-rw-r--r-- | manifests/apc.pp | 4 | ||||
-rw-r--r-- | manifests/config.pp | 8 | ||||
-rw-r--r-- | manifests/fpm.pp | 6 | ||||
-rw-r--r-- | manifests/init.pp | 4 | ||||
-rw-r--r-- | manifests/params.pp | 12 | ||||
-rw-r--r-- | manifests/series5.pp | 3 | ||||
-rw-r--r-- | manifests/series7.pp | 3 | ||||
-rw-r--r-- | manifests/series8.pp | 77 | ||||
-rw-r--r-- | manifests/series8/defaults.pp | 7 | ||||
-rw-r--r-- | manifests/series8/hardened.pp | 19 | ||||
-rw-r--r-- | manifests/series8/packages.pp | 24 |
11 files changed, 159 insertions, 8 deletions
diff --git a/manifests/apc.pp b/manifests/apc.pp index 70b17eb..8965857 100644 --- a/manifests/apc.pp +++ b/manifests/apc.pp @@ -4,10 +4,12 @@ class php::apc( $fpm = $::php::fpm $version5 = $::php::params::version5 $version7 = $::php::params::version7 + $version8 = $::php::params::version8 $series = $::php::series $services_version_5 = regsubst($series, '^5$', $version5) $services_version_7 = regsubst($services_version_5, '^7$', $version7) - $services_name = regsubst($services_version_7, '^', 'php') + $services_version_8 = regsubst($services_version_7, '^8$', $version8) + $services_name = regsubst($services_version_8, '^', 'php') $services = regsubst($services_name, '$', '-fpm') package { [ 'php-apcu', 'php-apcu-bc' ]: diff --git a/manifests/config.pp b/manifests/config.pp index e4d143e..ed35153 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -1,12 +1,16 @@ -define php::config($series = '5', $order = '20', $param = $name, $value, $ensure = 'present', $sapi = 'apache2') { +define php::config($series = '8', $order = '20', $param = $name, $value, $ensure = 'present', $sapi = 'apache2') { if $series == '5' { $version = $::php::series5::version $folder = $::php::series5::folder } - else { + elsif $series == '7' { $version = $::php::series7::version $folder = $::php::series7::folder } + else { + $version = $::php::series8::version + $folder = $::php::series8::folder + } file { "${folder}/${sapi}/conf.d/${order}-${param}.ini": ensure => $ensure, diff --git a/manifests/fpm.pp b/manifests/fpm.pp index 497dc07..c4d5fc8 100644 --- a/manifests/fpm.pp +++ b/manifests/fpm.pp @@ -6,10 +6,14 @@ define php::fpm( $version = $::php::params::version5 $folder = $::php::series5::folder } - else { + elsif $series == '7' { $version = $::php::params::version7 $folder = $::php::series7::folder } + else { + $version = $::php::params::version8 + $folder = $::php::series8::folder + } package { "php${version}-fpm": ensure => $ensure, 
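Review bot: The final `else` in the `php::config` hunk now sends every `$series` value other than '5' or '7' to the series8 folder, so a typo silently writes the ini file under the PHP 8 tree instead of failing; the `php::fpm` hunk has the same catch-all. Make the third branch explicit with `elsif $series == '8' {` and close with `else { fail("php::config: unsupported series '${series}'") }`. Changing the default from '5' to '8' also moves every existing `php::config` declaration that omits `series`, including any hardening values meant for PHP 5, so those callers should now pass `series` explicitly. Both defines continue outside their hunks.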
diff --git a/manifests/init.pp b/manifests/init.pp index 148c069..f170ae5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,12 +17,12 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. class php( - $series = [ '5', '7' ], + $series = [ '5', '7', '8' ], $hardened = true, $apc = absent, $fpm = absent, $manage_mod_php = false, - $default_cli = '7' + $default_cli = '8' ) { include php::params diff --git a/manifests/params.pp b/manifests/params.pp index 07f4ad1..76e2ec6 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -1,5 +1,16 @@ class php::params { + $version8 = $::lsbdistcodename ? { + 'bookworm' => '8.3', + default => '8.3', + } + + $version8_previous = $::lsbdistcodename ? { + 'bookworm' => [ '8.2', '8.1', '8.0' ], + default => [ '8.2', '8.1', '8.0' ], + } + $version7 = $::lsbdistcodename ? { + 'bookworm' => '7.4', 'bullseye' => '7.4', 'buster' => '7.4', 'stretch' => '7.4', @@ -7,6 +18,7 @@ class php::params { } $version7_previous = $::lsbdistcodename ? { + 'bookworm' => [ '7.3', '7.2', '7.1', '7.0' ], 'bullseye' => [ '7.3', '7.2', '7.1', '7.0' ], 'buster' => [ '7.3', '7.2', '7.1', '7.0' ], 'stretch' => [ '7.3', '7.2', '7.1', '7.0' ], diff --git a/manifests/series5.pp b/manifests/series5.pp index 17e1059..8a9149c 100644 --- a/manifests/series5.pp +++ b/manifests/series5.pp @@ -79,6 +79,7 @@ class php::series5( # The needed apache modules if $manage_mod_php == '5' { $version7 = $::php::params::version7 + $version8 = $::php::params::version8 apache::module { "php${version}": ensure => present, @@ -96,7 +97,7 @@ class php::series5( require => Package["libapache2-mod-php${version}"], } - apache::module { "php8.0": + apache::module { "php${version8}": ensure => absent, require => Package["libapache2-mod-php${version}"], } diff --git a/manifests/series7.pp b/manifests/series7.pp index dce3a89..bc3a4b1 100644 --- a/manifests/series7.pp +++ b/manifests/series7.pp 
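Review bot: In the series5.pp hunk, replacing the literal `php8.0` with `php${version8}` means the 8.0 Apache module is no longer declared absent when `$manage_mod_php == '5'`. `$version8` resolves to 8.3 in params.pp, and `version8_previous` (8.2, 8.1, 8.0) is only iterated in series8.pp as far as this diff shows. A host that had an older mod_php 8.x enabled would keep it loaded unless something outside the hunk removes it, and the second series7.pp hunk has the same gap. Add `$::php::params::version8_previous.each |$item| { apache::module { "php${item}": ensure => absent } }` next to the new resource in both classes.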
@@ -37,6 +37,7 @@ class php::series7( # The right apache module if $manage_mod_php == '7' { $version5 = $::php::params::version5 + $version8 = $::php::params::version8 $::php::params::version7_previous.each |$item| { apache::module { "php${item}": @@ -54,7 +55,7 @@ class php::series7( require => Package["libapache2-mod-php${version}"], } - apache::module { "php8.0": + apache::module { "php${version8}": ensure => absent, require => Package["libapache2-mod-php${version}"], } diff --git a/manifests/series8.pp b/manifests/series8.pp new file mode 100644 index 0000000..00192ea --- /dev/null +++ b/manifests/series8.pp 
@@ -0,0 +1,77 @@
+class php::series8(
+ $hardened = true,
+ $manage_mod_php = false,
+) {
+ case $::lsbdistcodename {
+ 'xenial': {
+ include php::ppa
+ }
+ 'trusty': {
+ include php::ppa
+ }
+ 'bookworm': {
+ include php::dpa
+ }
+ 'bullseye': {
+ include php::dpa
+ }
+ 'stretch': {
+ include php::dpa
+ }
+ 'buster': {
+ include php::dpa
+ }
+ }
+
+ $version = $::php::params::version8
+ $folder = "/etc/php/${version}"
+
+ include php::series8::packages
+ include php::resources
+ include php::series8::defaults
+
+ if $hardened == true {
+ include php::series8::hardened
+ }
+
+ # The right apache module
+ if $manage_mod_php == '8' {
+ $version5 = $::php::params::version5
+ $version7 = $::php::params::version7
+
+ $::php::params::version7_previous.each |$item| {
+ apache::module { "php${item}":
+ ensure => absent,
+ }
+ }
+
+ $::php::params::version8_previous.each |$item| {
+ apache::module { "php${item}":
+ ensure => absent,
+ }
+ }
+
+ apache::module { "php${version5}":
+ ensure => absent,
+ require => Package["libapache2-mod-php${version}"],
+ }
+
+ apache::module { "php${version7}":
+ ensure => absent,
+ require => Package["libapache2-mod-php${version}"],
+ }
+
+ apache::module { "php${version}":
+ ensure => present,
+ require => Package["libapache2-mod-php${version}"],
+ }
+ }
+
+ file { [ "${folder}", "${folder}/cli", "${folder}/apache2", "${folder}/cli/conf.d", "${folder}/apache2/conf.d" ]:
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755',
+ require => Package['php'],
+ }
+}
diff --git a/manifests/series8/defaults.pp b/manifests/series8/defaults.pp
new file mode 100644
index 0000000..2f3958c
--- /dev/null
+++ b/manifests/series8/defaults.pp
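Review bot: The `case $::lsbdistcodename` block in series8.pp has no `default` branch, so on any release not listed neither `php::ppa` nor `php::dpa` is included, while `php::series8::packages` still requires `File['/etc/apt/sources.list.d/php.list']`. Where that file is declared is not visible in this diff; if it comes from those repository classes, an unlisted release ends in a missing-dependency error rather than a clear message. Add `default: { fail("php::series8: unsupported release ${::lsbdistcodename}") }` so unsupported hosts stop with an explicit reason. The duplicated branches could also be collapsed, e.g. `'xenial', 'trusty': { include php::ppa }`.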
@@ -0,0 +1,7 @@
+class php::series8::defaults {
+ php::config {
+ 'error_reporting_8' : param => 'error_reporting', series => '8', value => 'E_ALL & ~E_NOTICE & ~E_STRICT';
+ 'post_max_size_8' : param => 'post_max_size', series => '8', value => '100M';
+ 'upload_max_filesize_8' : param => 'upload_max_filesize', series => '8', value => '100M';
+ }
+}
diff --git a/manifests/series8/hardened.pp b/manifests/series8/hardened.pp
new file mode 100644
index 0000000..74b81f8
--- /dev/null
+++ b/manifests/series8/hardened.pp
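Review bot: `post_max_size` and `upload_max_filesize` are both set to `100M` in defaults.pp, but the PHP manual requires post_max_size to be larger than upload_max_filesize because the request body carries multipart overhead on top of the file. An upload at the advertised limit would therefore be rejected; raise the first, e.g. `value => '105M'`, or lower the upload limit. These values apply to every site served by this SAPI, so a one-line comment such as `# 100M: largest upload any hosted application needs` would record why so large a request body is accepted by default.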
@@ -0,0 +1,19 @@
+class php::series8::hardened {
+ $fpm = $::php::fpm
+ $disable_functions = 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, show_source, dl, symlink, system_exec'
+ #$disable_functions = 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, curl_init, parse_ini_file, show_source, dl, symlink, syslog, mail, system_exec'
+
+ if $fpm == 'present' {
+ php::config {
+ 'allow_url_fopen_8_fpm' : param => 'allow_url_fopen', series => '8', sapi => 'fpm', value => 'Off';
+ 'allow_url_include_8_fpm' : param => 'allow_url_include', series => '8', sapi => 'fpm', value => 'Off';
+ 'disable_functions_8_fpm' : param => 'disable_functions', series => '8', sapi => 'fpm', value => $disable_functions;
+ }
+ }
+
+ php::config {
+ 'allow_url_fopen_8' : param => 'allow_url_fopen', series => '8', value => 'Off';
+ 'allow_url_include_8' : param => 'allow_url_include', series => '8', value => 'Off';
+ 'disable_functions_8' : param => 'disable_functions', series => '8', value => $disable_functions;
+ }
+}
diff --git a/manifests/series8/packages.pp b/manifests/series8/packages.pp
new file mode 100644
index 0000000..e3356e9
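Review bot: The active `$disable_functions` list in hardened.pp drops `curl_init`, `parse_ini_file`, `syslog` and `mail` compared with the commented-out copy beneath it, and nothing records why the weaker list was chosen. Replace the commented line with a short rationale, e.g. `# curl_init, parse_ini_file, syslog and mail stay enabled: required by <application>`. The list also names `pcntl_exec` and `proc_open` twice and ends with `system_exec`, which does not appear to be a PHP function and can be removed. These settings are written only for the default `apache2` SAPI and, when `$fpm == 'present'`, for `fpm`; the `cli` SAPI receives none of them, which deserves a comment if intentional.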
--- /dev/null
+++ b/manifests/series8/packages.pp
@@ -0,0 +1,24 @@
+class php::series8::packages inherits php::packages {
+ $version = $::php::params::version8
+
+ package { [ "php${version}-common", "php${version}-mysql", "php${version}-cli", "php${version}-curl", "php${version}-gmp", "php${version}-xml", "php${version}-mbstring", "libapache2-mod-php${version}" ]:
+ ensure => installed,
+ require => File['/etc/apt/sources.list.d/php.list'],
+ }
+
+ # Optional packages
+ package { [ "php${version}-gd" ]:
+ ensure => installed,
+ require => File['/etc/apt/sources.list.d/php.list'],
+ }
+
+ # Default alternative
+ if $::php::default_cli == '8' {
+ file { "/etc/alternatives/php":
+ ensure => "/usr/bin/php${version}",
+ owner => root,
+ group => root,
+ require => Package["php${version}-cli"],
+ }
+ }
+}
|
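Review bot: `libapache2-mod-php${version}` sits in the unconditional package list in packages.pp, so mod_php 8 is installed even when `$manage_mod_php` is false, and series8.pp then never declares the module's state. On Debian-family systems the package's install scripts normally enable the module (worth confirming for the repository in use), which would load PHP 8 into Apache on hosts meant to serve it through FPM only. Consider moving it into its own `package` resource guarded by `if $::php::manage_mod_php == '8' {`, keeping the title so the `Package["libapache2-mod-php${version}"]` references in series8.pp still resolve.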