# Manages common things amongst webhostings
# user_access:
#   - sftp: an sftp only user will be created (*default*)
# wwwmail:
#   This adds the web run user to a group called wwwmailers.
#   That makes it easier to grant special rights on the webserver's mail
#   server to this group.
#   - default: false
define webhosting::common(
  # 'present' or 'absent'; most resources below follow it, and several are
  # only declared (or only get ordering overrides) when it is 'present'.
  $ensure                = present,
  # Free-form hash; keys read in this file: 'containers', 'mail_ratelimit',
  # 'additional_nagios_checks'.
  $configuration         = {},
  # 'absent', a numeric id, or 'iuid' (looked up via iuid()).
  $uid                   = 'absent',
  # Login name of the sftp user; 'absent' means the define title ($name).
  $uid_name              = 'absent',
  # 'uid' means "same value as $uid"; see $real_run_gid below.
  $gid                   = 'uid',
  # Group name; 'absent' means the sftp user's name.
  $gid_name              = 'absent',
  # Only 'sftp' is handled here (creates a user::sftp_only).
  $user_access           = 'sftp',
  # 'absent', a (crypted) password, or 'trocla' to fetch one via trocla().
  $password              = 'absent',
  $password_crypted      = true,
  # Anything other than 'absent'/false switches the nagios check to expect 401.
  $htpasswd_file         = 'absent',
  $ssl_mode              = false,
  # 'normal', 'fpm', 'fcgid' or 'static'; fpm/fcgid need a separate run user.
  $run_mode              = 'normal',
  $run_uid               = 'absent',
  # Name of the run user; 'absent' means "${name}_run".
  $run_uid_name          = 'absent',
  $run_gid               = 'absent',
  $wwwmail               = false,
  $watch_adjust_webfiles = 'absent',
  $user_scripts          = 'absent',
  $user_scripts_options  = {},
  # 'ensure' follows $ensure, 'unmanaged' disables the check, anything else is
  # passed through as the check's ensure value.
  $nagios_check          = 'ensure',
  Variant[String,Array[String]]
    $nagios_check_domain   = 'absent',
  $nagios_check_url      = '/',
  $nagios_check_code     = '200',
  $nagios_use            = 'generic-service',
  $git_repo              = 'absent',
  # false, 'system', or an scl name; 'scl...' is rewritten to 'php...' below.
  $php_installation      = false,
){
  # Resolve the group used for the run user: an explicit $run_gid wins,
  # otherwise 'uid' means "same as $uid", otherwise $gid as given.
  if ($run_gid == 'absent') {
    if ($gid == 'uid') {
      $real_run_gid = $uid
    } else {
      $real_run_gid = $gid
    }
  } else {
    $real_run_gid = $run_gid
  }
  # Derive the effective user/group names from the define title when the
  # caller did not set them explicitly.
  if ($uid_name == 'absent'){
    $real_uid_name = $name
  } else {
    $real_uid_name = $uid_name
  }
  if ($gid_name == 'absent'){
    $real_gid_name = $real_uid_name
  } else {
    $real_gid_name = $gid_name
  }
  if ($run_uid_name == 'absent'){
    $real_run_uid_name = "${name}_run"
  } else {
    $real_run_uid_name = $run_uid_name
  }

  # Every path managed here lives below this directory.
  $vhost_path = "/var/www/vhosts/${name}"

  if ($user_access == 'sftp') or ('containers' in $configuration) {
    # NOTE: $real_uid is only assigned inside this branch; other branches
    # below read it only when $user_access is 'sftp' or containers are set.
    $real_uid = $uid ? {
      'iuid'  => iuid($real_uid_name,'webhosting'),
      default => $uid
    }
    if 'containers' in $configuration {
      if $ensure == 'present' {
        # Guarded with defined() so another manifest may own the tmp dir.
        if !defined(File["${vhost_path}/tmp"]) {
          file{
            "${vhost_path}/tmp":
              ensure  => directory,
              owner   => $real_uid_name,
              group   => $real_gid_name,
              mode    => '0750',
              seltype => 'httpd_sys_rw_content_t';
          }
        }
        # Runtime directory for the containers, ordered before every
        # podman::container tagged for this user (the tag is set below).
        # NOTE(review): '0777' is world-writable without the sticky bit, so any
        # local account can create and remove entries here; confirm whether
        # '1777' (or a narrower mode) would satisfy the containers' needs.
        file{
          "${vhost_path}/tmp/run":
            ensure  => directory,
            owner   => $real_uid_name,
            group   => $real_gid_name,
            mode    => '0777',
            seltype => 'httpd_var_run_t',
        } -> Podman::Container<| tag == "user_${real_uid_name}" |>
        # We don't know the user's subuid/subgid at catalog time, so the ACL
        # is computed on the node from /etc/subuid.
        # Must be set if we might want to do keep-user-id
        # https://lists.podman.io/archives/list/podman@lists.podman.io/thread/LA2J5LY6SZMNMPLDGE4DKIV2CFLGPOXC/
        # NOTE(review): $real_uid_name and $vhost_path are interpolated unquoted
        # into a `bash -c` string; both derive from the define title / $uid_name
        # and no character validation is visible in this file. If grep finds no
        # subuid line, setfacl is handed an empty id ("user::rx"). The exec has
        # no path attribute either — presumably an Exec resource default
        # supplies one; confirm.
        exec{"adjust_path_access_for_keep-user-id_${vhost_path}":
          command => "bash -c \"setfacl -m user:$(grep -E '^${real_uid_name}:' /etc/subuid | cut -d: -f 2):rx ${vhost_path}\"",
          unless  => "getfacl -p -n ${vhost_path}  | grep -qE \"^user:$(grep -E '^${real_uid_name}:' /etc/subuid | cut -d: -f 2):r-x\\$\"",
          require => [File[$vhost_path],User[$real_uid_name]];
        } -> Podman::Container<| tag == "user_${real_uid_name}" |>
      }

