saltstack-formulas/apache-formula
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor(formula): align to template-formula & improve ci features

Browse Source 
FEATURE: Archlinux support
FEATURE: Windows support
FEATURE: Enhanced CI/CD
FEATURE: modular states

BREAKING CHANGE: 'apache.sls' converted to new style 'init.ssl'
BREAKING CHANGE: "logrotate.sls" became "config/logrotate.sls"
BREAKING CHANGE: "debian_full.sls" became "config/debian_full.sls"
BREAKING CHANGE: "flags.sls" became "config/flags.sls"
BREAKING CHANGE: "manage_security" became "config/manage_security.sls"
BREAKING CHANGE: "mod_*.sls" became "config/mod_*.sls"
BREAKING CHANGE: "no_default_host.sls" became "config/no_default_host.sls"
BREAKING CHANGE: "own_default_host.sls" became "config/own_default_host.sls"
BREAKING CHANGE: "register_site.sls" became "config/register_site.sls"
BREAKING CHANGE: "server_status.sls" became "config/server_status.sls"
BREAKING CHANGE: "vhosts/" became "config/vhosts/"
BREAKING CHANGE: "mod_security/" became "config/mod_security/"

NOT-BREAKING CHANGE: 'config.sls' became 'config/init.sls'
NOT-BREAKING CHANGE: 'uninstall.sls' symlinked to 'clean.sls'
This commit is contained in:
noelmcloughlin 2020-09-13 05:07:20 +01:00
parent fa93df9f4b
commit 47818fc360
163 changed files with 6023 additions and 2607 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.salt-lint
View File

@ -19,7 +19,8 @@ rules:
ignore: |
apache/files/Debian/ssl.conf.jinja
apache/files/FreeBSD/mod_ssl.conf.jinja
apache/files/tls-defaults.conf.jinja
apache/files/ssl/tls-defaults.conf.jinja
test/salt/pillar/modules.sls
skip_list:
# Using `salt-lint` for linting other files as well, such as Jinja macros/templates
- 205 # Use ".sls" as a Salt State file extension

61
.travis.yml
View File

@ -58,35 +58,38 @@ jobs:
## Define the rest of the matrix based on Kitchen testing
# Make sure the instances listed below match up with
# the `platforms` defined in `kitchen.yml`
- env: INSTANCE=default-debian-10-master-py3
# - env: INSTANCE=default-ubuntu-1804-master-py3
# - env: INSTANCE=default-centos-8-master-py3
# - env: INSTANCE=default-fedora-31-master-py3
# - env: INSTANCE=default-opensuse-leap-151-master-py3
# - env: INSTANCE=default-amazonlinux-2-master-py3
# - env: INSTANCE=default-debian-10-2019-2-py3
# - env: INSTANCE=default-debian-9-2019-2-py3
- env: INSTANCE=default-ubuntu-1804-2019-2-py3
# - env: INSTANCE=default-centos-8-2019-2-py3
# - env: INSTANCE=default-fedora-31-2019-2-py3
# - env: INSTANCE=default-opensuse-leap-151-2019-2-py3
# - env: INSTANCE=default-centos-7-2019-2-py2
- env: INSTANCE=default-amazonlinux-2-2019-2-py3
# - env: INSTANCE=default-arch-base-latest-2019-2-py2
- env: INSTANCE=default-fedora-30-2018-3-py3
# - env: INSTANCE=default-debian-9-2018-3-py2
# - env: INSTANCE=default-ubuntu-1604-2018-3-py2
# - env: INSTANCE=default-centos-7-2018-3-py2
# - env: INSTANCE=default-opensuse-leap-151-2018-3-py2
# - env: INSTANCE=default-amazonlinux-1-2018-3-py2
# - env: INSTANCE=default-arch-base-latest-2018-3-py2
# - env: INSTANCE=default-debian-8-2017-7-py2
# - env: INSTANCE=default-ubuntu-1604-2017-7-py2
- env: INSTANCE=default-centos-6-2017-7-py2
# - env: INSTANCE=default-fedora-30-2017-7-py2
# - env: INSTANCE=default-opensuse-leap-151-2017-7-py2
# - env: INSTANCE=default-amazonlinux-1-2017-7-py2
# - env: INSTANCE=default-arch-base-latest-2017-7-py2
- env: INSTANCE=modules-debian-10-master-py3
# env: INSTANCE=modules-ubuntu-1804-master-py3
- env: INSTANCE=modules-centos-8-master-py3
- env: INSTANCE=modules-fedora-31-master-py3
- env: INSTANCE=modules-opensuse-leap-151-master-py3
# https://community.letsencrypt.org/t/localhost-crt-does-not-exist-or-is-empty/103979
- env: INSTANCE=default-amazonlinux-2-master-py3
# - env: INSTANCE=modules-debian-10-2019-2-py3
# - env: INSTANCE=modules-debian-9-2019-2-py3
- env: INSTANCE=modules-ubuntu-1804-2019-2-py3
# - env: INSTANCE=modules-centos-8-2019-2-py3
# - env: INSTANCE=modules-fedora-31-2019-2-py3
# - env: INSTANCE=suse-opensuse-leap-151-2019-2-py3
- env: INSTANCE=modules-centos-7-2019-2-py2
# env: INSTANCE=default-amazonlinux-2-2019-2-py3
# - env: INSTANCE=modules-arch-base-latest-2019-2-py2
# env: INSTANCE=modules-fedora-30-2018-3-py3
# - env: INSTANCE=modules-debian-9-2018-3-py2
# - env: INSTANCE=modules-ubuntu-1604-2018-3-py2
# - env: INSTANCE=modules-centos-7-2018-3-py2
# - env: INSTANCE=modules-opensuse-leap-151-2018-3-py2
# - env: INSTANCE=modules-amazonlinux-1-2018-3-py2
# - env: INSTANCE=modules-arch-base-latest-2018-3-py2
# - env: INSTANCE=modules-debian-8-2017-7-py2
# - env: INSTANCE=modules-ubuntu-1604-2017-7-py2
# env: INSTANCE=default-centos-6-2017-7-py2
# - env: INSTANCE=modules-fedora-30-2017-7-py2
# - env: INSTANCE=modules-opensuse-leap-151-2017-7-py2
# - env: INSTANCE=modules-amazonlinux-1-2017-7-py2
- env: INSTANCE=arch-arch-base-latest-2017-7-py2
## Define the release stage that runs `semantic-release`
- stage: 'release'

3
.yamllint
View File

@ -12,6 +12,9 @@ ignore: |
node_modules/
test/**/states/**/*.sls
.kitchen/
test/salt/pillar/modules.sls
test/salt/pillar/default.sls
pillar.example
yaml-files:
# Default settings

1
apache/certificates Symbolic link
View File

@ -0,0 +1 @@
config/certificates/

63
apache/certificates.sls
View File

@ -1,63 +0,0 @@
{% from "apache/map.jinja" import apache with context %}
include:
- apache
{%- for site, confcert in salt['pillar.get']('apache:sites', {}).items() %}
{% if confcert.SSLCertificateKeyFile is defined and confcert.SSLCertificateKeyFile_content is defined %}
# Deploy {{ site }} key file
apache_cert_config_{{ site }}_key_file:
file.managed:
- name: {{ confcert.SSLCertificateKeyFile }}
- contents_pillar: apache:sites:{{ site }}:SSLCertificateKeyFile_content
- makedirs: True
- mode: 600
- user: root
- group: root
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endif %}
{% if confcert.SSLCertificateFile is defined and confcert.SSLCertificateFile_content is defined %}
# Deploy {{ site }} cert file
apache_cert_config_{{ site }}_cert_file:
file.managed:
- name: {{ confcert.SSLCertificateFile }}
- contents_pillar: apache:sites:{{ site }}:SSLCertificateFile_content
- makedirs: True
- mode: 600
- user: root
- group: root
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endif %}
{% if confcert.SSLCertificateChainFile is defined and confcert.SSLCertificateChainFile_content is defined %}
# Deploy {{ site }} bundle file
apache_cert_config_{{ site }}_bundle_file:
file.managed:
- name: {{ confcert.SSLCertificateChainFile }}
- contents_pillar: apache:sites:{{ site }}:SSLCertificateChainFile_content
- makedirs: True
- mode: 600
- user: root
- group: root
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endif %}
{%- endfor %}

7
apache/clean.sls Normal file
View File

@ -0,0 +1,7 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
include:
- .service.clean
- .config.clean
- .package.clean

140
apache/config.sls
View File

@ -1,140 +0,0 @@
{% from "apache/map.jinja" import apache with context %}
include:
- apache
{{ apache.logdir }}:
file.directory:
- makedirs: True
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{{ apache.configfile }}:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/apache-{{ apache.version }}.config.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- context:
apache: {{ apache | json }}
{{ apache.vhostdir }}:
file.directory:
- makedirs: True
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% if grains['os_family']=="Debian" %}
/etc/apache2/envvars:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{{ apache.portsfile }}:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- context:
apache: {{ apache | json }}
{% endif %}
{% if grains['os_family']=="RedHat" %}
{{ apache.confdir }}/welcome.conf:
file.absent:
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endif %}
{% if grains['os_family']=="Suse" or salt['grains.get']('os') == 'SUSE' %}
/etc/apache2/global.conf:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/global.config.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- context:
apache: {{ apache | json }}
{% endif %}
{% if grains['os_family']=="FreeBSD" %}
/usr/local/etc/{{ apache.service }}/envvars.d/by_salt.env:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{{ apache.portsfile }}:
file.managed:
- template: jinja
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- context:
apache: {{ apache | json }}
{% endif %}

52
apache/config/certificates/clean.sls Normal file
View File

@ -0,0 +1,52 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
{%- for site, cert in salt['pillar.get']('apache:sites', {}).items() %}
{%- if cert.SSLCertificateKeyFile is defined %}
apache_cert_config_clean_{{ site }}_key_file:
file.absent:
- name: {{ cert.SSLCertificateKeyFile }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- if cert.SSLCertificateFile is defined %}
apache_cert_config_clean_{{ site }}_cert_file:
file.absent:
- name: {{ cert.SSLCertificateFile }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- if cert.SSLCertificateChainFile is defined %}
apache_cert_config_clean_{{ site }}_bundle_file:
file.managed:
- name: {{ cert.SSLCertificateChainFile }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- endfor %}

5
apache/config/certificates/init.sls Normal file
View File

@ -0,0 +1,5 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
include:
- .install

67
apache/config/certificates/install.sls Normal file
View File

@ -0,0 +1,67 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
{%- for site, cert in salt['pillar.get']('apache:sites', {}).items() %}
{%- if cert.SSLCertificateKeyFile is defined and cert.SSLCertificateKeyFile_content is defined %}
apache_cert_config_install_{{ site }}_key_file:
file.managed:
- name: {{ cert.SSLCertificateKeyFile }}
- contents_pillar: apache:sites:{{ site }}:SSLCertificateKeyFile_content
- makedirs: True
- mode: 600
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- if cert.SSLCertificateFile is defined and cert.SSLCertificateFile_content is defined %}
apache_cert_config_install_{{ site }}_cert_file:
file.managed:
- name: {{ cert.SSLCertificateFile }}
- contents_pillar: apache:sites:{{ site }}:SSLCertificateFile_content
- makedirs: True
- mode: 600
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- if cert.SSLCertificateChainFile is defined and cert.SSLCertificateChainFile_content is defined %}
apache_cert_config_install_{{ site }}_bundle_file:
file.managed:
- name: {{ cert.SSLCertificateChainFile }}
- contents_pillar: apache:sites:{{ site }}:SSLCertificateChainFile_content
- makedirs: True
- mode: 600
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- endfor %}

