From 466eca2e158c7565fe7df037ee1ce33b942a8960 Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Apr 21 2019 08:52:37 +0000
Subject: add countdown role and apache config
---
diff --git a/pillar/role/countdown.sls b/pillar/role/countdown.sls
new file mode 100644
index 0000000..2246657
--- /dev/null
+++ b/pillar/role/countdown.sls
@@ -0,0 +1,40 @@
+apparmor:
+ profiles:
+ httpd2-prefork:
+ source: salt://profile/countdown/files/httpd2-prefork.apparmor
+ template: jinja
+
+profile:
+ countdown:
+ languages:
+ - af
+ - bg
+ - cs
+ - da
+ - de
+ - el
+ - en
+ - es
+ - fi
+ - fr
+ - gl
+ - hr
+ - hu
+ - id
+ - it
+ - ja
+ - lt
+ - nb
+ - nl
+ - pl
+ - pt
+ - pt_BR
+ - ro
+ - ru
+ - sk
+ - sv
+ - tr
+ - tw
+ - wa
+ - zh
+ redirect_target: 'Portal:15.0'
diff --git a/salt/profile/countdown/apache.sls b/salt/profile/countdown/apache.sls
new file mode 100644
index 0000000..062acc6
--- /dev/null
+++ b/salt/profile/countdown/apache.sls
@@ -0,0 +1,28 @@
+apache2:
+ pkg.installed:
+ - pkgs:
+ - apache2-mod_apparmor
+ - apache2-prefork
+ service.running:
+ - enable: True
+
+/etc/apache2/vhosts.d/countdown.opensuse.org.conf:
+ file.managed:
+ - listen_in:
+ - service: apache2
+ - source: salt://profile/countdown/files/apache-vhost.conf
+ - template: jinja
+
+sysconfig_apache2_countdown:
+ file.replace:
+ - name: /etc/sysconfig/apache2
+ - pattern: ^APACHE_MODULES=.*$
+ # original line: "actions alias auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout authn_core php7 rewrite"
+ - repl: APACHE_MODULES=" alias apparmor auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex dir env expires include log_config mime negotiation setenvif socache_shmcb reqtimeout authn_core rewrite remoteip status"
+ - listen_in:
+ - service: apache2
+
+/etc/logrotate.d/apache2-vhosts:
+ file.managed:
+ # same file as used for the wikis, no need to duplicate it
+ - source: salt://profile/wiki/files/apache2-wiki.logrotate
diff --git a/salt/profile/countdown/files/apache-vhost.conf b/salt/profile/countdown/files/apache-vhost.conf
new file mode 100644
index 0000000..9348244
--- /dev/null
+++ b/salt/profile/countdown/files/apache-vhost.conf
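Review bot: The `- repl:` line in `sysconfig_apache2_countdown` adds `remoteip` and `status` to APACHE_MODULES, but nothing in this commit configures either module: there is no `RemoteIPHeader`/`RemoteIPInternalProxy` and no restricted `/server-status` handler. A loaded but unconfigured mod_status is only safe as long as no other file under /etc/apache2 enables its handler, so either confirm that on the target host or leave `status` out of the list until a `Require local`-style handler block is added with it. Separately, the `file.replace` on /etc/sysconfig/apache2 and the vhost `file.managed` both assume the package is already present; adding `- require:` followed by `  - pkg: apache2` to each makes that ordering explicit rather than relying on declaration order, so a failed install cannot leave a half-applied configuration.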
@@ -0,0 +1,44 @@
+
+ ServerName countdown.opensuse.org
+ ServerAlias counter.opensuse.org
+ UseCanonicalName Off
+
+ AADefaultHatName vhost_countdown
+
+ DocumentRoot /srv/www/countdown.opensuse.org/public
+
+
+ Require all granted
+
+ Options +FollowSymlinks
+
+
+
+ Options Multiviews FollowSymLinks IncludesNoExec
+ DirectoryIndex medium
+ LanguagePriority en
+ #ForceLanguagePriority Fallback
+ #ForceLanguagePriority Prefer
+
+ {% for lang in pillar['profile']['countdown']['languages']|sort %}
+ AddLanguage {{lang}} .{{lang}}.png
+ {%- endfor %}
+
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^(.+)\.png/?$ $1
+ RewriteRule ^/?((small|medium|large|wide)-nolabel)/?$ /$1 [PT]
+ RewriteRule ^/?((small|medium|large|wide)-label)/?$ /$1 [PT]
+ RewriteRule ^/?(|small|medium|large|wide)/?$ /$1 [PT]
+
+ RedirectTemp /goto/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+ RedirectTemp /link/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+ RedirectTemp /redirect/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combinedproxy
+ CustomLog "/var/log/apache2/countdown-access_log" combinedproxy
+
+
+# vim:ft=apache
diff --git a/salt/profile/countdown/files/httpd2-prefork.apparmor b/salt/profile/countdown/files/httpd2-prefork.apparmor
new file mode 100644
index 0000000..38045ac
--- /dev/null
+++ b/salt/profile/countdown/files/httpd2-prefork.apparmor
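Review bot: The three `RedirectTemp /goto/ …`, `/link/`, `/redirect/` lines use prefix matching, and `Redirect` appends whatever follows the matched path to the target, so a request for `/goto/x` is sent to `…?pk_campaign=counterx` because the remainder lands after the query string, and `/goto` without a trailing slash is not redirected at all. If only the bare paths are meant to redirect, a single `RedirectMatch temp ^/(goto|link|redirect)/?$ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter` replaces all three and keeps the campaign value fixed. The `LogFormat` records `%{X-Forwarded-For}i` verbatim while `%h` is the peer that connected; with no `RemoteIPHeader`/`RemoteIPInternalProxy` pair in this vhost the forwarded address is unverified client-supplied data, so it should be treated as untrusted in any log analysis, or mod_remoteip should be configured for the proxy in front of this host. The `<VirtualHost>` and `<Directory>` container lines appear to have been stripped from this rendering, so which directory each `Options` line applies to could not be checked.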
@@ -0,0 +1,127 @@
+# managed by salt - do not edit!
+
+# $Id: usr.sbin.httpd2-prefork 12 2006-04-12 21:35:41Z steve-beattie $
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2017 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability dac_override,
+ capability kill,
+ capability net_admin,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_tty_config,
+
+ / rw,
+ /bin/bash rix,
+ /dev/random r,
+ /etc/apache2/*.conf r,
+ owner /etc/apache2/conf.d/ r,
+ /etc/apache2/magic r,
+ /etc/apache2/mod_perl-startup.pl r,
+ /etc/apache2/sysconfig.d/ r,
+ /etc/apache2/vhosts.d/ r,
+ /etc/apache2/vhosts.d/hostings/ r,
+ /etc/apache2/{conf,sysconfig,vhosts}.d/* r,
+ /etc/fstab r,
+ /etc/mime.types r,
+ /etc/mtab r,
+ /etc/odbcinst.ini r,
+ /proc/*/attr/current rw,
+ /proc/meminfo r,
+ /proc/sys/kernel/ngroups_max r,
+ /run/httpd.pid rw,
+ /tmp/magic* rw,
+ /usr/apache2/error/* r,
+ /usr/lib/apache2-leader/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-worker/{lib,mod_}*.so* mr,
+ /usr/lib/apache2/modules/{lib,mod_}*.so* mr,
+ /usr/lib/apache2/{lib,mod_}*.so mr,
+ /usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2/{lib,mod_}*.so*
mr,
+ /usr/sbin/httpd{,2}-prefork mr,
+ /usr/sbin/suexec2 mrix,
+ /usr/share/apache2/error/** r,
+ /usr/share/apache2/icons/** r,
+ /usr/share/misc/magic.mime r,
+ /usr/share/snmp/mibs r,
+ /usr/share/snmp/mibs/*.{txt,mib} r,
+ /usr/share/snmp/mibs/.index rw,
+ /var/lib/apache2/ssl_mutex w,
+ /var/log/apache2/* rwl,
+
+ ^DEFAULT_URI flags=(complain,attach_disconnected) {
+ #include
+
+ /proc/meminfo r,
+ /usr/share/zoneinfo/ r,
+ /usr/share/zoneinfo/** r,
+ /var/log/apache2/access_log w,
+ /var/log/apache2/error_log w,
+
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) {
+ #include
+
+ /**/.htaccess r,
+ /dev/urandom r,
+ /proc/*/attr/current w,
+ /var/lib/apache2/ssl_mutex wk,
+ /var/log/apache2/access_log w,
+ /var/log/apache2/error_log w,
+ /var/log/apache2/error_log-20[12][0-9][01][0-9][0-3][0-9] w,
+ /var/log/apache2/ssl_request_log w,
+
+ # strange, but happens in practise
+ /var/log/apache2/countdown-access_log w,
+
+ }
+
+ ^vhost_countdown flags=(complain,attach_disconnected) {
+ #include
+ #include
+
+ / r,
+# /bin/bash rix,
+# /dev/tty rw,
+# /proc/meminfo r,
+# /usr/bin/timeout rix,
+ /var/log/apache2/countdown-access_log w,
+ /var/log/apache2/countdown-access_log-21[12][0-9][01][0-9][0-3][0-9] w,
+ /var/log/apache2/error_log w,
+
+ /srv/www/countdown.opensuse.org/ r,
+ /srv/www/countdown.opensuse.org/** r,
+ }
+
+}
+
+# vim: ft=apparmor expandtab
+
diff --git a/salt/profile/countdown/init.sls b/salt/profile/countdown/init.sls
index 820cab4..9ef6597 100644
--- a/salt/profile/countdown/init.sls
+++ b/salt/profile/countdown/init.sls
@@ -1,2 +1,3 @@
 include:
+ - profile.countdown.apache
+ - profile.countdown.countdown
diff --git a/salt/role/countdown.sls b/salt/role/countdown.sls
new file mode 100644
index 0000000..b5bbf8e
--- /dev/null
+++ b/salt/role/countdown.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.countdown
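Review bot: In the `^vhost_countdown` hat the rotated-log rule `/var/log/apache2/countdown-access_log-21[12][0-9][01][0-9][0-3][0-9] w,` starts the year with `21`, so it cannot match a 2019-dated rotation; the `error_log-20[12][0-9]…` rule in `^HANDLING_UNTRUSTED_INPUT` shows the intended shape, so change the `21` to `20`. Because the profile and all three hats carry `flags=(complain,attach_disconnected)`, the mismatch only produces an audit entry today, but it turns into a denied write to the rotated log the moment the profile is switched to enforce, which is the cheaper time to catch it. That complain flag also means this commit adds auditing rather than confinement for the new vhost; a one-line comment next to the `profile` line recording that enforce mode is pending, and what must be confirmed first, would keep that from being mistaken for the final state. The four commented-out `# /bin/bash rix,` … `# /usr/bin/timeout rix,` lines would likewise read better with a short comment stating why they are kept but disabled.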