Merge branch 'packweb-apache' into unstable

.gitignore

@@ -1,2 +1,3 @@
 .kitchen/
+.kateproject.d
 .vagrant/

apache/files/evolinux-ssl.conf

@@ -0,0 +1,11 @@
+# Strong security.
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLProtocol All -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)
+SSLSessionCacheTimeout 600
+
+# Stapling not activated by default. Need config.
+#SSLUseStapling on
+#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)

apache/tasks/main.yml

@@ -3,13 +3,35 @@
     name: '{{ item }}'
     state: present
   with_items:
-  - apache2-mpm-itk
+  - apache2
+  - apache2-mpm-prefork
   - apachetop
-  - libapache2-mod-evasive
   - libwww-perl
   tags:
   - apache
 
+- name: manually disable mpm_event
+  command: a2dismod mpm_event
+  register: cmd_disable_event
+  changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout"
+
+- name: manually enable mpm_prefork
+  command: a2enmod mpm_prefork
+  register: cmd_disable_prefork
+  changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout"
+
+# With Ansible 2.2 the module check the config for conflicts
+# With 2.3 it can be disabled.
+# https://docs.ansible.com/ansible/apache2_module_module.html
+# - name: mpm_event modules is disabled
+#   apache2_module:
+#     name: '{{ item }}'
+#     state: absent
+#   with_items:
+#   - mpm_event
+#   tags:
+#   - apache
+
 - name: basic modules are enabled
   apache2_module:
     name: '{{ item }}'
@@ -18,8 +40,8 @@
   - rewrite
   - expires
   - headers
-  - rewrite
   - cgi
+  - ssl
   tags:
   - apache
 
@@ -45,6 +67,17 @@
   tags:
   - apache
 
+- name: Copy Apache SSL (strong security) config file
+  copy:
+    src: evolinux-ssl.conf
+    dest: "/etc/apache2/conf-available/evolinux-ssl.conf"
+    owner: root
+    group: root
+    mode: "0644"
+    force: no
+  tags:
+  - apache
+
 - name: Ensure Apache config files are enabled
   command: "a2enconf {{ item }}"
   register: command_result
@@ -52,6 +85,7 @@
   with_items:
   - z-evolinux-defaults.conf
   - zzz-evolinux-custom.conf
+  - evolinux-ssl.conf
   tags:
   - apache
 

evoadmin/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+general_alert_email: "root@localhost"
+evoadmin_contact_email: Null
+evoadmin_bounce_email: "{{ evoadmin_contact_email }}"
+
+evoadmin_home_dir: "/home/{{ evoadmin_username }}"
+evoadmin_document_root: "{{ evoadmin_home_dir }}/www"
+evoadmin_log_dir: "{{ evoadmin_home_dir }}/log"
+evoadmin_scripts_dir: /usr/share/scripts/evoadmin/
+evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
+evoadmin_username: evoadmin
+evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}"
+
+evoadmin_enable_vhost: True

evoadmin/files/evolinux.conf.diff

@@ -0,0 +1,12 @@
+--- evolinux.conf 2015-04-09 16:39:41.862242460 +0200
++++ evolinux.conf 2015-04-09 16:51:11.902241748 +0200
+@@ -23,7 +23,5 @@
+ # Allow RESUME (REST command)
+ AllowStoreRestart on
+ 
+-<Limit LOGIN>
+-    AllowGroup ftpusers
+-    DenyAll
+-</Limit>
++AuthOrder    mod_auth_file.c
++AuthUserFile /etc/proftpd/vpasswd

evoadmin/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+
+- name: reload apache2
+  service:
+    name: apache2
+    state: reloaded

evoadmin/tasks/config.yml

@@ -0,0 +1,17 @@
+---
+
+- name: "Create /etc/evolinux"
+  file:
+    dest: "/etc/evolinux"
+    recurse: yes
+    state: directory
+
+- name: Configure web-add config file
+  template:
+    src: web-add.conf.j2
+    dest: /etc/evolinux/web-add.conf
+
+- name: Configure web-add template file for mail
+  template:
+    src: web-mail.tpl.j2
+    dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl"