26
apache/config/clean.sls Normal file
View File

@ -0,0 +1,26 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_clean = tplroot ~ '.service.clean' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- .modules.clean
- {{ sls_service_clean }}
apache-config-clean-file-absent:
file.absent:
- names:
- {{ apache.config }}
- {{ apache.logdir }}
- {{ apache.vhostdir }}
- /etc/apache2/envvars
# apache.portsfile
- /etc/apache2/global.conf
- /etc/httpd/conf.modules.d
- /etc/httpd/sites-enabled
- /etc/httpd/var
- {{ apache.confdir }}/server-status{{ apache.confext }}
- require:
- sls: {{ sls_service_clean }}

50
apache/config/debian_full.sls Normal file
View File

@ -0,0 +1,50 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_config_registersite = tplroot ~ '.config.register_site' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains.os_family in ('Debian',) %}
include:
- {{ sls_package_install }}
- {{ sls_service_running }}
- {{ sls_config_registersite }}
extend:
apache-package-install-pkg-installed:
pkg:
- order: 175
apache-service-running:
service:
- order: 455
apache-service-running-reload:
module:
- order: 420
apache-service-running-restart:
module:
- order: 425
apache-config-debian-full-cmd-run:
cmd.run:
- name: a2dissite 000-default{{ apache.confext }} || true
- onlyif: test -f /etc/apache2/sites-enabled/000-default{{ apache.confext }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
- require:
- pkg: apache-package-install-pkg-installed
file.absent:
- names:
- /etc/apache2/sites-available/{{ apache.default_site }}
- /etc/apache2/sites-available/{{ apache.default_site_ssl }}
- require:
- pkg: apache-package-install-pkg-installed
{%- endif %} #END: os = debian

166
apache/config/file.sls Normal file
View File

@ -0,0 +1,166 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-file-directory-logdir:
file.directory:
- name: {{ apache.logdir }}
- user: {{ apache.user }}
- group: {{ apache.group }}
- recurse:
- user
- group
- makedirs: True
- require:
- sls: {{ sls_package_install }}
- require_in:
- service: apache-service-running
apache-config-file-directory-vhostdir:
file.directory:
- name: {{ apache.vhostdir }}
- makedirs: True
- require:
- sls: {{ sls_package_install }}
- require_in:
- service: apache-service-running
apache-config-file-directory-moddir:
file.directory:
- name: {{ apache.moddir }}
- makedirs: True
- require:
- sls: {{ sls_package_install }}
- require_in:
- service: apache-service-running
{%- if apache.davlockdbdir %}
apache-config-file-directory-davlockdbdir:
file.directory:
- name: {{ apache.davlockdbdir }}
- makedirs: True
- user: {{ apache.user }}
- group: {{ apache.group }}
- recurse:
- user
- group
- require:
- sls: {{ sls_package_install }}
- require_in:
- service: apache-service-running
{%- endif %}
{%- if 'sitesdir' in apache and apache.sitesdir %}
apache-config-file-directory-sites-enabled:
file.directory:
- name: {{ apache.sitesdir }}
- makedirs: True
- require:
- sls: {{ sls_package_install }}
- require_in:
- service: apache-service-running
{%- endif %}
{%- if grains.os_family in ('Debian',) and 'confdir' in apache and apache.confdir %}
apache-config-file-directory-conf-enabled:
file.directory:
- name: {{ apache.confdir }}
- makedirs: True
- require:
- sls: {{ sls_package_install }}
- require_in:
- service: apache-service-running
{%- endif %}
apache-config-file-managed:
file.managed:
- name: {{ apache.config }}
- source: 'salt://apache/files/{{ grains.os_family }}/apache-{{ apache.version }}.config.jinja'
- mode: 644
- user: {{ apache.rootuser }}
{%- if grains.kernel != 'Windows' %}
- group: {{ apache.rootgroup }}
{%- endif %}
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- require:
- sls: {{ sls_package_install }}
- context:
apache: {{ apache | json }}
{%- if grains.os_family in ('Debian', 'FreeBSD') %}
apache-config-file-managed-{{ grains.os }}-env:
file.managed:
- name: /etc/apache2/envvars
- source: 'salt://apache/files/{{ grains.os_family }}/envvars-{{ apache.version }}.jinja'
- mode: 644
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache | json }}
- require_in:
- file: apache-config-file-managed-{{ grains.os }}-ports
apache-config-file-managed-{{ grains.os }}-ports:
file.managed:
- name: {{ apache.portsfile }}
- source: salt://apache/files/{{ grains.os_family }}/ports-{{ apache.version }}.conf.jinja
- mode: 644
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache | json }}
{%- elif grains.os_family == "RedHat" %}
apache-config-file-absent-{{ grains.os }}:
file.absent:
- name: {{ apache.confdir }}/welcome.conf
{%- elif grains.os_family == "Suse" %}
apache-config-file-managed-{{ grains.os }}:
file.managed:
- name: /etc/apache2/global.conf
- source: 'salt://apache/files/Suse/global.config.jinja'
- mode: 644
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache | json }}
{%- else %}
apache-config-file-managed-skip:
test.show_notification:
- text: |
No configuration file to manage
{%- endif %}
- require:
- sls: {{ sls_package_install }}
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- service: apache-service-running

48
apache/config/flags.sls Normal file
View File

@ -0,0 +1,48 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
{%- if grains.os_family == 'Suse' %}
include:
- {{ sls_package_install }}
- {{ sls_service_running }}
{%- for flag in salt['pillar.get']('apache:flags:enabled', []) %}
apache-config-flags-{{ flag }}-cmd-a2en:
cmd.run:
- name: a2enflag {{ flag }}
- unless: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 |grep {{ flag }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endfor %}
{%- for flag in salt['pillar.get']('apache:flags:disabled', []) %}
apache-config-flags-{{ flag }}-a2dis:
cmd.run:
- name: a2disflag -f {{ flag }}
- onlyif: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endfor %}
{%- endif %}

15
apache/config/init.sls Normal file
View File

@ -0,0 +1,15 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
include:
- .file
# .modules.clean # disable (exclude from init state)
# .modules # enable by default (read pillars)
- .debian_full
- .flags
- .logrotate
- .manage_security
- .no_default_vhost
- .own_default_vhost
- .register_site
- .vhosts

31
apache/config/logrotate.sls Normal file
View File

@ -0,0 +1,31 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
apache-config-logrotate-file-managed:
file.managed:
- name: {{ apache.logrotatedir }}
- makedirs: True
- contents: |
{{ apache.logdir }}/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
if /etc/init.d/{{ apache.service }} status >/dev/null; then \
/etc/init.d/{{ apache.service }} reload >/dev/null; \
fi;
endscript
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi; \
endscript
}

44
apache/config/manage_security.sls Normal file
View File

@ -0,0 +1,44 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains.os_family in ('Debian', 'FreeBSD') %}
include:
- {{ sls_package_install }}
- {{ sls_service_running }}
apache-config-manage-security-{{ grains.os_family }}:
file.managed:
{%- if grains.os_family == "Debian" %}
- onlyif: test -f /etc/apache2/conf-available/security.conf
- name: /etc/apache2/conf-available/security.conf
{%- elif grains.os_family == "FreeBSD" %}
- name: {{ apache.confdir + '/security.conf' }}
{%- endif %}
- source:
- salt://apache/files/{{ grains.os_family }}/security.conf.jinja
- salt://apache/files/ssl/security.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache | json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

52
apache/config/modules/clean.sls Normal file
View File

@ -0,0 +1,52 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_clean = tplroot ~ '.package.clean' %}
{%- set sls_service_dead = tplroot ~ '.service.clean' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_dead }}
{%- set existing_states = salt['cp.list_states']() %}
{%- for module in salt['pillar.get']('apache:modules:disabled', []) %}
apache-config-modules-{{ module }}-disable:
{%- if grains['os_family']=="Debian" %}
cmd.run:
- name: a2dismod -f {{ module }}
- onlyif: ls {{ apache.moddir }}/{{ module }}.load
{%- elif grains.os_family in ('Redhat', 'Arch') %}
cmd.run:
- name: find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;
- onlyif:
- test -d /etc/httpd
- {{ grains.os_family in ('Arch',) and 'true' }} || (httpd -M 2> /dev/null |grep "[[:space:]]{{ module }}_module")
file.absent:
- name: /etc/httpd/conf.modules.d/*{{ module }}.conf
{%- elif salt['grains.get']('os_family') == 'Suse' %}
cmd.run:
- name: a2dismod {{ module }}
- onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep {{ module }}
{%- else %}
test.show_notification:
- text: |
No {{ module }} module change
{%- endif %}
- order: 225
- require:
- sls: {{ sls_service_dead }}
- require_in:
- pkg: apache-package-clean-pkg-removed
{%- endfor %}

11
apache/config/modules/init.sls Normal file
View File

@ -0,0 +1,11 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
include:
- .install
- .mod_rewrite
- .mod_proxy
- .mod_headers
{%- if 'osfinger' in grains and grains.osfinger not in ('Amazon Linux-2',) %}
- .mod_geoip
{%- endif %}

51
apache/config/modules/install.sls Normal file
View File

@ -0,0 +1,51 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_config_file = tplroot ~ '.config.file' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_config_file }}
{% set existing_states = salt['cp.list_states']() %}
{% for module in salt['pillar.get']('apache:modules:enabled', []) %}
apache-config-modules-{{ module }}-enable:
{% if grains['os_family']=="Debian" %}
cmd.run:
- name: a2enmod -f {{ module }}
- onlyif: ls {{ apache.moddir }}/{{ module }}.load
{% elif grains.os_family in ('RedHat', 'Arch') %}
cmd.run:
- name: find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;
- onlyif: {{ grains.os_family in ('Arch',) and 'true' }} || (httpd -M 2> /dev/null |grep "[[:space:]]{{ module }}_module")
{% elif salt['grains.get']('os_family') == 'Suse' %}
cmd.run:
- name: a2enmod {{ module }}
- onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 |grep {{ module }}
{% else %}
test.show_notification:
- text: |
No {{ module }} module change
{%- endif %}
- order: 225
- require:
- sls: {{ sls_config_file }}
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
{%- endfor %}

30
apache/config/modules/mod_actions.sls Normal file
View File

@ -0,0 +1,30 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-actions-cmd-run:
cmd.run:
- name: a2enmod actions
- unless:
- ls {{ apache.moddir }}/actions.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep actions
- order: 255
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

33
apache/config/modules/mod_cgi.sls Normal file
View File

@ -0,0 +1,33 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family']=="FreeBSD" %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-cgi-cmd-run:
file.managed:
- name: {{ apache.modulesdir }}/040_mod_cgi.conf
- source: salt://apache/files/FreeBSD/mod_cgi.conf.jinja
- template: {{ apache.get('template_engine', 'jinja') }}
- makedirs: True
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
- mode: 644
{%- endif %}

