---
# Run the apache role before anything else: the tasks that follow edit files
# under /etc/apache2 and call a2enconf/a2disconf.
# The role path is built from the `roles` variable, which is not defined in
# this file as shown.
- name: Include apache role
  include_role:
    name: '{{ roles }}/apache'
# Populate the account skeleton (/etc/skel) with the per-site layout:
# three directories at 0750 (nothing for "other") and two empty Apache log
# files at 0644 created with state=touch.
- name: Add elements to user account template
  file:
    path: '/etc/skel/{{ item.path }}'
    mode: '{{ item.mode }}'
    state: '{{ item.state }}'
  with_items:
    - path: log
      state: directory
      mode: '0750'
    - path: awstats
      state: directory
      mode: '0750'
    - path: www
      state: directory
      mode: '0750'
    - path: log/access.log
      state: touch
      mode: '0644'
    - path: log/error.log
      state: touch
      mode: '0644'
# Pin DIR_MODE in adduser.conf to 0750: any line matching ^DIR_MODE= is
# replaced by the line below, so the setting ends up present exactly once.
- name: Force DIR_MODE to 0750 in /etc/adduser.conf
  lineinfile:
    dest: /etc/adduser.conf
    line: "DIR_MODE=0750"
    regexp: "^DIR_MODE="
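# Read-only probe: does /etc/apache2/envvars already export a PATH?
# grep exits 0 on a match and 1 when nothing matches; the return code is
# registered as envvar_grep_path for the task that adds the PATH block.
# failed_when is false so that "no match" is not reported as an error. It
# also hides rc=2 (file missing or unreadable), which the next task would
# then treat as "no PATH present".
- name: Check if Apache envvars have a PATH
  command: "grep -E '^export PATH ' /etc/apache2/envvars"
  register: envvar_grep_path
  changed_when: false
  failed_when: false
  # Run the probe under --check as well, so the registered rc always exists.
  # This replaces the deprecated always_run keyword; check_mode as a task
  # keyword needs Ansible 2.2, which include_role in this file already needs.
  check_mode: false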
# Only runs when the grep probe (envvar_grep_path) did not find an
# "export PATH " line. The block is wrapped in BEGIN/END marker comments so
# blockinfile can recognise and maintain it on later runs.
- name: Add a PATH envvar for Apache
  when: envvar_grep_path.rc != 0
  blockinfile:
    dest: /etc/apache2/envvars
    marker: '## {mark} ANSIBLE MANAGED BLOCK FOR PATH'
    block: |
      # Used for Evoadmin-web
      export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Extra Apache packages, installed one apt call per item:
# the ITK MPM plus the mod_evasive and mod_security2 modules. Their
# configuration files are copied and enabled by the tasks that follow.
- name: Additional packages are installed
  apt:
    state: present
    name: "{{ item }}"
  with_items:
    - apache2-mpm-itk
    - libapache2-mod-evasive
    - libapache2-mod-security2
# Ship the role's configuration snippets for ITK, mod_evasive and
# mod_security into conf-available as root:root 0644.
# force=false: a file that already exists on the host is left alone, so
# local edits survive -- and later changes to the role's copy are NOT
# pushed to hosts that already have the file.
- name: Copy Apache settings for modules
  copy:
    src: '{{ item }}'
    dest: '/etc/apache2/conf-available/{{ item }}'
    force: false
    mode: '0644'
    owner: root
    group: root
  with_items:
    - evolinux-itk.conf
    - evolinux-evasive.conf
    - evolinux-modsec.conf
# Enable the three snippets with a2enconf. The command runs on every play;
# "changed" is derived from the word 'Enabling' appearing in stderr.
# NOTE(review): confirm that a2enconf on the target release writes
# 'Enabling' to stderr rather than stdout; if it is stdout, this task never
# reports a change.
# NOTE(review): no handler is notified here, unlike the awstats-icon
# a2enconf task -- verify Apache is reloaded so these confs take effect.
- name: Ensure Apache modules configs are enabled
  command: 'a2enconf {{ item }}'
  with_items:
    - evolinux-itk
    - evolinux-evasive
    - evolinux-modsec
  register: command_result
  changed_when: "'Enabling' in command_result.stderr"
# Read-only query of the installed-package list, never reported as changed.
# The output lands in command_result, a register name reused by several
# tasks in this file; the log2mail template task below reads this result.
- name: Check if log2mail is installed
  command: apt list --installed log2mail
  changed_when: false
  register: command_result
# Dump command_result, shown only when the play runs with -v or higher.
- debug:
    verbosity: 1
    var: command_result
# Install the log2mail rule for Apache segfaults, but only when the
# "apt list --installed" output registered above mentions log2mail.
# force=false keeps an existing /etc/log2mail/config/apache untouched.
- name: Add log2mail config for Apache segfaults
  when: "'log2mail' in command_result.stdout"
  template:
    src: log2mail-apache.j2
    dest: /etc/log2mail/config/apache
    force: false
    mode: '0644'
    owner: root
    group: root
# PHP 5 for Apache (mod_php) and the extensions used on this platform,
# installed one apt call per item. The task carries the "apache" tag.
- name: Install PHP5 packages
  tags:
    - apache
  apt:
    state: present
    name: "{{ item }}"
  with_items:
    - libapache2-mod-php5
    - php5
    - php5-gd
    - php5-imap
    - php5-ldap
    - php5-mcrypt
    - php5-mysql
    - php5-pgsql
    - php-gettext
    - php5-curl
    - libssh2-php
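# Write the platform's PHP defaults for mod_php into the [PHP] section of
# z-evolinux_defaults.ini (created if missing, mode 0644). One ini_file call
# per option; any change notifies the "reload apache" handler.
# Values are quoted so YAML keeps "On"/"Off" as strings instead of booleans.
- name: Set default values in /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
  ini_file:
    dest: /etc/php5/apache2/conf.d/z-evolinux_defaults.ini
    section: PHP
    option: "{{ item.option }}"
    value: "{{ item.value }}"
    mode: "0644"
    create: true
  with_items:
    - option: short_open_tag
      value: "Off"
    # Fixed: the entry was spelled "shell-exec". PHP's function is
    # shell_exec (underscore), so with the hyphen it was never disabled.
    # NOTE(review): proc_open and pcntl_exec are not in this list; confirm
    # that leaving them enabled is intended.
    - option: disable_functions
      value: "exec, shell_exec, system, passthru, putenv, popen"
    - option: expose_php
      value: "Off"
    # Errors are logged, not displayed to the client.
    - option: display_errors
      value: "Off"
    - option: log_errors
      value: "On"
    - option: allow_url_fopen
      value: "Off"
  notify: reload apache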
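# Create an empty placeholder for site-specific PHP overrides. The "zzz-"
# prefix sorts after z-evolinux_defaults.ini in conf.d.
# force=false: the file is written only if it does not exist yet, so local
# customisations are never overwritten.
- name: Custom php.ini
  copy:
    dest: /etc/php5/apache2/conf.d/zzz-evolinux_custom.ini
    # INI comments use ';'. '#' comments are deprecated since PHP 5.3 and
    # raise a deprecation warning when the file is parsed.
    content: |
      ; Put customized values here.
    # Explicit mode, matching the other files this role creates, instead of
    # depending on the umask in effect during the run.
    mode: "0644"
    force: false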
# phpMyAdmin from the distribution package. The Apache configuration the
# package enables by default is switched off again by a later task here.
- name: Install phpmyadmin
  apt:
    state: present
    name: phpmyadmin
# Look for the packaged phpMyAdmin conf under conf-enabled; the stat result
# (pma_default_config.stat.exists) gates the a2disconf task below.
- name: Check if phpmyadmin default configuration is present
  register: pma_default_config
  stat:
    path: /etc/apache2/conf-enabled/phpmyadmin.conf
# Dump the stat result, shown only when the play runs with -v or higher.
- debug:
    verbosity: 1
    var: pma_default_config
# Switch off the stock phpMyAdmin Apache conf, only if it is currently
# enabled (see the stat above).
# NOTE(review): confirm a2disconf writes 'Disabling' to stderr on the target
# release; if it goes to stdout this never reports a change.
# NOTE(review): no handler is notified, so the conf presumably stays active
# until Apache is next reloaded -- verify.
- name: Disable phpmyadmin default configuration
  when: pma_default_config.stat.exists
  command: a2disconf phpmyadmin
  register: command_result
  changed_when: "'Disabling' in command_result.stderr"
# Hand group ownership of /etc/phpmyadmin/ to www-data. A later task sets
# the directory to 750, so together: root and the www-data group can enter
# it, everyone else cannot. Only the group is managed here, not the mode.
- name: Change group to www-data for /etc/phpmyadmin/
  file:
    group: www-data
    dest: /etc/phpmyadmin/
# AWStats from the distribution package; configured by the next tasks.
- name: Install awstats
  apt:
    state: present
    name: awstats
# Maintain a marked block in awstats.conf.local: read the main Apache access
# log, store data under /var/lib/awstats, and turn off several report
# sections (hosts, origin, pages, keyphrases, keywords, HTTP errors).
# SiteDomain is filled from the ansible_hostname fact. File mode is 0644.
- name: Configure awstats
  blockinfile:
    dest: /etc/awstats/awstats.conf.local
    mode: '0644'
    marker: '## {mark} ANSIBLE MANAGED BLOCK FOR PACKWEB'
    block: |
      LogFile="/var/log/apache2/access.log"
      SiteDomain="{{ ansible_hostname }}"
      DirData="/var/lib/awstats"
      ShowHostsStats=0
      ShowOriginStats=0
      ShowPagesStats=0
      ShowKeyphrasesStats=0
      ShowKeywordsStats=0
      ShowHTTPErrorsStats=0
      LogFormat=1
      AllowFullYearView=3
      ErrorMessages="An error occured. Contact your Administrator"
# Publish only the AWStats icon directory: /awstats-icon/ is aliased to
# /usr/share/awstats/icon/ and that one directory is opened to all clients.
# force=false leaves an existing file as it is.
- name: Create conf-available/awstats-icon.conf file
  copy:
    dest: /etc/apache2/conf-available/awstats-icon.conf
    mode: '0644'
    force: false
    content: |
      Alias /awstats-icon/ /usr/share/awstats/icon/
      <Directory /usr/share/awstats/icon/>
      Require All Granted
      </Directory>
# Enable the awstats-icon conf and reload Apache when it was newly enabled.
# NOTE(review): the handler fires only if this task reports "changed", which
# depends on 'Enabling' appearing in stderr -- confirm a2enconf does not
# print it on stdout instead, or the reload is never triggered.
- name: Enable apache awstats-icon configuration
  command: a2enconf awstats-icon
  notify: reload apache
  register: command_result
  changed_when: "'Enabling' in command_result.stderr"
# Make sure /etc/cron.d/awstats holds the update job: as root, at minute 10
# of every sixth hour, with umask 033, and only if awstats.pl is executable,
# its config exists and the access log is readable.
# Any existing line containing "-config=awstats" is replaced by this one.
# The file is created if missing; no mode is set here, so the permissions of
# a newly created file follow the umask of the run.
- name: Create awstats cron
  lineinfile:
    dest: /etc/cron.d/awstats
    create: true
    regexp: "-config=awstats"
    # Folded scalar: the three lines below are joined with single spaces.
    line: >-
      10 */6 * * * root umask 033;
      [ -x /usr/lib/cgi-bin/awstats.pl -a -f /etc/awstats/awstats.conf -a -r /var/log/apache2/access.log ]
      && /usr/lib/cgi-bin/awstats.pl -config=awstats -update >/dev/null
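# Drop the "other" read bit (o-r) on a set of system directories, so
# accounts outside the owner and group can no longer list them. The execute
# bit is not touched, so known paths below them still resolve.
# Each item is handled only if it is a directory (test -d); "changed" is
# taken from chmod --verbose output.
# The list previously named /usr/bin twice; the duplicate has been dropped.
- name: Remove read permission on some folders (/, /etc, ...)
  shell: "test -d {{ item }} && chmod --verbose o-r {{ item }}"
  register: command_result
  changed_when: "'changed' in command_result.stdout"
  # Best-effort: a missing directory is not an error. This also means a
  # chmod that fails is not reported, so the hardening can be silently
  # skipped for an item.
  failed_when: false
  with_items:
    - /
    - /etc
    - /usr
    - /usr/bin
    - /var
    - /var/log
    - /home
    - /bin
    - /sbin
    - /lib
    - /usr/lib
    - /usr/include
    - /usr/sbin
    - /usr/share
    - /usr/share/doc
    - /etc/default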
# Set mode 750 on directories holding package, backup, network and service
# configuration data, removing all access for "other".
# Items that are not directories are skipped by test -d.
# failed_when is false, so neither a missing directory nor a failing chmod
# is reported as an error.
- name: Set 750 permission on some folders (/var/log/apt, /var/log/munin, ...)
  shell: >-
    test -d {{ item }} && chmod --verbose 750 {{ item }}
  with_items:
    - /var/log/apt
    - /var/lib/dpkg
    - /var/log/munin
    - /var/backups
    - /var/cache/apt
    - /etc/init.d
    - /etc/apt
    - /etc/apache2
    - /etc/network
    - /etc/phpmyadmin
    - /var/log/installer
  register: command_result
  failed_when: false
  changed_when: "'changed' in command_result.stdout"
# Strip the setuid bit (u-s) from network diagnostic binaries.
# Files that do not exist are skipped by test -f.
# failed_when is false, so a failing chmod is not reported either.
# NOTE(review): a package upgrade may reinstall these files with their
# packaged mode; presumably this task is re-run regularly -- confirm.
- name: Set u-s permission on some binaries (/bin/ping, /usr/bin/mtr, ...)
  shell: >-
    test -f {{ item }} && chmod --verbose u-s {{ item }}
  with_items:
    - /bin/ping
    - /bin/ping6
    - /usr/bin/fping
    - /usr/bin/fping6
    - /usr/bin/mtr
  register: command_result
  failed_when: false
  changed_when: "'changed' in command_result.stdout"
# Set mode 640 on two files, removing all access for "other".
# Missing files are skipped by test -f; failed_when is false, so a failing
# chmod is not reported.
- name: Set 640 permission on some files (/var/log/evolix.log, ...)
  shell: >-
    test -f {{ item }} && chmod --verbose 640 {{ item }}
  with_items:
    - /var/log/evolix.log
    - /etc/warnquota.conf
  register: command_result
  failed_when: false
  changed_when: "'changed' in command_result.stdout"
# Delete three log files if they exist (state=absent is a no-op otherwise).
# NOTE(review): this removes the files only; whatever writes them is not
# reconfigured here, so they may reappear -- confirm the logging
# configuration is handled elsewhere.
- name: Remove some log files (/var/log/mail.err, ...)
  file:
    state: absent
    path: '{{ item }}'
  with_items:
    - /var/log/debug
    - /var/log/mail.err
    - /var/log/mail.warn