WMDE
/
wmdeit-cf-wmdelib
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
wmdeit-cf-wmdelib/apache.cf

590 lines
14 KiB
CFEngine3
Raw Blame History

#
# Install and configure Apache with SSL and certbot
#
# Use:
# usebundle => install_apache;
# usebundle => apache_vhost(site_data);
#
#
bundle agent apache
{
classes:
# "apache enable_php";
vars:
"default_php_handler" string => "application/x-httpd-php", unless => isvariable( $(this.promiser));
"admin_email" string => "[]",unless => isvariable( $(this.promiser) ) ;
apache_php_enable::
"php_mod" string => '{m: "$(php.apache_m)",f:"$(php.apache_f)"},';
"service_deps" slist => {
"apache_pkgs_installed",
"apache_php_pkgs_installed",
"apache_www_dir_created",
"apache_dummy_conf_created",
"apache_main_cfg_created"
};
"cfg_deps" slist => { "apache_pkgs_installed","apache_php_installed" };
!apache_php_enable::
"php_mod" string => "";
"service_deps" slist => {
"apache_pkgs_installed",
"apache_www_dir_created",
"apache_dummy_conf_created",
"apache_main_cfg_created"
};
"cfg_deps" slist => { "apache_pkgs_installed" };
any::
"log_dir_mode" string => "750";
freebsd::
"pkgs" slist => {
"apache24",
"mod_dav_svn",
};
"log_dir" string =>"/var/log/httpd";
"log_dir_owner" string => "root";
"log_dir_group" string => "wheel";
"service_name" string => "apache24";
"service_cfg_name" string => "apache24";
"www_user" string => "www";
"www_group" string => "www";
"mime_types" string => "/usr/local/etc/apache24/mime.types";
"service_name" string => "apache24";
"restart_cmd" string => "/usr/sbin/service $(service_name) restart";
"etc_dir" string => "/usr/local/etc";
"cfg_dir" string => "$(etc_dir)/apache24";
"main_cfg" string => "$(cfg_dir)/httpd.conf";
"libexec_dir" string => "libexec/apache24";
"www_dir" string => "/usr/local/www",unless => isvariable( $(this.promiser) ) ;
"default_html_dir" string => "$(www_dir)/apache24";
"server_root" string => "/usr/local";
"modules" data => '[
$(php_mod)
{m: "autoindex",f:"mod_autoindex"},
{m: "log_config",f:"mod_log_config"},
{m: "version",f:"mod_version"},
{m: "unixd",f:"mod_unixd"},
{m: "ssl",f:"mod_ssl"},
{m:"proxy",f:"mod_proxy"},
{m:"proxy_fcgi",f:"mod_proxy_fcgi"},
{m:"proxy_http",f:"mod_proxy_http"},
{m:"proxy_http2",f:"mod_proxy_http2"},
{m:"remoteip",f:"mod_remoteip"},
{m: "dav",f:"mod_dav"},
{m: "dav_svn", f:"mod_dav_svn"},
{m: "authz_svn", f:"mod_authz_svn"}
]';
debian::
"pkgs" slist => {
"apache2",
"libapache2-mod-svn",
};
"log_dir" string =>"/var/log/apache2";
"log_dir_owner" string => "root";
"log_dir_group" string => "adm";
"service_name" string => "apache2";
"restart_cmd" string => "/usr/bin/systemctl restart $(service_name)";
"www_user" string => "www-data";
"www_group" string => "www-data";
"mime_types" string => "/etc/mime.types";
"www_dir" string => "/var/www",unless => isvariable( $(this.promiser) ) ;
"default_html_dir" string => "$(www_dir)/html";
"etc_dir" string => "/etc";
"cfg_dir" string => "$(etc_dir)/apache2";
"main_cfg" string => "$(cfg_dir)/apache2.conf";
"libexec_dir" string => "lib/apache2/modules";
"server_root" string => "/usr";
"modules" data => '[
$(php_mod)
{m:"ssl",f:"mod_ssl"},
{m:"proxy",f:"mod_proxy"},
{m:"proxy_fcgi",f:"mod_proxy_fcgi"},
{m:"proxy_http",f:"mod_proxy_http"},
{m:"proxy_http2",f:"mod_proxy_http2"}
]';
