Sfoglia il codice sorgente

Merge pull request #270 from myii/feat/implement-semantic-release

feat(semantic-release): implement for this formula
tags/v0.38.0
Niels Abspoel 5 anni fa
parent
commit
34324bd2c6
Nessun account collegato all'indirizzo email del committer
42 ha cambiato i file con 1084 aggiunte e 288 eliminazioni
  1. +121
    -1
      .gitignore
  2. +0
    -56
      .kitchen.yml
  3. +10
    -0
      .rubocop.yml
  4. +26
    -0
      .salt-lint
  5. +99
    -11
      .travis.yml
  6. +36
    -0
      .yamllint
  7. +3
    -2
      FORMULA
  8. +6
    -5
      Gemfile
  9. +5
    -5
      apache/defaults.yaml
  10. +6
    -6
      apache/files/Debian/apache-2.2.config.jinja
  11. +16
    -16
      apache/files/FreeBSD/apache-2.4.config.jinja
  12. +1
    -1
      apache/files/RedHat/modsecurity.conf.jinja
  13. +1
    -1
      apache/flags.sls
  14. +3
    -3
      apache/init.sls
  15. +9
    -9
      apache/map.jinja
  16. +1
    -1
      apache/mod_geoip.sls
  17. +8
    -8
      apache/modsecurity.yaml
  18. +2
    -2
      apache/modules.sls
  19. +11
    -12
      apache/oscodenamemap.yaml
  20. +5
    -3
      apache/osfamilymap.yaml
  21. +1
    -0
      apache/osfingermap.yaml
  22. +1
    -1
      apache/server_status.sls
  23. +1
    -1
      apache/uninstall.sls
  24. +1
    -1
      apache/vhosts/cleanup.sls
  25. +1
    -1
      apache/vhosts/minimal.tmpl
  26. +4
    -4
      apache/vhosts/proxy.tmpl
  27. +3
    -3
      apache/vhosts/redirect.tmpl
  28. +5
    -5
      apache/vhosts/standard.tmpl
  29. +32
    -0
      bin/kitchen
  30. +3
    -0
      commitlint.config.js
  31. +116
    -41
      docs/README.rst
  32. +212
    -0
      kitchen.yml
  33. +67
    -51
      pillar.example
  34. +30
    -0
      pre-commit_semantic-release.sh
  35. +18
    -0
      release-rules.js
  36. +106
    -0
      release.config.js
  37. +50
    -0
      test/integration/default/README.md
  38. +29
    -0
      test/integration/default/controls/mod_security_spec.rb
  39. +18
    -0
      test/integration/default/inspec.yml
  40. +0
    -29
      test/integration/mod_security/serverspec/mod_security_spec.rb
  41. +17
    -0
      test/salt/pillar/default.sls
  42. +0
    -9
      test/shared/spec_helper.rb

+ 121
- 1
.gitignore Vedi File

@@ -1,2 +1,122 @@
*.swp
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg

# PyInstaller
# Usually these files are written by a python script from a packager
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
.kitchen
.kitchen.local.yml
kitchen.local.yml
junit-*.xml

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# Jupyter Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# SageMath parsed files
*.sage.py

# dotenv
.env

# virtualenv
.venv
venv/
ENV/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/

# Bundler
Gemfile.lock

# copied `.md` files used for conversion to `.rst` using `m2r`
docs/*.md

# Vim
*.sw?

## Collected when centralising formulas (check and sort)
# `collectd-formula`
.pytest_cache/
/.idea/
Dockerfile.*_*
ignore/
tmp/

+ 0
- 56
.kitchen.yml Vedi File

@@ -1,56 +0,0 @@
---
driver:
name: docker
use_sudo: false
privileged: true
require_chef_omnibus: false

platforms:
- name: centos-7
- name: ubuntu-16.04
- name: debian-9

provisioner:
name: salt_solo
formula: apache
require_chef: false
data_path: test/shared
pillars:
top.sls:
base:
'*':
- apache
apache.sls:
apache:
manage_service_states: False
mod_security:
crs_install: True
manage_config: True
sec_rule_engine: 'On'
sec_request_body_access: 'On'
sec_request_body_limit: '14000000'
sec_request_body_no_files_limit: '114002'
sec_request_body_in_memory_limit: '114002'
sec_request_body_limit_action: 'Reject'
sec_pcre_match_limit: '15000'
sec_pcre_match_limit_recursion: '15000'
sec_debug_log_level: '3'

suites:
- name: default
provisioner:
state_top:
base:
'*':
- apache
- apache.mod_security
- name: apache_norestart
provisioner:
state_top:
base:
'*':
- apache
pillars:
apache.sls:
apache:
manage_service_states: False