evoadmin/tasks/ftp.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Verify if proftpd has evolinux config file
+  stat:
+    path: /etc/proftpd/conf.d/z-evolinux.conf
+  register: proftpd_config
+
+- block:
+    - name: Patch ProFTPd config file
+      patch:
+        remote_src: no
+        src: evolinux.conf.diff
+        dest: /etc/proftpd/conf.d/z-evolinux.conf
+    # Why 440? Because should be edited with ftpasswd.
+    # So, readonly when opened with vim.
+    # Then readable by group.
+    - name: Create /etc/proftpd/vpasswd file in 0440 mode
+      file:
+        state: touch
+        path: /etc/proftpd/vpasswd
+        mode: "0440"
+        owner: root
+        group: root
+  when: proftpd_config.stat.exists

evoadmin/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- include: packages.yml
+
+- include: user.yml
+
+- include: config.yml
+
+- include: ssl.yml
+
+- include: web.yml
+
+- include: ftp.yml

evoadmin/tasks/packages.yml

@@ -0,0 +1,17 @@
+---
+
+- include_role:
+    name: apt-repositories
+    tasks_from: evolix_public.yml
+
+- meta: flush_handlers
+
+- name: Install PHP packages
+  apt:
+    name: '{{ item }}'
+    state: present
+    allow_unauthenticated: yes
+  with_items:
+  - php-pear
+  - php-log
+  - php5-pam

evoadmin/tasks/ssl.yml

@@ -0,0 +1,24 @@
+---
+
+
+- name: ssl-cert package is installed
+  apt:
+    name: ssl-cert
+    state: present
+
+- name: Create private key and csr for default site ({{ ansible_fqdn }})
+  command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "{{ evoadmin_ssl_subject }}"
+  args:
+    creates: "/etc/ssl/private/{{ evoadmin_host }}.key"
+
+- name: Adjust rights on private key
+  file:
+    path: /etc/ssl/private/{{ evoadmin_host }}.key
+    owner: root
+    group: ssl-cert
+    mode: "0640"
+
+- name: Create certificate for default site
+  command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt
+  args:
+    creates: "/etc/ssl/certs/{{ evoadmin_host }}.crt"

evoadmin/tasks/user.yml

@@ -0,0 +1,60 @@
+---
+
+- name: Create evoadmin account
+  user:
+    name: evoadmin
+    comment: "Evoadmin Web Account"
+    home: "{{ evoadmin_home_dir}}"
+    password: "!"
+
+- name: Create www-evoadmin group
+  group:
+    name: www-evoadmin
+    state: present
+
+- name: Install Git
+  apt:
+    name: git
+    state: present
+
+- name: Clone evoadmin repository
+  git:
+    repo: https://forge.evolix.org/evoadmin-web.git
+    dest: "{{ evoadmin_document_root}}"
+    update: no
+  # Warning: Need sudo!
+  become_user: "{{ evoadmin_username }}"
+
+- name: "Create {{ evoadmin_scripts_dir }}"
+  file:
+    dest: "{{ evoadmin_scripts_dir }}"
+    # recurse: yes
+    mode: "0700"
+    state: directory
+
+- name: Install scripts like web-add.sh
+  shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/"
+  args:
+    creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
+
+# we use a shell command to have a "changed" thet really reflects the result.
+- name: Fix permissions
+  shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
+  register: command_result
+  changed_when: "'changed' in command_result.stdout"
+  # failed_when: False
+  with_items:
+  - "{{ evoadmin_home_dir}}/www"
+
+- name: Add www-evoadmin to group shadow
+  user:
+    name: www-evoadmin
+    groups: shadow
+    append: yes
+
+- name: Add evoadmin sudoers file
+  template:
+    src: sudoers.j2
+    dest: /etc/sudoers.d/evoadmin
+    mode: "0600"
+    validate: "visudo -cf %s"

