# Manages common things amongst webhostings
# user_access:
#   - sftp: an sftp only user will be created (*default*)
# wwwmail:
#   This will add the web run user to a group called wwwmailers.
#   This makes it easier to grant special rights on a webserver's mailserver to
#   this group.
#   - default: false
# Declares the user/group, monitoring, file-watching, user-script, mail
# ratelimit and git-clone resources shared by all webhosting types.
#
# Parameters:
#   ensure                - present/absent; propagated to every resource below.
#   configuration         - hash; only the 'mail_ratelimit' key is read here.
#   uid / uid_name        - uid and login of the (sftp) web user. uid 'iuid'
#                           is resolved through iuid(); uid_name 'absent'
#                           falls back to the resource title.
#   gid / gid_name        - 'uid' means "same as the uid"; gid_name 'absent'
#                           falls back to the resolved uid_name.
#   user_access           - only 'sftp' is acted on: creates a user::sftp_only.
#   password              - 'trocla' fetches it via trocla(); otherwise passed
#                           through as-is (crypted, see password_crypted).
#   password_crypted      - handed to user::sftp_only unchanged (default true).
#   htpasswd_file         - anything other than 'absent'/false makes the nagios
#                           check expect HTTP 401 instead of nagios_check_code.
#   ssl_mode              - passed to nagios::service::http.
#   run_mode              - 'normal' (default), 'static', 'fpm' or 'fcgid'.
#                           fpm/fcgid require run_uid and create a dedicated
#                           run user; static/fpm/fcgid put apache in the
#                           web group.
#   run_uid / run_uid_name / run_gid
#                         - identity of the dedicated run user; 'absent'
#                           derives run_uid_name from "${name}_run" and
#                           run_gid from gid (or uid when gid == 'uid').
#   wwwmail               - see header comment.
#   watch_adjust_webfiles - ensure value for webhosting::watch_adjust_webfiles
#                           (forced to 'absent' when ensure is 'absent').
#   user_scripts / user_scripts_options
#                         - passed to webhosting::user_scripts::manage; an SCL
#                           php installation injects options['global']['scl'].
#   nagios_check          - 'unmanaged' skips monitoring, 'ensure' follows
#                           $ensure, anything else is used as the ensure value.
#   nagios_check_domain / nagios_check_url / nagios_check_code / nagios_use
#                         - passed to nagios::service::http.
#   git_repo              - when not 'absent', webhosting::utils::clone is
#                           declared to populate the documentroot.
#   php_installation      - false, 'system' or an 'scl…' name; see below.
define webhosting::common(
  $ensure                = present,
  $configuration         = {},
  $uid                   = 'absent',
  $uid_name              = 'absent',
  $gid                   = 'uid',
  $gid_name              = 'absent',
  $user_access           = 'sftp',
  $password              = 'absent',
  $password_crypted      = true,
  $htpasswd_file         = 'absent',
  $ssl_mode              = false,
  $run_mode              = 'normal',
  $run_uid               = 'absent',
  $run_uid_name          = 'absent',
  $run_gid               = 'absent',
  $wwwmail               = false,
  $watch_adjust_webfiles = 'absent',
  $user_scripts          = 'absent',
  $user_scripts_options  = {},
  $nagios_check          = 'ensure',
  $nagios_check_domain   = 'absent',
  $nagios_check_url      = '/',
  $nagios_check_code     = '200',
  $nagios_use            = 'generic-service',
  $git_repo              = 'absent',
  $php_installation      = false,
){
  # Resolve the "real" identities. The run group defaults to the web user's
  # group, which in turn defaults to the uid when gid is 'uid'; this may still
  # be the literal 'iuid' at this point and is resolved later ($rreal_run_gid).
  if ($run_gid == 'absent') {
    if ($gid == 'uid') {
      $real_run_gid = $uid
    } else {
      $real_run_gid = $gid
    }
  } else {
    $real_run_gid = $run_gid
  }
  if ($uid_name == 'absent'){
    $real_uid_name = $name
  } else {
    $real_uid_name = $uid_name
  }
  if ($gid_name == 'absent'){
    $real_gid_name = $real_uid_name
  } else {
    $real_gid_name = $gid_name
  }
  if ($run_uid_name == 'absent'){
    $real_run_uid_name = "${name}_run"
  } else {
    $real_run_uid_name = $run_uid_name
  }

