view modules/website/manifests/init.pp @ 120:b00eb9434938 puppet-3.6
Disable PCRE JIT to stop SELinux giving "denied execmem" for Apache
This probably hits performance slightly, but at least now we'll
be able to see what happens in audit.log and it won't roll over
every few hours!
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 13 Aug 2016 13:44:01 +0100 |
parents | 95502bafeaa3 |
children | 9337c9ce648a |
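# == Class: website
#
# Base web-server setup: declares the apache class with its defaults switched
# off, enables an explicit set of Apache modules, lays down the shared config
# directories and files under /etc/httpd and /etc/php.d, creates the site and
# certificate directories, and (CentOS 7+) registers an SELinux file-context
# rule for the site tree.
#
# === Parameters
#
# [*base_dir*]
#   Absolute directory path without a trailing slash. Managed as a directory.
# [*cert_dir*]
#   Absolute directory path without a trailing slash. Managed as a directory.
# [*ssl_chain*]
#   Stored as $ca_chain. Not used further in this class body.
# [*primary_ip*], [*secondary_ip*]
#   Not referenced in this class body; presumably read by other classes or
#   defines in the module - TODO confirm.
# [*default_owner*], [*default_group*]
#   Stored as $docroot_owner / $docroot_group.
# [*default_tld*], [*default_extra_tlds*]
#   Stored as $tld / $extra_tlds; the latter must be an array.
#
class website(
  $base_dir,
  $cert_dir = '/etc/pki/custom',
  $ssl_chain = 'ca-chain.pem',
  $primary_ip,
  $secondary_ip,
  $default_owner,
  $default_group,
  $default_tld = 'com',
  $default_extra_tlds = []
){
  # Both values become File titles below, so they must be absolute paths.
  # \A and \z anchor the whole value (Ruby's ^ and $ also match at every line
  # break inside it), and + rejects the empty string, which the File
  # resources below could not use as a path anyway.
  validate_re($base_dir, '\A(/[^/]+)+\z', "${base_dir} is invalid - base_dir must be a directory without trailing slash.")
  validate_re($cert_dir, '\A(/[^/]+)+\z', "${cert_dir} is invalid - cert_dir must be a directory without trailing slash.")
  validate_array($default_extra_tlds)

  # Class-scope copies of the parameters under different names; presumably
  # these are the names other manifests/templates look up - TODO confirm.
  $basedir = $base_dir
  $certdir = $cert_dir
  $docroot_owner = $default_owner
  $docroot_group = $default_group
  $ca_chain = $ssl_chain
  $tld = $default_tld
  $extra_tlds = $default_extra_tlds

  # Apache "Include" lines kept as strings; not used in this class body.
  $htmlphpfragment = 'Include conf.extra/html-php.conf'
  $filterfragment = 'Include conf.custom/filter.conf'
  $cmsfragment = 'Include conf.extra/cms_rewrites.conf'

  # Switch off the apache class's default modules, default vhost and MPM
  # choice; the MPM and the modules wanted are declared explicitly below.
  class { 'apache':
    default_mods  => false,
    default_vhost => false,
    mpm_module    => false,
  }
  class { 'apache::mod::dir':
    indexes => [ 'index.html' ],
  }
  class { 'apache::mod::prefork':
    serverlimit     => 45,
    maxclients      => 45,
    maxspareservers => 6,
  }
  apache::mod {
    'rewrite':;
    'expires':;
    'setenvif':;
    'headers':;
    'version':;
  }

  # Updating the httpd package puts back some configs that we
  # don't load the relevant modules for, so we'll try to make
  # them blank so that RPM/Yum makes ".rpmnew" files instead
  $unused_default_mods = [
    "${::apache::mod_dir}/autoindex.conf",
    "${::apache::mod_dir}/userdir.conf",
    "${::apache::mod_dir}/welcome.conf",
  ]
  file { $unused_default_mods:
    ensure  => file,
    content => '',
  }

  file { $base_dir:
    ensure => directory,
  }

  # Group-readable, not world-readable. No owner is set here.
  file { '/var/log/apache':
    ensure => directory,
    mode   => '0750',
    group  => 'apache',
  }

  # recurse without purge: a file dropped from the module source stays on the
  # node and Apache may keep including it - remove retired fragments
  # explicitly.
  file { '/etc/httpd/conf.extra':
    ensure  => directory,
    recurse => true,
    source  => 'puppet:///modules/website/conf.extra',
    notify  => Service['httpd'],
  }
  file { '/etc/httpd/conf/mime.types':
    ensure => present,
    source => 'puppet:///modules/website/mime.types',
    notify => Service['httpd'],
  }
  file { '/etc/php.d/datetime.ini':
    ensure => present,
    source => 'puppet:///modules/website/datetime.ini',
    notify => Service['httpd'],
  }
  # The old file name is removed explicitly; zzz-0-custom.conf replaces it.
  file { '/etc/httpd/conf.d/zzz-custom.conf':
    ensure => absent,
    notify => Service['httpd'],
  }
  file { '/etc/httpd/conf.d/zzz-0-custom.conf':
    ensure => present,
    source => 'puppet:///modules/website/zzz-0-custom.conf',
    notify => Service['httpd'],
  }
  file { '/etc/httpd/conf.d/php.conf':
    ensure => present,
    source => 'puppet:///modules/website/php.conf',
    notify => Service['httpd'],
  }
  # Served from the "private" file-server mount rather than the module.
  # Same recurse-without-purge caveat as conf.extra above.
  file { '/etc/httpd/conf.custom':
    ensure  => directory,
    recurse => true,
    source  => 'puppet:///private/apache/conf.custom',
    notify  => Service['httpd'],
  }

  # NOTE(review): no owner, group or mode is set, so the directory keeps
  # whatever it already has (or the agent's defaults when created). If private
  # keys are stored here, pin the ownership and a restrictive mode explicitly.
  file { $cert_dir:
    ensure => directory,
  }

  if $::operatingsystem == 'CentOS' and versioncmp($::operatingsystemrelease, '7') >= 0 {
    # Registers the httpd_sys_content_t labelling rule once; the "unless"
    # grep keeps the exec idempotent. An explicit path stops the commands
    # being resolved through an inherited PATH.
    # NOTE(review): the rule is hard-coded to /srv/sites rather than derived
    # from $base_dir - confirm the two are meant to match.
    # NOTE(review): "semanage fcontext -a" only records the rule; content that
    # already exists keeps its old label until it is relabelled (restorecon).
    # Package['policycoreutils-python'] must be declared elsewhere.
    exec { 'set_apache_defaults':
      command => 'semanage fcontext -a -t httpd_sys_content_t "/srv/sites(/.*)?"',
      path    => '/bin:/usr/bin/:/sbin:/usr/sbin',
      require => Package['policycoreutils-python'],
      unless  => 'semanage fcontext --list | grep "/srv/sites\\(/\\.\\*\\)\\?"',
    }
  }
}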