Merge branch 'packweb' into unstable

apache/defaults/main.yml

@@ -4,3 +4,9 @@ apache_private_ipaddr_whitelist_absent: []
 
 apache_private_htpasswd_present: []
 apache_private_htpasswd_absent: []
+
+apache_default_redirect_url: "http://evolix.fr"
+apache_evolinux_default_enabled: True
+
+apache_phpmyadmin_suffix: ""
+apache_serverstatus_suffix: ""

apache/files/private_ipaddr_whitelist.conf

@@ -1,2 +1,2 @@
 # Whitelisted IP addresses, add `Include ipaddr_whitelist.conf` to use it
-#Allow from 192.0.2.42
+#Require ip 192.0.2.42

apache/tasks/main.yml

@@ -103,7 +103,7 @@
 - name: add IP addresses to private IP whitelist
   lineinfile:
     dest: /etc/apache2/private_ipaddr_whitelist.conf
-    line: "Allow from {{ item }}"
+    line: "Require ip {{ item }}"
     state: present
   with_items: "{{ apache_private_ipaddr_whitelist_present }}"
   notify: reload apache
@@ -113,13 +113,20 @@
 - name: remove IP addresses from private IP whitelist
   lineinfile:
     dest: /etc/apache2/private_ipaddr_whitelist.conf
-    line: "Allow from {{ item }}"
+    line: "Require ip {{ item }}"
     state: absent
   with_items: "{{ apache_private_ipaddr_whitelist_absent }}"
   notify: reload apache
   tags:
   - apache
 
+- name: include private IP whitelist for server-status
+  lineinfile:
+    dest: /etc/apache2/mods-available/status.conf
+    line: "        include /etc/apache2/private_ipaddr_whitelist.conf"
+    insertafter: 'SetHandler server-status'
+    state: present
+
 - name: Copy private_htpasswd
   copy:
     src: private_htpasswd
@@ -152,6 +159,61 @@
   tags:
   - apache
 
+- name: default vhost is installed
+  template:
+    src: evolinux-default.conf.j2
+    dest: /etc/apache2/sites-available/000-evolinux-default.conf
+    mode: "0640"
+    # force: yes
+  notify: reload apache
+  tags:
+  - apache
+
+- name: default vhost is enabled
+  file:
+    src: /etc/apache2/sites-available/000-evolinux-default.conf
+    dest: /etc/apache2/sites-enabled/000-default.conf
+    state: link
+    force: yes
+  notify: reload apache
+  when: apache_evolinux_default_enabled
+  tags:
+  - apache
+
+- block:
+  - name: generate random string for phpmyadmin suffix
+    command: "apg -a 1 -M N -n 1"
+    changed_when: False
+    register: _random_phpmyadmin_suffix
+
+  - name: overwrite apache_phpmyadmin_suffix
+    set_fact:
+      apache_phpmyadmin_suffix: "{{ _random_phpmyadmin_suffix.stdout }}"
+  when: apache_phpmyadmin_suffix == ""
+
+- name: replace phpmyadmin suffix in default site index
+  replace:
+    dest: /var/www/index.html
+    regexp: '__PHPMYADMIN_SUFFIX__'
+    replace: "{{ apache_phpmyadmin_suffix }}"
+
+# - block:
+#   - name: generate random string for serverstatus suffix
+#     command: "apg -a 1 -M N -n 1"
+#     changed_when: False
+#     register: _random_serverstatus_suffix
+#
+#   - name: overwrite apache_serverstatus_suffix
+#     set_fact:
+#       apache_serverstatus_suffix: "{{ _random_serverstatus_suffix.stdout }}"
+#   when: apache_serverstatus_suffix == ""
+#
+# - name: replace server-status suffix in default site index
+#   replace:
+#     dest: /var/www/index.html
+#     regexp: '__SERVERSTATUS_SUFFIX__'
+#     replace: "{{ apache_serverstatus_suffix }}"
+
 - name: is umask already present?
   command: "grep -E '^umask ' /etc/apache2/envvars"
   failed_when: False

apache/templates/evolinux-default.conf.j2

@@ -1,35 +1,40 @@
-<VirtualHost *:80 *:443>
+<VirtualHost *:80>
     ServerName {{ ansible_fqdn }}
     ServerAdmin webmaster@localhost
+
+    RewriteEngine on
+    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
+    # RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
+    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ ansible_fqdn }}
+    ServerAdmin webmaster@localhost
+
     DocumentRoot /var/www/
 