  # Home directory of both the sftp user and the run user.
  $vhost_path = "/var/www/vhosts/${name}"

  if ($user_access == 'sftp') {
    # 'iuid' asks iuid() for a uid in the 'webhosting' range; any other value
    # is taken literally. $real_uid only exists inside this branch.
    $real_uid = $uid ? {
      'iuid'  => iuid($real_uid_name,'webhosting'),
      default => $uid
    }
    # 'trocla' fetches the password hash from trocla in sha512crypt format;
    # otherwise the caller's value is passed through (crypted per
    # password_crypted).
    $real_password = $password ? {
      'trocla' => trocla("webhosting_${real_uid_name}",'sha512crypt'),
      default  => $password
    }
    # The web user is sftp-only: no shell login to the host.
    user::sftp_only{$real_uid_name:
      ensure           => $ensure,
      password_crypted => $password_crypted,
      homedir          => $vhost_path,
      gid              => $gid,
      uid              => $real_uid,
      password         => $real_password,
    }
    include ::apache::sftponly
  }

  # For run modes where apache itself must read the vhost files, grant access
  # through the web group rather than world-readable permissions.
  if $run_mode in ['fpm','fcgid','static'] {
    if ($user_access == 'sftp') {
      if ($ensure != 'absent') {
        # 0750: owner and group only, so apache reaches the tree via the group
        # membership declared just below.
        User::Sftp_only[$real_uid_name]{
          homedir_mode => '0750',
        }
      }
      user::groups::manage_user{
        "apache_in_${real_gid_name}":
          ensure => $ensure,
          group  => $real_gid_name,
          user   => 'apache',
          notify => Service['apache'],
      }
      if $ensure == 'present' {
        # The group only exists once the sftp user has been created.
        User::Groups::Manage_user["apache_in_${real_gid_name}"]{
          require => User::Sftp_only[$real_uid_name],
        }
      }
    }
  }
  # fpm/fcgid run the application under a dedicated, non-interactive user.
  if $run_mode in ['fpm','fcgid'] {
    if ($run_uid=='absent') and ($ensure != 'absent') {
      fail("you need to define run_uid for ${name} on ${::fqdn} to use fpm or fcgid")
    }
    # NOTE(review): $real_run_uid is only assigned in this branch but is also
    # read by the mail_ratelimit entry further down, which runs for every
    # run_mode; for 'normal'/'static' that key ends up undef — confirm whether
    # exim::ratelimit::localforward::entry tolerates that.
    $real_run_uid = $run_uid ? {
      'iuid'  => iuid($real_run_uid_name,'webhosting'),
      default => $run_uid,
    }
    # The run user never gets an interactive shell; only the nologin path
    # differs between Debian-family and other systems.
    $shell = $::operatingsystem ? {
      /^(Debian|Ubuntu)$/ => '/usr/sbin/nologin',
      default             => '/sbin/nologin',
    }
    user::managed{$real_run_uid_name:
      ensure       => $ensure,
      manage_group => false,
      managehome   => false,
      homedir      => $vhost_path,
      uid          => $real_run_uid,
      shell        => $shell,
    }
    if ($user_access == 'sftp') {
      # Ordering against the sftp user: create after it, remove before it.
      if ($ensure == 'absent') {
        User::Managed[$real_run_uid_name]{
          before => User::Sftp_only[$real_uid_name],
        }
      } else {
        User::Managed[$real_run_uid_name]{
          require => User::Sftp_only[$real_uid_name],
        }
      }
    }