evoadmin/tasks/web.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+  ini_file:
+    dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+    section: PHP
+    option: "disable_functions"
+    value: "shell-exec,system,passthru,putenv,popen"
+  notify: reload apache
+
+
+- name: Install evoadmin VHost
+  template:
+    src: evoadmin.conf.j2
+    dest: /etc/apache2/sites-available/evoadmin.conf
+  notify: reload apache2
+
+- name: Enable evoadmin vhost
+  command: "a2ensite evoadmin.conf"
+  register: cmd_a2ensite
+  changed_when: "'Enabling site' in cmd_a2ensite.stdout"
+  notify: reload apache2
+  when: evoadmin_enable_vhost
+
+- name: Disable evoadmin vhost
+  command: "a2dissite evoadmin.conf"
+  register: cmd_a2dissite
+  changed_when: "'Disabling site' in cmd_a2dissite.stdout"
+  notify: reload apache2
+  when: not evoadmin_enable_vhost
+
+- name: Copy config file for evoadmin
+  template:
+    src: config.local.php.j2
+    dest: "{{ evoadmin_document_root}}/conf/config.local.php"
+    mode: "0644"
+    force: no
+
+- name: add www-evoadmin to shadow group
+  user:
+    name: www-evoadmin
+    groups: shadow

evoadmin/templates/config.local.php.j2

@@ -0,0 +1,8 @@
+<?php
+
+$localconf['admin']['mail'] = '{{ evoadmin_contact_email or general_alert_email | mandatory }}';
+$localconf['debug'] = FALSE;
+// Add local users that should be superadmin
+$localconf['superadmin'] = array();
+$localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
+$localconf['cluster'] = FALSE;

evoadmin/templates/evoadmin.conf.j2

@@ -0,0 +1,59 @@
+<VirtualHost *:80>
+    ServerName {{ evoadmin_host }}
+    Redirect permanent / https://{{ evoadmin_host }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+
+    # FQDN principal
+    ServerName {{ evoadmin_host }}
+    #ServerAlias {{ evoadmin_host }}
+
+    # Repertoire principal
+    DocumentRoot {{ evoadmin_document_root }}/htdocs/
+
+    # SSL
+    SSLEngine on
+    SSLCertificateFile    /etc/ssl/certs/{{ evoadmin_host }}.crt
+    SSLCertificateKeyFile /etc/ssl/private/{{ evoadmin_host }}.key
+    SSLProtocol all -SSLv2 -SSLv3
+
+    # Propriete du repertoire
+    <Directory {{ evoadmin_document_root }}/htdocs/>
+        #Options Indexes SymLinksIfOwnerMatch
+        Options SymLinksIfOwnerMatch
+        AllowOverride AuthConfig Limit FileInfo
+        Require all granted
+    </Directory>
+
+    # user - group (thanks to sesse@debian.org)
+    AssignUserID www-evoadmin evoadmin
+
+    # LOG
+    CustomLog /var/log/apache2/access.log combined
+    CustomLog {{ evoadmin_log_dir }}/access.log combined
+    ErrorLog  {{ evoadmin_log_dir }}/error.log
+
+    # AWSTATS
+    SetEnv AWSTATS_FORCE_CONFIG evoadmin
+
+    # REWRITE
+    UseCanonicalName On
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} !^{{ evoadmin_host }}$
+    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
+
+    # PHP
+    #php_admin_flag engine off
+    #AddType text/html .html
+    #php_admin_flag display_errors On
+    #php_flag short_open_tag On
+    #php_flag register_globals On
+    #php_admin_value memory_limit 256M
+    #php_admin_value max_execution_time 60
+    #php_admin_value upload_max_filesize 8M
+    #php_admin_flag allow_url_fopen Off
+    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin"
+    php_admin_value error_log "{{ evoadmin_home_dir }}/log/php.log"
+    php_admin_value open_basedir "none"
+</VirtualHost>

evoadmin/templates/sudoers.j2

@@ -0,0 +1,3 @@
+User_Alias EVOADMIN = www-evoadmin
+Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
+EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB

evoadmin/templates/web-add.conf.j2

@@ -0,0 +1,2 @@
+CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
+WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"