49
apache/config/modules/mod_dav_svn.sls Normal file
View File

@ -0,0 +1,49 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family'] == "Debian" %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-dav_svn_pkg_installed:
pkg.installed:
- name: libapache2-mod-svn
apache-config-modules-dav_svn_cmd-run-a2en:
cmd.run:
- name: a2enmod dav_svn
- unless: ls {{ apache.moddir }}/dav_svn.load
- order: 255
- require:
- pkg: apache-package-install-pkg-installed
- pkg: apache-config-modules-dav_svn_pkg_installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
apache-config-modules-dav_svn_cmd-run-a2en-authz:
cmd.run:
- name: a2enmod authz_svn
- unless: ls {{ apache.moddir }}/authz_svn.load
- order: 255
- require:
- pkg: apache-package-install-pkg-installed
- pkg: apache-config-modules-dav_svn_pkg_installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

49
apache/config/modules/mod_fastcgi.sls Normal file
View File

@ -0,0 +1,49 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family'] == "Debian" %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
- .mod_actions
apache-config-modules-fastcgi-pkg:
pkgrepo.managed:
- name: "deb http://ftp.us.debian.org/debian {{ grains['oscodename'] }}"
- file: /etc/apt/sources.list.d/non-free.list
- onlyif: grep Debian /proc/version >/dev/null 2>&1
- comps: non-free
pkg.installed:
- name: {{ apache.mod_fastcgi }}
- order: 180
- require:
- pkgrepo: apache-config-modules-fastcgi-pkg
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
apache-config-modules-fastcgi_cmd-run:
cmd.run:
- name: a2enmod fastcgi
- unless: ls {{ apache.moddir }}/fastcgi.load
- order: 225
- require:
- pkg: mod-fastcgi
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

35
apache/config/modules/mod_fcgid.sls Normal file
View File

@ -0,0 +1,35 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-fcgid-pkg:
pkg.installed:
- name: {{ apache.mod_fcgid }}
- order: 180
- require:
- pkg: apache-package-install-pkg-installed
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
cmd.run:
- name: a2enmod fcgid
- order: 225
- unless: ls {{ apache.moddir }}/fcgid.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' fcgid'
- require:
- pkg: apache-config-modules-fcgid-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

87
apache/config/modules/mod_geoip.sls Normal file
View File

@ -0,0 +1,87 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if 'mod_geoip' in apache and 'finger' in grains and grains.osfinger not in ('Leap-42',) %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-geoip-pkg:
pkg.installed:
- pkgs:
- {{ apache.mod_geoip }}
- {{ apache.mod_geoip_database }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if grains['os_family']=="RedHat" %}
apache-config-modules-geoip-conf-file-managed:
file.managed:
- name: {{ apache.confdir }}/geoip.conf
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- makedirs: True
- mode: 644
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/geoip.conf
apache-config-modules-geoip-db-file-managed:
file.managed:
- name: /usr/share/GeoIP/GeoIP.dat
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- makedirs: True
- mode: 644
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/GeoIP.dat
apache-config-modules-geoip-{{ grains.os_family }}-conf-file-managed:
file.managed:
- name: {{ apache.moddir }}/10-geoip.conf
- makedirs: True
- source:
- salt://apache/files/RedHat/conf.modules.d/10-geoip.conf.jinja
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- elif grains['os_family'] in ('Suse', 'Debian',) %}
apache-config-modules-geoip-cmd-run:
cmd.run:
- name: a2enmod geoip
- unless: ls {{ apache.moddir }}/geoip.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep geoip
- order: 255
- require:
- pkg: apache-package-install-pkg-installed
- pkg: apache-config-modules-geoip-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- endif %}

29
apache/config/modules/mod_headers.sls Normal file
View File

@ -0,0 +1,29 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-headers-pkg:
cmd.run:
- name: a2enmod headers
- unless: ls {{ apache.moddir }}/headers.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep headers
- order: 255
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

29
apache/config/modules/mod_logio.sls Normal file
View File

@ -0,0 +1,29 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-logio-pkg:
cmd.run:
- name: a2enmod logio
- unless: ls {{ apache.moddir }}/logio.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep logio
- order: 255
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

84
apache/config/modules/mod_mpm.sls Normal file
View File

@ -0,0 +1,84 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- set mpm_module = salt['pillar.get']('apache:mpm:module', 'mpm_prefork') %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
apache-config-modules-mpm-pkg:
cmd.run:
- name: a2enmod {{ mpm_module }}
- unless: ls {{ apache.moddir }}/{{ mpm_module }}.load
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
file.managed:
- name: /etc/apache2/mods-available/{{ mpm_module }}.conf
- template: {{ apache.get('template_engine', 'jinja') }}
- makedirs: True
- context:
apache: {{ apache|json }}
- source:
- salt://apache/files/Debian/mpm/{{ mpm_module }}.conf.jinja
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
# Deactivate the other mpm modules as a previous step
{%- for mod in ['mpm_prefork', 'mpm_worker', 'mpm_event'] if not mod == mpm_module %}
apache-config-modules-mpm-{{ mod }}-cmd-run:
cmd.run:
- name: a2dismod {{ mod }}
- onlyif: ls {{ apache.moddir }}/{{ mod }}.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' {{ mod }}'
- require:
- pkg: apache-package-install-pkg-installed
- require_in:
- cmd: a2enmod {{ mpm_module }}
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endfor %}
{%- elif grains['os_family']=="RedHat" %}
apache-config-modules-mpm-{{ grains.os_family }}-conf-file-managed:
file.managed:
- name: {{ apache.moddir }}/00-mpm.conf
- template: {{ apache.get('template_engine', 'jinja') }}
- makedirs: True
- context:
apache: {{ apache|json }}
- source:
- salt://apache/files/RedHat/conf.modules.d/00-{{ mpm_module }}.conf.jinja
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

68
apache/config/modules/mod_pagespeed.sls Normal file
View File

@ -0,0 +1,68 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- set pagespeed_module = salt['pillar.get']('apache:pagespeed:module', 'pagespeed_prefork') %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
apache-config-modules-pagespeed-pkg:
pkg.installed:
- name: {{ apache.mod_pagespeed }}
- sources:
- mod-pagespeed-stable: {{ apache.mod_pagespeed_source }}
cmd.run:
- name: a2enmod pagespeed
- unless: ls {{ apache.moddir }}/pagespeed.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep pagespeed
- order: 255
- require:
- pkg: apache-config-modules-pagespeed-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- for dir in ['/var/cache/mod_pagespeed', '/var/log/pagespeed'] %}
apache-config-modules-pagespeed-{{ dir }}-file-directory:
file.directory
- name: {{ dir }}
- makedirs: true
- user: {{ apache.user }}
- group: {{ apache.group }}
- require:
- pkg: apache-config-modules-pagespeed-pkg
- user: {{ apache.user }}
- group: {{ apache.group }}
{%- endfor %}
# Here we hardcode a logrotate entry to take care of the logs
apache-config-modules-pagespeed-logrotate-file-managed:
file.managed:
- name: /etc/logrotate.d/pagespeed
- contents: |
/var/log/pagespeed/*.log {
weekly
missingok
rotate 52
compress
delaycompress
notifempty
sharedscripts
postrotate
if /etc/init.d/apache2 status > /dev/null ; then \
/etc/init.d/apache2 reload > /dev/null; \
fi;
endscript
}
{%- endif %}

60
apache/config/modules/mod_perl2.sls Normal file
View File

@ -0,0 +1,60 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-perl-pkg:
pkg.installed:
- name: {{ apache.mod_perl2 }}
- order: 180
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
cmd.run:
- name: a2enmod perl
- unless: ls {{ apache.moddir }}/perl.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' perl'
- order: 225
- require:
- pkg: apache-config-modules-perl-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- elif grains['os_family']=="FreeBSD" %}
file.managed:
- name: {{ apache.modulesdir }}/260_mod_perl.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_perl.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

84
apache/config/modules/mod_php5.sls Normal file
View File

@ -0,0 +1,84 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-php5-pkg:
pkg.installed:
- name: {{ apache.mod_php5 }}
- order: 180
- require:
- pkg: apache-package-install-pkg-installed
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
cmd.run:
- name: a2enmod php5
- unless: ls {{ apache.moddir }}/php5.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' php5'
- order: 225
- require:
- pkg: mod-php5
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if 'apache' in pillar and 'php-ini' in pillar['apache'] %}
file.managed:
- name: /etc/php5/apache2/php.ini
- source: {{ pillar['apache']['php-ini'] }}
- order: 225
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
- require:
- pkg: apache-package-install-pkg-installed
- pkg: apache-config-modules-php5-pkg
{%- endif %}
{%- elif grains['os_family']=="FreeBSD" %}
file.managed:
- name: {{ apache.modulesdir }}/050_mod_php5.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_php5.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- elif grains['os_family']=="Suse" %}
file.replace:
- name: /etc/sysconfig/apache2
- unless: grep '^APACHE_MODULES=.*php5' /etc/sysconfig/apache2
- pattern: '^APACHE_MODULES=(.*)"'
- repl: 'APACHE_MODULES=\1 php5"'
{%- endif %}

49
apache/config/modules/mod_proxy.sls Normal file
View File

@ -0,0 +1,49 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
apache-config-modules-proxy-pkg:
cmd.run:
- name: a2enmod proxy
- unless: ls {{ apache.moddir }}/proxy.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' proxy'
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- elif grains['os_family']=="FreeBSD" %}
apache-config-modules-proxy-file-managed:
file.managed:
- name: {{ apache.modulesdir }}/040_mod_proxy.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

51
apache/config/modules/mod_proxy_ajp.sls Normal file
View File

@ -0,0 +1,51 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
- .mod_proxy
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
apache-config-modules-proxy_ajp-pkg:
cmd.run:
- name: a2enmod proxy_ajp
- unless: ls {{ apache.moddir }}/proxy_ajp.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_ajp
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
# cmd: a2enmod proxy
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- elif grains['os_family']=="FreeBSD" %}
apache-config-modules-proxy_ajp-file-managed:
file.managed:
- name: {{ apache.modulesdir }}/040_mod_proxy_ajp.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy_ajp.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

31
apache/config/modules/mod_proxy_fcgi.sls Normal file
View File

@ -0,0 +1,31 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
- .mod_proxy
apache-config-modules-proxy_fcgi-pkg:
cmd.run:
- name: a2enmod proxy_fcgi
- unless: ls {{ apache.moddir }}/proxy_fcgi.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_fcgi
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
# cmd: a2enmod proxy
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

51
apache/config/modules/mod_proxy_http.sls Normal file
View File

@ -0,0 +1,51 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
- .mod_proxy
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
apache-config-modules-proxy_http-pkg:
cmd.run:
- name: a2enmod proxy_http
- unless: ls {{ apache.moddir }}/proxy_http.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_http
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
# cmd: a2enmod proxy
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- elif grains['os_family']=="FreeBSD" %}
apache-config-modules-proxy_http-file-managed:
file.managed:
- name: {{ apache.modulesdir }}/040_mod_proxy_http.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy_http.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

80
apache/config/modules/mod_remoteip.sls Normal file
View File

@ -0,0 +1,80 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
apache-config-modules-remoteip-cmd-run-mod-a2en:
cmd.run:
- name: a2enmod remoteip
- unless: ls {{ apache.moddir }}/remoteip.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep remoteip
- order: 255
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
apache-config-modules-remoteip-cmd-run-conf:
cmd.run:
- name: a2enconf remoteip
- unless: ls /etc/apache2/conf-enabled/remoteip.conf
- order: 255
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
file.managed:
- name: /etc/apache2/conf-available/remoteip.conf
- template: {{ apache.get('template_engine', 'jinja') }}
- makedirs: True
- context:
apache: {{ apache|json }}
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/conf-available/remoteip.conf.jinja
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
- cmd: apache-config-modules-remoteip-cmd-run-conf
{%- elif grains['os_family']=="RedHat" %}
apache-config-modules-remoteip-file-managed-conf:
file.managed:
- name: /etc/httpd/conf.d/remoteip.conf
- template: {{ apache.get('template_engine', 'jinja') }}
- makedirs: True
- context:
apache: {{ apache|json }}
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/conf.modules.d/remoteip.conf.jinja
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