     SSLEngine on
     SSLCertificateFile    /etc/ssl/certs/{{ ansible_fqdn }}.crt
     SSLCertificateKeyFile /etc/ssl/private/{{ ansible_fqdn }}.key
-    SSLProtocol all -SSLv2 -SSLv3
+    # SSLProtocol all -SSLv2 -SSLv3
 
-    # Redirect to HTTPS, execpt for server-status, because Munin plugin
-    # can't handle HTTPS! :(
-    RewriteEngine on
-    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
-    RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
-    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
-
-    <Directory />
-        Options FollowSymLinks
+    <Directory /var/www/>
+        Options +Indexes +FollowSymLinks +MultiViews
         AllowOverride None
-        Deny from all
+
         Include /etc/apache2/private_ipaddr_whitelist.conf
     </Directory>
 
-    <Directory /var/www/>
-        Options Indexes FollowSymLinks MultiViews
+    Alias /munin /var/cache/munin/www
+    <Directory /var/cache/munin/www/>
+        Options +Indexes +FollowSymLinks +MultiViews
         AllowOverride None
+
+        Include /etc/apache2/private_ipaddr_whitelist.conf
     </Directory>
 
     <Location /munin_opcache.php>
-        Deny from all
-        Allow from 127.0.0.1
         Include /etc/apache2/private_ipaddr_whitelist.conf
     </Location>
 
@@ -39,13 +44,13 @@
         Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
     </Directory>
 
-    ErrorDocument 403 {{ evolinux_default_www_redirect_url }}
+    ErrorDocument 403 {{ apache_default_redirect_url }}
+
     CustomLog /var/log/apache2/access.log vhost_combined
     ErrorLog /var/log/apache2/error.log
     LogLevel warn
 
-    Alias /munin /var/cache/munin/www
-    Alias /phpmyadmin-SED_RANDOM /usr/share/phpmyadmin/
+    Alias /phpmyadmin-{{ apache_phpmyadmin_suffix }} /usr/share/phpmyadmin/
     IncludeOptional /etc/apache2/conf-available/phpmyadmin*
 
     <Files ~ "\.(inc|bak)$">

evoadmin/defaults/main.yml

@@ -9,6 +9,6 @@ evoadmin_log_dir: "{{ evoadmin_home_dir }}/log"
 evoadmin_scripts_dir: /usr/share/scripts/evoadmin/
 evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
 evoadmin_username: evoadmin
-evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}"
+evoadmin_ssl_subject: "/CN={{ evoadmin_host }}"
 
 evoadmin_enable_vhost: True

evoadmin/tasks/ftp.yml

@@ -11,6 +11,7 @@
         remote_src: no
         src: evolinux.conf.diff
         dest: /etc/proftpd/conf.d/z-evolinux.conf
+
     # Why 440? Because should be edited with ftpasswd.
     # So, readonly when opened with vim.
     # Then readable by group.

evoadmin/tasks/web.yml

@@ -40,3 +40,4 @@
   user:
     name: www-evoadmin
     groups: shadow
+    append: yes

evolinux-base/defaults/main.yml

@@ -135,14 +135,6 @@ evolinux_default_www_files: True
 evolinux_default_www_ssl_cert: True
 evolinux_default_www_ssl_subject: "/CN={{ ansible_fqdn }}"
 
-evolinux_default_www_nginx_vhost: True
-evolinux_default_www_nginx_enabled: False
-
-evolinux_default_www_apache_vhost: True
-evolinux_default_www_apache_enabled: False
-
-evolinux_default_www_redirect_url: "http://evolix.fr"
-
 # hardware
 
 evolinux_hardware_include: True

evolinux-base/tasks/default_www.yml

@@ -48,67 +48,4 @@
       creates: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
   when: evolinux_default_www_ssl_cert
 
