many improvements - make it work on EL7

* simplify a lot of things, like
** manage settings through ini_settings and not the whole file
** remove this small classes into bigger ones
* support EL7
* support more scls and simplify their management
* also pull in the default settings into scls
* add phpmore repository

files/apache/CentOS/php.conf

-#
-# PHP is an HTML-embedded scripting language which attempts to make it
-# easy for developers to write dynamically generated webpages.
-#
-<IfModule prefork.c>
-  LoadModule php5_module modules/libphp5.so
-</IfModule>
-<IfModule mpm_itk_module>
-  LoadModule php5_module modules/libphp5.so
-</IfModule>
-<IfModule worker.c>
-  LoadModule php5_module modules/libphp5-zts.so
-</IfModule>
-
-#
-# Cause the PHP interpreter to handle files with a .php extension.
-#
-AddHandler php5-script .php
-AddType text/html .php
-
-#
-# Add index.php to the list of files that will be served as directory
-# indexes.
-#
-DirectoryIndex index.php
-
-#
-# Uncomment the following line to allow PHP to pretty-print .phps
-# files as PHP source code:
-#
-#AddType application/x-httpd-php-source .phps
-
-# for security reasons we turn php by default off and only enable it by vhost
-php_admin_flag engine off
-
-# and we turn safe mode by default on
-php_admin_flag safe_mode On

manifests/base.pp

 # setup php
 class php::base {
   package{'php':
-    ensure => present,
-    notify => Service['apache'],
-  }
-  file{
-    'php_ini_config':
-      path    => '/etc/php.ini',
-      source  => [
-        "puppet:///modules/site_php/${::fqdn}/php.ini",
-        "puppet:///modules/site_php/${php::cluster_node}/php.ini",
-        'puppet:///modules/site_php/php.ini',
-        "puppet:///modules/php/config/php.ini.${::architecture}",
-        'puppet:///modules/php/config/php.ini'
-      ],
-      require => Package['php'],
-      notify  => Service['apache'],
-      owner   => root,
-      group   => 0,
-      mode    => '0644';
+    ensure  => present,
+    require => Package['apache'],
+  } -> file{
     '/etc/php.d/timezone.ini':
       content => "date.timezone = '${php::timezone}'\n",
-      require => Package['php'],
       notify  => Service['apache'],
       owner   => root,
       group   => 0,
       mode    => '0644';
   }
 
-  include ::php::suhosin
+  $php_settings = deep_merge($php::security_settings,deep_merge($php::settings,
+    $php::params::global_settings))
+  $defaults = {
+    path    => '/etc/php.ini',
+    require => Package['php'],
+    notify  => Service['apache'],
+  }
+  create_ini_settings($php_settings,$defaults)
+
+  package{'php-suhosin':
+    ensure  => installed,
+    require => Package['php'],
+  }
+  if $php::suhosin_cryptkey {
+    $default_suhosin_settings = {
+      'suhosin.session.cryptkey' => sha1("${php::suhosin_cryptkey}_session"),
+      'suhosin.cookie.cryptkey'  => sha1("${php::suhosin_cryptkey}_cookie"),
+    }
+  } else {
+    $default_suhosin_settings = {}
+  }
+  $suhosin_settings = merge(merge($php::suhosin_settings,
+                                    $php::suhosin_default_settings),
+                              $default_suhosin_settings)
+  $suhosin_defaults = {
+    path    => '/etc/php.d/suhosin.ini',
+    require => Package['php-suhosin'],
+    notify  => Service['apache'],
+  }
+  create_ini_settings({'' => $suhosin_settings},$suhosin_defaults)
+
   include ::php::extensions::common
+
   if versioncmp($::operatingsystemmajrelease,'6') > 0 {
     include ::php::extensions::pecl::opcache
   } else {
     include ::php::apc
   }
+  if versioncmp($::operatingsystemmajrelease,'5') > 0 {
+    yum::repo{
+      "remi-morephp":
+        descr    => "Copr repo for morephp owned by remi",
+        baseurl  => "https://copr-be.cloud.fedoraproject.org/results/remi/morephp/epel-${::operatingsystemmajrelease}-\$basearch/",
+        gpgkey   => 'https://copr-be.cloud.fedoraproject.org/results/remi/morephp/pubkey.gpg',
+        enabled  => 1,
+        gpgcheck => 1,
+        before   => Package['php'],
+    }
+  }
 }