49
apache/config/modules/mod_rewrite.sls Normal file
View File

@ -0,0 +1,49 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
{%- if grains['os_family'] in ('Debian', 'Suse') %}
apache-config-modules-rewrite-cmd-run-mod:
cmd.run:
- name: a2enmod rewrite
- unless: ls {{ apache.moddir }}/rewrite.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep rewrite
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- elif grains['os_family']=="FreeBSD" %}
apache-config-modules-rewrite-file-managed-conf:
file.managed:
- name: {{ apache.modulesdir }}/040_mod_rewrite.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_rewrite.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

89
apache/config/modules/mod_security/init.sls Normal file
View File

@ -0,0 +1,89 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
{%- if grains.os_family not in ('Arch',) %}
apache-config-modules-security-pkg:
pkg.installed:
- name: {{ apache.mod_security.package }}
- order: 180
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if apache.mod_security.crs_install and 'crs_package' in apache.mod_security %}
apache-config-modules-security-crs-pkg:
pkg.installed:
- name: {{ apache.mod_security.crs_package }}
- order: 180
- require:
- pkg: apache-config-modules-security-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- if apache.mod_security.manage_config and 'config_file' in apache.mod_security %}
apache-config-modules-security-main-config-file-managed:
file.managed:
- name: {{ apache.mod_security.config_file }}
- order: 220
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- source:
- {{ 'salt://apache/files/' ~ salt['grains.get']('os_family') ~ '/modsecurity.conf.jinja' }}
- context: {{ apache.mod_security|json }}
- require:
- pkg: apache-config-modules-security-pkg
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
apache-config-modules-security-cmd-run-a2en-security2:
cmd.run:
- name: a2enmod security2
- unless: ls {{ apache.moddir }}/security2.load && ls {{ apache.moddir }}/security2.conf
- order: 225
{%- elif grains.os_family in ('Redhat',) %}
apache-config-modules-security-file-directory-modsecurity:
file.directory:
- name: /etc/httpd/modsecurity.d
{%- endif %}
- require:
- pkg: apache-config-modules-security-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

21
apache/mod_security/rules.sls → apache/config/modules/mod_security/rules.sls
View File

@ -6,14 +6,14 @@ include:
- apache.mod_security
{%- for rule_name, rule_details in mod_security.get('rules', {}).items() %}
{% set rule_set = rule_details.get('rule_set', '') %}
{% set enabled = rule_details.get('enabled', False ) %}
{%- set rule_set = rule_details.get('rule_set', '') %}
{%- set enabled = rule_details.get('enabled', False ) %}
{%- if enabled %}
/etc/modsecurity/{{ rule_name }}:
file.symlink:
- target: /usr/share/modsecurity-crs/{{ rule_set }}/{{ rule_name }}
- user: root
- group: root
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- mode: 755
{%- else %}
/etc/modsecurity/{{ rule_name }}:
@ -24,17 +24,18 @@ include:
{%- endfor %}
{%- for custom_rule, custom_rule_details in mod_security.get('custom_rule_files', {}).items() %}
{% set file = custom_rule_details.get('file', None) %}
{% set path = custom_rule_details.get('path', None) %}
{% set enabled = custom_rule_details.get('enabled', False ) %}
{%- set file = custom_rule_details.get('file', None) %}
{%- set path = custom_rule_details.get('path', None) %}
{%- set enabled = custom_rule_details.get('enabled', False ) %}
{%- if enabled %}
/etc/modsecurity/{{ file }}:
file.managed:
- source: {{ path }}
- user: root
- group: root
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- mode: 755
- makedirs: True
{%- else %}
/etc/modsecurity/{{ file }}:
file.absent:
@ -42,4 +43,4 @@ include:
{%- endif %}
{%- endfor %}
{% endif %}
{%- endif %}

35
apache/config/modules/mod_socache_shmcb.sls Normal file
View File

@ -0,0 +1,35 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family']=="FreeBSD" %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-socache_shmcb-file-managed:
file.managed:
- name: {{ apache.modulesdir }}/009_mod_socache_shmcb.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/generic_module.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
- context:
module_name: socache_shmcb
{%- endif %}

129
apache/config/modules/mod_ssl.sls Normal file
View File

@ -0,0 +1,129 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
{%- if grains['os_family'] in ('Debian', 'Suse') %}
apache-config-modules-ssl-cmd-run:
cmd.run:
- name: a2enmod ssl
- unless: ls {{ apache.moddir }}/ssl.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' ssl'
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
file.managed:
- name: /etc/apache2/mods-available/ssl.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/ssl.conf.jinja
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- mode: 644
- makedirs: True
- watch_in:
- module: apache-service-running-restart
{%- elif grains['os_family']=="RedHat" %}
apache-config-modules-ssl-pkg:
pkg.installed:
- name: {{ apache.pkg.mod_ssl }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
file.absent:
- name: {{ apache.confdir }}/ssl.conf
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- elif grains['os_family']=="FreeBSD" %}
- .mod_ssl
apache-config-modules-ssl-file-managed:
file.managed:
- name: {{ apache.modulesdir }}/010_mod_ssl.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_ssl.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
apache-config-modules-ssl-file-managed-tls-defaults:
{%- if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
file.managed:
- name: {{ apache.confdir }}/tls-defaults.conf
- source: salt://apache/files/ssl/tls-defaults.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
{%- else %}
file.absent:
- name: {{ apache.confdir }}/tls-defaults.conf
{%- endif %}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if grains['os_family'] in ('Debian',) %}
apache-config-modules-ssl-cmd-run-debian-tls-defaults:
cmd.run:
{%- if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
- name: a2enconf tls-defaults
- unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
{%- else %}
- name: a2disconf tls-defaults
- onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
{%- endif %}
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
- file: {{ apache.confdir }}/tls-defaults.conf
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

52
apache/config/modules/mod_status.sls Normal file
View File

@ -0,0 +1,52 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_package_install }}
apache-config-server-status:
file.managed:
- name: {{ apache.confdir }}/server-status{{ apache.confext }}
- source: 'salt://apache/files/server-status.conf.jinja'
- template: {{ apache.get('template_engine', 'jinja') }}
- makedirs: True
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if grains['os_family'] == "Debian" %}
apache-config-server-status-file-directory:
file.directory:
- name: /etc/apache2/conf-enabled
- require:
- pkg: apache-package-install-pkg-installed
apache-config-server-status-cmd-run:
cmd.run:
- name: a2enconf server-status
- unless: 'test -L /etc/apache2/conf-enabled/server-status.conf'
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
- file: apache-config-server-status
- file: apache-config-server-status-file-directory
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

33
apache/config/modules/mod_suexec.sls Normal file
View File

@ -0,0 +1,33 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family']=="FreeBSD" %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-suexec-file-managed:
file.managed:
- name: {{ apache.modulesdir }}/040_mod_suexec.conf
- source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_suexec.conf.jinja
- mode: 644
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

31
apache/config/modules/mod_upload_progress.sls Normal file
View File

@ -0,0 +1,31 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-upload_progress-pkg:
pkg.installed
- name: {{ apache.mod_upload_progress }}
cmd.run:
- name: a2enmod upload_progress
- unless: ls {{ apache.moddir }}/upload_progress.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep upload_progress
- order: 255
- require:
- pkg: apache-config-modules-upload_progress-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

29
apache/config/modules/mod_vhost_alias.sls Normal file
View File

@ -0,0 +1,29 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-vhost_alias-cmd-run:
cmd.run:
- name: a2enmod vhost_alias
- unless: ls {{ apache.moddir }}/vhost_alias.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep vhost_alias
- order: 225
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

40
apache/config/modules/mod_wsgi.sls Normal file
View File

@ -0,0 +1,40 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-modules-wsgi-pkg:
pkg.installed:
- name: {{ apache.pkg.mod_wsgi }}
- require:
- pkg: apache
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if 'conf_mod_wsgi' in apache %}
file.uncomment:
- name: {{ apache.conf_mod_wsgi }}
- regex: LoadModule
- onlyif: test -f {{ apache.conf_mod_wsgi }}
- require:
- pkg: apache-config-modules-wsgi-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

41
apache/config/modules/mod_xsendfile.sls Normal file
View File

@ -0,0 +1,41 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_service_running }}
- {{ sls_package_install }}
apache-config-xsendfile-pkg:
pkg.installed:
- name: {{ apache.mod_xsendfile }}
- order: 180
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if grains['os_family'] in ('Suse', 'Debian',) %}
cmd.run:
- name: a2enmod xsendfile
- order: 225
- unless: ls {{ apache.moddir }}/xsendfile.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep xsendfile
- require:
- pkg: apache-config-xsendfile-pkg
- watch_in:
- module: apache-service-running-restart
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

1
apache/config/modules/server_status.sls Symbolic link
View File

@ -0,0 +1 @@
mod_status.sls

28
apache/config/no_default_vhost.sls Normal file
View File

@ -0,0 +1,28 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains.os_family == "Debian" %}
include:
- {{ sls_package_install }}
- {{ sls_service_running }}
apache-config-default-vhost:
cmd.run:
- name: a2dissite 000-default.conf || true
- unless: test ! -f /etc/apache2/sites-enabled/000-default.conf
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

32
apache/config/own_default_vhost.sls Normal file
View File

@ -0,0 +1,32 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains.os_family == "Debian" %}
include:
- {{ sls_package_install }}
- {{ sls_service_running }}
apache-config-own-default-vhost:
file.managed:
- name: {{ apache.vhostdir }}/000-default.conf
- source: salt://apache/files/Debian/sites-available/000-default.conf
- makedirs: True
- template: {{ apache.get('template_engine', 'jinja') }}
- context:
apache: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}