-# Nginx vhost
-
-- name: is Nginx installed?
-  stat:
-    path: /etc/nginx/sites-available
-  check_mode: no
-  register: nginx_sites_available
-
-- block:
-  - name: nginx vhost is installed
-    template:
-      src: default_www/nginx_default_site.j2
-      dest: /etc/nginx/sites-available/000-default
-      mode: "0640"
-      # force: yes
-    notify: reload nginx
-    tags:
-    - nginx
-
-  - name: nginx vhost is enabled
-    file:
-      src: /etc/nginx/sites-available/000-default
-      dest: /etc/nginx/sites-enabled/000-default
-      state: link
-    notify: reload nginx
-    when: evolinux_default_www_nginx_enabled
-    tags:
-    - nginx
-
-  when: evolinux_default_www_nginx_vhost and nginx_sites_available.stat.exists
-
-
-# Apache vhost
-
-- name: is Apache installed?
-  stat:
-    path: /etc/apache2/sites-available
-  check_mode: no
-  register: apache_sites_available
-
-- block:
-  - name: Apache vhost is installed
-    template:
-      src: default_www/apache_default_site.j2
-      dest: /etc/apache2/sites-available/000-default.conf
-      mode: "0640"
-      # force: yes
-    notify: reload apache
-    tags:
-    - apache
-
-  - name: Apache vhost is enabled
-    file:
-      src: /etc/apache2/sites-available/000-default.conf
-      dest: /etc/apache2/sites-enabled/000-default.conf
-      state: link
-    notify: reload apache
-    when: evolinux_default_www_apache_enabled
-    tags:
-    - apache
-
-  when: evolinux_default_www_apache_vhost and apache_sites_available.stat.exists
-
 - meta: flush_handlers

evolinux-base/templates/default_www/index.html.j2

@@ -6,50 +6,49 @@
     <link rel="icon" type="image/ico" href="img/favicon.ico" />
     <title>{{ ansible_hostname }}</title>
     <style type="text/css">
-    body, html {
-    margin: auto;
-    font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
-    font-size: 14px;
-    border-top: #86CBE7 solid 1px;
-    }
-    #container {
-    padding-top: 20px;
-    width: 500px;
-    margin: auto;
-    overflow: hidden;
-    }
-    h1.hostname {
-    padding-top: 50px;
-    color: #373637;
-    border-bottom: 1px solid #a9a9a9;
-    background-image: url(./img/background-top.png);
-    background-repeat: no-repeat;
-    background-position: 245px 5px;
-    }
-    ul {
-    list-style-type: none;
-    padding: 0;
-    margin: 0;
-    }
-    li:before
-    {
-    content: "• ";
-    color: #373637;
-    }
-    a {
-    color: #86CBE7;
-    text-decoration: none;
-    }
-    a:hover {
-    color: #373637;
-    text-decoration: none;
-    }
-    p.footer {
-    border-top: 1px solid #a9a9a9;
-    padding-top: 5px;
-    font-size: 12px;
-    text-align: right;
-    }
+      body, html {
+        margin: auto;
+        font-family: "Open Sans","Helvetica Neue",Helvetica,Arial,sans-serif;
+        font-size: 14px;
+        border-top: #86CBE7 solid 1px;
+      }
+      #container {
+        padding-top: 20px;
+        width: 500px;
+        margin: auto;
+        overflow: hidden;
+      }
+      h1.hostname {
+        padding-top: 50px;
+        color: #373637;
+        border-bottom: 1px solid #a9a9a9;
+        background-image: url(./img/background-top.png);
+        background-repeat: no-repeat;
+        background-position: 245px 5px;
+      }
+      ul {
+        list-style-type: none;
+        padding: 0;
+        margin: 0;
+      }
+      li:before {
+        content: "• ";
+        color: #373637;
+      }
+      a {
+        color: #86CBE7;
+        text-decoration: none;
+      }
+      a:hover {
+        color: #373637;
+        text-decoration: none;
+      }
+      p.footer {
+        border-top: 1px solid #a9a9a9;
+        padding-top: 5px;
+        font-size: 12px;
+        text-align: right;
+      }
     </style>
 </head>
 <body>
@@ -57,15 +56,15 @@
     <div id="container">
         <h1 class="hostname">{{ ansible_hostname }}</h1>
 