# {m:"php",f:"libphp$(php.version)"},
# "libapache2-mod-svn",
centos::
"pkgs" slist => {
"httpd",
"mod_ssl",
"mod_dav_svn",
"mod_fcgid"
};
fedora::
"pkgs" slist => {
"httpd",
# "mod_ssl",
};
fedora|centos::
"log_dir" string =>"/var/log/httpd";
"log_dir_owner" string => "root";
"log_dir_group" string => "root";
"log_dir_mode" string => "700";
"service_name" string => "httpd";
"restart_cmd" string => "/usr/bin/systemctl restart $(service_name)";
"www_user" string => "apache";
"www_group" string => "apache";
"mime_types" string => "/etc/mime.types";
"www_dir" string => "/var/www",unless => isvariable( $(this.promiser) ) ;
"default_html_dir" string => "$(www_dir)/html";
"etc_dir" string => "/etc";
"cfg_dir" string => "$(etc_dir)/httpd";
"main_cfg" string => "$(cfg_dir)/conf/httpd.conf";
"libexec_dir" string => "$(cfg_dir)/modules";
"server_root" string => "/etc/httpd";
"modules" data => '[
{m: "autoindex",f:"mod_autoindex"},
{m: "log_config",f:"mod_log_config"},
{m: "version",f:"mod_version"},
{m: "unixd",f:"mod_unixd"},
{m: "systemd",f:"mod_systemd"},
]';
# {m: "php",f:"libphp8"},
centos::
"modules" data => '[
{m:"proxy",f:"mod_proxy"},
{m:"proxy_http",f:"mod_proxy_http"},
{m:"proxy_http2",f:"mod_proxy_http2"},
{m:"proxy_fcgi",f:"mod_proxy_fcgi"},
{m: "autoindex",f:"mod_autoindex"},
{m: "log_config",f:"mod_log_config"},
{m: "version",f:"mod_version"},
{m: "unixd",f:"mod_unixd"},
{m: "systemd",f:"mod_systemd"},
{m:"ssl",f:"mod_ssl"},
{m: "remoteip",f:"mod_remoteip"}
]';
ubuntu_20::
"phpm" string => "php7";
ubuntu_22::
"phpm" string => "php";
ubuntu::
"log_dir_owner" string => "root";
"log_dir_group" string => "adm";
# {m:"$(phpm)",f:"libphp$(install_php.version)"},
"modules" data => '[
$(php_mod)
{m:"proxy",f:"mod_proxy"},
{m:"proxy_http",f:"mod_proxy_http"},
{m: "autoindex",f:"mod_autoindex"},
{m: "dav",f:"mod_dav"},
{m: "dav_svn", f:"mod_dav_svn"},
{m: "authz_svn", f:"mod_authz_svn"},
{m: "ssl",f:"mod_ssl"}
]';
reports:
}
bundle agent install_apache_php
{
vars:
freebsd::
"pkgs" slist => {"mod_php$(php.bsdvs)"};
debian::
"pkgs" slist => {"libapache2-mod-php$(php.version)"};
centos::
"pkgs" slist => {"libapache2-mod-php"};
methods:
"any" usebundle => wmde_install_packages(@(pkgs),"apache_php"),
handle => "apache_php_installed";
commands:
debian|ubuntu::
"/bin/sh"
args => "-c '/usr/sbin/a2dismod mpm_event > /dev/null'",
inform=>"false",
handle => "apache_mpm_event_disabled";
reports:
}
bundle agent install_apache(raw)
{
methods:
"any" usebundle => wmde_install_packages(@(apache.pkgs),"apache");
apache_php_enable::
"any" usebundle => install_apache_php,
depends_on => { "apache_pkgs_installed" };
reports:
files:
"$(apache.log_dir)/."
create=>"true",
perms=>mog("$(apache.log_dir_mode)","$(apache.log_dir_owner)","$(apache.log_dir_group)"),
handle => "apache_log_dir_created";
"$(apache.www_dir)/."
create=>"true",
perms => m("755"),
depends_on => { "apache_pkgs_installed" },
handle => "apache_www_dir_created";
"$(apache.default_html_dir)/."
create=>"true",
perms => uperm("$(apache.www_user)","$(apache.www_group)","755"),
depends_on => {"apache_www_dir_created"},
handle=>"apache_default_html_dir_created";
"$(apache.cfg_dir)/Vhosts/dummy.conf"
create=>"true",
content=>"",
perms => m("644"),
depends_on => { "apache_vhosts_dir_created" },
handle=> "apache_dummy_conf_created";
"$(apache.cfg_dir)/Vhosts/."
