diff --git a/.salt-lint b/.salt-lint index 10cd1967..c7543805 100644 --- a/.salt-lint +++ b/.salt-lint @@ -19,7 +19,8 @@ rules: ignore: | apache/files/Debian/ssl.conf.jinja apache/files/FreeBSD/mod_ssl.conf.jinja - apache/files/tls-defaults.conf.jinja + apache/files/ssl/tls-defaults.conf.jinja + test/salt/pillar/modules.sls skip_list: # Using `salt-lint` for linting other files as well, such as Jinja macros/templates - 205 # Use ".sls" as a Salt State file extension diff --git a/.travis.yml b/.travis.yml index 3f0491b8..28ef4b5d 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -58,35 +58,38 @@ jobs: ## Define the rest of the matrix based on Kitchen testing # Make sure the instances listed below match up with # the `platforms` defined in `kitchen.yml` - - env: INSTANCE=default-debian-10-master-py3 - # - env: INSTANCE=default-ubuntu-1804-master-py3 - # - env: INSTANCE=default-centos-8-master-py3 - # - env: INSTANCE=default-fedora-31-master-py3 - # - env: INSTANCE=default-opensuse-leap-151-master-py3 - # - env: INSTANCE=default-amazonlinux-2-master-py3 - # - env: INSTANCE=default-debian-10-2019-2-py3 - # - env: INSTANCE=default-debian-9-2019-2-py3 - - env: INSTANCE=default-ubuntu-1804-2019-2-py3 - # - env: INSTANCE=default-centos-8-2019-2-py3 - # - env: INSTANCE=default-fedora-31-2019-2-py3 - # - env: INSTANCE=default-opensuse-leap-151-2019-2-py3 - # - env: INSTANCE=default-centos-7-2019-2-py2 - - env: INSTANCE=default-amazonlinux-2-2019-2-py3 - # - env: INSTANCE=default-arch-base-latest-2019-2-py2 - - env: INSTANCE=default-fedora-30-2018-3-py3 - # - env: INSTANCE=default-debian-9-2018-3-py2 - # - env: INSTANCE=default-ubuntu-1604-2018-3-py2 - # - env: INSTANCE=default-centos-7-2018-3-py2 - # - env: INSTANCE=default-opensuse-leap-151-2018-3-py2 - # - env: INSTANCE=default-amazonlinux-1-2018-3-py2 - # - env: INSTANCE=default-arch-base-latest-2018-3-py2 - # - env: INSTANCE=default-debian-8-2017-7-py2 - # - env: INSTANCE=default-ubuntu-1604-2017-7-py2 - - env: INSTANCE=default-centos-6-2017-7-py2 - # - env: INSTANCE=default-fedora-30-2017-7-py2 - # - env: INSTANCE=default-opensuse-leap-151-2017-7-py2 - # - env: INSTANCE=default-amazonlinux-1-2017-7-py2 - # - env: INSTANCE=default-arch-base-latest-2017-7-py2 + - env: INSTANCE=modules-debian-10-master-py3 + # env: INSTANCE=modules-ubuntu-1804-master-py3 + - env: INSTANCE=modules-centos-8-master-py3 + - env: INSTANCE=modules-fedora-31-master-py3 + - env: INSTANCE=modules-opensuse-leap-151-master-py3 + + # https://community.letsencrypt.org/t/localhost-crt-does-not-exist-or-is-empty/103979 + - 
env: INSTANCE=default-amazonlinux-2-master-py3 + + # - env: INSTANCE=modules-debian-10-2019-2-py3 + # - env: INSTANCE=modules-debian-9-2019-2-py3 + - env: INSTANCE=modules-ubuntu-1804-2019-2-py3 + # - env: INSTANCE=modules-centos-8-2019-2-py3 + # - env: INSTANCE=modules-fedora-31-2019-2-py3 + # - env: INSTANCE=suse-opensuse-leap-151-2019-2-py3 + - env: INSTANCE=modules-centos-7-2019-2-py2 + # env: INSTANCE=default-amazonlinux-2-2019-2-py3 + # - env: INSTANCE=modules-arch-base-latest-2019-2-py2 + # env: INSTANCE=modules-fedora-30-2018-3-py3 + # - env: INSTANCE=modules-debian-9-2018-3-py2 + # - env: INSTANCE=modules-ubuntu-1604-2018-3-py2 + # - env: INSTANCE=modules-centos-7-2018-3-py2 + # - env: INSTANCE=modules-opensuse-leap-151-2018-3-py2 + # - env: INSTANCE=modules-amazonlinux-1-2018-3-py2 + # - env: INSTANCE=modules-arch-base-latest-2018-3-py2 + # - env: INSTANCE=modules-debian-8-2017-7-py2 + # - env: INSTANCE=modules-ubuntu-1604-2017-7-py2 + # env: INSTANCE=default-centos-6-2017-7-py2 + # - env: INSTANCE=modules-fedora-30-2017-7-py2 + # - env: INSTANCE=modules-opensuse-leap-151-2017-7-py2 + # - env: INSTANCE=modules-amazonlinux-1-2017-7-py2 + - env: INSTANCE=arch-arch-base-latest-2017-7-py2 ## Define the release stage that runs `semantic-release` - stage: 'release' diff --git a/.yamllint b/.yamllint index 740beca0..cc08fefc 100644 --- a/.yamllint +++ b/.yamllint @@ -12,6 +12,9 @@ ignore: | node_modules/ test/**/states/**/*.sls .kitchen/ + test/salt/pillar/modules.sls + test/salt/pillar/default.sls + pillar.example yaml-files: # Default settings diff --git a/apache/certificates b/apache/certificates new file mode 120000 index 00000000..d391a80b --- /dev/null +++ b/apache/certificates @@ -0,0 +1 @@ +config/certificates/ \ No newline at end of file diff --git a/apache/certificates.sls b/apache/certificates.sls deleted file mode 100644 index c0aaeead..00000000 --- a/apache/certificates.sls +++ /dev/null 
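Review bot: The commented-out matrix entries written as `# env: INSTANCE=…` (for example `# env: INSTANCE=modules-ubuntu-1804-master-py3`) have dropped the `- ` sequence marker that the other commented entries keep, so un-commenting one later yields a stray mapping key inside the `jobs` sequence rather than a new matrix entry; writing them as `# - env: INSTANCE=modules-ubuntu-1804-master-py3` keeps them drop-in. The comment above the list says these names must match the `platforms` in `kitchen.yml`, and `suse-opensuse-leap-151-2019-2-py3` and `arch-arch-base-latest-2017-7-py2` use suite prefixes that differ from the `modules-`/`default-` entries around them; I cannot see `kitchen.yml` here, so it is worth confirming those instance names resolve. The enclosing `jobs` matrix starts before this hunk.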
@@ -1,63 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{%- for site, confcert in salt['pillar.get']('apache:sites', {}).items() %} - -{% if confcert.SSLCertificateKeyFile is defined and confcert.SSLCertificateKeyFile_content is defined %} -# Deploy {{ site }} key file -apache_cert_config_{{ site }}_key_file: - file.managed: - - name: {{ confcert.SSLCertificateKeyFile }} - - contents_pillar: apache:sites:{{ site }}:SSLCertificateKeyFile_content - - makedirs: True - - mode: 600 - - user: root - - group: root - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} - -{% if confcert.SSLCertificateFile is defined and confcert.SSLCertificateFile_content is defined %} -# Deploy {{ site }} cert file -apache_cert_config_{{ site }}_cert_file: - file.managed: - - name: {{ confcert.SSLCertificateFile }} - - contents_pillar: apache:sites:{{ site }}:SSLCertificateFile_content - - makedirs: True - - mode: 600 - - user: root - - group: root - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} - -{% if confcert.SSLCertificateChainFile is defined and confcert.SSLCertificateChainFile_content is defined %} -# Deploy {{ site }} bundle file -apache_cert_config_{{ site }}_bundle_file: - file.managed: - - name: {{ confcert.SSLCertificateChainFile }} - - contents_pillar: apache:sites:{{ site }}:SSLCertificateChainFile_content - - makedirs: True - - mode: 600 - - user: root - - group: root - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} - -{%- endfor %} - diff --git a/apache/clean.sls b/apache/clean.sls new file mode 100644 index 00000000..2cefe7dd --- /dev/null +++ b/apache/clean.sls 
@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+ - .service.clean
+ - .config.clean
+ - .package.clean
diff --git a/apache/config.sls b/apache/config.sls
deleted file mode 100644
index dd3cb9b7..00000000
--- a/apache/config.sls
+++ /dev/null
@@ -1,140 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{{ apache.logdir }}: - file.directory: - - makedirs: True - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{{ apache.configfile }}: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/apache-{{ apache.version }}.config.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - context: - apache: {{ apache | json }} - -{{ apache.vhostdir }}: - file.directory: - - makedirs: True - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if grains['os_family']=="Debian" %} -/etc/apache2/envvars: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{{ apache.portsfile }}: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - context: - apache: {{ apache | json }} - -{% endif %} - -{% if grains['os_family']=="RedHat" %} -{{ apache.confdir }}/welcome.conf: - file.absent: - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} - -{% if grains['os_family']=="Suse" or 
salt['grains.get']('os') == 'SUSE' %} -/etc/apache2/global.conf: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/global.config.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - context: - apache: {{ apache | json }} -{% endif %} - -{% if grains['os_family']=="FreeBSD" %} -/usr/local/etc/{{ apache.service }}/envvars.d/by_salt.env: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{{ apache.portsfile }}: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - context: - apache: {{ apache | json }} -{% endif %} diff --git a/apache/config/certificates/clean.sls b/apache/config/certificates/clean.sls new file mode 100644 index 00000000..e42c4501 --- /dev/null +++ b/apache/config/certificates/clean.sls 
@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_service_running }}
+
+{%- for site, cert in salt['pillar.get']('apache:sites', {}).items() %}
+
+ {%- if cert.SSLCertificateKeyFile is defined %}
+
+apache_cert_config_clean_{{ site }}_key_file:
+ file.absent:
+ - name: {{ cert.SSLCertificateKeyFile }}
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
+ {%- if cert.SSLCertificateFile is defined %}
+
+apache_cert_config_clean_{{ site }}_cert_file:
+ file.absent:
+ - name: {{ cert.SSLCertificateFile }}
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
+ {%- if cert.SSLCertificateChainFile is defined %}
+
+apache_cert_config_clean_{{ site }}_bundle_file:
+ file.managed:
+ - name: {{ cert.SSLCertificateChainFile }}
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
+{%- endfor %}
diff --git a/apache/config/certificates/init.sls b/apache/config/certificates/init.sls
new file mode 100644
index 00000000..d3e55181
--- /dev/null
+++ b/apache/config/certificates/init.sls
@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+ - .install
diff --git a/apache/config/certificates/install.sls b/apache/config/certificates/install.sls
new file mode 100644
index 00000000..6f73f71c
--- /dev/null
+++ b/apache/config/certificates/install.sls
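Review bot: `apache_cert_config_clean_{{ site }}_bundle_file` uses `file.managed` where the sibling key and cert states in this file use `file.absent`; in a clean state that creates an empty file at `SSLCertificateChainFile` (or leaves an existing one in place) instead of removing it. Change the function to `file.absent:` and keep the watch_in/require_in lines as they are. The key and cert states are correct and can serve as the template.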
@@ -0,0 +1,67 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_service_running }}
+
+{%- for site, cert in salt['pillar.get']('apache:sites', {}).items() %}
+
+ {%- if cert.SSLCertificateKeyFile is defined and cert.SSLCertificateKeyFile_content is defined %}
+
+apache_cert_config_install_{{ site }}_key_file:
+ file.managed:
+ - name: {{ cert.SSLCertificateKeyFile }}
+ - contents_pillar: apache:sites:{{ site }}:SSLCertificateKeyFile_content
+ - makedirs: True
+ - mode: 600
+ - user: {{ apache.rootuser }}
+ - group: {{ apache.rootgroup }}
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
+ {%- if cert.SSLCertificateFile is defined and cert.SSLCertificateFile_content is defined %}
+
+apache_cert_config_install_{{ site }}_cert_file:
+ file.managed:
+ - name: {{ cert.SSLCertificateFile }}
+ - contents_pillar: apache:sites:{{ site }}:SSLCertificateFile_content
+ - makedirs: True
+ - mode: 600
+ - user: {{ apache.rootuser }}
+ - group: {{ apache.rootgroup }}
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
+ {%- if cert.SSLCertificateChainFile is defined and cert.SSLCertificateChainFile_content is defined %}
+
+apache_cert_config_install_{{ site }}_bundle_file:
+ file.managed:
+ - name: {{ cert.SSLCertificateChainFile }}
+ - contents_pillar: apache:sites:{{ site }}:SSLCertificateChainFile_content
+ - makedirs: True
+ - mode: 600
+ - user: {{ apache.rootuser }}
+ - group: {{ apache.rootgroup }}
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
+{%- endfor %}
diff --git a/apache/config/clean.sls b/apache/config/clean.sls
new file mode 100644
index 00000000..8644dee3
--- /dev/null
+++ b/apache/config/clean.sls
@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_clean = tplroot ~ '.service.clean' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - .modules.clean
+ - {{ sls_service_clean }}
+
+apache-config-clean-file-absent:
+ file.absent:
+ - names:
+ - {{ apache.config }}
+ - {{ apache.logdir }}
+ - {{ apache.vhostdir }}
+ - /etc/apache2/envvars
+ # apache.portsfile
+ - /etc/apache2/global.conf
+ - /etc/httpd/conf.modules.d
+ - /etc/httpd/sites-enabled
+ - /etc/httpd/var
+ - {{ apache.confdir }}/server-status{{ apache.confext }}
+ - require:
+ - sls: {{ sls_service_clean }}
diff --git a/apache/config/debian_full.sls b/apache/config/debian_full.sls
new file mode 100644
index 00000000..f5c0bf84
--- /dev/null
+++ b/apache/config/debian_full.sls
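Review bot: `apache_cert_config_install_{{ site }}_key_file` writes private key material from `contents_pillar` with `file.managed`'s default `show_changes`, so the first deploy and every key rotation put a unified diff of the key into the state return, the master's job cache and any console output of `state.apply`. Add `- show_changes: False` to that state; the cert and chain states carry public material and can keep the diff. `mode: 600` with `rootuser`/`rootgroup` is right for the key, and stricter than needed but harmless for the cert and chain files.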
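Review bot: `apache-config-clean-file-absent` lists `{{ apache.logdir }}` among the paths to remove, so the clean state wipes the server's access and error logs together with its configuration; if that is intended, a comment on that entry saying so would help, otherwise drop it and leave log retention to logrotate. The other entries are literal paths for several OS families; `file.absent` on a missing path is a no-op, so that is harmless, but a comment above `- names:` such as `# paths for every supported os_family; missing ones are skipped` would save the next reader the question.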
@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_config_registersite = tplroot ~ '.config.register_site' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains.os_family in ('Debian',) %}
+
+include:
+ - {{ sls_package_install }}
+ - {{ sls_service_running }}
+ - {{ sls_config_registersite }}
+
+extend:
+ apache-package-install-pkg-installed:
+ pkg:
+ - order: 175
+ apache-service-running:
+ service:
+ - order: 455
+ apache-service-running-reload:
+ module:
+ - order: 420
+ apache-service-running-restart:
+ module:
+ - order: 425
+
+apache-config-debian-full-cmd-run:
+ cmd.run:
+ - name: a2dissite 000-default{{ apache.confext }} || true
+ - onlyif: test -f /etc/apache2/sites-enabled/000-default{{ apache.confext }}
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ file.absent:
+ - names:
+ - /etc/apache2/sites-available/{{ apache.default_site }}
+ - /etc/apache2/sites-available/{{ apache.default_site_ssl }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+
+ {%- endif %} #END: os = debian
diff --git a/apache/config/file.sls b/apache/config/file.sls
new file mode 100644
index 00000000..feaa184b
--- /dev/null
+++ b/apache/config/file.sls
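Review bot: `a2dissite 000-default{{ apache.confext }} || true` can never report failure, so a broken `a2dissite` leaves the default vhost enabled while the state shows success; the `onlyif` already limits the command to hosts where the site is enabled, so the suffix is not needed and the line can read `- name: a2dissite 000-default{{ apache.confext }}`. The `extend:` block re-orders four states from other files with bare numbers (175, 420, 425, 455); a one-line comment above `extend:` explaining why these orders are needed would help the next maintainer.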
@@ -0,0 +1,166 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} +{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + +apache-config-file-directory-logdir: + file.directory: + - name: {{ apache.logdir }} + - user: {{ apache.user }} + - group: {{ apache.group }} + - recurse: + - user + - group + - makedirs: True + - require: + - sls: {{ sls_package_install }} + - require_in: + - service: apache-service-running + +apache-config-file-directory-vhostdir: + file.directory: + - name: {{ apache.vhostdir }} + - makedirs: True + - require: + - sls: {{ sls_package_install }} + - require_in: + - service: apache-service-running + +apache-config-file-directory-moddir: + file.directory: + - name: {{ apache.moddir }} + - makedirs: True + - require: + - sls: {{ sls_package_install }} + - require_in: + - service: apache-service-running + + {%- if apache.davlockdbdir %} + +apache-config-file-directory-davlockdbdir: + file.directory: + - name: {{ apache.davlockdbdir }} + - makedirs: True + - user: {{ apache.user }} + - group: {{ apache.group }} + - recurse: + - user + - group + - require: + - sls: {{ sls_package_install }} + - require_in: + - service: apache-service-running + + {%- endif %} + {%- if 'sitesdir' in apache and apache.sitesdir %} + +apache-config-file-directory-sites-enabled: + file.directory: + - name: {{ apache.sitesdir }} + - makedirs: True + - require: + - sls: {{ sls_package_install }} + - require_in: + - service: apache-service-running + + {%- endif %} + {%- if grains.os_family in ('Debian',) and 'confdir' in apache and apache.confdir %} + +apache-config-file-directory-conf-enabled: + file.directory: + - name: {{ apache.confdir }} + - makedirs: True 
+ - require: + - sls: {{ sls_package_install }} + - require_in: + - service: apache-service-running + + {%- endif %} + +apache-config-file-managed: + file.managed: + - name: {{ apache.config }} + - source: 'salt://apache/files/{{ grains.os_family }}/apache-{{ apache.version }}.config.jinja' + - mode: 644 + - user: {{ apache.rootuser }} + {%- if grains.kernel != 'Windows' %} + - group: {{ apache.rootgroup }} + {%- endif %} + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - require: + - sls: {{ sls_package_install }} + - context: + apache: {{ apache | json }} + + {%- if grains.os_family in ('Debian', 'FreeBSD') %} + +apache-config-file-managed-{{ grains.os }}-env: + file.managed: + - name: /etc/apache2/envvars + - source: 'salt://apache/files/{{ grains.os_family }}/envvars-{{ apache.version }}.jinja' + - mode: 644 + - user: {{ apache.rootuser }} + - group: {{ apache.rootgroup }} + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache | json }} + - require_in: + - file: apache-config-file-managed-{{ grains.os }}-ports + +apache-config-file-managed-{{ grains.os }}-ports: + file.managed: + - name: {{ apache.portsfile }} + - source: salt://apache/files/{{ grains.os_family }}/ports-{{ apache.version }}.conf.jinja + - mode: 644 + - user: {{ apache.rootuser }} + - group: {{ apache.rootgroup }} + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache | json }} + + {%- elif grains.os_family == "RedHat" %} + +apache-config-file-absent-{{ grains.os }}: + file.absent: + - name: {{ apache.confdir }}/welcome.conf + + {%- elif grains.os_family == "Suse" %} + +apache-config-file-managed-{{ grains.os }}: + file.managed: + - name: /etc/apache2/global.conf + - source: 'salt://apache/files/Suse/global.config.jinja' + - mode: 644 + - user: {{ apache.rootuser }} + - group: {{ apache.rootgroup }} + - makedirs: True + - template: {{ 
apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache | json }} + + {%- else %} + +apache-config-file-managed-skip: + test.show_notification: + - text: | + No configuration file to manage + + {%- endif %} + - require: + - sls: {{ sls_package_install }} + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - service: apache-service-running diff --git a/apache/config/flags.sls b/apache/config/flags.sls new file mode 100644 index 00000000..3846a376 --- /dev/null +++ b/apache/config/flags.sls 
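Review bot: `apache-config-file-managed`, the state for the main `{{ apache.config }}` file, carries only `require` on the package install; the trailing `require`/`watch_in`/`require_in` block after the last `{%- endif %}` attaches to whichever state was rendered last (the ports file on Debian/FreeBSD, `welcome.conf` on RedHat, `global.conf` on Suse, the notification otherwise), so a changed main config no longer triggers `apache-service-running-restart`, which the deleted `apache/config.sls` did with `watch_in`. Add `- watch_in:` / `  - module: apache-service-running-restart` to `apache-config-file-managed`, and the same to the Debian `envvars` state, which only has `require_in` on the ports file. A short comment above the trailing block stating that it applies to the last rendered state only would make the structure clear to the next reader.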
@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
+
+ {%- if grains.os_family == 'Suse' %}
+
+include:
+ - {{ sls_package_install }}
+ - {{ sls_service_running }}
+
+ {%- for flag in salt['pillar.get']('apache:flags:enabled', []) %}
+
+apache-config-flags-{{ flag }}-cmd-a2en:
+ cmd.run:
+ - name: a2enflag {{ flag }}
+ - unless: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 |grep {{ flag }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endfor %}
+ {%- for flag in salt['pillar.get']('apache:flags:disabled', []) %}
+
+apache-config-flags-{{ flag }}-a2dis:
+ cmd.run:
+ - name: a2disflag -f {{ flag }}
+ - onlyif: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+ {%- endfor %}
+
+ {%- endif %}
diff --git a/apache/config/init.sls b/apache/config/init.sls
new file mode 100644
index 00000000..16c55a46
--- /dev/null
+++ b/apache/config/init.sls
@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+ - .file
+ # .modules.clean # disable (exclude from init state)
+ # .modules # enable by default (read pillars)
+ - .debian_full
+ - .flags
+ - .logrotate
+ - .manage_security
+ - .no_default_vhost
+ - .own_default_vhost
+ - .register_site
+ - .vhosts
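Review bot: The `unless`/`onlyif` guards use `grep {{ flag }}` on the `APACHE_SERVER_FLAGS=` line, which is a substring match, so a flag such as `SSL` is treated as already enabled when only a longer flag containing that text is set, and a disable runs in the same situation; `grep -w {{ flag }}` makes the check exact. The flag comes from pillar and is interpolated unquoted into both the command and the guard; quoting it (`a2enflag '{{ flag }}'`) keeps an unexpected pillar value from being re-parsed by the shell. `files_switch` is imported from `libtofs.jinja` but never used in this file and can be dropped.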
diff --git a/apache/config/logrotate.sls b/apache/config/logrotate.sls
new file mode 100644
index 00000000..47ab75ed
--- /dev/null
+++ b/apache/config/logrotate.sls
@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+apache-config-logrotate-file-managed:
+ file.managed:
+ - name: {{ apache.logrotatedir }}
+ - makedirs: True
+ - contents: |
+ {{ apache.logdir }}/*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ postrotate
+ if /etc/init.d/{{ apache.service }} status >/dev/null; then \
+ /etc/init.d/{{ apache.service }} reload >/dev/null; \
+ fi;
+ endscript
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+ run-parts /etc/logrotate.d/httpd-prerotate; \
+ fi; \
+ endscript
+ }
diff --git a/apache/config/manage_security.sls b/apache/config/manage_security.sls
new file mode 100644
index 00000000..495af195
--- /dev/null
+++ b/apache/config/manage_security.sls
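Review bot: In the `prerotate` block the line `fi; \` ends with a continuation backslash that the matching `postrotate` block does not have, so the `fi;` is joined with the `endscript` that follows; drop the trailing backslash so the line reads `fi;` like the one in `postrotate`. The generated config hard-codes `create 640 root adm` and `/etc/init.d/{{ apache.service }}`, which are Debian conventions, while this file is included for every os_family from `config/init.sls`; either guard it with an os_family check or take the group and reload command from `map.jinja` (I cannot see `map.jinja` here to say which keys exist). The state ID ends in `file-managed` but the key is `apache.logrotatedir`; a comment saying that this is the path of the logrotate config file would remove the ambiguity. Unlike the other config states in this change, the file state also sets no `user`/`group`/`mode` and no `require` on the package install.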
@@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains.os_family in ('Debian', 'FreeBSD') %}
+
+include:
+ - {{ sls_package_install }}
+ - {{ sls_service_running }}
+
+apache-config-manage-security-{{ grains.os_family }}:
+ file.managed:
+ {%- if grains.os_family == "Debian" %}
+
+ - onlyif: test -f /etc/apache2/conf-available/security.conf
+ - name: /etc/apache2/conf-available/security.conf
+
+ {%- elif grains.os_family == "FreeBSD" %}
+
+ - name: {{ apache.confdir + '/security.conf' }}
+
+ {%- endif %}
+ - source:
+ - salt://apache/files/{{ grains.os_family }}/security.conf.jinja
+ - salt://apache/files/ssl/security.conf.jinja
+ - mode: 644
+ - makedirs: True
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - context:
+ apache: {{ apache | json }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/clean.sls b/apache/config/modules/clean.sls
new file mode 100644
index 00000000..057f3638
--- /dev/null
+++ b/apache/config/modules/clean.sls
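Review bot: `apache-config-manage-security-{{ grains.os_family }}` sets `mode: 644` but no `user`/`group`, unlike the other `file.managed` states in this change, which pass `{{ apache.rootuser }}`/`{{ apache.rootgroup }}`; add `- user: {{ apache.rootuser }}` and `- group: {{ apache.rootgroup }}` so ownership is enforced rather than inherited from whatever created the file. The second `source` entry, `salt://apache/files/ssl/security.conf.jinja`, is used silently when the os_family-specific template is missing; a comment above `- source:` stating that fallback would help the next reader.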
@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_clean = tplroot ~ '.package.clean' %}
+{%- set sls_service_dead = tplroot ~ '.service.clean' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_service_dead }}
+
+ {%- set existing_states = salt['cp.list_states']() %}
+ {%- for module in salt['pillar.get']('apache:modules:disabled', []) %}
+apache-config-modules-{{ module }}-disable:
+
+ {%- if grains['os_family']=="Debian" %}
+
+ cmd.run:
+ - name: a2dismod -f {{ module }}
+ - onlyif: ls {{ apache.moddir }}/{{ module }}.load
+
+ {%- elif grains.os_family in ('Redhat', 'Arch') %}
+
+ cmd.run:
+ - name: find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;
+ - onlyif:
+ - test -d /etc/httpd
+ - {{ grains.os_family in ('Arch',) and 'true' }} || (httpd -M 2> /dev/null |grep "[[:space:]]{{ module }}_module")
+ file.absent:
+ - name: /etc/httpd/conf.modules.d/*{{ module }}.conf
+
+ {%- elif salt['grains.get']('os_family') == 'Suse' %}
+
+ cmd.run:
+ - name: a2dismod {{ module }}
+ - onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep {{ module }}
+
+ {%- else %}
+
+ test.show_notification:
+ - text: |
+ No {{ module }} module change
+
+ {%- endif %}
+
+ - order: 225
+ - require:
+ - sls: {{ sls_service_dead }}
+ - require_in:
+ - pkg: apache-package-clean-pkg-removed
+
+ {%- endfor %}
diff --git a/apache/config/modules/init.sls b/apache/config/modules/init.sls
new file mode 100644
index 00000000..6fe9fae0
--- /dev/null
+++ b/apache/config/modules/init.sls
@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+ - .install
+ - .mod_rewrite
+ - .mod_proxy
+ - .mod_headers
+ {%- if 'osfinger' in grains and grains.osfinger not in ('Amazon Linux-2',) %}
+ - .mod_geoip
+ {%- endif %}
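Review bot: The branch `{%- elif grains.os_family in ('Redhat', 'Arch') %}` tests the spelling `Redhat`, while the grain value and the sibling `modules/install.sls` use `RedHat`, so on RedHat-family hosts this branch is never taken and the disable falls through to the `test.show_notification` placeholder; change it to `('RedHat', 'Arch')`. In the same branch `file.absent` is given `/etc/httpd/conf.modules.d/*{{ module }}.conf`; `file.absent` takes a literal path and, as far as I know, does not expand globs, so that conf file is left in place. `{{ grains.os_family in ('Arch',) and 'true' }}` renders as `False` on non-Arch hosts, which the shell runs as a command named `False` that merely happens not to exist; `{{ 'true' if grains.os_family == 'Arch' else 'false' }}` says what is meant, here and in the `onlyif` of `modules/install.sls`. `existing_states` is assigned and never used in either file.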
diff --git a/apache/config/modules/install.sls b/apache/config/modules/install.sls
new file mode 100644
index 00000000..a3a67343
--- /dev/null
+++ b/apache/config/modules/install.sls
@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_config_file = tplroot ~ '.config.file' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_config_file }}
+
+ {% set existing_states = salt['cp.list_states']() %}
+ {% for module in salt['pillar.get']('apache:modules:enabled', []) %}
+apache-config-modules-{{ module }}-enable:
+
+ {% if grains['os_family']=="Debian" %}
+
+ cmd.run:
+ - name: a2enmod -f {{ module }}
+ - onlyif: ls {{ apache.moddir }}/{{ module }}.load
+
+ {% elif grains.os_family in ('RedHat', 'Arch') %}
+
+ cmd.run:
+ - name: find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;
+ - onlyif: {{ grains.os_family in ('Arch',) and 'true' }} || (httpd -M 2> /dev/null |grep "[[:space:]]{{ module }}_module")
+
+ {% elif salt['grains.get']('os_family') == 'Suse' %}
+
+ cmd.run:
+ - name: a2enmod {{ module }}
+ - onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 |grep {{ module }}
+
+ {% else %}
+
+ test.show_notification:
+ - text: |
+ No {{ module }} module change
+
+ {%- endif %}
+ - order: 225
+ - require:
+ - sls: {{ sls_config_file }}
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+
+ {%- endfor %}
diff --git a/apache/config/modules/mod_actions.sls b/apache/config/modules/mod_actions.sls
new file mode 100644
index 00000000..29608b0f
--- /dev/null
+++ b/apache/config/modules/mod_actions.sls
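Review bot: In the RedHat branch the `onlyif` runs the uncommenting `sed` only when `httpd -M` already lists `{{ module }}_module`; if I read `httpd -M` correctly (it prints the modules currently loaded), a module whose `LoadModule` line is commented out is not listed, so the guard is false exactly when the edit is needed and the enable never happens. The inverse check is what `modules/clean.sls` uses for disabling; here it should be `unless:` rather than `onlyif:`, or the guard should test the config file for a commented `LoadModule` line instead. The Jinja tags in this file use `{% … %}` without the `-` whitespace control the rest of the change uses, which leaves blank lines in the rendered state; `{%- … %}` would keep it consistent.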
@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-modules-actions-cmd-run:
+ cmd.run:
+ - name: a2enmod actions
+ - unless:
+ - ls {{ apache.moddir }}/actions.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep actions
+ - order: 255
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_cgi.sls b/apache/config/modules/mod_cgi.sls
new file mode 100644
index 00000000..766d5a26
--- /dev/null
+++ b/apache/config/modules/mod_cgi.sls
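Review bot: The `unless` guard `ls {{ apache.moddir }}/actions.load` skips `a2enmod actions` whenever that file exists, while `modules/install.sls` uses the same `ls {{ apache.moddir }}/{{ module }}.load` as an `onlyif` precondition for `a2enmod`; the two readings of `moddir` contradict each other, and if `moddir` is the mods-available directory (which the install.sls usage suggests) this state never enables the module on Debian. I cannot see `map.jinja` here, so please confirm which directory `moddir` points at and make the guards agree; `mod_dav_svn.sls`, `mod_fastcgi.sls` and `mod_fcgid.sls` use the same `unless` pattern. The Suse half of the guard, `grep actions`, is a substring match on `APACHE_MODULES=`; `grep -w actions` makes it exact.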
@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains['os_family']=="FreeBSD" %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-modules-cgi-cmd-run:
+ file.managed:
+ - name: {{ apache.modulesdir }}/040_mod_cgi.conf
+ - source: salt://apache/files/FreeBSD/mod_cgi.conf.jinja
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - makedirs: True
+ - context:
+ apache: {{ apache|json }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+ - mode: 644
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_dav_svn.sls b/apache/config/modules/mod_dav_svn.sls
new file mode 100644
index 00000000..0713f8c0
--- /dev/null
+++ b/apache/config/modules/mod_dav_svn.sls
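Review bot: The state ID `apache-config-modules-cgi-cmd-run` names a `cmd.run`, but the state is a `file.managed`; the other IDs in this change encode the state function, so `apache-config-modules-cgi-file-managed` would keep the convention and avoid a misleading requisite target. `- mode: 644` sits after the requisites, separated from `name`/`source`/`template`; moving it next to the other file arguments, and adding `- user: {{ apache.rootuser }}` / `- group: {{ apache.rootgroup }}` as the other `file.managed` states do, would make the block read like its siblings.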
@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains['os_family'] == "Debian" %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-modules-dav_svn_pkg_installed:
+ pkg.installed:
+ - name: libapache2-mod-svn
+
+apache-config-modules-dav_svn_cmd-run-a2en:
+ cmd.run:
+ - name: a2enmod dav_svn
+ - unless: ls {{ apache.moddir }}/dav_svn.load
+ - order: 255
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - pkg: apache-config-modules-dav_svn_pkg_installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+apache-config-modules-dav_svn_cmd-run-a2en-authz:
+ cmd.run:
+ - name: a2enmod authz_svn
+ - unless: ls {{ apache.moddir }}/authz_svn.load
+ - order: 255
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - pkg: apache-config-modules-dav_svn_pkg_installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_fastcgi.sls b/apache/config/modules/mod_fastcgi.sls
new file mode 100644
index 00000000..2f6a1847
--- /dev/null
+++ b/apache/config/modules/mod_fastcgi.sls
@@ -0,0 +1,49 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + + {%- if grains['os_family'] == "Debian" %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + - .mod_actions + +apache-config-modules-fastcgi-pkg: + pkgrepo.managed: + - name: "deb http://ftp.us.debian.org/debian {{ grains['oscodename'] }}" + - file: /etc/apt/sources.list.d/non-free.list + - onlyif: grep Debian /proc/version >/dev/null 2>&1 + - comps: non-free + pkg.installed: + - name: {{ apache.mod_fastcgi }} + - order: 180 + - require: + - pkgrepo: apache-config-modules-fastcgi-pkg + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + +apache-config-modules-fastcgi_cmd-run: + cmd.run: + - name: a2enmod fastcgi + - unless: ls {{ apache.moddir }}/fastcgi.load + - order: 225 + - require: + - pkg: mod-fastcgi + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_fcgid.sls b/apache/config/modules/mod_fcgid.sls new file mode 100644 index 00000000..bfac6fcb --- /dev/null +++ b/apache/config/modules/mod_fcgid.sls 
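Review bot: `- require: - pkg: mod-fastcgi` in `apache-config-modules-fastcgi_cmd-run` names a state id that does not exist in this file; the package state above it is `apache-config-modules-fastcgi-pkg`, so unless `{{ apache.mod_fastcgi }}` happens to render to exactly `mod-fastcgi` the requisite is reported as not found and the state errors. Change it to `- pkg: apache-config-modules-fastcgi-pkg`; the mod_php5 hunk carries the same stale reference (`- pkg: mod-php5` where the id is `apache-config-modules-php5-pkg`). The `pkgrepo.managed` also hard-codes a plain-http `ftp.us.debian.org` URL in the state itself; sourcing it from map.jinja like the package name would let deployments point at a local or https mirror and keeps the non-free repo decision visible in one place.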
@@ -0,0 +1,35 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + +apache-config-modules-fcgid-pkg: + pkg.installed: + - name: {{ apache.mod_fcgid }} + - order: 180 + - require: + - pkg: apache-package-install-pkg-installed + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + + cmd.run: + - name: a2enmod fcgid + - order: 225 + - unless: ls {{ apache.moddir }}/fcgid.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' fcgid' + - require: + - pkg: apache-config-modules-fcgid-pkg + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_geoip.sls b/apache/config/modules/mod_geoip.sls new file mode 100644 index 00000000..7d76b3aa --- /dev/null +++ b/apache/config/modules/mod_geoip.sls 
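Review bot: The `pkg.installed` under `apache-config-modules-fcgid-pkg` has no `watch_in`/`require_in` toward `apache-service-running-restart`, unlike the otherwise identical `apache-config-modules-perl-pkg` in the mod_perl2 hunk; on families where the `a2enmod fcgid` cmd.run is not rendered (anything other than Suse/Debian), installing the module therefore never orders against, or restarts, the service. Adding the same `- watch_in:` / `- require_in:` block to the pkg.installed would make the behaviour consistent with mod_perl2 and mod_security.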
@@ -0,0 +1,87 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + + {%- if 'mod_geoip' in apache and 'finger' in grains and grains.osfinger not in ('Leap-42',) %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + +apache-config-modules-geoip-pkg: + pkg.installed: + - pkgs: + - {{ apache.mod_geoip }} + - {{ apache.mod_geoip_database }} + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- if grains['os_family']=="RedHat" %} + +apache-config-modules-geoip-conf-file-managed: + file.managed: + - name: {{ apache.confdir }}/geoip.conf + - user: {{ apache.rootuser }} + - group: {{ apache.rootgroup }} + - makedirs: True + - mode: 644 + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - source: + - salt://apache/files/{{ salt['grains.get']('os_family') }}/geoip.conf + +apache-config-modules-geoip-db-file-managed: + file.managed: + - name: /usr/share/GeoIP/GeoIP.dat + - user: {{ apache.rootuser }} + - group: {{ apache.rootgroup }} + - makedirs: True + - mode: 644 + - source: + - salt://apache/files/{{ salt['grains.get']('os_family') }}/GeoIP.dat + +apache-config-modules-geoip-{{ grains.os_family }}-conf-file-managed: + file.managed: + - name: {{ apache.moddir }}/10-geoip.conf + - makedirs: True + - source: + - salt://apache/files/RedHat/conf.modules.d/10-geoip.conf.jinja + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: 
apache-service-running-reload + - service: apache-service-running + + {%- elif grains['os_family'] in ('Suse', 'Debian',) %} + +apache-config-modules-geoip-cmd-run: + cmd.run: + - name: a2enmod geoip + - unless: ls {{ apache.moddir }}/geoip.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep geoip + - order: 255 + - require: + - pkg: apache-package-install-pkg-installed + - pkg: apache-config-modules-geoip-pkg + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} + {%- endif %} diff --git a/apache/config/modules/mod_headers.sls b/apache/config/modules/mod_headers.sls new file mode 100644 index 00000000..7fa5e719 --- /dev/null +++ b/apache/config/modules/mod_headers.sls @@ -0,0 +1,29 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + +apache-config-modules-headers-pkg: + cmd.run: + - name: a2enmod headers + - unless: ls {{ apache.moddir }}/headers.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep headers + - order: 255 + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_logio.sls b/apache/config/modules/mod_logio.sls new file mode 100644 index 00000000..48e7be32 --- /dev/null +++ b/apache/config/modules/mod_logio.sls 
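Review bot: The guard `'finger' in grains` on the outer `{%- if %}` tests a grain key that does not exist in core grains (the key read on the same line is `osfinger`), so unless a custom `finger` grain is set, the entire file renders empty on every platform. It should read `'osfinger' in grains and grains.osfinger not in ('Leap-42',)`. The two RedHat `file.managed` states for `geoip.conf` and `GeoIP.dat` also lack the `require`/`watch_in` block every other state in the file carries, so a changed database or config is written but does not restart the service.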
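Review bot: The state id `apache-config-modules-headers-pkg` names a package state but holds only a `cmd.run` (`a2enmod headers`); the `...-cmd-run-a2en` form used in mod_dav_svn and mod_remoteip fits the convention better, e.g. `apache-config-modules-headers-cmd-run-a2en`. The same `-pkg` id on a bare cmd.run appears in the mod_logio, mod_mpm, mod_proxy, mod_proxy_ajp, mod_proxy_fcgi and mod_proxy_http hunks. Ids are what other states `require`, so renaming is cheapest now, before anything outside this patch depends on them.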
@@ -0,0 +1,29 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + +apache-config-modules-logio-pkg: + cmd.run: + - name: a2enmod logio + - unless: ls {{ apache.moddir }}/logio.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep logio + - order: 255 + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_mpm.sls b/apache/config/modules/mod_mpm.sls new file mode 100644 index 00000000..cfb1bcc4 --- /dev/null +++ b/apache/config/modules/mod_mpm.sls 
@@ -0,0 +1,84 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} +{%- set mpm_module = salt['pillar.get']('apache:mpm:module', 'mpm_prefork') %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +apache-config-modules-mpm-pkg: + cmd.run: + - name: a2enmod {{ mpm_module }} + - unless: ls {{ apache.moddir }}/{{ mpm_module }}.load + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + file.managed: + - name: /etc/apache2/mods-available/{{ mpm_module }}.conf + - template: {{ apache.get('template_engine', 'jinja') }} + - makedirs: True + - context: + apache: {{ apache|json }} + - source: + - salt://apache/files/Debian/mpm/{{ mpm_module }}.conf.jinja + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + # Deactivate the other mpm modules as a previous step + {%- for mod in ['mpm_prefork', 'mpm_worker', 'mpm_event'] if not mod == mpm_module %} + +apache-config-modules-mpm-{{ mod }}-cmd-run: + cmd.run: + - name: a2dismod {{ mod }} + - onlyif: ls {{ apache.moddir }}/{{ mod }}.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' {{ mod }}' + - require: + - pkg: apache-package-install-pkg-installed + - require_in: + - cmd: a2enmod {{ mpm_module }} + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - 
module: apache-service-running-reload + - service: apache-service-running + + {%- endfor %} + {%- elif grains['os_family']=="RedHat" %} + +apache-config-modules-mpm-{{ grains.os_family }}-conf-file-managed: + file.managed: + - name: {{ apache.moddir }}/00-mpm.conf + - template: {{ apache.get('template_engine', 'jinja') }} + - makedirs: True + - context: + apache: {{ apache|json }} + - source: + - salt://apache/files/RedHat/conf.modules.d/00-{{ mpm_module }}.conf.jinja + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_pagespeed.sls b/apache/config/modules/mod_pagespeed.sls new file mode 100644 index 00000000..1b9ad3b9 --- /dev/null +++ b/apache/config/modules/mod_pagespeed.sls 
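Review bot: Each `apache-config-modules-mpm-{{ mod }}-cmd-run` state lists `require_in` twice (once with `cmd: a2enmod {{ mpm_module }}`, once with the service/module targets); whether both lists are honoured or the later one shadows the earlier depends on how Salt compiles the argument list, so merge them into one `require_in` list and reference the target by id, `- cmd: apache-config-modules-mpm-pkg`, instead of matching on its `name`. The `file.managed` under `apache-config-modules-mpm-pkg` also hard-codes `/etc/apache2/mods-available/{{ mpm_module }}.conf` with a `files/Debian/...` source inside a branch that covers Suse as well; the `onlyif` in the same file greps `/etc/sysconfig/apache2` on SUSE, which suggests `mods-available` is not the mechanism there, so `makedirs: True` would leave an orphaned file. Using `{{ apache.moddir }}` or restricting that state to Debian would avoid it.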
@@ -0,0 +1,68 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} +{%- set pagespeed_module = salt['pillar.get']('apache:pagespeed:module', 'pagespeed_prefork') %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +apache-config-modules-pagespeed-pkg: + pkg.installed: + - name: {{ apache.mod_pagespeed }} + - sources: + - mod-pagespeed-stable: {{ apache.mod_pagespeed_source }} + cmd.run: + - name: a2enmod pagespeed + - unless: ls {{ apache.moddir }}/pagespeed.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep pagespeed + - order: 255 + - require: + - pkg: apache-config-modules-pagespeed-pkg + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- for dir in ['/var/cache/mod_pagespeed', '/var/log/pagespeed'] %} + +apache-config-modules-pagespeed-{{ dir }}-file-directory: + file.directory + - name: {{ dir }} + - makedirs: true + - user: {{ apache.user }} + - group: {{ apache.group }} + - require: + - pkg: apache-config-modules-pagespeed-pkg + - user: {{ apache.user }} + - group: {{ apache.group }} + + {%- endfor %} + # Here we hardcode a logrotate entry to take care of the logs + +apache-config-modules-pagespeed-logrotate-file-managed: + file.managed: + - name: /etc/logrotate.d/pagespeed + - contents: | + /var/log/pagespeed/*.log { + weekly + missingok + rotate 52 + compress + delaycompress + notifempty + sharedscripts + postrotate + if /etc/init.d/apache2 status > /dev/null ; then \ + /etc/init.d/apache2 reload > /dev/null; \ + fi; + endscript + } + {%- endif %} 
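Review bot: `file.directory` inside the `{%- for dir in ... %}` loop is missing its trailing colon, so on Suse/Debian the rendered SLS is not valid YAML (`- name: {{ dir }}` becomes a sibling of the state function rather than its argument) and the whole file fails to load; write `file.directory:`. That same state also requires `- user: {{ apache.user }}` and `- group: {{ apache.group }}` states that nothing in this hunk defines, so unless an included state creates them those requisites will be reported as not found. The logrotate `file.managed` below the loop has no `require` on the package or the `/var/log/pagespeed` directory it rotates.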
diff --git a/apache/config/modules/mod_perl2.sls b/apache/config/modules/mod_perl2.sls new file mode 100644 index 00000000..6d5578b4 --- /dev/null +++ b/apache/config/modules/mod_perl2.sls @@ -0,0 +1,60 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + +apache-config-modules-perl-pkg: + pkg.installed: + - name: {{ apache.mod_perl2 }} + - order: 180 + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + + cmd.run: + - name: a2enmod perl + - unless: ls {{ apache.moddir }}/perl.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' perl' + - order: 225 + - require: + - pkg: apache-config-modules-perl-pkg + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- elif grains['os_family']=="FreeBSD" %} + + file.managed: + - name: {{ apache.modulesdir }}/260_mod_perl.conf + - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_perl.conf.jinja + - mode: 644 + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} 
diff --git a/apache/config/modules/mod_php5.sls b/apache/config/modules/mod_php5.sls new file mode 100644 index 00000000..63ce590f --- /dev/null +++ b/apache/config/modules/mod_php5.sls 
@@ -0,0 +1,84 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + + +apache-config-modules-php5-pkg: + pkg.installed: + - name: {{ apache.mod_php5 }} + - order: 180 + - require: + - pkg: apache-package-install-pkg-installed + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + + cmd.run: + - name: a2enmod php5 + - unless: ls {{ apache.moddir }}/php5.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' php5' + - order: 225 + - require: + - pkg: mod-php5 + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- if 'apache' in pillar and 'php-ini' in pillar['apache'] %} + + file.managed: + - name: /etc/php5/apache2/php.ini + - source: {{ pillar['apache']['php-ini'] }} + - order: 225 + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + - require: + - pkg: apache-package-install-pkg-installed + - pkg: apache-config-modules-php5-pkg + + {%- endif %} + {%- elif grains['os_family']=="FreeBSD" %} + + file.managed: + - name: {{ apache.modulesdir }}/050_mod_php5.conf + - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_php5.conf.jinja + - mode: 644 + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - 
module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- elif grains['os_family']=="Suse" %} + + file.replace: + - name: /etc/sysconfig/apache2 + - unless: grep '^APACHE_MODULES=.*php5' /etc/sysconfig/apache2 + - pattern: '^APACHE_MODULES=(.*)"' + - repl: 'APACHE_MODULES=\1 php5"' + + {%- endif %} diff --git a/apache/config/modules/mod_proxy.sls b/apache/config/modules/mod_proxy.sls new file mode 100644 index 00000000..745a907d --- /dev/null +++ b/apache/config/modules/mod_proxy.sls 
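Review bot: The `{%- elif grains['os_family']=="Suse" %}` branch holding the `file.replace` on `/etc/sysconfig/apache2` is unreachable, because Suse is already matched by the first `in ('Suse', 'Debian',)` branch, so the `APACHE_MODULES` edit never renders. Either drop it, or test SUSE before Debian and keep `a2enmod php5` for Debian only. The php.ini `file.managed` under the same id also carries `order: 225`, which is redundant once it `require`s the package states and can reorder it unexpectedly relative to the `order: 180` pkg.installed.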
@@ -0,0 +1,49 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +apache-config-modules-proxy-pkg: + cmd.run: + - name: a2enmod proxy + - unless: ls {{ apache.moddir }}/proxy.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' proxy' + - order: 225 + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- elif grains['os_family']=="FreeBSD" %} + +apache-config-modules-proxy-file-managed: + file.managed: + - name: {{ apache.modulesdir }}/040_mod_proxy.conf + - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy.conf.jinja + - mode: 644 + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_proxy_ajp.sls b/apache/config/modules/mod_proxy_ajp.sls new file mode 100644 index 00000000..03567aff --- /dev/null +++ b/apache/config/modules/mod_proxy_ajp.sls 
@@ -0,0 +1,51 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + - .mod_proxy + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +apache-config-modules-proxy_ajp-pkg: + cmd.run: + - name: a2enmod proxy_ajp + - unless: ls {{ apache.moddir }}/proxy_ajp.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_ajp + - order: 225 + - require: + - pkg: apache-package-install-pkg-installed + # cmd: a2enmod proxy + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- elif grains['os_family']=="FreeBSD" %} + +apache-config-modules-proxy_ajp-file-managed: + file.managed: + - name: {{ apache.modulesdir }}/040_mod_proxy_ajp.conf + - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy_ajp.conf.jinja + - mode: 644 + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_proxy_fcgi.sls b/apache/config/modules/mod_proxy_fcgi.sls new file mode 100644 index 00000000..b47a4e7c --- /dev/null +++ b/apache/config/modules/mod_proxy_fcgi.sls 
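Review bot: The commented-out `# cmd: a2enmod proxy` under `require` leaves ordering against mod_proxy to `include` alone, which guarantees nothing about execution order; if the intent is to enable proxy first, reference the included state by id, `- cmd: apache-config-modules-proxy-pkg`, otherwise drop the dead comment. The same commented requisite appears in the mod_proxy_fcgi and mod_proxy_http hunks. Debian's `a2enmod` may resolve the dependency on its own, but an explicit requisite keeps the failure mode deterministic when mod_proxy has not been enabled.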
@@ -0,0 +1,31 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + - .mod_proxy + +apache-config-modules-proxy_fcgi-pkg: + cmd.run: + - name: a2enmod proxy_fcgi + - unless: ls {{ apache.moddir }}/proxy_fcgi.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_fcgi + - order: 225 + - require: + - pkg: apache-package-install-pkg-installed + # cmd: a2enmod proxy + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_proxy_http.sls b/apache/config/modules/mod_proxy_http.sls new file mode 100644 index 00000000..bcb0983d --- /dev/null +++ b/apache/config/modules/mod_proxy_http.sls 
@@ -0,0 +1,51 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + - .mod_proxy + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +apache-config-modules-proxy_http-pkg: + cmd.run: + - name: a2enmod proxy_http + - unless: ls {{ apache.moddir }}/proxy_http.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_http + - order: 225 + - require: + - pkg: apache-package-install-pkg-installed + # cmd: a2enmod proxy + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- elif grains['os_family']=="FreeBSD" %} + +apache-config-modules-proxy_http-file-managed: + file.managed: + - name: {{ apache.modulesdir }}/040_mod_proxy_http.conf + - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy_http.conf.jinja + - mode: 644 + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_remoteip.sls b/apache/config/modules/mod_remoteip.sls new file mode 100644 index 00000000..58429bae --- /dev/null +++ b/apache/config/modules/mod_remoteip.sls 
@@ -0,0 +1,80 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +apache-config-modules-remoteip-cmd-run-mod-a2en: + cmd.run: + - name: a2enmod remoteip + - unless: ls {{ apache.moddir }}/remoteip.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep remoteip + - order: 255 + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + +apache-config-modules-remoteip-cmd-run-conf: + cmd.run: + - name: a2enconf remoteip + - unless: ls /etc/apache2/conf-enabled/remoteip.conf + - order: 255 + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-reload + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + file.managed: + - name: /etc/apache2/conf-available/remoteip.conf + - template: {{ apache.get('template_engine', 'jinja') }} + - makedirs: True + - context: + apache: {{ apache|json }} + - source: + - salt://apache/files/{{ salt['grains.get']('os_family') }}/conf-available/remoteip.conf.jinja + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + - cmd: apache-config-modules-remoteip-cmd-run-conf + + {%- elif grains['os_family']=="RedHat" %} + 
+apache-config-modules-remoteip-file-managed-conf: + file.managed: + - name: /etc/httpd/conf.d/remoteip.conf + - template: {{ apache.get('template_engine', 'jinja') }} + - makedirs: True + - context: + apache: {{ apache|json }} + - source: + - salt://apache/files/{{ salt['grains.get']('os_family') }}/conf.modules.d/remoteip.conf.jinja + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_rewrite.sls b/apache/config/modules/mod_rewrite.sls new file mode 100644 index 00000000..2b5a9523 --- /dev/null +++ b/apache/config/modules/mod_rewrite.sls 
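Review bot: In `apache-config-modules-remoteip-cmd-run-conf` the `file.managed` for `/etc/apache2/conf-available/remoteip.conf` requires the `cmd.run`, so `a2enconf remoteip` executes before the file exists and fails on a fresh host (a2enconf refuses to enable a conf that is not in conf-available), unless a package already ships that file. Invert the dependency: remove `- cmd: apache-config-modules-remoteip-cmd-run-conf` from the file.managed and give the cmd.run `- require: - file: apache-config-modules-remoteip-cmd-run-conf`. The template itself is outside this hunk; since this module decides which upstream addresses are trusted to rewrite the client IP, it is worth confirming the rendered `RemoteIPTrustedProxy`/`RemoteIPInternalProxy` values are restricted to the real proxy ranges.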
@@ -0,0 +1,49 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + + {%- if grains['os_family'] in ('Debian', 'Suse') %} + +apache-config-modules-rewrite-cmd-run-mod: + cmd.run: + - name: a2enmod rewrite + - unless: ls {{ apache.moddir }}/rewrite.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep rewrite + - order: 225 + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- elif grains['os_family']=="FreeBSD" %} + +apache-config-modules-rewrite-file-managed-conf: + file.managed: + - name: {{ apache.modulesdir }}/040_mod_rewrite.conf + - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_rewrite.conf.jinja + - mode: 644 + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} diff --git a/apache/config/modules/mod_security/init.sls b/apache/config/modules/mod_security/init.sls new file mode 100644 index 00000000..5b5c70fc --- /dev/null +++ b/apache/config/modules/mod_security/init.sls 
@@ -0,0 +1,89 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_service_running = tplroot ~ '.service.running' %} +{%- set sls_package_install = tplroot ~ '.package.install' %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +include: + - {{ sls_service_running }} + - {{ sls_package_install }} + + {%- if grains.os_family not in ('Arch',) %} + +apache-config-modules-security-pkg: + pkg.installed: + - name: {{ apache.mod_security.package }} + - order: 180 + - require: + - pkg: apache-package-install-pkg-installed + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- if apache.mod_security.crs_install and 'crs_package' in apache.mod_security %} + +apache-config-modules-security-crs-pkg: + pkg.installed: + - name: {{ apache.mod_security.crs_package }} + - order: 180 + - require: + - pkg: apache-config-modules-security-pkg + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} + {%- if apache.mod_security.manage_config and 'config_file' in apache.mod_security %} + +apache-config-modules-security-main-config-file-managed: + file.managed: + - name: {{ apache.mod_security.config_file }} + - order: 220 + - makedirs: True + - template: {{ apache.get('template_engine', 'jinja') }} + - context: + apache: {{ apache|json }} + - source: + - {{ 'salt://apache/files/' ~ salt['grains.get']('os_family') ~ '/modsecurity.conf.jinja' }} + - context: {{ apache.mod_security|json }} + - require: + - pkg: apache-config-modules-security-pkg + - watch_in: + - module: apache-service-running-reload + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: 
apache-service-running + + {%- endif %} + {%- if grains['os_family'] in ('Suse', 'Debian',) %} + +apache-config-modules-security-cmd-run-a2en-security2: + cmd.run: + - name: a2enmod security2 + - unless: ls {{ apache.moddir }}/security2.load && ls {{ apache.moddir }}/security2.conf + - order: 225 + + {%- elif grains.os_family in ('Redhat',) %} +apache-config-modules-security-file-directory-modsecurity: + file.directory: + - name: /etc/httpd/modsecurity.d + {%- endif %} + + - require: + - pkg: apache-config-modules-security-pkg + - watch_in: + - module: apache-service-running-restart + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + {%- endif %} diff --git a/apache/mod_security/rules.sls b/apache/config/modules/mod_security/rules.sls similarity index 65% rename from apache/mod_security/rules.sls rename to apache/config/modules/mod_security/rules.sls index 966a9341..8858aa0e 100644 --- a/apache/mod_security/rules.sls +++ b/apache/config/modules/mod_security/rules.sls @@ -6,14 +6,14 @@ include: - apache.mod_security {%- for rule_name, rule_details in mod_security.get('rules', {}).items() %} - {% set rule_set = rule_details.get('rule_set', '') %} - {% set enabled = rule_details.get('enabled', False ) %} + {%- set rule_set = rule_details.get('rule_set', '') %} + {%- set enabled = rule_details.get('enabled', False ) %} {%- if enabled %} /etc/modsecurity/{{ rule_name }}: file.symlink: - target: /usr/share/modsecurity-crs/{{ rule_set }}/{{ rule_name }} - - user: root - - group: root + - user: {{ apache.rootuser }} + - group: {{ apache.rootgroup }} - mode: 755 {%- else %} /etc/modsecurity/{{ rule_name }}: 
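Review bot: `{%- elif grains.os_family in ('Redhat',) %}` never matches: the grain value is `RedHat`, as this same patch spells it in mod_geoip, mod_mpm and mod_remoteip, so the `/etc/httpd/modsecurity.d` directory state is dead code. More seriously, when neither that branch nor the Suse/Debian one renders (RedHat today, FreeBSD always), the trailing `- require:`/`- watch_in:`/`- require_in:` list after the inner `{%- endif %}` is appended to whichever state rendered last — in the default case the `pkg.installed` of `apache-config-modules-security-pkg` itself, which then requires itself and fails as a recursive requisite. Move the shared requisite block inside each branch and fix the spelling to `'RedHat'`. Separately, `apache-config-modules-security-main-config-file-managed` lists `- context:` twice (`apache: {{ apache|json }}` and `{{ apache.mod_security|json }}`); the later argument wins in Salt's high-data compile, so merge them into one mapping and confirm which keys the template expects.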
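Review bot: The unchanged `include: - apache.mod_security` still points at the old location although this commit moves the state to `apache/config/modules/mod_security/init.sls`; unless a shim remains at `apache/mod_security/init.sls`, this should become `- apache.config.modules.mod_security`. The new `{{ apache.rootuser }}`/`{{ apache.rootgroup }}` references need `apache` imported from map.jinja at the top of this file, which is outside the hunk. `- mode: 755` on the `file.symlink` is ignored for symlinks on Linux, and on the custom rule files in the next hunk it marks configuration as executable; `'0644'` is the least-privilege choice for both.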
@@ -24,17 +24,18 @@ include: {%- endfor %} {%- for custom_rule, custom_rule_details in mod_security.get('custom_rule_files', {}).items() %} - {% set file = custom_rule_details.get('file', None) %} - {% set path = custom_rule_details.get('path', None) %} - {% set enabled = custom_rule_details.get('enabled', False ) %} + {%- set file = custom_rule_details.get('file', None) %} + {%- set path = custom_rule_details.get('path', None) %} + {%- set enabled = custom_rule_details.get('enabled', False ) %} {%- if enabled %} /etc/modsecurity/{{ file }}: file.managed: - source: {{ path }} - - user: root - - group: root + - user: {{ apache.rootuser }} + - group: {{ apache.rootgroup }} - mode: 755 + - makedirs: True {%- else %} /etc/modsecurity/{{ file }}: file.absent: @@ -42,4 +43,4 @@ include: {%- endif %} {%- endfor %} -{% endif %} +{%- endif %} diff --git a/apache/config/modules/mod_socache_shmcb.sls b/apache/config/modules/mod_socache_shmcb.sls new file mode 100644 index 00000000..50693f5a --- /dev/null +++ b/apache/config/modules/mod_socache_shmcb.sls 
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains['os_family']=="FreeBSD" %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-modules-socache_shmcb-file-managed:
+ file.managed:
+ - name: {{ apache.modulesdir }}/009_mod_socache_shmcb.conf
+ - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/generic_module.conf.jinja
+ - mode: 644
+ - makedirs: True
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - context:
+ apache: {{ apache|json }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+ - context:
+ module_name: socache_shmcb
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_ssl.sls b/apache/config/modules/mod_ssl.sls
new file mode 100644
index 00000000..5ad9c35f
--- /dev/null
+++ b/apache/config/modules/mod_ssl.sls
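Review bot: `apache-config-modules-socache_shmcb-file-managed` gives `- context:` twice, once with `apache: {{ apache|json }}` and once with `module_name: socache_shmcb`; a state argument repeated like this is not merged by the state compiler (as far as I recall the later entry replaces the earlier one), so the template sees either no `apache` or no `module_name`. Fold them into one entry: `- context:` followed by `apache: {{ apache|json }}` and `module_name: socache_shmcb` as two keys of the same mapping.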
@@ -0,0 +1,129 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+ {%- if grains['os_family'] in ('Debian', 'Suse') %}
+
+apache-config-modules-ssl-cmd-run:
+ cmd.run:
+ - name: a2enmod ssl
+ - unless: ls {{ apache.moddir }}/ssl.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' ssl'
+ - order: 225
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+ file.managed:
+ - name: /etc/apache2/mods-available/ssl.conf
+ - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/ssl.conf.jinja
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - context:
+ apache: {{ apache|json }}
+ - mode: 644
+ - makedirs: True
+ - watch_in:
+ - module: apache-service-running-restart
+
+ {%- elif grains['os_family']=="RedHat" %}
+
+apache-config-modules-ssl-pkg:
+ pkg.installed:
+ - name: {{ apache.pkg.mod_ssl }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+ file.absent:
+ - name: {{ apache.confdir }}/ssl.conf
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- elif grains['os_family']=="FreeBSD" %}
+ - .mod_ssl
+
+apache-config-modules-ssl-file-managed:
+ file.managed:
+ - name: {{ apache.modulesdir }}/010_mod_ssl.conf
+ - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_ssl.conf.jinja
+ - mode: 644
+ - makedirs: True
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - context:
+ apache: {{ apache|json }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
+
+apache-config-modules-ssl-file-managed-tls-defaults:
+ {%- if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+ file.managed:
+ - name: {{ apache.confdir }}/tls-defaults.conf
+ - source: salt://apache/files/ssl/tls-defaults.conf.jinja
+ - mode: 644
+ - makedirs: True
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - context:
+ apache: {{ apache|json }}
+ {%- else %}
+ file.absent:
+ - name: {{ apache.confdir }}/tls-defaults.conf
+ {%- endif %}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- if grains['os_family'] in ('Debian',) %}
+apache-config-modules-ssl-cmd-run-debian-tls-defaults:
+ cmd.run:
+ {%- if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+ - name: a2enconf tls-defaults
+ - unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+ {%- else %}
+ - name: a2disconf tls-defaults
+ - onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+ {%- endif %}
+ - order: 225
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - file: {{ apache.confdir }}/tls-defaults.conf
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ -
module: apache-service-running-reload
+ - service: apache-service-running
+ {%- endif %}
diff --git a/apache/config/modules/mod_status.sls b/apache/config/modules/mod_status.sls
new file mode 100644
index 00000000..b55a9d50
--- /dev/null
+++ b/apache/config/modules/mod_status.sls
@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_package_install }}
+
+apache-config-server-status:
+ file.managed:
+ - name: {{ apache.confdir }}/server-status{{ apache.confext }}
+ - source: 'salt://apache/files/server-status.conf.jinja'
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - makedirs: True
+ - context:
+ apache: {{ apache|json }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- if grains['os_family'] == "Debian" %}
+
+apache-config-server-status-file-directory:
+ file.directory:
+ - name: /etc/apache2/conf-enabled
+ - require:
+ - pkg: apache-package-install-pkg-installed
+
+apache-config-server-status-cmd-run:
+ cmd.run:
+ - name: a2enconf server-status
+ - unless: 'test -L /etc/apache2/conf-enabled/server-status.conf'
+ - order: 225
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - file: apache-config-server-status
+ - file: apache-config-server-status-file-directory
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_suexec.sls b/apache/config/modules/mod_suexec.sls
new file mode 100644
index 00000000..4871aa35
--- /dev/null
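Review bot: In the FreeBSD branch of mod_ssl.sls the line `- .mod_ssl` directly follows `{%- elif grains['os_family']=="FreeBSD" %}`, so on FreeBSD it renders straight under the `include:` list and makes the file include itself; it looks like a leftover and should be deleted. The same `apache-config-modules-ssl-cmd-run` ID also carries a `file.managed` for `/etc/apache2/mods-available/ssl.conf` that runs on Suse as well as Debian, where, as far as I know, that directory is not the module path and `makedirs: True` will silently create it. The `unless` shells out to `egrep` (the same pattern appears in mod_upload_progress, mod_vhost_alias and mod_xsendfile), which current GNU grep reports as obsolescent; `grep -E "^APACHE_MODULES=" ...` is the portable spelling. The TLS-defaults toggle is read twice via `salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False)` although defaults.yaml now carries `mod_ssl: manage_tls_defaults`; reading `apache.mod_ssl.manage_tls_defaults` from the imported map keeps one source of truth with the other `apache.*` lookups in this file.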
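Review bot: mod_status.sls includes only `{{ sls_package_install }}`, yet its states declare `watch_in`/`require_in` on `apache-service-running-restart`, `apache-service-running-reload` and `apache-service-running`, which the sibling module files obtain by including `{{ sls_service_running }}`; applied on its own, those requisites name states that are not in the highstate. Add `{%- set sls_service_running = tplroot ~ '.service.running' %}` and `- {{ sls_service_running }}` to the include list as the other files do. The `a2enconf` guard also hardcodes `server-status.conf` while the managed file is `server-status{{ apache.confext }}`; if `confext` is ever not `.conf` the `unless` never matches and the command reruns on every apply, so use `{{ apache.confext }}` there as well.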
+++ b/apache/config/modules/mod_suexec.sls
@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains['os_family']=="FreeBSD" %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-modules-suexec-file-managed:
+ file.managed:
+ - name: {{ apache.modulesdir }}/040_mod_suexec.conf
+ - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_suexec.conf.jinja
+ - mode: 644
+ - makedirs: True
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - context:
+ apache: {{ apache|json }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_upload_progress.sls b/apache/config/modules/mod_upload_progress.sls
new file mode 100644
index 00000000..5febb54f
--- /dev/null
+++ b/apache/config/modules/mod_upload_progress.sls
@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-modules-upload_progress-pkg:
+ pkg.installed
+ - name: {{ apache.mod_upload_progress }}
+ cmd.run:
+ - name: a2enmod upload_progress
+ - unless: ls {{ apache.moddir }}/upload_progress.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep upload_progress
+ - order: 255
+ - require:
+ - pkg: apache-config-modules-upload_progress-pkg
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_vhost_alias.sls b/apache/config/modules/mod_vhost_alias.sls
new file mode 100644
index 00000000..e387456a
--- /dev/null
+++ b/apache/config/modules/mod_vhost_alias.sls
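Review bot: `pkg.installed` under `apache-config-modules-upload_progress-pkg` is missing its trailing colon, so `pkg.installed` followed by `- name: ...` is not a mapping and the file does not render as valid YAML on Suse or Debian; it must read `pkg.installed:`. The `cmd.run` under the same ID uses `- order: 255` whereas every other `a2enmod` state in this commit uses `225`; if that is not deliberate, align it.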
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-modules-vhost_alias-cmd-run:
+ cmd.run:
+ - name: a2enmod vhost_alias
+ - unless: ls {{ apache.moddir }}/vhost_alias.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep vhost_alias
+ - order: 225
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_wsgi.sls b/apache/config/modules/mod_wsgi.sls
new file mode 100644
index 00000000..4e2e0dc6
--- /dev/null
+++ b/apache/config/modules/mod_wsgi.sls
@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-modules-wsgi-pkg:
+ pkg.installed:
+ - name: {{ apache.pkg.mod_wsgi }}
+ - require:
+ - pkg: apache
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- if 'conf_mod_wsgi' in apache %}
+
+ file.uncomment:
+ - name: {{ apache.conf_mod_wsgi }}
+ - regex: LoadModule
+ - onlyif: test -f {{ apache.conf_mod_wsgi }}
+ - require:
+ - pkg: apache-config-modules-wsgi-pkg
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/mod_xsendfile.sls b/apache/config/modules/mod_xsendfile.sls
new file mode 100644
index 00000000..458f4f19
--- /dev/null
+++ b/apache/config/modules/mod_xsendfile.sls
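Review bot: `apache-config-modules-wsgi-pkg` requires `- pkg: apache`, while every other new state in this commit requires `- pkg: apache-package-install-pkg-installed`, and the deleted debian_full.sls is the only place the bare `apache` id still appears; unless an `apache` pkg state survives elsewhere, this requisite fails as an unresolved reference. Change it to `- pkg: apache-package-install-pkg-installed`. The `file.uncomment` regex `LoadModule` is unanchored, so it uncomments every commented `LoadModule` line in `apache.conf_mod_wsgi`; if that file can hold more than the wsgi line, tighten it to `LoadModule wsgi_module`.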
@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_service_running }}
+ - {{ sls_package_install }}
+
+apache-config-xsendfile-pkg:
+ pkg.installed:
+ - name: {{ apache.mod_xsendfile }}
+ - order: 180
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+ cmd.run:
+ - name: a2enmod xsendfile
+ - order: 225
+ - unless: ls {{ apache.moddir }}/xsendfile.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep xsendfile
+ - require:
+ - pkg: apache-config-xsendfile-pkg
+ - watch_in:
+ - module: apache-service-running-restart
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/modules/server_status.sls b/apache/config/modules/server_status.sls
new file mode 120000
index 00000000..58532131
--- /dev/null
+++ b/apache/config/modules/server_status.sls
@@ -0,0 +1 @@
+mod_status.sls
\ No newline at end of file
diff --git a/apache/config/no_default_vhost.sls b/apache/config/no_default_vhost.sls
new file mode 100644
index 00000000..137dc4e5
--- /dev/null
+++ b/apache/config/no_default_vhost.sls
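Review bot: The state IDs here are `apache-config-xsendfile-pkg` while every other file in this directory uses the `apache-config-modules-<module>-...` prefix (e.g. `apache-config-modules-wsgi-pkg`); renaming to `apache-config-modules-xsendfile-pkg`, and updating the `- pkg:` requisite in the `cmd.run` below it, keeps IDs greppable by the same pattern. Since `pkg.installed` and `cmd.run` share one ID, the `{%- if ... %}` that wraps only the `cmd.run` leaves a blank line inside the state body on other platforms, which is harmless but worth a one-line comment explaining that the package is installed everywhere and only Debian/Suse need `a2enmod`.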
@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains.os_family == "Debian" %}
+
+include:
+ - {{ sls_package_install }}
+ - {{ sls_service_running }}
+
+apache-config-default-vhost:
+ cmd.run:
+ - name: a2dissite 000-default.conf || true
+ - unless: test ! -f /etc/apache2/sites-enabled/000-default.conf
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
diff --git a/apache/config/own_default_vhost.sls b/apache/config/own_default_vhost.sls
new file mode 100644
index 00000000..7371f3f5
--- /dev/null
+++ b/apache/config/own_default_vhost.sls
@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains.os_family == "Debian" %}
+
+include:
+ - {{ sls_package_install }}
+ - {{ sls_service_running }}
+
+apache-config-own-default-vhost:
+ file.managed:
+ - name: {{ apache.vhostdir }}/000-default.conf
+ - source: salt://apache/files/Debian/sites-available/000-default.conf
+ - makedirs: True
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - context:
+ apache: {{ apache|json }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- endif %}
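Review bot: `a2dissite 000-default.conf || true` hides any failure of `a2dissite` — the state reports success regardless and the `unless` test is the only signal left — and it hardcodes the `.conf` extension that the deleted debian_full.sls expressed as `000-default{{ apache.confext }}` and the rest of this commit parameterises. I would drop the `|| true` and write `- name: a2dissite 000-default{{ apache.confext }}` with `- onlyif: test -L /etc/apache2/sites-enabled/000-default{{ apache.confext }}`, matching the symlink checks used in mod_ssl.sls. As far as I can see from cleanup.sls further down, the `000-default` site that own_default_vhost.sls (next hunk) installs is not in that file's `valid_sites` unless it is also declared under `apache:sites`, so the two states can disagree about that site; a comment on one of them saying which wins would help.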
diff --git a/apache/config/register_site.sls b/apache/config/register_site.sls
new file mode 100644
index 00000000..30409868
--- /dev/null
+++ b/apache/config/register_site.sls
@@ -0,0 +1,76 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+{%- if grains.os_family == "Debian" %}
+
+include:
+ - {{ sls_package_install }}
+ - {{ sls_service_running }}
+
+apache-config-register-site-file-directory:
+ file.directory:
+ - name: {{ apache.sitesdir }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+
+ {%- if 'apache' in pillar and 'register-site' in pillar['apache'] %}
+ {%- for site in pillar['apache']['register-site'] %}
+ {%- if 'name' in pillar['apache']['register-site'][site] and 'state' in pillar['apache']['register-site'][site] %}
+ {%- if 'path' in pillar['apache']['register-site'][site] %}
+ {%- if pillar['apache']['register-site'][site]['state'] == 'enabled' %}
+ {%- set a2modid = "a2ensite " ~ pillar['apache']['register-site'][site]['name'] ~ apache.confext %}
+ {%- else %}
+ {%- set a2modid = "a2dissite " ~ pillar['apache']['register-site'][site]['name'] ~ apache.confext %}
+ {%- endif %}
+
+apache-config-register-site-{{ a2modid }}:
+ cmd.run:
+ - name: {{ a2modid }}
+ {%- if pillar['apache']['register-site'][site]['state'] == 'enabled' %}
+ - unless: test -f /etc/apache2/sites-enabled/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}
+ {%- else %}
+ - onlyif: test -f /etc/apache2/sites-enabled/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}
+ {%- endif %}
+ - order: 230
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - file: apache-config-register-site-file-managed
+ - file: apache-config-register-site-file-directory
+ - watch:
+ - file: apache-config-register-site-file-managed
+
+apache-config-register-site-file-managed:
+ file.managed:
+ - name: /etc/apache2/sites-available/{{ pillar['apache']['register-site'][site]['name'] }}{{
apache.confext }}
+ - source: {{ pillar['apache']['register-site'][site]['path'] }}
+ - order: 225
+ - makedirs: True
+ - user: {{ apache.rootuser }}
+ - group: {{ apache.rootgroup }}
+ - mode: 775
+ {%- if 'template' in pillar['apache']['register-site'][site] and 'defaults' in pillar['apache']['register-site'][site] %}
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - defaults:
+ {%- for key, value in pillar['apache']['register-site'][site]['defaults'].items() %}
+ {{ key }}: {{ value }}
+ {%- endfor %}
+ {%- endif %}
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module; apache-service-running-reload
+ cmd.run:
+ - name: echo dummy state to workaround requisite issue >/dev/null 2>&1
+ - require_in:
+ - file: apache-config-register-site-file-managed
+
+ {%- endif %}
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %} #END: apache-service-running-register-site
+{%- endif %} #END: grains['os_family'] == debian
diff --git a/apache/config/vhosts/clean.sls b/apache/config/vhosts/clean.sls
new file mode 120000
index 00000000..d5a213e2
--- /dev/null
+++ b/apache/config/vhosts/clean.sls
@@ -0,0 +1 @@
+cleanup.sls
\ No newline at end of file
diff --git a/apache/config/vhosts/cleanup.sls b/apache/config/vhosts/cleanup.sls
new file mode 100644
index 00000000..a964dd85
--- /dev/null
+++ b/apache/config/vhosts/cleanup.sls
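Review bot: `apache-config-register-site-file-managed` is declared inside the `for site in pillar['apache']['register-site']` loop with a fixed ID, so registering two or more sites yields conflicting state IDs and the highstate is rejected; suffix it, e.g. `apache-config-register-site-file-managed-{{ site }}`, and update the two `require`/`watch` references in the `cmd.run` above it to match. `- module; apache-service-running-reload` uses a semicolon, which turns that `require_in` entry into a plain string the compiler cannot resolve. The managed vhost files are written with `- mode: 775`, i.e. group-writable and executable configuration owned by `apache.rootuser`; `'0644'` is all Apache needs to read them. The `- defaults:` loop should emit `{{ key }}: {{ value|json }}` so boolean, numeric-looking or nested pillar values survive the YAML round-trip, and the `echo dummy state ...` `cmd.run` deserves a comment naming the requisite problem it works around, since nothing in the file explains it.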
@@ -0,0 +1,42 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if grains.os_family == 'Debian' %}
+
+include:
+ - {{ sls_service_running }}
+
+ {%- set dirpath = '/etc/apache2/sites-enabled' %}
+ {# Add . and .. to make it easier to not clean those #}
+ {%- set valid_sites = ['.', '..', ] %}
+
+ {# Take sites from apache.vhosts.standard #}
+ {%- for id, site in salt['pillar.get']('apache:sites', {}).items() %}
+ {%- do valid_sites.append('{}{}'.format(id, apache.confext)) %}
+ {%- endfor %}
+
+ {# Take sites from apache.register_site #}
+ {%- for id, site in salt['pillar.get']('apache:register-site', {}).items() %}
+ {%- do valid_sites.append('{}{}'.format(site.name, apache.confext)) %}
+ {%- endfor %}
+
+ {%- if salt['file.directory_exists'](dirpath) %}
+ {%- for filename in salt['file.readdir'](dirpath) %}
+ {%- if filename not in valid_sites %}
+
+apache-config-vhosts-cleanup-{{ filename }}-cmd-run:
+ cmd.run:
+ - name: a2dissite {{ filename }} || true
+ - onlyif: "test -L {{ dirpath }}/{{ filename }} || test -f {{ dirpath }}/{{ filename }}"
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+ {%- endif %}{# Debian #}
diff --git a/apache/config/vhosts/init.sls b/apache/config/vhosts/init.sls
new file mode 100644
index 00000000..531542ec
--- /dev/null
+++ b/apache/config/vhosts/init.sls
@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+ - .standard
diff --git a/apache/vhosts/minimal.tmpl b/apache/config/vhosts/minimal.tmpl
similarity index 100%
rename from apache/vhosts/minimal.tmpl
rename to apache/config/vhosts/minimal.tmpl
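Review bot: `valid_sites` is built from `site.name` for every `apache:register-site` entry, but register_site.sls in this commit only acts on entries that have a `name` key; an entry without one is skipped there and, as far as I can tell, makes this file fail on an undefined attribute instead — use `site.get('name', id)` or skip entries lacking a name. Directory entries are spliced unquoted into `a2dissite {{ filename }} || true` and into the state ID; quoting the argument (`a2dissite '{{ filename }}'`) keeps an unusual filename in sites-enabled from breaking the shell command, and dropping `|| true` lets a real `a2dissite` failure surface rather than being masked. Note that `000-default.conf`, which own_default_vhost.sls installs, is not in `valid_sites` unless it is also declared under `apache:sites`, so this state will disable it.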
diff --git a/apache/vhosts/proxy.tmpl b/apache/config/vhosts/proxy.tmpl similarity index 81% rename from apache/vhosts/proxy.tmpl rename to apache/config/vhosts/proxy.tmpl index 6511b513..740f169b 100644 --- a/apache/vhosts/proxy.tmpl +++ b/apache/config/vhosts/proxy.tmpl @@ -2,7 +2,6 @@ # This file is managed by Salt! Do not edit by hand! # {# Define default values here so the template below can just focus on layout #} -{% from "apache/map.jinja" import apache with context %} {% set sitename = site.get('ServerName', id) %} {% set vals = { 'interfaces': site.get('interface', '*').split(), @@ -35,7 +34,7 @@ 'Require': 'all granted', }, } %} - + ServerName {{ vals.ServerName }} {% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %} {% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %} @@ -73,8 +72,8 @@ ProxyPassReverse {{ proxyvals.ProxyPassReverseSource }} {{ proxyvals.ProxyPassReverseTarget }} {% endfor %} - {%- for path, loc in site.get('Location', {}).items() %} - {%- set lvals = { + {% for path, loc in site.get('Location', {}).items() %} + {% set lvals = { 'Order': loc.get('Order', vals.Location.Order), 'Allow': loc.get('Allow', vals.Location.Allow), 'Require': loc.get('Require', vals.Location.Require), 
@@ -82,16 +81,16 @@ } %} {% if apache.version == '2.4' %} - {%- if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %} + {% if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %} {% else %} - {%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %} - {%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %} + {% if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %} + {% if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %} {% endif %} - {%- if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %} + {% if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %} {% endfor %} - {%- for regpath, locmat in site.get('LocationMatch', {}).items() %} - {%- set lmvals = { + {% for regpath, locmat in site.get('LocationMatch', {}).items() %} + {% set lmvals = { 'Order': locmat.get('Order', vals.LocationMatch.Order), 'Allow': locmat.get('Allow', vals.LocationMatch.Allow), 'Require': locmat.get('Require', vals.LocationMatch.Require), 
@@ -99,32 +98,32 @@ } %} {% if apache.version == '2.4' %} - {%- if lmvals.get('Require') != False %}Require {{ lmvals.Require }}{% endif %} + {% if lmvals.get('Require') != False %}Require {{ lmvals.Require }}{% endif %} {% else %} - {%- if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %} - {%- if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %} + {% if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %} + {% if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %} {% endif %} - {%- if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %} + {% if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %} {% endfor %} - {%- for proxypath, prox in site.get('Proxy_control', {}).items() %} - {%- set proxvals = { + {% for proxypath, prox in site.get('Proxy_control', {}).items() %} + {% set proxvals = { 'AllowAll': prox.get('AllowAll', vals.AllowAll), 'AllowCountry': prox.get('AllowCountry', vals.AllowCountry), 'AllowIP': prox.get('AllowIP', vals.AllowIP), } %} - {%- if proxvals.get('AllowAll') != False %} + {% if proxvals.get('AllowAll') != False %} Require all granted - {%- else %} + {% else %} {% if proxvals.get('AllowCountry') != False %}{% set country_list = proxvals.get('AllowCountry', {}) %}GeoIPEnable On {% for every_country in country_list %}SetEnvIf GEOIP_COUNTRY_CODE {{ every_country }} AllowCountry {% endfor %}Require env AllowCountry {% endif %} {% if proxvals.get('AllowIP') is defined %} {% set ip_list = proxvals.get('AllowIP', {}) %} Require ip {% for every_ip in ip_list %}{{ every_ip }} {% endfor %} {% endif %} - {%- endif %} + {% endif %} - {%- endfor %} + {% endfor %} {% if site.get('Formula_Append') %} {{ site.Formula_Append|indent(4) }} {% endif %} 
diff --git a/apache/vhosts/redirect.tmpl b/apache/config/vhosts/redirect.tmpl similarity index 97% rename from apache/vhosts/redirect.tmpl rename to apache/config/vhosts/redirect.tmpl index 0811ac3b..8f91b1c7 100644 --- a/apache/vhosts/redirect.tmpl +++ b/apache/config/vhosts/redirect.tmpl @@ -2,7 +2,6 @@ # This file is managed by Salt! Do not edit by hand! # {# Define default values here so the template below can just focus on layout #} -{%- from "apache/map.jinja" import apache with context %} {%- set sitename = site.get('ServerName', id) %} {%- set vals = { diff --git a/apache/config/vhosts/standard.sls b/apache/config/vhosts/standard.sls new file mode 100644 index 00000000..7efb922c --- /dev/null +++ b/apache/config/vhosts/standard.sls 
@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_package_install }}
+ - {{ sls_service_running }}
+
+ {%- for id, site in salt['pillar.get']('apache:sites', {}).items() %}
+ {%- set documentroot = site.get('DocumentRoot', '{0}/{1}'.format(apache.wwwdir, site.get('ServerName', id))) %}
+
+apache-config-vhosts-standard-{{ id }}:
+ file.managed:
+ - name: {{ apache.vhostdir }}/{{ id }}{{ apache.confext }}
+ - source: {{ site.get('template_file', 'salt://apache/config/vhosts/standard.tmpl') }}
+ - template: {{ apache.get('template_engine', 'jinja') }}
+ - makedirs: True
+ - context:
+ apache: {{ apache|json }}
+ id: {{ id|json }}
+ site: {{ site|json }}
+ map: {{ apache|json }}
+ - require:
+ - pkg: apache-package-install-pkg-installed
+ - watch_in:
+ - module: apache-service-running-reload
+ - require_in:
+ - module: apache-service-running-restart
+ - module: apache-service-running-reload
+ - service: apache-service-running
+
+ {%- if site.get('DocumentRoot') != False %}
+
+apache-config-vhosts-standard-{{ id }}-docroot:
+ file.directory:
+ - name: {{ documentroot }}
+ - makedirs: True
+ - user: {{ site.get('DocumentRootUser', apache.get('document_root_user'))|json or apache.user }}
+ - group: {{ site.get('DocumentRootGroup', apache.get('document_root_group'))|json or apache.group }}
+ - allow_symlink: True
+
+ {%- endif %}
+ {%- if grains.os_family == 'Debian' %}
+ {%- if site.get('enabled', True) %}
+
+apache-config-vhosts-standard-{{ id }}-cmd-run-a2en:
+ cmd.run:
+ - name: a2ensite {{ id }}{{ apache.confext }}
+ - unless: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }}
+ - require:
+ - file: apache-config-vhosts-standard-{{ id }}
+ - watch_in:
+ - module: apache-service-running-reload
+ -
require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- else %} + +apache-config-vhosts-standard-{{ id }}-cmd-run-a2dis: + cmd.run: + - name: a2dissite {{ id }}{{ apache.confext }}: + - onlyif: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }} + - require: + - file: apache-config-vhosts-standard-{{ id }} + - watch_in: + - module: apache-service-running-reload + - require_in: + - module: apache-service-running-restart + - module: apache-service-running-reload + - service: apache-service-running + + {%- endif %} + {%- endif %} {# Debian #} + {%- endfor %} diff --git a/apache/vhosts/standard.tmpl b/apache/config/vhosts/standard.tmpl similarity index 84% rename from apache/vhosts/standard.tmpl rename to apache/config/vhosts/standard.tmpl index 17f9ef93..98bf31f7 100644 --- a/apache/vhosts/standard.tmpl +++ b/apache/config/vhosts/standard.tmpl @@ -2,9 +2,9 @@ # This file is managed by Salt! Do not edit by hand! # {# Define default values here so the template below can just focus on layout #} -{%- set sitename = site.get('ServerName', id) -%} +{% set sitename = site.get('ServerName', id) -%} -{%- set vals = { +{% set vals = { 'interfaces': site.get('interface', '*').split(), 'port': site.get('port', '80'), 
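Review bot: The disable branch has `- name: a2dissite {{ id }}{{ apache.confext }}:` with a stray trailing colon, so the rendered command is `a2dissite <id><confext>:` and a site with `enabled: false` is never actually disabled; drop the colon. In the docroot state, `site.get('DocumentRootUser', apache.get('document_root_user'))|json or apache.user` applies `|json` before `or`, and `None|json` is the non-empty string `null`, so `or apache.user` can never fire and the rendered value is YAML `null`; if falling back to `apache.user` is the intent, write `(site.get('DocumentRootUser') or apache.document_root_user or apache.user)|json`, and the same for the group line, otherwise the `or` should go. The `unless`/`onlyif` tests hardcode `/etc/apache2/sites-enabled/` even though the matching sites-available path comes from `apache.vhostdir` one state above; a map key for the enabled directory would keep both in one place.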
@@ -74,16 +74,16 @@ {{ site.Rewrite }} {% endif %} - {%- for loc, path in site.get('Alias', {}).items() %} + {% for loc, path in site.get('Alias', {}).items() %} Alias {{ loc }} {{ path }} - {%- endfor %} + {% endfor %} - {%- for loc, path in site.get('ScriptAlias', {}).items() %} + {% for loc, path in site.get('ScriptAlias', {}).items() %} ScriptAlias {{ loc }} {{ path }} - {%- endfor %} + {% endfor %} - {%- for path, dir in site.get('Directory', {}).items() -%} - {%- set dvals = { + {% for path, dir in site.get('Directory', {}).items() -%} + {% set dvals = { 'Options': dir.get('Options', vals.Directory.Options), 'Order': dir.get('Order', vals.Directory.Order), 'Allow': dir.get('Allow', vals.Directory.Allow), @@ -92,7 +92,7 @@ 'Dav': dir.get('Dav', False), } %} - {%- if path == 'default' %}{% set path = vals.Directory_default %}{% endif %} + {% if path == 'default' %}{% set path = vals.Directory_default %}{% endif %} {% if dvals.get('Options') != False %}Options {{ dvals.Options }}{% endif %} @@ -100,6 +100,7 @@ {% if dvals.get('Require') != False %}Require {{ dvals.Require }}{% endif %} {% else %} {% if dvals.get('Order') != False %}Order {{ dvals.Order }}{% endif %} + {% if dvals.get('Allow') != False %}Allow {{ dvals.Allow }}{% endif %} {% endif %} {% if dvals.get('AllowOverride') != False %}AllowOverride {{ dvals.AllowOverride }}{% endif %} @@ -109,10 +110,10 @@ {{ dir.Formula_Append|indent(8) }} {% endif %} - {%- endfor %} + {% endfor %} - {%- for path, loc in site.get('Location', {}).items() %} - {%- set lvals = { + {% for path, loc in site.get('Location', {}).items() %} + {% set lvals = { 'Order': loc.get('Order', vals.Location.Order), 'Allow': loc.get('Allow', vals.Location.Allow), 'Require': loc.get('Require', vals.Location.Require), 
@@ -121,20 +122,20 @@ {% if map.version == '2.4' %} - {%- if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %} + {% if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %} {% else %} - {%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %} - {%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %} + {% if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %} + {% if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %} {% endif %} - {%- if lvals.get('Dav') != False %}Dav On{% endif %} + {% if lvals.get('Dav') != False %}Dav On{% endif %} - {%- if loc.get('Formula_Append') %} + {% if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %} {% endfor %} - {%- if site.get('Formula_Append') %} + {% if site.get('Formula_Append') %} {{ site.Formula_Append|indent(4) }} {% endif %} diff --git a/apache/debian_full.sls b/apache/debian_full.sls deleted file mode 100644 index 2104fe1a..00000000 --- a/apache/debian_full.sls +++ /dev/null @@ -1,44 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -{% if grains['os_family']=="Debian" %} - -include: - - apache - - apache.register_site - -extend: - apache: - pkg: - - order: 175 - service: - - order: 455 - apache-reload: - module: - - order: 420 - apache-restart: - module: - - order: 425 - -a2dissite 000-default{{ apache.confext }}: - cmd.run: - - onlyif: test -f /etc/apache2/sites-enabled/000-default{{ apache.confext }} - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - require: - - pkg: apache - -/etc/apache2/sites-available/{{ apache.default_site }}: - file.absent: - - require: - - pkg: apache - -/etc/apache2/sites-available/{{ apache.default_site_ssl }}: - file.absent: - - require: - - pkg: apache - -{% endif %} #END: os = debian diff --git a/apache/defaults.yaml b/apache/defaults.yaml index 2dc0d664..2eed4e54 100644 
--- a/apache/defaults.yaml +++ b/apache/defaults.yaml @@ -2,10 +2,53 @@ # vim: ft=yaml --- apache: + lookup: {} + pkg: + name: apache2 + mod_ssl: mod_ssl + mod_wsgi: mod_wsgi + deps: [] + + rootuser: root + rootgroup: root + template_engine: jinja + config: '/etc/apache' + service: + name: apache + user: www-data + group: www-data + vhostdir: /etc/apache2/sites-available + confdir: /etc/apache2/conf.d + davlockdbdir: null + logdir: /var/log/apache2 + wwwdir: /srv/apache2 + document_root_user: null # Do not enforce group + document_root_group: null # Do not enforce group + manage_service_states: true service_state: running service_enable: true + flags: {} + global: {} + + modules: {} + + mod_remoteip: {} mod_security: crs_install: false - manage_config: false + manage_config: false # use software defaults + + mod_ssl: + manage_tls_defaults: false # use software defaults + + # Just here for testing + added_in_defaults: defaults_value + winner: defaults + + retry_option: + # https://docs.saltstack.com/en/latest/ref/states/requisites.html#retrying-states + attempts: 2 + until: true + interval: 10 + splay: 10 diff --git a/apache/files/Arch/apache-2.4.config.jinja b/apache/files/Arch/apache-2.4.config.jinja new file mode 100644 index 00000000..2907ad2a --- /dev/null +++ b/apache/files/Arch/apache-2.4.config.jinja 
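Review bot: `config: '/etc/apache'` and `service: name: apache` sit next to `pkg: name: apache2` and `vhostdir: /etc/apache2/sites-available`, so the base defaults describe a layout I don't recognise from any supported distribution; presumably the OS-family map (not in this chunk) overrides all of these, but a minion whose os_family has no map entry would render the main config into a non-existent `/etc/apache`. Worth aligning the base values on one layout (e.g. `config: /etc/apache2` with `service: name: apache2`) or adding a comment that they are placeholders the map is expected to replace. Two smaller things in the same hunk: the comment on `document_root_user: null # Do not enforce group` should read `# Do not enforce user`, and `added_in_defaults` / `winner` are test-only keys that will ship in every rendered map, so a `# TODO: test-only, remove` marker or moving them to the test pillar would keep the production defaults clean.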
@@ -0,0 +1,611 @@ +# +# This file is managed by Salt! Do not edit by hand! +# + +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "logs/access_log" +# with ServerRoot set to "/usr/local/apache2" will be interpreted by the +# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" +# will be interpreted as '/logs/access_log'. + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to specify a local disk on the +# Mutex directive, if file-based mutexes are used. If you wish to share the +# same ServerRoot for multiple httpd daemons, you will need to change at +# least PidFile. +# +ServerRoot "{{ apache.get('serverroot', '/etc/httpd') }}" + +# +# Mutex: Allows you to set the mutex mechanism and mutex file directory +# for individual mutexes, or change the global defaults +# +# Uncomment and change the directory if mutexes are file-based and the default +# mutex file directory is not on a local disk or is not appropriate for some +# other reason. +# +# Mutex default:/run/httpd + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. 
See also the +# directive. +# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +{% if salt['pillar.get']('apache:sites') is mapping %} + {%- set listen_directives = [] %} + {%- for id, site in salt['pillar.get']('apache:sites').items() %} + {%- set interfaces = site.get('interface', '*').split() %} + {%- set port = site.get('port', 80) %} + {%- for interface in interfaces %} + {%- if not site.get('exclude_listen_directive', False) and not port == '*' %} + {%- set listen_directive = interface ~ ':' ~ port %} + {%- if listen_directive not in listen_directives %} + {%- do listen_directives.append(listen_directive) %} + {%- endif %} + {%- endif %} + {%- endfor %} + {%- endfor %} + {%- for listen in listen_directives %} +Listen {{ listen }} + {%- endfor %} +{%- else %} +Listen 80 + + + Listen 443 + + +{%- endif %} + + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. 
+# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +LoadModule mpm_event_module modules/mod_mpm_event.so +#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so +#LoadModule mpm_worker_module modules/mod_mpm_worker.so +LoadModule authn_file_module modules/mod_authn_file.so +#LoadModule authn_dbm_module modules/mod_authn_dbm.so +#LoadModule authn_anon_module modules/mod_authn_anon.so +#LoadModule authn_dbd_module modules/mod_authn_dbd.so +#LoadModule authn_socache_module modules/mod_authn_socache.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_user_module modules/mod_authz_user.so +#LoadModule authz_dbm_module modules/mod_authz_dbm.so +#LoadModule authz_owner_module modules/mod_authz_owner.so +#LoadModule authz_dbd_module modules/mod_authz_dbd.so +LoadModule authz_core_module modules/mod_authz_core.so +#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so +#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule auth_basic_module modules/mod_auth_basic.so +#LoadModule auth_form_module modules/mod_auth_form.so +#LoadModule auth_digest_module modules/mod_auth_digest.so +#LoadModule allowmethods_module modules/mod_allowmethods.so +#LoadModule file_cache_module modules/mod_file_cache.so +#LoadModule cache_module modules/mod_cache.so +#LoadModule cache_disk_module modules/mod_cache_disk.so +#LoadModule cache_socache_module modules/mod_cache_socache.so +#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so +#LoadModule socache_dbm_module modules/mod_socache_dbm.so +#LoadModule socache_memcache_module modules/mod_socache_memcache.so +#LoadModule socache_redis_module modules/mod_socache_redis.so +#LoadModule watchdog_module modules/mod_watchdog.so +#LoadModule macro_module modules/mod_macro.so +#LoadModule dbd_module 
modules/mod_dbd.so +#LoadModule dumpio_module modules/mod_dumpio.so +#LoadModule echo_module modules/mod_echo.so +#LoadModule buffer_module modules/mod_buffer.so +#LoadModule data_module modules/mod_data.so +#LoadModule ratelimit_module modules/mod_ratelimit.so +LoadModule reqtimeout_module modules/mod_reqtimeout.so +#LoadModule ext_filter_module modules/mod_ext_filter.so +#LoadModule request_module modules/mod_request.so +LoadModule include_module modules/mod_include.so +LoadModule filter_module modules/mod_filter.so +#LoadModule reflector_module modules/mod_reflector.so +#LoadModule substitute_module modules/mod_substitute.so +#LoadModule sed_module modules/mod_sed.so +#LoadModule charset_lite_module modules/mod_charset_lite.so +#LoadModule deflate_module modules/mod_deflate.so +#LoadModule xml2enc_module modules/mod_xml2enc.so +#LoadModule proxy_html_module modules/mod_proxy_html.so +#LoadModule brotli_module modules/mod_brotli.so +LoadModule mime_module modules/mod_mime.so +#LoadModule ldap_module modules/mod_ldap.so +LoadModule log_config_module modules/mod_log_config.so +#LoadModule log_debug_module modules/mod_log_debug.so +#LoadModule log_forensic_module modules/mod_log_forensic.so +#LoadModule logio_module modules/mod_logio.so +#LoadModule lua_module modules/mod_lua.so +LoadModule env_module modules/mod_env.so +#LoadModule mime_magic_module modules/mod_mime_magic.so +#LoadModule cern_meta_module modules/mod_cern_meta.so +#LoadModule expires_module modules/mod_expires.so +LoadModule headers_module modules/mod_headers.so +#LoadModule ident_module modules/mod_ident.so +#LoadModule usertrack_module modules/mod_usertrack.so +#LoadModule unique_id_module modules/mod_unique_id.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule version_module modules/mod_version.so +#LoadModule remoteip_module modules/mod_remoteip.so +#LoadModule proxy_module modules/mod_proxy.so +#LoadModule proxy_connect_module modules/mod_proxy_connect.so +#LoadModule 
proxy_ftp_module modules/mod_proxy_ftp.so +#LoadModule proxy_http_module modules/mod_proxy_http.so +#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so +#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so +#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so +#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so +#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so +#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so +#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so +#LoadModule proxy_express_module modules/mod_proxy_express.so +#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so +#LoadModule session_module modules/mod_session.so +#LoadModule session_cookie_module modules/mod_session_cookie.so +#LoadModule session_crypto_module modules/mod_session_crypto.so +#LoadModule session_dbd_module modules/mod_session_dbd.so +LoadModule slotmem_shm_module modules/mod_slotmem_shm.so +#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so +#LoadModule ssl_module modules/mod_ssl.so +#LoadModule dialup_module modules/mod_dialup.so +#LoadModule http2_module modules/mod_http2.so +#LoadModule proxy_http2_module modules/mod_proxy_http2.so +#LoadModule md_module modules/mod_md.so +#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so +#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so +#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so +#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so +LoadModule unixd_module modules/mod_unixd.so +#LoadModule heartbeat_module modules/mod_heartbeat.so +#LoadModule heartmonitor_module modules/mod_heartmonitor.so +#LoadModule dav_module modules/mod_dav.so +LoadModule status_module modules/mod_status.so +LoadModule autoindex_module modules/mod_autoindex.so +#LoadModule asis_module modules/mod_asis.so +#LoadModule info_module modules/mod_info.so +#LoadModule suexec_module modules/mod_suexec.so + + #LoadModule 
cgid_module modules/mod_cgid.so + + + #LoadModule cgi_module modules/mod_cgi.so + +#LoadModule dav_fs_module modules/mod_dav_fs.so +#LoadModule dav_lock_module modules/mod_dav_lock.so +#LoadModule vhost_alias_module modules/mod_vhost_alias.so +LoadModule negotiation_module modules/mod_negotiation.so +LoadModule dir_module modules/mod_dir.so +#LoadModule imagemap_module modules/mod_imagemap.so +#LoadModule actions_module modules/mod_actions.so +#LoadModule speling_module modules/mod_speling.so +LoadModule userdir_module modules/mod_userdir.so +LoadModule alias_module modules/mod_alias.so +#LoadModule rewrite_module modules/mod_rewrite.so + + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User {{ apache.user or 'http' }} +Group {{ apache.group or 'http' }} + + + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin you@example.com + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. 
+# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +#ServerName www.example.com:80 + +# +# Deny access to the entirety of your server's filesystem. You must +# explicitly permit access to web content directories in other +# blocks below. +# + + AllowOverride none + Require all denied + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +DocumentRoot "{{ apache.get('docroot', apache.wwwdir or '/srv/http') }}" + +# +# Relax access to content within {{ apache.wwwdir }}. +# + + AllowOverride None + # Allow open access: + Require all granted + + +# Further relax access to the default document root: + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # + Options Indexes FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # AllowOverride FileInfo AuthConfig Limit + # + AllowOverride None + + # + # Controls who can get stuff from this server. + # + Require all granted + + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. 
+# + + DirectoryIndex index.html + + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog "{{ apache.logdir }}/error_log" + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + {%- for log_format in salt['pillar.get']('apache:log_formats', []) %} + LogFormat {{ log_format }} + {%- endfor %} + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog "/var/log/httpd/access_log" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + #CustomLog "/var/log/httpd/access_log" combined + CustomLog "{{ apache.logdir }}/access_log" combined + + + + # + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. 
The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + # + ScriptAlias /cgi-bin/ "{{ apache.wwwdir }}/cgi-bin/" + + + + + # + # ScriptSock: On threaded servers, designate the path to the UNIX + # socket used to communicate with the CGI daemon of mod_cgid. + # + #Scriptsock cgisock + + +# +# "/srv/http/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# + + AllowOverride None + Options None + Require all granted + + + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig conf/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. 
+ # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + #AddType text/html .shtml + #AddOutputFilter INCLUDES .shtml + + +# +# Specify a default charset for all content served; this enables +# interpretation of all content as UTF-8 by default. To use the +# default browser choice (ISO-8859-1), or to allow the META tags +# in HTML content to override this choice, comment out this +# directive: +# +{%- if apache.get('default_charset', False) is none %} +# AddDefaultCharset UTF-8 +{%- else %} +AddDefaultCharset {{ apache.get('default_charset', 'UTF-8') }} +{%- endif %} + + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. 
+# +#MIMEMagicFile conf/magic + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# MaxRanges: Maximum number of Ranges in a request before +# returning the entire resource, or one of the special +# values 'default', 'none' or 'unlimited'. +# Default setting is to accept 200 Ranges. +#MaxRanges unlimited + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +#EnableSendfile on + +{%- for directive, dvalue in salt['pillar.get']('apache:global', {}).items() %} +{{ directive }} {{ dvalue }} +{%- endfor %} + +# Supplemental configuration +# +# The configuration files in the conf/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as +# necessary. + +# Load config files in the "/etc/httpd/conf.d" directory, if any. 
+IncludeOptional {{ apache.confdir }}/*.conf +{% if apache.vhostdir != apache.confdir %} +IncludeOptional {{ apache.vhostdir }}/*.conf +{% endif %} + +# Server-pool management (MPM specific) +Include conf/extra/httpd-mpm.conf + +# Multi-language error messages +Include conf/extra/httpd-multilang-errordoc.conf + +# Fancy directory listings +Include conf/extra/httpd-autoindex.conf + +# Language settings +Include conf/extra/httpd-languages.conf + +# User home directories +Include conf/extra/httpd-userdir.conf + +# Real-time info on requests and configuration +#Include conf/extra/httpd-info.conf + +# Virtual hosts +#Include conf/extra/httpd-vhosts.conf + +# Local access to the Apache HTTP Server Manual +#Include conf/extra/httpd-manual.conf + +# Distributed authoring and versioning (WebDAV) + +Include conf/extra/httpd-dav.conf + + +# Various default settings +Include conf/extra/httpd-default.conf + +# Configure mod_proxy_html to understand HTML4/XHTML1 + +Include conf/extra/proxy-html.conf + + +# Secure (SSL/TLS) connections +#Include conf/extra/httpd-ssl.conf +# +# Note: The following must must be present to support +# starting without SSL on platforms with no /dev/random equivalent +# but a statically compiled-in mod_ssl. +# + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + + diff --git a/apache/files/Debian/apache-2.2.config.jinja b/apache/files/Debian/apache-2.2.config.jinja index 2e60b135..6aa89789 100644 --- a/apache/files/Debian/apache-2.2.config.jinja +++ b/apache/files/Debian/apache-2.2.config.jinja @@ -1,3 +1,6 @@ +# +# This file is managed by Salt! Do not edit by hand! + # # Based upon the NCSA server configuration files originally by Rob McCool. # diff --git a/apache/files/Debian/envvars-2.2.jinja b/apache/files/Debian/envvars-2.2.jinja index cab5b512..b5cb128c 100644 --- a/apache/files/Debian/envvars-2.2.jinja +++ b/apache/files/Debian/envvars-2.2.jinja 
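Review bot: `Options Indexes FollowSymLinks` in the "Further relax access to the default document root" block turns on automatic directory listings for every directory under `{{ apache.wwwdir }}` that lacks an index file, and `autoindex_module` is loaded unconditionally earlier in this file, so the listings are live by default; this mirrors the stock Arch httpd.conf, but a managed template is the place to drop it, e.g. `Options {{ apache.get('docroot_options', 'FollowSymLinks') }}` so sites that want listings opt in via pillar. Separately, the charset logic near the end disables the directive only for a pillar value of `null`: `apache.get('default_charset', False) is none` is false for `default_charset: false`, and the else branch then renders `AddDefaultCharset False`, which httpd would treat as a literal charset name; `{%- if not apache.get('default_charset', 'UTF-8') %}` covers null, false and the absent key in one test. Note that the `<Directory>`/`<IfModule>` container lines of this file appear to have been stripped by the page rendering, so the scoping of these directives could not be checked from here.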
@@ -1,7 +1,6 @@ # # This file is managed by Salt! Do not edit by hand! # -{% from "apache/map.jinja" import apache with context -%} # envvars - default environment variables for apache2ctl diff --git a/apache/files/Debian/envvars-2.4.jinja b/apache/files/Debian/envvars-2.4.jinja index debf3ffb..fbd9bf34 100644 --- a/apache/files/Debian/envvars-2.4.jinja +++ b/apache/files/Debian/envvars-2.4.jinja @@ -1,7 +1,6 @@ # # This file is managed by Salt! Do not edit by hand! # -{% from "apache/map.jinja" import apache with context -%} # envvars - default environment variables for apache2ctl diff --git a/apache/files/Debian/modsecurity.conf.jinja b/apache/files/Debian/modsecurity.conf.jinja index baee0657..dd920719 100644 --- a/apache/files/Debian/modsecurity.conf.jinja +++ b/apache/files/Debian/modsecurity.conf.jinja @@ -10,7 +10,7 @@ {%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%} {%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%} # -# This file is managed/autogenerated by salt. +# This file is managed by Salt! Do not edit by hand! # Modify the salt pillar that generates this file instead # # -- Rule engine initialization ---------------------------------------------- diff --git a/apache/files/Debian/ports-2.2.conf.jinja b/apache/files/Debian/ports-2.2.conf.jinja index ae51eb12..4a610698 100644 --- a/apache/files/Debian/ports-2.2.conf.jinja +++ b/apache/files/Debian/ports-2.2.conf.jinja @@ -1,7 +1,6 @@ # # This file is managed by Salt! Do not edit by hand! # -{%- from "apache/map.jinja" import apache with context -%} {% if salt['pillar.get']('apache:sites') is mapping %} {%- set listen_directives = [] %} diff --git a/apache/files/Debian/ports-2.4.conf.jinja b/apache/files/Debian/ports-2.4.conf.jinja index ae51eb12..4a610698 100644 --- a/apache/files/Debian/ports-2.4.conf.jinja +++ b/apache/files/Debian/ports-2.4.conf.jinja 
@@ -1,7 +1,6 @@ # # This file is managed by Salt! Do not edit by hand! # -{%- from "apache/map.jinja" import apache with context -%} {% if salt['pillar.get']('apache:sites') is mapping %} {%- set listen_directives = [] %} diff --git a/apache/files/FreeBSD/envvars-2.4.jinja b/apache/files/FreeBSD/envvars-2.4.jinja index d57bda39..34dff9e8 100644 --- a/apache/files/FreeBSD/envvars-2.4.jinja +++ b/apache/files/FreeBSD/envvars-2.4.jinja @@ -1,7 +1,6 @@ # # This file is managed by Salt! Do not edit by hand! # -{%- from "apache/map.jinja" import apache with context -%} # envvars - default environment variables for apache2ctl diff --git a/apache/files/FreeBSD/mod_cgi.conf.jinja b/apache/files/FreeBSD/mod_cgi.conf.jinja index 3ce6f67c..de72bd96 100644 --- a/apache/files/FreeBSD/mod_cgi.conf.jinja +++ b/apache/files/FreeBSD/mod_cgi.conf.jinja @@ -1,5 +1,3 @@ -{% from "apache/map.jinja" import apache with context %} - LoadModule cgid_module libexec/{{ apache.service }}/mod_cgid.so diff --git a/apache/files/FreeBSD/mod_perl.conf.jinja b/apache/files/FreeBSD/mod_perl.conf.jinja index 6a525f4e..b4da00b4 100644 --- a/apache/files/FreeBSD/mod_perl.conf.jinja +++ b/apache/files/FreeBSD/mod_perl.conf.jinja @@ -1,3 +1 @@ -{% from "apache/map.jinja" import apache with context %} - LoadModule perl_module libexec/{{ apache.service }}/mod_perl.so diff --git a/apache/files/FreeBSD/mod_php5.conf.jinja b/apache/files/FreeBSD/mod_php5.conf.jinja index 7281a727..715fd9b9 100644 --- a/apache/files/FreeBSD/mod_php5.conf.jinja +++ b/apache/files/FreeBSD/mod_php5.conf.jinja @@ -1,5 +1,3 @@ -{% from "apache/map.jinja" import apache with context %} - LoadModule php5_module /usr/local/libexec/{{ apache.service }}/libphp5.so DirectoryIndex index.html index.php diff --git a/apache/files/FreeBSD/mod_proxy.conf.jinja b/apache/files/FreeBSD/mod_proxy.conf.jinja index 659957e8..6b732d3f 100644 --- a/apache/files/FreeBSD/mod_proxy.conf.jinja +++ b/apache/files/FreeBSD/mod_proxy.conf.jinja 
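Review bot: With the `{% from "apache/map.jinja" import apache with context %}` line removed, this template still expands `{{ apache.service }}` on the very next line, so it renders only if the state that manages it now passes `apache` in (`- context: {apache: apache}` or via `- defaults:`); that state is not in this chunk. As far as I know Salt's Jinja renderer uses strict undefined handling, so the failure mode would be a failed `file.managed` rather than a silently wrong `LoadModule` path, but every FreeBSD `mod_*.conf.jinja`, the `envvars-*.jinja` and the `ports-*.conf.jinja` templates in this diff lose the same import, so please verify the corresponding states together. A one-line header such as `{# expects 'apache' from the managing state's context #}` in each of these templates would also help, since the removed import was the only hint where `apache` came from.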
@@ -1,3 +1 @@ -{% from "apache/map.jinja" import apache with context %} - LoadModule proxy_module libexec/{{ apache.service }}/mod_proxy.so diff --git a/apache/files/FreeBSD/mod_proxy_http.conf.jinja b/apache/files/FreeBSD/mod_proxy_http.conf.jinja index 81b8294e..f42063de 100644 --- a/apache/files/FreeBSD/mod_proxy_http.conf.jinja +++ b/apache/files/FreeBSD/mod_proxy_http.conf.jinja @@ -1,3 +1 @@ -{% from "apache/map.jinja" import apache with context %} - LoadModule proxy_http_module libexec/{{ apache.service }}/mod_proxy_http.so diff --git a/apache/files/FreeBSD/mod_rewrite.conf.jinja b/apache/files/FreeBSD/mod_rewrite.conf.jinja index 4e14e01a..11c0e23b 100644 --- a/apache/files/FreeBSD/mod_rewrite.conf.jinja +++ b/apache/files/FreeBSD/mod_rewrite.conf.jinja @@ -1,3 +1 @@ -{% from "apache/map.jinja" import apache with context %} - LoadModule rewrite_module libexec/{{ apache.service }}/mod_rewrite.so diff --git a/apache/files/FreeBSD/mod_suexec.conf.jinja b/apache/files/FreeBSD/mod_suexec.conf.jinja index 607ead33..b1497de7 100644 --- a/apache/files/FreeBSD/mod_suexec.conf.jinja +++ b/apache/files/FreeBSD/mod_suexec.conf.jinja @@ -1,3 +1 @@ -{% from "apache/map.jinja" import apache with context %} - LoadModule suexec_module libexec/{{ apache.service }}/mod_suexec.so diff --git a/apache/files/FreeBSD/ports-2.4.conf.jinja b/apache/files/FreeBSD/ports-2.4.conf.jinja index ae51eb12..4a610698 100644 --- a/apache/files/FreeBSD/ports-2.4.conf.jinja +++ b/apache/files/FreeBSD/ports-2.4.conf.jinja @@ -1,7 +1,6 @@ # # This file is managed by Salt! Do not edit by hand! # -{%- from "apache/map.jinja" import apache with context -%} {% if salt['pillar.get']('apache:sites') is mapping %} {%- set listen_directives = [] %} diff --git a/apache/files/RedHat/apache-2.2.config.jinja b/apache/files/RedHat/apache-2.2.config.jinja index c2bc11f5..6a15ecb6 100644 --- a/apache/files/RedHat/apache-2.2.config.jinja +++ b/apache/files/RedHat/apache-2.2.config.jinja 
@@ -1,4 +1,7 @@
 #
+# This file is managed by Salt! Do not edit by hand!
+#
+
 # This is the main Apache HTTP server configuration file. It contains the
 # configuration directives that give the server its instructions.
 # See for detailed information.
diff --git a/apache/files/RedHat/apache-2.4.config.jinja b/apache/files/RedHat/apache-2.4.config.jinja
index c5770da3..ab9f5c82 100644
--- a/apache/files/RedHat/apache-2.4.config.jinja
+++ b/apache/files/RedHat/apache-2.4.config.jinja
@@ -1,7 +1,6 @@
 #
 # This file is managed by Salt! Do not edit by hand!
 #
-{% from "apache/map.jinja" import apache with context %}
 #
 # This is the main Apache HTTP server configuration file. It contains the
 # configuration directives that give the server its instructions.
diff --git a/apache/files/RedHat/conf.modules.d/00-log.conf.jinja b/apache/files/RedHat/conf.modules.d/00-log.conf.jinja
new file mode 100644
index 00000000..dc06b9a5
--- /dev/null
+++ b/apache/files/RedHat/conf.modules.d/00-log.conf.jinja
@@ -0,0 +1,9 @@
+#
+# This file is managed by Salt! Do not edit by hand!
+#
+#
+# This file configures all the logging modules:
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule log_debug_module modules/mod_log_debug.so
+LoadModule log_forensic_module modules/mod_log_forensic.so
+LoadModule logio_module modules/mod_logio.so
diff --git a/apache/files/RedHat/conf.modules.d/00-mpm.conf.jinja b/apache/files/RedHat/conf.modules.d/00-mpm.conf.jinja
index 336c0346..dcad4ca6 100644
--- a/apache/files/RedHat/conf.modules.d/00-mpm.conf.jinja
+++ b/apache/files/RedHat/conf.modules.d/00-mpm.conf.jinja
@@ -1,4 +1,6 @@
-# managed by saltstack
+#
+# This file is managed by Salt! Do not edit by hand!
+#
 {% set mpm_module = 'mpm_prefork' -%}
 {% set mpm_param = salt['pillar.get']('apache:mod_mpm_prefork', {}) -%}
diff --git a/apache/files/RedHat/conf.modules.d/10-geoip.conf.jinja b/apache/files/RedHat/conf.modules.d/10-geoip.conf.jinja
new file mode 100644
index 00000000..0cfd7768
--- /dev/null +++ b/apache/files/RedHat/conf.modules.d/10-geoip.conf.jinja @@ -0,0 +1,5 @@ +# +# This file is managed by Salt! Do not edit by hand! +# + +LoadModule geoip_module /usr/lib64/httpd/modules/mod_geoip.so diff --git a/apache/files/RedHat/conf.modules.d/remoteip.conf.jinja b/apache/files/RedHat/conf.modules.d/remoteip.conf.jinja index 17260b3c..163feecc 100644 --- a/apache/files/RedHat/conf.modules.d/remoteip.conf.jinja +++ b/apache/files/RedHat/conf.modules.d/remoteip.conf.jinja @@ -1,4 +1,6 @@ -# managed by saltstack +# +# This file is managed by Salt! Do not edit by hand! +# RemoteIPHeader {{ salt['pillar.get']('apache:mod_remoteip:RemoteIPHeader', 'X-Forwarded-For') }} {%- for trusted_proxy in salt['pillar.get']('apache:mod_remoteip:RemoteIPTrustedProxy', []) %} diff --git a/apache/files/RedHat/modsecurity.conf.jinja b/apache/files/RedHat/modsecurity.conf.jinja index 2fa04c6c..03f04507 100644 --- a/apache/files/RedHat/modsecurity.conf.jinja +++ b/apache/files/RedHat/modsecurity.conf.jinja @@ -10,7 +10,7 @@ {%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%} {%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%} # -# This file is managed/autogenerated by salt. +# This file is managed by Salt! Do not edit by hand! # Modify the salt pillar that generates this file instead # @@ -21,8 +21,13 @@ LoadModule security2_module modules/mod_security2.so # ModSecurity Core Rules Set configuration - Include modsecurity.d/*.conf - Include modsecurity.d/activated_rules/*.conf + {%- if 'osfinger' in grains and grains.osfinger in ('Red Hat Enterprise Linux Server-6', 'CentOS-6') %} + Include modsecurity.d/*.conf + Include modsecurity.d/activated_rules/*.conf + {%- else %} + IncludeOptional modsecurity.d/*.conf + IncludeOptional modsecurity.d/activated_rules/*.conf + {%- endif %} # Default recommended configuration SecRuleEngine {{ sec_rule_engine }} 
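Review bot: `LoadModule geoip_module /usr/lib64/httpd/modules/mod_geoip.so` hard-codes the lib64 layout, while the sibling `00-log.conf.jinja` added in the same commit loads its modules ServerRoot-relative as `modules/mod_*.so`; on an i686 or otherwise differently laid-out RedHat-family host the absolute path fails at startup with a missing-module error. Unless mod_geoip is known to live outside ServerRoot's `modules/` link (nothing here says so), `LoadModule geoip_module modules/mod_geoip.so` keeps the two files consistent and portable.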
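Review bot: The new `IncludeOptional` branch changes a failure mode worth calling out: on httpd 2.4 a wildcard `Include` matching no files is a configtest error, so a host whose `modsecurity.d/activated_rules/` was never populated used to be caught at `apachectl configtest`, whereas with `IncludeOptional` the same host starts cleanly with `SecRuleEngine {{ sec_rule_engine }}` set and zero rules loaded, i.e. a WAF that looks enabled but enforces nothing. At minimum a comment above the block should say this, and ideally the state that manages this file (outside this diff) should `require` the rules directory. Separately, the `osfinger` test only names `Red Hat Enterprise Linux Server-6` and `CentOS-6`; any other EL6 derivative this formula supports would take the 2.4 branch and fail on `IncludeOptional`, so keying on the release, `{%- if grains.os_family == 'RedHat' and grains.osmajorrelease|int < 7 %}`, looks more robust, though I have not checked which fingerprints the formula targets.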
diff --git a/apache/files/RedHat/ssl.conf b/apache/files/RedHat/ssl.conf index 933cb08e..3199d36e 100644 --- a/apache/files/RedHat/ssl.conf +++ b/apache/files/RedHat/ssl.conf @@ -1,4 +1,7 @@ - ## + # + # This file is managed by Salt! Do not edit by hand! + # + ## SSL Global Context ## ## All SSL configuration in this context applies both to diff --git a/apache/files/Suse/apache-2.2.config.jinja b/apache/files/Suse/apache-2.2.config.jinja new file mode 100644 index 00000000..eeedf32a --- /dev/null +++ b/apache/files/Suse/apache-2.2.config.jinja 
@@ -0,0 +1,235 @@ +# +# This file is managed by Salt! Do not edit by hand +# +# +# /etc/apache2/httpd.conf +# +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information about +# the directives. + +# Based upon the default apache configuration file that ships with apache, +# which is based upon the NCSA server configuration files originally by Rob +# McCool. This file was knocked together by Peter Poeml . + +# If possible, avoid changes to this file. It does mainly contain Include +# statements and global settings that can/should be overridden in the +# configuration of your virtual hosts. + +# Quickstart guide: +# http://en.opensuse.org/SDB:Apache_installation + + +# Overview of include files, chronologically: +# +# httpd.conf +# | +# |-- uid.conf . . . . . . . . . . . . . . UserID/GroupID to run under +# |-- server-tuning.conf . . . . . . . . . sizing of the server (how many processes to start, ...) +# |-- loadmodule.conf . . . . . . . . . . . [*] load these modules +# |-- listen.conf . . . . . . . . . . . . . IP adresses / ports to listen on +# |-- mod_log_config.conf . . . . . . . . . define logging formats +# |-- global.conf . . . . . . . . . . . . . [*] server-wide general settings +# |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring) +# |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info +# |-- mod_reqtimeout.conf . . . . . . . . . set timeout and minimum data rate for receiving requests +# |-- mod_cgid-timeout.conf . . . . . . . . set CGIDScriptTimeout if mod_cgid is loaded/active +# |-- mod_usertrack.conf . . . . . . . . . defaults for cookie-based user tracking +# |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings +# |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration +# |-- errors.conf . . . . . . . . . . . . . 
customize error responses +# |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts +# | +# |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests +# | |--mod_userdir.conf . . . . . . . . enable UserDir (if mod_userdir is loaded) +# | `--conf.d/apache2-manual?conf . . . add the docs ('?' = if installed) +# | +# `-- vhosts.d/ . . . . . . . . . . . . . . for each virtual host, place one file here +# `-- *.conf . . . . . . . . . . . . . (*.conf is automatically included) +# +# +# Files marked [*] are NOT read when server is started via systemd service. When server +# is started via service, defaults from /etc/sysconfig/apache2 are taken into account. +# + + + +# Filesystem layout: +# +# /etc/apache2/ +# |-- charset.conv . . . . . . . . . . . . for mod_auth_ldap +# |-- conf.d/ +# | |-- apache2-manual.conf . . . . . . . conf that comes with apache2-doc +# | |-- mod_php4.conf . . . . . . . . . . (example) conf that comes with apache2-mod_php4 +# | `-- ... . . . . . . . . . . . . . . . other configuration added by packages +# |-- default-server.conf +# |-- errors.conf +# |-- httpd.conf . . . . . . . . . . . . . top level configuration file +# |-- listen.conf +# |-- magic +# |-- mime.types -> ../mime.types +# |-- mod_autoindex-defaults.conf +# |-- mod_info.conf +# |-- mod_log_config.conf +# |-- mod_mime-defaults.conf +# |-- mod_perl-startup.pl +# |-- mod_status.conf +# |-- mod_userdir.conf +# |-- mod_usertrack.conf +# |-- server-tuning.conf +# |-- ssl-global.conf +# |-- ssl.crl/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Revocation Lists (CRL) +# |-- ssl.crt/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificates +# |-- ssl.csr/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Signing Requests +# |-- ssl.key/ . . . . . . . . . . . . . . PEM-encoded RSA Private Keys +# |-- ssl.prm/ . . . . . . . . . . . . . . 
public DSA Parameter Files +# |-- global.conf +# |-- loadmodule.conf +# |-- uid.conf +# `-- vhosts.d/ . . . . . . . . . . . . . . put your virtual host configuration (*.conf) here +# |-- vhost-ssl.template +# `-- vhost.template + + + +### Global Environment ###################################################### +# +# The directives in this section affect the overall operation of Apache, +# such as the number of concurrent requests. + +# run under this user/group id +Include /etc/apache2/uid.conf + +# - how many server processes to start (server pool regulation) +# - usage of KeepAlive +Include /etc/apache2/server-tuning.conf + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +ErrorLog /var/log/apache2/error_log + +# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2 + + Include /etc/apache2/loadmodule.conf + + +# IP addresses / ports to listen on +Include /etc/apache2/listen.conf + +# predefined logging formats +Include /etc/apache2/mod_log_config.conf + +# generated from default values of global settings in /etc/sysconfig/apache2 + + Include /etc/apache2/global.conf + + +# optional mod_status, mod_info +Include /etc/apache2/mod_status.conf +Include /etc/apache2/mod_info.conf + +# mod_reqtimeout protects the server from the so-called "slowloris" +# attack: The server is not swamped with requests in fast succession, +# but with slowly transmitted request headers and body, thereby filling up +# the request slots until the server runs out of them. +# mod_reqtimeout is lightweight and should deliver good results +# with the configured default values. You shouldn't notice it at all. 
+Include /etc/apache2/mod_reqtimeout.conf + +# Fix for CVE-2014-0231 introduces new configuration parameter +# CGIDScriptTimeout. This directive and its effect prevent request +# workers to be eaten until starvation if cgi programs do not send +# output back to the server within the timout set by CGIDScriptTimeout. +Include /etc/apache2/mod_cgid-timeout.conf + +# optional cookie-based user tracking +# read the documentation before using it!! +Include /etc/apache2/mod_usertrack.conf + +# configuration of server-generated directory listings +Include /etc/apache2/mod_autoindex-defaults.conf + +# associate MIME types with filename extensions +TypesConfig /etc/apache2/mime.types +Include /etc/apache2/mod_mime-defaults.conf + +# set up (customizable) error responses +Include /etc/apache2/errors.conf + +# global (server-wide) SSL configuration, that is not specific to +# any virtual host +Include /etc/apache2/ssl-global.conf + +{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%} +Include /etc/apache24/conf.d/tls-defaults.conf +{%- endif %} + +# forbid access to the entire filesystem by default + + Options None + AllowOverride None + + Require all denied + + + Order deny,allow + Deny from all + + + +# use .htaccess files for overriding, +AccessFileName .htaccess +# and never show them + + + Require all denied + + + Order allow,deny + Deny from all + + + +# List of resources to look for when the client requests a directory +DirectoryIndex index.html index.html.var + +### 'Main' server configuration ############################################# +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. 
+# +Include /etc/apache2/default-server.conf + + +### Virtual server configuration ############################################ +# +# VirtualHost: If you want to maintain multiple domains/hostnames on your +# machine you can setup VirtualHost containers for them. Most configurations +# use only name-based virtual hosts so the server doesn't need to worry about +# IP addresses. This is indicated by the asterisks in the directives below. +# +# Please see the documentation at +# +# for further details before you try to setup virtual hosts. +# +# You may use the command line option '-S' to verify your virtual host +# configuration. +# +IncludeOptional /etc/apache2/vhosts.d/*.conf + + +# Note: instead of adding your own configuration here, consider +# adding it in your own file (/etc/apache2/httpd.conf.local) +# putting its name into APACHE_CONF_INCLUDE_FILES in +# /etc/sysconfig/apache2 -- this will make system updates +# easier :) diff --git a/apache/files/Suse/apache-2.4.config.jinja b/apache/files/Suse/apache-2.4.config.jinja index b83874f4..4dd7654d 100644 --- a/apache/files/Suse/apache-2.4.config.jinja +++ b/apache/files/Suse/apache-2.4.config.jinja @@ -1,4 +1,7 @@ # +# This file is managed by Salt! Do not edit by hand! +# + # /etc/apache2/httpd.conf # # This is the main Apache server configuration file. It contains the diff --git a/apache/files/Suse/modsecurity.conf.jinja b/apache/files/Suse/modsecurity.conf.jinja new file mode 100644 index 00000000..52d833b7 --- /dev/null +++ b/apache/files/Suse/modsecurity.conf.jinja 
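Review bot: `Include /etc/apache24/conf.d/tls-defaults.conf` inside the `manage_tls_defaults` guard is the FreeBSD path; every other Include in this SUSE template is under `/etc/apache2/`. A non-wildcard `Include` of a missing file is a fatal configuration error, so setting `apache:mod_ssl:manage_tls_defaults: true` on a SUSE 2.2 host would keep httpd from starting unless some state writes to `/etc/apache24` there, which nothing in this diff does; presumably this should be `Include /etc/apache2/conf.d/tls-defaults.conf`, matching wherever the ssl state drops the file on SUSE (please verify). The `Directory`/`Files`/`IfVersion` container lines also appear to have been stripped in this rendering, so the access-control blocks around `Require all denied` could not be reviewed as written.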
@@ -0,0 +1,72 @@ +{%- set apache = pillar.get('apache', {}) %} +{%- set modsec = apache.get('mod_security', {}) %} +{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%} +{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%} +{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%} +{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%} +{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%} +{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%} +{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%} +{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%} +{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%} +# +# This file is managed by Salt! Do not edit by hand! +# Modify the salt pillar that generates this file instead +# + +LoadModule security2_module modules/mod_security2.so + + + # ModSecurity Core Rules Set configuration + IncludeOptional modsecurity.d/*.conf + IncludeOptional modsecurity.d/activated_rules/*.conf + + # Default recommended configuration + SecRuleEngine {{ sec_rule_engine }} + SecRequestBodyAccess {{ sec_request_body_access }} + SecRule REQUEST_HEADERS:Content-Type "text/xml" \ + "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" + SecRequestBodyLimit {{ sec_request_body_limit }} + SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }} + SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }} + SecRequestBodyLimitAction {{ sec_request_body_limit_action }} + SecRule REQBODY_ERROR "!@eq 0" \ + "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" + SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ + 
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \ + failed strict validation: \ + PE %{REQBODY_PROCESSOR_ERROR}, \ + BQ %{MULTIPART_BOUNDARY_QUOTED}, \ + BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ + DB %{MULTIPART_DATA_BEFORE}, \ + DA %{MULTIPART_DATA_AFTER}, \ + HF %{MULTIPART_HEADER_FOLDING}, \ + LF %{MULTIPART_LF_LINE}, \ + SM %{MULTIPART_MISSING_SEMICOLON}, \ + IQ %{MULTIPART_INVALID_QUOTING}, \ + IP %{MULTIPART_INVALID_PART}, \ + IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ + FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" + + SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ + "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" + + SecPcreMatchLimit {{ sec_pcre_match_limit }} + SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }} + + SecRule TX:/^MSC_/ "!@streq 0" \ + "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" + + SecResponseBodyAccess Off + SecDebugLog /var/log/apache2/modsec_debug.log + SecDebugLogLevel {{ sec_debug_log_level }} + SecAuditEngine RelevantOnly + SecAuditLogRelevantStatus "^(?:5|4(?!04))" + SecAuditLogParts ABIJDEFHZ + SecAuditLogType Serial + SecAuditLog /var/log/apache2/modsec_audit.log + SecArgumentSeparator & + SecCookieFormat 0 + SecTmpDir /var/lib/mod_security + SecDataDir /var/lib/mod_security + diff --git a/apache/files/dummy.conf b/apache/files/dummy.conf new file mode 100644 index 00000000..e69de29b diff --git a/apache/files/myname.conf b/apache/files/myname.conf new file mode 100644 index 00000000..df9e93e2 --- /dev/null +++ b/apache/files/myname.conf @@ -0,0 +1,2 @@ + + diff --git a/apache/files/security.conf.jinja b/apache/files/ssl/security.conf.jinja similarity index 100% rename from apache/files/security.conf.jinja rename to apache/files/ssl/security.conf.jinja 
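Review bot: The template's defaults leave `SecRuleEngine` at `DetectionOnly` and pull the rule set through `IncludeOptional modsecurity.d/*.conf`, so a host built from default pillar logs but never blocks, and a missing `modsecurity.d` directory (the include is ServerRoot-relative) passes configtest unnoticed; that is the upstream-recommended starting posture, but it should be stated in the header, e.g. `# NOTE: defaults are DetectionOnly with optional rule includes; set apache:mod_security:sec_rule_engine: 'On' and deploy the CRS to enforce`. `SecTmpDir`/`SecDataDir /var/lib/mod_security` must exist and be writable by the httpd user and nothing in this diff creates it, so please confirm the SUSE package does. Apart from the log and data paths this file is a near copy of the RedHat template visible earlier in the same commit; a single template with the OS-specific paths supplied from map.jinja would stop the two drifting apart.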
diff --git a/apache/files/tls-defaults.conf.jinja b/apache/files/ssl/tls-defaults.conf.jinja similarity index 100% rename from apache/files/tls-defaults.conf.jinja rename to apache/files/ssl/tls-defaults.conf.jinja diff --git a/apache/flags.sls b/apache/flags.sls deleted file mode 100644 index 4f9f6020..00000000 --- a/apache/flags.sls +++ /dev/null @@ -1,36 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -{% if salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %} - -include: - - apache - -{% for flag in salt['pillar.get']('apache:flags:enabled', []) %} -a2enflag {{ flag }}: - cmd.run: - - unless: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }} - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endfor %} - -{% for module in salt['pillar.get']('apache:flags:disabled', []) %} -a2disflag -f {{ flag }}: - cmd.run: - - onlyif: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }} - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endfor %} - -{% endif %} diff --git a/apache/init.sls b/apache/init.sls index 744d6f20..858a8e6e 100644 --- a/apache/init.sls +++ b/apache/init.sls 
@@ -1,57 +1,7 @@ -{% from "apache/map.jinja" import apache with context %} +# -*- coding: utf-8 -*- +# vim: ft=sls -apache: - pkg.installed: - - name: {{ apache.server }} - group.present: - - name: {{ apache.group }} - - system: True - user.present: - - name: {{ apache.user }} - - gid: {{ apache.group }} - - system: True - {# By default run apache service states (unless pillar is false) #} - {% if salt['pillar.get']('apache:manage_service_states', True) %} - service.{{ apache.service_state }}: - - name: {{ apache.service }} - {% if apache.service_state in [ 'running', 'dead' ] %} - - enable: True - {% endif %} - -# The following states are inert by default and can be used by other states to -# trigger a restart or reload as needed. -apache-reload: - module.wait: -{% if apache.service_state in ['running'] %} - - name: service.reload - - m_name: {{ apache.service }} -{% else %} - - name: cmd.run - - cmd: {{ apache.custom_reload_command|default('apachectl graceful') }} - - python_shell: True -{% endif %} - -apache-restart: - module.wait: -{% if apache.service_state in ['running'] %} - - name: service.restart - - m_name: {{ apache.service }} -{% else %} - - name: cmd.run - - cmd: {{ apache.custom_reload_command|default('apachectl graceful') }} - - python_shell: True -{% endif %} - - {% else %} - -apache-reload: - test.show_notification: - - name: Skipping reload per user request - - text: Pillar manage_service_states is False - -apache-restart: - test.show_notification: - - name: Skipping restart per user request - - text: Pillar manage_service_states is False - - {% endif %} +include: + - .package + - .config + - .service diff --git a/apache/libsaltcli.jinja b/apache/libsaltcli.jinja new file mode 100644 index 00000000..5c3593ef --- /dev/null +++ b/apache/libsaltcli.jinja 
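Review bot: The new `include` of `.package`/`.config`/`.service` drops the `apache-reload` and `apache-restart` state IDs and the `manage_service_states` pillar gate that lived here, and the `flags.sls` and `manage_security.sls` deleted in this same commit show those IDs were the hook other states used (`watch_in: - module: apache-restart`, `require_in: - service: apache`). If `apache.service` does not re-declare them, any out-of-tree state still referencing them fails with a missing-requisite error and `manage_service_states: false` silently stops having an effect; the included files are outside this diff, so I could not confirm either way. A header comment here recording where those IDs now live (or that they were removed), plus a CHANGELOG/README entry if this is a breaking change, would make the migration safe.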
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{#- Get the relevant values from the `opts` dict #}
+{%- set opts_cli = opts.get('__cli', '') %}
+{%- set opts_masteropts_cli = opts | traverse('__master_opts__:__cli', '') %}
+
+{#- Determine the type of salt command being run #}
+{%- if opts_cli == 'salt-minion' %}
+{%- set cli = 'minion' %}
+{%- elif opts_cli == 'salt-call' %}
+{%- set cli = 'ssh' if opts_masteropts_cli in ('salt-ssh', 'salt-master') else 'local' %}
+{%- else %}
+{%- set cli = 'unknown' %}
+{%- endif %}
+{%- do salt['log.debug']('[libsaltcli] the salt command type has been identified to be: ' ~ cli) %}
diff --git a/apache/libtofs.jinja b/apache/libtofs.jinja
new file mode 100644
index 00000000..06689258
--- /dev/null
+++ b/apache/libtofs.jinja
@@ -0,0 +1,112 @@ +{%- macro files_switch(source_files, + lookup=None, + default_files_switch=['id', 'os_family'], + indent_width=6, + use_subpath=False) %} + {#- + Returns a valid value for the "source" parameter of a "file.managed" + state function. This makes easier the usage of the Template Override and + Files Switch (TOFS) pattern. + + Params: + * source_files: ordered list of files to look for + * lookup: key under ':tofs:source_files' to prepend to the + list of source files + * default_files_switch: if there's no config (e.g. pillar) + ':tofs:files_switch' this is the ordered list of grains to + use as selector switch of the directories under + "/files" + * indent_width: indentation of the result value to conform to YAML + * use_subpath: defaults to `False` but if set, lookup the source file + recursively from the current state directory up to `tplroot` + + Example (based on a `tplroot` of `xxx`): + + If we have a state: + + Deploy configuration: + file.managed: + - name: /etc/yyy/zzz.conf + - source: {{ files_switch(['/etc/yyy/zzz.conf', '/etc/yyy/zzz.conf.jinja'], + lookup='Deploy configuration' + ) }} + - template: jinja + + In a minion with id=theminion and os_family=RedHat, it's going to be + rendered as: + + Deploy configuration: + file.managed: + - name: /etc/yyy/zzz.conf + - source: + - salt://xxx/files/theminion/etc/yyy/zzz.conf + - salt://xxx/files/theminion/etc/yyy/zzz.conf.jinja + - salt://xxx/files/RedHat/etc/yyy/zzz.conf + - salt://xxx/files/RedHat/etc/yyy/zzz.conf.jinja + - salt://xxx/files/default/etc/yyy/zzz.conf + - salt://xxx/files/default/etc/yyy/zzz.conf.jinja + - template: jinja + #} + {#- Get the `tplroot` from `tpldir` #} + {%- set tplroot = tpldir.split('/')[0] %} + {%- set path_prefix = salt['config.get'](tplroot ~ ':tofs:path_prefix', tplroot) %} + {%- set files_dir = salt['config.get'](tplroot ~ ':tofs:dirs:files', 'files') %} + {%- set files_switch_list = salt['config.get']( + tplroot ~ ':tofs:files_switch', + 
default_files_switch + ) %} + {#- Lookup source_files (v2), files (v1), or fallback to an empty list #} + {%- set src_files = salt['config.get']( + tplroot ~ ':tofs:source_files:' ~ lookup, + salt['config.get'](tplroot ~ ':tofs:files:' ~ lookup, []) + ) %} + {#- Append the default source_files #} + {%- set src_files = src_files + source_files %} + {#- Only add to [''] when supporting older TOFS implementations #} + {%- set path_prefix_exts = [''] %} + {%- if use_subpath and tplroot != tpldir %} + {#- Walk directory tree to find {{ files_dir }} #} + {%- set subpath_parts = tpldir.lstrip(tplroot).lstrip('/').split('/') %} + {%- for path in subpath_parts %} + {%- set subpath = subpath_parts[0:loop.index] | join('/') %} + {%- do path_prefix_exts.append('/' ~ subpath) %} + {%- endfor %} + {%- endif %} + {%- for path_prefix_ext in path_prefix_exts|reverse %} + {%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %} + {#- For older TOFS implementation, use `files_switch` from the config #} + {#- Use the default, new method otherwise #} + {%- set fsl = salt['config.get']( + tplroot ~ path_prefix_ext|replace('/', ':') ~ ':files_switch', + files_switch_list + ) %} + {#- Append an empty value to evaluate as `default` in the loop below #} + {%- if '' not in fsl %} + {%- set fsl = fsl + [''] %} + {%- endif %} + {%- for fs in fsl %} + {%- for src_file in src_files %} + {%- if fs %} + {%- set fs_dirs = salt['config.get'](fs, fs) %} + {%- else %} + {%- set fs_dirs = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %} + {%- endif %} + {#- Force the `config.get` lookup result as a list where necessary #} + {#- since we need to also handle grains that are lists #} + {%- if fs_dirs is string %} + {%- set fs_dirs = [fs_dirs] %} + {%- endif %} + {%- for fs_dir in fs_dirs %} + {%- set url = [ + '- salt:/', + path_prefix_inc_ext.strip('/'), + files_dir.strip('/'), + fs_dir.strip('/'), + src_file.strip('/'), + ] | select | join('/') %} +{{ url | indent(indent_width, 
true) }} + {%- endfor %} + {%- endfor %} + {%- endfor %} + {%- endfor %} +{%- endmacro %} diff --git a/apache/logrotate.sls b/apache/logrotate.sls deleted file mode 100644 index 3696ad7c..00000000 --- a/apache/logrotate.sls +++ /dev/null @@ -1,26 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -{{ apache.logrotatedir }}: - file: - - managed - - contents: | - {{ apache.logdir }}/*.log { - daily - missingok - rotate 14 - compress - delaycompress - notifempty - create 640 root adm - sharedscripts - postrotate - if /etc/init.d/{{ apache.service }} status > /dev/null ; then \ - /etc/init.d/{{ apache.service }} reload > /dev/null; \ - fi; - endscript - prerotate - if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ - run-parts /etc/logrotate.d/httpd-prerotate; \ - fi; \ - endscript - } diff --git a/apache/manage_security.sls b/apache/manage_security.sls deleted file mode 100644 index f4b176c1..00000000 --- a/apache/manage_security.sls +++ /dev/null @@ -1,31 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -{%- macro security_config(name) %} -{{ name }}: - file.managed: - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja - - salt://apache/files/security.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{%- endmacro %} - -include: - - apache - -{% if grains['os_family']=="Debian" %} - -{{ security_config('/etc/apache2/conf-available/security.conf') }} - - onlyif: test -f '/etc/apache2/conf-available/security.conf' - -{% elif grains['os_family']=="FreeBSD" %} -{{ security_config(apache.confdir+'/security.conf') }} -{% endif %} diff --git a/apache/map.jinja b/apache/map.jinja index 7bc5dd4a..f46aca9a 100644 --- a/apache/map.jinja +++ b/apache/map.jinja 
@@ -1,23 +1,79 @@ -{#- vi: set ft=jinja: #} +# -*- coding: utf-8 -*- +# vim: ft=jinja -{%- import_yaml "apache/defaults.yaml" as default_settings %} -{%- import_yaml "apache/osfamilymap.yaml" as osfamilymap %} -{%- import_yaml "apache/oscodenamemap.yaml" as oscodenamemap %} -{%- import_yaml "apache/osfingermap.yaml" as osfingermap %} -{%- import_yaml "apache/modsecurity.yaml" as modsec %} +{%- set tplroot = tpldir.split('/')[0] %} +{%- import_yaml tplroot ~ "/defaults.yaml" as default_settings %} +{%- import_yaml tplroot ~ "/osarchmap.yaml" as osarchmap %} +{%- import_yaml tplroot ~ "/osfamilymap.yaml" as osfamilymap %} +{%- import_yaml tplroot ~ "/osmap.yaml" as osmap %} +{%- import_yaml tplroot ~ "/osfingermap.yaml" as osfingermap %} +{%- import_yaml tplroot ~ "/oscodenamemap.yaml" as oscodename %} +{%- import_yaml tplroot ~ "/modsecurity.yaml" as modsec %} -{%- set defaults = salt['grains.filter_by'](default_settings, - default='apache', - merge=salt['grains.filter_by'](modsec, grain='os_family', - merge=salt['grains.filter_by'](osfamilymap, grain='os_family', - merge=salt['grains.filter_by'](oscodenamemap, grain='oscodename', - merge=salt['grains.filter_by'](osfingermap, grain='osfinger', - merge=salt['pillar.get']('apache:lookup', default={}) +{#- Retrieve the config dict only once #} +{%- set _config = salt['config.get'](tplroot, default={}) %} + +{%- set defaults = salt['grains.filter_by']( + default_settings, + default=tplroot, + merge=salt['grains.filter_by']( + osarchmap, + grain='osarch', + merge=salt['grains.filter_by']( + osfamilymap, + grain='os_family', + merge=salt['grains.filter_by']( + osmap, + grain='os', + merge=salt['grains.filter_by']( + oscodename, + grain='oscodename', + merge=salt['grains.filter_by']( + osfingermap, + grain='osfinger', + merge=salt['grains.filter_by']( + modsec, + grain='os_family', + merge=salt['grains.filter_by']( + _config, + default='lookup' + ) + ) + ) + ) ) ) ) ) -) %} +%} + +{%- set config = salt['grains.filter_by']( 
+ {'defaults': defaults}, + default='defaults', + merge=_config + ) +%} + +{%- set apache = config %} + +{#- Post-processing for specific non-YAML customisations #} +{%- if grains.os_family == 'MacOS' %} +{%- set rootuser = salt['cmd.run']("stat -f '%Su' /dev/console") %} +{%- set rootgroup = salt['cmd.run']("stat -f '%Sg' /dev/console") %} +{%- do apache.update({'rootuser': rootgroup}) %} +{%- do apache.update({'rootgroup': rootgroup}) %} +{%- elif grains.os_family == 'Windows' %} +{%- set rootuser = salt['cmd.run']("id -un") %} +{%- do apache.update({'rootuser': rootuser}) %} +{%- endif %} -{#- Merge the apache pillar #} -{%- set apache = salt['pillar.get']('apache', default=defaults, merge=True) %} +{# legacy pillar support #} +{%- if 'server' in apache.lookup and apache.lookup.server is string %} + {%- do apache.pkg.update({'name': apache.server}) %} +{%- endif %} +{%- if 'service' in apache.lookup and apache.lookup.service is string %} + {%- do apache.service.update({'name': apache.service}) %} +{%- endif %} +{%- if 'configfile' in apache and apache.configfile is string %} + {%- do apache.update({'config': apache.configfile}) %} +{%- endif %} diff --git a/apache/mod_actions.sls b/apache/mod_actions.sls deleted file mode 100644 index 2cf27031..00000000 --- a/apache/mod_actions.sls +++ /dev/null @@ -1,19 +0,0 @@ -{% if grains['os_family']=="Debian" %} - -include: - - apache - -a2enmod actions: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/actions.load - - order: 255 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_cgi.sls b/apache/mod_cgi.sls deleted file mode 100644 index 223b0939..00000000 --- a/apache/mod_cgi.sls +++ /dev/null 
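Review bot: In the MacOS branch `{%- do apache.update({'rootuser': rootgroup}) %}` stores the group name under `rootuser` — `rootuser` is computed two lines earlier and then never used — so any file state taking `user: {{ apache.rootuser }}` on macOS gets a group name as owner and fails, or succeeds only when the two names coincide. It should read `{%- do apache.update({'rootuser': rootuser}) %}`. Two smaller points: both branches shell out via `salt['cmd.run']` at render time, so this executes on every render of every state that imports the map (and `id -un` on a Windows minion only works with a POSIX toolchain on PATH), which deserves a comment or a grains-based lookup; and the legacy block tests `apache.lookup.server` but reads `apache.server`, which only works because the inner `filter_by` merges the `lookup` key into the top level — a one-line comment saying so would save the next reader a trip.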
@@ -1,22 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{% if grains['os_family']=="FreeBSD" %} - -{{ apache.modulesdir }}/040_mod_cgi.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_cgi.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_dav_svn.sls b/apache/mod_dav_svn.sls deleted file mode 100644 index e65a6502..00000000 --- a/apache/mod_dav_svn.sls +++ /dev/null @@ -1,38 +0,0 @@ -{% if grains['os_family'] == "Debian" %} - -include: - - apache - -libapache2-mod-svn: - pkg.installed: [] - - -a2enmod dav_svn: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/dav_svn.load - - order: 255 - - require: - - pkg: apache - - pkg: libapache2-mod-svn - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -a2enmod authz_svn: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/authz_svn.load - - order: 255 - - require: - - pkg: apache - - pkg: libapache2-mod-svn - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_fastcgi.sls b/apache/mod_fastcgi.sls deleted file mode 100644 index 196e3b09..00000000 --- a/apache/mod_fastcgi.sls +++ /dev/null 
@@ -1,43 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - - apache.mod_actions - -{% if grains['os_family']=="Debian" %} -mod-fastcgi: - pkg.installed: - - name: {{ apache.mod_fastcgi }} - - order: 180 - - require: - - pkgrepo: repo-fastcgi - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -repo-fastcgi: - pkgrepo.managed: - - name: "deb http://ftp.us.debian.org/debian {{ grains['oscodename'] }}" - - file: /etc/apt/sources.list.d/non-free.list - - onlyif: grep Debian /proc/version >/dev/null 2>&1 - - comps: non-free - -a2enmod fastcgi: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/fastcgi.load - - order: 225 - - require: - - pkg: mod-fastcgi - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} - diff --git a/apache/mod_fcgid.sls b/apache/mod_fcgid.sls deleted file mode 100644 index 485aa160..00000000 --- a/apache/mod_fcgid.sls +++ /dev/null @@ -1,28 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -mod-fcgid: - pkg.installed: - - name: {{ apache.mod_fcgid }} - - order: 180 - - require: - - pkg: apache - -{% if grains['os_family']=="Debian" %} -a2enmod fcgid for apache.mod_fcgid: - cmd.run: - - name: a2enmod fcgid - - order: 225 - - unless: ls /etc/apache2/mods-enabled/fcgid.load - - require: - - pkg: mod-fcgid - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_geoip.sls b/apache/mod_geoip.sls deleted file mode 100644 index 4adba670..00000000 --- a/apache/mod_geoip.sls +++ /dev/null 
@@ -1,43 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -{% if 'mod_geoip' in apache %} - -include: - - apache - -mod-geoip: - pkg.installed: - - pkgs: - - {{ apache.mod_geoip }} - - {{ apache.mod_geoip_database }} - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - -{% if grains['os_family']=="RedHat" %} -geoip conf: - file.managed: - - name: {{ apache.confdir }}/geoip.conf - - user: root - - group: root - - mode: 644 - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/geoip.conf - -geoip database: - file.managed: - - name: /usr/share/GeoIP/GeoIP.dat - - user: root - - group: root - - mode: 644 - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/GeoIP.dat - -{% endif %} -{% endif %} diff --git a/apache/mod_headers.sls b/apache/mod_headers.sls deleted file mode 100644 index a13875ed..00000000 --- a/apache/mod_headers.sls +++ /dev/null @@ -1,19 +0,0 @@ -{% if grains['os_family']=="Debian" %} - -include: - - apache - -a2enmod headers: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/headers.load - - order: 255 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_mpm.sls b/apache/mod_mpm.sls deleted file mode 100644 index 0c69e888..00000000 --- a/apache/mod_mpm.sls +++ /dev/null 
@@ -1,73 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} -{% set mpm_module = salt['pillar.get']('apache:mpm:module', 'mpm_prefork') %} - -{% if grains['os_family']=="Debian" %} - -include: - - apache - -a2enmod {{ mpm_module }}: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/{{ mpm_module }}.load - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - file.managed: - - name: /etc/apache2/mods-available/{{ mpm_module }}.conf - - template: jinja - - source: - - salt://apache/files/Debian/mpm/{{ mpm_module }}.conf.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -# Deactivate the other mpm modules as a previous step -{% for mod in ['mpm_prefork', 'mpm_worker', 'mpm_event'] if not mod == mpm_module %} -a2dismod {{ mod }}: - cmd.run: - - onlyif: test -e /etc/apache2/mods-enabled/{{ mod }}.load - - require: - - pkg: apache - - require_in: - - cmd: a2enmod {{ mpm_module }} - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endfor %} - -{% endif %} - -{% if grains['os_family']=="RedHat" %} - -include: - - apache - -{{ apache.moddir }}/00-mpm-conf.conf: - file.managed: - - name: {{ apache.moddir }}/00-mpm.conf - - template: jinja - - source: - - salt://apache/files/RedHat/conf.modules.d/00-mpm.conf.jinja - - require: - - pkg: httpd - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_pagespeed.sls b/apache/mod_pagespeed.sls deleted file mode 100644 index bc76f8ea..00000000 --- a/apache/mod_pagespeed.sls +++ /dev/null 
@@ -1,58 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -libapache2-mod-pagespeed: - pkg: - - installed - - sources: - - mod-pagespeed-stable: {{ apache.mod_pagespeed_source }} - -{% if grains['os_family']=="Debian" %} -a2enmod pagespeed: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/pagespeed.load - - order: 255 - - require: - - pkg: libapache2-mod-pagespeed - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% for dir in ['/var/cache/mod_pagespeed', '/var/log/pagespeed'] %} -{{ dir }}: - file: - - directory - - makedirs: true - - user: {{ apache.user }} - - group: {{ apache.group }} - - require: - - pkg: libapache2-mod-pagespeed - - user: {{ apache.user }} - - group: {{ apache.group }} -{% endfor %} - -# Here we hardcode a logrotate entry to take care of the logs -/etc/logrotate.d/pagespeed: - file: - - managed - - contents: | - /var/log/pagespeed/*.log { - weekly - missingok - rotate 52 - compress - delaycompress - notifempty - sharedscripts - postrotate - if /etc/init.d/apache2 status > /dev/null ; then \ - /etc/init.d/apache2 reload > /dev/null; \ - fi; - endscript - } -{% endif %} diff --git a/apache/mod_perl2.sls b/apache/mod_perl2.sls deleted file mode 100644 index 99135401..00000000 --- a/apache/mod_perl2.sls +++ /dev/null 
@@ -1,49 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -mod-perl2: - pkg.installed: - - name: {{ apache.mod_perl2 }} - - order: 180 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if grains['os_family']=="Debian" %} -a2enmod perl: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/perl.load - - order: 225 - - require: - - pkg: mod-perl2 - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% elif grains['os_family']=="FreeBSD" %} - -{{ apache.modulesdir }}/260_mod_perl.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_perl.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_php5.sls b/apache/mod_php5.sls deleted file mode 100644 index 21621015..00000000 --- a/apache/mod_php5.sls +++ /dev/null 
@@ -1,67 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -mod-php5: - pkg.installed: - - name: {{ apache.mod_php5 }} - - order: 180 - - require: - - pkg: apache - -{% if grains['os_family']=="Debian" %} -a2enmod php5: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/php5.load - - order: 225 - - require: - - pkg: mod-php5 - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if 'apache' in pillar and 'php-ini' in pillar['apache'] %} -/etc/php5/apache2/php.ini: - file.managed: - - source: {{ pillar['apache']['php-ini'] }} - - order: 225 - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - require: - - pkg: apache - - pkg: mod-php5 -{% endif %} - -{% elif grains['os_family']=="FreeBSD" %} - -{{ apache.modulesdir }}/050_mod_php5.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_php5.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} - -{% if grains['os_family']=="Suse" or salt['grains.get']('os') == 'SUSE' %} -/etc/sysconfig/apache2: - file.replace: - - unless: grep '^APACHE_MODULES=.*php5' /etc/sysconfig/apache2 - - pattern: '^APACHE_MODULES=(.*)"' - - repl: 'APACHE_MODULES=\1 php5"' -{% endif %} diff --git a/apache/mod_proxy.sls b/apache/mod_proxy.sls deleted file mode 100644 index 14c30889..00000000 --- a/apache/mod_proxy.sls +++ /dev/null 
@@ -1,36 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{% if grains['os_family']=="Debian" %} -a2enmod mod_proxy: - cmd.run: - - name: a2enmod proxy - - unless: ls /etc/apache2/mods-enabled/proxy.load - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% elif grains['os_family']=="FreeBSD" %} -{{ apache.modulesdir }}/040_mod_proxy.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_proxy_fcgi.sls b/apache/mod_proxy_fcgi.sls deleted file mode 100644 index c36eec39..00000000 --- a/apache/mod_proxy_fcgi.sls +++ /dev/null @@ -1,21 +0,0 @@ -{% if grains['os_family']=="Debian" %} - -include: - - apache - - apache.mod_proxy - -a2enmod proxy_fcgi: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/proxy_fcgi.load - - order: 225 - - require: - - pkg: apache - - cmd: a2enmod proxy - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_proxy_http.sls b/apache/mod_proxy_http.sls deleted file mode 100644 index f251a73f..00000000 --- a/apache/mod_proxy_http.sls +++ /dev/null 
@@ -1,38 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - - apache.mod_proxy - -{% if grains['os_family']=="Debian" %} - -a2enmod proxy_http: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/proxy_http.load - - order: 225 - - require: - - pkg: apache - - cmd: a2enmod proxy - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% elif grains['os_family']=="FreeBSD" %} -{{ apache.modulesdir }}/040_mod_proxy_http.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy_http.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_remoteip.sls b/apache/mod_remoteip.sls deleted file mode 100644 index 986deea0..00000000 --- a/apache/mod_remoteip.sls +++ /dev/null 
@@ -1,68 +0,0 @@ -{% if grains['os_family']=="Debian" %} - -include: - - apache - -a2enmod remoteip: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/remoteip.load - - order: 255 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -a2enconf remoteip: - cmd.run: - - unless: ls /etc/apache2/conf-enabled/remoteip.conf - - order: 255 - - require: - - pkg: apache - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -/etc/apache2/conf-available/remoteip.conf: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/conf-available/remoteip.conf.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - cmd: a2enconf remoteip -{% endif %} - - -{% if grains['os_family']=="RedHat" %} - -include: - - apache - -/etc/httpd/conf.d/remoteip.conf: - file.managed: - - template: jinja - - source: - - salt://apache/files/{{ salt['grains.get']('os_family') }}/conf.modules.d/remoteip.conf.jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_rewrite.sls b/apache/mod_rewrite.sls deleted file mode 100644 index 39cb60cd..00000000 --- a/apache/mod_rewrite.sls +++ /dev/null 
@@ -1,36 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{% if grains['os_family']=="Debian" %} -a2enmod rewrite: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/rewrite.load - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% elif grains['os_family']=="FreeBSD" %} - -{{ apache.modulesdir }}/040_mod_rewrite.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_rewrite.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_security/init.sls b/apache/mod_security/init.sls deleted file mode 100644 index 7eecad5b..00000000 --- a/apache/mod_security/init.sls +++ /dev/null 
@@ -1,66 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -mod-security: - pkg.installed: - - name: {{ apache.mod_security.package }} - - order: 180 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if apache.mod_security.crs_install %} -mod-security-crs: - pkg.installed: - - name: {{ apache.mod_security.crs_package }} - - order: 180 - - require: - - pkg: mod-security - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} - -{% if apache.mod_security.manage_config %} -mod-security-main-config: - file.managed: - - name: {{ apache.mod_security.config_file }} - - order: 220 - - template: jinja - - source: - - {{ 'salt://apache/files/' ~ salt['grains.get']('os_family') ~ '/modsecurity.conf.jinja' }} - - context: {{ apache.mod_security }} - - require: - - pkg: mod-security - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} - -{% if grains['os_family']=="Debian" %} -a2enmod security2: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/security2.load && ls /etc/apache2/mods-enabled/security2.conf - - order: 225 - - require: - - pkg: mod-security - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} diff --git a/apache/mod_socache_shmcb.sls b/apache/mod_socache_shmcb.sls deleted file mode 100644 index 95fb7101..00000000 --- a/apache/mod_socache_shmcb.sls +++ /dev/null 
@@ -1,24 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -{% if grains['os_family']=="FreeBSD" %} - -include: - - apache - -{{ apache.modulesdir }}/009_mod_socache_shmcb.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/generic_module.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - - context: - module_name: socache_shmcb - -{% endif %} diff --git a/apache/mod_ssl.sls b/apache/mod_ssl.sls deleted file mode 100644 index ea43a602..00000000 --- a/apache/mod_ssl.sls +++ /dev/null 
@@ -1,115 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -{% if grains['os_family']=="Debian" %} - -include: - - apache - -a2enmod mod_ssl: - cmd.run: - - name: a2enmod ssl - - unless: ls /etc/apache2/mods-enabled/ssl.load - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -/etc/apache2/mods-available/ssl.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/ssl.conf.jinja - - template: jinja - - mode: 644 - - watch_in: - - module: apache-restart - -{% elif grains['os_family']=="RedHat" %} - -mod_ssl: - pkg.installed: - - name: {{ apache.mod_ssl_pkg }} - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{{ apache.confdir }}/ssl.conf: - file.absent: - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% elif grains['os_family']=="FreeBSD" %} - -include: - - apache - - apache.mod_socache_shmcb - -{{ apache.modulesdir }}/010_mod_ssl.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_ssl.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} - -{{ apache.confdir }}/tls-defaults.conf: -{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %} - file.managed: - - source: salt://apache/files/tls-defaults.conf.jinja - - mode: 644 - - template: jinja -{% else %} - file.absent: -{% endif %} - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if 
grains['os_family']=="Debian" %} -a2endisconf tls-defaults: - cmd.run: -{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %} - - name: a2enconf tls-defaults - - unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf -{% else %} - - name: a2disconf tls-defaults - - onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf -{% endif %} - - order: 225 - - require: - - pkg: apache - - file: {{ apache.confdir }}/tls-defaults.conf - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} diff --git a/apache/mod_suexec.sls b/apache/mod_suexec.sls deleted file mode 100644 index b4742d78..00000000 --- a/apache/mod_suexec.sls +++ /dev/null @@ -1,22 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{% if grains['os_family']=="FreeBSD" %} - -{{ apache.modulesdir }}/040_mod_suexec.conf: - file.managed: - - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_suexec.conf.jinja - - mode: 644 - - template: jinja - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_upload_progress.sls b/apache/mod_upload_progress.sls deleted file mode 100644 index 78947ed7..00000000 --- a/apache/mod_upload_progress.sls +++ /dev/null @@ -1,22 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -{% if grains['os_family']=="Debian" %} -include: - - apache - -libapache2-mod-upload-progress: - pkg.installed - -a2enmod upload_progress: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/upload_progress.load - - order: 255 - - require: - - pkg: libapache2-mod-upload-progress - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} 
diff --git a/apache/mod_vhost_alias.sls b/apache/mod_vhost_alias.sls deleted file mode 100644 index c85a3919..00000000 --- a/apache/mod_vhost_alias.sls +++ /dev/null @@ -1,19 +0,0 @@ -{% if grains['os_family']=="Debian" %} - -include: - - apache - -a2enmod vhost_alias: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/vhost_alias.load - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/mod_wsgi.sls b/apache/mod_wsgi.sls deleted file mode 100644 index ca2ddafc..00000000 --- a/apache/mod_wsgi.sls +++ /dev/null @@ -1,31 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -mod_wsgi: - pkg.installed: - - name: {{ apache.mod_wsgi }} - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if 'conf_mod_wsgi' in apache %} -{{ apache.conf_mod_wsgi }}: - file.uncomment: - - regex: LoadModule - - onlyif: test -f {{ apache.conf_mod_wsgi }} - - require: - - pkg: mod_wsgi - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} diff --git a/apache/mod_xsendfile.sls b/apache/mod_xsendfile.sls deleted file mode 100644 index b03cadff..00000000 --- a/apache/mod_xsendfile.sls +++ /dev/null 
@@ -1,34 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -mod-xsendfile: - pkg.installed: - - name: {{ apache.mod_xsendfile }} - - order: 180 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if grains['os_family']=="Debian" %} -a2enmod xsendfile: - cmd.run: - - order: 225 - - unless: ls /etc/apache2/mods-enabled/xsendfile.load - - require: - - pkg: mod-xsendfile - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} - diff --git a/apache/modules.sls b/apache/modules.sls index 18985e54..b94abbe1 100644 --- a/apache/modules.sls +++ b/apache/modules.sls 
@@ -1,116 +1,6 @@ -{% if grains['os_family']=="Debian" %} +# -*- coding: utf-8 -*- +# vim: ft=sls include: - - apache -{%- set existing_states = salt['cp.list_states']() %} -{%- for module in salt['pillar.get']('apache:modules:enabled', []) %} -{%- set mod_state = 'apache.mod_{}'.format(module) %} -{%- if mod_state in existing_states %} - - {{ mod_state }} -{%- endif %} -{%- endfor %} - -{% for module in salt['pillar.get']('apache:modules:enabled', []) %} -{%- set mod_state = 'apache.mod_{}'.format(module) %} -{% if mod_state not in existing_states %} -a2enmod {{ module }}: - cmd.run: - - unless: ls /etc/apache2/mods-enabled/{{ module }}.load - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} -{% endfor %} - -{% for module in salt['pillar.get']('apache:modules:disabled', []) %} -a2dismod -f {{ module }}: - cmd.run: - - onlyif: ls /etc/apache2/mods-enabled/{{ module }}.load - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endfor %} - -{% elif grains['os_family']=="RedHat" %} - -include: - - apache - -{% for module in salt['pillar.get']('apache:modules:enabled', []) %} -find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;: - cmd.run: - - unless: httpd -M 2> /dev/null | grep "[[:space:]]{{ module }}_module" - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endfor %} - -{% for module in salt['pillar.get']('apache:modules:disabled', []) %} -find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;: - cmd.run: - - onlyif: httpd -M 2> /dev/null | grep "[[:space:]]{{ module 
}}_module" - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endfor %} - -{% elif salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %} - -include: - - apache - -{% for module in salt['pillar.get']('apache:modules:enabled', []) %} -a2enmod {{ module }}: - cmd.run: - - unless: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep {{ module }} - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endfor %} - -{% for module in salt['pillar.get']('apache:modules:disabled', []) %} -a2dismod -f {{ module }}: - cmd.run: - - onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep {{ module }} - - order: 225 - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endfor %} - -{% endif %} + - .config.modules # enable + # .config.modules.clean # disable diff --git a/apache/no_default_vhost.sls b/apache/no_default_vhost.sls deleted file mode 100644 index cab12df5..00000000 --- a/apache/no_default_vhost.sls +++ /dev/null @@ -1,20 +0,0 @@ -{% if grains['os_family']=="Debian" %} - -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -a2dissite 000-default.conf: - cmd.run: - - unless: test ! -f /etc/apache2/sites-enabled/000-default.conf - - require: - - pkg: apache - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% endif %} diff --git a/apache/osarchmap.yaml b/apache/osarchmap.yaml new file mode 100644 index 00000000..ab3bc1f4 --- /dev/null +++ b/apache/osarchmap.yaml 
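Review bot: The rewritten modules.sls includes only `.config.modules` and leaves `# .config.modules.clean # disable` as a commented-out list item, which reads as a manual toggle a user is expected to flip by editing the formula; the removed loops were driven by the `apache:modules:enabled` and `apache:modules:disabled` pillar keys, and whether `.config.modules` still honours those keys is not visible in this hunk. Replacing the trailing `# enable` / `# disable` comments with one line above `include:` that names the pillar keys which now select modules to enable and to disable, and states that `.config.modules.clean` is the removal state, would stop users from assuming the old keys silently stopped working or from editing this file to disable modules.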
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['osarch'] based logic.
+# You just need to add the key:values for an `osarch` that differ
+# from `defaults.yaml`.
+# Only add an `osarch` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `osarch` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osarch: {}
+---
+amd64:
+ arch: amd64
+
+x86_64:
+ arch: amd64
+
+386:
+ arch: 386
+
+arm64:
+ arch: arm64
+
+armv6l:
+ arch: armv6l
+
+armv7l:
+ arch: armv7l
+
+ppc64le:
+ arch: ppc64le
+
+s390x:
+ arch: s390x
diff --git a/apache/oscodenamemap.yaml b/apache/oscodenamemap.yaml
index 690abe4f..7b14c2ae 100644
--- a/apache/oscodenamemap.yaml
+++ b/apache/oscodenamemap.yaml
@@ -1,6 +1,21 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
+#
+# Setup variables using grains['osfinger'] based logic.
+# You just need to add the key:values for an `osfinger` that differ
+# from `defaults.yaml` + `osarch.yaml` + `os_family.yaml` + `osmap.yaml`.
+# Only add an `osfinger` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os_finger` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# oscodenamemap: {}
+
 ---
+Default:
+ confext: .conf
+ default_site: 000-default.conf
+ default_site_ssl: default-ssl.conf
+
 trusty:
  confext: .conf
  default_site: 000-default.conf
@@ -58,3 +73,7 @@ buster:
  confext: .conf
  default_site: 000-default.conf
  default_site_ssl: default-ssl.conf
+
+openSUSE Leap 42.3:
+ version: 2.2
+ group: www
diff --git a/apache/osfamilymap.yaml b/apache/osfamilymap.yaml
index 9a176c48..779f055c 100644
--- a/apache/osfamilymap.yaml
+++ b/apache/osfamilymap.yaml
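Review bot: The mapping key `386:` in the new osarchmap.yaml is an unquoted all-digit scalar, so a YAML loader turns it into the integer 386 while the `osarch` grain it is matched against is a string; the lookup would then fall through to the empty default on 32-bit hosts. Quote both sides so they compare as strings, `"386":` and `arch: "386"`. Every other key in the file is alphabetic and unaffected.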
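Review bot: The header comment added to oscodenamemap.yaml cites `osarch.yaml` and `os_family.yaml`, but the files this diff creates and edits are `apache/osarchmap.yaml` and `apache/osfamilymap.yaml`, and no `osmap.yaml` appears in the diff, so a reader following the comment will look for files that do not exist under those names; the same `osarch.yaml` reference appears in the osfamilymap.yaml header hunk. The comment also switches from `osfinger` to `os_finger` for the same grain two lines later. Suggest spelling the file names as `osarchmap.yaml` and `osfamilymap.yaml` in the "from" line and using `osfinger` consistently.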
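Review bot: `version: 2.2` in the new `openSUSE Leap 42.3` entry is an unquoted float, so the loaded value is the number 2.2 rather than the string "2.2"; any string comparison or concatenation against it in map.jinja or a template behaves differently from a quoted value, and a future `2.10` would silently load as `2.1`. Quote it, `version: '2.2'`. The consumer of this key is not visible in the diff, so if it is deliberately numeric a short comment saying so would settle the question.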
@@ -1,18 +1,36 @@ # -*- coding: utf-8 -*- # vim: ft=yaml +# +# Setup variables using grains['os_family'] based logic. +# You just need to add the key:values for an `os_family` that differ +# from `defaults.yaml` + `osarch.yaml`. +# Only add an `os_family` which is/will be supported by the formula. +# +# If you do not need to provide defaults via the `os_family` grain, +# you will need to provide at least an empty dict in this file, e.g. +# osfamilymap: {} --- Debian: - server: apache2 - service: apache2 + pkg: + name: apache2 + deps: + - libapache2-mod-security2 + - libapache2-mod-geoip + # libapache2-mod-fcgid + # libapache2-mod-upload-progress + service: + name: apache2 user: www-data group: www-data - configfile: /etc/apache2/apache2.conf + config: /etc/apache2/apache2.conf portsfile: /etc/apache2/ports.conf mod_wsgi: libapache2-mod-wsgi mod_php5: libapache2-mod-php5 mod_perl2: libapache2-mod-perl2 mod_fcgid: libapache2-mod-fcgid + mod_upload_progress: libapache2-mod-upload-progress + mod_pagespeed: mod-pagespeed-stable # yamllint disable-line rule:line-length mod_pagespeed_source: https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb mod_xsendfile: libapache2-mod-xsendfile @@ -22,19 +40,29 @@ Debian: vhostdir: /etc/apache2/sites-available confdir: /etc/apache2/conf-available + modulesdir: /usr/lib64/apache2/modules confext: .conf default_site: default default_site_ssl: default-ssl logdir: /var/log/apache2 logrotatedir: /etc/logrotate.d/apache2 wwwdir: /srv + moddir: /etc/apache2/mods-available + sitesdir: /etc/apache2/sites-enabled RedHat: - server: httpd - service: httpd + pkg: + name: httpd + deps: + - mod_ssl + - mod_security + - mod_geoip + - GeoIP + service: + name: httpd user: apache group: apache - configfile: /etc/httpd/conf/httpd.conf + config: /etc/httpd/conf/httpd.conf mod_ssl_pkg: mod_ssl mod_wsgi: mod_wsgi 
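Review bot: Under `Debian:` the new `pkg.deps` list installs `libapache2-mod-security2` and `libapache2-mod-geoip` on every Debian host, and the `RedHat:` block in the next hunk does the same with `mod_ssl`, `mod_security`, `mod_geoip` and `GeoIP`; the deleted `apache/mod_security/init.sls` and `apache/mod_geoip.sls` installed those packages only when their state was applied. If the wider default footprint is intended, a comment above `deps:` saying these packages are installed unconditionally would help; otherwise the security and geoip packages belong behind a pillar toggle so a plain web host does not carry modules it never loads. The two commented-out items `# libapache2-mod-fcgid` and `# libapache2-mod-upload-progress` inside the sequence read as a to-do rather than documentation and could move into a comment above the list. How `pkg.deps` is consumed is not in this diff, so the install behaviour is inferred from the key name.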
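Review bot: `modulesdir: /usr/lib64/apache2/modules` added under `Debian:` looks wrong for that family; Debian's apache2 packages place modules under `/usr/lib/apache2/modules`, and Debian has no `lib64` library tree beyond the loader compatibility link, so anything built from this key would point at a directory that does not exist. Suggest `modulesdir: /usr/lib/apache2/modules` unless a derivative actually ships it under lib64, in which case a comment naming that case would avoid the same question later. The `RedHat:` and `Gentoo:` lib64 paths in the following hunks are consistent with those distributions and are not affected.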
@@ -48,6 +76,7 @@ RedHat: vhostdir: /etc/httpd/vhosts.d confdir: /etc/httpd/conf.d + modulesdir: /usr/lib64/httpd/modules confext: .conf default_site: default default_site_ssl: default-ssl 
@@ -57,51 +86,108 @@ RedHat: default_charset: UTF-8 use_require: false moddir: /etc/httpd/conf.modules.d + sitesdir: /etc/httpd/sites-enabled + +Suse: + pkg: + name: apache2 + deps: + - apache2-mod_security2 + service: + name: apache2 + user: wwwrun + group: wwwrun + config: /etc/apache2/httpd.conf + portsfile: /etc/apache2/ports.conf + + mod_wsgi: apache2-mod_wsgi + mod_php5: apache2-mod_php5 + mod_fcgid: apache2-mod_fcgid + mod_perl2: apache2-mod_perl + mod_upload_progress: apache2-mod_upload_progress + mod_pagespeed: apache2-mod_pagespeed + mod_geoip: apache2-mod_geoip + mod_geoip_database: GeoIP-data + + vhostdir: /etc/apache2/sites-available + confdir: /etc/apache2/conf.d + modulesdir: /usr/lib64/apache2/modules + confext: .conf + default_site: vhost.template + default_site_ssl: vhost-ssl.template + logdir: /var/log/apache2 + logrotatedir: /etc/logrotate.d/apache2 + wwwdir: /srv/www + moddir: /etc/apache2/mods-enabled + sitesdir: /etc/apache2/sites-enabled Gentoo: - server: www-servers/apache - service: apache2 + pkg: + name: www-servers/apache + service: + name: apache2 user: apache group: apache - configfile: /etc/apache2/httpd.conf + config: /etc/apache2/httpd.conf mod_wsgi: www-apache/mod_wsgi mod_fcgid: www-apache/mod_fcgid vhostdir: /etc/apache2/vhosts.d confdir: /etc/conf.d/apache2 + modulesdir: /usr/lib64/apache2/modules confext: .conf default_site: default default_site_ssl: default-ssl logdir: /var/log/apache2 logrotatedir: /etc/logrotate.d/apache2 wwwdir: /var/www + moddir: /etc/apache2/mods-enabled + sitesdir: /etc/apache2/sites-enabled -Suse: - server: apache2 - service: apache2 - user: wwwrun - group: wwwrun - configfile: /etc/apache2/httpd.conf +Arch: + pkg: + name: apache + deps: + - geoip + - libxml2 + service: + name: httpd + service_state: skip + user: http + group: http + config: /etc/httpd/conf/httpd.conf - mod_wsgi: apache2-mod_wsgi - mod_php5: apache2-mod_php5 - mod_fcgid: apache2-mod_fcgid + mod_wsgi: mod_wsgi + mod_security: + package: 
libmodsecurity + mod_geoip: null + mod_geoip_database: geoip-database - vhostdir: /etc/apache2/vhosts.d - confdir: /etc/apache2/conf.d + vhostdir: /etc/httpd/conf/vhosts + confdir: /etc/httpd/conf/extra + davlockdbdir: /etc/httpd/var/DavLock + modulesdir: /usr/lib/httpd/modules confext: .conf - default_site: vhost.template - default_site_ssl: vhost-ssl.template - logdir: /var/log/apache2 - wwwdir: /srv/www + logdir: /var/log/httpd + logrotatedir: /etc/logrotate.d/httpd + wwwdir: /srv/http + default_site: default + default_site_ssl: default-ssl + moddir: /etc/httpd/conf.modules.d + sitesdir: /etc/httpd/sites-enabled + +Alpine: {} FreeBSD: - server: apache24 - service: apache24 + pkg: + name: apache24 + rootgroup: wheel + service: + name: apache24 user: www group: www - configfile: /usr/local/etc/apache24/httpd.conf + config: /usr/local/etc/apache24/httpd.conf portsfile: /usr/local/etc/apache24/ports.conf mod_php5: mod_php56 @@ -119,20 +205,15 @@ FreeBSD: logdir: /var/log/ wwwdir: /usr/local/www/apache24/ -Arch: - server: apache - service: httpd - user: http - group: http - configfile: /etc/httpd/conf/httpd.conf +OpenBSD: + rootgroup: wheel - mod_wsgi: mod_wsgi +Solaris: {} - vhostdir: /etc/httpd/conf/vhosts - confdir: /etc/httpd/conf/extra - modulesdir: /usr/lib/httpd/modules - confext: .conf - logdir: /var/log/httpd - wwwdir: /srv/http - default_site: default - default_site_ssl: default-ssl +Windows: + pkg: + name: apache-httpd + service: + name: apache + +MacOS: {} diff --git a/apache/osfingermap.yaml b/apache/osfingermap.yaml index ce48e8cf..732a17c4 100644 --- a/apache/osfingermap.yaml +++ b/apache/osfingermap.yaml 
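Review bot: The Arch entry is the only one in this hunk where a `mod_*` key holds a mapping (`mod_security:` with `package: libmodsecurity`) rather than a package-name string, and `mod_geoip: null` adds a third shape; a consumer that interpolates `apache.mod_security` into a `pkg.installed` name gets a dict on Arch and a string everywhere else. Either flatten it to `mod_security: libmodsecurity` or state in the file header that per-module keys may be mappings with a `package` field, so every reader of the map handles both forms. The flattened hunk also leaves it unclear whether FreeBSD's `rootgroup: wheel` sits under `pkg:` or at the top level as OpenBSD's does in the next hunk; the two should presumably agree, since a single lookup path in map.jinja cannot serve both placements.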
@@ -1,26 +1,97 @@ # -*- coding: utf-8 -*- # vim: ft=yaml +# +# Setup variables using grains['osfinger'] based logic. +# You just need to add the key:values for an `osfinger` that differ +# from `defaults.yaml` + `osarch.yaml` + `os_family.yaml` + `osmap.yaml`. +# Only add an `osfinger` which is/will be supported by the formula. +# +# If you do not need to provide defaults via the `os_finger` grain, +# you will need to provide at least an empty dict in this file, e.g. +# osfingermap: {} --- default: version: '2.4' -Ubuntu-12.04: + +# Suse +Leap-42: version: '2.2' + +# os: el Red Hat Enterprise Linux Server-6: version: '2.2' + service_state: skip + pkg: + deps: + - epel-release + - mod_ssl + - mod_security + - mod_geoip Red Hat Enterprise Linux Server-7: version: '2.4' -CentOS-6: +Oracle Linux Server-6: + version: '2.2' +Oracle Linux Server-7: + version: '2.4' + +# Debian-10: {} +# Debian-9: {} +# Debian-8: {} + +Ubuntu-12.04: version: '2.2' +# Ubuntu-16.04: {} +# Ubuntu-18.04: {} + +# Fedora-31: {} +# Fedora-30: {} + +CentOS Linux-8: + version: '2.4' + pkg: + deps: + - epel-release + - mod_ssl + - mod_security + - GeoIP + # mod_geoip + CentOS Linux-7: version: '2.4' conf_mod_wsgi: '/etc/httpd/conf.modules.d/10-wsgi.conf' -Oracle Linux Server-6: + pkg: + deps: + - epel-release + - mod_ssl + - mod_security + - GeoIP + - mod_geoip +CentOS-6: version: '2.2' -Oracle Linux Server-7: - version: '2.4' + service_state: skip # necessary for cent6 + pkg: + deps: + - epel-release + - mod_ssl + - mod_security + - mod_geoip + Amazon Linux AMI-2014: version: '2.2' Amazon Linux AMI-2015: version: '2.2' Amazon Linux AMI-2016: version: '2.2' +Amazon Linux-2: + version: '2.4' + pkg: + deps: + # mod_ssl + - mod_security + - GeoIP + +# Amazon Linux AMI-2018: {} +# Leap-15: {} +# FreeBSD-12: {} +# Windows-8.1: {} +# Gentoo-2: {} diff --git a/apache/osmap.yaml b/apache/osmap.yaml new file mode 100644 index 00000000..d2afcc5d --- /dev/null +++ b/apache/osmap.yaml 
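Review bot: The new `pkg.deps` lists for `CentOS Linux-8`, `CentOS Linux-7`, `CentOS-6` and `Red Hat Enterprise Linux Server-6` mix `epel-release` with packages that on some EL releases are only served from EPEL (for example `mod_geoip`), and `install.sls` hands the list to `pkg.installed` via `names`; Salt expands `names` into separate states in list order, so this only works while `epel-release` stays first, and nothing documents that constraint. A comment such as `# epel-release must stay first: packages below may only exist in EPEL`, or a dedicated state the others `require`, would make it explicit. Enabling a third-party repository as a formula default also widens the host's package trust boundary, so a pillar switch or at least a README note would let operators opt out. The `CentOS` entry in `osmap.yaml` in the next hunk carries the same list and the same ordering dependency.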
@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['os'] based logic.
+# You just need to add the key:values for an `os` that differ
+# from `defaults.yaml` + `osarch.yaml` + `os_family.yaml`.
+# Only add an `os` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osmap: {}
+---
+# os_family: Debian
+Ubuntu: {}
+Raspbian: {}
+
+# os_family: RedHat
+Fedora:
+ pkg:
+ deps:
+ - mod_ssl
+ - mod_security
+ - GeoIP
+ - mod_geoip
+CentOS:
+ pkg:
+ deps:
+ - epel-release
+ - mod_ssl
+ - mod_security
+ - GeoIP
+
+Amazon-2:
+ pkg:
+ deps:
+ - mod_ssl
+ - mod_security
+ - GeoIP
+ - mod_geoip
+
+# os_family: Suse
+SUSE: {}
+openSUSE: {}
+
+# os_family: Gentoo
+Funtoo: {}
+
+# os_family: Arch
+Manjaro: {}
+
+# os_family: Solaris
+SmartOS: {}
diff --git a/apache/own_default_vhost.sls b/apache/own_default_vhost.sls
deleted file mode 100644
index 37ee1b34..00000000
--- a/apache/own_default_vhost.sls
+++ /dev/null
@@ -1,21 +0,0 @@
-{% if grains['os_family']=="Debian" %}
-
-{% from "apache/map.jinja" import apache with context %}
-
-include:
- - apache
-
-apache_own-default-vhost:
- file.managed:
- - name: {{ apache.vhostdir }}/000-default.conf
- - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/sites-available/000-default.conf
- - require:
- - pkg: apache
- - watch_in:
- - module: apache-reload
- - require_in:
- - module: apache-restart
- - module: apache-reload
- - service: apache
-
-{% endif %}
diff --git a/apache/package/clean.sls b/apache/package/clean.sls
new file mode 100644
index 00000000..896614a2
--- /dev/null
+++ b/apache/package/clean.sls
@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_config_clean = tplroot ~ '.config.clean' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_config_clean }}
+
+apache-package-clean-pkg-removed:
+ {%- if grains.os_family == 'Windows' %}
+ chocolatey.uninstalled:
+ - name: {{ apache.pkg.name }}
+ {%- else %}
+ pkg.removed:
+ - names:
+ - {{ apache.pkg.name }}
+ - httpd-tools
+ {%- endif %}
+ - require:
+ - sls: {{ sls_config_clean }}
+ user.absent:
+ - name: {{ apache.user }}
+ group.absent:
+ - name: {{ apache.group }}
diff --git a/apache/package/init.sls b/apache/package/init.sls
new file mode 100644
index 00000000..d3e55181
--- /dev/null
+++ b/apache/package/init.sls
@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+ - .install
diff --git a/apache/package/install.sls b/apache/package/install.sls
new file mode 100644
index 00000000..54534283
--- /dev/null
+++ b/apache/package/install.sls
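Review bot: `user.absent` and `group.absent` on `apache.user`/`apache.group` remove the web-server account unconditionally, and on Debian that account is `www-data`, a base-system user shared by other packages such as php-fpm and nginx; deleting it can orphan files owned by that uid and break unrelated services, and because the two states sit outside the `if`/`else` they also run on the Windows branch. Consider guarding them with a pillar flag that defaults to off, or limiting them to accounts `install.sls` created itself. `- httpd-tools` is hard-coded for every family although it only exists on RedHat-derived systems; harmless with `pkg.removed`, but it belongs in the map's `pkg` data next to `deps` rather than in the state.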
@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+ {%- if 'deps' in apache.pkg and apache.pkg.deps and apache.pkg.deps is iterable and apache.pkg.deps is not string %}
+apache-package-install-deps-pkg-installed:
+ pkg.installed:
+ - names: {{ apache.pkg.deps|json }}
+ - require:
+ - apache-package-install-pkg-installed
+ {%- if grains.os_family == 'Debian' %}
+ cmd.run:
+ # because pkg.installed returns error during dpkg postinstall
+ - name: apt install libapache2-mod-security2 || true
+ {%- endif %}
+ {%- endif %}
+
+apache-package-install-pkg-installed:
+ {%- if grains.os_family == 'Windows' %}
+ service.dead:
+ - name: {{ apache.service.name }} # port 8080
+ chocolatey.installed:
+ - name: {{ apache.pkg.name }}
+ - force: True
+
+ {%- else %}
+
+ pkg.installed:
+ - name: {{ apache.pkg.name }}
+ group.present:
+ - name: {{ apache.group }}
+ - system: True
+ user.present:
+ - name: {{ apache.user }}
+ - gid: {{ apache.group }}
+ - system: True
+
+ {%- endif %}
diff --git a/apache/register_site.sls b/apache/register_site.sls
deleted file mode 100644
index 5bb93e70..00000000
--- a/apache/register_site.sls
+++ /dev/null
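Review bot: The Debian fallback `- name: apt install libapache2-mod-security2 || true` runs on every highstate, invokes `apt` without `-y` (which may prompt or abort when there is no TTY) and masks every failure with `|| true`, so a broken mod_security install is never surfaced; the package name is also hard-coded instead of taken from `apache.pkg.deps`. Prefer `- name: DEBIAN_FRONTEND=noninteractive apt-get install -y libapache2-mod-security2` together with `- unless: dpkg -s libapache2-mod-security2`, which makes the step idempotent and keeps its return code visible, and record the dpkg postinstall problem the comment alludes to in an issue so the workaround can be retired. On Windows, `chocolatey.installed` with `force: True` reinstalls the package on every run, bypassing the installed-version check and making the state non-idempotent.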
@@ -1,62 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} -{% if grains['os_family']=="Debian" %} - -{% if 'apache' in pillar and 'register-site' in pillar['apache'] %} #BEGIN: ['apache']['register-site'] -{% for site in pillar['apache']['register-site'] %} - -#BEGIN: Call apache a2ensite -########################################## -{% if 'name' in pillar['apache']['register-site'][site] and 'state' in pillar['apache']['register-site'][site] %} - -{% if pillar['apache']['register-site'][site]['state'] == 'enabled' %} -{% set a2modid = "a2ensite " ~ pillar['apache']['register-site'][site]['name'] ~ apache.confext %} -{% else %} -{% set a2modid = "a2dissite " ~ pillar['apache']['register-site'][site]['name'] ~ apache.confext %} -{% endif %} -{{ a2modid }}: - cmd.run: -{% if pillar['apache']['register-site'][site]['state'] == 'enabled' %} - - unless: test -f /etc/apache2/sites-enabled/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }} -{% else %} - - onlyif: test -f /etc/apache2/sites-enabled/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }} -{% endif %} - - order: 230 - - require: - - pkg: apache - - file: /etc/apache2/sites-available/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }} - -{% endif %} -########################################## - -#BEGIN: Manage apache site config -########################################## -{% if 'name' in pillar['apache']['register-site'][site] and 'path' in pillar['apache']['register-site'][site] %} - -/etc/apache2/sites-available/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}: - file.managed: - - source: {{ pillar['apache']['register-site'][site]['path'] }} - - order: 225 - - user: root - - group: root - - mode: 775 -{% if 'template' in pillar['apache']['register-site'][site] and 'defaults' in pillar['apache']['register-site'][site] %} - - template: jinja - - defaults: - {% for key, value in 
pillar['apache']['register-site'][site]['defaults'].items() %} - {{ key }}: {{ value }} - {% endfor %} -{% endif %} - - watch_in: - - cmd: {{ a2modid }} - - module: apache-reload - - require_in: - - module: apache-restart - - module; apache-reload - - service: apache - -{% endif %} -########################################## - -{% endfor %} -{% endif %} #END: apache-register-site -{% endif %} #END: grains['os_family'] == debian diff --git a/apache/server_status.sls b/apache/server_status.sls deleted file mode 100644 index df757cee..00000000 --- a/apache/server_status.sls +++ /dev/null @@ -1,36 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - - apache.config - -{{ apache.confdir }}/server-status{{ apache.confext }}: - file.managed: - - source: salt://apache/files/server-status.conf.jinja - - template: jinja - - context: - apache: {{ apache | json }} - - require: - - pkg: apache - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{%- if grains['os_family'] == "Debian" %} -a2enconf server-status: - cmd.run: - - unless: 'test -L /etc/apache2/conf-enabled/server-status.conf' - - order: 225 - - require: - - pkg: apache - - file: {{ apache.confdir }}/server-status.conf - - watch_in: - - module: apache-restart - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} diff --git a/apache/service/clean.sls b/apache/service/clean.sls new file mode 100644 index 00000000..ec508cef --- /dev/null +++ b/apache/service/clean.sls @@ -0,0 +1,13 @@ +# -*- coding: utf-8 -*- +# vim: ft=sls + +{#- Get the `tplroot` from `tpldir` #} +{%- set tplroot = tpldir.split('/')[0] %} +{%- from tplroot ~ "/map.jinja" import apache with context %} + +apache-service-clean-service-dead: + service.dead: + - name: {{ apache.service.name }} + - enable: False + file.absent: + - name: /var/lock/subsys/httpd 
diff --git a/apache/service/init.sls b/apache/service/init.sls
new file mode 100644
index 00000000..6fe4d1a3
--- /dev/null
+++ b/apache/service/init.sls
@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+ - .running
diff --git a/apache/service/running.sls b/apache/service/running.sls
new file mode 100644
index 00000000..07299777
--- /dev/null
+++ b/apache/service/running.sls
@@ -0,0 +1,64 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_config_file = tplroot ~ '.config.file' %}
+{%- set sls_config_registersite = tplroot ~ '.config.register_site' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+ - {{ sls_config_file }}
+ - {{ sls_config_registersite }}
+
+apache-service-running:
+ {%- if salt['pillar.get']('apache:manage_service_states', True) %}
+ {# By default run apache service states (unless pillar is false) #}
+ service.running:
+ - name: {{ apache.service.name }}
+ - enable: True
+ - watch:
+ - sls: {{ sls_config_file }}
+ - retry: {{ apache.retry_option|json }}
+ cmd.run:
+ - names:
+ - journalctl -xe -u {{ apache.service.name }} || tail -20 /var/log/messages || true
+ - (service {{ apache.service.name }} restart && service {{ apache.service.name }} status) || true
+ - cat {{ apache.config }}
+ - onfail:
+ - service: apache-service-running
+ {%- endif %}
+
+ {# The following states are by default inert and can be used #}
+ {# by other states to trigger a restart or reload as needed. #}
+
+apache-service-running-restart:
+ module.wait:
+ {%- if apache.service_state in ['running'] %}
+ - name: service.restart
+ - m_name: {{ apache.service.name }}
+ {%- else %}
+ - name: cmd.run
+ - cmd: {{ apache.custom_reload_command|default('apachectl graceful') }}
+ - python_shell: True
+ {%- endif %}
+ - watch:
+ - sls: {{ sls_config_file }}
+ - require:
+ - sls: {{ sls_config_file }}
+ - service: apache-service-running
+
+apache-service-running-reload:
+ module.wait:
+ {%- if apache.service_state in ['running'] %}
+ - name: service.reload
+ - m_name: {{ apache.service.name }}
+ {%- else %}
+ - name: cmd.run
+ - cmd: {{ apache.custom_reload_command|default('apachectl graceful') }}
+ - python_shell: True
+ {%- endif %}
+ - watch:
+ - sls: {{ sls_config_file }}
+ - require:
+ - sls: {{ sls_config_file }}
+ - service: apache-service-running
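Review bot: The `onfail` diagnostic under `apache-service-running` runs `cat {{ apache.config }}` and also restarts the service while collecting evidence; the full httpd configuration (which can carry auth-backend credentials, proxy settings or passphrase directives) is thereby copied into the job return and the master/minion logs, and the restart mutates the very state being diagnosed. Suggest replacing the `cat` with `- apachectl configtest || true`, which reports syntax problems without dumping the file, and dropping the `service ... restart` entry so the failure is left intact for inspection. `python_shell: True` is enabled for the fallback `custom_reload_command`, which comes from the map/pillar; a short comment such as `{# custom_reload_command is executed through a shell; only trusted pillar should set it #}` next to it would make that contract visible to the next maintainer.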
diff --git a/apache/uninstall.sls b/apache/uninstall.sls
deleted file mode 100644
index 65683f0e..00000000
--- a/apache/uninstall.sls
+++ /dev/null
@@ -1,11 +0,0 @@
-{% from "apache/map.jinja" import apache with context %}
-
-apache-uninstall:
- service.dead:
- - name: {{ apache.service }}
- - enable: False
- pkg.removed:
- - pkgs:
- - {{ apache.server }}
- - require:
- - service: apache-uninstall
diff --git a/apache/vhosts b/apache/vhosts
new file mode 120000
index 00000000..cddebdb5
--- /dev/null
+++ b/apache/vhosts
@@ -0,0 +1 @@
+config/vhosts
\ No newline at end of file
diff --git a/apache/vhosts/cleanup.sls b/apache/vhosts/cleanup.sls
deleted file mode 100644
index ea16d298..00000000
--- a/apache/vhosts/cleanup.sls
+++ /dev/null
@@ -1,43 +0,0 @@
-{% from "apache/map.jinja" import apache with context %}
-
-include:
- - apache
-
-{% if grains.os_family == 'Debian' %}
-
-{% set dirpath = '/etc/apache2/sites-enabled' %}
-
-{# Add . and .. to make it easier to not clean those #}
-{% set valid_sites = ['.', '..', ] %}
-
-{# Take sites from apache.vhosts.standard #}
-{% for id, site in salt['pillar.get']('apache:sites', {}).items() %}
-{% do valid_sites.append('{}{}'.format(id, apache.confext)) %}
-{% endfor %}
-
-{# Take sites from apache.register_site #}
-{% for id, site in salt['pillar.get']('apache:register-site', {}) %}
-{% do valid_sites.append('{}{}'.format(site.name, apache.confext)) %}
-{% endfor %}
-
-
-{% if salt['file.directory_exists'](dirpath) %}
-{% for filename in salt['file.readdir'](dirpath) %}
-{% if filename not in valid_sites %}
-
-a2dissite {{ filename }}:
- cmd.run:
- - onlyif: "test -L {{ dirpath }}/{{ filename }} || test -f {{ dirpath }}/{{ filename }}"
- - watch_in:
- - module: apache-reload
- - require_in:
- - module: apache-restart
- - module: apache-reload
- - service: apache
-
-{% endif %}
-{% endfor %}
-{% endif %}
-
-
-{% endif %}{# Debian #}
diff --git a/apache/vhosts/standard.sls b/apache/vhosts/standard.sls deleted file mode 100644 index 5ad967b7..00000000 --- a/apache/vhosts/standard.sls +++ /dev/null 
@@ -1,65 +0,0 @@ -{% from "apache/map.jinja" import apache with context %} - -include: - - apache - -{% for id, site in salt['pillar.get']('apache:sites', {}).items() %} -{% set documentroot = site.get('DocumentRoot', '{0}/{1}'.format(apache.wwwdir, site.get('ServerName', id))) %} - -apache_vhosts_{{ id }}: - file.managed: - - name: {{ apache.vhostdir }}/{{ id }}{{ apache.confext }} - - source: {{ site.get('template_file', 'salt://apache/vhosts/standard.tmpl') }} - - template: {{ site.get('template_engine', 'jinja') }} - - context: - id: {{ id|json }} - site: {{ site|json }} - map: {{ apache|json }} - - require: - - pkg: apache - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache - -{% if site.get('DocumentRoot') != False %} -{{ id }}-documentroot: - file.directory: - - name: {{ documentroot }} - - makedirs: True - - user: {{ site.get('DocumentRootUser', apache.get('document_root_user'))|json }} - - group: {{ site.get('DocumentRootGroup', apache.get('document_root_group'))|json }} - - allow_symlink: True -{% endif %} - -{% if grains.os_family == 'Debian' %} -{% if site.get('enabled', True) %} -a2ensite {{ id }}{{ apache.confext }}: - cmd.run: - - unless: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }} - - require: - - file: /etc/apache2/sites-available/{{ id }}{{ apache.confext }} - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% else %} -a2dissite {{ id }}{{ apache.confext }}: - cmd.run: - - onlyif: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }} - - require: - - file: /etc/apache2/sites-available/{{ id }}{{ apache.confext }} - - watch_in: - - module: apache-reload - - require_in: - - module: apache-restart - - module: apache-reload - - service: apache -{% endif %} -{% endif %} - -{% endfor %} 
diff --git a/docs/AUTHORS.rst b/docs/AUTHORS.rst deleted file mode 100644 index a8654155..00000000 --- a/docs/AUTHORS.rst +++ /dev/null 
@@ -1,266 +0,0 @@ -.. role:: raw-html-m2r(raw) - :format: html - - -Authors -======= - -This list is sorted by the number of commits per contributor in *descending* order. - -.. list-table:: - :header-rows: 1 - - * - Avatar - - Contributor - - Contributions - * - :raw-html-m2r:`@myii` - - `@myii `_ - - 59 - * - :raw-html-m2r:`@alxwr` - - `@alxwr `_ - - 40 - * - :raw-html-m2r:`@gravyboat` - - `@gravyboat `_ - - 36 - * - :raw-html-m2r:`@aboe76` - - `@aboe76 `_ - - 32 - * - :raw-html-m2r:`@whiteinge` - - `@whiteinge `_ - - 31 - * - :raw-html-m2r:`@javierbertoli` - - `@javierbertoli `_ - - 27 - * - :raw-html-m2r:`@nmadhok` - - `@nmadhok `_ - - 20 - * - :raw-html-m2r:`@puneetk` - - `@puneetk `_ - - 20 - * - :raw-html-m2r:`@noelmcloughlin` - - `@noelmcloughlin `_ - - 12 - * - :raw-html-m2r:`@techhat` - - `@techhat `_ - - 10 - * - :raw-html-m2r:`@ixs` - - `@ixs `_ - - 9 - * - :raw-html-m2r:`@landergate` - - `@landergate `_ - - 9 - * - :raw-html-m2r:`@bradthurber` - - `@bradthurber `_ - - 8 - * - :raw-html-m2r:`@babilen5` - - `@babilen5 `_ - - 8 - * - :raw-html-m2r:`@arthurlogilab` - - `@arthurlogilab `_ - - 7 - * - :raw-html-m2r:`@stp-ip` - - `@stp-ip `_ - - 7 - * - :raw-html-m2r:`@porunov` - - `@porunov `_ - - 7 - * - :raw-html-m2r:`@genuss` - - `@genuss `_ - - 6 - * - :raw-html-m2r:`@kadogo` - - `@kadogo `_ - - 6 - * - :raw-html-m2r:`@bmwiedemann` - - `@bmwiedemann `_ - - 5 - * - :raw-html-m2r:`@eliasp` - - `@eliasp `_ - - 5 - * - :raw-html-m2r:`@multani` - - `@multani `_ - - 5 - * - :raw-html-m2r:`@rhertzog` - - `@rhertzog `_ - - 4 - * - :raw-html-m2r:`@scambra` - - `@scambra `_ - - 4 - * - :raw-html-m2r:`@daschatten` - - `@daschatten `_ - - 4 - * - :raw-html-m2r:`@adherzog` - - `@adherzog `_ - - 3 - * - :raw-html-m2r:`@abrefort` - - `@abrefort `_ - - 3 - * - :raw-html-m2r:`@arnisoph` - - `@arnisoph `_ - - 3 - * - :raw-html-m2r:`@opdude` - - `@opdude `_ - - 3 - * - :raw-html-m2r:`@louis-haddrell` - - `@louis-haddrell `_ - - 3 - * - :raw-html-m2r:`@Wenzel` - - `@Wenzel 
`_ - - 3 - * - :raw-html-m2r:`@abednarik` - - `@abednarik `_ - - 3 - * - :raw-html-m2r:`@dexbleeker` - - `@dexbleeker `_ - - 3 - * - :raw-html-m2r:`@vincentfretin` - - `@vincentfretin `_ - - 3 - * - :raw-html-m2r:`@bogdanr` - - `@bogdanr `_ - - 2 - * - :raw-html-m2r:`@carlovollebregt` - - `@carlovollebregt `_ - - 2 - * - :raw-html-m2r:`@thornycrackers` - - `@thornycrackers `_ - - 2 - * - :raw-html-m2r:`@msciciel` - - `@msciciel `_ - - 2 - * - :raw-html-m2r:`@actionjack` - - `@actionjack `_ - - 2 - * - :raw-html-m2r:`@mosen` - - `@mosen `_ - - 2 - * - :raw-html-m2r:`@RyPeck` - - `@RyPeck `_ - - 2 - * - :raw-html-m2r:`@thatch45` - - `@thatch45 `_ - - 2 - * - :raw-html-m2r:`@tibberg` - - `@tibberg `_ - - 2 - * - :raw-html-m2r:`@emeygret` - - `@emeygret `_ - - 2 - * - :raw-html-m2r:`@artmoni` - - `@artmoni `_ - - 2 - * - :raw-html-m2r:`@alexfrosa` - - `@alexfrosa `_ - - 2 - * - :raw-html-m2r:`@jhops-ab` - - `@jhops-ab `_ - - 1 - * - :raw-html-m2r:`@isntall` - - `@isntall `_ - - 1 - * - :raw-html-m2r:`@benjy` - - `@benjy `_ - - 1 - * - :raw-html-m2r:`@iggy` - - `@iggy `_ - - 1 - * - :raw-html-m2r:`@chorne-togetherwork` - - `@chorne-togetherwork `_ - - 1 - * - :raw-html-m2r:`@corywright` - - `@corywright `_ - - 1 - * - :raw-html-m2r:`@ev0rtex` - - `@ev0rtex `_ - - 1 - * - :raw-html-m2r:`@dimitry-unified-streaming` - - `@dimitry-unified-streaming `_ - - 1 - * - :raw-html-m2r:`@fintanmm` - - `@fintanmm `_ - - 1 - * - :raw-html-m2r:`@fcrozat` - - `@fcrozat `_ - - 1 - * - :raw-html-m2r:`@SynPrime` - - `@SynPrime `_ - - 1 - * - :raw-html-m2r:`@jbouse` - - `@jbouse `_ - - 1 - * - :raw-html-m2r:`@jerrykan` - - `@jerrykan `_ - - 1 - * - :raw-html-m2r:`@jcristau` - - `@jcristau `_ - - 1 - * - :raw-html-m2r:`@kpostrup` - - `@kpostrup `_ - - 1 - * - :raw-html-m2r:`@morsik` - - `@morsik `_ - - 1 - * - :raw-html-m2r:`@madssj` - - `@madssj `_ - - 1 - * - :raw-html-m2r:`@mpeeters` - - `@mpeeters `_ - - 1 - * - :raw-html-m2r:`@xenophonf` - - `@xenophonf `_ - - 1 - * - 
:raw-html-m2r:`@mshade` - - `@mshade `_ - - 1 - * - :raw-html-m2r:`@fujexo` - - `@fujexo `_ - - 1 - * - :raw-html-m2r:`@rmoorman` - - `@rmoorman `_ - - 1 - * - :raw-html-m2r:`@robruma` - - `@robruma `_ - - 1 - * - :raw-html-m2r:`@doublerr` - - `@doublerr `_ - - 1 - * - :raw-html-m2r:`@netzvieh` - - `@netzvieh `_ - - 1 - * - :raw-html-m2r:`@skylerberg` - - `@skylerberg `_ - - 1 - * - :raw-html-m2r:`@wido` - - `@wido `_ - - 1 - * - :raw-html-m2r:`@Yoda-BZH` - - `@Yoda-BZH `_ - - 1 - * - :raw-html-m2r:`@abehling` - - `@abehling `_ - - 1 - * - :raw-html-m2r:`@ardin` - - `@ardin `_ - - 1 - * - :raw-html-m2r:`@mcarlton00` - - `@mcarlton00 `_ - - 1 - * - :raw-html-m2r:`@mschiff` - - `@mschiff `_ - - 1 - * - :raw-html-m2r:`@nigelsim` - - `@nigelsim `_ - - 1 - * - :raw-html-m2r:`@srse` - - `@srse `_ - - 1 - * - :raw-html-m2r:`@tsenay` - - `@tsenay `_ - - 1 - * - :raw-html-m2r:`@ze42` - - `@ze42 `_ - - 1 - - ----- - -Auto-generated by a `forked version `_ of `gaocegege/maintainer `_ on 2020-07-20. diff --git a/docs/CHANGELOG.rst b/docs/CHANGELOG.rst deleted file mode 100644 index d1ea6000..00000000 --- a/docs/CHANGELOG.rst +++ /dev/null 
@@ -1,196 +0,0 @@ - -Changelog -========= - -`0.41.1 `_ (2020-07-20) ------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **server-status:** enable module in Debian family (\ `632802a `_\ ) -* **server-status:** manage module in debian (\ `eafa419 `_\ ) - -Tests -^^^^^ - - -* **default+modules:** add modules' tests suite (\ `b253625 `_\ ) - -`0.41.0 `_ (2020-07-16) ------------------------------------------------------------------------------------------------------------ - -Features -^^^^^^^^ - - -* **vhosts/standard:** add support for ScriptAlias in standard vhost (\ `b88b437 `_\ ) - -`0.40.0 `_ (2020-07-16) ------------------------------------------------------------------------------------------------------------ - -Features -^^^^^^^^ - - -* **redhat/apache-2.x.config.jinja:** allow override of default_charset (\ `648f589 `_\ ) - -`0.39.5 `_ (2020-06-21) ------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **vhosts/cleanup:** check ``sites-enabled`` dir exists before listing it (\ `88373e3 `_\ ), closes `#278 `_ - -Continuous Integration -^^^^^^^^^^^^^^^^^^^^^^ - - -* **gemfile.lock:** add to repo with updated ``Gemfile`` [skip ci] (\ `61b903e `_\ ) -* **kitchen:** use ``saltimages`` Docker Hub where available [skip ci] (\ `6895fb9 `_\ ) -* **kitchen+travis:** remove ``master-py2-arch-base-latest`` [skip ci] (\ `16bb1b0 `_\ ) -* **travis:** add notifications => zulip [skip ci] (\ `2417a75 `_\ ) -* **workflows/commitlint:** add to repo [skip ci] (\ `2ce966d `_\ ) - -`0.39.4 `_ (2020-04-02) ------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **mod_ssl:** update mod_ssl package variable to prevent clashes (\ `5591be2 `_\ ) - -`0.39.3 `_ (2020-04-02) 
------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **debian:** generate remoteip conf before a2enconf (\ `1ed69f6 `_\ ) - -Continuous Integration -^^^^^^^^^^^^^^^^^^^^^^ - - -* **kitchen:** avoid using bootstrap for ``master`` instances [skip ci] (\ `275b5d5 `_\ ) -* **travis:** use ``major.minor`` for ``semantic-release`` version [skip ci] (\ `08cced2 `_\ ) - -`0.39.2 `_ (2019-12-20) ------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **redhat:** add user & group lookup to configs (\ `36ad2b2 `_\ ) - -`0.39.1 `_ (2019-12-20) ------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **mod_mpm:** cast to int to avoid Jinja type mismatch error (\ `21045c7 `_\ ) - -`0.39.0 `_ (2019-12-20) ------------------------------------------------------------------------------------------------------------ - -Continuous Integration -^^^^^^^^^^^^^^^^^^^^^^ - - -* **gemfile:** restrict ``train`` gem version until upstream fix [skip ci] (\ `13be6f9 `_\ ) -* **travis:** apply changes from build config validation [skip ci] (\ `0aac479 `_\ ) -* **travis:** opt-in to ``dpl v2`` to complete build config validation (\ `19e90ea `_\ ) -* **travis:** quote pathspecs used with ``git ls-files`` [skip ci] (\ `6608ddf `_\ ) -* **travis:** run ``shellcheck`` during lint job [skip ci] (\ `2ff6b2f `_\ ) -* **travis:** use build config validation (beta) [skip ci] (\ `73160b2 `_\ ) - -Features -^^^^^^^^ - - -* **server-status:** allow remote servers to reach server-status page (\ `a3c0022 `_\ ) - -`0.38.2 `_ (2019-11-07) ------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **apache/modules.sls:** fix duplicated ID (\ `57afd71 `_\ ) - -`0.38.1 `_ (2019-11-05) 
------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **mod_perl2.sls:** fix a2enmod perl2 error (\ `fba8d21 `_\ ) -* **release.config.js:** use full commit hash in commit link [skip ci] (\ `dc5593c `_\ ) - -Continuous Integration -^^^^^^^^^^^^^^^^^^^^^^ - - -* **kitchen:** use ``debian-10-master-py3`` instead of ``develop`` [skip ci] (\ `09d82a5 `_\ ) -* **kitchen:** use ``develop`` image until ``master`` is ready (\ ``amazonlinux``\ ) [skip ci] (\ `d0bf6f3 `_\ ) -* **kitchen+travis:** upgrade matrix after ``2019.2.2`` release [skip ci] (\ `fc0f869 `_\ ) -* **travis:** update ``salt-lint`` config for ``v0.0.10`` [skip ci] (\ `2622d48 `_\ ) - -Performance Improvements -^^^^^^^^^^^^^^^^^^^^^^^^ - - -* **travis:** improve ``salt-lint`` invocation [skip ci] (\ `bf75770 `_\ ) - -`0.38.0 `_ (2019-10-20) ------------------------------------------------------------------------------------------------------------ - -Bug Fixes -^^^^^^^^^ - - -* **apache-2.2.config.jinja:** fix ``salt-lint`` errors (\ ` `_\ ) -* **apache-2.4.config.jinja:** fix ``salt-lint`` errors (\ ` `_\ ) -* **flags.sls:** fix ``salt-lint`` errors (\ ` `_\ ) -* **init.sls:** fix ``salt-lint`` errors (\ ` `_\ ) -* **map.jinja:** fix ``salt-lint`` errors (\ ` `_\ ) -* **mod_geoip.sls:** fix ``salt-lint`` errors (\ ` `_\ ) -* **modsecurity.conf.jinja:** fix ``salt-lint`` errors (\ ` `_\ ) -* **modules.sls:** fix ``salt-lint`` errors (\ ` `_\ ) -* **server_status.sls:** fix ``salt-lint`` errors (\ ` `_\ ) -* **uninstall.sls:** fix ``salt-lint`` errors (\ ` `_\ ) -* **vhosts/cleanup.sls:** fix ``salt-lint`` errors (\ ` `_\ ) -* **vhosts/minimal.tmpl:** fix ``salt-lint`` errors (\ ` `_\ ) -* **vhosts/proxy.tmpl:** fix ``salt-lint`` errors (\ ` `_\ ) -* **vhosts/redirect.tmpl:** fix ``salt-lint`` errors (\ ` `_\ ) -* **vhosts/standard.tmpl:** fix ``salt-lint`` errors (\ ` `_\ ) -* **yamllint:** fix all errors (\ ` `_\ ) - 
-Documentation -^^^^^^^^^^^^^ - - -* **formula:** use standard structure (\ ` `_\ ) -* **readme:** move to ``docs/`` directory and modify accordingly (\ ` `_\ ) - -Features -^^^^^^^^ - - -* **semantic-release:** implement for this formula (\ ` `_\ ) - -Tests -^^^^^ - - -* **mod_security_spec:** convert from Serverspec to InSpec (\ ` `_\ ) diff --git a/docs/README.rst b/docs/README.rst index 6a2ae5d6..1042d117 100644 --- a/docs/README.rst +++ b/docs/README.rst 
@@ -53,154 +53,165 @@ Installs the Apache package and starts the service. ``apache.config`` ^^^^^^^^^^^^^^^^^ +Metastate to apply all apache configuration + + +``apache.config.file`` +^^^^^^^^^^^^^^^^^^^^^^ + Configures apache based on os_family -``apache.certificates`` +``apache.config.flags`` ^^^^^^^^^^^^^^^^^^^^^^^ +Configures apache flags on SuSE + +``apache.config.certificates`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + Deploy SSL certificates from pillars -``apache.mod_mpm`` -^^^^^^^^^^^^^^^^^^ +``apache.config.modules`` +^^^^^^^^^^^^^^^^^^^^^^^^^ -Configures the apache mpm modules on Debian ``mpm_prefork``, ``mpm_worker`` or ``mpm_event`` (Debian Only) +Metastate to Enable and disable Apache modules. -``apache.modules`` -^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_mpm`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Enables and disables Apache modules. +Configures the apache mpm modules on Debian ``mpm_prefork``, ``mpm_worker`` or ``mpm_event`` (Debian Only) -``apache.mod_rewrite`` -^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_rewrite`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enabled the Apache module mod_rewrite (Debian and FreeBSD only) -``apache.mod_proxy`` -^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_proxy`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables the Apache module mod_proxy. (Debian and FreeBSD only) -``apache.mod_proxy_http`` -^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_proxy_http`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables the Apache module mod_proxy_http and requires the Apache module mod_proxy to be enabled. (Debian Only) -``apache.mod_proxy_fcgi`` -^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_proxy_fcgi`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables the Apache module mod_proxy_fcgi and requires the Apache module mod_proxy to be enabled. 
(Debian Only) -``apache.mod_wsgi`` -^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_wsgi`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs the mod_wsgi package and enables the Apache module. -``apache.mod_actions`` -^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_actions`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables the Apache module mod_actions. (Debian Only) -``apache.mod_headers`` -^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_headers`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables the Apache module mod_headers. (Debian Only) -``apache.mod_pagespeed`` -^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_pagespeed`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and Enables the mod_pagespeed module. (Debian and RedHat Only) -``apache.mod_perl2`` -^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_perl2`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and enables the mod_perl2 module (Debian and FreeBSD only) -``apache.mod_geoip`` -^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_geoip`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and enables the mod_geoIP (RedHat only) -``apache.mod_php5`` -^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_php5`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and enables the mod_php5 module -``apache.mod_cgi`` -^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_cgi`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables mod_cgi. 
(FreeBSD only) -``apache.mod_fcgid`` -^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_fcgid`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and enables the mod_fcgid module (Debian only) -``apache.mod_fastcgi`` -^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_fastcgi`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and enables the mod_fastcgi module -``apache.mod_dav_svn`` -^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_dav_svn`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and enables the mod_dav_svn module (Debian only) -``apache.mod_security`` -^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_security`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs an enables the `Apache mod_security2 WAF``_ using data from Pillar. (Debian and RedHat Only) Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2 -``apache.mod_security.rules`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_security.rules`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This state can create symlinks based on basic Core Rules package. (Debian only) Or it can distribute a mod_security rule file and place it /etc/modsecurity/ -``apache.mod_socache_shmcb`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_socache_shmcb`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables mod_socache_shmcb. (FreeBSD only) -``apache.mod_ssl`` -^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_ssl`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and enables the mod_ssl module (Debian, RedHat and FreeBSD only) -``apache.mod_suexec`` -^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_suexec`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables mod_suexec. 
(FreeBSD only) -``apache.mod_vhost_alias`` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_vhost_alias`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables the Apache module vhost_alias (Debian Only) -``apache.mod_remoteip`` -^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_remoteip`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Enables and configures the Apache module mod_remoteip using data from Pillar. (Debian Only) -``apache.mod_xsendfile`` -^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_xsendfile`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and enables mod_xsendfile module. (Debian Only) -``apache.own_default_vhost`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.own_default_vhost`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Replace default vhost with own version. By default, it's 503 code. (Debian Only) -``apache.no_default_vhost`` -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.no_default_vhost`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Remove the default vhost. (Debian Only) -``apache.vhosts.standard`` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.vhosts.standard`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar. 
@@ -223,23 +234,29 @@ of interfaces to bind to. For example, to bind both IPv4 and IPv6: example.com: interface: '1.2.3.4 [2001:abc:def:100::3]' -``apache.manage_security`` -^^^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.manage_security`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Configures Apache's security.conf options by reassinging them using data from Pillar. -``apache.server_status`` -^^^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.modules.mod_status`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Configures Apache's server_status handler for localhost -``apache.debian_full`` -^^^^^^^^^^^^^^^^^^^^^^ +``apache.config.debian_full`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installs and configures Apache on Debian and Ubuntu systems. -``apache.uninstall`` -^^^^^^^^^^^^^^^^^^^^ +``apache.config.clean`` +^^^^^^^^^^^^^^^^^^^^^^^ + +Metastate to cleanup all apache configuration. + + +``apache.clean`` +^^^^^^^^^^^^^^^^ Stops the Apache service and uninstalls the package. @@ -284,7 +301,8 @@ Requirements $ gem install bundler $ bundle install - $ bin/kitchen test [platform] + :1 + $ bin/kitchen test [platform] Where ``[platform]`` is the platform name defined in ``kitchen.yml``, e.g. ``debian-9-2019-2-py3``. diff --git a/docs/TOFS_pattern.rst b/docs/TOFS_pattern.rst new file mode 100644 index 00000000..4fea5dda --- /dev/null +++ b/docs/TOFS_pattern.rst 
@@ -0,0 +1,518 @@ +.. _tofs_pattern: + +TOFS: A pattern for using SaltStack +=================================== + +.. list-table:: + :name: tofs-authors + :header-rows: 1 + :stub-columns: 1 + :widths: 2,2,3,2 + + * - + - Person + - Contact + - Date + * - Authored by + - Roberto Moreda + - moreda@allenta.com + - 29/12/2014 + * - Modified by + - Daniel Dehennin + - daniel.dehennin@baby-gnu.org + - 07/02/2019 + * - Modified by + - Imran Iqbal + - https://github.com/myii + - 23/02/2019 + +All that follows is a proposal based on my experience with `SaltStack `_. The good thing of a piece of software like this is that you can "bend it" to suit your needs in many possible ways, and this is one of them. All the recommendations and thoughts are given "as it is" with no warranty of any type. + +.. contents:: **Table of Contents** + +Usage of values in pillar vs templates in ``file_roots`` +-------------------------------------------------------- + +Among other functions, the *master* (or *salt-master*) serves files to the *minions* (or *salt-minions*). The `file_roots `_ is the list of directories used in sequence to find a file when a minion requires it: the first match is served to the minion. Those files could be `state files `_ or configuration templates, among others. + +Using SaltStack is a simple and effective way to implement configuration management, but even in a `non-multitenant `_ scenario, it is not a good idea to generally access some data (e.g. the database password in our `Zabbix `_ server configuration file or the private key of our `Nginx `_ TLS certificate). + +To avoid this situation we can use the `pillar mechanism `_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja `_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates. 
+ +There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas `_' repositories. `Some `_ `developments `_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja `_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer. + +In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values. + +On the reusability of SaltStack state files +------------------------------------------- + +There is a brilliant initiative of the SaltStack community called `salt-formulas `_. Their goal is to provide state files, pillar examples and configuration templates ready to be used for provisioning. I am a contributor for two small ones: `zabbix-formula `_ and `varnish-formula `_. + +The `design guidelines `_ for formulas are clear in many aspects and it is a recommended reading for anyone willing to write state files, even non-formulaic ones. + +In the next section, I am going to describe my proposal to extend further the reusability of formulas, suggesting some patterns of usage. 
+ +The Template Override and Files Switch (TOFS) pattern +----------------------------------------------------- + +I understand a formula as a **complete, independent set of SaltStack state and configuration template files sufficient to configure a system**. A system could be something as simple as an NTP server or some other much more complex service that requires many state and configuration template files. + +The customization of a formula should be done mainly by providing pillar data used later to render either the state or the configuration template files. + +Example: NTP before applying TOFS +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Let's work with the NTP example. A basic formula that follows the `design guidelines `_ has the following files and directories tree: + +.. code-block:: + + /srv/saltstack/salt-formulas/ntp-saltstack-formula/ + ntp/ + map.jinja + init.sls + conf.sls + files/ + default/ + etc/ + ntp.conf.jinja + +In order to use it, let's assume a `masterless configuration `_ and this relevant section of ``/etc/salt/minion``: + +.. code-block:: yaml + + pillar_roots: + base: + - /srv/saltstack/pillar + file_client: local + file_roots: + base: + - /srv/saltstack/salt + - /srv/saltstack/salt-formulas/ntp-saltstack-formula + +.. code-block:: jinja + + {#- /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/map.jinja #} + {%- set ntp = salt['grains.filter_by']({ + 'default': { + 'pkg': 'ntp', + 'service': 'ntp', + 'config': '/etc/ntp.conf', + }, + }, merge=salt['pillar.get']('ntp:lookup')) %} + +In ``init.sls`` we have the minimal states required to have NTP configured. In many cases ``init.sls`` is almost equivalent to an ``apt-get install`` or a ``yum install`` of the package. + +.. 
code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/init.sls + {%- from 'ntp/map.jinja' import ntp with context %} + + Install NTP: + pkg.installed: + - name: {{ ntp.pkg }} + + Enable and start NTP: + service.running: + - name: {{ ntp.service }} + - enabled: True + - require: + - pkg: Install NTP package + +In ``conf.sls`` we have the configuration states. In most cases, that is just managing configuration file templates and making them to be watched by the service. + +.. code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls + include: + - ntp + + {%- from 'ntp/map.jinja' import ntp with context %} + + Configure NTP: + file.managed: + - name: {{ ntp.config }} + - template: jinja + - source: salt://ntp/files/default/etc/ntp.conf.jinja + - watch_in: + - service: Enable and start NTP service + - require: + - pkg: Install NTP package + +Under ``files/default``, there is a structure that mimics the one in the minion in order to avoid clashes and confusion on where to put the needed templates. There you can find a mostly standard template for the configuration file. + +.. 
code-block:: jinja + + {#- /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/files/default/etc/ntp.conf.jinja #} + {#- Managed by saltstack #} + {#- Edit pillars or override this template in saltstack if you need customization #} + {%- set settings = salt['pillar.get']('ntp', {}) %} + {%- set default_servers = ['0.ubuntu.pool.ntp.org', + '1.ubuntu.pool.ntp.org', + '2.ubuntu.pool.ntp.org', + '3.ubuntu.pool.ntp.org'] %} + + driftfile /var/lib/ntp/ntp.drift + statistics loopstats peerstats clockstats + filegen loopstats file loopstats type day enable + filegen peerstats file peerstats type day enable + filegen clockstats file clockstats type day enable + + {%- for server in settings.get('servers', default_servers) %} + server {{ server }} + {%- endfor %} + + restrict -4 default kod notrap nomodify nopeer noquery + restrict -6 default kod notrap nomodify nopeer noquery + + restrict 127.0.0.1 + restrict ::1 + +With all this, it is easy to install and configure a simple NTP server by just running ``salt-call state.sls ntp.conf``: the package will be installed, the service will be running and the configuration should be correct for most of cases, even without pillar data. + +Alternatively, you can define a highstate in ``/srv/saltstack/salt/top.sls`` and run ``salt-call state.highstate``. + +.. code-block:: sls + + ## /srv/saltstack/salt/top.sls + base: + '*': + - ntp.conf + +**Customizing the formula just with pillar data**, we have the option to define the NTP servers. + +.. code-block:: sls + + ## /srv/saltstack/pillar/top.sls + base: + '*': + - ntp + +.. code-block:: sls + + ## /srv/saltstack/pillar/ntp.sls + ntp: + servers: + - 0.ch.pool.ntp.org + - 1.ch.pool.ntp.org + - 2.ch.pool.ntp.org + - 3.ch.pool.ntp.org + +Template Override +^^^^^^^^^^^^^^^^^ + +If the customization based on pillar data is not enough, we can override the template by creating a new one in ``/srv/saltstack/salt/ntp/files/default/etc/ntp.conf.jinja`` + +.. 
code-block:: jinja + + {#- /srv/saltstack/salt/ntp/files/default/etc/ntp.conf.jinja #} + {#- Managed by saltstack #} + {#- Edit pillars or override this template in saltstack if you need customization #} + + {#- Some bizarre configurations here #} + {#- ... #} + + {%- for server in settings.get('servers', default_servers) %} + server {{ server }} + {%- endfor %} + +This way we are locally **overriding the template files** offered by the formula in order to make a more complex adaptation. Of course, this could be applied as well to any of the files, including the state files. + +Files Switch +^^^^^^^^^^^^ + +To bring some order into the set of template files included in a formula, as we commented, we suggest having a similar structure to a normal final file system under ``files/default``. + +We can make different templates coexist for different minions, classified by any `grain `_ value, by simply creating new directories under ``files``. This mechanism is based on **using values of some grains as a switch for the directories under** ``files/``. + +If we decide that we want ``os_family`` as switch, then we could provide the formula template variants for both the ``RedHat`` and ``Debian`` families. + +.. code-block:: + + /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/files/ + default/ + etc/ + ntp.conf.jinja + RedHat/ + etc/ + ntp.conf.jinja + Debian/ + etc/ + ntp.conf.jinja + +To make this work we need a ``conf.sls`` state file that takes a list of possible files as the configuration template. + +.. 
code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls + include: + - ntp + + {%- from 'ntp/map.jinja' import ntp with context %} + + Configure NTP: + file.managed: + - name: {{ ntp.config }} + - template: jinja + - source: + - salt://ntp/files/{{ grains.get('os_family', 'default') }}/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + - watch_in: + - service: Enable and start NTP service + - require: + - pkg: Install NTP package + +If we want to cover the possibility of a special template for a minion identified by ``node01`` then we could have a specific template in ``/srv/saltstack/salt/ntp/files/node01/etc/ntp.conf.jinja``. + +.. code-block:: jinja + + {#- /srv/saltstack/salt/ntp/files/node01/etc/ntp.conf.jinja #} + {#- Managed by saltstack #} + {#- Edit pillars or override this template in saltstack if you need customization #} + + {#- Some crazy configurations here for node01 #} + {#- ... #} + +To make this work we could write a specially crafted ``conf.sls``. + +.. code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls + include: + - ntp + + {%- from 'ntp/map.jinja' import ntp with context %} + + Configure NTP: + file.managed: + - name: {{ ntp.config }} + - template: jinja + - source: + - salt://ntp/files/{{ grains.get('id') }}/etc/ntp.conf.jinja + - salt://ntp/files/{{ grains.get('os_family') }}/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + - watch_in: + - service: Enable and start NTP service + - require: + - pkg: Install NTP package + +Using the ``files_switch`` macro +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +We can simplify the ``conf.sls`` with the new ``files_switch`` macro to use in the ``source`` parameter for the ``file.managed`` state. + +.. 
code-block:: sls + + ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls + include: + - ntp + + {%- set tplroot = tpldir.split('/')[0] %} + {%- from 'ntp/map.jinja' import ntp with context %} + {%- from 'ntp/libtofs.jinja' import files_switch %} + + Configure NTP: + file.managed: + - name: {{ ntp.config }} + - template: jinja + - source: {{ files_switch(['/etc/ntp.conf.jinja'], + lookup='Configure NTP' + ) + }} + - watch_in: + - service: Enable and start NTP service + - require: + - pkg: Install NTP package + + +* This uses ``config.get``, searching for ``ntp:tofs:source_files:Configure NTP`` to determine the list of template files to use. +* If this returns a result, the default of ``['/etc/ntp.conf.jinja']`` will be appended to it. +* If this does not yield any results, the default of ``['/etc/ntp.conf.jinja']`` will be used. + +In ``libtofs.jinja``, we define this new macro ``files_switch``. + +.. literalinclude:: ../template/libtofs.jinja + :caption: /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/libtofs.jinja + :language: jinja + +How to customise the ``source`` further +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The examples below are based on an ``Ubuntu`` minion called ``theminion`` being configured via. pillar. + +Using the default settings of the ``files_switch`` macro above, +the ``source`` will be: + +.. code-block:: sls + + - source: + - salt://ntp/files/theminion/etc/ntp.conf.jinja + - salt://ntp/files/Debian/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + +Customise ``files`` +~~~~~~~~~~~~~~~~~~~ + +The ``files`` portion can be customised: + +.. code-block:: sls + + ntp: + tofs: + dirs: + files: files_alt + +Resulting in: + +.. 
code-block:: sls + + - source: + - salt://ntp/files_alt/theminion/etc/ntp.conf.jinja + - salt://ntp/files_alt/Debian/etc/ntp.conf.jinja + - salt://ntp/files_alt/default/etc/ntp.conf.jinja + +Customise the use of grains +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Grains can be customised and even arbitrary paths can be supplied: + +.. code-block:: sls + + ntp: + tofs: + files_switch: + - any/path/can/be/used/here + - id + - os + - os_family + +Resulting in: + +.. code-block:: sls + + - source: + - salt://ntp/files/any/path/can/be/used/here/etc/ntp.conf.jinja + - salt://ntp/files/theminion/etc/ntp.conf.jinja + - salt://ntp/files/Ubuntu/etc/ntp.conf.jinja + - salt://ntp/files/Debian/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + +Customise the ``default`` path +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The ``default`` portion of the path can be customised: + +.. code-block:: sls + + ntp: + tofs: + dirs: + default: default_alt + +Resulting in: + +.. code-block:: sls + + - source: + ... + - salt://ntp/files/default_alt/etc/ntp.conf.jinja + +Customise the list of ``source_files`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The list of ``source_files`` can be given: + +.. code-block:: sls + + ntp: + tofs: + source_files: + Configure NTP: + - '/etc/ntp.conf_alt.jinja' + +Resulting in: + +.. code-block:: sls + + - source: + - salt://ntp/files/theminion/etc/ntp.conf_alt.jinja + - salt://ntp/files/theminion/etc/ntp.conf.jinja + - salt://ntp/files/Debian/etc/ntp.conf_alt.jinja + - salt://ntp/files/Debian/etc/ntp.conf.jinja + - salt://ntp/files/default/etc/ntp.conf_alt.jinja + - salt://ntp/files/default/etc/ntp.conf.jinja + +Note: This does *not* override the default value. +Rather, the value from the pillar/config is prepended to the default. + +Using sub-directories for ``components`` +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If your formula is composed of several components, you may prefer to provides files under sub-directories, like in the `systemd-formula `_. + +.. 
code-block:: + + /srv/saltstack/systemd-formula/ + systemd/ + init.sls + libtofs.jinja + map.jinja + networkd/ + init.sls + files/ + default/ + network/ + 99-default.link + resolved/ + init.sls + files/ + default/ + resolved.conf + timesyncd/ + init.sls + files/ + Arch/ + resolved.conf + Debian/ + resolved.conf + default/ + resolved.conf + Ubuntu/ + resolved.conf + +For example, the following ``formula.component.config`` SLS: + +.. code-block:: sls + + {%- from "formula/libtofs.jinja" import files_switch with context %} + + formula configuration file: + file.managed: + - name: /etc/formula.conf + - user: root + - group: root + - mode: 644 + - template: jinja + - source: {{ files_switch(['formula.conf'], + lookup='formula', + use_subpath=True + ) + }} + +will be rendered on a ``Debian`` minion named ``salt-formula.ci.local`` as: + +.. code-block:: sls + + formula configuration file: + file.managed: + - name: /etc/formula.conf + - user: root + - group: root + - mode: 644 + - template: jinja + - source: + - salt://formula/component/files/salt-formula.ci.local/formula.conf + - salt://formula/component/files/Debian/formula.conf + - salt://formula/component/files/default/formula.conf + - salt://formula/files/salt-formula.ci.local/formula.conf + - salt://formula/files/Debian/formula.conf + - salt://formula/files/default/formula.conf diff --git a/kitchen.yml b/kitchen.yml index dbde1107..55ae442f 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -157,7 +157,6 @@ suites: base: '*': - apache - - apache.config pillars: top.sls: base: @@ -174,8 +173,10 @@ suites: base: '*': - apache - - apache.mod_security - - apache.server_status + - apache.config.modules + - apache.config.certificates + - apache.config.modules.mod_security + - apache.config.modules.server_status pillars: top.sls: base: 
@@ -186,3 +187,23 @@ suites:
 verifier:
 inspec_tests:
 - path: test/integration/modules
+ - name: arch
+ provisioner:
+ state_top:
+ base:
+ '*':
+ - apache
+ - apache.config.modules
+ - apache.config.certificates
+ - apache.config.modules.mod_security
+ - apache.config.modules.server_status
+ pillars:
+ top.sls:
+ base:
+ '*':
+ - apache
+ pillars_from_files:
+ apache.sls: test/salt/pillar/modules.sls
+ verifier:
+ inspec_tests:
+ - path: test/integration/nomodsecurity
diff --git a/pillar.example b/pillar.example
index 5db4254c..c265866d 100644
--- a/pillar.example
+++ b/pillar.example
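Review bot: The new `arch` suite's `state_top` lists `apache.config.modules.server_status`, but the README hunk in this same commit documents that state as `apache.config.modules.mod_status`; one of the two is wrong, and if it is kitchen.yml the suite fails at state resolution before any InSpec test runs. Align the entry with the real state file (`- apache.config.modules.mod_status` if the file was renamed, otherwise fix the README); the same entry appears in the preceding `modules` suite hunk. Separately, this suite applies `apache.config.modules.mod_security` while verifying with `test/integration/nomodsecurity`, which reads as if mod_security is expected to be absent on Arch; if that is the intent, a one-line comment on the suite such as `# mod_security is not packaged on Arch; the state is expected to no-op` would spare the next reader a trip into the state file.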
@@ -1,47 +1,39 @@ # -*- coding: utf-8 -*- # vim: ft=yaml --- -# ``apache`` formula configuration: apache: - - # By default apache restart/reload states run (false skips) - manage_service_states: true - - # lookup section overrides ``map.jinja`` values lookup: - server: apache2 - service: apache2 - user: some_system_user - group: some_system_group - - vhostdir: /etc/apache2/sites-available - confdir: /etc/apache2/conf.d - confext: .conf - logdir: /var/log/apache2 - wwwdir: /srv/apache2 + master: template-master # apache version (generally '2.2' or '2.4') - version: '2.2' - - # mod_ssl package name - mod_ssl_pkg: mod_ssl - - # ``apache.mod_wsgi`` formula additional configuration: - mod_wsgi: mod_wsgi + # version: '2.2' # Default value for AddDefaultCharset in RedHat configuration default_charset: 'UTF-8' # Should we enforce DocumentRoot user/group? - # Default: do not enforce - document_root_user: www-data # Force user if specified, leave it default if not - document_root_group: null # Do not enforce group + document_root_user: null # Defaults to: apache.user + document_root_group: null # Defaults to: apache.group + + # Just for testing purposes + winner: lookup + added_in_lookup: lookup_value + + # Using bash package and udev service as an example. This allows us to + # test the template formula itself. You should set these parameters to + # examples that make sense in the contexto of the formula you're writing. + # pkg: + # deps: + # mod_ssl # redhat + # mod_security # redhat + # mod_geoip # redhat + # GeoIP # redhat + # libapache2-mod-security2 # Debian global: # global apache directives AllowEncodedSlashes: 'On' - name_virtual_hosts: - interface: '*' port: 80 
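Review bot: The comment above the commented-out `pkg: deps:` block is copied verbatim from the template formula ("Using bash package and udev service as an example … contexto of the formula you're writing") and describes neither this formula nor the module packages listed under it, so a user reading pillar.example is told to configure bash/udev. Replace it with text that matches the listed values, e.g. `# Optional extra packages installed with apache (RedHat: mod_ssl, mod_security, mod_geoip, GeoIP; Debian: libapache2-mod-security2)`, hedged as needed since the exact semantics of `pkg:deps` are not visible here. The `winner: lookup` / `added_in_lookup: lookup_value` keys are likewise template test fixtures; if the test pillar needs them, say so in the comment, otherwise keep them out of the user-facing example.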
@@ -49,14 +41,21 @@ apache: port: 443 # ``apache.vhosts`` formula additional configuration: + # fqdn should be added to /etc/hosts i.e. ## + # $ tail -3 /etc/hosts + # 127.0.0.1 example.com + # 127.0.0.1 www.redirectmatch.com + # 127.0.0.1 www.proxyexample.com + sites: example.net: - template_file: salt://apache/vhosts/minimal.tmpl + template_file: salt://apache/config/vhosts/minimal.tmpl + port: '8081' example.com: # must be unique; used as an ID declaration in Salt. enabled: true # or minimal.tmpl or redirect.tmpl or proxy.tmpl - template_file: salt://apache/vhosts/standard.tmpl + template_file: salt://apache/config/vhosts/standard.tmpl ####################### DEFAULT VALUES BELOW ############################ # NOTE: the values below are simply default settings that *can* be @@ -69,7 +68,7 @@ apache: template_engine: jinja interface: '*' - port: '80' + port: '443' exclude_listen_directive: true # Do not add a Listen directive in httpd.conf 
@@ -80,23 +79,78 @@ apache: LogLevel: warn # E.g.: /var/log/apache2/example.com-error.log - ErrorLog: /path/to/logs/example.com-error.log + # ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-access.log - CustomLog: /path/to/logs/example.com-access.log + # CustomLog: /path/to/logs/example.com-access.log # E.g., /var/www/example.com DocumentRoot: /path/to/www/dir/example.com - # do not enforce user, defaults to lookup:document_root_user + # do not enforce user, defaults to lookup:document_root_user or apache.user DocumentRootUser: null - # Force group, defaults to lookup:document_root_group - DocumentRootGroup: www-data + # Force group, defaults to lookup:document_root_group or apache.user + DocumentRootGroup: null + + {%- if grains.os_family in ('Debian', 'Suse', 'Gentoo') %} + SSLCertificateFile: /etc/apache2/conf/server.crt + SSLCertificateKeyFile: /etc/apache2/conf/server.key + {%- else %} + SSLCertificateFile: /etc/httpd/conf/server.crt + SSLCertificateKeyFile: /etc/httpd/conf/server.key + {%- endif %} + # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer + + SSLCertificateFile_content: | + -----BEGIN CERTIFICATE----- + MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x + CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp + Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM + C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL + MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj + bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL + ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL + ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D + mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8 + yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo + th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m + TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY + 
i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27 + jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl + aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+ + 2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO + W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb + 2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl + ylssbnQ= + -----END CERTIFICATE----- + + SSLCertificateKeyFile_content: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx + svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY + t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272 + a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw + xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V + 2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P + Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS + 70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR + zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd + vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj + eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ + viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk + Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS + 2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv + ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+ + dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI + FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU + Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc + KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu + UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA + e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu + wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3 + 
LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF + eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ + qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4 + -----END RSA PRIVATE KEY----- - # if ssl is desired - SSLCertificateFile: /etc/ssl/mycert.pem - # if key for cert is needed or in an extra file - SSLCertificateKeyFile: /etc/ssl/mycert.pem.key - # if you require a chain of server certificates file - SSLCertificateChainFile: /etc/ssl/mycert.chain.pem Directory: # "default" is a special case; uses DocumentRoot value 
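Review bot: The hunk commits a PEM private key in clear text (`SSLCertificateKeyFile_content:` … `-----BEGIN RSA PRIVATE KEY-----`) into pillar.example next to a certificate whose subject appears to be example.com, without any statement that it is a throwaway test pair; example pillars get copy-pasted, and a key that is public in git must never end up behind a real vhost. Add a comment directly above `SSLCertificateFile_content:` such as `# Self-signed throwaway pair used only by the test suite; real keys belong in an encrypted pillar (e.g. the gpg renderer) and must never be committed.` so the intent is explicit. The `DocumentRootGroup` comment in the same hunk says it defaults to `apache.user`; it should read `# Force group, defaults to lookup:document_root_group or apache.group`.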
@@ -107,39 +161,39 @@ apache: Allow: from all # For apache < 2.4 Require: all granted # For apache > 2.4. AllowOverride: None - Formula_Append: | - Additional config as a - multi-line string here + # Formula_Append: | + # Additional config as a + # multi-line string here redirectmatch.com: # Use RedirectMatch Directive # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch # Require module mod_alias enabled: true - template_file: salt://apache/vhosts/redirect.tmpl + template_file: salt://apache/config/vhosts/redirect.tmpl ServerName: www.redirectmatch.com ServerAlias: www.redirectmatch.com RedirectMatch: true RedirectSource: '^/$' RedirectTarget: '/subdirectory' DocumentRoot: /var/www/html/ - ErrorLog: ${APACHE_LOG_DIR}/error.log - CustomLog: ${APACHE_LOG_DIR}/access.log + port: '8083' - 80-proxyexample.com: - template_file: salt://apache/vhosts/redirect.tmpl + 8084-proxyexample.com: + template_file: salt://apache/config/vhosts/redirect.tmpl ServerName: www.proxyexample.com ServerAlias: www.proxyexample.com RedirectSource: '/' RedirectTarget: 'https://www.proxyexample.com/' DocumentRoot: /var/www/proxy + port: '8084' - 443-proxyexample.com: - template_file: salt://apache/vhosts/proxy.tmpl + 8443-proxyexample.com: + template_file: salt://apache/config/vhosts/proxy.tmpl ServerName: www.proxyexample.com ServerAlias: www.proxyexample.com interface: '*' - port: '443' + port: '8443' DocumentRoot: /var/www/proxy Rewrite: | 
@@ -147,43 +201,61 @@ apache: RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L] RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L] - SSLCertificateFile: /etc/httpd/ssl/example.com.crt - SSLCertificateKeyFile: /etc/httpd/ssl/example.com.key - SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer + SSLCertificateFile: /etc/httpd/conf/server.crt + SSLCertificateKeyFile: /etc/httpd/conf/server.key + # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer SSLCertificateFile_content: | -----BEGIN CERTIFICATE----- - MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL - MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC - VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx - NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD - TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu - ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j - V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj - gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA - FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE - CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS - BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE - BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju - Wm7DCfrPNGVwFWUQOmsPue9rZBgO + MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x + CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp + Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM + C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL + MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj + bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL + ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL + ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D + mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8 + 
yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo + th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m + TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY + i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27 + jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl + aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+ + 2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO + W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb + 2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl + ylssbnQ= -----END CERTIFICATE----- SSLCertificateKeyFile_content: | - -----BEGIN PRIVATE KEY----- - MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL - MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC - VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx - NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD - TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu - ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j - V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj - gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA - FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE - CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS - BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE - BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju - Wm7DCfrPNGVwFWUQOmsPue9rZBgO - -----END PRIVATE KEY----- + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx + svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY + t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272 + a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw + xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V + 2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P 
+ Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS + 70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR + zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd + vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj + eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ + viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk + Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS + 2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv + ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+ + dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI + FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU + Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc + KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu + UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA + e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu + wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3 + LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF + eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ + qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4 + -----END RSA PRIVATE KEY----- SSLCertificateChainFile_content: | -----BEGIN CERTIFICATE----- @@ -245,9 +317,9 @@ apache: Location: /: Require: false - Formula_Append: | - SecRuleRemoveById 981231 - SecRuleRemoveById 981173 + # Formula_Append: | + # SecRuleRemoveById 981231 + # SecRuleRemoveById 981173 /error: Require: 'all granted' @@ -256,9 +328,9 @@ apache: Order: allow,deny # For Apache < 2.4 Allow: from all # For apache < 2.4 Require: all granted # For apache > 2.4. - Formula_Append: | - Additional config as a - multi-line string here + # Formula_Append: | + # Additional config as a + # multi-line string here LocationMatch: '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]': 
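Review bot: The new `SSLCertificateKeyFile_content` block commits a complete RSA private key to the repository, and the certificate added beside it appears to be its matching pair, so this key material is public from now on and anyone who copies the example block as-is will serve TLS with a key that is readable by the whole world. The block needs a comment that makes that explicit, e.g. `# TEST FIXTURE ONLY: this key is public (it lives in git); never reuse it, generate your own.`, and ideally the example would carry a placeholder while only the test pillars carry the fixture. `SSLCertificateChainFile` is now commented out while the `SSLCertificateChainFile_content` block after it is kept, so it is unclear whether that content is still consumed; if it is dead, comment it out as well. The enclosing `sites:` mapping begins before this hunk.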
@@ -274,29 +346,28 @@ apache: Proxy_control: '*': AllowAll: false - AllowCountry: - - DE + AllowCountry: false + # - DE AllowIP: - 12.5.25.32 - 12.5.25.33 - Alias: /docs: /usr/share/docs ScriptAlias: /cgi-bin/: /var/www/cgi-bin/ - Formula_Append: | - Additional config as a - multi-line string here + # Formula_Append: | + # \#Additional config as a + # \#multi-line string here # ``apache.debian_full`` formula additional configuration: register-site: # any name as an array index, and you can duplicate this section - UNIQUE_VALUE_HERE: - name: 'my name' - path: 'salt://path/to/sites-available/conf/file' + unique_value_here: + name: 'myname' + path: 'salt://apache/files/myname.conf' state: 'enabled' # Optional - use managed file as Jinja Template # template: true @@ -305,10 +376,25 @@ apache: modules: enabled: # List modules to enable - - ldap - ssl - disabled: # List modules to disable + - prefork - rewrite + - proxy + - proxy_ajp + - proxy_html + - headers + # geoip + - status + - logio + - dav + - dav_fs + - dav_lock + - auth_digest + - socache_shmcb + - xml2enc + - ldap + disabled: # List modules to disable + - geoip flags: enabled: # List server flags to enable @@ -320,6 +406,8 @@ apache: # one request per connection). Set to "Off" to deactivate. keepalive: 'On' + TimeOut: 60 # software default is 60 seconds + security: # can be Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. @@ -344,7 +432,7 @@ apache: # ``apache.mod_security`` formula additional configuration: mod_security: - crs_install: true + crs_install: false # If not set, default distro's configuration is installed as is manage_config: true sec_rule_engine: 'On' 
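Review bot: The `modules.enabled` list now switches on `status`, `dav`, `dav_fs`, `dav_lock`, `auth_digest` and the `proxy*` modules in the example, but nothing visible in the pillar configures a DAV location, so a user who copies this block inherits loaded modules they do not use. If the list is tuned for the kitchen test matrix, say so above it, e.g. `# Enabled for test coverage; trim to the modules your vhosts actually use`, and move the stray `# geoip` comment out of the list body since `geoip` is already listed under `disabled:`. The `TimeOut: 60` line in the following hunk raises the same question: its own comment says it is the software default, so either drop it or explain why the example pins it.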
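Review bot: `crs_install: false` turns the mod_security example into one that keeps `sec_rule_engine: 'On'` but no longer installs the OWASP Core Rule Set, apparently relying on whatever rules the distro's default configuration ships; readers who copy the example may end up with an engine that inspects very little. If the flip is only to keep the test instances lean, keep the example protective and mark it, e.g. `crs_install: true  # set to false in the test pillars only`, or at least extend the existing comment to say what the distro default provides instead.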
@@ -369,9 +457,10 @@ apache: custom_rule_files: # any name as an array index, and you can duplicate this section UNIQUE_VALUE_HERE: - file: 'my name' - path: 'salt://path/to/modsecurity/custom/file' - enabled: true + file: 'myname' + # path/to/modsecurity/custom/file + path: 'salt://apache/files/dummy.conf' + enabled: false mod_ssl: # set this to true if you want to override your distributions default TLS @@ -396,3 +485,42 @@ apache: - 10.8.8.0/24 host: - foo.example.com + + tofs: + # The files_switch key serves as a selector for alternative + # directories under the formula files directory. See TOFS pattern + # doc for more info. + # Note: Any value not evaluated by `config.get` will be used literally. + # This can be used to set custom paths, as many levels deep as required. + files_switch: + - any/path/can/be/used/here + - id + - roles + - osfinger + - os + - os_family + # All aspects of path/file resolution are customisable using the options below. + # This is unnecessary in most cases; there are sensible defaults. + # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default > + # I.e.: salt://apache/files/default + # path_prefix: template_alt + # dirs: + # files: files_alt + # default: default_alt + # The entries under `source_files` are prepended to the default source files + # given for the state + # source_files: + # apache-config-file-file-managed: + # - 'example_alt.tmpl' + # - 'example_alt.tmpl.jinja' + + # For testing purposes + source_files: + apache-config-file-file-managed: + - 'example.tmpl.jinja' + apache-subcomponent-config-file-file-managed: + - 'subcomponent-example.tmpl.jinja' + + # Just for testing purposes + winner: pillar + added_in_pillar: pillar_value diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb index cd291b69..5847900e 100644 --- a/test/integration/default/controls/config_spec.rb +++ b/test/integration/default/controls/config_spec.rb 
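Review bot: The `winner: pillar` and `added_in_pillar: pillar_value` keys and the uncommented `source_files:` stanza marked `# For testing purposes` are test scaffolding left live in the example, so a user who copies the `tofs:` block verbatim overrides the formula's source lookup with `example.tmpl.jinja` templates that presumably exist only for the test suites. Comment them out like the `# source_files:` sample above them, or move them to the pillars under `test/salt/pillar/`. The `custom_rule_files` hunk just before this one has the same flavour: `path: 'salt://apache/files/dummy.conf'` with `enabled: false` is a test stub presented as an example, and deserves a comment saying so.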
@@ -1,23 +1,83 @@ # frozen_string_literal: true +# Overide by OS control 'apache configuration' do title 'should match desired lines' - config_file = - case platform[:family] - when 'debian' - '/etc/apache2/apache2.conf' - when 'redhat', 'fedora' - '/etc/httpd/conf/httpd.conf' - when 'suse' - '/etc/apache2/httpd.conf' + case platform[:family] + when 'debian', 'suse' + vhostdir = '/etc/apache2/sites-available' + logrotatedir = '/etc/logrotate.d/apache2' + moddir = '/etc/apache2/mods-enabled' + sitesdir = '/etc/apache2/sites-enabled' + when 'redhat', 'fedora' + vhostdir = '/etc/httpd/vhosts.d' + logrotatedir = '/etc/logrotate.d/httpd' + moddir = '/etc/httpd/conf.modules.d' + sitesdir = '/etc/httpd/sites-enabled' + when 'gentoo' + vhostdir = '/etc/apache2/vhosts.d' + logrotatedir = '/etc/logrotate.d/apache2' + moddir = '/etc/apache2/mods-enabled' + sitesdir = '/etc/apache2/sites-enabled' # `linux` here is sufficient for `arch` - when 'linux' - '/etc/httpd/conf/httpd.conf' - end + when 'linux', 'arch' + vhostdir = '/etc/httpd/conf/vhosts' + logrotatedir = '/etc/logrotate.d/httpd' + moddir = '/etc/httpd/conf.modules.d' + sitesdir = '/etc/httpd/sites-enabled' + when 'bsd' + vhostdir = '/usr/local/etc/apache24/Includes' + # logrotatedir = ? + # moddir = '?' + # sitesdir = '?' 
+ end + describe file(vhostdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end + describe file(logrotatedir) do + it { should exist } + its('type') { should eq :file } + end + describe file(moddir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end + describe file(sitesdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end +end + +control 'apache configuration (unique)' do + title 'should be valid' + + case platform[:family] + when 'debian' + config_file = '/etc/apache2/apache2.conf' + wwwdir = '/srv' + when 'suse' + config_file = '/etc/apache2/httpd.conf' + wwwdir = '/srv/www' + when 'redhat', 'fedora' + config_file = '/etc/httpd/conf/httpd.conf' + wwwdir = '/var/www' + when 'gentoo' + config_file = '/etc/apache2/httpd.conf' + wwwdir = '/var/www' + when 'linux', 'arch' + config_file = '/etc/httpd/conf/httpd.conf' + wwwdir = '/srv/http' + when 'bsd' + config_file = '/usr/local/etc/apache24/httpd.conf' + wwwdir = '/usr/local/www/apache24/' + end describe file(config_file) do it { should be_file } - it { should be_owned_by 'root' } it { should be_grouped_into 'root' } its('mode') { should cmp '0644' } its('content') do @@ -26,14 +86,9 @@ ) end end -end -control 'apache configuration' do - title 'should be valid' - - describe command('apachectl -t') do - its('stdout') { should eq '' } - its('stderr') { should include 'Syntax OK' } - - its('exit_status') { should eq 0 } + describe file(wwwdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } end end diff --git a/test/integration/default/controls/packages_spec.rb b/test/integration/default/controls/packages_spec.rb index 6e237467..4741b44c 100644 --- a/test/integration/default/controls/packages_spec.rb +++ b/test/integration/default/controls/packages_spec.rb 
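Review bot: The `when 'bsd'` branch assigns only `vhostdir`, so on FreeBSD `logrotatedir`, `moddir` and `sitesdir` are nil and `describe file(nil)` raises a resource error instead of reporting a skipped check; the same branch is repeated in test/integration/modules/controls/config_spec.rb and test/integration/nomodsecurity/controls/config_spec.rb, and an unmatched family hits the same path for all four variables. Either give the branch real paths or guard each describe with plain Ruby, e.g. `describe file(logrotatedir) do ... end unless logrotatedir.nil?`. The `it { should be_owned_by 'root' }` assertion on the main config file appears to be dropped here, which weakens the check that only root can edit it; if one platform forced that, restrict the assertion per family rather than removing it. The new comment `# Overide by OS` is misspelled (`Override`).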
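Review bot: The default profile loses its `apachectl -t` control entirely, so the default suite no longer proves that the rendered configuration parses; only the modules and nomodsecurity profiles keep that check, and the `wwwdir` directory assertions added in its place are not a substitute. Keep a `describe command('apachectl -t')` block in this profile as well, switching to `httpd -t` on the redhat family the way the modules profile does.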
@@ -1,20 +1,45 @@ # frozen_string_literal: true +# Overide by OS control 'apache package' do title 'should be installed' - package_name = - case platform[:family] - when 'debian', 'suse' - 'apache2' - when 'redhat', 'fedora' - 'httpd' - # `linux` here is sufficient for `arch` - when 'linux' - 'apache' - end + case platform[:family] + when 'debian' + package_name = 'apache2' + user_name = 'www-data' + group_name = 'www-data' + when 'suse' + package_name = 'apache2' + user_name = 'wwwrun' + group_name = 'wwwrun' + when 'redhat', 'fedora' + package_name = 'httpd' + user_name = 'apache' + group_name = 'apache' + when 'gentoo' + package_name = 'www-servers/apache' + user_name = 'apache' + group_name = 'apache' + when 'linux', 'arch' + package_name = 'apache' + user_name = 'http' + group_name = 'http' + when 'bsd' + package_name = 'apache24' + user_name = 'www' + group_name = 'www' + when 'windows' + package_name = 'apache-httpd' + end describe package(package_name) do it { should be_installed } end + describe group(group_name) do + it { should exist } + end + describe user(user_name) do + it { should exist } + end end diff --git a/test/integration/default/controls/services_spec.rb b/test/integration/default/controls/services_spec.rb index a8657e07..97e56461 100644 --- a/test/integration/default/controls/services_spec.rb +++ b/test/integration/default/controls/services_spec.rb @@ -1,5 +1,6 @@ # frozen_string_literal: true +# Overide by OS control 'apache service' do impact 0.5 title 'should be running and enabled' @@ -10,6 +11,12 @@ 'apache2' when 'redhat', 'fedora', 'linux' 'httpd' + when 'gentoo' + 'www-servers/apache' + when 'bsd' + 'apache24' + when 'windows' + 'apache' end describe service(service_name) do diff --git a/test/integration/modules/controls/config_spec.rb b/test/integration/modules/controls/config_spec.rb index 96f6c6a4..eb8443e5 100644 --- a/test/integration/modules/controls/config_spec.rb +++ b/test/integration/modules/controls/config_spec.rb 
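Review bot: The `when 'windows'` branch sets only `package_name`, so `user_name` and `group_name` are nil and `describe group(nil)` / `describe user(nil)` fail with a resource error rather than a meaningful message; an unmatched family hits the same path for all three variables. The identical case statement is copied into test/integration/modules/controls/packages_spec.rb and test/integration/nomodsecurity/controls/packages_spec.rb, so fix it once and consider sharing it. A guard such as `describe user(user_name) do ... end unless user_name.nil?` (and the same for the group) is enough, and the new `# Overide by OS` comment should read `Override`.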
@@ -1,12 +1,110 @@ # frozen_string_literal: true control 'apache configuration' do - title 'should be valid' + title 'should match desired lines' - describe command('apachectl -t') do + apachectl = 'apachectl -t' + case platform[:family] + when 'debian', 'suse' + vhostdir = '/etc/apache2/sites-available' + logrotatedir = '/etc/logrotate.d/apache2' + logdir = '/var/log/apache2' + moddir = '/etc/apache2/mods-enabled' + sitesdir = '/etc/apache2/sites-enabled' + when 'redhat', 'fedora' + vhostdir = '/etc/httpd/vhosts.d' + logrotatedir = '/etc/logrotate.d/httpd' + logdir = '/var/log/httpd' + moddir = '/etc/httpd/conf.modules.d' + sitesdir = '/etc/httpd/sites-enabled' + apachectl = 'httpd -t' + when 'gentoo' + vhostdir = '/etc/apache2/vhosts.d' + logrotatedir = '/etc/logrotate.d/apache2' + logdir = '/var/log/apache2' + moddir = '/etc/apache2/mods-enabled' + sitesdir = '/etc/apache2/sites-enabled' + # `linux` here is sufficient for `arch` + when 'linux', 'arch' + vhostdir = '/etc/httpd/conf/vhosts' + logrotatedir = '/etc/logrotate.d/httpd' + logdir = '/var/log/httpd' + moddir = '/etc/httpd/conf.modules.d' + sitesdir = '/etc/httpd/sites-enabled' + when 'bsd' + vhostdir = '/usr/local/etc/apache24/Includes' + logdir = '/var/log' + # logrotatedir = ? + # moddir = '?' + # sitesdir = '?' 
+ end + describe command(apachectl) do its('stdout') { should eq '' } its('stderr') { should include 'Syntax OK' } - its('exit_status') { should eq 0 } end + describe file(vhostdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end + describe file(logrotatedir) do + it { should exist } + its('type') { should eq :file } + end + describe file(logdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end + describe file(moddir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end + describe file(sitesdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end +end + +control 'apache configuration (unique)' do + title 'should match desired lines' + + case platform[:family] + when 'debian' + config_file = '/etc/apache2/apache2.conf' + wwwdir = '/srv' + when 'suse' + config_file = '/etc/apache2/httpd.conf' + wwwdir = '/srv/www' + when 'redhat', 'fedora' + config_file = '/etc/httpd/conf/httpd.conf' + wwwdir = '/var/www' + when 'gentoo' + config_file = '/etc/apache2/httpd.conf' + wwwdir = '/var/www' + when 'linux', 'arch' + config_file = '/etc/httpd/conf/httpd.conf' + wwwdir = '/srv/http' + when 'bsd' + config_file = '/usr/local/etc/apache24/httpd.conf' + wwwdir = '/usr/local/www/apache24/' + end + describe file(config_file) do + it { should be_file } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + its('content') do + should include( + 'This file is managed by Salt! Do not edit by hand!' + ) + end + end + describe file(wwwdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end end diff --git a/test/integration/modules/controls/packages_spec.rb b/test/integration/modules/controls/packages_spec.rb index ecea0956..f0b3772e 100644 --- a/test/integration/modules/controls/packages_spec.rb 
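Review bot: `logdir = '/var/log'` in the `when 'bsd'` branch makes the log-directory check vacuous, because `/var/log` exists on every FreeBSD host whether or not Apache is installed or logging; point it at the directory the formula actually configures, or skip the check on that family. This file and test/integration/nomodsecurity/controls/config_spec.rb land as the same blob (`eb8443e5`), so any fix here has to be mirrored there; an InSpec `depends:` on a shared profile would avoid the drift. The control's new title `should match desired lines` no longer describes what it does, since its first check is the `apachectl -t` syntax test.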
+++ b/test/integration/modules/controls/packages_spec.rb @@ -1,6 +1,50 @@ # frozen_string_literal: true -control 'apache mod_security package' do +# Overide by OS +control 'apache package' do + title 'should be installed' + + case platform[:family] + when 'debian' + package_name = 'apache2' + user_name = 'www-data' + group_name = 'www-data' + when 'suse' + package_name = 'apache2' + user_name = 'wwwrun' + group_name = 'wwwrun' + when 'redhat', 'fedora' + package_name = 'httpd' + user_name = 'apache' + group_name = 'apache' + when 'gentoo' + package_name = 'www-servers/apache' + user_name = 'apache' + group_name = 'apache' + when 'linux', 'arch' + package_name = 'apache' + user_name = 'http' + group_name = 'http' + when 'bsd' + package_name = 'apache24' + user_name = 'www' + group_name = 'www' + when 'windows' + package_name = 'apache-httpd' + end + + describe package(package_name) do + it { should be_installed } + end + describe group(group_name) do + it { should exist } + end + describe user(user_name) do + it { should exist } + end +end + +control 'apache module packages' do title 'should be installed' package_name = diff --git a/test/integration/modules/controls/services_spec.rb b/test/integration/modules/controls/services_spec.rb index 3f468e1a..97e56461 100644 --- a/test/integration/modules/controls/services_spec.rb +++ b/test/integration/modules/controls/services_spec.rb @@ -1,5 +1,6 @@ # frozen_string_literal: true +# Overide by OS control 'apache service' do impact 0.5 title 'should be running and enabled' @@ -10,10 +11,16 @@ 'apache2' when 'redhat', 'fedora', 'linux' 'httpd' + when 'gentoo' + 'www-servers/apache' + when 'bsd' + 'apache24' + when 'windows' + 'apache' end describe service(service_name) do it { should be_enabled } - it { should_not be_running } + it { should be_running } end end diff --git a/test/integration/nomodsecurity/README.md b/test/integration/nomodsecurity/README.md new file mode 100644 index 00000000..2c2c282e --- /dev/null 
+++ b/test/integration/nomodsecurity/README.md @@ -0,0 +1,50 @@ +# InSpec Profile: `modules` + +This shows the implementation of the `modules` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md). + +## Verify a profile + +InSpec ships with built-in features to verify a profile structure. + +```bash +$ inspec check modules +Summary +------- +Location: modules +Profile: profile +Controls: 4 +Timestamp: 2019-06-24T23:09:01+00:00 +Valid: true + +Errors +------ + +Warnings +-------- +``` + +## Execute a profile + +To run all **supported** controls on a local machine use `inspec exec /path/to/profile`. + +```bash +$ inspec exec modules +.. + +Finished in 0.0025 seconds (files took 0.12449 seconds to load) +8 examples, 0 failures +``` + +## Execute a specific control from a profile + +To run one control from the profile use `inspec exec /path/to/profile --controls name`. + +```bash +$ inspec exec modules --controls package +. + +Finished in 0.0025 seconds (files took 0.12449 seconds to load) +1 examples, 0 failures +``` + +See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb). diff --git a/test/integration/nomodsecurity/controls/config_spec.rb b/test/integration/nomodsecurity/controls/config_spec.rb new file mode 100644 index 00000000..eb8443e5 --- /dev/null +++ b/test/integration/nomodsecurity/controls/config_spec.rb 
@@ -0,0 +1,110 @@ +# frozen_string_literal: true + +control 'apache configuration' do + title 'should match desired lines' + + apachectl = 'apachectl -t' + case platform[:family] + when 'debian', 'suse' + vhostdir = '/etc/apache2/sites-available' + logrotatedir = '/etc/logrotate.d/apache2' + logdir = '/var/log/apache2' + moddir = '/etc/apache2/mods-enabled' + sitesdir = '/etc/apache2/sites-enabled' + when 'redhat', 'fedora' + vhostdir = '/etc/httpd/vhosts.d' + logrotatedir = '/etc/logrotate.d/httpd' + logdir = '/var/log/httpd' + moddir = '/etc/httpd/conf.modules.d' + sitesdir = '/etc/httpd/sites-enabled' + apachectl = 'httpd -t' + when 'gentoo' + vhostdir = '/etc/apache2/vhosts.d' + logrotatedir = '/etc/logrotate.d/apache2' + logdir = '/var/log/apache2' + moddir = '/etc/apache2/mods-enabled' + sitesdir = '/etc/apache2/sites-enabled' + # `linux` here is sufficient for `arch` + when 'linux', 'arch' + vhostdir = '/etc/httpd/conf/vhosts' + logrotatedir = '/etc/logrotate.d/httpd' + logdir = '/var/log/httpd' + moddir = '/etc/httpd/conf.modules.d' + sitesdir = '/etc/httpd/sites-enabled' + when 'bsd' + vhostdir = '/usr/local/etc/apache24/Includes' + logdir = '/var/log' + # logrotatedir = ? + # moddir = '?' + # sitesdir = '?' 
+ end + describe command(apachectl) do + its('stdout') { should eq '' } + its('stderr') { should include 'Syntax OK' } + its('exit_status') { should eq 0 } + end + describe file(vhostdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end + describe file(logrotatedir) do + it { should exist } + its('type') { should eq :file } + end + describe file(logdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end + describe file(moddir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end + describe file(sitesdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end +end + +control 'apache configuration (unique)' do + title 'should match desired lines' + + case platform[:family] + when 'debian' + config_file = '/etc/apache2/apache2.conf' + wwwdir = '/srv' + when 'suse' + config_file = '/etc/apache2/httpd.conf' + wwwdir = '/srv/www' + when 'redhat', 'fedora' + config_file = '/etc/httpd/conf/httpd.conf' + wwwdir = '/var/www' + when 'gentoo' + config_file = '/etc/apache2/httpd.conf' + wwwdir = '/var/www' + when 'linux', 'arch' + config_file = '/etc/httpd/conf/httpd.conf' + wwwdir = '/srv/http' + when 'bsd' + config_file = '/usr/local/etc/apache24/httpd.conf' + wwwdir = '/usr/local/www/apache24/' + end + describe file(config_file) do + it { should be_file } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + its('content') do + should include( + 'This file is managed by Salt! Do not edit by hand!' + ) + end + end + describe file(wwwdir) do + it { should exist } + it { should be_directory } + its('type') { should eq :directory } + end +end diff --git a/test/integration/nomodsecurity/controls/packages_spec.rb b/test/integration/nomodsecurity/controls/packages_spec.rb new file mode 100644 index 00000000..f0b3772e --- /dev/null 
+++ b/test/integration/nomodsecurity/controls/packages_spec.rb @@ -0,0 +1,63 @@ +# frozen_string_literal: true + +# Overide by OS +control 'apache package' do + title 'should be installed' + + case platform[:family] + when 'debian' + package_name = 'apache2' + user_name = 'www-data' + group_name = 'www-data' + when 'suse' + package_name = 'apache2' + user_name = 'wwwrun' + group_name = 'wwwrun' + when 'redhat', 'fedora' + package_name = 'httpd' + user_name = 'apache' + group_name = 'apache' + when 'gentoo' + package_name = 'www-servers/apache' + user_name = 'apache' + group_name = 'apache' + when 'linux', 'arch' + package_name = 'apache' + user_name = 'http' + group_name = 'http' + when 'bsd' + package_name = 'apache24' + user_name = 'www' + group_name = 'www' + when 'windows' + package_name = 'apache-httpd' + end + + describe package(package_name) do + it { should be_installed } + end + describe group(group_name) do + it { should exist } + end + describe user(user_name) do + it { should exist } + end +end + +control 'apache module packages' do + title 'should be installed' + + package_name = + case platform[:family] + when 'debian' + 'libapache2-mod-security2' + when 'redhat', 'fedora' + 'mod_security' + when 'suse' + 'apache2-mod_security2' + end + + describe package(package_name) do + it { should be_installed } + end +end diff --git a/test/integration/nomodsecurity/controls/server_status_spec.rb b/test/integration/nomodsecurity/controls/server_status_spec.rb new file mode 100644 index 00000000..51f6802d --- /dev/null +++ b/test/integration/nomodsecurity/controls/server_status_spec.rb 
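Review bot: The `'apache module packages'` control in this `nomodsecurity` profile asserts that `libapache2-mod-security2` / `mod_security` / `apache2-mod_security2` `should be_installed`, which is the opposite of what a suite named nomodsecurity should verify: if the suite's pillar leaves mod_security out the control fails, and if it passes the suite is not testing the absence it is named for. Flip it to `it { should_not be_installed }`, or drop the control if the package is simply not managed in that suite. On families without a `when` branch (`gentoo`, `bsd`, `linux`) `package_name` is nil and `package(nil)` raises, so an `else` or a nil guard is needed too.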
@@ -0,0 +1,36 @@ +# frozen_string_literal: true + +control 'apache server_status configuration' do + title 'should match desired lines' + + server_status_stanza = <<~SS_STANZA + + SetHandler server-status + Require local + Require host foo.example.com + Require ip 10.8.8.0/24 + + SS_STANZA + + confdir = + case platform[:family] + when 'debian' + '/etc/apache2/conf-available' + when 'redhat', 'fedora' + '/etc/httpd/conf.d' + when 'suse' + '/etc/apache2/conf.d' + # `linux` here is sufficient for `arch` + when 'linux' + '/etc/httpd/conf/extra' + end + + describe file("#{confdir}/server-status.conf") do + it { should be_file } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + its('content') { should include '# File managed by Salt' } + its('content') { should include server_status_stanza } + end +end diff --git a/test/integration/nomodsecurity/controls/services_spec.rb b/test/integration/nomodsecurity/controls/services_spec.rb new file mode 100644 index 00000000..97e56461 --- /dev/null +++ b/test/integration/nomodsecurity/controls/services_spec.rb @@ -0,0 +1,26 @@ +# frozen_string_literal: true + +# Overide by OS +control 'apache service' do + impact 0.5 + title 'should be running and enabled' + + service_name = + case platform[:family] + when 'debian', 'suse' + 'apache2' + when 'redhat', 'fedora', 'linux' + 'httpd' + when 'gentoo' + 'www-servers/apache' + when 'bsd' + 'apache24' + when 'windows' + 'apache' + end + + describe service(service_name) do + it { should be_enabled } + it { should be_running } + end +end diff --git a/test/integration/nomodsecurity/inspec.yml b/test/integration/nomodsecurity/inspec.yml new file mode 100644 index 00000000..eaa99f2d --- /dev/null +++ b/test/integration/nomodsecurity/inspec.yml 
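Review bot: `confdir` has no `gentoo` or `bsd` branch, so on those families (which the new packages and services controls in this profile do handle) `file("#{confdir}/server-status.conf")` resolves to `/server-status.conf` and the control fails with a misleading 'file does not exist'. Add the branches or an `else` that skips the control. Pinning the `Require local` / `Require host` / `Require ip` stanza is the right check for a `/server-status` handler, and this file keeps the `be_owned_by 'root'` assertion that the config_spec files in this commit no longer have; the two should agree.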
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+name: modules
+title: apache formula
+maintainer: SaltStack Formulas
+license: Apache-2.0
+summary: Verify that the apache formula manages modules correctly
+supports:
+ - platform-name: debian
+ - platform-name: ubuntu
+ - platform-name: centos
+ - platform-name: fedora
+ - platform-name: opensuse
+ - platform-name: suse
+ - platform-name: freebsd
+ - platform-name: amazon
+ - platform-name: arch
diff --git a/test/salt/pillar/modules.sls b/test/salt/pillar/modules.sls
index 70eb6eb5..c265866d 100644
--- a/test/salt/pillar/modules.sls
+++ b/test/salt/pillar/modules.sls
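Review bot: `name: modules` in test/integration/nomodsecurity/inspec.yml collides with the existing modules profile, and the `summary` still says the profile verifies module management; InSpec identifies profiles by this name, so reports and `depends:` references for the two suites become indistinguishable. Set `name: nomodsecurity` and a summary such as `Verify that the apache formula works without mod_security`, and fix the README added beside it, which also calls the profile `modules`. `supports` lists `freebsd`, but the controls in this profile leave several paths unset for the bsd family, so either the platform or the controls need adjusting before that claim holds.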
@@ -2,9 +2,438 @@ # vim: ft=yaml --- apache: - manage_service_states: false + lookup: + master: template-master + + # apache version (generally '2.2' or '2.4') + # version: '2.2' + + # Default value for AddDefaultCharset in RedHat configuration + default_charset: 'UTF-8' + + # Should we enforce DocumentRoot user/group? + document_root_user: null # Defaults to: apache.user + document_root_group: null # Defaults to: apache.group + + # Just for testing purposes + winner: lookup + added_in_lookup: lookup_value + + # Using bash package and udev service as an example. This allows us to + # test the template formula itself. You should set these parameters to + # examples that make sense in the contexto of the formula you're writing. + # pkg: + # deps: + # mod_ssl # redhat + # mod_security # redhat + # mod_geoip # redhat + # GeoIP # redhat + # libapache2-mod-security2 # Debian + + global: + # global apache directives + AllowEncodedSlashes: 'On' + + name_virtual_hosts: + - interface: '*' + port: 80 + - interface: '*' + port: 443 + + # ``apache.vhosts`` formula additional configuration: + # fqdn should be added to /etc/hosts i.e. ## + # $ tail -3 /etc/hosts + # 127.0.0.1 example.com + # 127.0.0.1 www.redirectmatch.com + # 127.0.0.1 www.proxyexample.com + + sites: + example.net: + template_file: salt://apache/config/vhosts/minimal.tmpl + port: '8081' + + example.com: # must be unique; used as an ID declaration in Salt. + enabled: true + # or minimal.tmpl or redirect.tmpl or proxy.tmpl + template_file: salt://apache/config/vhosts/standard.tmpl + + ####################### DEFAULT VALUES BELOW ############################ + # NOTE: the values below are simply default settings that *can* be + # overridden and are not required in order to use this formula to create + # vhost entries. + # + # Do not copy the values below into your Pillar unless you intend to + # modify these vaules. 
+ ####################### DEFAULT VALUES BELOW ############################ + template_engine: jinja + + interface: '*' + port: '443' + + exclude_listen_directive: true # Do not add a Listen directive in httpd.conf + + ServerName: example.com # uses the unique ID above unless specified + # ServerAlias: www.example.com # Do not add ServerAlias unless defined + + ServerAdmin: webmaster@example.com + + LogLevel: warn + # E.g.: /var/log/apache2/example.com-error.log + # ErrorLog: /path/to/logs/example.com-error.log + # E.g.: /var/log/apache2/example.com-access.log + # CustomLog: /path/to/logs/example.com-access.log + + # E.g., /var/www/example.com + DocumentRoot: /path/to/www/dir/example.com + # do not enforce user, defaults to lookup:document_root_user or apache.user + DocumentRootUser: null + # Force group, defaults to lookup:document_root_group or apache.user + DocumentRootGroup: null + + {%- if grains.os_family in ('Debian', 'Suse', 'Gentoo') %} + SSLCertificateFile: /etc/apache2/conf/server.crt + SSLCertificateKeyFile: /etc/apache2/conf/server.key + {%- else %} + SSLCertificateFile: /etc/httpd/conf/server.crt + SSLCertificateKeyFile: /etc/httpd/conf/server.key + {%- endif %} + # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer + + SSLCertificateFile_content: | + -----BEGIN CERTIFICATE----- + MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x + CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp + Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM + C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL + MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj + bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL + ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL + ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D + mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8 + yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo + 
th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m + TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY + i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27 + jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl + aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+ + 2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO + W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb + 2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl + ylssbnQ= + -----END CERTIFICATE----- + + SSLCertificateKeyFile_content: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx + svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY + t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272 + a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw + xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V + 2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P + Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS + 70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR + zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd + vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj + eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ + viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk + Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS + 2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv + ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+ + dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI + FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU + Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc + KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu + UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA + 
e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu + wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3 + LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF + eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ + qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4 + -----END RSA PRIVATE KEY----- + + + Directory: + # "default" is a special case; uses DocumentRoot value + # E.g.: /var/www/example.com + default: + Options: -Indexes +FollowSymLinks + Order: allow,deny # For Apache < 2.4 + Allow: from all # For apache < 2.4 + Require: all granted # For apache > 2.4. + AllowOverride: None + # Formula_Append: | + # Additional config as a + # multi-line string here + + redirectmatch.com: + # Use RedirectMatch Directive + # - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch + # Require module mod_alias + enabled: true + template_file: salt://apache/config/vhosts/redirect.tmpl + ServerName: www.redirectmatch.com + ServerAlias: www.redirectmatch.com + RedirectMatch: true + RedirectSource: '^/$' + RedirectTarget: '/subdirectory' + DocumentRoot: /var/www/html/ + port: '8083' + + 8084-proxyexample.com: + template_file: salt://apache/config/vhosts/redirect.tmpl + ServerName: www.proxyexample.com + ServerAlias: www.proxyexample.com + RedirectSource: '/' + RedirectTarget: 'https://www.proxyexample.com/' + DocumentRoot: /var/www/proxy + port: '8084' + + 8443-proxyexample.com: + template_file: salt://apache/config/vhosts/proxy.tmpl + ServerName: www.proxyexample.com + ServerAlias: www.proxyexample.com + interface: '*' + port: '8443' + DocumentRoot: /var/www/proxy + + Rewrite: | + RewriteRule ^/webmail$ /webmail/ [R] + RewriteRule ^/webmail(.*) http://mail.example.com$1 [P,L] + RewriteRule ^/vicescws(.*) http://svc.example.com:92$1 [P,L] + + SSLCertificateFile: /etc/httpd/conf/server.crt + SSLCertificateKeyFile: /etc/httpd/conf/server.key + # SSLCertificateChainFile: /etc/httpd/ssl/example.com.cer + + 
SSLCertificateFile_content: | + -----BEGIN CERTIFICATE----- + MIIDYTCCAkkCFCKCcuwB/Ze9bI5/75oRChNH8RzHMA0GCSqGSIb3DQEBCwUAMG0x + CzAJBgNVBAYTAklFMREwDwYDVQQIDAhDb25uYWNodDESMBAGA1UEBwwJQ29ubWFp + Y25lMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFDASBgNVBAMM + C2V4YW1wbGUuY29tMB4XDTIwMTAwMzEzMzI1N1oXDTIxMTAwMzEzMzI1N1owbTEL + MAkGA1UEBhMCSUUxETAPBgNVBAgMCENvbm5hY2h0MRIwEAYDVQQHDAlDb25tYWlj + bmUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEUMBIGA1UEAwwL + ZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSl0qL + ol+/b3R9VccpOLe5Cg1Tf1zstAzV5TvjcjSdytdwMDGy9J8Yi2EcMZ1wNdMkvf4D + mr+72Za+qeHHc0ZA+fIJoV+tTcbLbV/mhv0i0i7Zldi3QuvIVBpLR2Z5s5mXZ7C8 + yz8VpF9enQkS3uNnbNuZNT3ElGHmlAj1yHsh0K+TbvZrygFkG0wvYwivhlt1Zcbo + th4LJ+gBwNIdSJUiAa58VO5ZNeenM9DquJfZVcFc1bDFqzU0T9KY4PsxmzO1A2+m + TDHoGR4nCz7B+5Ec4USyBUuKo2FhALBEtYz2hlwaf9XasSSvmzO5hhPCQ3nJ4qeY + i+BLCSpiq2lApPVZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD9/78A4ygQWbO27 + jQPm+2Zg0f9Sn1tcD4tOVao0MlAfWrALjbmj82hg+givEQKAuN7ptthYoaJcOxHl + aUe++y3bQiCznN73yKSJZFgG5fYR8tyMslsYRBcKSay0nvPhN/3Jry0nNehDREQ+ + 2H0vB595bymGNTmux13sNwOZH1i8KEgxdLcFbje87+CbhCGbFhS3lHPY2FeXnHpO + W60Zchwsy06xMjo4rzbQatdJj/HAh6lIx0YmNDX/d3dCLpZlkvUBT6ENVhipi5bb + 2pF/Awob8AYWbIn4N7gmIP5Sb0tugpEgrSgSyDdZNWoFDChvfHXcNUP8lblIftAl + ylssbnQ= + -----END CERTIFICATE----- + + SSLCertificateKeyFile_content: | + -----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEA0pdKi6Jfv290fVXHKTi3uQoNU39c7LQM1eU743I0ncrXcDAx + svSfGIthHDGdcDXTJL3+A5q/u9mWvqnhx3NGQPnyCaFfrU3Gy21f5ob9ItIu2ZXY + t0LryFQaS0dmebOZl2ewvMs/FaRfXp0JEt7jZ2zbmTU9xJRh5pQI9ch7IdCvk272 + a8oBZBtML2MIr4ZbdWXG6LYeCyfoAcDSHUiVIgGufFTuWTXnpzPQ6riX2VXBXNWw + xas1NE/SmOD7MZsztQNvpkwx6BkeJws+wfuRHOFEsgVLiqNhYQCwRLWM9oZcGn/V + 2rEkr5szuYYTwkN5yeKnmIvgSwkqYqtpQKT1WQIDAQABAoIBAQCI39SP1UWuQ17P + Z8U+waKIHkRzFMDtCEmfbJL0TfJs7L4CKRDkY6JUbaL8lDLkD9fgdax340jja5VS + 70/UNtRevxXVtJFfLsIazkgaqXo1+65/talZ06E0X5WHgCzWxSj7A2YYD3I9OszR + zfdr0Hq1akeA2N4AuwC2wVjhhyCg5Lg4xY0l+kRFLrPU4RctsjCAaveVIm3wmJVd + 
vmHO9hKcR3nxuIx0/cPYe20WgGSqbYJQburE1uXp26uz/Jek/u8FNFIEjWCWB+vj + eRQOcxngebyWCh0dyoxb3nL28Yty9O1MlLP2b0YMmep1ZfEFtwn4M2d8FdW1WCmJ + viOGFx4BAoGBAPTYSIpyxea1qaeNmT97e4YgPwV3rajhdPRYSQKyCsjKHk7Q/uxk + Phddo0ymiGKLCRAUwg9py900slY8mZKbdrVxXV4EEhngrWrr2gpfzxkEF1i0d4bS + 2OuRCbkfE23glxqtVjvnTlrRANaXgk5mUQCL1YDUf+hrpEvF0pTbDRYpAoGBANwv + ffy+Sk+e0v+NlthhNHUDcXisIoW7b/DoT0H8DtbJV/QVexaGln7Ts6EgaH2NdpC+ + dyLKa+l7oIeKgXeHm2Tgm879di/ChQCkoAHIUu5Nm0c5D2Vst26JrfCA7vZb9ddI + FMFt5bsDgRqFzTXFe0k9TEIBiF0Pp5xfHVwNWeuxAoGAGNY3xZOO77BN3WlHumDU + Tu7Gdc+GFjOIoaCzB0r4PRYDrQsWUPR6N/SPtB7Qhu6DpNX2OYoJ3A6UaJsNGQoc + KJuvVPIkw+s+rDHwlEzTvT3lAGKOHWcWCg9UZSr51ZOKwHIE5V65XA0HgL0twrYu + UVfd+IuVzgXdTLJsgh0WXsECgYApcgcU+/yg4BR3Zf9u2100aWGChWQ6J/36KsBA + e2GPrHaRyzlQFCVf2hmFysPgXjBjLnbeZZvKZyrgWIHmLfBiHKU3YR5N/x9p75Lu + wvZZROJllagAP2aHuAK1so9IcCbmTvsZLcaAXTh/9Y+a/4ElWBRymDdCzR+Pn5e3 + LAwxAQKBgBHH42ri6pHbRptINzJ9sw3PhwewQZtGu3sfvrOknBs3togptCrjBWDF + eOGuFmjHO9vnhWs2yWQYETL1jt+CWgzRc4o4akB3qH5sXar5F7h06y16RFV9u6UJ + qaGqPFcy/l/5H6uNPLZt4Ufg3T0Mz0Az+Dti99KqVLKeqWQvXVc4 + -----END RSA PRIVATE KEY----- + + SSLCertificateChainFile_content: | + -----BEGIN CERTIFICATE----- + MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL + MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC + VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx + NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD + TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu + ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j + V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj + gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA + FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE + CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS + BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE + BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju + Wm7DCfrPNGVwFWUQOmsPue9rZBgO + 
-----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIICUTCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJDTjEL + MAkGA1UECBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMC + VU4xFDASBgNVBAMTC0hlcm9uZyBZYW5nMB4XDTA1MDcxNTIxMTk0N1oXDTA1MDgx + NDIxMTk0N1owVzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAlBOMQswCQYDVQQHEwJD + TjELMAkGA1UEChMCT04xCzAJBgNVBAsTAlVOMRQwEgYDVQQDEwtIZXJvbmcgWWFu + ZzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCp5hnG7ogBhtlynpOS21cBewKE/B7j + V14qeyslnr26xZUsSVko36ZnhiaO/zbMOoRcKK9vEcgMtcLFuQTWDl3RAgMBAAGj + gbEwga4wHQYDVR0OBBYEFFXI70krXeQDxZgbaCQoR4jUDncEMH8GA1UdIwR4MHaA + FFXI70krXeQDxZgbaCQoR4jUDncEoVukWTBXMQswCQYDVQQGEwJDTjELMAkGA1UE + CBMCUE4xCzAJBgNVBAcTAkNOMQswCQYDVQQKEwJPTjELMAkGA1UECxMCVU4xFDAS + BgNVBAMTC0hlcm9uZyBZYW5nggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE + BQADQQA/ugzBrjjK9jcWnDVfGHlk3icNRq0oV7Ri32z/+HQX67aRfgZu7KWdI+Ju + Wm7DCfrPNGVwFWUQOmsPue9rZBgO + -----END CERTIFICATE----- + + ProxyRequests: 'Off' + ProxyPreserveHost: 'On' + + ProxyRoute: + example prod proxy route: + ProxyPassSource: '/' + ProxyPassTarget: 'http://prod.example.com:85/' + ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' + ProxyPassReverseSource: '/' + ProxyPassReverseTarget: 'http://prod.example.com:85/' + + example webmail proxy route: + ProxyPassSource: '/webmail/' + ProxyPassTarget: 'http://mail.example.com/' + ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' + ProxyPassReverseSource: '/webmail/' + ProxyPassReverseTarget: 'http://mail.example.com/' + + example service proxy route: + ProxyPassSource: '/svc/' + ProxyPassTarget: 'http://svc.example.com:92/' + ProxyPassTargetOptions: 'connectiontimeout=10 timeout=90' + ProxyPassReverseSource: '/svc/' + ProxyPassReverseTarget: 'http://svc.example.com:92/' + + Location: + /: + Require: false + # Formula_Append: | + # SecRuleRemoveById 981231 + # SecRuleRemoveById 981173 + + /error: + Require: 'all granted' + + /docs: + Order: allow,deny # For Apache < 2.4 + Allow: from all # For apache < 2.4 + 
Require: all granted # For apache > 2.4. + # Formula_Append: | + # Additional config as a + # multi-line string here + + LocationMatch: + '^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]': + Require: false + Formula_Append: | + RequestHeader set Host mail.example.com + + '^[.\\/]+([Ss][Vv][Cc])[.\\/]': + Require: false + Formula_Append: | + Require ip 123.123.13.6 84.24.25.74 + + Proxy_control: + '*': + AllowAll: false + AllowCountry: false + # - DE + AllowIP: + - 12.5.25.32 + - 12.5.25.33 + + Alias: + /docs: /usr/share/docs + + ScriptAlias: + /cgi-bin/: /var/www/cgi-bin/ + + # Formula_Append: | + # \#Additional config as a + # \#multi-line string here + + # ``apache.debian_full`` formula additional configuration: + register-site: + # any name as an array index, and you can duplicate this section + unique_value_here: + name: 'myname' + path: 'salt://apache/files/myname.conf' + state: 'enabled' + # Optional - use managed file as Jinja Template + # template: true + # defaults: + # custom_var: "default value" + + modules: + enabled: # List modules to enable + - ssl + - prefork + - rewrite + - proxy + - proxy_ajp + - proxy_html + - headers + # geoip + - status + - logio + - dav + - dav_fs + - dav_lock + - auth_digest + - socache_shmcb + - xml2enc + - ldap + disabled: # List modules to disable + - geoip + + flags: + enabled: # List server flags to enable + - SSL + disabled: # List server flags to disable + - status + + # KeepAlive: Whether or not to allow persistent connections (more than + # one request per connection). Set to "Off" to deactivate. + keepalive: 'On' + + TimeOut: 60 # software default is 60 seconds + + security: + # can be Full | OS | Minimal | Minor | Major | Prod + # where Full conveys the most information, and Prod the least. 
+ ServerTokens: Prod + + # [debian only] configure mod_ssl + ssl: + SSLCipherSuite: 'HIGH:!aNULL' + SSLHonorCipherOrder: 'Off' + SSLProtocol: 'all -SSLv3' + SSLUseStapling: 'Off' + SSLStaplingResponderTimeout: '5' + SSLStaplingReturnResponderErrors: 'Off' + SSLStaplingCache: 'shmcb:/var/run/ocsp(128000)' + + # ``apache.mod_remoteip`` formula additional configuration: + mod_remoteip: + RemoteIPHeader: X-Forwarded-For + RemoteIPTrustedProxy: + - 10.0.8.0/24 + - 127.0.0.1 + + # ``apache.mod_security`` formula additional configuration: mod_security: - crs_install: true + crs_install: false + # If not set, default distro's configuration is installed as is manage_config: true sec_rule_engine: 'On' sec_request_body_access: 'On' 
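Review bot: The hunk commits a `-----BEGIN RSA PRIVATE KEY-----` block under `SSLCertificateKeyFile_content` and repeats the same key and certificate verbatim in both the `example.com` and `8443-proxyexample.com` vhosts. For a test pillar that is workable only if the material is unmistakably disposable: put a comment such as `# Test-only self-signed key pair for the kitchen suite; never reuse outside tests` above each `SSLCertificateKeyFile_content`, which also lets anyone triaging a secret-scanner hit on this repository dismiss it quickly. Since the file is already Jinja (`{%- if grains.os_family in ('Debian', 'Suse', 'Gentoo') %}`), the duplicated PEM bodies could be assigned once in a `{% set %}` block and referenced from both vhosts, so a future replacement of the fixture touches one place. Separately, `security.ssl` sets `SSLProtocol: 'all -SSLv3'` with `SSLHonorCipherOrder: 'Off'`, while the `mod_ssl` stanza added in the next hunk uses `all -SSLv2 -SSLv3 -TLSv1` and `'On'`; if both sections are meant to document the formula's defaults they should agree, or a comment should state which one takes effect on Debian.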
@@ -15,8 +444,83 @@ apache: sec_pcre_match_limit: '15000' sec_pcre_match_limit_recursion: '15000' sec_debug_log_level: '3' + + rules: + enabled: ~ + modsecurity_crs_10_setup.conf: + rule_set: '' + enabled: true + modsecurity_crs_20_protocol_violations.conf: + rule_set: 'base_rules' + enabled: false + + custom_rule_files: + # any name as an array index, and you can duplicate this section + UNIQUE_VALUE_HERE: + file: 'myname' + # path/to/modsecurity/custom/file + path: 'salt://apache/files/dummy.conf' + enabled: false + + mod_ssl: + # set this to true if you want to override your distributions default TLS + # configuration + manage_tls_defaults: false + # This stuff is deliberately not configured via map.jinja resp. + # apache:lookup. We're unable to know sane defaults for each release of + # every distribution. + # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for + # a related discussion Have a look at bettercrypto.org for up-to-date + # settings. + # These are default values: + # yamllint disable-line rule:line-length + SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA + # Mitigate the CRIME attack + SSLCompression: 'Off' + SSLProtocol: all -SSLv2 -SSLv3 -TLSv1 + SSLHonorCipherOrder: 'On' + SSLOptions: "+StrictRequire" server_status_require: ip: - 10.8.8.0/24 host: - foo.example.com + + tofs: + # The files_switch key serves as a selector for alternative + # directories under the formula files directory. See TOFS pattern + # doc for more info. + # Note: Any value not evaluated by `config.get` will be used literally. + # This can be used to set custom paths, as many levels deep as required. 
+ files_switch: + - any/path/can/be/used/here + - id + - roles + - osfinger + - os + - os_family + # All aspects of path/file resolution are customisable using the options below. + # This is unnecessary in most cases; there are sensible defaults. + # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default > + # I.e.: salt://apache/files/default + # path_prefix: template_alt + # dirs: + # files: files_alt + # default: default_alt + # The entries under `source_files` are prepended to the default source files + # given for the state + # source_files: + # apache-config-file-file-managed: + # - 'example_alt.tmpl' + # - 'example_alt.tmpl.jinja' + + # For testing purposes + source_files: + apache-config-file-file-managed: + - 'example.tmpl.jinja' + apache-subcomponent-config-file-file-managed: + - 'subcomponent-example.tmpl.jinja' + + # Just for testing purposes + winner: pillar + added_in_pillar: pillar_value
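Review bot: With `manage_tls_defaults: false`, the `SSLCipherSuite`, `SSLCompression`, `SSLProtocol`, `SSLHonorCipherOrder` and `SSLOptions` values that follow are presumably never rendered by this suite, so the TLS-hardening path gets no integration coverage; either enable it in one suite and add a control that checks the rendered file, or add `# Not applied while manage_tls_defaults is false` above them so they are not read as what the instance actually runs. `SSLProtocol: all -SSLv2 -SSLv3 -TLSv1` still permits TLSv1.1, which deserves a comment if it is a deliberate compatibility choice, given that the surrounding comment presents these as default values and points at bettercrypto.org. Under `rules:`, `enabled: ~` should be written `enabled: null` (or the key dropped), and `SSLOptions: "+StrictRequire"` is the only double-quoted scalar among the hunk's new lines — `'+StrictRequire'` keeps the quoting consistent.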