode: "0440"
+ owner: root
+ group: root
+ when: proftpd_config.stat.exists
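Review bot: `state: touch` at L141 updates the mtime and reports `changed` on every run, so this task is never idempotent; guard it with a `stat` of `/etc/proftpd/vpasswd` and `when: not vpasswd.stat.exists`, or use `state: file` once the file exists and only `touch` when it does not. The comment at L136-138 says the file should be "readable by group", but L145 sets `group: root`, so `0440` effectively grants root alone; if ProFTPd reads `vpasswd` after dropping privileges (not determinable from this file) the daemon's group belongs there — confirm and make the comment and the task agree.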
diff --git a/evoadmin/tasks/main.yml b/evoadmin/tasks/main.yml
new file mode 100644
index 00000000..655aa81d
--- /dev/null
+++ b/evoadmin/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- include: packages.yml
+
+- include: user.yml
+
+- include: config.yml
+
+- include: ssl.yml
+
+- include: web.yml
+
+- include: ftp.yml
diff --git a/evoadmin/tasks/packages.yml b/evoadmin/tasks/packages.yml
new file mode 100644
index 00000000..f0dd16d3
--- /dev/null
+++ b/evoadmin/tasks/packages.yml
@@ -0,0 +1,17 @@
+---
+
+- include_role:
+ name: apt-repositories
+ tasks_from: evolix_public.yml
+
+- meta: flush_handlers
+
+- name: Install PHP packages
+ apt:
+ name: '{{ item }}'
+ state: present
+ allow_unauthenticated: yes
+ with_items:
+ - php-pear
+ - php-log
+ - php5-pam
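Review bot: `allow_unauthenticated: yes` at L184 turns off apt's signature verification for this install, so a package altered on a mirror or in transit would be accepted without any error; since the `apt-repositories` include at L174-176 is expected to configure the Evolix repository together with its key, the flag should be unnecessary — remove it, and if one package genuinely lacks a signature, install that one in its own task with a comment naming which package and why. As elsewhere in the role, `yes` should be written `true`.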
diff --git a/evoadmin/tasks/ssl.yml b/evoadmin/tasks/ssl.yml
new file mode 100644
index 00000000..1eb354fc
--- /dev/null
+++ b/evoadmin/tasks/ssl.yml
@@ -0,0 +1,24 @@
+---
+
+
+- name: ssl-cert package is installed
+ apt:
+ name: ssl-cert
+ state: present
+
+- name: Create private key and csr for default site ({{ ansible_fqdn }})
+ command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "{{ evoadmin_ssl_subject }}"
+ args:
+ creates: "/etc/ssl/private/{{ evoadmin_host }}.key"
+
+- name: Adjust rights on private key
+ file:
+ path: /etc/ssl/private/{{ evoadmin_host }}.key
+ owner: root
+ group: ssl-cert
+ mode: "0640"
+
+- name: Create certificate for default site
+ command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt
+ args:
+ creates: "/etc/ssl/certs/{{ evoadmin_host }}.crt"
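Review bot: The task name at L203 announces `({{ ansible_fqdn }})` while the key and CSR written at L204 are named after `{{ evoadmin_host }}`; change the name to `Create private key and csr for default site ({{ evoadmin_host }})`. The key is created at L204 with the process umask and only tightened to `0640 root:ssl-cert` by the next task (L208-213); on Debian `/etc/ssl/private` is normally `0710 root:ssl-cert`, which bounds the window, but a `# key is created with the default umask; permissions are fixed by the next task` comment, or a `shell` task prefixed with `umask 077 &&`, makes the intent explicit. The certificate at L216 is self-signed for 3650 days; a one-line comment stating that this is a placeholder until a real certificate is installed would help the next maintainer.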
diff --git a/evoadmin/tasks/user.yml b/evoadmin/tasks/user.yml
new file mode 100644
index 00000000..dda4429d
--- /dev/null
+++ b/evoadmin/tasks/user.yml
@@ -0,0 +1,60 @@
+---
+
+- name: Create evoadmin account
+ user:
+ name: evoadmin
+ comment: "Evoadmin Web Account"
+ home: "{{ evoadmin_home_dir}}"
+ password: "!"
+
+- name: Create www-evoadmin group
+ group:
+ name: www-evoadmin
+ state: present
+
+- name: Install Git
+ apt:
+ name: git
+ state: present
+
+- name: Clone evoadmin repository
+ git:
+ repo: https://forge.evolix.org/evoadmin-web.git
+ dest: "{{ evoadmin_document_root}}"
+ update: no
+ # Warning: Need sudo!
+ become_user: "{{ evoadmin_username }}"
+
+- name: "Create {{ evoadmin_scripts_dir }}"
+ file:
+ dest: "{{ evoadmin_scripts_dir }}"
+ # recurse: yes
+ mode: "0700"
+ state: directory
+
+- name: Install scripts like web-add.sh
+ shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/"
+ args:
+ creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
+
+# we use a shell command to have a "changed" thet really reflects the result.
+- name: Fix permissions
+ shell: "test -f {{ item }} && chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
+ register: command_result
+ changed_when: "'changed' in command_result.stdout"
+ failed_when: False
+ with_items:
+ - "{{ evoadmin_home_dir}}/www"
+
+- name: Add www-evoadmin to group shadow
+ user:
+ name: www-evoadmin
+ groups: shadow
+ append: yes
+
+- name: Add evoadmin sudoers file
+ template:
+ src: sudoers.j2
+ dest: /etc/sudoers.d/evoadmin
+ mode: "0600"
+ validate: "visudo -cf %s"
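Review bot: The task at L273-277 puts the Apache worker account `www-evoadmin` in the `shadow` group, which gives the web server process read access to `/etc/shadow`; nothing in the role says why, so a comment above it is needed, e.g. `# www-evoadmin needs read access to /etc/shadow for PAM authentication (php5-pam) — TODO confirm`, and the same membership is set again in web.yml L320-323. L229 hard-codes `name: evoadmin` although `evoadmin_username` is defined in defaults and used at L250; write `name: "{{ evoadmin_username }}"`. `failed_when: False` at L269 hides every failure of the chmod, not only the "file absent" case the `test -f` already handles, so a genuine permission error goes unnoticed; `failed_when: command_result.rc > 1` or checking stderr would keep the intended leniency. The comment at L264 has a typo (`thet`).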
diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml
new file mode 100644
index 00000000..69f719ef
--- /dev/null
+++ b/evoadmin/tasks/web.yml
@@ -0,0 +1,33 @@
+---
+
+- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ ini_file:
+ dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ section: PHP
+ option: "disable_functions"
+ value: "shell-exec,system,passthru,putenv,popen"
+ notify: reload apache
+
+
+- name: Install evoadmin VHost
+ template:
+ src: evoadmin.conf.j2
+ dest: /etc/apache2/sites-available/evoadmin.conf
+ notify: reload apache2
+
+- name: Enable evoadmin vhost
+ command: "a2ensite evoadmin.conf"
+ register: cmd_a2ensite
+ changed_when: "'Enabling site' in cmd_a2ensite.stdout"
+ notify: reload apache2
+
+- name: Copy config file for evoadmin
+ copy:
+ src: config.local.php
+ dest: "{{ evoadmin_home_dir}}/www/conf/"
+ mode: "0644"
+
+- name: add www-evoadmin to shadow group
+ user:
+ name: www-evoadmin
+ groups: shadow
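Review bot: `shell-exec` in the `disable_functions` value at L298 is not a PHP function name — the function is `shell_exec` — so the entry is silently ignored and `shell_exec()` stays enabled; the value should read `"shell_exec,system,passthru,putenv,popen"`. The same spelling appears in packweb-apache/tasks/main.yml at L625 and L633. `notify: reload apache` at L299 does not match the handler this role defines, `reload apache2` (handlers/main.yml L90), which L306 and L312 use; unless another role in the play provides `reload apache`, Ansible aborts with a missing-handler error. L320-323 repeats user.yml L273-277 but without `append: yes`, so it replaces every secondary group of `www-evoadmin` with `shadow` alone; remove the duplicate or add `append: yes`.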
diff --git a/evoadmin/templates/evoadmin.conf.j2 b/evoadmin/templates/evoadmin.conf.j2
new file mode 100644
index 00000000..20ff2f01
--- /dev/null
+++ b/evoadmin/templates/evoadmin.conf.j2
@@ -0,0 +1,60 @@
+
+ ServerName {{ evoadmin_host }}
+ Redirect permanent / https://{{ evoadmin_host }}/
+
+
+
+
+ # FQDN principal
+ ServerName {{ evoadmin_host }}
+ #ServerAlias {{ evoadmin_host }}
+
+ # Repertoire principal
+ DocumentRoot /home/evoadmin/www/htdocs/
+
+ # SSL
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/{{ evoadmin_host }}.crt
+ SSLCertificateKeyFile /etc/ssl/private/{{ evoadmin_host }}.key
+ SSLProtocol all -SSLv2 -SSLv3
+
+ # Propriete du repertoire
+
+ #Options Indexes SymLinksIfOwnerMatch
+ Options SymLinksIfOwnerMatch
+ AllowOverride AuthConfig Limit FileInfo
+ Require all granted
+
+
+ # user - group (thanks to sesse@debian.org)
+ AssignUserID www-evoadmin evoadmin
+
+ # LOG
+ CustomLog /var/log/apache2/access.log combined
+ CustomLog /home/evoadmin/log/access.log combined
+ ErrorLog /home/evoadmin/log/error.log
+
+ # AWSTATS
+ SetEnv AWSTATS_FORCE_CONFIG evoadmin
+
+ # REWRITE
+ UseCanonicalName On
+ RewriteEngine On
+ RewriteCond %{HTTP_HOST} !^{{ evoadmin_host }}$
+ RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
+
+ # PHP
+ #php_admin_flag engine off
+ #AddType text/html .html
+ #php_admin_flag display_errors On
+ #php_flag short_open_tag On
+ #php_flag register_globals On
+ #php_admin_value memory_limit 256M
+ #php_admin_value max_execution_time 60
+ #php_admin_value upload_max_filesize 8M
+ #php_admin_flag allow_url_fopen Off
+ php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin"
+ php_admin_value error_log "/home/evoadmin/log/php.log"
+ php_admin_value open_basedir "none"
+
+
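Review bot: `DocumentRoot /home/evoadmin/www/htdocs/` at L342 and the log paths at L363-364 and L386 hard-code `/home/evoadmin` while `evoadmin_document_root` and `evoadmin_home_dir` exist in defaults and `{{ evoadmin_host }}` is already templated above; render them as `DocumentRoot {{ evoadmin_document_root }}/htdocs/` and `{{ evoadmin_home_dir }}/log/access.log` so a changed home does not break the vhost. The container directives (`<VirtualHost>`, `<Directory>`) are not visible in this excerpt, so the scope of `Options`/`Require` at L353-355 cannot be checked here. `SSLProtocol all -SSLv2 -SSLv3` at L348 still admits TLS 1.0 and 1.1; whether `-TLSv1 -TLSv1.1` is acceptable depends on the clients and the Apache version on the target, so record the decision in a comment. `/home/evoadmin/log` must exist for Apache to start and nothing in this role creates it; either the packweb-apache skel is relied upon or a `file: state: directory` task is missing.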
diff --git a/evoadmin/templates/sudoers.j2 b/evoadmin/templates/sudoers.j2
new file mode 100644
index 00000000..4dfd71c1
--- /dev/null
+++ b/evoadmin/templates/sudoers.j2
@@ -0,0 +1,3 @@
+User_Alias EVOADMIN = www-evoadmin
+Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
+EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB
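Review bot: `Cmnd_Alias EVOADMIN_WEB` at L397 lets `www-evoadmin` run as root, without a password, any present or future file matching `web-*.sh` in the scripts directory; that is only safe while the directory stays `0700` and root-owned (user.yml L252-257), so state the dependency in the template: `# Only root may write to the scripts dir; anything matching web-*.sh placed there runs as root`. With the default `evoadmin_scripts_dir` the rendered paths contain `//`; whether sudo's glob matching tolerates the doubled slash varies by version, so either fix the default or render with `{{ evoadmin_scripts_dir | mandatory | regex_replace('/$', '') }}`.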
diff --git a/evoadmin/templates/web-add.conf.j2 b/evoadmin/templates/web-add.conf.j2
new file mode 100644
index 00000000..86eabd29
--- /dev/null
+++ b/evoadmin/templates/web-add.conf.j2
@@ -0,0 +1,2 @@
+CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
+WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
diff --git a/evoadmin/templates/web-mail.tpl.j2 b/evoadmin/templates/web-mail.tpl.j2
new file mode 100644
index 00000000..82d4f67d
--- /dev/null
+++ b/evoadmin/templates/web-mail.tpl.j2
@@ -0,0 +1,86 @@
+From: %MAIL_FROM%
+To: RCPTTO
+Bcc: %MAIL_BCC%
+Subject: Parametres hebergement web : LOGIN
+
+Bonjour,
+
+Votre compte d'hebergement web a ete cree.
+
+**********************************
+* CONNEXION SFTP/SSH
+**********************************
+
+NOM DU SERVEUR : %SERVER_NAME%
+USER : LOGIN
+PASSWORD : PASSE1
+
+*****************************************
+* Details sur l'environnement Apache/PHP
+*****************************************
+
+URL du site :
+http://SERVERNAME
+
+URL des stats :
+http://SERVERNAME/cgi-RANDOM/awstats.pl
+(acces par IP ou login a demander !)
+
+Repertoire de connexion : HOME_DIR/LOGIN/
+Repertoire pour site web : HOME_DIR/LOGIN/www/
+
+Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
+uniquement *en lecture* aux differents fichiers/repertoires
+(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
+fichiers ce qui est le comportement par defaut).
+
+Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
+fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
+
+***********************************
+* MySQL
+***********************************
+
+SERVEUR : 127.0.0.1
+PORT DU SERVEUR : 3306
+USER : LOGIN
+PASSWORD : PASSE2
+NOM BASE : DBNAME
+URL interface d'admin :
+%PMA_URL%
+
+***********************************
+* Rappels divers
+***********************************
+
+Votre nom de domaine doit etre configure pour pointer
+sur l'adresse IP %SERVER_ADDR% (enregistrement DNS A)
+ou etre un alias de %SERVER_NAME% (enregistrement DNS CNAME).
+
+Si vous avez besoin de faire des tests, vous devez
+ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
+ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
+%SERVER_ADDR% SERVERNAME
+
+Attention, par defaut, toutes les connexions vers l'exterieur
+sont bloquees. Si vous avez besoin de recuperer des donnees
+a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
+afin de mettre en oeuvre les autorisations necessaires.
+
+Afin de securiser au maximum le serveur, certaines URL
+particulieres sont non autorisees pour eviter diverses
+attaques (XSS, robots, trojans, injections, etc.).
+Exemple d'URL refusee :
+http://SERVERNAME/cmd32.exe
+En cas de soucis avec votre application, prevenez-nous.
+
+Si vous desirez mettre en place des parametres particuliers
+pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
+etc.), n'hesitez pas a nous contacter a l'adresse
+%MAIL_STANDARD% (ou %MAIL_URGENT% si votre demande est
+urgente).
+
+
+Cordialement,
+--
+%FOOTER%
\ No newline at end of file
diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml
index a9e9416f..2e2c3481 100644
--- a/packweb-apache/defaults/main.yml
+++ b/packweb-apache/defaults/main.yml
@@ -2,3 +2,4 @@
# defaults file for packweb-apache
general_alert_email: "root@localhost"
log2mail_alert_email: Null
+packweb_install_evoadmin: True
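Review bot: `packweb_install_evoadmin: True` uses the capitalised YAML 1.1 boolean; write `true` so yamllint's `truthy` rule and YAML 1.2 parsers agree. The `Null` on the preceding line has the same issue but predates this change.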
diff --git a/packweb-apache/files/log/access.log b/packweb-apache/files/log/access.log
new file mode 100644
index 00000000..e69de29b
diff --git a/packweb-apache/files/log/error.log b/packweb-apache/files/log/error.log
new file mode 100644
index 00000000..e69de29b
diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate
new file mode 100644
index 00000000..339101a9
--- /dev/null
+++ b/packweb-apache/files/userlogrotate
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+DATE=`/bin/date +"%d-%m-%Y"`
+HOMEPREFIX="/home"
+
+rotate () {
+ mv $1 $1.$DATE
+ gzip $1.$DATE
+ touch $1
+ chown $2 $1
+ chmod g+r $1
+}
+
+user_for() {
+ homedir=`echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#"`
+ stat -L -c '%G' $homedir
+}
+
+for log in access.log access-*.log error.log; do
+ for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do
+ USER=`user_for $i`
+ rotate $i root:$USER
+ done
+done
+
+for i in `ls -1 -d $HOMEPREFIX/*/log/php.log 2>/dev/null | grep -v \.bak\.`; do
+ USER=`user_for $i`
+ rotate $i www-$USER:$USER
+done
+
+for log in production.log delayed_job.log development.log test.log; do
+ for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do
+ USER=`user_for $i`
+ rotate $i $USER:$USER
+ done
+done
+
+apache2ctl restart > /dev/null
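Review bot: `rotate` (L526-532) runs from cron.weekly as root on paths inside user-owned `log/` directories, with unquoted arguments, and `touch`, `chown` and `chmod` act on whatever sits at `$1` when they run — a symlink placed there is followed, so the ownership change lands on its target. Quoting the parameters, refusing anything that is not a regular file and using `chown -h` narrows this; only a rotation that operates on an already-opened file, or logrotate's `su`/`create` directives, removes the remaining window between `mv` and `touch`, and that alternative is worth a comment at the top of the script. The `ls … | grep -v \.bak\.` loops at L540, L546 and L552 break on names with whitespace, and the unquoted `\.` reaches grep as `.`; iterating over the glob directly with `shopt -s nullglob` avoids both. `apache2ctl restart` at L558 drops in-flight requests every week; `apache2ctl graceful` reopens the log files as well.
```bash
rotate () {
    local log="$1" owner="$2"
    # Only rotate plain files; a symlink here would redirect the root-run
    # chown/chmod elsewhere. A race between mv and touch remains.
    if [ ! -f "$log" ] || [ -L "$log" ]; then
        return 1
    fi
    mv "$log" "$log.$DATE"
    gzip "$log.$DATE"
    touch "$log"
    chown -h "$owner" "$log"
    chmod g+r "$log"
}
# … unchanged: user_for and the rotation loops …
```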
diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml
index de4e467e..24d86cd0 100644
--- a/packweb-apache/tasks/main.yml
+++ b/packweb-apache/tasks/main.yml
@@ -2,7 +2,7 @@
- name: Include apache role
include_role:
- name: "{{ roles }}/apache"
+ name: "apache"
- name: Add elements to user account template
file:
@@ -13,8 +13,22 @@
- { path: log, mode: "0750", state: directory }
- { path: awstats, mode: "0750", state: directory }
- { path: www, mode: "0750", state: directory }
- - { path: log/access.log, mode: "0644", state: touch }
- - { path: log/error.log, mode: "0644", state: touch }
+
+- name: Copy apache empty log files if missing
+ copy:
+ src: "log/{{ item }}"
+ dest: "/etc/skel/log/{{ item }}"
+ mode: "0644"
+ force: no
+ with_items:
+ - access.log
+ - error.log
+
+- name: Install userlogrotate
+ copy:
+ src: userlogrotate
+ dest: /etc/cron.weekly/userlogrotate
+ mode: "0755"
- name: Force DIR_MODE to 0750 in /etc/adduser.conf
lineinfile:
@@ -107,9 +121,14 @@
tags:
- apache
-- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+- name: Set variables for php config files
+ set_fact:
+ php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
+
+- name: Set default values for PHP
ini_file:
- dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ dest: "{{ php5_apache5_defaults_file }}"
section: PHP
option: "{{ item.option }}"
value: "{{ item.value }}"
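Review bot: The facts set at L600-601 are named `php5_apache5_*` while the paths they hold are under `/etc/php5/apache2/`; `php5_apache2_defaults_file` and `php5_apache2_custom_file` match the path and avoid suggesting an Apache 5. These values are constants, so `defaults/main.yml` or `vars/main.yml` is the conventional place rather than a `set_fact` task; that also lets a playbook override them.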
@@ -117,16 +136,31 @@
create: yes
with_items:
- { option: "short_open_tag", value: "Off" }
- - { option: "disable_functions", value: "exec, shell-exec, system, passthru, putenv, popen" }
- { option: "expose_php", value: "Off" }
- { option: "display_errors", value: "Off" }
- { option: "log_errors", value: "On" }
- { option: "allow_url_fopen", value: "Off" }
notify: reload apache
+- name: Disable PHP exec function without evoadmin
+ ini_file:
+ dest: "{{ php5_apache5_defaults_file }}"
+ section: PHP
+ option: disable_functions
+ value: "exec,shell-exec,system,passthru,putenv,popen"
+ when: not packweb_install_evoadmin
+
+- name: Don't disable PHP exec function with evoadmin
+ ini_file:
+ dest: "{{ php5_apache5_defaults_file }}"
+ section: PHP
+ option: disable_functions
+ value: "shell-exec,system,passthru,putenv,popen"
+ when: packweb_install_evoadmin
+
- name: Custom php.ini
copy:
- dest: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
+ dest: "{{ php5_apache5_custom_file }}"
content: |
# Put customized values here.
force: no
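Review bot: The two `disable_functions` tasks at L620-634 do not `notify: reload apache`, although the defaults task they were split out of does (L619), so a changed `disable_functions` line is written to the ini file but PHP keeps the previous setting until something else reloads Apache; add `notify: reload apache` to both. The `shell-exec` spelling in their values is raised on evoadmin/tasks/web.yml.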
@@ -186,7 +220,7 @@
content: |
Alias /awstats-icon/ /usr/share/awstats/icon/
- Require All Granted
+ Require all granted
force: no
mode: "0644"
@@ -275,3 +309,12 @@
- /var/log/debug
- /var/log/mail.err
- /var/log/mail.warn
+
+- name: Install Evoadmin
+ include_role:
+ name: evoadmin
+ when: packweb_install_evoadmin
+
+- name: Install web-add script
+ include: web-add.yml
+ when: not packweb_install_evoadmin
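Review bot: `web-add.yml`, included at L661 when `packweb_install_evoadmin` is false, is a stub holding only `# TODO: ...` (L669-671), so on hosts without evoadmin the web-add script is silently not installed and the only effect of the flag is the `disable_functions` variant at L620-626; a `fail:` or at least a `debug:` task in web-add.yml saying the non-evoadmin path is not implemented yet would make this visible in a run, and the description should say so too. `include:` with `when:` applies the condition to every included task, which is what is wanted here.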
diff --git a/packweb-apache/tasks/web-add.yml b/packweb-apache/tasks/web-add.yml
new file mode 100644
index 00000000..60bc20a8
--- /dev/null
+++ b/packweb-apache/tasks/web-add.yml
@@ -0,0 +1,3 @@
+---
+
+# TODO: ...