76
apache/config/register_site.sls Normal file
View File

@ -0,0 +1,76 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains.os_family == "Debian" %}
include:
- {{ sls_package_install }}
- {{ sls_service_running }}
apache-config-register-site-file-directory:
file.directory:
- name: {{ apache.sitesdir }}
- require:
- pkg: apache-package-install-pkg-installed
{%- if 'apache' in pillar and 'register-site' in pillar['apache'] %}
{%- for site in pillar['apache']['register-site'] %}
{%- if 'name' in pillar['apache']['register-site'][site] and 'state' in pillar['apache']['register-site'][site] %}
{%- if 'path' in pillar['apache']['register-site'][site] %}
{%- if pillar['apache']['register-site'][site]['state'] == 'enabled' %}
{%- set a2modid = "a2ensite " ~ pillar['apache']['register-site'][site]['name'] ~ apache.confext %}
{%- else %}
{%- set a2modid = "a2dissite " ~ pillar['apache']['register-site'][site]['name'] ~ apache.confext %}
{%- endif %}
apache-config-register-site-{{ a2modid }}:
cmd.run:
- name: {{ a2modid }}
{%- if pillar['apache']['register-site'][site]['state'] == 'enabled' %}
- unless: test -f /etc/apache2/sites-enabled/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}
{%- else %}
- onlyif: test -f /etc/apache2/sites-enabled/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}
{%- endif %}
- order: 230
- require:
- pkg: apache-package-install-pkg-installed
- file: apache-config-register-site-file-managed
- file: apache-config-register-site-file-directory
- watch:
- file: apache-config-register-site-file-managed
apache-config-register-site-file-managed:
file.managed:
- name: /etc/apache2/sites-available/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}
- source: {{ pillar['apache']['register-site'][site]['path'] }}
- order: 225
- makedirs: True
- user: {{ apache.rootuser }}
- group: {{ apache.rootgroup }}
- mode: 775
{%- if 'template' in pillar['apache']['register-site'][site] and 'defaults' in pillar['apache']['register-site'][site] %}
- template: {{ apache.get('template_engine', 'jinja') }}
- defaults:
{%- for key, value in pillar['apache']['register-site'][site]['defaults'].items() %}
{{ key }}: {{ value }}
{%- endfor %}
{%- endif %}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module; apache-service-running-reload
cmd.run:
- name: echo dummy state to workaround requisite issue >/dev/null 2>&1
- require_in:
- file: apache-config-register-site-file-managed
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endif %} #END: apache-service-running-register-site
{%- endif %} #END: grains['os_family'] == debian

1
apache/config/vhosts/clean.sls Symbolic link
View File

@ -0,0 +1 @@
cleanup.sls

42
apache/config/vhosts/cleanup.sls Normal file
View File

@ -0,0 +1,42 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
{%- if grains.os_family == 'Debian' %}
include:
- {{ sls_service_running }}
{%- set dirpath = '/etc/apache2/sites-enabled' %}
{# Add . and .. to make it easier to not clean those #}
{%- set valid_sites = ['.', '..', ] %}
{# Take sites from apache.vhosts.standard #}
{%- for id, site in salt['pillar.get']('apache:sites', {}).items() %}
{%- do valid_sites.append('{}{}'.format(id, apache.confext)) %}
{%- endfor %}
{# Take sites from apache.register_site #}
{%- for id, site in salt['pillar.get']('apache:register-site', {}).items() %}
{%- do valid_sites.append('{}{}'.format(site.name, apache.confext)) %}
{%- endfor %}
{%- if salt['file.directory_exists'](dirpath) %}
{%- for filename in salt['file.readdir'](dirpath) %}
{%- if filename not in valid_sites %}
apache-config-vhosts-cleanup-{{ filename }}-cmd-run:
cmd.run:
- name: a2dissite {{ filename }} || true
- onlyif: "test -L {{ dirpath }}/{{ filename }} || test -f {{ dirpath }}/{{ filename }}"
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endif %}{# Debian #}

5
apache/config/vhosts/init.sls Normal file
View File

@ -0,0 +1,5 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
include:
- .standard

0
apache/vhosts/minimal.tmpl → apache/config/vhosts/minimal.tmpl
View File

39
apache/vhosts/proxy.tmpl → apache/config/vhosts/proxy.tmpl
View File

@ -2,7 +2,6 @@
# This file is managed by Salt! Do not edit by hand!
#
{# Define default values here so the template below can just focus on layout #}
{% from "apache/map.jinja" import apache with context %}
{% set sitename = site.get('ServerName', id) %}
{% set vals = {
'interfaces': site.get('interface', '*').split(),
@ -35,7 +34,7 @@
'Require': 'all granted',
},
} %}
<VirtualHost {%- for intf in vals.interfaces %} {{ intf }}:{{ vals.port }}{% endfor -%}>
<VirtualHost {% for intf in vals.interfaces %} {{ intf }}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}
{% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %}
@ -73,8 +72,8 @@
ProxyPassReverse {{ proxyvals.ProxyPassReverseSource }} {{ proxyvals.ProxyPassReverseTarget }}
{% endfor %}
{%- for path, loc in site.get('Location', {}).items() %}
{%- set lvals = {
{% for path, loc in site.get('Location', {}).items() %}
{% set lvals = {
'Order': loc.get('Order', vals.Location.Order),
'Allow': loc.get('Allow', vals.Location.Allow),
'Require': loc.get('Require', vals.Location.Require),
@ -82,16 +81,16 @@
} %}
<Location "{{ path }}">
{% if apache.version == '2.4' %}
{%- if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
{% if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
{% else %}
{%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
{%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
{% if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
{% if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
{% endif %}
{%- if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %}
{% if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %}
</Location>
{% endfor %}
{%- for regpath, locmat in site.get('LocationMatch', {}).items() %}
{%- set lmvals = {
{% for regpath, locmat in site.get('LocationMatch', {}).items() %}
{% set lmvals = {
'Order': locmat.get('Order', vals.LocationMatch.Order),
'Allow': locmat.get('Allow', vals.LocationMatch.Allow),
'Require': locmat.get('Require', vals.LocationMatch.Require),
@ -99,32 +98,32 @@
} %}
<LocationMatch "{{ regpath }}">
{% if apache.version == '2.4' %}
{%- if lmvals.get('Require') != False %}Require {{ lmvals.Require }}{% endif %}
{% if lmvals.get('Require') != False %}Require {{ lmvals.Require }}{% endif %}
{% else %}
{%- if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %}
{%- if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %}
{% if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %}
{% if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %}
{% endif %}
{%- if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %}
{% if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %}
</LocationMatch>
{% endfor %}
{%- for proxypath, prox in site.get('Proxy_control', {}).items() %}
{%- set proxvals = {
{% for proxypath, prox in site.get('Proxy_control', {}).items() %}
{% set proxvals = {
'AllowAll': prox.get('AllowAll', vals.AllowAll),
'AllowCountry': prox.get('AllowCountry', vals.AllowCountry),
'AllowIP': prox.get('AllowIP', vals.AllowIP),
} %}
<Proxy "{{ proxypath }}">
{%- if proxvals.get('AllowAll') != False %}
{% if proxvals.get('AllowAll') != False %}
Require all granted
{%- else %}
{% else %}
{% if proxvals.get('AllowCountry') != False %}{% set country_list = proxvals.get('AllowCountry', {}) %}GeoIPEnable On
{% for every_country in country_list %}SetEnvIf GEOIP_COUNTRY_CODE {{ every_country }} AllowCountry
{% endfor %}Require env AllowCountry {% endif %}
{% if proxvals.get('AllowIP') is defined %} {% set ip_list = proxvals.get('AllowIP', {}) %}
Require ip {% for every_ip in ip_list %}{{ every_ip }} {% endfor %} {% endif %}
{%- endif %}
{% endif %}
</Proxy>
{%- endfor %}
{% endfor %}
{% if site.get('Formula_Append') %}
{{ site.Formula_Append|indent(4) }}
{% endif %}

1
apache/vhosts/redirect.tmpl → apache/config/vhosts/redirect.tmpl
View File

@ -2,7 +2,6 @@
# This file is managed by Salt! Do not edit by hand!
#
{# Define default values here so the template below can just focus on layout #}
{%- from "apache/map.jinja" import apache with context %}
{%- set sitename = site.get('ServerName', id) %}
{%- set vals = {

80
apache/config/vhosts/standard.sls Normal file
View File

@ -0,0 +1,80 @@
# -*- coding: utf-8 -*-
# vim: ft=sls
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_package_install = tplroot ~ '.package.install' %}
{%- set sls_service_running = tplroot ~ '.service.running' %}
{%- from tplroot ~ "/map.jinja" import apache with context %}
include:
- {{ sls_package_install }}
- {{ sls_service_running }}
{%- for id, site in salt['pillar.get']('apache:sites', {}).items() %}
{%- set documentroot = site.get('DocumentRoot', '{0}/{1}'.format(apache.wwwdir, site.get('ServerName', id))) %}
apache-config-vhosts-standard-{{ id }}:
file.managed:
- name: {{ apache.vhostdir }}/{{ id }}{{ apache.confext }}
- source: {{ site.get('template_file', 'salt://apache/config/vhosts/standard.tmpl') }}
- template: {{ apache.get('template_engine', 'jinja') }}
- makedirs: True
- context:
apache: {{ apache|json }}
id: {{ id|json }}
site: {{ site|json }}
map: {{ apache|json }}
- require:
- pkg: apache-package-install-pkg-installed
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- if site.get('DocumentRoot') != False %}
apache-config-vhosts-standard-{{ id }}-docroot:
file.directory:
- name: {{ documentroot }}
- makedirs: True
- user: {{ site.get('DocumentRootUser', apache.get('document_root_user'))|json or apache.user }}
- group: {{ site.get('DocumentRootGroup', apache.get('document_root_group'))|json or apache.group }}
- allow_symlink: True
{%- endif %}
{%- if grains.os_family == 'Debian' %}
{%- if site.get('enabled', True) %}
apache-config-vhosts-standard-{{ id }}-cmd-run-a2en:
cmd.run:
- name: a2ensite {{ id }}{{ apache.confext }}
- unless: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }}
- require:
- file: apache-config-vhosts-standard-{{ id }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- else %}
apache-config-vhosts-standard-{{ id }}-cmd-run-a2dis:
cmd.run:
- name: a2dissite {{ id }}{{ apache.confext }}:
- onlyif: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }}
- require:
- file: apache-config-vhosts-standard-{{ id }}
- watch_in:
- module: apache-service-running-reload
- require_in:
- module: apache-service-running-restart
- module: apache-service-running-reload
- service: apache-service-running
{%- endif %}
{%- endif %} {# Debian #}
{%- endfor %}

37
apache/vhosts/standard.tmpl → apache/config/vhosts/standard.tmpl
View File

@ -2,9 +2,9 @@
# This file is managed by Salt! Do not edit by hand!
#
{# Define default values here so the template below can just focus on layout #}
{%- set sitename = site.get('ServerName', id) -%}
{% set sitename = site.get('ServerName', id) -%}
{%- set vals = {
{% set vals = {
'interfaces': site.get('interface', '*').split(),
'port': site.get('port', '80'),
@ -74,16 +74,16 @@
{{ site.Rewrite }}
{% endif %}
{%- for loc, path in site.get('Alias', {}).items() %}
{% for loc, path in site.get('Alias', {}).items() %}
Alias {{ loc }} {{ path }}
{%- endfor %}
{% endfor %}
{%- for loc, path in site.get('ScriptAlias', {}).items() %}
{% for loc, path in site.get('ScriptAlias', {}).items() %}
ScriptAlias {{ loc }} {{ path }}
{%- endfor %}
{% endfor %}
{%- for path, dir in site.get('Directory', {}).items() -%}
{%- set dvals = {
{% for path, dir in site.get('Directory', {}).items() -%}
{% set dvals = {
'Options': dir.get('Options', vals.Directory.Options),
'Order': dir.get('Order', vals.Directory.Order),
'Allow': dir.get('Allow', vals.Directory.Allow),
@ -92,7 +92,7 @@
'Dav': dir.get('Dav', False),
} %}
{%- if path == 'default' %}{% set path = vals.Directory_default %}{% endif %}
{% if path == 'default' %}{% set path = vals.Directory_default %}{% endif %}
<Directory "{{ path }}">
{% if dvals.get('Options') != False %}Options {{ dvals.Options }}{% endif %}
@ -100,6 +100,7 @@
{% if dvals.get('Require') != False %}Require {{ dvals.Require }}{% endif %}
{% else %}
{% if dvals.get('Order') != False %}Order {{ dvals.Order }}{% endif %}
{% if dvals.get('Allow') != False %}Allow {{ dvals.Allow }}{% endif %}
{% endif %}
{% if dvals.get('AllowOverride') != False %}AllowOverride {{ dvals.AllowOverride }}{% endif %}
@ -109,10 +110,10 @@
{{ dir.Formula_Append|indent(8) }}
{% endif %}
</Directory>
{%- endfor %}
{% endfor %}
{%- for path, loc in site.get('Location', {}).items() %}
{%- set lvals = {
{% for path, loc in site.get('Location', {}).items() %}
{% set lvals = {
'Order': loc.get('Order', vals.Location.Order),
'Allow': loc.get('Allow', vals.Location.Allow),
'Require': loc.get('Require', vals.Location.Require),
@ -121,20 +122,20 @@
<Location "{{ path }}">
{% if map.version == '2.4' %}
{%- if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
{% if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
{% else %}
{%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
{%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
{% if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
{% if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
{% endif %}
{%- if lvals.get('Dav') != False %}Dav On{% endif %}
{% if lvals.get('Dav') != False %}Dav On{% endif %}
{%- if loc.get('Formula_Append') %}
{% if loc.get('Formula_Append') %}
{{ loc.Formula_Append|indent(8) }}
{% endif %}
</Location>
{% endfor %}
{%- if site.get('Formula_Append') %}
{% if site.get('Formula_Append') %}
{{ site.Formula_Append|indent(4) }}
{% endif %}
</VirtualHost>