+ 10
- 0
.rubocop.yml Vedi File

@@ -0,0 +1,10 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# General overrides used across formulas in the org
Metrics/LineLength:
# Increase from default of `80`
# Based on https://github.com/PyCQA/flake8-bugbear#opinionated-warnings (`B950`)
Max: 88

# Any offenses that should be fixed, e.g. collected via. `rubocop --auto-gen-config`

+ 26
- 0
.salt-lint Vedi File

@@ -0,0 +1,26 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
exclude_paths:
# Violation: [203] Most files should not contain tabs
# Violation: [204] Lines should be no longer that 160 chars
- apache/files/Debian/apache-2.4.config.jinja # 203
- apache/files/Debian/mpm/mpm_event.conf.jinja # 203
- apache/files/Debian/mpm/mpm_prefork.conf.jinja # 203
- apache/files/Debian/mpm/mpm_worker.conf.jinja # 203
- apache/files/Debian/ssl.conf.jinja # 203,204
- apache/files/FreeBSD/mod_cgi.conf.jinja # 203
- apache/files/FreeBSD/mod_ssl.conf.jinja # 203,204
- apache/files/RedHat/conf.modules.d/00-mpm.conf.jinja # 203
- apache/files/RedHat/modsecurity.conf.jinja # 203
- apache/files/tls-defaults.conf.jinja # 204
- apache/logrotate.sls # 203
skip_list:
# Using `salt-lint` for linting other files as well, such as Jinja macros/templates
- 205 # Use ".sls" as a Salt State file extension
# Skipping `207` and `208` because `210` is sufficient, at least for the time-being
# I.e. Allows 3-digit unquoted codes to still be used, such as `644` and `755`
- 207 # File modes should always be encapsulated in quotation marks
- 208 # File modes should always contain a leading zero
tags: []
verbosity: 1

+ 99
- 11
.travis.yml Vedi File

@@ -1,16 +1,104 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
## Machine config
dist: bionic
sudo: required
language: python
services:
services:
- docker

before_install:
- bundle install

env:
matrix:
- INSTANCE: default-centos-7
- INSTANCE: default-ubuntu-1604
- INSTANCE: default-debian-9
## Language and cache config
language: ruby
cache: bundler

## Script to run for the test stage
script:
- bundle exec kitchen verify ${INSTANCE}
- bin/kitchen verify "${INSTANCE}"

## Stages and jobs matrix
stages:
- test
- name: release
if: branch = master AND type != pull_request
jobs:
include:
## Define the test stage that runs the linters (and testing matrix, if applicable)

# Run all of the linters in a single job
- language: node_js
node_js: lts/*
env: Lint
name: 'Lint: salt-lint, yamllint, rubocop & commitlint'
before_install: skip
script:
# Install and run `salt-lint`
- pip install --user salt-lint
- git ls-files | grep '\.sls$\|\.jinja$\|\.j2$\|\.tmpl$'
| xargs -I {} salt-lint {}
# Install and run `yamllint`
# Need at least `v1.17.0` for the `yaml-files` setting
- pip install --user yamllint>=1.17.0
- yamllint -s .
# Install and run `rubocop`
- gem install rubocop
- rubocop -d
# Install and run `commitlint`
- npm install @commitlint/config-conventional -D
- npm install @commitlint/travis-cli -D
- commitlint-travis