create => "true",
depends_on => { "apache_pkgs_installed" },
perms => m("755"),
handle=> "apache_vhosts_dir_created";
"$(apache.main_cfg)"
create => "true",
perms => m("644"),
edit_template => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/httpd.conf.mustache",
template_method => "mustache",
handle => "apache_main_cfg_created",
depends_on => { @(apache.cfg_deps) },
classes => if_repaired(apache_repaired);
methods:
"any" usebundle => wmde_enable_service("apache");
"any" usebundle => wmde_service("$(apache.service_name)","apache_kept","apache_repaired|php_repaired"),
depends_on => @(apache.service_deps) ;
#depends_on => {
# "apache_php_pkgs_installed"
#};
#
files:
"$(sys.workdir)/data/agent/apache/."
create => "true",
handle => "apache_work_dir_created";
commands:
"/bin/sh"
args => "$(sys.workdir)/inputs/$(def.wmde_libdir)/scripts/del-files-not-in-list.sh $(apache.cfg_dir)/Vhosts $(sys.workdir)/data/agent/apache/domains.txt && echo dummy.conf > $(sys.workdir)/data/agent/apache/domains.txt",
inform => "false",
handle => "apache_vhost_dir_cleaned",
depends_on => {"apache_dummy_conf_created"},
contain => wmde_cmd_useshell;
# "echo"
# args => "dummy.conf > $(sys.workdir)/data/agent/apache/domains.txt",
# inform => "false",
# contain => wmde_cmd_useshell;
reports:
}
bundle agent restart_apache(arg)
{
methods:
"any" usebundle => wmde_restart_service("$(apache.service_name)","$(arg)");
#commands:
# "/bin/sh -c "
# args => "'/bin/echo $(arg) > /dev/null && /usr/bin/systemctl restart $(apache.service_name)'";
}
bundle agent apache_vhost
(site_param)
{
classes:
"delete" expression => $(site[disable]);
"use_ssl" expression => $(site[ssl]);
"use_certbot" expression => strcmp("certbot","$(site[ssl_cert])");
"do_logrotate" expression => $(site[logrotate]);
vars:
# "email":$(apache.admin_email),
"site_defaults" data => '
{
"aliases":[],
"ssl_cert":"certbot",
"doc_root":"$(apache.www_dir)/$(site_param[domain])",
"doc_root_options":"Indexes FollowSymLinks",
"php":true,
"php_handler":"$(apache.default_php_handler)",
"logging80":true,
"logging443":true,
"logrotate":false,
}
';
"site" data => mergedata(site_defaults,site_param);
"cert_file" string => "$(certbot.certbot_dir)/live/$(site[domain])";
"template_file"
string =>
"$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/httpd-vhost.conf.mustache";
"domain_file" string => "$(apache.cfg_dir)/Vhosts/$(site[domain]).conf";
"domain_dir" string => "$(apache.www_dir)/$(site[domain])";
"ssl_cert" string => ifelse( use_certbot,
"$(certbot.certbot_dir)/live/$(site[domain])/fullchain.pem",
"$(site[ssl_cert])");
"ssl_key" string => ifelse( use_certbot,
"$(certbot.certbot_dir)/live/$(site[domain])/privkey.pem",
"$(site[ssl_key])");
use_ssl&(use_certbot)::
"vhostdeps" slist => {
"apache_ssl_created$(site[domain])",
"apache_vhost_dir_cleaned"
};
(!use_ssl)|(!use_certbot)::
"vhostdeps" slist => {
"apache_vhost_dir_cleaned"
};
files:
delete::
"$(domain_file)"
delete => tidy,
classes => if_repaired(apache_restart);
!delete::
"$(domain_file)"
perms => uperm("$(apache.www_user)","$(apache.www_group)","644"),
create => "true",
edit_template => "$(template_file)",
template_method => "mustache",
handle => "vhost_cfg_done$(site[domain])",
depends_on => @(vhostdeps),
classes => if_repaired("apache_vhost_restart");
"$(domain_dir)/."