manifests/centos.pp

-# centos specific php stuff
-class php::centos inherits php::base {
-  file{'/etc/httpd/conf.d/php.conf':
-    source  => [
-      "puppet:///modules/site_php/apache/${::operatingsystem}/${::fqdn}/php.conf",
-      "puppet:///modules/site_php/apache/${::operatingsystem}/php.conf",
-      "puppet:///modules/php/apache/${::operatingsystem}/php.conf",
-    ],
-    require => [ Package['php'], Package['apache'] ],
-    notify  => Service['apache'],
-    owner   => root,
-    group   => 0,
-    mode    => '0644';
-  }
-}

manifests/init.pp

@@ -6,11 +6,12 @@
 # Simon Josi josi+puppet(at)puzzle.ch
 # See LICENSE for the full license granted to you.
 class php(
-  $cluster_node = '',
-  $timezone     = 'Europe/Berlin',
-) {
-  case $::operatingsystem {
-    'CentOS': { include php::centos }
-    default: { include php::base }
-  }
+  $settings                 = {},
+  $timezone                 = $php::params::timezone,
+  $security_settings        = $php::params::security_settings,
+  $suhosin_settings         = $php::params::suhosin_settings,
+  $suhosin_default_settings = $php::params::suhosin_default_settings,
+  $suhosin_cryptkey         = $php::params::suhosin_cryptkey,
+) inherits php::params {
+  include ::php::base
 }

manifests/mod_fcgid/centos.pp

 # fcgid on centos
-class php::mod_fcgid::centos inherits php::centos {
-  File['/etc/httpd/conf.d/php.conf']{
-    ensure => absent,
+class php::mod_fcgid::centos {
+  file{'/etc/httpd/conf.d/php.conf':
+    ensure  => absent,
+    require => Package['php'],
+    notify  => Service['apache'],
   }
 }

manifests/params.pp

+# some default params for php
+class php::params(
+  $global_settings          = {},
+  # following https://github.com/sektioneins/pcc
+  # and https://www.owasp.org/index.php/PHP_Configuration_Cheat_Sheet
+  $security_settings        = {
+    'PHP' => {
+      expose_php           => 'Off',
+      default_charset      => 'UTF-8',
+      allow_url_fopen      => 'Off',
+      allow_url_include    => 'Off',
+      disable_functions    => '"phpinfo, pcntl_exec, show_source"',
+    },
+    'Assertion' => {
+      'assert.active' => 'Off',
+    },
+    'mail function' => {
+      'mail.add_x_header' => 'Off',
+    },
+  },
+  $suhosin_default_settings = {
+    'suhosin.cookie.encrypt'                 => 'On',
+    'suhosin.get.disallow_ws'                => 'On',
+    'suhosin.post.disallow_ws'               => 'On',
+    'suhosin.disable.display_errors'         => 'On',
+    'suhosin.executor.include.max_traversal' => '5',
+    'suhosin.executor.disable_emodifier'     => 'On',
+    'session.use_strict_mode'                => 'On',
+  },
+  $suhosin_cryptkey         = undef,
+) {
+}

manifests/scl/params.pp

+# some general params for scl
+class php::scl::params(
+  $timezone         = 'Europe/Berlin',
+  $settings         = {},
+  $suhosin_cryptkey = undef,
+  $suhosin_settings = {},
+) {
+}

manifests/scl/php54.pp

-# manage an scl php54 installation
+# manage an scl php55 installation
 class php::scl::php54(
-  $timezone = 'Europe/Berlin',
-) {
-  require ::scl::php54
-  file{
-    '/opt/rh/php54/root/etc/php.ini':
-      source  => [
-        "puppet:///modules/site_php/scl_php54/${::fqdn}/php.ini",
-        "puppet:///modules/site_php/scl_php54/${php::cluster_node}/php.ini",
-        'puppet:///modules/site_php/scl_php54/php.ini',
-        'puppet:///modules/php/config/scl_php54/php.ini'
-      ],
-      notify  => Service['apache'],
-      owner   => root,
-      group   => 0,
-      mode    => '0644';
-    '/opt/rh/php54/root/etc/php.d/timezone.ini':
-      content => "date.timezone = '${timezone}'\n",
-      require => Package['php'],
-      notify  => Service['apache'],
-      owner   => root,
-      group   => 0,
-      mode    => '0644';
-    }
+  $timezone         = $php::scl::params::timezone,
+  $settings         = $php::scl::params::settings,
+  $suhosin_cryptkey = $php::scl::params::suhosin_cryptkey,
+  $suhosin_settings = $php::scl::params::suhosin_settings,
+) inherits php::scl::params {
+  $basedir = '/opt/rh/php54'
+  $etcdir  = "${basedir}/root/etc"
+  php::scl::phpx{'54':
+    etcdir           => $etcdir,
+    timezone         => $timezone,
+    settings         => $settings,
+    suhosin_cryptkey => $suhosin_cryptkey,
+    suhosin_settings => $suhosin_settings,
+  }
 }