evoadmin/templates/web-mail.tpl.j2

@@ -0,0 +1,86 @@
+From: %MAIL_FROM%
+To: RCPTTO
+Bcc: %MAIL_BCC%
+Subject: Parametres hebergement web : LOGIN
+
+Bonjour,
+
+Votre compte d'hebergement web a ete cree.
+
+**********************************
+* CONNEXION SFTP/SSH
+**********************************
+
+NOM DU SERVEUR : %SERVER_NAME%
+USER : LOGIN
+PASSWORD : PASSE1
+
+*****************************************
+* Details sur l'environnement Apache/PHP
+*****************************************
+
+URL du site :
+http://SERVERNAME
+
+URL des stats :
+http://SERVERNAME/cgi-RANDOM/awstats.pl
+(acces par IP ou login a demander !)
+
+Repertoire de connexion : HOME_DIR/LOGIN/
+Repertoire pour site web : HOME_DIR/LOGIN/www/
+
+Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
+uniquement *en lecture* aux differents fichiers/repertoires
+(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
+fichiers ce qui est le comportement par defaut).
+
+Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
+fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
+
+***********************************
+* MySQL
+***********************************
+
+SERVEUR : 127.0.0.1
+PORT DU SERVEUR : 3306
+USER : LOGIN
+PASSWORD : PASSE2
+NOM BASE : DBNAME
+URL interface d'admin :
+%PMA_URL%
+
+***********************************
+* Rappels divers
+***********************************
+
+Votre nom de domaine doit etre configure pour pointer
+sur l'adresse IP %SERVER_ADDR% (enregistrement DNS A)
+ou etre un alias de %SERVER_NAME% (enregistrement DNS CNAME).
+
+Si vous avez besoin de faire des tests, vous devez
+ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
+ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
+%SERVER_ADDR% SERVERNAME
+
+Attention, par defaut, toutes les connexions vers l'exterieur
+sont bloquees. Si vous avez besoin de recuperer des donnees
+a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
+afin de mettre en oeuvre les autorisations necessaires.
+
+Afin de securiser au maximum le serveur, certaines URL
+particulieres sont non autorisees pour eviter diverses
+attaques (XSS, robots, trojans, injections, etc.).
+Exemple d'URL refusee :
+http://SERVERNAME/cmd32.exe
+En cas de soucis avec votre application, prevenez-nous.
+
+Si vous desirez mettre en place des parametres particuliers
+pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab, 
+etc.), n'hesitez pas a nous contacter a l'adresse
+%MAIL_STANDARD% (ou %MAIL_URGENT% si votre demande est
+urgente).
+
+
+Cordialement,
+-- 
+%FOOTER%

evolinux-base/tasks/default_www.yml

@@ -92,7 +92,7 @@
   - name: Apache vhost is installed
     template:
       src: default_www/apache_default_site.j2
-      dest: /etc/apache2/sites-available/000-default
+      dest: /etc/apache2/sites-available/000-default.conf
       mode: "0640"
       # force: yes
     notify: reload apache
@@ -101,8 +101,8 @@
 
   - name: Apache vhost is enabled
     file:
-      src: /etc/apache2/sites-available/000-default
-      dest: /etc/apache2/sites-enabled/000-default
+      src: /etc/apache2/sites-available/000-default.conf
+      dest: /etc/apache2/sites-enabled/000-default.conf
       state: link
     notify: reload apache
     when: evolinux_default_www_apache_enabled

evolinux-base/tasks/logs.yml

@@ -27,7 +27,7 @@
 - name: Configure logrotate.conf
   replace:
     dest: /etc/logrotate.conf
-    regexp: "rotate [0-9]*"
+    regexp: "rotate [0-9]+"
     replace: "rotate 12"
   when: evolinux_logs_default_rotate
 

packweb-apache/README.md

@@ -0,0 +1,15 @@
+# packweb-apache
+
+Install the web pack, with Apache.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file for now.
+
+## Available variables
+
+Main variables are :
+
+* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.

packweb-apache/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+# defaults file for packweb-apache
+general_alert_email: "root@localhost"
+log2mail_alert_email: Null
+packweb_enable_evoadmin_vhost: True

packweb-apache/files/evolinux-evasive.conf

@@ -0,0 +1,8 @@
+<IfModule mod_evasive20.c>
+DOSHashTableSize    3097
+DOSPageCount        5
+DOSSiteCount        30
+DOSPageInterval     3
+DOSSiteInterval     1
+DOSBlockingPeriod   60
+</IfModule>