      # One podman::container per entry; the entry's own keys are passed
      # through, minus 'run_flags' which is merged with the label type below.
      $configuration['containers'].each |$con_name,$vals| {
        $run_flags = pick($vals['run_flags'],{})
        $con_values = ($vals - 'run_flags') + {
          ensure         => $ensure,
          user           => $real_uid_name,
          uid            => $real_uid,
          container_name => $con_name,
          # NOTE(review): this passes the raw $gid (possibly 'uid'), not
          # $real_run_gid — verify podman::container handles that value.
          gid            => $gid,
          homedir        => $vhost_path,
          manage_user    => false,
          logpath        => "${vhost_path}/logs",
          run_flags      => $run_flags + {
            'security-opt-label-type' => 'httpd_container_rw_content',
          },
          # Matched by the collectors above to order tmp/run and the ACL exec
          # before this container.
          tag            => "user_${real_uid_name}",
        }
        podman::container{
          "${name}-${con_name}":
            * => $con_values,
        }
      }
    }

    if ($user_access == 'sftp') {
      # 'trocla' fetches a sha512crypt hash keyed by the user name; any other
      # value is used as given (crypted or not per $password_crypted).
      $real_password = $password ? {
        'trocla' => trocla("webhosting_${real_uid_name}",'sha512crypt'),
        default  => $password
      }
      user::sftp_only{$real_uid_name:
        ensure           => $ensure,
        password_crypted => $password_crypted,
        homedir          => $vhost_path,
        gid              => $gid,
        uid              => $real_uid,
        password         => $real_password,
      }
      include ::apache::sftponly
    }
  }

  # For modes where apache reads the files directly, put the apache user into
  # the hosting's group and tighten the home directory to 0750.
  if $run_mode in ['fpm','fcgid','static'] {
    if ($user_access == 'sftp') {
      if ($ensure != 'absent') {
        User::Sftp_only[$real_uid_name]{
          homedir_mode => '0750',
        }
      }
      user::groups::manage_user{
        "apache_in_${real_gid_name}":
          ensure => $ensure,
          group  => $real_gid_name,
          user   => 'apache',
          notify => Service['apache'],
      }
      # The group membership can only be applied once the sftp user (and thus
      # its group) exists.
      if $ensure == 'present' {
        User::Groups::Manage_user["apache_in_${real_gid_name}"]{
          require => User::Sftp_only[$real_uid_name],
        }
      }
    }
  }
  # fpm/fcgid run PHP as a dedicated, login-less user.
  if $run_mode in ['fpm','fcgid'] {
    if ($run_uid=='absent') and ($ensure != 'absent') {
      fail("you need to define run_uid for ${name} on ${::fqdn} to use fpm or fcgid")
    }
    # NOTE(review): $real_run_uid is only assigned in this branch but is read
    # by the mail_ratelimit entry further down; confirm that entry is only
    # used with run_mode fpm/fcgid.
    $real_run_uid = $run_uid ? {
      'iuid'  => iuid($real_run_uid_name,'webhosting'),
      default => $run_uid,
    }
    $shell = $::operatingsystem ? {
      /^(Debian|Ubuntu)$/ => '/usr/sbin/nologin',
      default             => '/sbin/nologin',
    }
    user::managed{$real_run_uid_name:
      ensure       => $ensure,
      manage_group => false,
      managehome   => false,
      homedir      => $vhost_path,
      uid          => $real_run_uid,
      shell        => $shell,
    }
    # Order the run user after the sftp user on creation and before it on
    # removal, so the shared group exists whenever the run user does.
    if ($user_access == 'sftp') {
      if ($ensure == 'absent') {
        User::Managed[$real_run_uid_name]{
          before => User::Sftp_only[$real_uid_name],
        }
      } else {
        User::Managed[$real_run_uid_name]{
          require => User::Sftp_only[$real_uid_name],
        }
      }
    }