44
apache/debian_full.sls
View File

@ -1,44 +0,0 @@
{% from "apache/map.jinja" import apache with context %}
{% if grains['os_family']=="Debian" %}
include:
- apache
- apache.register_site
extend:
apache:
pkg:
- order: 175
service:
- order: 455
apache-reload:
module:
- order: 420
apache-restart:
module:
- order: 425
a2dissite 000-default{{ apache.confext }}:
cmd.run:
- onlyif: test -f /etc/apache2/sites-enabled/000-default{{ apache.confext }}
- watch_in:
- module: apache-reload
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
- require:
- pkg: apache
/etc/apache2/sites-available/{{ apache.default_site }}:
file.absent:
- require:
- pkg: apache
/etc/apache2/sites-available/{{ apache.default_site_ssl }}:
file.absent:
- require:
- pkg: apache
{% endif %} #END: os = debian

45
apache/defaults.yaml
View File

@ -2,10 +2,53 @@
# vim: ft=yaml
---
apache:
lookup: {}
pkg:
name: apache2
mod_ssl: mod_ssl
mod_wsgi: mod_wsgi
deps: []
rootuser: root
rootgroup: root
template_engine: jinja
config: '/etc/apache'
service:
name: apache
user: www-data
group: www-data
vhostdir: /etc/apache2/sites-available
confdir: /etc/apache2/conf.d
davlockdbdir: null
logdir: /var/log/apache2
wwwdir: /srv/apache2
document_root_user: null # Do not enforce group
document_root_group: null # Do not enforce group
manage_service_states: true
service_state: running
service_enable: true
flags: {}
global: {}
modules: {}
mod_remoteip: {}
mod_security:
crs_install: false
manage_config: false
manage_config: false # use software defaults
mod_ssl:
manage_tls_defaults: false # use software defaults
# Just here for testing
added_in_defaults: defaults_value
winner: defaults
retry_option:
# https://docs.saltstack.com/en/latest/ref/states/requisites.html#retrying-states
attempts: 2
until: true
interval: 10
splay: 10

611
apache/files/Arch/apache-2.4.config.jinja Normal file
View File

@ -0,0 +1,611 @@
#
# This file is managed by Salt! Do not edit by hand!
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used. If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "{{ apache.get('serverroot', '/etc/httpd') }}"
#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/run/httpd
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
{% if salt['pillar.get']('apache:sites') is mapping %}
{%- set listen_directives = [] %}
{%- for id, site in salt['pillar.get']('apache:sites').items() %}
{%- set interfaces = site.get('interface', '*').split() %}
{%- set port = site.get('port', 80) %}
{%- for interface in interfaces %}
{%- if not site.get('exclude_listen_directive', False) and not port == '*' %}
{%- set listen_directive = interface ~ ':' ~ port %}
{%- if listen_directive not in listen_directives %}
{%- do listen_directives.append(listen_directive) %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- for listen in listen_directives %}
Listen {{ listen }}
{%- endfor %}
{%- else %}
Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>
{%- endif %}
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbd_module modules/mod_authn_dbd.so
#LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_form_module modules/mod_auth_form.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule allowmethods_module modules/mod_allowmethods.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule cache_socache_module modules/mod_cache_socache.so
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
#LoadModule socache_memcache_module modules/mod_socache_memcache.so
#LoadModule socache_redis_module modules/mod_socache_redis.so
#LoadModule watchdog_module modules/mod_watchdog.so
#LoadModule macro_module modules/mod_macro.so
#LoadModule dbd_module modules/mod_dbd.so
#LoadModule dumpio_module modules/mod_dumpio.so
#LoadModule echo_module modules/mod_echo.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule data_module modules/mod_data.so
#LoadModule ratelimit_module modules/mod_ratelimit.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule request_module modules/mod_request.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
#LoadModule reflector_module modules/mod_reflector.so
#LoadModule substitute_module modules/mod_substitute.so
#LoadModule sed_module modules/mod_sed.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule deflate_module modules/mod_deflate.so
#LoadModule xml2enc_module modules/mod_xml2enc.so
#LoadModule proxy_html_module modules/mod_proxy_html.so
#LoadModule brotli_module modules/mod_brotli.so
LoadModule mime_module modules/mod_mime.so
#LoadModule ldap_module modules/mod_ldap.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule logio_module modules/mod_logio.so
#LoadModule lua_module modules/mod_lua.so
LoadModule env_module modules/mod_env.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
#LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
#LoadModule ident_module modules/mod_ident.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
#LoadModule remoteip_module modules/mod_remoteip.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
#LoadModule session_module modules/mod_session.so
#LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_crypto_module modules/mod_session_crypto.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
#LoadModule ssl_module modules/mod_ssl.so
#LoadModule dialup_module modules/mod_dialup.so
#LoadModule http2_module modules/mod_http2.so
#LoadModule proxy_http2_module modules/mod_proxy_http2.so
#LoadModule md_module modules/mod_md.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
LoadModule unixd_module modules/mod_unixd.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
#LoadModule suexec_module modules/mod_suexec.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#LoadModule cgi_module modules/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
#LoadModule imagemap_module modules/mod_imagemap.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User {{ apache.user or 'http' }}
Group {{ apache.group or 'http' }}
</IfModule>
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin you@example.com
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "{{ apache.get('docroot', apache.wwwdir or '/srv/http') }}"
#
# Relax access to content within {{ apache.wwwdir }}.
#
<Directory "{{ apache.wwwdir }}">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "{{ apache.get('docroot', apache.wwwdir + '/srv/http') }}">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "{{ apache.logdir }}/error_log"
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
{%- for log_format in salt['pillar.get']('apache:log_formats', []) %}
LogFormat {{ log_format }}
{%- endfor %}
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
#CustomLog "/var/log/httpd/access_log" common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#
#CustomLog "/var/log/httpd/access_log" combined
CustomLog "{{ apache.logdir }}/access_log" combined
</IfModule>
<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "{{ apache.wwwdir }}/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock cgisock
</IfModule>
#
# "/srv/http/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "{{ apache.wwwdir }}/cgi-bin/">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule headers_module>
#
# Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
# backend servers which have lingering "httpoxy" defects.
# 'Proxy' request header is undefined by the IETF, not listed by IANA
#
RequestHeader unset Proxy early
</IfModule>
<IfModule mime_module>
#
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
#
TypesConfig conf/mime.types
#
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#
#AddType application/x-gzip .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default. To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
{%- if apache.get('default_charset', False) is none %}
# AddDefaultCharset UTF-8
{%- else %}
AddDefaultCharset {{ apache.get('default_charset', 'UTF-8') }}
{%- endif %}
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile conf/magic
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on
{%- for directive, dvalue in salt['pillar.get']('apache:global', {}).items() %}
{{ directive }} {{ dvalue }}
{%- endfor %}
# Supplemental configuration
#
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional {{ apache.confdir }}/*.conf
{% if apache.vhostdir != apache.confdir %}
IncludeOptional {{ apache.vhostdir }}/*.conf
{% endif %}
# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf
# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
Include conf/extra/httpd-autoindex.conf
# Language settings
Include conf/extra/httpd-languages.conf
# User home directories
Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
<IfModule mod_dav.c>
Include conf/extra/httpd-dav.conf
</IfModule>
# Various default settings
Include conf/extra/httpd-default.conf
# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

3
apache/files/Debian/apache-2.2.config.jinja
View File

@ -1,3 +1,6 @@
#
# This file is managed by Salt! Do not edit by hand!
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#

1
apache/files/Debian/envvars-2.2.jinja
View File

@ -1,7 +1,6 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{% from "apache/map.jinja" import apache with context -%}
# envvars - default environment variables for apache2ctl

1
apache/files/Debian/envvars-2.4.jinja
View File

@ -1,7 +1,6 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{% from "apache/map.jinja" import apache with context -%}
# envvars - default environment variables for apache2ctl

2
apache/files/Debian/modsecurity.conf.jinja
View File

@ -10,7 +10,7 @@
{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
#
# This file is managed/autogenerated by salt.
# This file is managed by Salt! Do not edit by hand!
# Modify the salt pillar that generates this file instead
#
# -- Rule engine initialization ----------------------------------------------

1
apache/files/Debian/ports-2.2.conf.jinja
View File

@ -1,7 +1,6 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{%- from "apache/map.jinja" import apache with context -%}
{% if salt['pillar.get']('apache:sites') is mapping %}
{%- set listen_directives = [] %}

1
apache/files/Debian/ports-2.4.conf.jinja
View File

@ -1,7 +1,6 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{%- from "apache/map.jinja" import apache with context -%}
{% if salt['pillar.get']('apache:sites') is mapping %}
{%- set listen_directives = [] %}

1
apache/files/FreeBSD/envvars-2.4.jinja
View File

@ -1,7 +1,6 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{%- from "apache/map.jinja" import apache with context -%}
# envvars - default environment variables for apache2ctl

2
apache/files/FreeBSD/mod_cgi.conf.jinja
View File

@ -1,5 +1,3 @@
{% from "apache/map.jinja" import apache with context %}
<IfModule !mpm_prefork_module>
LoadModule cgid_module libexec/{{ apache.service }}/mod_cgid.so
</IfModule>

2
apache/files/FreeBSD/mod_perl.conf.jinja
View File

@ -1,3 +1 @@
{% from "apache/map.jinja" import apache with context %}
LoadModule perl_module libexec/{{ apache.service }}/mod_perl.so

2
apache/files/FreeBSD/mod_php5.conf.jinja
View File

@ -1,5 +1,3 @@
{% from "apache/map.jinja" import apache with context %}
LoadModule php5_module /usr/local/libexec/{{ apache.service }}/libphp5.so
DirectoryIndex index.html index.php

2
apache/files/FreeBSD/mod_proxy.conf.jinja
View File

@ -1,3 +1 @@
{% from "apache/map.jinja" import apache with context %}
LoadModule proxy_module libexec/{{ apache.service }}/mod_proxy.so

2
apache/files/FreeBSD/mod_proxy_http.conf.jinja
View File

@ -1,3 +1 @@
{% from "apache/map.jinja" import apache with context %}
LoadModule proxy_http_module libexec/{{ apache.service }}/mod_proxy_http.so

2
apache/files/FreeBSD/mod_rewrite.conf.jinja
View File

@ -1,3 +1 @@
{% from "apache/map.jinja" import apache with context %}
LoadModule rewrite_module libexec/{{ apache.service }}/mod_rewrite.so

2
apache/files/FreeBSD/mod_suexec.conf.jinja
View File

@ -1,3 +1 @@
{% from "apache/map.jinja" import apache with context %}
LoadModule suexec_module libexec/{{ apache.service }}/mod_suexec.so

1
apache/files/FreeBSD/ports-2.4.conf.jinja
View File

@ -1,7 +1,6 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{%- from "apache/map.jinja" import apache with context -%}
{% if salt['pillar.get']('apache:sites') is mapping %}
{%- set listen_directives = [] %}

3
apache/files/RedHat/apache-2.2.config.jinja
View File

@ -1,4 +1,7 @@
#
# This file is managed by Salt! Do not edit by hand!
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.