packweb-apache/files/evolinux-itk.conf

@@ -0,0 +1,10 @@
+<IfModule mpm_itk_module>
+StartServers        50
+MinSpareServers     20
+MaxSpareServers     30
+ServerLimit         250
+MaxClients          250
+MaxRequestsPerChild 0
+LimitUIDRange       0 6000
+LimitGIDRange       0 6000
+</IfModule>

packweb-apache/files/evolinux-modsec.conf

@@ -0,0 +1,48 @@
+<IfModule mod_security2.c>
+
+# enable mod_security
+SecRuleEngine On
+# access to request bodies
+SecRequestBodyAccess On
+#SecRequestBodyLimit 134217728
+#SecRequestBodyInMemoryLimit 131072
+# access to response bodies
+SecResponseBodyAccess Off
+#SecResponseBodyLimit 524288
+SecResponseBodyMimeType (null) text/html text/plain text/xml
+#SecServerSignature "Apache/2.2.0 (Fedora)"
+
+SecUploadDir /tmp
+SecUploadKeepFiles Off
+
+# default action
+SecDefaultAction "log,auditlog,deny,status:406,phase:2"
+
+SecAuditEngine RelevantOnly
+#SecAuditLogRelevantStatus "^[45]"
+# use only one log file
+SecAuditLogType Serial
+# audit log file
+SecAuditLog /var/log/apache2/modsec_audit.log
+# what is logged
+SecAuditLogParts "ABIFHZ"
+
+#SecArgumentSeparator "&"
+SecCookieFormat 0
+SecDebugLog /var/log/apache2/modsec_debug.log
+SecDebugLogLevel        0
+
+SecDataDir /tmp
+SecTmpDir /tmp
+
+#########
+# RULES
+#########
+
+# File name
+SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
+# Complete URI
+SecRule REQUEST_URI "modsecuritytest2" "id:2"
+SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
+
+</IfModule>

packweb-apache/files/userlogrotate

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+DATE=`/bin/date +"%d-%m-%Y"`
+HOMEPREFIX="/home"
+
+rotate () {
+  mv $1 $1.$DATE
+  gzip $1.$DATE
+  touch $1
+  chown $2 $1
+  chmod g+r $1
+}
+
+user_for() {
+  homedir=`echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#"`
+  stat -L -c '%G' $homedir
+}
+
+for log in access.log access-*.log error.log; do
+  for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do
+    USER=`user_for $i`
+    rotate $i root:$USER
+  done
+done
+
+for i in `ls -1 -d $HOMEPREFIX/*/log/php.log 2>/dev/null | grep -v \.bak\.`; do
+  USER=`user_for $i`
+  rotate $i www-$USER:$USER
+done
+
+for log in production.log delayed_job.log development.log test.log; do
+  for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do
+    USER=`user_for $i`
+    rotate $i $USER:$USER
+  done
+done
+
+apache2ctl restart > /dev/null

packweb-apache/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: restart apache
+  service:
+    name: apache2
+    state: restarted
+
+- name: reload apache
+  service:
+    name: apache2
+    state: reloaded

packweb-apache/tasks/apache.yml

@@ -0,0 +1,67 @@
+---
+
+- name: Check if Apache envvars have a PATH
+  command: "grep -E '^export PATH ' /etc/apache2/envvars"
+  failed_when: False
+  changed_when: False
+  register: envvar_grep_path
+  check_mode: no
+
+- name: Add a PATH envvar for Apache
+  blockinfile:
+    dest: /etc/apache2/envvars
+    marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH"
+    block: |
+      # Used for Evoadmin-web
+      export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  when: envvar_grep_path.rc != 0
+
+- name: Additional packages are installed
+  apt:
+    name: '{{ item }}'
+    state: present
+  with_items:
+  - apache2-mpm-itk
+  - libapache2-mod-evasive
+  - libapache2-mod-security2
+
+- name: Copy Apache settings for modules
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/apache2/conf-available/{{ item }}"
+    owner: root
+    group: root
+    mode: "0644"
+    force: no
+  with_items:
+  - evolinux-itk.conf
+  - evolinux-evasive.conf
+  - evolinux-modsec.conf
+
+- name: Ensure Apache modules configs are enabled
+  command: "a2enconf {{ item }}"
+  register: command_result
+  changed_when: "'Enabling' in command_result.stderr"
+  with_items:
+  - evolinux-itk
+  - evolinux-evasive
+  - evolinux-modsec
+
+- name: Check if log2mail is installed
+  command: "apt list --installed log2mail"
+  register: command_result
+  changed_when: False
+
+- debug:
+    var: command_result
+    verbosity: 1
+
+- name: Add log2mail config for Apache segfaults
+  template:
+    src: log2mail-apache.j2
+    dest: "/etc/log2mail/config/apache"
+    owner: root
+    group: root
+    mode: "0644"
+    force: no
+  when: "'log2mail' in command_result.stdout"