    if $wwwmail {
      user::groups::manage_user{
        "${real_run_uid_name}_in_wwwmailers":
          ensure => $ensure,
          group  => 'wwwmailers',
          user   => $real_run_uid_name,
      }
      if ($ensure == 'present') {
        # The wwwmailers group itself is managed by this class.
        require ::webhosting::wwwmailers
        User::Groups::Manage_user["${real_run_uid_name}_in_wwwmailers"]{
          require => User::Managed[$real_run_uid_name],
        }
      }
    }
    if ($ensure == 'present') {
      # 'iuid' is resolved with the sftp user's name, mirroring $real_uid, so
      # the run user ends up in the sftp user's group.
      $rreal_run_gid = $real_run_gid ? {
        'iuid'  => iuid($real_uid_name,'webhosting'),
        default => $real_run_gid,
      }
      User::Managed[$real_run_uid_name]{
        gid => $rreal_run_gid,
      }
    }
  }

  if $nagios_check != 'unmanaged' {
    if $nagios_check == 'ensure' {
      $nagios_ensure = $ensure
    } else {
      $nagios_ensure = $nagios_check
    }
    # A password-protected site answers the unauthenticated check with 401,
    # so that is the expected code whenever an htpasswd file is configured.
    $real_nagios_check_code = $htpasswd_file ? {
      'absent'  => $nagios_check_code,
      false     => $nagios_check_code,
      default   => '401'
    }

    nagios::service::http{$name:
      ensure       => $nagios_ensure,
      check_domain => $nagios_check_domain,
      ssl_mode     => $ssl_mode,
      check_url    => $nagios_check_url,
      use          => $nagios_use,
      check_code   => $real_nagios_check_code,
    }
    # Extra checks are passed through verbatim, titled "<name>-<key>".
    if 'additional_nagios_checks' in $configuration {
      $configuration['additional_nagios_checks'].each |$n,$values| {
        nagios::service::http{
          "${name}-${n}":
            * => $values,
        }
      }
    }
  }

  # The watcher is removed together with the hosting; otherwise the caller's
  # value (default 'absent') is passed through.
  $watch_webfiles_ensure = $ensure ? {
    'absent'  => 'absent',
    default   => $watch_adjust_webfiles,
  }
  webhosting::watch_adjust_webfiles{
    $name:
      ensure    => $watch_webfiles_ensure,
      path      => "${vhost_path}/www/",
      sftp_user => $real_uid_name,
      run_user  => $real_run_uid_name,
  }
  if $ensure != 'absent' {
    # Resolve the SCL name for a non-system PHP installation so user scripts
    # run inside the right collection.
    if $php_installation and $php_installation != 'system' {
      $php_inst = regsubst($php_installation,'^scl','php')
      require "::php::scl::${php_inst}"
      $scl_name = getvar("php::scl::${php_inst}::scl_name")
    } else {
      $scl_name = false
    }
    # Inject the scl unless the caller already set one; caller values win in
    # the merge.
    # NOTE(review): $user_scripts_options['global'] is undef when the caller
    # passed no 'global' key (the default is {}); confirm the `in` test
    # behaves as intended in that case.
    if $scl_name and !('scl' in $user_scripts_options['global']) {
      $real_user_scripts_options = deep_merge({
          'global' => { 'scl' => $scl_name },
        }, $user_scripts_options)
    } else {
      $real_user_scripts_options = $user_scripts_options
    }
    webhosting::user_scripts::manage{$name:
      base_path => $vhost_path,
      scripts   => $user_scripts,
      sftp_user => $real_uid_name,
      run_user  => $real_run_uid_name,
      web_group => $real_gid_name,
      options   => $real_user_scripts_options,
    }

    if 'mail_ratelimit' in $configuration {
      exim::ratelimit::localforward::entry{
        $real_run_uid_name:
          # $real_run_uid is set only in the fpm/fcgid branch above.
          key       => $real_run_uid,
          ratelimit => $configuration['mail_ratelimit'];
      }
    }
  }
  if ($git_repo != 'absent') and ($ensure != 'absent') {
    # NOTE(review): the raw $uid_name/$gid_name (possibly 'absent') are passed
    # here rather than the resolved names; verify that clone resolves them.
    webhosting::utils::clone{
      $name:
        git_repo     => $git_repo,
        documentroot => "${vhost_path}/www",
        uid_name     => $uid_name,
        run_uid_name => $real_run_uid_name,
        gid_name     => $gid_name,
        run_mode     => $run_mode,
    }
  }
}