| -rw-r--r-- | manifests/config.pp | 13 | ||||
| -rw-r--r-- | manifests/ffmpeg.pp | 5 | ||||
| -rw-r--r-- | manifests/imap.pp | 9 | ||||
| -rw-r--r-- | manifests/init.pp | 65 | ||||
| -rw-r--r-- | manifests/series5.pp | 61 | ||||
| -rw-r--r-- | manifests/series5/defaults.pp (renamed from manifests/defaults.pp) | 2 | ||||
| -rw-r--r-- | manifests/series5/hardened.pp (renamed from manifests/hardened.pp) | 2 | ||||
| -rw-r--r-- | manifests/series5/packages/default.pp (renamed from manifests/packages/default.pp) | 2 | ||||
| -rw-r--r-- | manifests/series5/packages/dpa.pp (renamed from manifests/packages/dpa.pp) | 2 | ||||
| -rw-r--r-- | manifests/series5/packages/ppa.pp (renamed from manifests/packages/ppa.pp) | 2 | ||||
| -rw-r--r-- | manifests/series7.pp | 25 | ||||
| -rw-r--r-- | manifests/series7/defaults.pp | 7 | ||||
| -rw-r--r-- | manifests/series7/hardened.pp | 8 | 
13 files changed, 129 insertions, 74 deletions
| diff --git a/manifests/config.pp b/manifests/config.pp index b92ea26..93c0e5b 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -1,11 +1,18 @@ -define php::config($order = '20', $value, $ensure = 'present', $sapi = 'apache2') { -  file { "${::php::folder}/${sapi}/conf.d/${order}-${name}.ini": +define php::config($series = '5', $order = '20', $value, $ensure = 'present', $sapi = 'apache2') { +  if $series == '5' { +    $folder = $::php::series5::folder +  } +  else { +    $folder = $::php::series7::folder +  } + +  file { "${folder}/${sapi}/conf.d/${order}-${name}.ini":      ensure  => $ensure,      owner   => root,      group   => root,      mode    => '0644',      content => "${name}=${value}\n", -    require => File["${::php::folder}/${sapi}/conf.d"], +    require => File["${folder}/${sapi}/conf.d"],      notify  => $sapi ? {        'apache2' => Service['apache2'],        default   => undef, diff --git a/manifests/ffmpeg.pp b/manifests/ffmpeg.pp deleted file mode 100644 index 3997cb1..0000000 --- a/manifests/ffmpeg.pp +++ /dev/null @@ -1,5 +0,0 @@ -class php::ffmpeg { -  package { 'php-ffmpeg': -    ensure  => present, -  } -} diff --git a/manifests/imap.pp b/manifests/imap.pp index 381add6..805951d 100644 --- a/manifests/imap.pp +++ b/manifests/imap.pp @@ -1,5 +1,10 @@ -class php::imap inherits php { -  package { 'php5-imap': +class php::imap { +  $pack = $::php::series ? { +    '5'      => 'php5-imap', +     default => 'php-imap', +  } + +  package { "${pack"}:      ensure => installed,    }  } diff --git a/manifests/init.pp b/manifests/init.pp index edd0c2b..3c699fc 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
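Review bot: The new `$series` parameter of `php::config` defaults to `'5'`, and the `else` branch treats every other value as series 7, so the define can disagree with the series chosen on the `php` class. A `php::config` declared on a series-7 node without `series => '7'` resolves `$::php::series5::folder`, which is presumably unset there, so the setting (hardening values included) does not land in the PHP 7 tree. Defaulting to the class value, `$series = $::php::series`, as `php::imap` already does, would keep the two in step. An explicit `'7'` branch plus a failing default such as `fail("php::config: unsupported series '${series}'")` would turn typos into a clear error instead of a wrong path.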
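Review bot: The package title in the new `php::imap` is written `"${pack"}:`, with the closing brace and the quote transposed, so the manifest will not parse; it should read `package { $pack:` (or `"${pack}":`). The class also no longer inherits `php`, so `$::php::series` is only set if `php` has been evaluated before `php::imap`; otherwise the selector falls to `default` and picks `php-imap` even on a series-5 node. Stating the dependency on the `php` class at the top of `php::imap`, or at least in a header comment, would make that ordering requirement explicit.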
@@ -16,64 +16,11 @@  # You should have received a copy of the GNU Affero General Public License  # along with this program.  If not, see <http://www.gnu.org/licenses/>. -class php($hardened = true) { -  case $::lsbdistcodename { -    'xenial': { -      include php::packages::ppa -    } -    'stretch': { -      include php::packages::dpa -    } -    default: { -      include php::packages::default -    } -  } - -  $folder = $::lsbdistcodename ? { -    'xenial'  => '/etc/php/5.6', -    'stretch' => '/etc/php/5.6', -    default   => '/etc/php5', -  } - -  file { [ "${folder}", "${folder}/cli", "${folder}/apache2", "${folder}/cli/conf.d", "${folder}/apache2/conf.d" ]: -    ensure  => directory, -    owner   => root, -    group   => root, -    mode    => '0755', -    require => Package['php5'], -  } - -  #file { "${folder}/cli/php.ini": -  #  ensure  => present, -  #  owner   => root, -  #  group   => root, -  #  mode    => '0644', -  #  source  => [ "puppet:///modules/site_php/cli/${::fqdn}/php.ini", -  #               "puppet:///modules/site_php/cli/${::domain}/php.ini", -  #               "puppet:///modules/php/cli/php.${::operatingsystem}_${::lsbdistcodename}.ini", -  #               "puppet:///modules/php/cli/php.${::operatingsystem}.ini", -  #               "puppet:///modules/php/cli/php.ini" ], -  #  require => [ Package['php5'], File["${folder}/cli"] ], -  #} - -  #file { "${folder}/apache2/php.ini": -  #  ensure  => present, -  #  owner   => root, -  #  group   => root, -  #  mode    => '0644', -  #  source  => [ "puppet:///modules/site_php/apache2/${::fqdn}/php.ini", -  #               "puppet:///modules/site_php/apache2/${::domain}/php.ini", -  #               "puppet:///modules/php/apache2/php.${::operatingsystem}_${::lsbdistcodename}.ini", -  #               "puppet:///modules/php/apache2/php.${::operatingsystem}.ini", -  #               "puppet:///modules/php/apache2/php.ini" ], -  #  notify  => Service['apache2'], -  #  require => [ Package['php5'], 
File["${folder}/apache2"] ], -  #} - -  include php::resources -  include php::defaults - -  if $hardened == true { -    include php::hardened +class php( +  $series   = '5', +  $hardened = true, +){ +  class { "php::series${series}": +    hardened => $hardened,    }  } diff --git a/manifests/series5.pp b/manifests/series5.pp new file mode 100644 index 0000000..50ab6f4 --- /dev/null +++ b/manifests/series5.pp 
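Review bot: `$series` is interpolated straight into the class name in `class { "php::series${series}":` without being checked, so a typo or an unsupported value surfaces only as an unknown-class error far from its cause. A guard ahead of the declaration, for example `unless $series in ['5', '7'] { fail("php: unsupported series '${series}'") }`, gives one clear failure point. The class body no longer hints at what `series` accepts, so a short header comment documenting `series` and `hardened` would help. The removal of `$folder` from this class also means any external reference to `$::php::folder` now resolves to nothing.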
@@ -0,0 +1,61 @@ +class php::series5($hardened = true) { +  case $::lsbdistcodename { +    'xenial': { +      include php::series5::packages::ppa +    } +    'stretch': { +      include php::series5::packages::dpa +    } +    default: { +      include php::series5::packages::default +    } +  } + +  $folder = $::lsbdistcodename ? { +    'xenial'  => '/etc/php/5.6', +    'stretch' => '/etc/php/5.6', +    default   => '/etc/php5', +  } + +  file { [ "${folder}", "${folder}/cli", "${folder}/apache2", "${folder}/cli/conf.d", "${folder}/apache2/conf.d" ]: +    ensure  => directory, +    owner   => root, +    group   => root, +    mode    => '0755', +    require => Package['php5'], +  } + +  #file { "${folder}/cli/php.ini": +  #  ensure  => present, +  #  owner   => root, +  #  group   => root, +  #  mode    => '0644', +  #  source  => [ "puppet:///modules/site_php/cli/${::fqdn}/php.ini", +  #               "puppet:///modules/site_php/cli/${::domain}/php.ini", +  #               "puppet:///modules/php/cli/php.${::operatingsystem}_${::lsbdistcodename}.ini", +  #               "puppet:///modules/php/cli/php.${::operatingsystem}.ini", +  #               "puppet:///modules/php/cli/php.ini" ], +  #  require => [ Package['php5'], File["${folder}/cli"] ], +  #} + +  #file { "${folder}/apache2/php.ini": +  #  ensure  => present, +  #  owner   => root, +  #  group   => root, +  #  mode    => '0644', +  #  source  => [ "puppet:///modules/site_php/apache2/${::fqdn}/php.ini", +  #               "puppet:///modules/site_php/apache2/${::domain}/php.ini", +  #               "puppet:///modules/php/apache2/php.${::operatingsystem}_${::lsbdistcodename}.ini", +  #               "puppet:///modules/php/apache2/php.${::operatingsystem}.ini", +  #               "puppet:///modules/php/apache2/php.ini" ], +  #  notify  => Service['apache2'], +  #  require => [ Package['php5'], File["${folder}/apache2"] ], +  #} + +  include php::resources +  include php::series5::defaults + +  if $hardened == 
true { +    include php::series5::hardened +  } +} diff --git a/manifests/defaults.pp b/manifests/series5/defaults.pp index a36c9a9..15cb8a2 100644 --- a/manifests/defaults.pp +++ b/manifests/series5/defaults.pp @@ -1,4 +1,4 @@ -class php::defaults { +class php::series5::defaults {    php::config {      'error_reporting'     : value => 'E_ALL & ~E_NOTICE & ~E_STRICT';      'post_max_size'       : value => '100M'; diff --git a/manifests/hardened.pp b/manifests/series5/hardened.pp index 5340dd7..e512402 100644 --- a/manifests/hardened.pp +++ b/manifests/series5/hardened.pp @@ -1,4 +1,4 @@ -class php::hardened { +class php::series5::hardened {    php::config {      'allow_url_fopen'   : value => 'Off';      'allow_url_include' : value => 'Off'; diff --git a/manifests/packages/default.pp b/manifests/series5/packages/default.pp index e1f2bf1..f16e03e 100644 --- a/manifests/packages/default.pp +++ b/manifests/series5/packages/default.pp @@ -1,4 +1,4 @@ -class php::packages::default { +class php::series5::packages::default {    # The needed packages: we could also try libapache2-mod-php5filter    package { [ 'php5', 'php5-mysql', 'php5-sqlite', 'php5-cli', 'php5-curl', 'php5-gmp', 'libapache2-mod-php5' ]:      ensure => installed, diff --git a/manifests/packages/dpa.pp b/manifests/series5/packages/dpa.pp index b09b061..f9fad94 100644 --- a/manifests/packages/dpa.pp +++ b/manifests/series5/packages/dpa.pp @@ -1,4 +1,4 @@ -class php::packages::dpa { +class php::series5::packages::dpa {    file { '/etc/apt/trusted.gpg.d/deb.sury.org-php.gpg':      ensure  => present,      owner   => "root", diff --git a/manifests/packages/ppa.pp b/manifests/series5/packages/ppa.pp index e38cccb..f821ab4 100644 --- a/manifests/packages/ppa.pp +++ b/manifests/series5/packages/ppa.pp @@ -1,4 +1,4 @@ -class php::packages::ppa { +class php::series5::packages::ppa {    #package { 'python-software-properties':    #  ensure => present,    #} 
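Review bot: The hardening include is gated on `if $hardened == true`, here and again in `php::series7`, so any value that is not the boolean `true` skips the hardened settings without a warning. A string `'true'` arriving from an ENC or Hiera would likely be such a value. Validating the parameter, for instance with `validate_bool($hardened)` if the module may depend on stdlib, or failing on non-boolean input, makes the switch fail closed rather than open. The rest of this file is moved unchanged from `init.pp`.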
diff --git a/manifests/series7.pp b/manifests/series7.pp
new file mode 100644
index 0000000..47fa8f9
--- /dev/null
+++ b/manifests/series7.pp
@@ -0,0 +1,25 @@
+class php::series7($hardened = true) {
+  $folder = '/etc/php/7.0'
+
+  package { [ 'php', 'php-mysql', 'php-sqlite3', 'php-cli', 'php-curl', 'php-gmp', 'libapache2-mod-php7.0' ]:
+    ensure => installed,
+  }
+
+  # Optional packages
+  package { [ "php-gd", "php-imagick" ]:
+    ensure => installed,
+  }
+
+  # The needed apache modules
+  #apache::module { 'php':
+  #  ensure  => present,
+  #  require => Package['libapache2-mod-php7.0'],
+  #}
+
+  include php::resources
+  include php::series7::defaults
+
+  if $hardened == true {
+    include php::series7::hardened
+  }
+}
diff --git a/manifests/series7/defaults.pp b/manifests/series7/defaults.pp
new file mode 100644
index 0000000..936d165
--- /dev/null
+++ b/manifests/series7/defaults.pp
@@ -0,0 +1,7 @@
+class php::series7::defaults {
+  php::config {
+    'error_reporting'     : series => '7', value => 'E_ALL & ~E_NOTICE & ~E_STRICT';
+    'post_max_size'       : series => '7', value => '100M';
+    'upload_max_filesize' : series => '7', value => '100M';
+  }
+}
diff --git a/manifests/series7/hardened.pp b/manifests/series7/hardened.pp
new file mode 100644
index 0000000..73cf21a
--- /dev/null
+++ b/manifests/series7/hardened.pp
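Review bot: `php::series7` declares no `file` resources for `${folder}/apache2/conf.d` or `${folder}/cli/conf.d`, yet every `php::config` carries `require => File["${folder}/${sapi}/conf.d"]`. Unless `php::resources` (not visible here) declares those directories, the series-7 defaults and hardened settings cannot be applied, because the catalog references a resource that does not exist. Mirroring the directory block from `php::series5` (`file { [ ... ]: ensure => directory, ... }` with `require => Package['php']`) would close the gap. The hard-coded `'/etc/php/7.0'` and `libapache2-mod-php7.0` tie the class to one minor version, which deserves at least a comment.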
@@ -0,0 +1,8 @@
+class php::series7::hardened {
+  php::config {
+    'allow_url_fopen'   : series => '7', value => 'Off';
+    'allow_url_include' : series => '7', value => 'Off';
+    'disable_functions' : series => '7', value => 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, show_source, dl, symlink, system_exec';
+    #series => '7', value => 'disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, curl_init, parse_ini_file, show_source, dl, symlink, syslog, mail, system_exec',
+  }
+} |
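Review bot: The live `disable_functions` value and the commented-out variant below it differ (the comment also lists `curl_init`, `parse_ini_file`, `syslog` and `mail`), with nothing to say which list is the intended policy. The live list also repeats `pcntl_exec` and `proc_open` and ends with `system_exec`, which does not appear to be a PHP function. Replacing the dead line with a short comment such as `# curl_init, parse_ini_file, syslog and mail left enabled because <reason>` and de-duplicating the list would make the policy reviewable. Since `php::config` defaults `sapi` to `'apache2'`, these settings land only in the apache2 `conf.d`; covering the CLI as well would need a second declaration.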