packweb-apache/tasks/awstats.yml

@@ -0,0 +1,48 @@
+---
+- name: Install awstats
+  apt:
+    name: awstats
+    state: present
+
+- name: Configure awstats
+  blockinfile:
+    dest: /etc/awstats/awstats.conf.local
+    marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB"
+    block: |
+      LogFile="/var/log/apache2/access.log"
+      SiteDomain="{{ ansible_hostname }}"
+      DirData="/var/lib/awstats"
+      ShowHostsStats=0
+      ShowOriginStats=0
+      ShowPagesStats=0
+      ShowKeyphrasesStats=0
+      ShowKeywordsStats=0
+      ShowHTTPErrorsStats=0
+      LogFormat=1
+      AllowFullYearView=3
+      ErrorMessages="An error occured. Contact your Administrator"
+    mode: "0644"
+
+- name: Create conf-available/awstats-icon.conf file
+  copy:
+    dest: /etc/apache2/conf-available/awstats-icon.conf
+    content: |
+      Alias /awstats-icon/ /usr/share/awstats/icon/
+      <Directory /usr/share/awstats/icon/>
+        Require all granted
+      </Directory>
+    force: no
+    mode: "0644"
+
+- name: Enable apache awstats-icon configuration
+  command: "a2enconf awstats-icon"
+  register: command_result
+  changed_when: "'Enabling' in command_result.stderr"
+  notify: reload apache
+
+- name: Create awstats cron
+  lineinfile:
+    dest: /etc/cron.d/awstats
+    create: yes
+    regexp: '-config=awstats'
+    line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null"

packweb-apache/tasks/main.yml

@@ -0,0 +1,123 @@
+---
+
+- name: Include apache role
+  include_role:
+    name: "apache"
+
+- name: Add elements to user account template
+  file:
+    path: "/etc/skel/{{ item.path }}"
+    state: "{{ item.state }}"
+    mode: "{{ item.mode }}"
+  with_items:
+  - { path: log, mode: "0750", state: directory }
+  - { path: awstats, mode: "0750", state: directory }
+  - { path: www, mode: "0750", state: directory }
+
+- name: Copy apache empty log files if missing
+  copy:
+    src: "log/{{ item }}"
+    dest: "/etc/skel/log/{{ item }}"
+    mode: "0644"
+    force: no
+  with_items:
+  - access.log
+  - error.log
+
+- name: Install userlogrotate
+  copy:
+    src: userlogrotate
+    dest: /etc/cron.weekly/userlogrotate
+    mode: "0755"
+
+- name: Force DIR_MODE to 0750 in /etc/adduser.conf
+  lineinfile:
+    dest: /etc/adduser.conf
+    regexp: '^DIR_MODE='
+    line: 'DIR_MODE=0750'
+
+- include: apache.yml
+
+- include: php.yml
+
+- include: phpmyadmin.yml
+
+- include: awstats.yml
+
+- name: Remove read permission on some folders (/, /etc, ...)
+  shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}"
+  register: command_result
+  changed_when: "'changed' in command_result.stdout"
+  failed_when: False
+  with_items:
+  - /
+  - /etc
+  - /usr
+  - /usr/bin
+  - /var
+  - /var/log
+  - /home
+  - /bin
+  - /sbin
+  - /lib
+  - /usr/lib
+  - /usr/include
+  - /usr/bin
+  - /usr/sbin
+  - /usr/share
+  - /usr/share/doc
+  - /etc/default
+
+- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...)
+  shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}"
+  register: command_result
+  changed_when: "'changed' in command_result.stdout"
+  failed_when: False
+  with_items:
+  - /var/log/apt
+  - /var/lib/dpkg
+  - /var/log/munin
+  - /var/backups
+  - /var/cache/apt
+  - /etc/init.d
+  - /etc/apt
+  - /etc/apache2
+  - /etc/network
+  - /etc/phpmyadmin
+  - /var/log/installer
+
+- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
+  shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
+  register: command_result
+  changed_when: "'changed' in command_result.stdout"
+  failed_when: False
+  with_items:
+  - /bin/ping
+  - /bin/ping6
+  - /usr/bin/fping
+  - /usr/bin/fping6
+  - /usr/bin/mtr
+
+- name: Set 640 permission on some files (/var/log/evolix.log, ...)
+  shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}"
+  register: command_result
+  changed_when: "'changed' in command_result.stdout"
+  failed_when: False
+  with_items:
+  - /var/log/evolix.log
+  - /etc/warnquota.conf
+
+- name: Remove some log files (/var/log/mail.err, ...)
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+  - /var/log/debug
+  - /var/log/mail.err
+  - /var/log/mail.warn
+
+- name: Install Evoadmin
+  include_role:
+    name: evoadmin
+  vars:
+    evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"