1
apache/files/RedHat/apache-2.4.config.jinja
View File

@ -1,7 +1,6 @@
#
# This file is managed by Salt! Do not edit by hand!
#
{% from "apache/map.jinja" import apache with context %}
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.

9
apache/files/RedHat/conf.modules.d/00-log.conf.jinja Normal file
View File

@ -0,0 +1,9 @@
#
# This file is managed by Salt! Do not edit by hand!
#
#
# This file configures all the logging modules:
LoadModule log_config_module modules/mod_log_config.so
LoadModule log_debug_module modules/mod_log_debug.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so

4
apache/files/RedHat/conf.modules.d/00-mpm.conf.jinja
View File

@ -1,4 +1,6 @@
# managed by saltstack
#
# This file is managed by Salt! Do not edit by hand!
#
{% set mpm_module = 'mpm_prefork' -%}
{% set mpm_param = salt['pillar.get']('apache:mod_mpm_prefork', {}) -%}

5
apache/files/RedHat/conf.modules.d/10-geoip.conf.jinja Normal file
View File

@ -0,0 +1,5 @@
#
# This file is managed by Salt! Do not edit by hand!
#
LoadModule geoip_module /usr/lib64/httpd/modules/mod_geoip.so

4
apache/files/RedHat/conf.modules.d/remoteip.conf.jinja
View File

@ -1,4 +1,6 @@
# managed by saltstack
#
# This file is managed by Salt! Do not edit by hand!
#
RemoteIPHeader {{ salt['pillar.get']('apache:mod_remoteip:RemoteIPHeader', 'X-Forwarded-For') }}
{%- for trusted_proxy in salt['pillar.get']('apache:mod_remoteip:RemoteIPTrustedProxy', []) %}

11
apache/files/RedHat/modsecurity.conf.jinja
View File

@ -10,7 +10,7 @@
{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
#
# This file is managed/autogenerated by salt.
# This file is managed by Salt! Do not edit by hand!
# Modify the salt pillar that generates this file instead
#
@ -21,8 +21,13 @@ LoadModule security2_module modules/mod_security2.so
</IfModule>
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
{%- if 'osfinger' in grains and grains.osfinger in ('Red Hat Enterprise Linux Server-6', 'CentOS-6') %}
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
{%- else %}
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
{%- endif %}
# Default recommended configuration
SecRuleEngine {{ sec_rule_engine }}

5
apache/files/RedHat/ssl.conf
View File

@ -1,4 +1,7 @@
##
#
# This file is managed by Salt! Do not edit by hand!
#
## SSL Global Context
##
## All SSL configuration in this context applies both to

235
apache/files/Suse/apache-2.2.config.jinja Normal file
View File

@ -0,0 +1,235 @@
#
# This file is managed by Salt! Do not edit by hand
#
#
# /etc/apache2/httpd.conf
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information about
# the directives.
# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.
# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.
# Quickstart guide:
# http://en.opensuse.org/SDB:Apache_installation
# Overview of include files, chronologically:
#
# httpd.conf
# |
# |-- uid.conf . . . . . . . . . . . . . . UserID/GroupID to run under
# |-- server-tuning.conf . . . . . . . . . sizing of the server (how many processes to start, ...)
# |-- loadmodule.conf . . . . . . . . . . . [*] load these modules
# |-- listen.conf . . . . . . . . . . . . . IP adresses / ports to listen on
# |-- mod_log_config.conf . . . . . . . . . define logging formats
# |-- global.conf . . . . . . . . . . . . . [*] server-wide general settings
# |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring)
# |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info
# |-- mod_reqtimeout.conf . . . . . . . . . set timeout and minimum data rate for receiving requests
# |-- mod_cgid-timeout.conf . . . . . . . . set CGIDScriptTimeout if mod_cgid is loaded/active
# |-- mod_usertrack.conf . . . . . . . . . defaults for cookie-based user tracking
# |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings
# |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration
# |-- errors.conf . . . . . . . . . . . . . customize error responses
# |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts
# |
# |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests
# | |--mod_userdir.conf . . . . . . . . enable UserDir (if mod_userdir is loaded)
# | `--conf.d/apache2-manual?conf . . . add the docs ('?' = if installed)
# |
# `-- vhosts.d/ . . . . . . . . . . . . . . for each virtual host, place one file here
# `-- *.conf . . . . . . . . . . . . . (*.conf is automatically included)
#
#
# Files marked [*] are NOT read when server is started via systemd service. When server
# is started via service, defaults from /etc/sysconfig/apache2 are taken into account.
#
# Filesystem layout:
#
# /etc/apache2/
# |-- charset.conv . . . . . . . . . . . . for mod_auth_ldap
# |-- conf.d/
# | |-- apache2-manual.conf . . . . . . . conf that comes with apache2-doc
# | |-- mod_php4.conf . . . . . . . . . . (example) conf that comes with apache2-mod_php4
# | `-- ... . . . . . . . . . . . . . . . other configuration added by packages
# |-- default-server.conf
# |-- errors.conf
# |-- httpd.conf . . . . . . . . . . . . . top level configuration file
# |-- listen.conf
# |-- magic
# |-- mime.types -> ../mime.types
# |-- mod_autoindex-defaults.conf
# |-- mod_info.conf
# |-- mod_log_config.conf
# |-- mod_mime-defaults.conf
# |-- mod_perl-startup.pl
# |-- mod_status.conf
# |-- mod_userdir.conf
# |-- mod_usertrack.conf
# |-- server-tuning.conf
# |-- ssl-global.conf
# |-- ssl.crl/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Revocation Lists (CRL)
# |-- ssl.crt/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificates
# |-- ssl.csr/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Signing Requests
# |-- ssl.key/ . . . . . . . . . . . . . . PEM-encoded RSA Private Keys
# |-- ssl.prm/ . . . . . . . . . . . . . . public DSA Parameter Files
# |-- global.conf
# |-- loadmodule.conf
# |-- uid.conf
# `-- vhosts.d/ . . . . . . . . . . . . . . put your virtual host configuration (*.conf) here
# |-- vhost-ssl.template
# `-- vhost.template
### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.
# run under this user/group id
Include /etc/apache2/uid.conf
# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log
# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2
<IfDefine !SYSCONFIG>
Include /etc/apache2/loadmodule.conf
</IfDefine>
# IP addresses / ports to listen on
Include /etc/apache2/listen.conf
# predefined logging formats
Include /etc/apache2/mod_log_config.conf
# generated from default values of global settings in /etc/sysconfig/apache2
<IfDefine !SYSCONFIG>
Include /etc/apache2/global.conf
</IfDefine>
# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf
# mod_reqtimeout protects the server from the so-called "slowloris"
# attack: The server is not swamped with requests in fast succession,
# but with slowly transmitted request headers and body, thereby filling up
# the request slots until the server runs out of them.
# mod_reqtimeout is lightweight and should deliver good results
# with the configured default values. You shouldn't notice it at all.
Include /etc/apache2/mod_reqtimeout.conf
# Fix for CVE-2014-0231 introduces new configuration parameter
# CGIDScriptTimeout. This directive and its effect prevent request
# workers to be eaten until starvation if cgi programs do not send
# output back to the server within the timout set by CGIDScriptTimeout.
Include /etc/apache2/mod_cgid-timeout.conf
# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf
# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf
# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf
# set up (customizable) error responses
Include /etc/apache2/errors.conf
# global (server-wide) SSL configuration, that is not specific to
# any virtual host
Include /etc/apache2/ssl-global.conf
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
Include /etc/apache24/conf.d/tls-defaults.conf
{%- endif %}
# forbid access to the entire filesystem by default
<Directory />
Options None
AllowOverride None
<IfModule !mod_access_compat.c>
Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
<IfModule !mod_access_compat.c>
Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var
### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf
### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
IncludeOptional /etc/apache2/vhosts.d/*.conf
# Note: instead of adding your own configuration here, consider
# adding it in your own file (/etc/apache2/httpd.conf.local)
# putting its name into APACHE_CONF_INCLUDE_FILES in
# /etc/sysconfig/apache2 -- this will make system updates
# easier :)

3
apache/files/Suse/apache-2.4.config.jinja
View File

@ -1,4 +1,7 @@
#
# This file is managed by Salt! Do not edit by hand!
#
# /etc/apache2/httpd.conf
#
# This is the main Apache server configuration file. It contains the

72
apache/files/Suse/modsecurity.conf.jinja Normal file
View File

@ -0,0 +1,72 @@
{%- set apache = pillar.get('apache', {}) %}
{%- set modsec = apache.get('mod_security', {}) %}
{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
#
# This file is managed by Salt! Do not edit by hand!
# Modify the salt pillar that generates this file instead
#
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine {{ sec_rule_engine }}
SecRequestBodyAccess {{ sec_request_body_access }}
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit {{ sec_request_body_limit }}
SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit {{ sec_pcre_match_limit }}
SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel {{ sec_debug_log_level }}
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
</IfModule>

0
apache/files/dummy.conf Normal file
View File

2
apache/files/myname.conf Normal file
View File

@ -0,0 +1,2 @@
<VirtualHost *:8088>
</VirtualHost>

0
apache/files/security.conf.jinja → apache/files/ssl/security.conf.jinja
View File

0
apache/files/tls-defaults.conf.jinja → apache/files/ssl/tls-defaults.conf.jinja
View File

36
apache/flags.sls
View File

@ -1,36 +0,0 @@
{% from "apache/map.jinja" import apache with context %}
{% if salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}
include:
- apache
{% for flag in salt['pillar.get']('apache:flags:enabled', []) %}
a2enflag {{ flag }}:
cmd.run:
- unless: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }}
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endfor %}
{% for module in salt['pillar.get']('apache:flags:disabled', []) %}
a2disflag -f {{ flag }}:
cmd.run:
- onlyif: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }}
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{% endfor %}
{% endif %}

