Commit dc60e288 authored by mh's avatar mh

kill itk & ldap and lots of other legacy support, also make it more modern

parent 664d3a51
# Manages common things amongst webhostings
# user_provider:
# - local: user will be crated locally (*default*)
# - ldap: ldap settings will be passed and ldap authorization
# is mandatory using webdav as user_access
# - everything else will currently do noting
# user_access:
# - sftp: an sftp only user will be created (*default*)
# - webdav: a webdav vhost will be created which will point to the webhostings root
# wwwmail:
# With a local user_provider this will include the web run user in a group called wwwmailers.
# This makes it easier to enable special rights on a webserver's mailserver to this group.
# - default: false
# ldap_user: Used if you have set user_provider to `ldap`
# - absent: $name will be passed
# - any: any authenticated ldap user will work
# - everything else will be used as a required ldap username
define webhosting::common(
$ensure = present,
$configuration = {},
$uid = 'absent',
$uid_name = 'absent',
$gid = 'uid',
$gid_name = 'absent',
$user_provider = 'local',
$user_access = 'sftp',
$webdav_domain = 'absent',
$webdav_ssl_mode = false,
$password = 'absent',
$password_crypted = true,
$htpasswd_file = 'absent',
$ssl_mode = false,
$run_mode = 'normal',
$run_uid = 'absent',
$run_uid_name = 'absent',
$run_gid = 'absent',
$wwwmail = false,
$watch_adjust_webfiles = 'absent',
$user_scripts = 'absent',
$user_scripts_options = {},
$nagios_check = 'ensure',
$nagios_check_domain = 'absent',
$nagios_check_url = '/',
$nagios_check_code = '200',
$nagios_use = 'generic-service',
$ldap_user = 'absent'
$ensure = present,
$configuration = {},
$uid = 'absent',
$uid_name = 'absent',
$gid = 'uid',
$gid_name = 'absent',
$user_provider = 'local',
$user_access = 'sftp',
$password = 'absent',
$password_crypted = true,
$htpasswd_file = 'absent',
$ssl_mode = false,
$run_mode = 'normal',
$run_uid = 'absent',
$run_uid_name = 'absent',
$run_gid = 'absent',
$wwwmail = false,
$watch_adjust_webfiles = 'absent',
$user_scripts = 'absent',
$user_scripts_options = {},
$nagios_check = 'ensure',
$nagios_check_domain = 'absent',
$nagios_check_url = '/',
$nagios_check_code = '200',
$nagios_use = 'generic-service',
$git_repo = 'absent',
){
if ($run_gid == 'absent') {
if ($gid == 'uid') {
......@@ -70,35 +61,34 @@ define webhosting::common(
$real_run_uid_name = $run_uid_name
}
$vhost_path = $::operatingsystem ? {
openbsd => "/var/www/htdocs/${name}",
default => "/var/www/vhosts/${name}"
}
$vhost_path = "/var/www/vhosts/${name}"
if ($user_provider == 'local') and ($user_access == 'sftp') {
user::sftp_only{$real_uid_name:
ensure => $ensure,
password_crypted => $password_crypted,
homedir => $vhost_path,
gid => $gid,
uid => $uid ? {
'iuid' => iuid($real_uid_name,'webhosting'),
default => $uid
},
password => $password ? {
'trocla' => trocla("webhosting_${real_uid_name}",'sha512crypt'),
default => $password
},
}
include apache::sftponly
$real_uid = $uid ? {
'iuid' => iuid($real_uid_name,'webhosting'),
default => $uid
}
$real_password = $password ? {
'trocla' => trocla("webhosting_${real_uid_name}",'sha512crypt'),
default => $password
}
user::sftp_only{$real_uid_name:
ensure => $ensure,
password_crypted => $password_crypted,
homedir => $vhost_path,
gid => $gid,
uid => $real_uid,
password => $real_password,
}
include ::apache::sftponly
}
case $run_mode {
'fcgid','static','itk','proxy-itk','static-itk': {
'fcgid','static': {
if ($user_access == 'sftp') {
if ($ensure != 'absent') {
User::Sftp_only[$real_uid_name]{
homedir_mode => 0755,
homedir_mode => '0755',
}
}
user::groups::manage_user{
......@@ -106,46 +96,38 @@ define webhosting::common(
group => $real_gid_name,
user => 'apache'
}
case $run_mode {
'fcgid','static','static-itk': {
User::Groups::Manage_user["apache_in_${real_gid_name}"]{
ensure => $ensure,
}
if $ensure == 'present' {
User::Groups::Manage_user["apache_in_${real_gid_name}"]{
require => User::Sftp_only[$real_uid_name],
}
}
}
default: {
User::Groups::Manage_user["apache_in_${real_gid_name}"]{
ensure => 'absent'
}
User::Groups::Manage_user["apache_in_${real_gid_name}"]{
ensure => $ensure,
}
if $ensure == 'present' {
User::Groups::Manage_user["apache_in_${real_gid_name}"]{
require => User::Sftp_only[$real_uid_name],
}
}
}
}
}
case $run_mode {
'fcgid','itk','proxy-itk','static-itk': {
'fcgid': {
if ($run_uid=='absent') and ($ensure != 'absent') {
fail("you need to define run_uid for ${name} on ${::fqdn} to use itk")
fail("you need to define run_uid for ${name} on ${::fqdn} to use fcgid")
}
if ($user_provider == 'local') {
$real_run_uid = $run_uid ? {
'iuid' => iuid($real_run_uid_name,'webhosting'),
default => $run_uid,
}
$shell = $::operatingsystem ? {
/^(Debian|Ubuntu)$/ => '/usr/sbin/nologin',
default => '/sbin/nologin',
}
user::managed{$real_run_uid_name:
ensure => $ensure,
uid => $run_uid ? {
'iuid' => iuid($real_run_uid_name,'webhosting'),
default => $run_uid,
},
manage_group => false,
managehome => false,
homedir => $vhost_path,
shell => $::operatingsystem ? {
debian => '/usr/sbin/nologin',
ubuntu => '/usr/sbin/nologin',
default => '/sbin/nologin'
},
ensure => $ensure,
manage_group => false,
managehome => false,
homedir => $vhost_path,
uid => $real_run_uid,
shell => $shell,
}
if ($user_access == 'sftp') {
if ($ensure == 'absent') {
......@@ -162,54 +144,30 @@ define webhosting::common(
if $wwwmail {
user::groups::manage_user{
"${real_run_uid_name}_in_wwwmailers":
ensure => $ensure,
group => 'wwwmailers',
user => $real_run_uid_name
ensure => $ensure,
group => 'wwwmailers',
user => $real_run_uid_name
}
if ($ensure == 'present') {
require webhosting::wwwmailers
require ::webhosting::wwwmailers
User::Groups::Manage_user["${real_run_uid_name}_in_wwwmailers"]{
require => User::Managed[$real_run_uid_name],
}
}
}
if ($ensure == 'present') {
$rreal_run_gid = $real_run_gid ? {
'iuid' => iuid($real_uid_name,'webhosting'),
default => $real_run_gid,
}
User::Managed[$real_run_uid_name]{
gid => $real_run_gid ? {
'iuid' => iuid($real_uid_name,'webhosting'),
default => $real_run_gid,
},
gid => $rreal_run_gid,
}
}
}
}
}
if ($user_access == 'webdav'){
apache::vhost::webdav{"webdav.${name}":
domain => $webdav_domain,
configuration => $configuration,
manage_webdir => false,
path => $vhost_path,
path_is_webdir => true,
run_mode => $run_mode,
run_uid => $run_uid,
run_gid => $run_gid,
ssl_mode => $webdav_ssl_mode,
}
if ($user_provider == 'ldap'){
if ($ldap_user == 'absent') {
$real_ldap_user = $name
} else {
$real_ldap_user = $ldap_user
}
Apache::Vhost::Webdav["webdav.${name}"]{
ldap_auth => true,
ldap_user => $real_ldap_user,
}
}
}
if $nagios_check != 'unmanaged' {
if $nagios_check == 'ensure' {
$nagios_ensure = $ensure
......@@ -222,31 +180,33 @@ define webhosting::common(
}
nagios::service::http{$name:
ensure => $nagios_ensure,
check_domain => $nagios_check_domain,
ssl_mode => $ssl_mode,
check_url => $nagios_check_url,
use => $nagios_use,
check_code => $real_nagios_check_code,
ensure => $nagios_ensure,
check_domain => $nagios_check_domain,
ssl_mode => $ssl_mode,
check_url => $nagios_check_url,
use => $nagios_use,
check_code => $real_nagios_check_code,
}
}
$watch_webfiles_ensure = $ensure ? {
'absent' => 'absent',
default => $watch_adjust_webfiles,
}
webhosting::watch_adjust_webfiles{
$name:
ensure => $ensure ? {
'absent' => 'absent',
default => $watch_adjust_webfiles,
},
ensure => $watch_webfiles_ensure,
path => "${vhost_path}/www/",
sftp_user => $real_uid_name,
run_user => $real_run_uid_name,
}
$user_scripts_ensure = $ensure ? {
'absent' => 'absent',
default => $user_scripts
}
webhosting::user_scripts::manage{$name:
ensure => $ensure ? {
'absent' => 'absent',
default => $user_scripts
},
ensure => $user_scripts_ensure,
base_path => $vhost_path,
scripts => $user_scripts,
sftp_user => $real_uid_name,
......@@ -254,4 +214,15 @@ define webhosting::common(
web_group => $real_gid_name,
options => $user_scripts_options,
}
if ($git_repo != 'absent') and ($ensure != 'absent') {
webhosting::utils::clone{
$name:
git_repo => $git_repo,
documentroot => "${vhost_path}/www",
uid_name => $uid_name,
run_uid_name => $real_run_uid_name,
gid_name => $gid_name,
run_mode => $run_mode,
}
}
}
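Review bot: The new `webhosting::utils::clone` resource in the last hunk passes the raw `$uid_name` and `$gid_name` parameters, both of which default to `'absent'` in this define, while every other resource here uses the resolved names (`sftp_user => $real_uid_name`, `web_group => $real_gid_name`, `user::sftp_only{$real_uid_name:`), which are computed earlier in the define outside the visible hunks. A caller that leaves `uid_name` unset would hand the literal string `absent` to the clone as the owner of `${vhost_path}/www`, so the checkout could end up owned by a non-existent or wrong account; `uid_name => $real_uid_name,` and `gid_name => $real_gid_name,` keep it consistent with the rest of the define. `webhosting::modperl` happens to pass the already-resolved names today, which presumably masks this for that caller. It is also not visible whether `webhosting::utils::clone` orders itself after `User::Sftp_only[$real_uid_name]` and `User::Managed[$real_run_uid_name]`; if it does not, a `require` on those resources is needed when `$user_provider` is `local`. The enclosing `define webhosting::common` starts outside this hunk.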
......@@ -7,10 +7,10 @@
# - everything else will currently do noting
# run_mode:
# - normal: nothing special (*default*)
# - itk: apache is running with the itk module
# - fcgid: apache is running with the fcgid module and suexec
# and run_uid and run_gid are used as vhost users
# run_uid: the uid the vhost should run as with the itk module
# run_gid: the gid the vhost should run as with the itk module
# run_uid: the uid the vhost should run as with the suexec module
# run_gid: the gid the vhost should run as with the suexec module
#
# logmode:
# - default: Do normal logging to CustomLog and ErrorLog
......@@ -18,141 +18,144 @@
# - anonym: Don't log ips for CustomLog, send ErrorLog to /dev/null
# - semianonym: Don't log ips for CustomLog, log normal ErrorLog
define webhosting::modperl(
$ensure = present,
$configuration = {},
$uid = 'absent',
$uid_name = 'absent',
$gid = 'uid',
$gid_name = 'absent',
$user_provider = 'local',
$password = 'absent',
$password_crypted = true,
$domain = 'absent',
$domainalias = 'www',
$server_admin = 'absent',
$logmode = 'default',
$owner = root,
$group = 'sftponly',
$run_mode = 'normal',
$run_uid = 'absent',
$run_uid_name = 'absent',
$run_gid = 'absent',
$run_gid_name = 'absent',
$watch_adjust_webfiles = 'absent',
$wwwmail = false,
$allow_override = 'None',
$do_includes = false,
$options = 'absent',
$additional_options = 'absent',
$default_charset = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$template_partial = 'absent',
$vhost_source = 'absent',
$vhost_destination = 'absent',
$htpasswd_file = 'absent',
$nagios_check = 'ensure',
$nagios_check_domain = 'absent',
$nagios_check_url = '/',
$nagios_check_code = '200',
$nagios_use = 'generic-service',
$mod_security = true
$ensure = present,
$configuration = {},
$uid = 'absent',
$uid_name = 'absent',
$gid = 'uid',
$gid_name = 'absent',
$user_provider = 'local',
$password = 'absent',
$password_crypted = true,
$domain = 'absent',
$domainalias = 'www',
$server_admin = 'absent',
$logmode = 'default',
$owner = root,
$group = 'sftponly',
$run_mode = 'normal',
$run_uid = 'absent',
$run_uid_name = 'absent',
$run_gid = 'absent',
$run_gid_name = 'absent',
$watch_adjust_webfiles = 'absent',
$wwwmail = false,
$allow_override = 'None',
$do_includes = false,
$options = 'absent',
$additional_options = 'absent',
$default_charset = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$template_partial = 'absent',
$vhost_source = 'absent',
$vhost_destination = 'absent',
$htpasswd_file = 'absent',
$nagios_check = 'ensure',
$nagios_check_domain = 'absent',
$nagios_check_url = '/',
$nagios_check_code = '200',
$nagios_use = 'generic-service',
$mod_security = true,
$git_repo = 'absent',
){
if ($uid_name == 'absent'){
$real_uid_name = $name
} else {
$real_uid_name = $uid_name
}
if ($gid_name == 'absent'){
$real_gid_name = $real_uid_name
} else {
$real_gid_name = $gid_name
}
webhosting::common{$name:
ensure => $ensure,
configuration => $configuration,
uid => $uid,
uid_name => $real_uid_name,
gid => $gid,
gid_name => $real_gid_name,
user_provider => $user_provider,
password => $password,
password_crypted => $password_crypted,
htpasswd_file => $htpasswd_file,
ssl_mode => $ssl_mode,
run_mode => $run_mode,
run_uid => $run_uid,
run_uid_name => $run_uid_name,
run_gid => $run_gid,
watch_adjust_webfiles => $watch_adjust_webfiles,
wwwmail => $wwwmail,
nagios_check => $nagios_check,
nagios_check_domain => $nagios_check_domain,
nagios_check_url => $nagios_check_url,
nagios_check_code => $nagios_check_code,
nagios_use => $nagios_use,
}
apache::vhost::modperl{"${name}":
ensure => $ensure,
configuration => $configuration,
domain => $domain,
domainalias => $domainalias,
server_admin => $server_admin,
logmode => $logmode,
group => $group,
allow_override => $allow_override,
do_includes => $do_includes,
options => $options,
additional_options => $additional_options,
default_charset => $default_charset,
run_mode => $run_mode,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
vhost_destination => $vhost_destination,
htpasswd_file => $htpasswd_file,
mod_security => $mod_security,
}
case $run_mode {
'fcgid','itk','proxy-itk','static-itk': {
if ($run_uid_name == 'absent'){
$real_run_uid_name = "${name}_run"
} else {
$real_run_uid_name = $run_uid_name
}
if ($run_gid_name == 'absent'){
$real_run_gid_name = $gid_name ? {
'absent' => $name,
default => $gid_name
}
} else {
$real_run_gid_name = $run_gid_name
}
Apache::Vhost::Modperl[$name]{
documentroot_owner => $real_uid_name,
documentroot_group => $real_gid_name,
documentroot_mode => 0750,
run_uid => $real_run_uid_name,
run_gid => $real_run_gid_name,
}
if ($user_provider == 'local') {
Apache::Vhost::Modperl[$name]{
require => [ User::Sftp_only["${real_uid_name}"], User::Managed["${real_run_uid_name}"] ],
}
}
if ($uid_name == 'absent'){
$real_uid_name = $name
} else {
$real_uid_name = $uid_name
}
if ($gid_name == 'absent'){
$real_gid_name = $real_uid_name
} else {
$real_gid_name = $gid_name
}
webhosting::common{$name:
ensure => $ensure,
configuration => $configuration,
uid => $uid,
uid_name => $real_uid_name,
gid => $gid,
gid_name => $real_gid_name,
user_provider => $user_provider,
password => $password,
password_crypted => $password_crypted,
htpasswd_file => $htpasswd_file,
ssl_mode => $ssl_mode,
run_mode => $run_mode,
run_uid => $run_uid,
run_uid_name => $run_uid_name,
run_gid => $run_gid,
watch_adjust_webfiles => $watch_adjust_webfiles,
wwwmail => $wwwmail,
nagios_check => $nagios_check,
nagios_check_domain => $nagios_check_domain,
nagios_check_url => $nagios_check_url,
nagios_check_code => $nagios_check_code,
nagios_use => $nagios_use,
git_repo => $git_repo,
}
apache::vhost::modperl{$name:
ensure => $ensure,
configuration => $configuration,
domain => $domain,
domainalias => $domainalias,
server_admin => $server_admin,
logmode => $logmode,
group => $group,
allow_override => $allow_override,
do_includes => $do_includes,
options => $options,
additional_options => $additional_options,
default_charset => $default_charset,
run_mode => $run_mode,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
vhost_destination => $vhost_destination,
htpasswd_file => $htpasswd_file,
mod_security => $mod_security,
}
case $run_mode {
'fcgid': {
if ($run_uid_name == 'absent'){
$real_run_uid_name = "${name}_run"
} else {
$real_run_uid_name = $run_uid_name
}
if ($run_gid_name == 'absent'){
$real_run_gid_name = $gid_name ? {
'absent' => $name,
default => $gid_name
}
default: {
if ($user_provider == 'local') {
Apache::Vhost::Modperl[$name]{
require => User::Sftp_only["${real_uid_name}"],
}
}
} else {
$real_run_gid_name = $run_gid_name
}
Apache::Vhost::Modperl[$name]{
documentroot_owner => $real_uid_name,
documentroot_group => $real_gid_name,
documentroot_mode => '0750',
run_uid => $real_run_uid_name,
run_gid => $real_run_gid_name,
}
if ($user_provider == 'local') {
Apache::Vhost::Modperl[$name]{
require => [ User::Sftp_only[$real_uid_name],
User::Managed[$real_run_uid_name] ],
}
}
}
if ($template_partial != 'absent') {
Apache::Vhost::Modperl[$name]{
template_partial => $template_partial,
default: {
if ($user_provider == 'local') {
Apache::Vhost::Modperl[$name]{
require => User::Sftp_only[$real_uid_name],
}
}
}
}
if ($template_partial != 'absent') {
Apache::Vhost::Modperl[$name]{
template_partial => $template_partial,
}
}
}
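Review bot: With the itk modes dropped, the `case $run_mode` in the new code has only a `'fcgid'` branch and a `default`, so a manifest that still passes `run_mode => 'itk'`, `'proxy-itk'` or `'static-itk'` (values the old branch accepted) no longer errors but silently falls through to `default`, where the vhost gets no dedicated run user and only `require => User::Sftp_only[$real_uid_name]`. Since the point of this commit is to remove those modes, rejecting a stale value is safer than letting it quietly change which account the vhost runs as; a guard before the `case`, such as `if $run_mode in ['itk', 'proxy-itk', 'static-itk'] { fail("run_mode ${run_mode} is no longer supported for ${name}") }`, surfaces the removal at catalog compile time. The same silent fallback exists in the `case $run_mode` blocks of `webhosting::common` in this commit. The `run_mode` header comment above could also note that the itk modes are gone rather than only listing `normal` and `fcgid`.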
......@@ -4,18 +4,11 @@
# - default: add the string
# user_provider:
# - local: user will be crated locally (*default*)
# - ldap: ldap settings will be passed and ldap authorization
# is mandatory using webdav as user_access
# - everything else will currently do noting
<