manifests/scl/php55.pp

 # manage an scl php55 installation
 class php::scl::php55(
-  $timezone = 'Europe/Berlin',
-) {
-  require ::scl::php55
-  file{
-    '/opt/rh/php55/root/etc/php.ini':
-      source  => [
-        "puppet:///modules/site_php/scl_php55/${::fqdn}/php.ini",
-        "puppet:///modules/site_php/scl_php55/${php::cluster_node}/php.ini",
-        'puppet:///modules/site_php/scl_php55/php.ini',
-        'puppet:///modules/php/config/scl_php55/php.ini'
-      ],
-      notify  => Service['apache'],
-      owner   => root,
-      group   => 0,
-      mode    => '0644';
-    '/opt/rh/php55/root/etc/php.d/timezone.ini':
-      content => "date.timezone = '${timezone}'\n",
-      require => Package['php'],
-      notify  => Service['apache'],
-      owner   => root,
-      group   => 0,
-      mode    => '0644';
+  $timezone         = $php::scl::params::timezone,
+  $settings         = $php::scl::params::settings,
+  $suhosin_cryptkey = $php::scl::params::suhosin_cryptkey,
+  $suhosin_settings = $php::scl::params::suhosin_settings,
+) inherits php::scl::params {
+  $basedir = '/opt/rh/php55'
+  $etcdir  = "${basedir}/root/etc"
+  php::scl::phpx{'55':
+    etcdir           => $etcdir,
+    timezone         => $timezone,
+    settings         => $settings,
+    suhosin_cryptkey => $suhosin_cryptkey,
+    suhosin_settings => $suhosin_settings,
   }
 }

manifests/scl/php56.pp

+# manage an scl php56 installation
+class php::scl::php56(
+  $timezone         = $php::scl::params::timezone,
+  $settings         = $php::scl::params::settings,
+  $suhosin_cryptkey = $php::scl::params::suhosin_cryptkey,
+  $suhosin_settings = $php::scl::params::suhosin_settings,
+) inherits php::scl::params {
+  $basedir = '/opt/rh/rh-php56'
+  $etcdir  = '/etc/opt/rh/rh-php56'
+  php::scl::phpx{'56':
+    etcdir           => $etcdir,
+    timezone         => $timezone,
+    settings         => $settings,
+    suhosin_cryptkey => $suhosin_cryptkey,
+    suhosin_settings => $suhosin_settings,
+  }
+}

manifests/scl/phpx.pp

+# manage an scl phpX installation
+# this should do everything you need
+# for an scl installation
+define php::scl::phpx(
+  $etcdir           = "/opt/rh/php${name}/root/etc",
+  $timezone         = 'Europe/Berlin',
+  $settings         = {},
+  $suhosin_cryptkey = undef,
+  $suhosin_settings = {}
+) {
+  require "::scl::php${name}"
+  file{
+    "${etcdir}/php.d/timezone.ini":
+      content => "date.timezone = '${timezone}'\n",
+      require => Class["scl::php${name}"],
+      notify  => Service['apache'],
+      owner   => root,
+      group   => 0,
+      mode    => '0644';
+  }
+  include ::php::params
+  $php_settings = deep_merge(deep_merge($php::params::security_settings,
+                    $php::params::global_settings),$settings)
+  $defaults = {
+    path    => "${etcdir}/php.ini",
+    require => Class["scl::php${name}"],
+    notify  => Service['apache'],
+  }
+  create_ini_settings($php_settings,$defaults)
+
+  if $suhosin_cryptkey {
+    $default_suhosin_settings = {
+      'suhosin.session.cryptkey' => sha1("${suhosin_cryptkey}_session_${name}"),
+      'suhosin.cookie.cryptkey'  => sha1("${suhosin_cryptkey}_cookie_${name}"),
+    }
+  } else {
+    $default_suhosin_settings = {}
+  }
+  $php_suhosin_settings = merge(merge($suhosin_settings,
+                                    $php::params::suhosin_default_settings),
+                              $default_suhosin_settings)
+  $suhosin_defaults = {
+    path    => "${etcdir}/php.d/suhosin.ini",
+    require => Class["scl::php${name}"],
+    notify  => Service['apache'],
+  }
+  create_ini_settings({'' => $php_suhosin_settings},$suhosin_defaults)
+}

manifests/suhosin.pp

 # manage suhosin package
-class php::suhosin {
-  package{'php-suhosin':
-    ensure => installed,
-  }
+class php::suhosin(
+
+) {
 }