From 5f3ed06fc85c3c9cb8d80c03d157bcc29bf75798 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 2 Nov 2017 13:01:00 -0200
Subject: Support both PHP 5 and 7, defaults to 5
---
manifests/config.pp | 13 +++++--
manifests/defaults.pp | 7 ----
manifests/ffmpeg.pp | 5 ---
manifests/hardened.pp | 8 -----
manifests/imap.pp | 9 +++--
manifests/init.pp | 65 ++++-----------------------------
manifests/packages/default.pp | 22 ------------
manifests/packages/dpa.pp | 67 -----------------------------------
manifests/packages/ppa.pp | 55 ----------------------------
manifests/series5.pp | 61 +++++++++++++++++++++++++++++++
manifests/series5/defaults.pp | 7 ++++
manifests/series5/hardened.pp | 8 +++++
manifests/series5/packages/default.pp | 22 ++++++++++++
manifests/series5/packages/dpa.pp | 67 +++++++++++++++++++++++++++++++++++
manifests/series5/packages/ppa.pp | 55 ++++++++++++++++++++++++++++
manifests/series7.pp | 25 +++++++++++++
manifests/series7/defaults.pp | 7 ++++
manifests/series7/hardened.pp | 8 +++++
18 files changed, 283 insertions(+), 228 deletions(-)
delete mode 100644 manifests/defaults.pp
delete mode 100644 manifests/ffmpeg.pp
delete mode 100644 manifests/hardened.pp
delete mode 100644 manifests/packages/default.pp
delete mode 100644 manifests/packages/dpa.pp
delete mode 100644 manifests/packages/ppa.pp
create mode 100644 manifests/series5.pp
create mode 100644 manifests/series5/defaults.pp
create mode 100644 manifests/series5/hardened.pp
create mode 100644 manifests/series5/packages/default.pp
create mode 100644 manifests/series5/packages/dpa.pp
create mode 100644 manifests/series5/packages/ppa.pp
create mode 100644 manifests/series7.pp
create mode 100644 manifests/series7/defaults.pp
create mode 100644 manifests/series7/hardened.pp
diff --git a/manifests/config.pp b/manifests/config.pp
index b92ea26..93c0e5b 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,11 +1,18 @@
-define php::config($order = '20', $value, $ensure = 'present', $sapi = 'apache2') {
- file { "${::php::folder}/${sapi}/conf.d/${order}-${name}.ini":
+define php::config($series = '5', $order = '20', $value, $ensure = 'present', $sapi = 'apache2') {
+ if $series == '5' {
+ $folder = $::php::series5::folder
+ }
+ else {
+ $folder = $::php::series7::folder
+ }
+
+ file { "${folder}/${sapi}/conf.d/${order}-${name}.ini":
 ensure => $ensure,
 owner => root,
 group => root,
 mode => '0644',
 content => "${name}=${value}\n",
- require => File["${::php::folder}/${sapi}/conf.d"],
+ require => File["${folder}/${sapi}/conf.d"],
 notify => $sapi ? {
 'apache2' => Service['apache2'],
 default => undef,
diff --git a/manifests/defaults.pp b/manifests/defaults.pp
deleted file mode 100644
index a36c9a9..0000000
--- a/manifests/defaults.pp
+++ /dev/null
@@ -1,7 +0,0 @@
-class php::defaults {
- php::config {
- 'error_reporting' : value => 'E_ALL & ~E_NOTICE & ~E_STRICT';
- 'post_max_size' : value => '100M';
- 'upload_max_filesize' : value => '100M';
- }
-}
diff --git a/manifests/ffmpeg.pp b/manifests/ffmpeg.pp
deleted file mode 100644
index 3997cb1..0000000
--- a/manifests/ffmpeg.pp
+++ /dev/null
@@ -1,5 +0,0 @@
-class php::ffmpeg {
- package { 'php-ffmpeg':
- ensure => present,
- }
-}
diff --git a/manifests/hardened.pp b/manifests/hardened.pp
deleted file mode 100644
index 5340dd7..0000000
--- a/manifests/hardened.pp
+++ /dev/null
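Review bot: In manifests/config.pp the new `$series` parameter treats every value other than '5' as series 7, and its default of '5' is independent of the `series` given to class `php`, so a `php::config` declared without `series` on a PHP 7 node reads `$::php::series5::folder`, which is presumably undefined there and would leave the file path starting at `/${sapi}/conf.d/`. Consider taking the default from the main class, `$series = $::php::series` (assuming `php` is always declared first), and turning the bare `else` into `elsif $series == '7'` followed by `else { fail("php::config: unsupported series '${series}'") }`. The body of the define continues past the end of this hunk.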
@@ -1,8 +0,0 @@
-class php::hardened {
- php::config {
- 'allow_url_fopen' : value => 'Off';
- 'allow_url_include' : value => 'Off';
- 'disable_functions' : value => 'phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, show_source, dl, symlink, system_exec';
- #value => 'disable_functions = phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, curl_init, parse_ini_file, show_source, dl, symlink, syslog, mail, system_exec',
- }
-}
diff --git a/manifests/imap.pp b/manifests/imap.pp
index 381add6..805951d 100644
--- a/manifests/imap.pp
+++ b/manifests/imap.pp
@@ -1,5 +1,10 @@
-class php::imap inherits php {
- package { 'php5-imap':
+class php::imap {
+ $pack = $::php::series ? {
+ '5' => 'php5-imap',
+ default => 'php-imap',
+ }
+
+ package { "${pack"}:
 ensure => installed,
 }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index edd0c2b..3c699fc 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
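Review bot: The new resource title in manifests/imap.pp, `package { "${pack"}:`, puts the closing brace of the interpolation after the closing quote, so the manifest will not parse; it should read `package { $pack:`. The class also now reads `$::php::series` after dropping `inherits php`, so whenever `php::imap` is evaluated before `php` the selector sees an undefined value and falls through to `php-imap` even on a series 5 node. Either keep an explicit dependency on the `php` class or confirm that it is always declared first.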
@@ -16,64 +16,11 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
-class php($hardened = true) {
- case $::lsbdistcodename {
- 'xenial': {
- include php::packages::ppa
- }
- 'stretch': {
- include php::packages::dpa
- }
- default: {
- include php::packages::default
- }
- }
-
- $folder = $::lsbdistcodename ? {
- 'xenial' => '/etc/php/5.6',
- 'stretch' => '/etc/php/5.6',
- default => '/etc/php5',
- }
-
- file { [ "${folder}", "${folder}/cli", "${folder}/apache2", "${folder}/cli/conf.d", "${folder}/apache2/conf.d" ]:
- ensure => directory,
- owner => root,
- group => root,
- mode => '0755',
- require => Package['php5'],
- }
-
- #file { "${folder}/cli/php.ini":
- # ensure => present,
- # owner => root,
- # group => root,
- # mode => '0644',
- # source => [ "puppet:///modules/site_php/cli/${::fqdn}/php.ini",
- # "puppet:///modules/site_php/cli/${::domain}/php.ini",
- # "puppet:///modules/php/cli/php.${::operatingsystem}_${::lsbdistcodename}.ini",
- # "puppet:///modules/php/cli/php.${::operatingsystem}.ini",
- # "puppet:///modules/php/cli/php.ini" ],
- # require => [ Package['php5'], File["${folder}/cli"] ],
- #}
-
- #file { "${folder}/apache2/php.ini":
- # ensure => present,
- # owner => root,
- # group => root,
- # mode => '0644',
- # source => [ "puppet:///modules/site_php/apache2/${::fqdn}/php.ini",
- # "puppet:///modules/site_php/apache2/${::domain}/php.ini",
- # "puppet:///modules/php/apache2/php.${::operatingsystem}_${::lsbdistcodename}.ini",
- # "puppet:///modules/php/apache2/php.${::operatingsystem}.ini",
- # "puppet:///modules/php/apache2/php.ini" ],
- # notify => Service['apache2'],
- # require => [ Package['php5'], File["${folder}/apache2"] ],
- #}
-
- include php::resources
- include php::defaults
-
- if $hardened == true {
- include php::hardened
+class php(
+ $series = '5',
+ $hardened = true,
+){
+ class { "php::series${series}":
+ hardened => $hardened,
 }
 }
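Review bot: `$series` is interpolated into the class name in `class { "php::series${series}":` without any check of its value, so a typo surfaces only as an unknown-class error, and a non-string `5` coming from a data source would pick `php::series5` here while the string comparisons against `'5'` in manifests/config.pp and manifests/imap.pp would presumably not match it. A guard at the top of the class makes the accepted values explicit: `unless $series in ['5', '7'] { fail("php: unsupported series '${series}'") }`. The new class has no documentation for its two parameters; a short header comment naming the accepted `series` values and what `hardened` switches on would help callers.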
diff --git a/manifests/packages/default.pp b/manifests/packages/default.pp
deleted file mode 100644
index e1f2bf1..0000000
--- a/manifests/packages/default.pp
+++ /dev/null
@@ -1,22 +0,0 @@
-class php::packages::default {
- # The needed packages: we could also try libapache2-mod-php5filter
- package { [ 'php5', 'php5-mysql', 'php5-sqlite', 'php5-cli', 'php5-curl', 'php5-gmp', 'libapache2-mod-php5' ]:
- ensure => installed,
- }
-
- # Optional packages
- package { [ "php5-gd", "php5-imagick" ]:
- ensure => installed,
- }
-
- # Not available anymore
- package { 'php5-suhosin':
- ensure => absent,
- }
-
- # The needed apache modules
- apache::module { 'php5':
- ensure => present,
- require => Package['libapache2-mod-php5'],
- }
-}
diff --git a/manifests/packages/dpa.pp b/manifests/packages/dpa.pp
deleted file mode 100644
index b09b061..0000000
--- a/manifests/packages/dpa.pp
+++ /dev/null
@@ -1,67 +0,0 @@
-class php::packages::dpa {
- file { '/etc/apt/trusted.gpg.d/deb.sury.org-php.gpg':
- ensure => present,
- owner => "root",
- group => "root",
- mode => "0644",
- source => 'puppet:///modules/php/deb.sury.org.gpg',
- }
-
- file { '/etc/apt/sources.list.d/php.list' :
- ensure => present,
- owner => "root",
- group => "root",
- mode => "0644",
- content => "deb https://packages.sury.org/php/ ${::lsbdistcodename} main\n",
- require => File['/etc/apt/trusted.gpg.d/deb.sury.org-php.gpg'],
- notify => Exec['php-apt-auto-update'],
- }
-
- exec { 'php-apt-auto-update':
- command => "/usr/bin/apt-get update",
- user => "root",
- refreshonly => true,
- }
-
- # The needed packages: we could also try libapache2-mod-php5.6filter
- package { 'php5':
- name => 'php5.6',
- require => File['/etc/apt/sources.list.d/php.list'],
- }
-
- package { 'php5-cli':
- name => 'php5.6-cli',
- require => File['/etc/apt/sources.list.d/php.list'],
- }
-
- package { [ 'php5.6-mysql', 'php5.6-sqlite3', 'php5.6-curl', 'php5.6-gmp', 'libapache2-mod-php5.6' ]:
- ensure => installed,
- require => File['/etc/apt/sources.list.d/php.list'],
- }
-
- # Optional packages
- package { [ "php5.6-gd", "php-imagick", "php5.6-xml", "php5.6-mbstring" ]:
- ensure => installed,
- require => File['/etc/apt/sources.list.d/php.list'],
- }
-
- # Not available anymore
- package { 'php5.6-suhosin':
- ensure => absent,
- require => File['/etc/apt/sources.list.d/php.list'],
- }
-
- # The needed apache modules
- apache::module { 'php5.6':
- ensure => present,
- require => Package['libapache2-mod-php5.6'],
- }
-
- # Default alternative
- file { "/etc/alternatives/php":
- ensure => "/usr/bin/php5.6",
- owner => root,
- group => root,
- require => Package['php5'],
- }
-}
diff --git a/manifests/packages/ppa.pp b/manifests/packages/ppa.pp
deleted file mode 100644
index e38cccb..0000000
--- a/manifests/packages/ppa.pp
+++ /dev/null
@@ -1,55 +0,0 @@
-class php::packages::ppa {
- #package { 'python-software-properties':
- # ensure => present,
- #}
-
- ## TODO: check repository key!
- #exec { 'add-apt-repository-ondrej-php':
- # command => '/usr/bin/add-apt-repository -y ppa:ondrej/php && apt-get update',
- # user => 'root',
- # creates => '/etc/apt/sources.list.d/ondrej-ubuntu-php-xenial.list',
- # require => Package['python-software-properties'],
- #}
-
- # The needed packages: we could also try libapache2-mod-php5.6filter
- package { 'php5':
- name => 'php5.6',
- #require => Exec['add-apt-repository-ondrej-php'],
- }
-
- package { 'php5-cli':
- name => 'php5.6-cli',
- #require => Exec['add-apt-repository-ondrej-php'],
- }
-
- package { [ 'php5.6-mysql', 'php5.6-sqlite3', 'php5.6-curl', 'php5.6-gmp', 'libapache2-mod-php5.6' ]:
- ensure => installed,
- #require => Exec['add-apt-repository-ondrej-php'],
- }
-
- # Optional packages
- package { [ "php5.6-gd", "php-imagick", "php5.6-xml", "php5.6-mbstring" ]:
- ensure => installed,
- #require => Exec['add-apt-repository-ondrej-php'],
- }
-
- # Not available anymore
- package { 'php5.6-suhosin':
- ensure => absent,
- #require => Exec['add-apt-repository-ondrej-php'],
- }
-
- # The needed apache modules
- apache::module { 'php5.6':
- ensure => present,
- require => Package['libapache2-mod-php5.6'],
- }
-
- # Default alternative
- file { "/etc/alternatives/php":
- ensure => "/usr/bin/php5.6",
- owner => root,
- group => root,
- require => Package['php5'],
- }
-}
diff --git a/manifests/series5.pp b/manifests/series5.pp
new file mode 100644
index 0000000..50ab6f4
--- /dev/null
+++ b/manifests/series5.pp
@@ -0,0 +1,61 @@
+class php::series5($hardened = true) {
+ case $::lsbdistcodename {
+ 'xenial': {
+ include php::series5::packages::ppa
+ }
+ 'stretch': {
+ include php::series5::packages::dpa
+ }
+ default: {
+ include php::series5::packages::default
+ }
+ }
+
+ $folder = $::lsbdistcodename ? {
+ 'xenial' => '/etc/php/5.6',
+ 'stretch' => '/etc/php/5.6',
+ default => '/etc/php5',
+ }
+
+ file { [ "${folder}", "${folder}/cli", "${folder}/apache2", "${folder}/cli/conf.d", "${folder}/apache2/conf.d" ]:
+ ensure => directory,
+ owner => root,
+ group => root,
+ mode => '0755',
+ require => Package['php5'],
+ }
+
+ #file { "${folder}/cli/php.ini":
+ # ensure => present,
+ # owner => root,
+ # group => root,
+ # mode => '0644',
+ # source => [ "puppet:///modules/site_php/cli/${::fqdn}/php.ini",
+ # "puppet:///modules/site_php/cli/${::domain}/php.ini",
+ # "puppet:///modules/php/cli/php.${::operatingsystem}_${::lsbdistcodename}.ini",
+ # "puppet:///modules/php/cli/php.${::operatingsystem}.ini",
+ # "puppet:///modules/php/cli/php.ini" ],
+ # require => [ Package['php5'], File["${folder}/cli"] ],
+ #}
+
+ #file { "${folder}/apache2/php.ini":
+ # ensure => present,
+ # owner => root,
+ # group => root,
+ # mode => '0644',
+ # source => [ "puppet:///modules/site_php/apache2/${::fqdn}/php.ini",
+ # "puppet:///modules/site_php/apache2/${::domain}/php.ini",
+ # "puppet:///modules/php/apache2/php.${::operatingsystem}_${::lsbdistcodename}.ini",
+ # "puppet:///modules/php/apache2/php.${::operatingsystem}.ini",
+ # "puppet:///modules/php/apache2/php.ini" ],
+ # notify => Service['apache2'],
+ # require => [ Package['php5'], File["${folder}/apache2"] ],
+ #}
+
+ include php::resources
+ include php::series5::defaults
+
+ if $hardened == true {
+ include php::series5::hardened
+ }
+}
diff --git a/manifests/series5/defaults.pp b/manifests/series5/defaults.pp
new file mode 100644
index 0000000..15cb8a2
--- /dev/null
+++ b/manifests/series5/defaults.pp
@@ -0,0 +1,7 @@
+class php::series5::defaults {
+ php::config {
+ 'error_reporting' : value => 'E_ALL & ~E_NOTICE & ~E_STRICT';
+ 'post_max_size' : value => '100M';
+ 'upload_max_filesize' : value => '100M';
+ }
+}
diff --git a/manifests/series5/hardened.pp b/manifests/series5/hardened.pp
new file mode 100644
index 0000000..e512402
--- /dev/null
+++ b/manifests/series5/hardened.pp
@@ -0,0 +1,8 @@
+class php::series5::hardened {
+ php::config {
+ 'allow_url_fopen' : value => 'Off';
+ 'allow_url_include' : value => 'Off';
+ 'disable_functions' : value => 'phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, show_source, dl, symlink, system_exec';
+ #value => 'disable_functions = phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, curl_init, parse_ini_file, show_source, dl, symlink, syslog, mail, system_exec',
+ }
+}
diff --git a/manifests/series5/packages/default.pp b/manifests/series5/packages/default.pp
new file mode 100644
index 0000000..f16e03e
--- /dev/null
+++ b/manifests/series5/packages/default.pp
@@ -0,0 +1,22 @@
+class php::series5::packages::default {
+ # The needed packages: we could also try libapache2-mod-php5filter
+ package { [ 'php5', 'php5-mysql', 'php5-sqlite', 'php5-cli', 'php5-curl', 'php5-gmp', 'libapache2-mod-php5' ]:
+ ensure => installed,
+ }
+
+ # Optional packages
+ package { [ "php5-gd", "php5-imagick" ]:
+ ensure => installed,
+ }
+
+ # Not available anymore
+ package { 'php5-suhosin':
+ ensure => absent,
+ }
+
+ # The needed apache modules
+ apache::module { 'php5':
+ ensure => present,
+ require => Package['libapache2-mod-php5'],
+ }
+}
diff --git a/manifests/series5/packages/dpa.pp b/manifests/series5/packages/dpa.pp
new file mode 100644
index 0000000..f9fad94
--- /dev/null
+++ b/manifests/series5/packages/dpa.pp
@@ -0,0 +1,67 @@
+class php::series5::packages::dpa {
+ file { '/etc/apt/trusted.gpg.d/deb.sury.org-php.gpg':
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => "0644",
+ source => 'puppet:///modules/php/deb.sury.org.gpg',
+ }
+
+ file { '/etc/apt/sources.list.d/php.list' :
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => "0644",
+ content => "deb https://packages.sury.org/php/ ${::lsbdistcodename} main\n",
+ require => File['/etc/apt/trusted.gpg.d/deb.sury.org-php.gpg'],
+ notify => Exec['php-apt-auto-update'],
+ }
+
+ exec { 'php-apt-auto-update':
+ command => "/usr/bin/apt-get update",
+ user => "root",
+ refreshonly => true,
+ }
+
+ # The needed packages: we could also try libapache2-mod-php5.6filter
+ package { 'php5':
+ name => 'php5.6',
+ require => File['/etc/apt/sources.list.d/php.list'],
+ }
+
+ package { 'php5-cli':
+ name => 'php5.6-cli',
+ require => File['/etc/apt/sources.list.d/php.list'],
+ }
+
+ package { [ 'php5.6-mysql', 'php5.6-sqlite3', 'php5.6-curl', 'php5.6-gmp', 'libapache2-mod-php5.6' ]:
+ ensure => installed,
+ require => File['/etc/apt/sources.list.d/php.list'],
+ }
+
+ # Optional packages
+ package { [ "php5.6-gd", "php-imagick", "php5.6-xml", "php5.6-mbstring" ]:
+ ensure => installed,
+ require => File['/etc/apt/sources.list.d/php.list'],
+ }
+
+ # Not available anymore
+ package { 'php5.6-suhosin':
+ ensure => absent,
+ require => File['/etc/apt/sources.list.d/php.list'],
+ }
+
+ # The needed apache modules
+ apache::module { 'php5.6':
+ ensure => present,
+ require => Package['libapache2-mod-php5.6'],
+ }
+
+ # Default alternative
+ file { "/etc/alternatives/php":
+ ensure => "/usr/bin/php5.6",
+ owner => root,
+ group => root,
+ require => Package['php5'],
+ }
+}
diff --git a/manifests/series5/packages/ppa.pp b/manifests/series5/packages/ppa.pp
new file mode 100644
index 0000000..f821ab4
--- /dev/null
+++ b/manifests/series5/packages/ppa.pp
@@ -0,0 +1,55 @@
+class php::series5::packages::ppa {
+ #package { 'python-software-properties':
+ # ensure => present,
+ #}
+
+ ## TODO: check repository key!
+ #exec { 'add-apt-repository-ondrej-php':
+ # command => '/usr/bin/add-apt-repository -y ppa:ondrej/php && apt-get update',
+ # user => 'root',
+ # creates => '/etc/apt/sources.list.d/ondrej-ubuntu-php-xenial.list',
+ # require => Package['python-software-properties'],
+ #}
+
+ # The needed packages: we could also try libapache2-mod-php5.6filter
+ package { 'php5':
+ name => 'php5.6',
+ #require => Exec['add-apt-repository-ondrej-php'],
+ }
+
+ package { 'php5-cli':
+ name => 'php5.6-cli',
+ #require => Exec['add-apt-repository-ondrej-php'],
+ }
+
+ package { [ 'php5.6-mysql', 'php5.6-sqlite3', 'php5.6-curl', 'php5.6-gmp', 'libapache2-mod-php5.6' ]:
+ ensure => installed,
+ #require => Exec['add-apt-repository-ondrej-php'],
+ }
+
+ # Optional packages
+ package { [ "php5.6-gd", "php-imagick", "php5.6-xml", "php5.6-mbstring" ]:
+ ensure => installed,
+ #require => Exec['add-apt-repository-ondrej-php'],
+ }
+
+ # Not available anymore
+ package { 'php5.6-suhosin':
+ ensure => absent,
+ #require => Exec['add-apt-repository-ondrej-php'],
+ }
+
+ # The needed apache modules
+ apache::module { 'php5.6':
+ ensure => present,
+ require => Package['libapache2-mod-php5.6'],
+ }
+
+ # Default alternative
+ file { "/etc/alternatives/php":
+ ensure => "/usr/bin/php5.6",
+ owner => root,
+ group => root,
+ require => Package['php5'],
+ }
+}
diff --git a/manifests/series7.pp b/manifests/series7.pp
new file mode 100644
index 0000000..47fa8f9
--- /dev/null
+++ b/manifests/series7.pp
@@ -0,0 +1,25 @@
+class php::series7($hardened = true) {
+ $folder = '/etc/php/7.0'
+
+ package { [ 'php', 'php-mysql', 'php-sqlite3', 'php-cli', 'php-curl', 'php-gmp', 'libapache2-mod-php7.0' ]:
+ ensure => installed,
+ }
+
+ # Optional packages
+ package { [ "php-gd", "php-imagick" ]:
+ ensure => installed,
+ }
+
+ # The needed apache modules
+ #apache::module { 'php':
+ # ensure => present,
+ # require => Package['libapache2-mod-php7.0'],
+ #}
+
+ include php::resources
+ include php::series7::defaults
+
+ if $hardened == true {
+ include php::series7::hardened
+ }
+}
diff --git a/manifests/series7/defaults.pp b/manifests/series7/defaults.pp
new file mode 100644
index 0000000..936d165
--- /dev/null
+++ b/manifests/series7/defaults.pp
@@ -0,0 +1,7 @@
+class php::series7::defaults {
+ php::config {
+ 'error_reporting' : series => '7', value => 'E_ALL & ~E_NOTICE & ~E_STRICT';
+ 'post_max_size' : series => '7', value => '100M';
+ 'upload_max_filesize' : series => '7', value => '100M';
+ }
+}
diff --git a/manifests/series7/hardened.pp b/manifests/series7/hardened.pp
new file mode 100644
index 0000000..73cf21a
--- /dev/null
+++ b/manifests/series7/hardened.pp
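Review bot: manifests/series7.pp never declares the directories under `$folder`, while every `php::config` resource requires `File["${folder}/${sapi}/conf.d"]`; unless `php::resources` (not shown in this patch) manages `/etc/php/7.0/apache2/conf.d`, the series 7 defaults and hardening settings will fail on that missing dependency instead of being applied. `php::series5` carries a directory `file` resource for exactly this purpose, and series 7 needs the equivalent, ordered after the `php` package. It is also worth confirming that the unversioned `php` packages install 7.0 on every target release, since both `$folder` and `libapache2-mod-php7.0` are pinned to that version.

```puppet
class php::series7($hardened = true) {
  $folder = '/etc/php/7.0'

  # ... unchanged: package resources and commented-out apache::module ...

  # php::config requires File["${folder}/${sapi}/conf.d"], so the tree must be in the catalog.
  file { [ $folder, "${folder}/cli", "${folder}/apache2", "${folder}/cli/conf.d", "${folder}/apache2/conf.d" ]:
    ensure  => directory,
    owner   => root,
    group   => root,
    mode    => '0755',
    require => Package['php'],
  }

  # ... unchanged: includes and the $hardened switch ...
```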
@@ -0,0 +1,8 @@
+class php::series7::hardened {
+ php::config {
+ 'allow_url_fopen' : series => '7', value => 'Off';
+ 'allow_url_include' : series => '7', value => 'Off';
+ 'disable_functions' : series => '7', value => 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, show_source, dl, symlink, system_exec';
+ #series => '7', value => 'disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo, system, exec, shell_exec, passthru, proc_get_status, proc_open, popen, proc_close, proc_nice, proc_terminate, pcntl_exec, proc_open, curl_init, parse_ini_file, show_source, dl, symlink, syslog, mail, system_exec',
+ }
+}
--
cgit v1.2.3
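Review bot: The `disable_functions` value in manifests/series7/hardened.pp is a second hand-maintained copy of the series 5 list with the pcntl names prepended, and it already lists `pcntl_exec` and `proc_open` twice and includes `system_exec`, which does not appear to be a PHP function; two diverging copies of a hardening list are easy to update on one side only. Consider keeping the shared names once, for example as an array in a common class that each series turns into its string, and adding the series-specific entries there. Repeating `series => '7'` on every entry is also fragile, because an entry that omits it silently targets the series 5 folder; a resource default `Php::Config { series => '7' }` at the top of the class would cover that. These settings are written only for the default `apache2` SAPI of `php::config`, so it is worth confirming that leaving the CLI configuration untouched is intended.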