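#
# Install and configure Apache with SSL and certbot
#
# Use:
#   usebundle => install_apache;
#   usebundle => apache_vhost(site_data);
#
#

# Per-platform settings for Apache: package names, paths, service name,
# user/group, log directory ownership and the list of modules to load.
# Other bundles in this file read these values as $(apache.<name>).
# The class apache_php_enable (set outside this file) switches the PHP module
# entry and the PHP-related dependency handles on or off.
bundle agent apache
{
  classes:
#      "apache enable_php";

  vars:
      # Both defaults are only set when the variable does not exist yet.
      "default_php_handler" string => "application/x-httpd-php",
        unless => isvariable( $(this.promiser) );
      "admin_email" string => "[]",
        unless => isvariable( $(this.promiser) );

    apache_php_enable::
      # Spliced verbatim into the "modules" JSON below, hence the trailing comma.
      "php_mod" string => '{m: "$(php.apache_m)",f:"$(php.apache_f)"},';
      "service_deps" slist => {
        "apache_pkgs_installed",
        "apache_php_pkgs_installed",
        "apache_www_dir_created",
        "apache_dummy_conf_created",
        "apache_main_cfg_created"
      };
      # NOTE(review): this list names "apache_php_installed" while service_deps
      # names "apache_php_pkgs_installed". Only "apache_php_installed" is a
      # handle visible in this file; confirm which one wmde_install_packages
      # provides, otherwise one of the two depends_on lists never resolves.
      "cfg_deps" slist => { "apache_pkgs_installed","apache_php_installed" };

    !apache_php_enable::
      "php_mod" string => "";
      "service_deps" slist => {
        "apache_pkgs_installed",
        "apache_www_dir_created",
        "apache_dummy_conf_created",
        "apache_main_cfg_created"
      };
      "cfg_deps" slist => { "apache_pkgs_installed" };

    any::
      # Default log directory mode; fedora|centos override it with 700 below.
      "log_dir_mode" string => "750";

    freebsd::
      "pkgs" slist => {
        "apache24",
        "mod_dav_svn",
      };
      "log_dir" string => "/var/log/httpd";
      "log_dir_owner" string => "root";
      "log_dir_group" string => "wheel";
      "service_name" string => "apache24";
      "service_cfg_name" string => "apache24";
      "www_user" string => "www";
      "www_group" string => "www";
      "mime_types" string => "/usr/local/etc/apache24/mime.types";
      "restart_cmd" string => "/usr/sbin/service $(service_name) restart";
      "etc_dir" string => "/usr/local/etc";
      "cfg_dir" string => "$(etc_dir)/apache24";
      "main_cfg" string => "$(cfg_dir)/httpd.conf";
      "libexec_dir" string => "libexec/apache24";
      "www_dir" string => "/usr/local/www",
        unless => isvariable( $(this.promiser) );
      "default_html_dir" string => "$(www_dir)/apache24";
      "server_root" string => "/usr/local";
      "modules" data => '[
        $(php_mod)
        {m: "autoindex",f:"mod_autoindex"},
        {m: "log_config",f:"mod_log_config"},
        {m: "version",f:"mod_version"},
        {m: "unixd",f:"mod_unixd"},
        {m: "ssl",f:"mod_ssl"},
        {m:"proxy",f:"mod_proxy"},
        {m:"proxy_fcgi",f:"mod_proxy_fcgi"},
        {m:"proxy_http",f:"mod_proxy_http"},
        {m:"proxy_http2",f:"mod_proxy_http2"},
        {m:"remoteip",f:"mod_remoteip"},
        {m: "dav",f:"mod_dav"},
        {m: "dav_svn", f:"mod_dav_svn"},
        {m: "authz_svn", f:"mod_authz_svn"}
      ]';

    debian::
      "pkgs" slist => {
        "apache2",
        "libapache2-mod-svn",
      };
      "log_dir" string => "/var/log/apache2";
      "log_dir_owner" string => "root";
      "log_dir_group" string => "adm";
      "service_name" string => "apache2";
      "restart_cmd" string => "/usr/bin/systemctl restart $(service_name)";
      "www_user" string => "www-data";
      "www_group" string => "www-data";
      "mime_types" string => "/etc/mime.types";
      "www_dir" string => "/var/www",
        unless => isvariable( $(this.promiser) );
      "default_html_dir" string => "$(www_dir)/html";
      "etc_dir" string => "/etc";
      "cfg_dir" string => "$(etc_dir)/apache2";
      "main_cfg" string => "$(cfg_dir)/apache2.conf";
      "libexec_dir" string => "lib/apache2/modules";
      "server_root" string => "/usr";
      "modules" data => '[
        $(php_mod)
        {m:"ssl",f:"mod_ssl"},
        {m:"proxy",f:"mod_proxy"},
        {m:"proxy_fcgi",f:"mod_proxy_fcgi"},
        {m:"proxy_http",f:"mod_proxy_http"},
        {m:"proxy_http2",f:"mod_proxy_http2"}
      ]';
#        {m:"php",f:"libphp$(php.version)"},
#        "libapache2-mod-svn",

    centos::
      "pkgs" slist => {
        "httpd",
        "mod_ssl",
        "mod_dav_svn",
        "mod_fcgid"
      };

    fedora::
      "pkgs" slist => {
        "httpd",
#        "mod_ssl",
      };

    fedora|centos::
      "log_dir" string => "/var/log/httpd";
      "log_dir_owner" string => "root";
      "log_dir_group" string => "root";
      "log_dir_mode" string => "700";
      "service_name" string => "httpd";
      "restart_cmd" string => "/usr/bin/systemctl restart $(service_name)";
      "www_user" string => "apache";
      "www_group" string => "apache";
      "mime_types" string => "/etc/mime.types";
      "www_dir" string => "/var/www",
        unless => isvariable( $(this.promiser) );
      "default_html_dir" string => "$(www_dir)/html";
      "etc_dir" string => "/etc";
      "cfg_dir" string => "$(etc_dir)/httpd";
      "main_cfg" string => "$(cfg_dir)/conf/httpd.conf";
      "libexec_dir" string => "$(cfg_dir)/modules";
      "server_root" string => "/etc/httpd";
      "modules" data => '[
        {m: "autoindex",f:"mod_autoindex"},
        {m: "log_config",f:"mod_log_config"},
        {m: "version",f:"mod_version"},
        {m: "unixd",f:"mod_unixd"},
        {m: "systemd",f:"mod_systemd"},
      ]';
#        {m: "php",f:"libphp8"},

    centos::
      # Replaces the shorter fedora|centos module list above on CentOS.
      "modules" data => '[
        {m:"proxy",f:"mod_proxy"},
        {m:"proxy_http",f:"mod_proxy_http"},
        {m:"proxy_http2",f:"mod_proxy_http2"},
        {m:"proxy_fcgi",f:"mod_proxy_fcgi"},
        {m: "autoindex",f:"mod_autoindex"},
        {m: "log_config",f:"mod_log_config"},
        {m: "version",f:"mod_version"},
        {m: "unixd",f:"mod_unixd"},
        {m: "systemd",f:"mod_systemd"},
        {m:"ssl",f:"mod_ssl"},
        {m: "remoteip",f:"mod_remoteip"}
      ]';

    ubuntu_20::
      "phpm" string => "php7";

    ubuntu_22::
      "phpm" string => "php";

    ubuntu::
      "log_dir_owner" string => "root";
      "log_dir_group" string => "adm";
#        {m:"$(phpm)",f:"libphp$(install_php.version)"},
      "modules" data => '[
        $(php_mod)
        {m:"proxy",f:"mod_proxy"},
        {m:"proxy_http",f:"mod_proxy_http"},
        {m: "autoindex",f:"mod_autoindex"},
        {m: "dav",f:"mod_dav"},
        {m: "dav_svn", f:"mod_dav_svn"},
        {m: "authz_svn", f:"mod_authz_svn"},
        {m: "ssl",f:"mod_ssl"}
      ]';

  reports:
}

# Installs the Apache PHP module package for the platform and, on
# Debian/Ubuntu, disables mpm_event with a2dismod.
bundle agent install_apache_php
{
  vars:
    freebsd::
      "pkgs" slist => {"mod_php$(php.bsdvs)"};
    debian::
      "pkgs" slist => {"libapache2-mod-php$(php.version)"};
    centos::
      # NOTE(review): this is the Debian-style package name; confirm that a
      # package called libapache2-mod-php exists in the CentOS repositories used.
      "pkgs" slist => {"libapache2-mod-php"};

  methods:
      "any" usebundle => wmde_install_packages(@(pkgs),"apache_php"),
        handle => "apache_php_installed";

  commands:
    debian|ubuntu::
      "/bin/sh"
        args => "-c '/usr/sbin/a2dismod mpm_event > /dev/null'",
        inform => "false",
        handle => "apache_mpm_event_disabled";

  reports:
}

# Installs the Apache packages, creates the log, www, default html and Vhosts
# directories, renders the main configuration from its mustache template,
# enables and manages the service, and cleans the Vhosts directory of files
# that are not listed in domains.txt.
# The parameter "raw" is not referenced in the bundle body.
bundle agent install_apache(raw)
{
  methods:
      "any" usebundle => wmde_install_packages(@(apache.pkgs),"apache");

    apache_php_enable::
      "any" usebundle => install_apache_php,
        depends_on => { "apache_pkgs_installed" };

  reports:

  files:
      # Log directory: owner, group and mode come from the apache bundle
      # (root-owned, mode 750 by default, 700 on fedora|centos).
      "$(apache.log_dir)/."
        create => "true",
        perms => mog("$(apache.log_dir_mode)","$(apache.log_dir_owner)","$(apache.log_dir_group)"),
        handle => "apache_log_dir_created";

      "$(apache.www_dir)/."
        create => "true",
        perms => m("755"),
        depends_on => { "apache_pkgs_installed" },
        handle => "apache_www_dir_created";

      "$(apache.default_html_dir)/."
        create => "true",
        perms => uperm("$(apache.www_user)","$(apache.www_group)","755"),
        depends_on => {"apache_www_dir_created"},
        handle => "apache_default_html_dir_created";

      # Empty placeholder vhost file; it is always kept in domains.txt by the
      # cleanup command below.
      "$(apache.cfg_dir)/Vhosts/dummy.conf"
        create => "true",
        content => "",
        perms => m("644"),
        depends_on => { "apache_vhosts_dir_created" },
        handle => "apache_dummy_conf_created";

      "$(apache.cfg_dir)/Vhosts/."
        create => "true",
        depends_on => { "apache_pkgs_installed" },
        perms => m("755"),
        handle => "apache_vhosts_dir_created";

      "$(apache.main_cfg)"
        create => "true",
        perms => m("644"),
        edit_template => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/httpd.conf.mustache",
        template_method => "mustache",
        handle => "apache_main_cfg_created",
        depends_on => { @(apache.cfg_deps) },
        classes => if_repaired(apache_repaired);

  methods:
      "any" usebundle => wmde_enable_service("apache");
      "any" usebundle => wmde_service("$(apache.service_name)","apache_kept","apache_repaired|php_repaired"),
        depends_on => @(apache.service_deps);
        #depends_on => {
        #  "apache_php_pkgs_installed"
        #};
#

  files:
      # Working directory that holds domains.txt, the list of vhost files to keep.
      "$(sys.workdir)/data/agent/apache/."
        create => "true",
        handle => "apache_work_dir_created";

  commands:
      # Runs through a shell (wmde_cmd_useshell): deletes files in Vhosts that
      # are not listed in domains.txt, then resets the list to dummy.conf only.
      # apache_vhost appends one line per configured site afterwards.
      "/bin/sh"
        args => "$(sys.workdir)/inputs/$(def.wmde_libdir)/scripts/del-files-not-in-list.sh $(apache.cfg_dir)/Vhosts $(sys.workdir)/data/agent/apache/domains.txt && echo dummy.conf > $(sys.workdir)/data/agent/apache/domains.txt",
        inform => "false",
        handle => "apache_vhost_dir_cleaned",
        depends_on => {"apache_dummy_conf_created"},
        contain => wmde_cmd_useshell;

#      "echo"
#        args => "dummy.conf > $(sys.workdir)/data/agent/apache/domains.txt",
#        inform => "false",
#        contain => wmde_cmd_useshell;

  reports:
}

# Restarts the Apache service through wmde_restart_service; "arg" is passed
# along as its second argument (callers in this file pass the site domain).
bundle agent restart_apache(arg)
{
  methods:
      "any" usebundle => wmde_restart_service("$(apache.service_name)","$(arg)");

  #commands:
  #  "/bin/sh -c "
  #    args => "'/bin/echo $(arg) > /dev/null && /usr/bin/systemctl restart $(apache.service_name)'";
}

# Configures one virtual host from the data container "site_param" merged over
# the defaults below: renders (or, when disabled, deletes) the vhost file,
# creates the document directory, requests a certbot certificate when
# ssl_cert is "certbot", restarts Apache after a repair, optionally writes a
# logrotate file, and records the vhost file name in domains.txt.
bundle agent apache_vhost (site_param)
{
  classes:
      "delete" expression => $(site[disable]);
      "use_ssl" expression => $(site[ssl]);
      "use_certbot" expression => strcmp("certbot","$(site[ssl_cert])");
      "do_logrotate" expression => $(site[logrotate]);

  vars:
#      "email":$(apache.admin_email),
      # NOTE(review): the default doc_root_options includes "Indexes"; sites
      # that must not expose directory listings need to override it in
      # site_param (assuming the vhost template emits it as Options - confirm).
      "site_defaults" data => '
      {
        "aliases":[],
        "ssl_cert":"certbot",
        "doc_root":"$(apache.www_dir)/$(site_param[domain])",
        "doc_root_options":"Indexes FollowSymLinks",
        "php":true,
        "php_handler":"$(apache.default_php_handler)",
        "logging80":true,
        "logging443":true,
        "logrotate":false,
      }
      ';
      "site" data => mergedata(site_defaults,site_param);
      "cert_file" string => "$(certbot.certbot_dir)/live/$(site[domain])";
      "template_file" string => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/httpd-vhost.conf.mustache";
      "domain_file" string => "$(apache.cfg_dir)/Vhosts/$(site[domain]).conf";
      "domain_dir" string => "$(apache.www_dir)/$(site[domain])";
      # With certbot the certificate and key paths point into certbot's live
      # directory; otherwise they are taken from the site data as given.
      "ssl_cert" string => ifelse( use_certbot,
        "$(certbot.certbot_dir)/live/$(site[domain])/fullchain.pem",
        "$(site[ssl_cert])");
      "ssl_key" string => ifelse( use_certbot,
        "$(certbot.certbot_dir)/live/$(site[domain])/privkey.pem",
        "$(site[ssl_key])");

    use_ssl&(use_certbot)::
      "vhostdeps" slist => {
        "apache_ssl_created$(site[domain])",
        "apache_vhost_dir_cleaned"
      };

    (!use_ssl)|(!use_certbot)::
      "vhostdeps" slist => {
        "apache_vhost_dir_cleaned"
      };

  files:
    delete::
      # NOTE(review): this defines apache_restart, while the restart promises
      # in this bundle are guarded by apache_vhost_restart; confirm that
      # something outside this file reacts to apache_restart, otherwise a
      # removed vhost stays loaded until the next restart.
      "$(domain_file)"
        delete => tidy,
        classes => if_repaired(apache_restart);

    !delete::
      # NOTE(review): the vhost file is handed to uperm with the web server
      # user and group. If uperm makes them the owner, the server account can
      # rewrite configuration that is loaded at restart; root ownership with
      # mode 644 would avoid that. uperm is defined elsewhere - confirm.
      "$(domain_file)"
        perms => uperm("$(apache.www_user)","$(apache.www_group)","644"),
        create => "true",
        edit_template => "$(template_file)",
        template_method => "mustache",
        handle => "vhost_cfg_done$(site[domain])",
        depends_on => @(vhostdeps),
        classes => if_repaired("apache_vhost_restart");

      "$(domain_dir)/."
        create => "true",
        perms => uperm("$(apache.www_user)","$(apache.www_group)","750");

  methods:
    use_ssl&use_certbot::
      "any" usebundle => certbot_cert(@(site),"$(apache.default_html_dir)"), #,"$(site[domain])"),
        handle => "apache_ssl_created$(site[domain])";

    # A class context line replaces the previous one instead of nesting, so the
    # SSL/certbot condition and the restart trigger are combined into a single
    # expression for each of the two restart promises.
    use_ssl.use_certbot.apache_vhost_restart::
      "any" usebundle => restart_apache("$(site[domain])"),
        depends_on => {
          "vhost_cfg_done$(site[domain])",
          "apache_ssl_created$(site[domain])"
        };

    ((!use_ssl)|(!use_certbot)).apache_vhost_restart::
      "any" usebundle => restart_apache("$(site[domain])"),
        depends_on => {"vhost_cfg_done$(site[domain])" };

    apache_vhost_restart::
      # NOTE(review): kept under the restart class as before, so install_logrot
      # only runs here after a vhost repair; confirm whether it was meant to
      # run unconditionally for sites with logrotate enabled.
      "any" usebundle => install_logrot;

  files:
    do_logrotate::
      "$(logrot.dir)/$(site[domain])"
        create => "true",
        edit_defaults => backup("false"),
        edit_template => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/httpd-weblogrot.mustache",
        template_method => "mustache";

  commands:
      # Runs through a shell, and $(site[domain]) is expanded into the command
      # line before the shell parses it. The domain must therefore be
      # validated where the site data is defined (hostname characters only);
      # shell metacharacters in it would be interpreted by the shell.
      "echo"
        args => "$(site[domain]).conf >> $(sys.workdir)/data/agent/apache/domains.txt",
        inform => "false",
        depends_on => {"vhost_cfg_done$(site[domain])"},
        contain => wmde_cmd_useshell;

  reports:
#      "SITE: $(site[domain]): $(site[logrotate])";
#    !do_logrotate::
#      "LOGOROOTATE FOR $(site[domain]): FALSE";
#    do_logrotate::
#      "LOGOROOTATE FOR $(site[domain]): TRUE";
}

# Calls apache_vhost once for every entry of the "sites" container.
bundle agent apache_vhosts(sites)
{
  vars:
      "idx" slist => getindices(@(sites));

  methods:
      "any" usebundle => apache_vhost(@(sites[$(idx)]));

  reports:
}

# Writes the logrotate file for a site and, when the site data contains
# "matomoid", installs and starts a background script that follows the site's
# access log and pipes it into the Matomo log importer.
bundle agent apache_matomo (site)
{
  vars:
      "pid" string => "/var/run/matomo-logger-$(site[domain]).pid";
      "log" string => "$(apache.log_dir)/$(site[domain])-access.log";
      "siteid" string => "$(site[matomoid])";
      # The script is executed by the agent and embeds the Matomo auth token,
      # so it lives in the agent's own data directory rather than at a
      # predictable name in world-writable /tmp, where another local user could
      # pre-create or replace the path.
      "work_dir" string => "$(sys.workdir)/data/agent/apache";
      "logger_script" string => "$(work_dir)/matomo-logger-$(site[domain]).sh";

    freebsd::
      "analyt_cmd" string => "/usr/local/bin/python3.9 $(matomo.log_importer)";
    debian::
      "analyt_cmd" string => "/usr/bin/python3 $(matomo.log_importer)";
    centos::
      "analyt_cmd" string => "/usr/bin/python3 $(matomo.log_importer)";

    matomo::
      # Kills the children of the previously recorded PID, then replaces
      # itself with a shell that records its own PID and runs tail piped into
      # the importer.
      # NOTE(review): --token-auth is passed as a command-line argument and is
      # therefore visible in the process list to local users while the
      # importer runs. Prefer a token with minimal Matomo permissions, and
      # check whether the importer version in use can read it from a
      # root-only file instead.
      "cmd" string => "/usr/bin/pkill -P `cat $(pid)` ; exec /bin/sh -c 'echo $$ > $(pid); echo \"hello\" | /usr/bin/tail -n+1 -f $(log) | $(analyt_cmd) --token-auth=$(site[matomotoken]) --disable-bulk-tracking --idsite=$(siteid) --url=$(site[matomosite]) --exclude-path=/wp-login.php --exclude-path=/wp-json/\\* --recorders=1 --recorder-max-payload-size=1 --log-format-name=ncsa_extended --exclude-path=\\*.php --exclude-path=/wp-admin/\\* - > /dev/null' ";

    !matomo::
      "cmd" string => "";

    any::
      "cmd_esc" string => escape ($(cmd));
#      "cmd": "$(cmd_esc)",
      "site_str" string => storejson(@(site));
#      "site_json" string => '{
#        "site" : "$(site_str)"
#      }';
      # Only referenced from commented-out lines in this bundle.
      "site_json" string => '{
        "cmd": "$(cmd)",
        "service": "$(apache.service_name)",
        "site": $(site_str)
      }';
      "template_file" string => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/httpd-weblogrot-matomo.mustache";

  methods:
      "any" usebundle => install_logrot;

  files:
      "$(logrot.dir)/$(site[domain])"
        create => "true",
        edit_defaults => backup("false"),
        edit_template => "$(template_file)",
        template_method => "mustache";
#        template_data => parsejson("$(site_json)");

    matomo::
      "$(pid)"
        create => "true";

      # Make sure the script's directory exists even when install_apache has
      # not created it in this run.
      "$(work_dir)/."
        create => "true";

      # Mode 700: the script contains the Matomo auth token in clear text and
      # must not be readable by other local users.
      "$(logger_script)"
        create => "true",
        perms => m("700"),
        content => '#!/bin/sh
if [ "$1" != "child" ]; then
    "$(logger_script)" child &
else
    setsid >/dev/null 2>&1
    exec 0<&- 1>/dev/null 2>&1
    $(cmd)
fi
',
        handle => "loggerscript_$(site[domain])_created";

  classes:
      "matomo" expression => isvariable("site[matomoid]");

  commands:
    matomo::
      # Module protocol: the echoed "+start_matomo" defines the class and
      # "-start_matomo" undefines it, depending on whether the recorded PID is
      # still alive.
      "/bin/sh -c "
        args => "'kill -0 `cat $(pid)` && echo -start_matomo || echo +start_matomo'",
        inform => "false",
        module => "true";

    start_matomo::
      # The first argument is not "child", so the script re-launches itself in
      # the background and returns.
      "$(logger_script)"
        args => "$(logger_script)",
        contain => wmde_cmd_useshell,
        depends_on => {"loggerscript_$(site[domain])_created"};

#      "/bin/sh"
#        args => "$(logger_script) &",
#        contain => wmde_cmd_useshell,
#        depends_on => {"loggerscript_$(site[domain])_created"};

  methods:
#    start_matomo::
#      "call" usebundle => daemonize( "/bin/sh $(logger_script)" ),
#        depends_on => {"loggerscript_$(site[domain])_created"};

  reports:
    #start_matomo::
    #  "MUST START - WHY";
    #"ESC ESC $(site_json)";
    matomo::
}

# edit_defaults body that passes its argument straight through as the
# edit_backup setting; used above as backup("false").
body edit_defaults backup( edit_backup )
{
      edit_backup => "$(edit_backup)";
}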