From 33ee6ff1e4f4bc4a70489e637d5250958f74048b Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Nov 16 2021 23:29:20 +0000
Subject: Add a "phpmyadmin" role, and add it on pinot.i.o.o

phpMyAdmin will be used by the membership officials to manage openSUSE Members. Note: the Apache config and AppArmor profile are somewhat mixed into the "countdown" role, therefore this commit has to touch files in that role.

---
diff --git a/pillar/id/pinot_infra_opensuse_org.sls b/pillar/id/pinot_infra_opensuse_org.sls
index 0201616..5f4878c 100644
--- a/pillar/id/pinot_infra_opensuse_org.sls
+++ b/pillar/id/pinot_infra_opensuse_org.sls
@@ -7,12 +7,13 @@ grains:
 - countdown
 - documentation
 - mail_reminder
+ - phpmyadmin
 reboot_safe: yes
 salt_cluster: opensuse
 virt_cluster: atreju
 aliases: []
- description: countdown.opensuse.org, board meeting reminder mailer
+ description: countdown.opensuse.org, board meeting reminder mailer, phpMyAdmin
 documentation: []
 responsible:
 - cboltz
@@ -20,3 +21,4 @@ grains:
 weburls:
 - https://counter.opensuse.org
 - https://countdown.opensuse.org
+ - https://pmya.opensuse.org
diff --git a/pillar/role/phpmyadmin.sls b/pillar/role/phpmyadmin.sls
new file mode 100644
index 0000000..a80c482
--- /dev/null
+++ b/pillar/role/phpmyadmin.sls
@@ -0,0 +1,15 @@
+{% if salt['grains.get']('include_secrets', True) %}
+include:
+ - secrets.role.phpmyadmin
+{% endif %}
+
+# apparmor: see salt/profile/countdown for the Apache AppArmor profile, it includes a ^vhost_phpmyadmin hat
+
+profile:
+ phpmyadmin:
+ config:
+ host: 192.168.47.4
+ port: 3307
+ AllowRoot: 'false'
+ only_db: members
+ # htpasswd: included from pillar/secrets/role/phpmyadmin.sls
diff --git a/pillar/secrets/role/phpmyadmin.sls b/pillar/secrets/role/phpmyadmin.sls
new file mode 100644
index 0000000..dfec407
--- /dev/null
+++ b/pillar/secrets/role/phpmyadmin.sls
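Review bot: `AllowRoot: 'false'` is the only quoted value under `config:` in pillar/role/phpmyadmin.sls, and the reason lives in another file: the Jinja loop in salt/profile/phpmyadmin/init.sls writes the strings 'true' and 'false' to config.inc.php unquoted as PHP booleans and wraps every other value in single quotes. A comment above `config:` such as `# 'true'/'false' become PHP booleans in config.inc.php; every other value is emitted as a single-quoted PHP string` keeps the next editor from "fixing" the quoting one way or the other. As a consequence `port: 3307` is rendered as the PHP string `'3307'`, which matches phpMyAdmin's documented string type for that setting, so no change is needed there beyond the comment.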
@@ -0,0 +1,83 @@ +#!yaml|gpg + +profile: + phpmyadmin: + htpasswd: | + -----BEGIN PGP MESSAGE----- + + hQQOA7A9CHm0S6RyEA/+Mf4tSlLEoR79rKMPhNJbnraFQEGpTH5cOxAiw8Vsn1/c + dbYASgp3vx+WkDsGiAbBnyYL1ZlDYXlIadqEFXJQ3qdtdhu8GrXQHwoku0jN/pbf + Xi8JAg2rooGFW+uw56xjM0RTIbqwquudfjrUX5Uh+OP3EaFsBVKbIK80ZmVM79WZ + L0CsE8O4BAO8OpDoW9uOXy/RR+hjNpWSR8MdnFaNb0x+AtAGADV/zvxscIuH58LR + +ryN9dp2+ltK7jC/rLLzhVWsBk6P6t95EM8gdKAJFHVoSQuT8j3ivSbcGf2yT+1f + j54DeV3zjo2E5t47K+qsqeGAooC0fJBI0JkhTIsoNv48ziC1U4CkR9MCJVv3bDvx + /uc+qfMPTcI57gcyKsPOGt2GTqxIRGUYEkBmo3wJXV02k76UMqrKygTDyip8KXXq + D/VWbu4SJv6dlDjob+wDmfm8//pQE47Sem4yLk4Z90oUwbwxsW5/y2UbQkYUNHWH + FhVY7fPgixAGiyC101SILlVvblpnDvepTEc9Yjm5W8yBA3GG8YFuFNVp9gaqG3cL + 1cidmZ5gCZoZpdSeigzjfOYDSbNGtzP7bC8JnA1Nqr4s1SNGMZedH9r+2CTzHlC8 + li8WrlE/BY+F21/q33Fu8GEGD00s96AINK9FrkQpKq+ytRVVSV0/A00T/XbUp3EP + /RGykqnZhk28bRWgkkBloAaXOjfsiwZ6x8nIBEzz1ieg8QJ4Mkd0xdEvdkZPIAVq + kqZatzkddRHf6hc+XhLlt1kkbeK2KJKohrU2df0JotfO7cvB3MzbaBxDeMDAHr1Q + 7b0p5IEuvU5yyEflDrF5PeqwEHrsfKc9W5LkEx/WAmxU0BGxB2FYQ09LFmJoaB6r + Xulo5vKbAjeMJeGlwvSt1/wuNaO/VxXTDyyA9lE0dMASpK0bArUUOZbQ2VHJ88r3 + /LDwLssaQo2GpxdU3+Ua5HM6+vtM5VfRaWGJobMyUK1AXqlSe9yQV8qOJlaANcbw + ZP3/Q8iXMK19/h0VM1uHam1lMqcu1+5NlQLOxkKjMJo2QXrSuZfOnXzWzSf1o3AS + jxuAQzc5TpbP21ruvrv2wmCb9lkEfuWjmXR3ILOcJQv9cRneAN4GNNIyAyRZNNts + X7kvYqHoE+mAjNSBoDsc5qYUh+GbLFVjuVpzcr4Y08h5mEEmykJ1lYrJHgTcwFKJ + gy1TzNJ4COKffFInN2s2Ue+U7xvqaNNa0Kl6Roh93h50JFRSOXC8Lff9/1Vm9mUO + JT0bcdN6+RUzYRQK5mLuPHUhUGe9S8UJo0k5AV5pFKPiQtAeAUACf8aoNvC3T86Q + BdVPNJcxiMxkcZz+DfWORLtUABxfmeeoX4xHsoUuCUBjhQIMA8amgupjyC8cAQ// + dwMFpnvc9hj1kRK5ix4UYeQglCD0fpe7rSRPebJAvY+wqFINeZugadAMFEW9FvXp + +4ZviObBnxR+UR8j7InRUzktP4s26/Dv8F1j230Cu6XXop7QPIjPrFqHxyxqwuvA + Omnxh13rySAKF0qF/fk1gDGpxLjWFvMoJmmzaG8eakCFRZZEQY97XvtKOkv/coX6 + Gna/IaJ8noXwZp44k4gazuG7hFqv53krH30IQa49aRUuae6qkG8wgnimUlmvO2bi + F4v4eXHRXPNLwMpiuQ2pN3iVu4YEzdt0b+5dNm5VAk4zq9p1LemuiVas8FguWzaC + ofW3pQjKGKQEQg2ZpFS2xsNeO4J1QiqeSuLly5WSwDenEHb1/SajTvLy95V+BT/o + 
rMWCZmMI++PI2ajImc627cTslhhDsqS8agWcCDiB6LAwoXp9/YS0vXjmcdEBgbSM + GwKUldeuAOywV7T2a1EVnfDLq09m+y0ayOC36QRNfLwt0JDDS47PL3mXitEyUyCu + YguMTutbYie3LPAX5uid8oCb2xcgy8cl9vq3j7Qjta9BnLAOYDJVszwMlCg/rYTm + V29sdevY9Yceh7t2662TsU8Y6dUQIZKDX5rmsF5xki9NRmERznyqtMQIUBcPh9MK + jyfLkUOZ1WOBBN2i8DJYyv/GDUAce3/s342F+WrlAKKFAQ4DslgfDDfB4G8QBACk + HtMshsrxqts4uUWoDGbuCnlghWe1sRFlSdg5/wdM0JA4NAdKiAPwuJ8EzX+8ggzw + WMD3K2PBZKjntvQG9nRAuL1v1mMxeOp5s548AJF0RdAC7hTH+Su8DED6d1toFAkQ + OiwCiDcOhs5Im6q22wIx/811keqrScLTwi1qavC8/AP/VO3rTdI78x2PR0YqpMtE + IPn4hTpSm2V5MSQAKxOaQPiiLPwLiVfNBLxmP/qVj0ho1K7oJmsJQH2LPBBNHHB4 + owgGhaq8LwtxZQ/iYqeZCn/q3rO+MV6S/3xwIkWZFgSlSHjkYtxI/VkfNTcymGWY + w/rtkMkQk/Yiw7XOSr80lh2FAg4DiLcKbyvsTOYQCACaN6dqACGbq0TQxor4FV/9 + LDKlMnW+2s9JU++q0GnivrMFjqF33mOWyUUkywV2iH7K1OeTvIUZZuRWCCjw95eY + g0DTnh6+ETpaEn+tkzaFVq5nRt5Or3k9Vw7UhJZrxcPz/exj0mV4AZ03uNz5Q5Gf + oXdHlxbeg5lmmEEjvSqw4CYzOZrXPSYYQFry8wHJnpxw71TzyRCOY+WwPX+bk3Pn + kBwwPrFaNgCRlcRw9zy3Pct6GQgCpz60iUhJD4KoktlfYEHTxlSai2Nm1ciayRGj + FkQRSAfDqilIDzxlZhXf+iZtEwIJlagCqjiU9VeF6MeVUoAIQrKbpYS+3bo0/uL2 + B/kBrLSiaDZWUl1bEPxpQ2126QBlCwxnlmbdybPcvmScbxWtE+XDU73yrgGV8AVf + pGatkP8leFmffQ8bf6DCsPaqwOj65IRah0xmCYJcpQMHNN7iKeizwlOYP4y5dQxB + RXgV6UD2MJq4ztSEKfhCYxVPKd5Q7LbbkJa7hOlK5DohLVd5O/tymNlfpe1MqrmC + lPzKtIwbOX30iCV/tkcB+qCx1MPASf69G5Aa5duw+BD2TmHi5xomoK6OsYH8GcfV + SsO0XHNe5szgR29mCzxbzVOUd/8lrei5vVr8TyGgjRPboukgajdLokuDssN3i29Q + 0bLfF4tWTrSK5jW2MG+QaSHKhQIMA3GiBwULdMTdARAAhZcgcF+ernMMxs4xRIXD + 9GHpQzCpEvg5POfwgAh312AcRyvxO/BPm4OFHznVVoEW+ZBAy1afxGfKQI7/jGiQ + z4B+6VCvhKwUleeR5dlSYS4cTm1arLB/PGxx8rMaJSt483Rjrp0YrFc8I8rlDFqd + Xy3KofOvctGpM5qSVI8saFicZl0wmirElT59VpWsbIdNq8ob7/zYBnvXisHXJwsG + poQgCZvlMswAAHmnTevaCkEeMKfffcUOqwN234xDFsWOoB26cR8h4qyk5+8qkg8H + DFukwF1RVOhI10aYrxb3DMKLOEzqLlwE1YYvTnfaCUXv8UwizMJ3+8Q6rjPUPNi0 + 1I0Dneqs8PwZx4l0XcEwRdkX+HLy9kop9fcaxSXvj120toQ8H0IcruLFKv+aljja + 6XlsWcliu+HHiQa5eQ0JbKz4dIPe4PerX/G7VaSKlF/KPgnQDCd6y7r6XgocI+2A + 
j6BzWX1u+bifJfOBhbsWEvj4+9TFQwyvRrj+462MmpU42F9l6MvQPvIL4sfh+uLo + QXeuBPIC1j3Zc/ZyM9foTmSQsQgh+xfk+eLG2DaWyt/qeiXhZJ910dRxmmxfG/mh + vkwWgFJTBHT/gRTjgbFepeyB+Oz3Iz1XUIC0236gaAHMjZoJpW/t/Cln+unIpDH2 + 4W7HTUUxeODEiXLYGcmB7MmFAgwDrPDOChusaZEBEAC2unL0/R8t0dH7GloDgNXE + 8L7jOrt+YUhdCtA6lxZdOgn6es56Wc8rTBWmS3Tb7KIsBcGcFc1zmNi5cw27Y2G1 + c+JadCnpy61aq+UfzR34oYe8uHTxr8K9+XwaMjExqKednTR2szkjC3tO9TcIXGkO + lv9wSRuSFK+iVBRH1DC2miKmYHIuuWtORKKDQH+z0FcBZZojBQG3tohNMK7ej2DT + 6ul/zVxSJSkoeQLp944nnwtjWWoyyi8jKe6ONyMdsyID8+HOoamZ/QJ34t2nKTO4 + HuJBpGz7FNu5lhkONNb0zeEH/qM5eT/tHBPyJ9TDDwXYPuvKLvauUKYUhnwU1q0j + VCDxvkCL1uxHentmsgprFWKntibdUVLrG4s73jqyK1Ox0pMLdx58Fk2d8dZgyI+d + tGVE+wthKF4zK4IhDx0mmHejATReek0iSPe6ZDiJJdvcejV199D5JrIf1XG3/YHh + +MNB5jUJTqzkJD4gHjVeeXf8V2dNi5AD6/Md4v3/wdMvmsKNfBh8bc0u4q+fz7g6 + 1GRcb2KZ5jci2/2JpiraP8hu8aKghqs+JvTFf4weLzooEtGk7vfdZiXWeNW/9pNE + th4Tw5nEoZKXqPNAhUlHR68jBlXU79kkxb/yM+2TZVS7CPoy3u9Nw5fGbNw2Ydpt + ZDDyUZt/sY3v8DifM7ruzNJmAT4/MPG7JGdnUyxUiZCa00JNJynKGn09t8BwQ67G + 6SnqP9zpy8lsrBiitwaq5Dc125eStcfqUW53H2gkUXeun/eugVsGUC6wLkvH2UE1 + VdmDY7ybDEdHGkX2lbczOrL1qUoQxzrZ + =DvOy + -----END PGP MESSAGE----- diff --git a/salt/profile/countdown/apache.sls b/salt/profile/countdown/apache.sls index 367ce9c..61f670f 100644 --- a/salt/profile/countdown/apache.sls +++ b/salt/profile/countdown/apache.sls 
@@ -18,7 +18,7 @@ sysconfig_apache2_countdown:
 - name: /etc/sysconfig/apache2
 - pattern: ^APACHE_MODULES=.*$
 # original line: "actions alias auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout authn_core php7 rewrite"
- - repl: APACHE_MODULES=" alias apparmor auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex dir env expires include log_config mime negotiation setenvif socache_shmcb reqtimeout authn_core rewrite remoteip status"
+ - repl: APACHE_MODULES=" alias apparmor auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex dir env expires include log_config mime negotiation setenvif socache_shmcb reqtimeout authn_core php7 rewrite remoteip status version"
 - listen_in:
 - service: apache2
diff --git a/salt/profile/countdown/files/httpd2-prefork.apparmor b/salt/profile/countdown/files/httpd2-prefork.apparmor
index 61a53da..ce6190e 100644
--- a/salt/profile/countdown/files/httpd2-prefork.apparmor
+++ b/salt/profile/countdown/files/httpd2-prefork.apparmor
@@ -105,6 +105,26 @@ profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_discon
 }
+ ^vhost_phpmyadmin flags=(complain,attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+
+ signal receive set=usr1 peer=httpd2-prefork,
+
+ /etc/apache2/conf.d/phpMyAdmin.htpass r,
+ /etc/phpMyAdmin/config.inc.php r,
+ /proc/*/attr/current rw,
+ /srv/www/htdocs/phpMyAdmin/** r,
+ /usr/lib64/gconv/* r,
+ /usr/share/zoneinfo/ r,
+ /var/log/apache2/phpmyadmin-access_log w,
+ /var/log/apache2/phpmyadmin-access_log-20[12][0-9][01][0-9][0-3][0-9] w,
+ /var/log/apache2/error_log w,
+
+ }
+ ^vhost_countdown flags=(complain,attach_disconnected) { + #include + #include
diff --git a/salt/profile/phpmyadmin/files/apache-vhost.conf b/salt/profile/phpmyadmin/files/apache-vhost.conf
new file mode 100644
index 0000000..7f6ed57
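Review bot: Adding `php7` back to APACHE_MODULES loads the PHP module server-wide, so every vhost on this host (presumably countdown and documentation as well, judging by the roles listed in the pillar) will now execute `.php` files unless its own config disables the engine, which this hunk cannot show. If only pmya.opensuse.org needs PHP, keep the interpreter off elsewhere with `php_admin_flag engine off` in those vhosts (or at server level, switching it on only inside the phpMyAdmin vhost), so the other document roots do not gain a code-execution path as a side effect of this role. The added `version` module is harmless on its own. The state `sysconfig_apache2_countdown` begins before the hunk and continues after it, so its state function and `listen_in` target are not fully visible here.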
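Review bot: The new `^vhost_phpmyadmin` hat is declared with `flags=(complain,attach_disconnected)`, so AppArmor only logs what the phpMyAdmin vhost does and does not confine it; that mirrors the neighbouring `^vhost_countdown` hat, but for a PHP application with database credentials within reach the hat only pays off once it is in enforce mode. If complain is deliberate for the rollout, say so on the hat line, e.g. `# TODO: drop 'complain' once the audit log for this hat is clean`, so the mode is not left behind. While reviewing that log, look for PHP session storage and phpMyAdmin's temp/upload directories, which are not in the rule set and whose denials complain mode will hide. The enclosing `profile httpd2-prefork` block starts and ends outside the hunk, and the `#include` targets appear stripped in this rendering.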
--- /dev/null
+++ b/salt/profile/phpmyadmin/files/apache-vhost.conf
@@ -0,0 +1,23 @@
+
+ ServerName pmya.opensuse.org
+ UseCanonicalName Off
+
+ AADefaultHatName vhost_phpmyadmin
+
+ DocumentRoot /srv/www/htdocs/phpMyAdmin/
+
+
+ AuthType Basic
+ AuthName "Restricted Resource"
+ AuthBasicProvider file
+ AuthUserFile "/etc/apache2/conf.d/phpMyAdmin.htpass"
+
+ Require valid-user
+
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combinedproxy
+ CustomLog "/var/log/apache2/phpmyadmin-access_log" combinedproxy
+
+
+# vim:ft=apache
diff --git a/salt/profile/phpmyadmin/init.sls b/salt/profile/phpmyadmin/init.sls
new file mode 100644
index 0000000..47639c4
--- /dev/null
+++ b/salt/profile/phpmyadmin/init.sls
@@ -0,0 +1,32 @@
+phpmyadmin:
+ pkg.installed:
+ - pkgs:
+ - apache2-mod_apparmor
+ - apache2-prefork
+ - phpMyAdmin
+
+ service.running:
+ - enable: True
+ - name: apache2
+
+/etc/apache2/vhosts.d/pmya.opensuse.org.conf:
+ file.managed:
+ - listen_in:
+ - service: apache2
+ - source: salt://profile/phpmyadmin/files/apache-vhost.conf
+
+/etc/apache2/conf.d/phpMyAdmin.htpass:
+ file.managed:
+ - contents_pillar: profile:phpmyadmin:htpasswd
+
+{% for key, value in pillar.profile.phpmyadmin.config.items() %}
+{% if value != 'false' and value != 'true' %}
+ {% set value = "'%s'" % value %} # add quotes around non-boolean values
+{% endif %}
+phpmyadmin_config_{{ key }}:
+ file.append:
+ - name: /etc/phpMyAdmin/config.inc.php
+ - text: $cfg['Servers'][$i]['{{ key }}'] = {{ value }};
+{% endfor %}
+
+# see profile/countdown/apache.sls for /etc/sysconfig/apache2
diff --git a/salt/role/phpmyadmin.sls b/salt/role/phpmyadmin.sls
new file mode 100644
index 0000000..92a28dd
--- /dev/null
+++ b/salt/role/phpmyadmin.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.phpmyadmin
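Review bot: The vhost protects phpMyAdmin with HTTP Basic auth (`AuthType Basic`, `AuthUserFile "/etc/apache2/conf.d/phpMyAdmin.htpass"`) but nothing in the file ties it to TLS; the `X-Forwarded-For` field in the `combinedproxy` LogFormat and the https://pmya.opensuse.org entry in the pillar suggest TLS terminates at a reverse proxy, so this listener is presumably meant to be reachable only from that proxy. State that in the file, e.g. `# Plain HTTP: only reached through the TLS-terminating reverse proxy; do not expose this listener directly`, and if the backend can be reached by other hosts, add `Require ip <proxy-address>` next to `Require valid-user` inside a `<RequireAll>` so the credentials cannot travel over an unencrypted path. The `<VirtualHost>` and `<Directory>` container lines appear stripped in this rendering, so their arguments cannot be checked here.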
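Review bot: `/etc/apache2/conf.d/phpMyAdmin.htpass` is written by `file.managed` without `user`/`group`/`mode`, so the password hashes land with Salt's default 0644 and are readable by every local account although only the Apache worker needs them; `- mode: '0640'` with `- group: www` (the group openSUSE's apache2 runs as, to confirm) and `- user: root` closes that. The `file.append` loop at the end also only ever adds lines: when a value in `pillar.profile.phpmyadmin.config` changes, the old `$cfg['Servers'][$i][...]` assignment stays in config.inc.php and the new one is appended below it, so the file accumulates stale settings and its effective configuration depends on append order; a `file.blockreplace` with `append_if_not_found` around the generated lines (sketched below, assuming config.inc.php has no closing `?>` tag after the insertion point, which the current `file.append` assumes as well) converges instead, and `dictsort` keeps the block order stable across runs. The `"'%s'" % value` quoting would also produce invalid PHP if a pillar value ever contained a single quote, which is fine for the current values but deserves a comment.

```yaml
# … unchanged: phpmyadmin pkg.installed / service.running, vhost file.managed …

/etc/apache2/conf.d/phpMyAdmin.htpass:
  file.managed:
    - contents_pillar: profile:phpmyadmin:htpasswd
    - user: root
    - group: www
    - mode: '0640'

# Keep the generated server settings in one managed block so that a changed
# pillar value replaces the old line instead of being appended after it.
# 'true'/'false' become PHP booleans; every other value is a single-quoted
# PHP string (values must not contain a single quote).
phpmyadmin_config:
  file.blockreplace:
    - name: /etc/phpMyAdmin/config.inc.php
    - marker_start: '// BEGIN salt-managed phpmyadmin server config'
    - marker_end: '// END salt-managed phpmyadmin server config'
    - append_if_not_found: True
    - content: |
{%- for key, value in pillar.profile.phpmyadmin.config|dictsort %}
{%- if value != 'false' and value != 'true' %}
{%- set value = "'%s'" % value %}
{%- endif %}
        $cfg['Servers'][$i]['{{ key }}'] = {{ value }};
{%- endfor %}

# … unchanged: trailing comment …
```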