-        <ul>
+        <ul id="evolinks">
             <li><a href="/munin/{{ ansible_domain }}/{{ ansible_fqdn }}/">Stats système</a></li>
+            <li><a href="/server-status">Server Status</a></li>
             <!--
-            <li><a href="/phpmyadmin-PHPMASECRET/">Accès PhpMyAdmin</a></li>
+            <li><a href="/phpmyadmin-__PHPMYADMIN_SUFFIX__/">Accès PhpMyAdmin</a></li>
             <li><a href="/mysqlreport.html">Dernier rapport MySQL Tuner</a></li>
             <li><a href="/cgi-bin/awstats.pl">Stats web</a></li>
             <li><a href="/info.php">Infos PHP</a></li>
             <li><a href="/opcache.php">Infos OpCache PHP</a></li>
-            <li><a href="/server-status-RANDOM_SERVERSTATUS/">Server Status</a></li>
             -->
         </ul>
 

nginx/defaults/main.yml

@@ -4,3 +4,9 @@ nginx_private_ipaddr_whitelist_absent: []
 
 nginx_private_htpasswd_present: []
 nginx_private_htpasswd_absent: []
+
+nginx_default_redirect_url: "http://evolix.fr"
+nginx_evolinux_default_enabled: True
+
+# nginx_phpmyadmin_suffix: ""
+# nginx_serverstatus_suffix: ""

nginx/tasks/main.yml

@@ -109,6 +109,60 @@
   tags:
   - nginx
 
+- name: nginx vhost is installed
+  template:
+    src: evolinux-default.conf.j2
+    dest: /etc/nginx/sites-available/evolinux-default.conf
+    mode: "0640"
+  notify: reload nginx
+  tags:
+  - nginx
+
+- name: default vhost is enabled
+  file:
+    src: /etc/nginx/sites-available/evolinux-default.conf
+    dest: /etc/nginx/sites-enabled/default.conf
+    state: link
+    force: yes
+  notify: reload nginx
+  when: nginx_evolinux_default_enabled
+  tags:
+  - nginx
+
+# - block:
+#   - name: generate random string for phpmyadmin suffix
+#     command: "apg -a 1 -M N -n 1"
+#     changed_when: False
+#     register: random_phpmyadmin_suffix
+#
+#   - name: overwrite nginx_phpmyadmin_suffix
+#     set_fact:
+#       nginx_phpmyadmin_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
+#   when: nginx_phpmyadmin_suffix == ""
+#
+# - name: replace phpmyadmin suffix in default site index
+#   replace:
+#     dest: /var/www/index.html
+#     regexp: '__PHPMYADMIN_SUFFIX__'
+#     replace: "{{ nginx_phpmyadmin_suffix }}"
+#
+# - block:
+#   - name: generate random string for serverstatus suffix
+#     command: "apg -a 1 -M N -n 1"
+#     changed_when: False
+#     register: random_serverstatus_suffix
+#
+#   - name: overwrite nginx_serverstatus_suffix
+#     set_fact:
+#       nginx_serverstatus_suffix: "{{ random_phpmyadmin_suffix.stdout }}"
+#   when: nginx_serverstatus_suffix == ""
+#
+# - name: replace server-status suffix in default site index
+#   replace:
+#     dest: /var/www/index.html
+#     regexp: '__SERVERSTATUS_SUFFIX__'
+#     replace: "{{ nginx_serverstatus_suffix }}"
+
 - name: Verify that the service is enabled and started
   service:
     name: nginx

nginx/templates/evolinux-default.conf.j2

@@ -18,7 +18,7 @@ server {
 
     access_log  /var/log/nginx/access.log;
     error_log  /var/log/nginx/error.log;
-    error_page 403 {{ evolinux_default_www_redirect_url }};
+    error_page 403 {{ nginx_default_redirect_url }};
 
     root /var/www;
 

packweb-apache/tasks/web-add.yml

@@ -1,3 +0,0 @@
----
-
-# TODO: ...