From bae8961e9994d7b13e7854a1ded2a9ded0d87e2d Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Mon, 3 Jul 2017 18:23:39 +0200
Subject: [PATCH] packweb/evoadmin: cleanup

* extracted tasks
* more variables
* more templates
* less bugs
---
 evoadmin/defaults/main.yml | 3 +
 evoadmin/tasks/user.yml | 4 +-
 evoadmin/tasks/web.yml | 15 +-
 evoadmin/templates/config.local.php.j2 | 8 +
 evoadmin/templates/evoadmin.conf.j2 | 11 +-
 evolinux-base/tasks/default_www.yml | 6 +-
 packweb-apache/defaults/main.yml | 2 +-
 packweb-apache/tasks/apache.yml | 67 ++++++++
 packweb-apache/tasks/awstats.yml | 48 ++++++
 packweb-apache/tasks/main.yml | 209 +------------------------
 packweb-apache/tasks/php.yml | 64 ++++++++
 packweb-apache/tasks/phpmyadmin.yml | 26 +++
 12 files changed, 245 insertions(+), 218 deletions(-)
 create mode 100644 evoadmin/templates/config.local.php.j2
 create mode 100644 packweb-apache/tasks/apache.yml
 create mode 100644 packweb-apache/tasks/awstats.yml
 create mode 100644 packweb-apache/tasks/php.yml
 create mode 100644 packweb-apache/tasks/phpmyadmin.yml

diff --git a/evoadmin/defaults/main.yml b/evoadmin/defaults/main.yml
index 03a7ff3b..30ba8010 100644
--- a/evoadmin/defaults/main.yml
+++ b/evoadmin/defaults/main.yml
@@ -5,7 +5,10 @@
 evoadmin_bounce_email: "{{ evoadmin_contact_email }}"
 evoadmin_home_dir: "/home/{{ evoadmin_username }}"
 evoadmin_document_root: "{{ evoadmin_home_dir }}/www"
+evoadmin_log_dir: "{{ evoadmin_home_dir }}/log"
 evoadmin_scripts_dir: /usr/share/scripts/evoadmin/
 evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
 evoadmin_username: evoadmin
 evoadmin_ssl_subject: "/CN={{ ansible_fqdn }}"
+
+evoadmin_enable_vhost: True
diff --git a/evoadmin/tasks/user.yml b/evoadmin/tasks/user.yml
index dda4429d..e3442cd1 100644
--- a/evoadmin/tasks/user.yml
+++ b/evoadmin/tasks/user.yml
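Review bot: `evoadmin_enable_vhost: True` uses a capitalised YAML 1.1 boolean; write it as `evoadmin_enable_vhost: true` so every loader reads it the same way, and apply the same to `packweb_enable_evoadmin_vhost: True` and `log2mail_alert_email: Null` (`null`) in the packweb-apache/defaults/main.yml hunk. A one-line comment above the new flag would also tell a reader what it gates, since that is only visible in tasks/web.yml: `# true: a2ensite evoadmin.conf; false: a2dissite it (the role is installed either way)`.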
@@ -39,10 +39,10 @@
 # we use a shell command to have a "changed" thet really reflects the result.
 - name: Fix permissions
- shell: "test -f {{ item }} && chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
+ shell: "chmod -R --verbose u=rwX,g=rX,o= {{ item }}"
 register: command_result
 changed_when: "'changed' in command_result.stdout"
- failed_when: False
+ # failed_when: False
 with_items:
 - "{{ evoadmin_home_dir}}/www"
diff --git a/evoadmin/tasks/web.yml b/evoadmin/tasks/web.yml
index 69f719ef..7bbc67be 100644
--- a/evoadmin/tasks/web.yml
+++ b/evoadmin/tasks/web.yml
@@ -20,12 +20,21 @@
 register: cmd_a2ensite
 changed_when: "'Enabling site' in cmd_a2ensite.stdout"
 notify: reload apache2
+ when: evoadmin_enable_vhost
+
+- name: Disable evoadmin vhost
+ command: "a2dissite evoadmin.conf"
+ register: cmd_a2dissite
+ changed_when: "'Disabling site' in cmd_a2dissite.stdout"
+ notify: reload apache2
+ when: not evoadmin_enable_vhost
 - name: Copy config file for evoadmin
- copy:
- src: config.local.php
- dest: "{{ evoadmin_home_dir}}/www/conf/"
+ template:
+ src: config.local.php.j2
+ dest: "{{ evoadmin_document_root}}/conf/config.local.php"
 mode: "0644"
+ force: no
 - name: add www-evoadmin to shadow group
 user:
diff --git a/evoadmin/templates/config.local.php.j2 b/evoadmin/templates/config.local.php.j2
new file mode 100644
index 00000000..3e159bcd
--- /dev/null
+++ b/evoadmin/templates/config.local.php.j2
@@ -0,0 +1,8 @@
+ + #Options Indexes SymLinksIfOwnerMatch Options SymLinksIfOwnerMatch AllowOverride AuthConfig Limit FileInfo
@@ -31,8 +31,8 @@
 # LOG
 CustomLog /var/log/apache2/access.log combined
- CustomLog /home/evoadmin/log/access.log combined
- ErrorLog /home/evoadmin/log/error.log
+ CustomLog {{ evoadmin_log_dir }}/access.log combined
+ ErrorLog {{ evoadmin_log_dir }}/error.log
 # AWSTATS
 SetEnv AWSTATS_FORCE_CONFIG evoadmin
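Review bot: Dropping the `test -f` guard means `chmod -R` now aborts the play when `{{ evoadmin_home_dir}}/www` does not exist yet, and the commented-out `# failed_when: False` is dead configuration that should be deleted rather than kept. The old guard never matched a directory (`test -f`), so the task used to do nothing silently; the `file` module states the intent directly, reports changed on its own, and does not pass an unquoted path through a shell. The task's `with_items` list may continue past the hunk.
```yaml
- name: Fix permissions
  file:
    path: "{{ item }}"
    state: directory
    mode: "u=rwX,g=rX,o="
    recurse: yes
  with_items:
    - "{{ evoadmin_home_dir}}/www"
```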
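Review bot: The new `Disable evoadmin vhost` task only fires `reload apache2` when `'Disabling site'` appears in stdout; on the Debian releases I know, `a2dissite` prints `Site evoadmin disabled.` instead, so the handler would never run and the vhost stays live until something else reloads Apache — verify the exact string on a target host (the `a2ensite` check above it looks for `Enabling site`, which does match). `force: no` on the new `config.local.php.j2` template also means the rendered config is written once and never refreshed when `evoadmin_*` variables change; if that is meant to protect local edits, say so: `# force: no — only render on first install, keep locally edited config afterwards`. The file is written world-readable (`0644`) under the document root; the template body is not visible in this patch, so if it carries any credential, tighten it to `mode: "0640"` with the web user as owner.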
@@ -54,7 +54,6 @@
 #php_admin_value upload_max_filesize 8M
 #php_admin_flag allow_url_fopen Off
 php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin"
- php_admin_value error_log "/home/evoadmin/log/php.log"
+ php_admin_value error_log "{{ evoadmin_home_dir }}/log/php.log"
 php_admin_value open_basedir "none"
-
diff --git a/evolinux-base/tasks/default_www.yml b/evolinux-base/tasks/default_www.yml
index 750d2200..0fdf03f9 100644
--- a/evolinux-base/tasks/default_www.yml
+++ b/evolinux-base/tasks/default_www.yml
@@ -92,7 +92,7 @@
 - name: Apache vhost is installed
 template:
 src: default_www/apache_default_site.j2
- dest: /etc/apache2/sites-available/000-default
+ dest: /etc/apache2/sites-available/000-default.conf
 mode: "0640"
 # force: yes
 notify: reload apache
@@ -101,8 +101,8 @@
 - name: Apache vhost is enabled
 file:
- src: /etc/apache2/sites-available/000-default
- dest: /etc/apache2/sites-enabled/000-default
+ src: /etc/apache2/sites-available/000-default.conf
+ dest: /etc/apache2/sites-enabled/000-default.conf
 state: link
 notify: reload apache
 when: evolinux_default_www_apache_enabled
diff --git a/packweb-apache/defaults/main.yml b/packweb-apache/defaults/main.yml
index 2e2c3481..0301183f 100644
--- a/packweb-apache/defaults/main.yml
+++ b/packweb-apache/defaults/main.yml
@@ -2,4 +2,4 @@
 # defaults file for packweb-apache
 general_alert_email: "root@localhost"
 log2mail_alert_email: Null
-packweb_install_evoadmin: True
+packweb_enable_evoadmin_vhost: True
diff --git a/packweb-apache/tasks/apache.yml b/packweb-apache/tasks/apache.yml
new file mode 100644
index 00000000..76756d10
--- /dev/null
+++ b/packweb-apache/tasks/apache.yml
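Review bot: `php_admin_value error_log "{{ evoadmin_home_dir }}/log/php.log"` rebuilds the log path by hand while the `@@ -31,8 +31,8` hunk of the same template just switched `CustomLog`/`ErrorLog` to the new `evoadmin_log_dir` variable; use `php_admin_value error_log "{{ evoadmin_log_dir }}/php.log"` here as well, otherwise overriding `evoadmin_log_dir` moves the Apache logs but leaves the PHP error log behind. The enclosing VirtualHost block starts and ends outside the hunk, and at least one closing directive appears to have been lost in this rendering of the patch.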
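Review bot: Renaming the site to `000-default.conf` leaves the previously installed `/etc/apache2/sites-available/000-default` and the `sites-enabled/000-default` link in place on hosts that already ran the old version of default_www.yml; with Debian's default `IncludeOptional sites-enabled/*.conf` the stale link is ignored, but the two leftovers will confuse the next operator and any audit of enabled sites. Add a cleanup task next to `Apache vhost is enabled`, e.g. `- name: Pre-rename default vhost is removed` with `file: path="{{ item }}" state=absent` over both old paths, under the same `when: evolinux_default_www_apache_enabled` guard.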
@@ -0,0 +1,67 @@
+---
+
+- name: Check if Apache envvars have a PATH
+ command: "grep -E '^export PATH ' /etc/apache2/envvars"
+ failed_when: False
+ changed_when: False
+ register: envvar_grep_path
+ check_mode: no
+
+- name: Add a PATH envvar for Apache
+ blockinfile:
+ dest: /etc/apache2/envvars
+ marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH"
+ block: |
+ # Used for Evoadmin-web
+ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ when: envvar_grep_path.rc != 0
+
+- name: Additional packages are installed
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - apache2-mpm-itk
+ - libapache2-mod-evasive
+ - libapache2-mod-security2
+
+- name: Copy Apache settings for modules
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/apache2/conf-available/{{ item }}"
+ owner: root
+ group: root
+ mode: "0644"
+ force: no
+ with_items:
+ - evolinux-itk.conf
+ - evolinux-evasive.conf
+ - evolinux-modsec.conf
+
+- name: Ensure Apache modules configs are enabled
+ command: "a2enconf {{ item }}"
+ register: command_result
+ changed_when: "'Enabling' in command_result.stderr"
+ with_items:
+ - evolinux-itk
+ - evolinux-evasive
+ - evolinux-modsec
+
+- name: Check if log2mail is installed
+ command: "apt list --installed log2mail"
+ register: command_result
+ changed_when: False
+
+- debug:
+ var: command_result
+ verbosity: 1
+
+- name: Add log2mail config for Apache segfaults
+ template:
+ src: log2mail-apache.j2
+ dest: "/etc/log2mail/config/apache"
+ owner: root
+ group: root
+ mode: "0644"
+ force: no
+ when: "'log2mail' in command_result.stdout"
diff --git a/packweb-apache/tasks/awstats.yml b/packweb-apache/tasks/awstats.yml
new file mode 100644
index 00000000..1919b17d
--- /dev/null
+++ b/packweb-apache/tasks/awstats.yml
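Review bot: `Check if log2mail is installed` runs `command` without `check_mode: no`, so under `--check` the task is skipped, `command_result` is never registered and the following `when: "'log2mail' in command_result.stdout"` fails on an undefined variable; add `check_mode: no` (and `failed_when: False` for symmetry with the envvars check at the top of the file). `Ensure Apache modules configs are enabled` also does not `notify: reload apache`, unlike the awstats task, so a newly enabled mod-security or mod-evasive config only becomes active on the next unrelated reload. Its `changed_when: "'Enabling' in command_result.stderr"` tests stderr while evoadmin/tasks/web.yml tests `a2ensite` output on stdout; as far as I know both are the same Debian helper script, so only one stream can be right — confirm on a target host and use the same one in this file, awstats.yml and phpmyadmin.yml.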
@@ -0,0 +1,48 @@
+---
+- name: Install awstats
+ apt:
+ name: awstats
+ state: present
+
+- name: Configure awstats
+ blockinfile:
+ dest: /etc/awstats/awstats.conf.local
+ marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB"
+ block: |
+ LogFile="/var/log/apache2/access.log"
+ SiteDomain="{{ ansible_hostname }}"
+ DirData="/var/lib/awstats"
+ ShowHostsStats=0
+ ShowOriginStats=0
+ ShowPagesStats=0
+ ShowKeyphrasesStats=0
+ ShowKeywordsStats=0
+ ShowHTTPErrorsStats=0
+ LogFormat=1
+ AllowFullYearView=3
+ ErrorMessages="An error occured. Contact your Administrator"
+ mode: "0644"
+
+- name: Create conf-available/awstats-icon.conf file
+ copy:
+ dest: /etc/apache2/conf-available/awstats-icon.conf
+ content: |
+ Alias /awstats-icon/ /usr/share/awstats/icon/
+
+ Require all granted
+
+ force: no
+ mode: "0644"
+
+- name: Enable apache awstats-icon configuration
+ command: "a2enconf awstats-icon"
+ register: command_result
+ changed_when: "'Enabling' in command_result.stderr"
+ notify: reload apache
+
+- name: Create awstats cron
+ lineinfile:
+ dest: /etc/cron.d/awstats
+ create: yes
+ regexp: '-config=awstats'
+ line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null"
diff --git a/packweb-apache/tasks/main.yml b/packweb-apache/tasks/main.yml
index 24d86cd0..8aa0f26c 100644
--- a/packweb-apache/tasks/main.yml
+++ b/packweb-apache/tasks/main.yml
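Review bot: The cron line runs `awstats.pl -config=awstats -update` as root every six hours, yet the update only needs to read `/var/log/apache2/access.log` and write `DirData="/var/lib/awstats"`; a log parser fed by arbitrary request data is a poor thing to run with full privileges, and Debian's own awstats cron uses `www-data` as far as I recall — switch the user once `DirData` is writable by it, and note the choice in a comment above the task. `ErrorMessages="An error occured. Contact your Administrator"` is shown to visitors and should read `occurred`. The `Directory` wrapper lines of the `awstats-icon.conf` content seem to have been lost in this rendering of the patch, so the scope of `Require all granted` could not be checked here.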
@@ -36,207 +36,13 @@
 regexp: '^DIR_MODE='
 line: 'DIR_MODE=0750'
-- name: Check if Apache envvars have a PATH
- command: "grep -E '^export PATH ' /etc/apache2/envvars"
- failed_when: False
- changed_when: False
- register: envvar_grep_path
- check_mode: no
+- include: apache.yml
-- name: Add a PATH envvar for Apache
- blockinfile:
- dest: /etc/apache2/envvars
- marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PATH"
- block: |
- # Used for Evoadmin-web
- export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- when: envvar_grep_path.rc != 0
+- include: php.yml
-- name: Additional packages are installed
- apt:
- name: '{{ item }}'
- state: present
- with_items:
- - apache2-mpm-itk
- - libapache2-mod-evasive
- - libapache2-mod-security2
+- include: phpmyadmin.yml
-- name: Copy Apache settings for modules
- copy:
- src: "{{ item }}"
- dest: "/etc/apache2/conf-available/{{ item }}"
- owner: root
- group: root
- mode: "0644"
- force: no
- with_items:
- - evolinux-itk.conf
- - evolinux-evasive.conf
- - evolinux-modsec.conf
-
-- name: Ensure Apache modules configs are enabled
- command: "a2enconf {{ item }}"
- register: command_result
- changed_when: "'Enabling' in command_result.stderr"
- with_items:
- - evolinux-itk
- - evolinux-evasive
- - evolinux-modsec
-
-- name: Check if log2mail is installed
- command: "apt list --installed log2mail"
- register: command_result
- changed_when: False
-
-- debug:
- var: command_result
- verbosity: 1
-
-- name: Add log2mail config for Apache segfaults
- template:
- src: log2mail-apache.j2
- dest: "/etc/log2mail/config/apache"
- owner: root
- group: root
- mode: "0644"
- force: no
- when: "'log2mail' in command_result.stdout"
-
-- name: Install PHP5 packages
- apt:
- name: '{{ item }}'
- state: present
- with_items:
- - libapache2-mod-php5
- - php5
- - php5-gd
- - php5-imap
- - php5-ldap
- - php5-mcrypt
- - php5-mysql
- - php5-pgsql
- - php-gettext
- - php5-curl
- - libssh2-php
- tags:
- - apache
-
-- name: Set variables for php config files
- set_fact:
- php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
- php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
-
-- name: Set default values for PHP
- ini_file:
- dest: "{{ php5_apache5_defaults_file }}"
- section: PHP
- option: "{{ item.option }}"
- value: "{{ item.value }}"
- mode: "0644"
- create: yes
- with_items:
- - { option: "short_open_tag", value: "Off" }
- - { option: "expose_php", value: "Off" }
- - { option: "display_errors", value: "Off" }
- - { option: "log_errors", value: "On" }
- - { option: "allow_url_fopen", value: "Off" }
- notify: reload apache
-
-- name: Disable PHP exec function without evoadmin
- ini_file:
- dest: "{{ php5_apache5_defaults_file }}"
- section: PHP
- option: disable_functions
- value: "exec,shell-exec,system,passthru,putenv,popen"
- when: not packweb_install_evoadmin
-
-- name: Don't disable PHP exec function with evoadmin
- ini_file:
- dest: "{{ php5_apache5_defaults_file }}"
- section: PHP
- option: disable_functions
- value: "shell-exec,system,passthru,putenv,popen"
- when: packweb_install_evoadmin
-
-- name: Custom php.ini
- copy:
- dest: "{{ php5_apache5_custom_file }}"
- content: |
- # Put customized values here.
- force: no
-
-- name: Install phpmyadmin
- apt:
- name: phpmyadmin
- state: present
-
-- name: Check if phpmyadmin default configuration is present
- stat:
- path: /etc/apache2/conf-enabled/phpmyadmin.conf
- register: pma_default_config
-
-- debug:
- var: pma_default_config
- verbosity: 1
-
-- name: Disable phpmyadmin default configuration
- command: "a2disconf phpmyadmin"
- register: command_result
- changed_when: "'Disabling' in command_result.stderr"
- when: pma_default_config.stat.exists
-
-- name: Change group to www-data for /etc/phpmyadmin/
- file:
- dest: /etc/phpmyadmin/
- group: www-data
-
-- name: Install awstats
- apt:
- name: awstats
- state: present
-
-- name: Configure awstats
- blockinfile:
- dest: /etc/awstats/awstats.conf.local
- marker: "## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB"
- block: |
- LogFile="/var/log/apache2/access.log"
- SiteDomain="{{ ansible_hostname }}"
- DirData="/var/lib/awstats"
- ShowHostsStats=0
- ShowOriginStats=0
- ShowPagesStats=0
- ShowKeyphrasesStats=0
- ShowKeywordsStats=0
- ShowHTTPErrorsStats=0
- LogFormat=1
- AllowFullYearView=3
- ErrorMessages="An error occured. Contact your Administrator"
- mode: "0644"
-
-- name: Create conf-available/awstats-icon.conf file
- copy:
- dest: /etc/apache2/conf-available/awstats-icon.conf
- content: |
- Alias /awstats-icon/ /usr/share/awstats/icon/
-
- Require all granted
-
- force: no
- mode: "0644"
-
-- name: Enable apache awstats-icon configuration
- command: "a2enconf awstats-icon"
- register: command_result
- changed_when: "'Enabling' in command_result.stderr"
- notify: reload apache
-
-- name: Create awstats cron
- lineinfile:
- dest: /etc/cron.d/awstats
- create: yes
- regexp: '-config=awstats'
- line: "10 */6 * * * root umask 033; [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ] && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null"
+- include: awstats.yml
 - name: Remove read permission on some folders (/, /etc, ...)
 shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}"
@@ -313,8 +119,5 @@
 - name: Install Evoadmin
 include_role:
 name: evoadmin
- when: packweb_install_evoadmin
-
-- name: Install web-add script
- include: web-add.yml
- when: not packweb_install_evoadmin
+ vars:
+ evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"
diff --git a/packweb-apache/tasks/php.yml b/packweb-apache/tasks/php.yml
new file mode 100644
index 00000000..ee65fd2f
--- /dev/null
+++ b/packweb-apache/tasks/php.yml
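Review bot: `include_role: name: evoadmin` is now unconditional and the `web-add.yml` include that ran when `packweb_install_evoadmin` was false is gone, so a host that used to opt out of evoadmin now gets the role applied (its user, config file and the `www-evoadmin` shadow-group membership from tasks/web.yml) and only the Apache vhost is toggled; if that is intended, a comment above the task will spare the next reader a `git blame`: `# evoadmin is always installed; packweb_enable_evoadmin_vhost only decides whether its vhost is enabled`. The `vars:` pass-through `"{{ packweb_enable_evoadmin_vhost }}"` keeps its boolean type only because it is a lone Jinja expression; keep it that way (no surrounding text), otherwise `when: not evoadmin_enable_vhost` in web.yml would be evaluated on a non-empty string. The `Install Evoadmin` task is the last one in this hunk, so I cannot see whether anything after it still references `packweb_install_evoadmin`.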
@@ -0,0 +1,64 @@
+---
+
+- name: Install PHP5 packages
+ apt:
+ name: '{{ item }}'
+ state: present
+ with_items:
+ - libapache2-mod-php5
+ - php5
+ - php5-gd
+ - php5-imap
+ - php5-ldap
+ - php5-mcrypt
+ - php5-mysql
+ - php5-pgsql
+ - php-gettext
+ - php5-curl
+ - libssh2-php
+ tags:
+ - apache
+
+- name: Set variables for php config files
+ set_fact:
+ php5_apache5_defaults_file: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
+ php5_apache5_custom_file: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
+
+- name: Set default values for PHP
+ ini_file:
+ dest: "{{ php5_apache5_defaults_file }}"
+ section: PHP
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ mode: "0644"
+ create: yes
+ with_items:
+ - { option: "short_open_tag", value: "Off" }
+ - { option: "expose_php", value: "Off" }
+ - { option: "display_errors", value: "Off" }
+ - { option: "log_errors", value: "On" }
+ - { option: "allow_url_fopen", value: "Off" }
+ notify: reload apache
+
+- name: Disable PHP exec function without evoadmin
+ ini_file:
+ dest: "{{ php5_apache5_defaults_file }}"
+ section: PHP
+ option: disable_functions
+ value: "exec,shell-exec,system,passthru,putenv,popen"
+ when: not packweb_enable_evoadmin_vhost
+
+- name: Don't disable PHP exec function with evoadmin
+ ini_file:
+ dest: "{{ php5_apache5_defaults_file }}"
+ section: PHP
+ option: disable_functions
+ value: "shell-exec,system,passthru,putenv,popen"
+ when: packweb_enable_evoadmin_vhost
+
+- name: Custom php.ini
+ copy:
+ dest: "{{ php5_apache5_custom_file }}"
+ content: |
+ # Put customized values here.
+ force: no
diff --git a/packweb-apache/tasks/phpmyadmin.yml b/packweb-apache/tasks/phpmyadmin.yml
new file mode 100644
index 00000000..cc34067e
--- /dev/null
+++ b/packweb-apache/tasks/phpmyadmin.yml
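Review bot: Both `disable_functions` values list `shell-exec`, which is not a PHP function name (the function is `shell_exec`), so PHP ignores that entry and `shell_exec()` stays callable in both variants of the hardening; change it to `value: "exec,shell_exec,system,passthru,putenv,popen"` and `value: "shell_exec,system,passthru,putenv,popen"`, and consider adding `proc_open`, which offers the same capability. Neither `disable_functions` task carries `notify: reload apache`, unlike `Set default values for PHP` just above, so a change to the list only takes effect when some unrelated handler reloads Apache — add the notify to both. A one-line comment above the first of them explaining why the evoadmin variant keeps `exec` (the web.yml hunk suggests it is needed by the evoadmin vhost) would document the exception instead of leaving it implied by the task names.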
@@ -0,0 +1,26 @@
+---
+
+- name: Install phpmyadmin
+ apt:
+ name: phpmyadmin
+ state: present
+
+- name: Check if phpmyadmin default configuration is present
+ stat:
+ path: /etc/apache2/conf-enabled/phpmyadmin.conf
+ register: pma_default_config
+
+- debug:
+ var: pma_default_config
+ verbosity: 1
+
+- name: Disable phpmyadmin default configuration
+ command: "a2disconf phpmyadmin"
+ register: command_result
+ changed_when: "'Disabling' in command_result.stderr"
+ when: pma_default_config.stat.exists
+
+- name: Change group to www-data for /etc/phpmyadmin/
+ file:
+ dest: /etc/phpmyadmin/
+ group: www-data
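Review bot: `Disable phpmyadmin default configuration` runs `a2disconf phpmyadmin` without `notify: reload apache`, so the package's stock `/phpmyadmin` alias keeps being served until an unrelated handler reloads Apache — add `notify: reload apache` as the awstats task in this commit does. The file is silent about why the default conf is disabled and what replaces it; a header comment such as `# phpmyadmin is served through the evolinux vhosts, not through the package's conf-enabled/phpmyadmin.conf` would help, if that is the reason. `Change group to www-data for /etc/phpmyadmin/` only changes the directory's own group, not the files inside; if the intent is to make the config readable by the web user, say so in a comment or add `recurse: yes`.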