    if $wwwmail {
      user::groups::manage_user{
        "${real_run_uid_name}_in_wwwmailers":
          ensure => $ensure,
          group  => 'wwwmailers',
          user   => $real_run_uid_name,
      }
      if ($ensure == 'present') {
        # The wwwmailers group itself is managed by ::webhosting::wwwmailers.
        require ::webhosting::wwwmailers
        User::Groups::Manage_user["${real_run_uid_name}_in_wwwmailers"]{
          require => User::Managed[$real_run_uid_name],
        }
      }
    }
    if ($ensure == 'present') {
      # A run gid of 'iuid' means "same id as the sftp user", hence the lookup
      # by $real_uid_name rather than $real_run_uid_name.
      $rreal_run_gid = $real_run_gid ? {
        'iuid'  => iuid($real_uid_name,'webhosting'),
        default => $real_run_gid,
      }
      User::Managed[$real_run_uid_name]{
        gid => $rreal_run_gid,
      }
    }
  }

  if $nagios_check != 'unmanaged' {
    if $nagios_check == 'ensure' {
      $nagios_ensure = $ensure
    } else {
      $nagios_ensure = $nagios_check
    }
    # An htpasswd-protected site must answer 401 to an unauthenticated probe;
    # anything else would mean the protection is not in place.
    $real_nagios_check_code = $htpasswd_file ? {
      'absent'  => $nagios_check_code,
      false     => $nagios_check_code,
      default   => '401'
    }

    nagios::service::http{$name:
      ensure       => $nagios_ensure,
      check_domain => $nagios_check_domain,
      ssl_mode     => $ssl_mode,
      check_url    => $nagios_check_url,
      use          => $nagios_use,
      check_code   => $real_nagios_check_code,
    }
  }

  # Never keep the file watcher when the hosting itself is removed.
  $watch_webfiles_ensure = $ensure ? {
    'absent'  => 'absent',
    default   => $watch_adjust_webfiles,
  }
  webhosting::watch_adjust_webfiles{
    $name:
      ensure    => $watch_webfiles_ensure,
      path      => "${vhost_path}/www/",
      sftp_user => $real_uid_name,
      run_user  => $real_run_uid_name,
  }
  if $ensure != 'absent' {
    # An SCL php installation ('sclXX' -> class php::scl::phpXX) exposes its
    # scl_name, which the user scripts need to run under the right collection.
    if $php_installation and $php_installation != 'system' {
      $php_inst = regsubst($php_installation,'^scl','php')
      require "::php::scl::${php_inst}"
      $scl_name = getvar("php::scl::${php_inst}::scl_name")
    } else {
      $scl_name = false
    }
    # Caller-supplied options win; scl is only filled in when not set.
    # NOTE(review): with the default user_scripts_options ({}),
    # $user_scripts_options['global'] is undef on the right of 'in' — confirm
    # this evaluates to false rather than erroring on the targeted Puppet
    # version.
    if $scl_name and !('scl' in $user_scripts_options['global']) {
      $real_user_scripts_options = deep_merge({
          'global' => { 'scl' => $scl_name },
        }, $user_scripts_options)
    } else {
      $real_user_scripts_options = $user_scripts_options
    }
    webhosting::user_scripts::manage{$name:
      base_path => $vhost_path,
      scripts   => $user_scripts,
      sftp_user => $real_uid_name,
      run_user  => $real_run_uid_name,
      web_group => $real_gid_name,
      options   => $real_user_scripts_options,
    }

    # Per-hosting outbound mail ratelimit, keyed by the run user's uid.
    if 'mail_ratelimit' in $configuration {
      exim::ratelimit::localforward::entry{
        $real_run_uid_name:
          key       => $real_run_uid,
          ratelimit => $configuration['mail_ratelimit'];
      }
    }
  }
  if ($git_repo != 'absent') and ($ensure != 'absent') {
    # NOTE(review): uid_name/gid_name are passed unresolved (possibly 'absent')
    # while run_uid_name is the resolved value — verify that
    # webhosting::utils::clone applies the same fallbacks as this define.
    webhosting::utils::clone{
      $name:
        git_repo     => $git_repo,
        documentroot => "${vhost_path}/www",
        uid_name     => $uid_name,
        run_uid_name => $real_run_uid_name,
        gid_name     => $gid_name,
        run_mode     => $run_mode,
    }
  }
}