62
apache/init.sls
View File

@ -1,57 +1,7 @@
{% from "apache/map.jinja" import apache with context %}
# -*- coding: utf-8 -*-
# vim: ft=sls
apache:
pkg.installed:
- name: {{ apache.server }}
group.present:
- name: {{ apache.group }}
- system: True
user.present:
- name: {{ apache.user }}
- gid: {{ apache.group }}
- system: True
{# By default run apache service states (unless pillar is false) #}
{% if salt['pillar.get']('apache:manage_service_states', True) %}
service.{{ apache.service_state }}:
- name: {{ apache.service }}
{% if apache.service_state in [ 'running', 'dead' ] %}
- enable: True
{% endif %}
# The following states are inert by default and can be used by other states to
# trigger a restart or reload as needed.
apache-reload:
module.wait:
{% if apache.service_state in ['running'] %}
- name: service.reload
- m_name: {{ apache.service }}
{% else %}
- name: cmd.run
- cmd: {{ apache.custom_reload_command|default('apachectl graceful') }}
- python_shell: True
{% endif %}
apache-restart:
module.wait:
{% if apache.service_state in ['running'] %}
- name: service.restart
- m_name: {{ apache.service }}
{% else %}
- name: cmd.run
- cmd: {{ apache.custom_reload_command|default('apachectl graceful') }}
- python_shell: True
{% endif %}
{% else %}
apache-reload:
test.show_notification:
- name: Skipping reload per user request
- text: Pillar manage_service_states is False
apache-restart:
test.show_notification:
- name: Skipping restart per user request
- text: Pillar manage_service_states is False
{% endif %}
include:
- .package
- .config
- .service

16
apache/libsaltcli.jinja Normal file
View File

@ -0,0 +1,16 @@
# -*- coding: utf-8 -*-
# vim: ft=jinja
{#- Get the relevant values from the `opts` dict #}
{%- set opts_cli = opts.get('__cli', '') %}
{%- set opts_masteropts_cli = opts | traverse('__master_opts__:__cli', '') %}
{#- Determine the type of salt command being run #}
{%- if opts_cli == 'salt-minion' %}
{%- set cli = 'minion' %}
{%- elif opts_cli == 'salt-call' %}
{%- set cli = 'ssh' if opts_masteropts_cli in ('salt-ssh', 'salt-master') else 'local' %}
{%- else %}
{%- set cli = 'unknown' %}
{%- endif %}
{%- do salt['log.debug']('[libsaltcli] the salt command type has been identified to be: ' ~ cli) %}

112
apache/libtofs.jinja Normal file
View File

@ -0,0 +1,112 @@
{%- macro files_switch(source_files,
lookup=None,
default_files_switch=['id', 'os_family'],
indent_width=6,
use_subpath=False) %}
{#-
Returns a valid value for the "source" parameter of a "file.managed"
state function. This makes easier the usage of the Template Override and
Files Switch (TOFS) pattern.
Params:
* source_files: ordered list of files to look for
* lookup: key under '<tplroot>:tofs:source_files' to prepend to the
list of source files
* default_files_switch: if there's no config (e.g. pillar)
'<tplroot>:tofs:files_switch' this is the ordered list of grains to
use as selector switch of the directories under
"<path_prefix>/files"
* indent_width: indentation of the result value to conform to YAML
* use_subpath: defaults to `False` but if set, lookup the source file
recursively from the current state directory up to `tplroot`
Example (based on a `tplroot` of `xxx`):
If we have a state:
Deploy configuration:
file.managed:
- name: /etc/yyy/zzz.conf
- source: {{ files_switch(['/etc/yyy/zzz.conf', '/etc/yyy/zzz.conf.jinja'],
lookup='Deploy configuration'
) }}
- template: jinja
In a minion with id=theminion and os_family=RedHat, it's going to be
rendered as:
Deploy configuration:
file.managed:
- name: /etc/yyy/zzz.conf
- source:
- salt://xxx/files/theminion/etc/yyy/zzz.conf
- salt://xxx/files/theminion/etc/yyy/zzz.conf.jinja
- salt://xxx/files/RedHat/etc/yyy/zzz.conf
- salt://xxx/files/RedHat/etc/yyy/zzz.conf.jinja
- salt://xxx/files/default/etc/yyy/zzz.conf
- salt://xxx/files/default/etc/yyy/zzz.conf.jinja
- template: jinja
#}
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- set path_prefix = salt['config.get'](tplroot ~ ':tofs:path_prefix', tplroot) %}
{%- set files_dir = salt['config.get'](tplroot ~ ':tofs:dirs:files', 'files') %}
{%- set files_switch_list = salt['config.get'](
tplroot ~ ':tofs:files_switch',
default_files_switch
) %}
{#- Lookup source_files (v2), files (v1), or fallback to an empty list #}
{%- set src_files = salt['config.get'](
tplroot ~ ':tofs:source_files:' ~ lookup,
salt['config.get'](tplroot ~ ':tofs:files:' ~ lookup, [])
) %}
{#- Append the default source_files #}
{%- set src_files = src_files + source_files %}
{#- Only add to [''] when supporting older TOFS implementations #}
{%- set path_prefix_exts = [''] %}
{%- if use_subpath and tplroot != tpldir %}
{#- Walk directory tree to find {{ files_dir }} #}
{%- set subpath_parts = tpldir.lstrip(tplroot).lstrip('/').split('/') %}
{%- for path in subpath_parts %}
{%- set subpath = subpath_parts[0:loop.index] | join('/') %}
{%- do path_prefix_exts.append('/' ~ subpath) %}
{%- endfor %}
{%- endif %}
{%- for path_prefix_ext in path_prefix_exts|reverse %}
{%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %}
{#- For older TOFS implementation, use `files_switch` from the config #}
{#- Use the default, new method otherwise #}
{%- set fsl = salt['config.get'](
tplroot ~ path_prefix_ext|replace('/', ':') ~ ':files_switch',
files_switch_list
) %}
{#- Append an empty value to evaluate as `default` in the loop below #}
{%- if '' not in fsl %}
{%- set fsl = fsl + [''] %}
{%- endif %}
{%- for fs in fsl %}
{%- for src_file in src_files %}
{%- if fs %}
{%- set fs_dirs = salt['config.get'](fs, fs) %}
{%- else %}
{%- set fs_dirs = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %}
{%- endif %}
{#- Force the `config.get` lookup result as a list where necessary #}
{#- since we need to also handle grains that are lists #}
{%- if fs_dirs is string %}
{%- set fs_dirs = [fs_dirs] %}
{%- endif %}
{%- for fs_dir in fs_dirs %}
{%- set url = [
'- salt:/',
path_prefix_inc_ext.strip('/'),
files_dir.strip('/'),
fs_dir.strip('/'),
src_file.strip('/'),
] | select | join('/') %}
{{ url | indent(indent_width, true) }}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endmacro %}

26
apache/logrotate.sls
View File

@ -1,26 +0,0 @@
{% from "apache/map.jinja" import apache with context %}
{{ apache.logrotatedir }}:
file:
- managed
- contents: |
{{ apache.logdir }}/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
if /etc/init.d/{{ apache.service }} status > /dev/null ; then \
/etc/init.d/{{ apache.service }} reload > /dev/null; \
fi;
endscript
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi; \
endscript
}

31
apache/manage_security.sls
View File

@ -1,31 +0,0 @@
{% from "apache/map.jinja" import apache with context %}
{%- macro security_config(name) %}
{{ name }}:
file.managed:
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
- salt://apache/files/security.conf.jinja
- mode: 644
- template: jinja
- require:
- pkg: apache
- watch_in:
- module: apache-restart
- require_in:
- module: apache-restart
- module: apache-reload
- service: apache
{%- endmacro %}
include:
- apache
{% if grains['os_family']=="Debian" %}
{{ security_config('/etc/apache2/conf-available/security.conf') }}
- onlyif: test -f '/etc/apache2/conf-available/security.conf'
{% elif grains['os_family']=="FreeBSD" %}
{{ security_config(apache.confdir+'/security.conf') }}
{% endif %}

88
apache/map.jinja
View File

@ -1,23 +1,79 @@
{#- vi: set ft=jinja: #}
# -*- coding: utf-8 -*-
# vim: ft=jinja
{%- import_yaml "apache/defaults.yaml" as default_settings %}
{%- import_yaml "apache/osfamilymap.yaml" as osfamilymap %}
{%- import_yaml "apache/oscodenamemap.yaml" as oscodenamemap %}
{%- import_yaml "apache/osfingermap.yaml" as osfingermap %}
{%- import_yaml "apache/modsecurity.yaml" as modsec %}
{%- set tplroot = tpldir.split('/')[0] %}
{%- import_yaml tplroot ~ "/defaults.yaml" as default_settings %}
{%- import_yaml tplroot ~ "/osarchmap.yaml" as osarchmap %}
{%- import_yaml tplroot ~ "/osfamilymap.yaml" as osfamilymap %}
{%- import_yaml tplroot ~ "/osmap.yaml" as osmap %}
{%- import_yaml tplroot ~ "/osfingermap.yaml" as osfingermap %}
{%- import_yaml tplroot ~ "/oscodenamemap.yaml" as oscodename %}
{%- import_yaml tplroot ~ "/modsecurity.yaml" as modsec %}
{%- set defaults = salt['grains.filter_by'](default_settings,
default='apache',
merge=salt['grains.filter_by'](modsec, grain='os_family',
merge=salt['grains.filter_by'](osfamilymap, grain='os_family',
merge=salt['grains.filter_by'](oscodenamemap, grain='oscodename',
merge=salt['grains.filter_by'](osfingermap, grain='osfinger',
merge=salt['pillar.get']('apache:lookup', default={})
{#- Retrieve the config dict only once #}
{%- set _config = salt['config.get'](tplroot, default={}) %}
{%- set defaults = salt['grains.filter_by'](
default_settings,
default=tplroot,
merge=salt['grains.filter_by'](
osarchmap,
grain='osarch',
merge=salt['grains.filter_by'](
osfamilymap,
grain='os_family',
merge=salt['grains.filter_by'](
osmap,
grain='os',
merge=salt['grains.filter_by'](
oscodename,
grain='oscodename',
merge=salt['grains.filter_by'](
osfingermap,
grain='osfinger',
merge=salt['grains.filter_by'](
modsec,
grain='os_family',
merge=salt['grains.filter_by'](
_config,
default='lookup'
)
)
)
)
)
)
)
)
) %}
%}
{#- Merge the apache pillar #}
{%- set apache = salt['pillar.get']('apache', default=defaults, merge=True) %}
{%- set config = salt['grains.filter_by'](
{'defaults': defaults},
default='defaults',
merge=_config
)
%}
{%- set apache = config %}
{#- Post-processing for specific non-YAML customisations #}
{%- if grains.os_family == 'MacOS' %}
{%- set rootuser = salt['cmd.run']("stat -f '%Su' /dev/console") %}
{%- set rootgroup = salt['cmd.run']("stat -f '%Sg' /dev/console") %}
{%- do apache.update({'rootuser': rootgroup}) %}
{%- do apache.update({'rootgroup': rootgroup}) %}
{%- elif grains.os_family == 'Windows' %}
{%- set rootuser = salt['cmd.run']("id -un") %}
{%- do apache.update({'rootuser': rootuser}) %}
{%- endif %}
{# legacy pillar support #}
{%- if 'server' in apache.lookup and apache.lookup.server is string %}
{%- do apache.pkg.update({'name': apache.server}) %}
{%- endif %}
{%- if 'service' in apache.lookup and apache.lookup.service is string %}
{%- do apache.service.update({'name': apache.service}) %}
{%- endif %}
{%- if 'configfile' in apache and apache.configfile is string %}
{%- do apache.update({'config': apache.configfile}) %}
{%- endif %}

Some files were not shown because too many files have changed in this diff Show More