Merge branch 'packweb-apache' into unstable
This commit is contained in:
commit
39dc5ddc6c
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,2 +1,3 @@
.kitchen/
.kateproject.d
.vagrant/
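--- a/apache/files/evolinux-ssl.conf
+++ b/apache/files/evolinux-ssl.conf
@@ -0,0 +1,11 @@
+# Strong security.
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLProtocol All -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)
+SSLSessionCacheTimeout 600
+
+# Stapling not activated by default. Need config.
+#SSLUseStapling on
+#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling-cache(150000)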
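Review bot: `SSLProtocol All -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled, which does not match the "Strong security." header comment on the first line; `SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` would, and the same `SSLProtocol` line is repeated in evoadmin/templates/evoadmin.conf.j2 where it would need the same change. `SSLSessionCache shmcb:/var/log/apache2/ssl_gcache_data(512000)` puts the TLS session cache under the log directory; the commented stapling line a few lines below already uses `${APACHE_RUN_DIR}`, so `SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_gcache_data(512000)` keeps runtime state out of the log tree and consistent with the stapling cache.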
@ -3,13 +3,35 @@
name: '{{ item }}'
state: present
with_items:
- apache2-mpm-itk
- apache2
- apache2-mpm-prefork
- apachetop
- libapache2-mod-evasive
- libwww-perl
tags:
- apache
- name: manually disable mpm_event
command: a2dismod mpm_event
register: cmd_disable_event
changed_when: "'Module mpm_event already disabled' not in cmd_disable_event.stdout"
- name: manually enable mpm_prefork
command: a2enmod mpm_prefork
register: cmd_disable_prefork
changed_when: "'Module mpm_prefork already enabled' not in cmd_disable_prefork.stdout"
# With Ansible 2.2 the module check the config for conflicts
# With 2.3 it can be disabled.
# https://docs.ansible.com/ansible/apache2_module_module.html
# - name: mpm_event modules is disabled
# apache2_module:
# name: '{{ item }}'
# state: absent
# with_items:
# - mpm_event
# tags:
# - apache
- name: basic modules are enabled
apache2_module:
name: '{{ item }}'
@ -18,8 +40,8 @@
- rewrite
- expires
- headers
- rewrite
- cgi
- ssl
tags:
- apache
@ -45,6 +67,17 @@
tags:
- apache
- name: Copy Apache SSL (strong security) config file
copy:
src: evolinux-ssl.conf
dest: "/etc/apache2/conf-available/evolinux-ssl.conf"
owner: root
group: root
mode: "0644"
force: no
tags:
- apache
- name: Ensure Apache config files are enabled
command: "a2enconf {{ item }}"
register: command_result
@ -52,6 +85,7 @@
with_items:
- z-evolinux-defaults.conf
- zzz-evolinux-custom.conf
- evolinux-ssl.conf
tags:
- apache
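--- a/evoadmin/defaults/main.yml
+++ b/evoadmin/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+general_alert_email: "root@localhost"
+evoadmin_contact_email: Null
+evoadmin_bounce_email: "{{ evoadmin_contact_email }}"
+
+evoadmin_home_dir: "/home/{{ evoadmin_username }}"
+evoadmin_document_root: "{{ evoadmin_home_dir }}/www"
+evoadmin_log_dir: "{{ evoadmin_home_dir }}/log"
+evoadmin_scripts_dir: /usr/share/scripts/evoadmin/
+evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
+evoadmin_username: evoadmin
+evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}"
+
+evoadmin_enable_vhost: True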
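Review bot: `evoadmin_contact_email: Null` and `evoadmin_enable_vhost: True` use capitalised YAML 1.1 spellings; `null` and `true` are the canonical forms and the ones yamllint accepts, and the same two spellings appear in packweb-apache/defaults/main.yml (`log2mail_alert_email: Null`, `packweb_enable_evoadmin_vhost: True`). `evoadmin_username: evoadmin` is offered as a variable, but tasks/user.yml creates the account with a literal `name: evoadmin`, so overriding the variable changes the home directory path and the `become_user` without changing the account that is created; a comment such as `# must match the hard-coded account name in tasks/user.yml` would flag the coupling until the task uses the variable.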
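--- a/evoadmin/files/evolinux.conf.diff
+++ b/evoadmin/files/evolinux.conf.diff
@@ -0,0 +1,12 @@
+--- evolinux.conf 2015-04-09 16:39:41.862242460 +0200
++++ evolinux.conf 2015-04-09 16:51:11.902241748 +0200
+@@ -23,7 +23,5 @@
+# Allow RESUME (REST command)
+AllowStoreRestart on
+
+-<Limit LOGIN>
+- AllowGroup ftpusers
+- DenyAll
+-</Limit>
++AuthOrder mod_auth_file.c
++AuthUserFile /etc/proftpd/vpasswd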
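Review bot: The embedded patch drops the `<Limit LOGIN>` block, which allowed only members of `ftpusers` and denied everyone else, and replaces it with `AuthOrder mod_auth_file.c` plus `AuthUserFile /etc/proftpd/vpasswd`; the intended effect is presumably that only accounts in the virtual password file can log in and system accounts cannot, but nothing on the page states that, so a comment in the patched block such as `# Only vpasswd accounts may authenticate (AuthOrder); the ftpusers group check is no longer needed` would record the reasoning. The patch is pinned to one revision of the file (both headers carry 2015-04-09 timestamps); on a host whose `z-evolinux.conf` has since diverged, the `patch` task in tasks/ftp.yml will fail rather than apply, which is worth a note next to the task.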
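--- a/evoadmin/handlers/main.yml
+++ b/evoadmin/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: reload apache2
+service:
+name: apache2
+state: reloaded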
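--- a/evoadmin/tasks/config.yml
+++ b/evoadmin/tasks/config.yml
@@ -0,0 +1,17 @@
+---
+
+- name: "Create /etc/evolinux"
+file:
+dest: "/etc/evolinux"
+recurse: yes
+state: directory
+
+- name: Configure web-add config file
+template:
+src: web-add.conf.j2
+dest: /etc/evolinux/web-add.conf
+
+- name: Configure web-add template file for mail
+template:
+src: web-mail.tpl.j2
+dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl"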
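Review bot: `recurse: yes` on the `Create /etc/evolinux` task has nothing to propagate, because no `owner`, `group` or `mode` is set on the directory, so the line can be dropped (and `yes` would be `true` in any case). The two `template` tasks write `/etc/evolinux/web-add.conf` and `{{ evoadmin_scripts_dir }}/web-mail.tpl` with no `owner`/`group`/`mode`, so their permissions depend on the remote umask; `owner: root`, `group: root`, `mode: "0644"` makes the result deterministic, and the mail template is later read by root-run scripts (see templates/sudoers.j2), so it should not be writable by the web account.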
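--- a/evoadmin/tasks/ftp.yml
+++ b/evoadmin/tasks/ftp.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Verify if proftpd has evolinux config file
+stat:
+path: /etc/proftpd/conf.d/z-evolinux.conf
+register: proftpd_config
+
+- block:
+- name: Patch ProFTPd config file
+patch:
+remote_src: no
+src: evolinux.conf.diff
+dest: /etc/proftpd/conf.d/z-evolinux.conf
+# Why 440? Because should be edited with ftpasswd.
+# So, readonly when opened with vim.
+# Then readable by group.
+- name: Create /etc/proftpd/vpasswd file in 0440 mode
+file:
+state: touch
+path: /etc/proftpd/vpasswd
+mode: "0440"
+owner: root
+group: root
+when: proftpd_config.stat.exists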
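Review bot: `state: touch` on the `Create /etc/proftpd/vpasswd file in 0440 mode` task bumps the file's timestamps on every run, so the task (and therefore the play) reports `changed` even when nothing was altered; creating the file only when a preceding `stat` says it is absent, and keeping a separate `file` task with `state: file`, `mode: "0440"`, `owner: root`, `group: root` for the permissions, gives an idempotent result. The trailing `when: proftpd_config.stat.exists` applies to the whole `block`, which is easy to miss three levels up; a comment above `- block:` such as `# both tasks run only on hosts that already carry the evolinux proftpd config` would make the skip explicit.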
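--- a/evoadmin/tasks/main.yml
+++ b/evoadmin/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- include: packages.yml
+
+- include: user.yml
+
+- include: config.yml
+
+- include: ssl.yml
+
+- include: web.yml
+
+- include: ftp.yml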
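--- a/evoadmin/tasks/packages.yml
+++ b/evoadmin/tasks/packages.yml
@@ -0,0 +1,17 @@
+---
+
+- include_role:
+name: apt-repositories
+tasks_from: evolix_public.yml
+
+- meta: flush_handlers
+
+- name: Install PHP packages
+apt:
+name: '{{ item }}'
+state: present
+allow_unauthenticated: yes
+with_items:
+- php-pear
+- php-log
+- php5-pam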
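Review bot: `allow_unauthenticated: yes` on the `Install PHP packages` task turns off APT signature verification for `php-pear`, `php-log` and `php5-pam`, so a tampered mirror or a man-in-the-middle on the repository connection can deliver arbitrary packages that are installed as root. The preceding `include_role` of `apt-repositories` (`tasks_from: evolix_public.yml`) presumably installs the repository's signing key, in which case the flag is unnecessary and should be removed; if the key is missing, the fix belongs in that role rather than in bypassing verification here. `meta: flush_handlers` does not itself refresh the package index, so confirm the included role runs `apt update` or add `update_cache: yes` to this task.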
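--- a/evoadmin/tasks/ssl.yml
+++ b/evoadmin/tasks/ssl.yml
@@ -0,0 +1,24 @@
+---
+
+
+- name: ssl-cert package is installed
+apt:
+name: ssl-cert
+state: present
+
+- name: Create private key and csr for default site ({{ ansible_fqdn }})
+command: openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/{{ evoadmin_host }}.csr -batch -subj "{{ evoadmin_ssl_subject }}"
+args:
+creates: "/etc/ssl/private/{{ evoadmin_host }}.key"
+
+- name: Adjust rights on private key
+file:
+path: /etc/ssl/private/{{ evoadmin_host }}.key
+owner: root
+group: ssl-cert
+mode: "0640"
+
+- name: Create certificate for default site
+command: openssl x509 -req -days 3650 -sha256 -in /etc/ssl/{{ evoadmin_host }}.csr -signkey /etc/ssl/private/{{ evoadmin_host }}.key -out /etc/ssl/certs/{{ evoadmin_host }}.crt
+args:
+creates: "/etc/ssl/certs/{{ evoadmin_host }}.crt"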
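Review bot: The `openssl req` command writes the private key with whatever umask the remote session has, and the mode is only tightened afterwards by the `Adjust rights on private key` task, so a run interrupted between the two leaves the key at the umask-derived mode; the directory permissions of Debian's `/etc/ssl/private` presumably limit who can reach it, but prefixing the command with `umask 077 &&` (which means `shell:` instead of `command:`) removes the window entirely. `-days 3650` yields a ten-year self-signed certificate with no renewal path; a comment above the task such as `# self-signed, valid 10 years; replace with a CA-issued certificate where one is available` would document the choice for whoever later wonders why browsers warn.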
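--- a/evoadmin/tasks/user.yml
+++ b/evoadmin/tasks/user.yml
@@ -0,0 +1,60 @@
+---
+
+- name: Create evoadmin account
+user:
+name: evoadmin
+comment: "Evoadmin Web Account"
+home: "{{ evoadmin_home_dir}}"
+password: "!"
+
+- name: Create www-evoadmin group
+group:
+name: www-evoadmin
+state: present
+
+- name: Install Git
+apt:
+name: git
+state: present
+
+- name: Clone evoadmin repository
+git:
+repo: https://forge.evolix.org/evoadmin-web.git
+dest: "{{ evoadmin_document_root}}"
+update: no
+# Warning: Need sudo!
+become_user: "{{ evoadmin_username }}"
+
+- name: "Create {{ evoadmin_scripts_dir }}"
+file:
+dest: "{{ evoadmin_scripts_dir }}"
+# recurse: yes
+mode: "0700"
+state: directory
+
+- name: Install scripts like web-add.sh
+shell: "cp {{ evoadmin_document_root}}/scripts/* {{ evoadmin_scripts_dir }}/"
+args:
+creates: "{{ evoadmin_scripts_dir }}/web-add.sh"
+
+# we use a shell command to have a "changed" thet really reflects the result.
+- name: Fix permissions
+shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
+register: command_result
+changed_when: "'changed' in command_result.stdout"
+# failed_when: False
+with_items:
+- "{{ evoadmin_home_dir}}/www"
+
+- name: Add www-evoadmin to group shadow
+user:
+name: www-evoadmin
+groups: shadow
+append: yes
+
+- name: Add evoadmin sudoers file
+template:
+src: sudoers.j2
+dest: /etc/sudoers.d/evoadmin
+mode: "0600"
+validate: "visudo -cf %s"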
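Review bot: `Add www-evoadmin to group shadow` gives the account under which the evoadmin PHP code runs (`AssignUserID www-evoadmin evoadmin` in templates/evoadmin.conf.j2) read access to `/etc/shadow`, so any file-read or code-execution flaw in the web application exposes every local password hash; if this is needed for `php5-pam` (installed in tasks/packages.yml) to authenticate local users, say so with `# required by php5-pam to verify local passwords; keep the vhost restricted accordingly` and consider a privilege-separated helper instead of group membership. `become_user: "{{ evoadmin_username }}"` on the `git` task does nothing unless `become: true` is also set on the task or the play, which the `# Warning: Need sudo!` comment only hints at; adding `become: true` beside it makes the requirement explicit. The `Install scripts like web-add.sh` task copies files out of a checkout owned by `evoadmin` into the root-only scripts directory with the source's permissions; since templates/sudoers.j2 later lets the web account run `web-*.sh` from that directory as root, an explicit `chown root:root` / `chmod 0700` of the copied scripts (or a `copy` task with `owner`/`mode`) would close the loop.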
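--- a/evoadmin/tasks/web.yml
+++ b/evoadmin/tasks/web.yml
@@ -0,0 +1,42 @@
+---
+
+- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ini_file:
+dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+section: PHP
+option: "disable_functions"
+value: "shell-exec,system,passthru,putenv,popen"
+notify: reload apache
+
+
+- name: Install evoadmin VHost
+template:
+src: evoadmin.conf.j2
+dest: /etc/apache2/sites-available/evoadmin.conf
+notify: reload apache2
+
+- name: Enable evoadmin vhost
+command: "a2ensite evoadmin.conf"
+register: cmd_a2ensite
+changed_when: "'Enabling site' in cmd_a2ensite.stdout"
+notify: reload apache2
+when: evoadmin_enable_vhost
+
+- name: Disable evoadmin vhost
+command: "a2dissite evoadmin.conf"
+register: cmd_a2dissite
+changed_when: "'Disabling site' in cmd_a2dissite.stdout"
+notify: reload apache2
+when: not evoadmin_enable_vhost
+
+- name: Copy config file for evoadmin
+template:
+src: config.local.php.j2
+dest: "{{ evoadmin_document_root}}/conf/config.local.php"
+mode: "0644"
+force: no
+
+- name: add www-evoadmin to shadow group
+user:
+name: www-evoadmin
+groups: shadow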
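Review bot: `notify: reload apache` on the first task does not match any handler of this role — evoadmin/handlers/main.yml defines only `reload apache2`, which is the name every other task in this file uses — so the notification either errors out or never reloads the server after `disable_functions` changes. `value: "shell-exec,system,passthru,putenv,popen"` spells the PHP function `shell_exec` with a hyphen, so `shell_exec` stays enabled while the ini file looks hardened; the same string appears twice in packweb-apache/tasks/php.yml and needs the same fix. The final `add www-evoadmin to shadow group` task lacks `append: yes`, so unlike the identical task in tasks/user.yml it replaces the account's supplementary groups with exactly `shadow`; it looks like a leftover duplicate and can presumably be removed.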
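--- a/evoadmin/templates/config.local.php.j2
+++ b/evoadmin/templates/config.local.php.j2
@@ -0,0 +1,8 @@
+<?php
+
+$localconf['admin']['mail'] = '{{ evoadmin_contact_email or general_alert_email | mandatory }}';
+$localconf['debug'] = FALSE;
+// Add local users that should be superadmin
+$localconf['superadmin'] = array();
+$localconf['script_path'] = '{{ evoadmin_scripts_dir }}';
+$localconf['cluster'] = FALSE;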
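Review bot: In `{{ evoadmin_contact_email or general_alert_email | mandatory }}` the filter binds tighter than `or`, so `mandatory` only guards `general_alert_email` (which always has a default) and the expression never fails; `{{ (evoadmin_contact_email or general_alert_email) | mandatory }}` applies the check to the chosen value, and the same construct recurs in templates/web-add.conf.j2 and packweb-apache/templates/log2mail-apache.j2. The rendered address is placed inside a single-quoted PHP literal with no escaping, so a value containing `'` would produce a syntax error in `config.local.php`; both inputs are operator-controlled, so the exposure is low, but `| replace("'", "\\'")` on the expression keeps the file valid regardless.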
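--- a/evoadmin/templates/evoadmin.conf.j2
+++ b/evoadmin/templates/evoadmin.conf.j2
@@ -0,0 +1,59 @@
+<VirtualHost *:80>
+ServerName {{ evoadmin_host }}
+Redirect permanent / https://{{ evoadmin_host }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+
+# FQDN principal
+ServerName {{ evoadmin_host }}
+#ServerAlias {{ evoadmin_host }}
+
+# Repertoire principal
+DocumentRoot {{ evoadmin_document_root }}/htdocs/
+
+# SSL
+SSLEngine on
+SSLCertificateFile /etc/ssl/certs/{{ evoadmin_host }}.crt
+SSLCertificateKeyFile /etc/ssl/private/{{ evoadmin_host }}.key
+SSLProtocol all -SSLv2 -SSLv3
+
+# Propriete du repertoire
+<Directory {{ evoadmin_document_root }}/htdocs/>
+#Options Indexes SymLinksIfOwnerMatch
+Options SymLinksIfOwnerMatch
+AllowOverride AuthConfig Limit FileInfo
+Require all granted
+</Directory>
+
+# user - group (thanks to sesse@debian.org)
+AssignUserID www-evoadmin evoadmin
+
+# LOG
+CustomLog /var/log/apache2/access.log combined
+CustomLog {{ evoadmin_log_dir }}/access.log combined
+ErrorLog {{ evoadmin_log_dir }}/error.log
+
+# AWSTATS
+SetEnv AWSTATS_FORCE_CONFIG evoadmin
+
+# REWRITE
+UseCanonicalName On
+RewriteEngine On
+RewriteCond %{HTTP_HOST} !^{{ evoadmin_host }}$
+RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
+
+# PHP
+#php_admin_flag engine off
+#AddType text/html .html
+#php_admin_flag display_errors On
+#php_flag short_open_tag On
+#php_flag register_globals On
+#php_admin_value memory_limit 256M
+#php_admin_value max_execution_time 60
+#php_admin_value upload_max_filesize 8M
+#php_admin_flag allow_url_fopen Off
+php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin"
+php_admin_value error_log "{{ evoadmin_home_dir }}/log/php.log"
+php_admin_value open_basedir "none"
+</VirtualHost>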
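Review bot: `php_admin_value open_basedir "none"` lifts the open_basedir restriction for a vhost that runs as `www-evoadmin`, the account that tasks/user.yml also adds to the `shadow` group, so a path-traversal or file-include bug in the application can read anything that account can; if the scripts need paths outside the document root, enumerating them (`{{ evoadmin_document_root }}`, `{{ evoadmin_scripts_dir }}`, `{{ evoadmin_log_dir }}`, `/tmp`) is safer than `none`, and a comment stating why `none` was chosen is the minimum. `SSLProtocol all -SSLv2 -SSLv3` repeats the global directive from apache/files/evolinux-ssl.conf and still allows TLS 1.0/1.1; keeping the protocol policy in the global file only avoids the two drifting apart. `RewriteCond %{HTTP_HOST} !^{{ evoadmin_host }}$` uses the hostname as an unescaped regex, which happens to work because `.` also matches a dot, but `{{ evoadmin_host | regex_escape }}` states the intent.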
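--- a/evoadmin/templates/sudoers.j2
+++ b/evoadmin/templates/sudoers.j2
@@ -0,0 +1,3 @@
+User_Alias EVOADMIN = www-evoadmin
+Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh
+EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB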
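Review bot: `Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, ...` grants the web-server account passwordless root for every present and future script whose name matches `web-*.sh`, so the privilege boundary is defined by whatever lands in that directory rather than by this file; listing the scripts explicitly (tasks/user.yml names `web-add.sh`) keeps the grant reviewable. `evoadmin_scripts_dir` defaults to a value ending in `/` (defaults/main.yml), so the rendered command paths contain `//`; whether sudo's path matching treats that as equal to the single-slash path the application invokes is not something I would rely on, and `{{ evoadmin_scripts_dir | mandatory | regex_replace('/$', '') }}` removes the doubt. Since these scripts execute as root on input that arrives through the web application, a comment here such as `# scripts below run as root on web-supplied arguments; they must validate their inputs and live in a root-owned, non-writable directory` would tell the next maintainer what the hardening depends on.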
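--- a/evoadmin/templates/web-add.conf.j2
+++ b/evoadmin/templates/web-add.conf.j2
@@ -0,0 +1,2 @@
+CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
+WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"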
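--- a/evoadmin/templates/web-mail.tpl.j2
+++ b/evoadmin/templates/web-mail.tpl.j2
@@ -0,0 +1,86 @@
+From: %MAIL_FROM%
+To: RCPTTO
+Bcc: %MAIL_BCC%
+Subject: Parametres hebergement web : LOGIN
+
+Bonjour,
+
+Votre compte d'hebergement web a ete cree.
+
+**********************************
+* CONNEXION SFTP/SSH
+**********************************
+
+NOM DU SERVEUR : %SERVER_NAME%
+USER : LOGIN
+PASSWORD : PASSE1
+
+*****************************************
+* Details sur l'environnement Apache/PHP
+*****************************************
+
+URL du site :
+http://SERVERNAME
+
+URL des stats :
+http://SERVERNAME/cgi-RANDOM/awstats.pl
+(acces par IP ou login a demander !)
+
+Repertoire de connexion : HOME_DIR/LOGIN/
+Repertoire pour site web : HOME_DIR/LOGIN/www/
+
+Apache/PHP tourne en www-LOGIN:LOGIN c'est-a-dire qu'il a acces
+uniquement *en lecture* aux differents fichiers/repertoires
+(a condition d'avoir 'g=rx' sur les repertoires et 'g=r' sur les
+fichiers ce qui est le comportement par defaut).
+
+Lorsqu'on a besoin d'autoriser *l'ecriture* pour certains
+fichiers/repertoires, il suffit d'ajouter le droit 'g+w'.
+
+***********************************
+* MySQL
+***********************************
+
+SERVEUR : 127.0.0.1
+PORT DU SERVEUR : 3306
+USER : LOGIN
+PASSWORD : PASSE2
+NOM BASE : DBNAME
+URL interface d'admin :
+%PMA_URL%
+
+***********************************
+* Rappels divers
+***********************************
+
+Votre nom de domaine doit etre configure pour pointer
+sur l'adresse IP %SERVER_ADDR% (enregistrement DNS A)
+ou etre un alias de %SERVER_NAME% (enregistrement DNS CNAME).
+
+Si vous avez besoin de faire des tests, vous devez
+ajouter la ligne suivante au fichier "/etc/hosts" sous Linux/Unix
+ou au fichier "system32\drivers\etc\hosts" sous Windows NT/XP :
+%SERVER_ADDR% SERVERNAME
+
+Attention, par defaut, toutes les connexions vers l'exterieur
+sont bloquees. Si vous avez besoin de recuperer des donnees
+a l'exterieur (flux RSS, BDD externe, etc.), contactez nous
+afin de mettre en oeuvre les autorisations necessaires.
+
+Afin de securiser au maximum le serveur, certaines URL
+particulieres sont non autorisees pour eviter diverses
+attaques (XSS, robots, trojans, injections, etc.).
+Exemple d'URL refusee :
+http://SERVERNAME/cmd32.exe
+En cas de soucis avec votre application, prevenez-nous.
+
+Si vous desirez mettre en place des parametres particuliers
+pour votre site (PHP, etc.) ou pour tout autre demande (scripts en crontab,
+etc.), n'hesitez pas a nous contacter a l'adresse
+%MAIL_STANDARD% (ou %MAIL_URGENT% si votre demande est
+urgente).
+
+
+Cordialement,
+--
+%FOOTER%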
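Review bot: The template puts the SFTP/SSH password (`PASSWORD : PASSE1`) and the MySQL password (`PASSWORD : PASSE2`) in the body of a plain-text e-mail that is also `Bcc`'d to `%MAIL_BCC%`, so both credentials transit and are archived in cleartext in at least two mailboxes and any relay in between; the usual mitigation is to deliver the password over a separate channel (or a one-time retrieval link) and keep only the login name and host details in the mail. The `http://SERVERNAME` URLs are plain HTTP even though the role configures TLS for its own vhost; if customer sites are served over TLS as well, `https://` here avoids teaching users the insecure address.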
@ -92,7 +92,7 @@
- name: Apache vhost is installed
template:
src: default_www/apache_default_site.j2
dest: /etc/apache2/sites-available/000-default
dest: /etc/apache2/sites-available/000-default.conf
mode: "0640"
# force: yes
notify: reload apache
@ -101,8 +101,8 @@
- name: Apache vhost is enabled
file:
src: /etc/apache2/sites-available/000-default
dest: /etc/apache2/sites-enabled/000-default
src: /etc/apache2/sites-available/000-default.conf
dest: /etc/apache2/sites-enabled/000-default.conf
state: link
notify: reload apache
when: evolinux_default_www_apache_enabled
@ -27,7 +27,7 @@
- name: Configure logrotate.conf
replace:
dest: /etc/logrotate.conf
regexp: "rotate [0-9]*"
regexp: "rotate [0-9]+"
replace: "rotate 12"
when: evolinux_logs_default_rotate
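--- a/packweb-apache/README.md
+++ b/packweb-apache/README.md
@@ -0,0 +1,15 @@
+# packweb-apache
+
+Install the web pack, with Apache.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file for now.
+
+## Available variables
+
+Main variables are :
+
+* `log2mail_alert_email`: email address to send Log2mail messages to (default: `general_alert_email`).
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.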
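--- a/packweb-apache/defaults/main.yml
+++ b/packweb-apache/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# defaults file for packweb-apache
+general_alert_email: "root@localhost"
+log2mail_alert_email: Null
+packweb_enable_evoadmin_vhost: True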
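--- a/packweb-apache/files/evolinux-evasive.conf
+++ b/packweb-apache/files/evolinux-evasive.conf
@@ -0,0 +1,8 @@
+<IfModule mod_evasive20.c>
+DOSHashTableSize 3097
+DOSPageCount 5
+DOSSiteCount 30
+DOSPageInterval 3
+DOSSiteInterval 1
+DOSBlockingPeriod 60
+</IfModule>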
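--- a/packweb-apache/files/evolinux-itk.conf
+++ b/packweb-apache/files/evolinux-itk.conf
@@ -0,0 +1,10 @@
+<IfModule mpm_itk_module>
+StartServers 50
+MinSpareServers 20
+MaxSpareServers 30
+ServerLimit 250
+MaxClients 250
+MaxRequestsPerChild 0
+LimitUIDRange 0 6000
+LimitGIDRange 0 6000
+</IfModule>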
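Review bot: `LimitUIDRange 0 6000` and `LimitGIDRange 0 6000` start at 0, so an `AssignUserID` in any vhost file may still select root or a system account — which is exactly the mistake these two directives exist to prevent; the lower bound should be the first regular UID/GID on these hosts (Debian's `UID_MIN` default is 1000), e.g. `LimitUIDRange 1000 6000` and `LimitGIDRange 1000 6000`, provided the `www-evoadmin`/`evoadmin` accounts created by evoadmin/tasks/user.yml fall in that range. `MaxClients` and `MaxRequestsPerChild` are the pre-2.4 spellings of `MaxRequestWorkers` and `MaxConnectionsPerChild`; both still work as aliases, but the current names avoid deprecation noise in the error log.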
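--- a/packweb-apache/files/evolinux-modsec.conf
+++ b/packweb-apache/files/evolinux-modsec.conf
@@ -0,0 +1,48 @@
+<IfModule mod_security2.c>
+
+# enable mod_security
+SecRuleEngine On
+# access to request bodies
+SecRequestBodyAccess On
+#SecRequestBodyLimit 134217728
+#SecRequestBodyInMemoryLimit 131072
+# access to response bodies
+SecResponseBodyAccess Off
+#SecResponseBodyLimit 524288
+SecResponseBodyMimeType (null) text/html text/plain text/xml
+#SecServerSignature "Apache/2.2.0 (Fedora)"
+
+SecUploadDir /tmp
+SecUploadKeepFiles Off
+
+# default action
+SecDefaultAction "log,auditlog,deny,status:406,phase:2"
+
+SecAuditEngine RelevantOnly
+#SecAuditLogRelevantStatus "^[45]"
+# use only one log file
+SecAuditLogType Serial
+# audit log file
+SecAuditLog /var/log/apache2/modsec_audit.log
+# what is logged
+SecAuditLogParts "ABIFHZ"
+
+#SecArgumentSeparator "&"
+SecCookieFormat 0
+SecDebugLog /var/log/apache2/modsec_debug.log
+SecDebugLogLevel 0
+
+SecDataDir /tmp
+SecTmpDir /tmp
+
+#########
+# RULES
+#########
+
+# File name
+SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"
+# Complete URI
+SecRule REQUEST_URI "modsecuritytest2" "id:2"
+SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp)\.exe" "id:3"
+
+</IfModule>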
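Review bot: `SecUploadDir /tmp`, `SecDataDir /tmp` and `SecTmpDir /tmp` point ModSecurity's upload spool and persistent collections at the shared world-writable directory, where any local account (including every mpm-itk vhost user) can read or pre-create the files the module writes; a dedicated directory such as `/var/cache/modsecurity`, owned by the Apache user with mode 0750 and created by the role before this config is enabled, is the documented recommendation. `SecRule REQUEST_FILENAME "modsecuritytest1" "id:1"` and the `id:2` rule are smoke tests that will also deny any production request containing those strings; if they are meant to stay, a comment such as `# smoke-test rules: a request for /modsecuritytest1 must return 406` explains their purpose to the next reader.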
0
packweb-apache/files/log/access.log
Normal file
0
packweb-apache/files/log/access.log
Normal file
0
packweb-apache/files/log/error.log
Normal file
0
packweb-apache/files/log/error.log
Normal file
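--- a/packweb-apache/files/userlogrotate
+++ b/packweb-apache/files/userlogrotate
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+DATE=`/bin/date +"%d-%m-%Y"`
+HOMEPREFIX="/home"
+
+rotate () {
+mv $1 $1.$DATE
+gzip $1.$DATE
+touch $1
+chown $2 $1
+chmod g+r $1
+}
+
+user_for() {
+homedir=`echo $1 | sed "s#\($HOMEPREFIX/\([^/]\+\)\).*#\1#"`
+stat -L -c '%G' $homedir
+}
+
+for log in access.log access-*.log error.log; do
+for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do
+USER=`user_for $i`
+rotate $i root:$USER
+done
+done
+
+for i in `ls -1 -d $HOMEPREFIX/*/log/php.log 2>/dev/null | grep -v \.bak\.`; do
+USER=`user_for $i`
+rotate $i www-$USER:$USER
+done
+
+for log in production.log delayed_job.log development.log test.log; do
+for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do
+USER=`user_for $i`
+rotate $i $USER:$USER
+done
+done
+
+apache2ctl restart > /dev/null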
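Review bot: The script runs as root from `/etc/cron.weekly` over files inside user-writable home directories, yet `rotate` applies `mv`, `gzip`, `touch`, `chown` and `chmod` to `$1` unquoted and `user_for` resolves the owner with `stat -L`, which follows symlinks; a log entry that a user has turned into a symlink, or a path containing whitespace, is therefore handled as whatever it points to, with root privileges. A safer shape is to enumerate candidates with `find "$HOMEPREFIX" -mindepth 3 -maxdepth 3 -type f ! -name '*.bak.*'` (restricted to the `log/` and `www/.../log/` patterns the current globs cover), skip anything for which `[ -L "$i" ]` is true, quote every expansion, and start the script with `set -u`. `apache2ctl restart` at the end is a full restart that drops in-flight requests once a week; `apache2ctl graceful` reopens the rotated logs without that cost.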
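--- a/packweb-apache/handlers/main.yml
+++ b/packweb-apache/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: restart apache
+service:
+name: apache2
+state: restarted
+
+- name: reload apache
+service:
+name: apache2
+state: reloaded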
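--- a/packweb-apache/tasks/apache.yml
+++ b/packweb-apache/tasks/apache.yml
@@ -0,0 +1,67 @@
+---
+
+- name: Check if Apache envvars have a PATH
+command: "grep -E '^export PATH ' /etc/apache2/envvars"
+failed_when: False
+changed_when: False
+register: envvar_grep_path
+check_mode: no
+
+- name: Add a PATH envvar for Apache
+blockinfile:
+dest: /etc/apache2/envvars
+marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH"
+block: |
+# Used for Evoadmin-web
+export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+when: envvar_grep_path.rc != 0
+
+- name: Additional packages are installed
+apt:
+name: '{{ item }}'
+state: present
+with_items:
+- apache2-mpm-itk
+- libapache2-mod-evasive
+- libapache2-mod-security2
+
+- name: Copy Apache settings for modules
+copy:
+src: "{{ item }}"
+dest: "/etc/apache2/conf-available/{{ item }}"
+owner: root
+group: root
+mode: "0644"
+force: no
+with_items:
+- evolinux-itk.conf
+- evolinux-evasive.conf
+- evolinux-modsec.conf
+
+- name: Ensure Apache modules configs are enabled
+command: "a2enconf {{ item }}"
+register: command_result
+changed_when: "'Enabling' in command_result.stderr"
+with_items:
+- evolinux-itk
+- evolinux-evasive
+- evolinux-modsec
+
+- name: Check if log2mail is installed
+command: "apt list --installed log2mail"
+register: command_result
+changed_when: False
+
+- debug:
+var: command_result
+verbosity: 1
+
+- name: Add log2mail config for Apache segfaults
+template:
+src: log2mail-apache.j2
+dest: "/etc/log2mail/config/apache"
+owner: root
+group: root
+mode: "0644"
+force: no
+when: "'log2mail' in command_result.stdout"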
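Review bot: `Check if log2mail is installed` shells out to `apt list --installed log2mail`, whose output apt itself warns is not a stable interface for scripts, and `'log2mail' in command_result.stdout` would also match an unrelated package whose name contains that string; `dpkg-query -W -f='${Status}' log2mail` with `failed_when: false` and `when: "'install ok installed' in command_result.stdout"` is the stable check (or `package_facts`, if the Ansible version in use has it). `register: command_result` is shared between the `a2enconf` loop and this check, so the `debug` task only ever shows the latter; distinct names such as `a2enconf_result` and `log2mail_check` avoid the ambiguity. `force: no` on `Copy Apache settings for modules` means later changes to the itk/evasive/modsec files in this role never reach hosts that already have them; if that is deliberate, a comment such as `# force: no — local edits win; bump the file name to push a new version` records the policy.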
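--- a/packweb-apache/tasks/awstats.yml
+++ b/packweb-apache/tasks/awstats.yml
@@ -0,0 +1,48 @@
+---
+- name: Install awstats
+apt:
+name: awstats
+state: present
+
+- name: Configure awstats
+blockinfile:
+dest: /etc/awstats/awstats.conf.local
+marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB"
+block: |
+LogFile="/var/log/apache2/access.log"
+SiteDomain="{{ ansible_hostname }}"
+DirData="/var/lib/awstats"
+ShowHostsStats=0
+ShowOriginStats=0
+ShowPagesStats=0
+ShowKeyphrasesStats=0
+ShowKeywordsStats=0
+ShowHTTPErrorsStats=0
+LogFormat=1
+AllowFullYearView=3
+ErrorMessages="An error occured. Contact your Administrator"
+mode: "0644"
+
+- name: Create conf-available/awstats-icon.conf file
+copy:
+dest: /etc/apache2/conf-available/awstats-icon.conf
+content: |
+Alias /awstats-icon/ /usr/share/awstats/icon/
+<Directory /usr/share/awstats/icon/>
+Require all granted
+</Directory>
+force: no
+mode: "0644"
+
+- name: Enable apache awstats-icon configuration
+command: "a2enconf awstats-icon"
+register: command_result
+changed_when: "'Enabling' in command_result.stderr"
+notify: reload apache
+
+- name: Create awstats cron
+lineinfile:
+dest: /etc/cron.d/awstats
+create: yes
+regexp: '-config=awstats'
+line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null"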
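Review bot: The `blockinfile` on `/etc/awstats/awstats.conf.local` has no `create: yes`, so the task fails on a host where that file is absent; Debian's awstats package presumably ships it, but the flag costs nothing and the `lineinfile` task at the bottom already sets it for the cron file. The cron line chains three tests with `-a` inside a single `[ ]`, which is non-portable; `[ -x /usr/lib/cgi-bin/awstats.pl ] && [ -f /etc/awstats/awstats.conf ] && [ -r /var/log/apache2/access.log ] && ...` is the POSIX form and reads the same. `umask 033` at the start of the cron command makes the generated data files group- and world-readable except for write; a comment above the task stating who is expected to read `/var/lib/awstats` would justify that choice.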
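--- a/packweb-apache/tasks/main.yml
+++ b/packweb-apache/tasks/main.yml
@@ -0,0 +1,123 @@
+---
+
+- name: Include apache role
+include_role:
+name: "apache"
+
+- name: Add elements to user account template
+file:
+path: "/etc/skel/{{ item.path }}"
+state: "{{ item.state }}"
+mode: "{{ item.mode }}"
+with_items:
+- { path: log, mode: "0750", state: directory }
+- { path: awstats, mode: "0750", state: directory }
+- { path: www, mode: "0750", state: directory }
+
+- name: Copy apache empty log files if missing
+copy:
+src: "log/{{ item }}"
+dest: "/etc/skel/log/{{ item }}"
+mode: "0644"
+force: no
+with_items:
+- access.log
+- error.log
+
+- name: Install userlogrotate
+copy:
+src: userlogrotate
+dest: /etc/cron.weekly/userlogrotate
+mode: "0755"
+
+- name: Force DIR_MODE to 0750 in /etc/adduser.conf
+lineinfile:
+dest: /etc/adduser.conf
+regexp: '^DIR_MODE='
+line: 'DIR_MODE=0750'
+
+- include: apache.yml
+
+- include: php.yml
+
+- include: phpmyadmin.yml
+
+- include: awstats.yml
+
+- name: Remove read permission on some folders (/, /etc, ...)
+shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}"
+register: command_result
+changed_when: "'changed' in command_result.stdout"
+failed_when: False
+with_items:
+- /
+- /etc
+- /usr
+- /usr/bin
+- /var
+- /var/log
+- /home
+- /bin
+- /sbin
+- /lib
+- /usr/lib
+- /usr/include
+- /usr/bin
+- /usr/sbin
+- /usr/share
+- /usr/share/doc
+- /etc/default
+
+- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...)
+shell: "test -d {{ item }} && chmod --verbose 750 {{ item }}"
+register: command_result
+changed_when: "'changed' in command_result.stdout"
+failed_when: False
+with_items:
+- /var/log/apt
+- /var/lib/dpkg
+- /var/log/munin
+- /var/backups
+- /var/cache/apt
+- /etc/init.d
+- /etc/apt
+- /etc/apache2
+- /etc/network
+- /etc/phpmyadmin
+- /var/log/installer
+
+- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
+shell: "test -f {{ item }} && chmod --verbose u-s {{ item }}"
+register: command_result
+changed_when: "'changed' in command_result.stdout"
+failed_when: False
+with_items:
+- /bin/ping
+- /bin/ping6
+- /usr/bin/fping
+- /usr/bin/fping6
+- /usr/bin/mtr
+
+- name: Set 640 permission on some files (/var/log/evolix.log, ...)
+shell: "test -f {{ item }} && chmod --verbose 640 {{ item }}"
+register: command_result
+changed_when: "'changed' in command_result.stdout"
+failed_when: False
+with_items:
+- /var/log/evolix.log
+- /etc/warnquota.conf
+
+- name: Remove some log files (/var/log/mail.err, ...)
+file:
+path: "{{ item }}"
+state: absent
+with_items:
+- /var/log/debug
+- /var/log/mail.err
+- /var/log/mail.warn
+
+- name: Install Evoadmin
+include_role:
+name: evoadmin
+vars:
+evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"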
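Review bot: `/usr/bin` appears twice in the `Remove read permission on some folders` loop (once after `/usr`, again after `/usr/include`); harmless, but it reads like a copy-paste slip and one entry should go. All four hardening loops use `shell: "test -d ... && chmod --verbose ..."` with `failed_when: False`, so a genuine chmod failure (read-only filesystem, immutable attribute, typo in a path) is reported as ok and the hardening silently does not happen; the `file` module with `mode: o-r`, `mode: "0750"`, `mode: u-s` or `mode: "0640"` on the same items is idempotent, reports `changed` natively and surfaces errors, with a preceding `stat` to skip paths that do not exist. The `o-r` loop makes `/`, `/etc`, `/usr` and friends non-listable but still traversable for other users; a comment above it such as `# directories stay traversable (x) for others; only listing (r) is removed so absolute paths keep working` would save the next reader a moment of alarm.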
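--- a/packweb-apache/tasks/php.yml
+++ b/packweb-apache/tasks/php.yml
@@ -0,0 +1,64 @@
+---
+
+- name: Install PHP5 packages
+apt:
+name: '{{ item }}'
+state: present
+with_items:
+- libapache2-mod-php5
+- php5
+- php5-gd
+- php5-imap
+- php5-ldap
+- php5-mcrypt
+- php5-mysql
+- php5-pgsql
+- php-gettext
+- php5-curl
+- libssh2-php
+tags:
+- apache
+
+- name: Set variables for php config files
+set_fact:
+php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
+
+- name: Set default values for PHP
+ini_file:
+dest: "{{ php5_apache5_defaults_file }}"
+section: PHP
+option: "{{ item.option }}"
+value: "{{ item.value }}"
+mode: "0644"
+create: yes
+with_items:
+- { option: "short_open_tag", value: "Off" }
+- { option: "expose_php", value: "Off" }
+- { option: "display_errors", value: "Off" }
+- { option: "log_errors", value: "On" }
+- { option: "allow_url_fopen", value: "Off" }
+notify: reload apache
+
+- name: Disable PHP exec function without evoadmin
+ini_file:
+dest: "{{ php5_apache5_defaults_file }}"
+section: PHP
+option: disable_functions
+value: "exec,shell-exec,system,passthru,putenv,popen"
+when: not packweb_enable_evoadmin_vhost
+
+- name: Don't disable PHP exec function with evoadmin
+ini_file:
+dest: "{{ php5_apache5_defaults_file }}"
+section: PHP
+option: disable_functions
+value: "shell-exec,system,passthru,putenv,popen"
+when: packweb_enable_evoadmin_vhost
+
+- name: Custom php.ini
+copy:
+dest: "{{ php5_apache5_custom_file }}"
+content: |
+# Put customized values here.
+force: no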
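Review bot: `value: "exec,shell-exec,system,passthru,putenv,popen"` and `value: "shell-exec,system,passthru,putenv,popen"` spell the PHP function `shell_exec` with a hyphen, so `shell_exec` remains callable on every host while the ini file looks hardened; both strings need `shell_exec` (evoadmin/tasks/web.yml carries the same typo). Neither `disable_functions` task has `notify: reload apache`, unlike `Set default values for PHP` just above, so flipping `packweb_enable_evoadmin_vhost` rewrites the ini file without the running server noticing until some other task reloads it. `proc_open` is missing from both lists although it provides the same capability as `popen`; if the omission is intentional, a comment saying why would stop the next reviewer from raising it again.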
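--- a/packweb-apache/tasks/phpmyadmin.yml
+++ b/packweb-apache/tasks/phpmyadmin.yml
@@ -0,0 +1,26 @@
+---
+
+- name: Install phpmyadmin
+apt:
+name: phpmyadmin
+state: present
+
+- name: Check if phpmyadmin default configuration is present
+stat:
+path: /etc/apache2/conf-enabled/phpmyadmin.conf
+register: pma_default_config
+
+- debug:
+var: pma_default_config
+verbosity: 1
+
+- name: Disable phpmyadmin default configuration
+command: "a2disconf phpmyadmin"
+register: command_result
+changed_when: "'Disabling' in command_result.stderr"
+when: pma_default_config.stat.exists
+
+- name: Change group to www-data for /etc/phpmyadmin/
+file:
+dest: /etc/phpmyadmin/
+group: www-data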
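Review bot: `Disable phpmyadmin default configuration` runs `a2disconf phpmyadmin` without `notify: reload apache`, so the packaged `/phpmyadmin` alias stays reachable until some other task happens to reload the server; the `a2enconf` task in tasks/awstats.yml shows the expected pattern. `Change group to www-data for /etc/phpmyadmin/` sets only the group, while tasks/main.yml separately forces the directory to 750; a comment here such as `# 0750 is applied in main.yml; www-data needs to read config-db.php` would tie the two together, and it is worth confirming which accounts end up in `www-data` under mpm-itk, since each vhost runs as its own user and should not be able to read the phpMyAdmin database credentials.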
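--- a/packweb-apache/tasks/web-add.yml
+++ b/packweb-apache/tasks/web-add.yml
@@ -0,0 +1,3 @@
+---
+
+# TODO: ...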
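--- a/packweb-apache/templates/log2mail-apache.j2
+++ b/packweb-apache/templates/log2mail-apache.j2
@@ -0,0 +1,4 @@
+file = /var/log/apache2/error.log
+pattern = "Segmentation fault"
+mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
+template = /etc/log2mail/mail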