Mercurial > repos > other > Puppet
annotate modules/website/manifests/init.pp @ 120:b00eb9434938 puppet-3.6
Disable PCRE JIT to stop SELinux giving "denied execmem" for Apache
This probably hits performance slightly, but at least now we'll
be able to see what happens in audit.log and it won't roll over
every few hours!
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sat, 13 Aug 2016 13:44:01 +0100 |
| parents | 95502bafeaa3 |
| children | 9337c9ce648a |
| rev | line source |
|---|---|
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
1 class website( |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
2 $base_dir, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
3 $cert_dir = '/etc/pki/custom', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
4 $ssl_chain = 'ca-chain.pem', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
5 $primary_ip, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
6 $secondary_ip, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
7 $default_owner, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
8 $default_group, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
9 $default_tld = 'com', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
10 $default_extra_tlds = [] |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
11 ){ |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
12 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
13 validate_re($base_dir, '^(/[^/]+)*$', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
14 "${base_dir} is invalid - base_dir must be a directory without trailing slash.") |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
15 validate_re($cert_dir, '^(/[^/]+)*$', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
16 "${cert_dir} is invalid - cert_dir must be a directory without trailing slash.") |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
17 validate_array($default_extra_tlds) |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
18 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
19 $basedir = $base_dir |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
20 $certdir = $cert_dir |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
21 $docroot_owner = $default_owner |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
22 $docroot_group = $default_group |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
23 $ca_chain = $ssl_chain |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
24 $tld = $default_tld |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
25 $extra_tlds = $default_extra_tlds |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
26 $htmlphpfragment = "Include conf.extra/html-php.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
27 $filterfragment = "Include conf.custom/filter.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
28 $cmsfragment = "Include conf.extra/cms_rewrites.conf" |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
29 |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
30 class { 'apache': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
31 default_mods => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
32 default_vhost => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
33 mpm_module => false, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
34 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
35 class { 'apache::mod::dir': indexes => [ 'index.html' ] } |
|
84
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
36 class { 'apache::mod::prefork': |
|
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
37 serverlimit => 45, |
|
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
38 maxclients => 45, |
|
98
00453eecda4c
Reduce the number of spare servers, because we're quiet and need spare memory
IBBoard <dev@ibboard.co.uk>
parents:
84
diff
changeset
|
39 maxspareservers => 6, |
|
84
ae30d98f294f
Drop the number of spare servers to save some memory when we normally only have a couple of processes at once
IBBoard <dev@ibboard.co.uk>
parents:
57
diff
changeset
|
40 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
41 apache::mod { |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
42 'rewrite':; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
43 'expires':; 'setenvif':; 'headers':; |
|
34
29d330d2056a
Make sure that we have mod_version installed so that Apache config fragments that try to support 2.2 and 2.4 work properly
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
44 'version':; |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
45 } |
|
119
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
46 |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
47 # Updating the httpd package puts back some configs that we |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
48 # don't load the relevant modules for, so we'll try to make |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
49 # them blank so that RPM/Yum makes ".rpmnew" files instead |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
50 $unused_default_mods = [ |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
51 "${::apache::mod_dir}/autoindex.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
52 "${::apache::mod_dir}/userdir.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
53 "${::apache::mod_dir}/welcome.conf", |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
54 ] |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
55 file { $unused_default_mods: |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
56 ensure => file, |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
57 content => '', |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
58 } |
|
95502bafeaa3
Blank some Apache configs to prevent httpd update breaking the server
IBBoard <dev@ibboard.co.uk>
parents:
115
diff
changeset
|
59 |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
60 file { $base_dir: |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
61 ensure => directory; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
62 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
63 file { '/var/log/apache': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
64 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
65 mode => '0750', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
66 group => 'apache', |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
67 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
68 file { '/etc/httpd/conf.extra': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
69 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
70 recurse => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
71 source => "puppet:///modules/website/conf.extra", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
72 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
73 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
74 file { '/etc/httpd/conf/mime.types': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
75 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
76 source => "puppet:///modules/website/mime.types", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
77 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
78 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
79 file { '/etc/php.d/datetime.ini': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
80 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
81 source => "puppet:///modules/website/datetime.ini", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
82 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
83 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
84 file { '/etc/httpd/conf.d/zzz-custom.conf': |
|
115
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
85 ensure => absent, |
|
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
86 notify => Service['httpd']; |
|
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
87 } |
|
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
88 file { '/etc/httpd/conf.d/zzz-0-custom.conf': |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
89 ensure => present, |
|
115
b35a9df52965
Make sure that custom config comes before site configs
IBBoard <dev@ibboard.co.uk>
parents:
98
diff
changeset
|
90 source => "puppet:///modules/website/zzz-0-custom.conf", |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
91 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
92 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
93 file { '/etc/httpd/conf.d/php.conf': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
94 ensure => present, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
95 source => "puppet:///modules/website/php.conf", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
96 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
97 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
98 file { '/etc/httpd/conf.custom': |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
99 ensure => directory, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
100 recurse => true, |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
101 source => "puppet:///private/apache/conf.custom", |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
102 notify => Service['httpd']; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
103 } |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
104 file { $cert_dir: |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
105 ensure => directory; |
|
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
106 } |
|
48
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
107 if $operatingsystem == 'CentOS' and versioncmp($operatingsystemrelease, 7) >= 0 { |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
108 exec { 'set_apache_defaults': |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
109 command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
110 path => '/bin:/usr/bin/:/sbin:/usr/sbin', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
111 require => Package['policycoreutils-python'], |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
112 unless => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"', |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
113 } |
|
5cdc1c96c477
Add SELinux support for website content
IBBoard <dev@ibboard.co.uk>
parents:
1
diff
changeset
|
114 } |
|
0
956e484adc12
Initial public release of Puppet configs
IBBoard <dev@ibboard.co.uk>
parents:
diff
changeset
|
115 } |