create => "true",
perms => uperm("$(apache.www_user)","$(apache.www_group)","750");
methods:
use_ssl&use_certbot::
"any" usebundle => certbot_cert(@(site),"$(apache.default_html_dir)"), #,"$(site[domain])"),
handle => "apache_ssl_created$(site[domain])";
"apache_vhost_restart"::
"any" usebundle => restart_apache("$(site[domain])"),
depends_on => {
"vhost_cfg_done$(site[domain])",
"apache_ssl_created$(site[domain])" };
(!use_ssl)|(!use_certbot)::
"apache_vhost_restart"::
"any" usebundle => restart_apache("$(site[domain])"),
depends_on => {"vhost_cfg_done$(site[domain])" };
"any" usebundle => install_logrot;
files:
do_logrotate::
"$(logrot.dir)/$(site[domain])"
create => "true",
edit_defaults => backup("false"),
edit_template => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/httpd-weblogrot.mustache",
template_method => "mustache";
commands:
"echo"
args => "$(site[domain]).conf >> $(sys.workdir)/data/agent/apache/domains.txt",
inform => "false",
depends_on => {"vhost_cfg_done$(site[domain])"},
contain => wmde_cmd_useshell;
reports:
# "SITE: $(site[domain]): $(site[logrotate])";
# !do_logrotate::
# "LOGOROOTATE FOR $(site[domain]): FALSE";
# do_logrotate::
# "LOGOROOTATE FOR $(site[domain]): TRUE";
}
bundle agent apache_vhosts(sites)
{
vars:
"idx" slist => getindices(@(sites));
methods:
"any" usebundle => apache_vhost(@(sites[$(idx)]));
reports:
}
bundle agent apache_matomo
(site)
{
vars:
"pid" string => "/var/run/matomo-logger-$(site[domain]).pid";
"log" string => "$(apache.log_dir)/$(site[domain])-access.log";
"siteid" string => "$(site[matomoid])";
"logger_script" string => "/tmp/matomo-logger-$(site[domain]).sh";
freebsd::
"analyt_cmd" string => "/usr/local/bin/python3.9 $(matomo.log_importer)";
debian::
"analyt_cmd" string => "/usr/bin/python3 $(matomo.log_importer)";
centos::
"analyt_cmd" string => "/usr/bin/python3 $(matomo.log_importer)";
matomo::
"cmd" string => "/usr/bin/pkill -P `cat $(pid)` ; exec /bin/sh -c 'echo $$ > $(pid); echo \"hello\" | /usr/bin/tail -n+1 -f $(log) | $(analyt_cmd) --token-auth=$(site[matomotoken]) --disable-bulk-tracking --idsite=$(siteid) --url=$(site[matomosite]) --exclude-path=/wp-login.php --exclude-path=/wp-json/\\* --recorders=1 --recorder-max-payload-size=1 --log-format-name=ncsa_extended --exclude-path=\\*.php --exclude-path=/wp-admin/\\* - > /dev/null'
";
!matomo::
"cmd" string => "";
any::
"cmd_esc" string => escape ($(cmd));
# "cmd": "$(cmd_esc)",
"site_str" string => storejson(@(site));
# "site_json" string => '{
# "site" : "$(site_str)"
# }';
"site_json" string => '{
"cmd": "$(cmd)",
"service": "$(apache.service_name)",
"site": $(site_str)
}';
"template_file"
string => "$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/httpd-weblogrot-matomo.mustache";
methods:
"any" usebundle => install_logrot;
files:
"$(logrot.dir)/$(site[domain])"
create => "true",
edit_defaults => backup("false"),
edit_template => "$(template_file)",
template_method => "mustache";
# template_data => parsejson("$(site_json)");
matomo::
"$(pid)"
create => "true";
"$(logger_script)"
create => "true",
perms => m("755"),
content => '#!/bin/sh
if [ "$1" != "child" ]; then
"$(logger_script)" child &
else
setsid >/dev/null 2>&1
exec 0<&- 1>/dev/null 2>&1
$(cmd)
fi
',
handle => "loggerscript_$(site[domain])_created";
classes:
"matomo" expression => isvariable("site[matomoid]");
commands:
matomo::
"/bin/sh -c "
args => "'kill -0 `cat $(pid)` && echo -start_matomo || echo +start_matomo'",
inform => "false",
module => "true";
start_matomo::
"$(logger_script)"
args => "$(logger_script)",
contain => wmde_cmd_useshell,
depends_on => {"loggerscript_$(site[domain])_created"};
# "/bin/sh"
# args => "$(logger_script) &",
# contain => wmde_cmd_useshell,
# depends_on => {"loggerscript_$(site[domain])_created"};
methods:
# start_matomo::
# "call" usebundle => daemonize( "/bin/sh $(logger_script)" ),
# depends_on => {"loggerscript_$(site[domain])_created"};
reports:
#start_matomo::
# "MUST START - WHY";
#"ESC ESC $(site_json)";
matomo::
}
body edit_defaults backup( edit_backup )
{
edit_backup => "$(edit_backup)";
}
Reference in New Issue View Git Blame Copy Permalink