packweb-apache/tasks/php.yml

@@ -0,0 +1,64 @@
+---
+
+- name: Install PHP5 packages
+  apt:
+    name: '{{ item }}'
+    state: present
+  with_items:
+  - libapache2-mod-php5
+  - php5
+  - php5-gd
+  - php5-imap
+  - php5-ldap
+  - php5-mcrypt
+  - php5-mysql
+  - php5-pgsql
+  - php-gettext
+  - php5-curl
+  - libssh2-php
+  tags:
+  - apache
+
+- name: Set variables for php config files
+  set_fact:
+    php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+    php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
+
+- name: Set default values for PHP
+  ini_file:
+    dest: "{{ php5_apache5_defaults_file }}"
+    section: PHP
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    mode: "0644"
+    create: yes
+  with_items:
+  - { option: "short_open_tag", value: "Off" }
+  - { option: "expose_php", value: "Off" }
+  - { option: "display_errors", value: "Off" }
+  - { option: "log_errors", value: "On" }
+  - { option: "allow_url_fopen", value: "Off" }
+  notify: reload apache
+
+- name: Disable PHP exec function without evoadmin
+  ini_file:
+    dest: "{{ php5_apache5_defaults_file }}"
+    section: PHP
+    option: disable_functions
+    value: "exec,shell-exec,system,passthru,putenv,popen"
+  when: not packweb_enable_evoadmin_vhost
+
+- name: Don't disable PHP exec function with evoadmin
+  ini_file:
+    dest: "{{ php5_apache5_defaults_file }}"
+    section: PHP
+    option: disable_functions
+    value: "shell-exec,system,passthru,putenv,popen"
+  when: packweb_enable_evoadmin_vhost
+
+- name: Custom php.ini
+  copy:
+    dest: "{{ php5_apache5_custom_file }}"
+    content: |
+      # Put customized values here.
+    force: no

packweb-apache/tasks/phpmyadmin.yml

@@ -0,0 +1,26 @@
+---
+
+- name: Install phpmyadmin
+  apt:
+    name: phpmyadmin
+    state: present
+
+- name: Check if phpmyadmin default configuration is present
+  stat:
+    path: /etc/apache2/conf-enabled/phpmyadmin.conf
+  register: pma_default_config
+
+- debug:
+    var: pma_default_config
+    verbosity: 1
+
+- name: Disable phpmyadmin default configuration
+  command: "a2disconf phpmyadmin"
+  register: command_result
+  changed_when: "'Disabling' in command_result.stderr"
+  when: pma_default_config.stat.exists
+
+- name: Change group to www-data for /etc/phpmyadmin/
+  file:
+    dest: /etc/phpmyadmin/
+    group: www-data

packweb-apache/tasks/web-add.yml

@@ -0,0 +1,3 @@
+---
+
+# TODO: ...

packweb-apache/templates/log2mail-apache.j2

@@ -0,0 +1,4 @@
+file = /var/log/apache2/error.log
+pattern = "Segmentation fault"
+mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
+template = /etc/log2mail/mail