## Define the rest of the matrix based on Kitchen testing
# Make sure the instances listed below match up with
# the `platforms` defined in `kitchen.yml`
- env: INSTANCE=default-debian-10-develop-py3
# - env: INSTANCE=default-ubuntu-1804-develop-py3
# - env: INSTANCE=default-centos-7-develop-py3
# - env: INSTANCE=default-fedora-30-develop-py3
# - env: INSTANCE=default-opensuse-leap-15-develop-py3
# - env: INSTANCE=default-amazonlinux-2-develop-py2
# - env: INSTANCE=default-arch-base-latest-develop-py2
# - env: INSTANCE=default-debian-9-2019-2-py3
- env: INSTANCE=default-ubuntu-1804-2019-2-py3
# - env: INSTANCE=default-centos-7-2019-2-py3
# - env: INSTANCE=default-fedora-30-2019-2-py3
# - env: INSTANCE=default-opensuse-leap-15-2019-2-py3
- env: INSTANCE=default-amazonlinux-2-2019-2-py2
# - env: INSTANCE=default-arch-base-latest-2019-2-py2
# - env: INSTANCE=default-debian-9-2018-3-py2
# - env: INSTANCE=default-ubuntu-1604-2018-3-py2
# - env: INSTANCE=default-centos-7-2018-3-py2
- env: INSTANCE=default-fedora-29-2018-3-py2
# - env: INSTANCE=default-opensuse-leap-15-2018-3-py2
# - env: INSTANCE=default-amazonlinux-2-2018-3-py2
# - env: INSTANCE=default-arch-base-latest-2018-3-py2
# - env: INSTANCE=default-debian-8-2017-7-py2
# - env: INSTANCE=default-ubuntu-1604-2017-7-py2
- env: INSTANCE=default-centos-6-2017-7-py2
# - env: INSTANCE=default-fedora-29-2017-7-py2
# - env: INSTANCE=default-opensuse-leap-15-2017-7-py2
# - env: INSTANCE=default-amazonlinux-2-2017-7-py2
# - env: INSTANCE=default-arch-base-latest-2017-7-py2

## Define the release stage that runs `semantic-release`
- stage: release
language: node_js
node_js: lts/*
env: Release
name: 'Run semantic-release inc. file updates to AUTHORS, CHANGELOG & FORMULA'
before_install: skip
script:
# Update `AUTHORS.md`
- export MAINTAINER_TOKEN=${GH_TOKEN}
- go get github.com/myii/maintainer
- maintainer contributor

# Install all dependencies required for `semantic-release`
- npm install @semantic-release/changelog@3 -D
- npm install @semantic-release/exec@3 -D
- npm install @semantic-release/git@7 -D
deploy:
provider: script
skip_cleanup: true
script:
# Run `semantic-release`
- npx semantic-release@15

+ 36
- 0
.yamllint Vedi File

@@ -0,0 +1,36 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# Extend the `default` configuration provided by `yamllint`
extends: default

# Files to ignore completely
# 1. All YAML files under directory `node_modules/`, introduced during the Travis run
# 2. Any SLS files under directory `test/`, which are actually state files
# 3. Any YAML files under directory `.kitchen/`, introduced during local testing
ignore: |
node_modules/
test/**/states/**/*.sls
.kitchen/

yaml-files:
# Default settings
- '*.yaml'
- '*.yml'
- .salt-lint
- .yamllint
# SaltStack Formulas additional settings
- '*.example'
- test/**/*.sls

rules:
empty-values:
forbid-in-block-mappings: true
forbid-in-flow-mappings: true
line-length:
# Increase from default of `80`
# Based on https://github.com/PyCQA/flake8-bugbear#opinionated-warnings (`B950`)
max: 88
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true

+ 3
- 2
FORMULA Vedi File

@@ -1,8 +1,9 @@
name: apache
os: RedHat, Debian, Ubuntu, Suse, FreeBSD
os: RedHat, Fedora, CentOS, Debian, Ubuntu, Suse, FreeBSD
os_family: RedHat, Debian, Suse, FreeBSD
version: 201507
version: 0.37.4
release: 1
minimum_version: 2015.8
summary: Formula for installing Apache
description: Formula for installing Apache web server
top_level_dir: apache

+ 6
- 5
Gemfile Vedi File

@@ -1,6 +1,7 @@
source "https://rubygems.org"
# frozen_string_literal: true

gem "test-kitchen", '>=1.2.1'
gem "kitchen-docker"
gem "kitchen-salt", ">=0.0.11"
gem "kitchen-inspec"
source 'https://rubygems.org'

gem 'kitchen-docker', '>= 2.9'
gem 'kitchen-inspec', '>= 1.1'
gem 'kitchen-salt', '>= 0.6.0'

+ 5
- 5
apache/defaults.yaml Vedi File

@@ -1,11 +1,11 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
apache:
manage_service_states: True
manage_service_states: true
service_state: running
service_enable: True
service_enable: true

mod_security:
crs_install: False
manage_config: False
crs_install: false
manage_config: false

+ 6
- 6
apache/files/Debian/apache-2.2.config.jinja Vedi File

@@ -8,7 +8,7 @@
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
# 1. Directives that control the operation of the Apache server process as a
@@ -87,7 +87,7 @@ KeepAliveTimeout 5

##
## Server-Pool Size Regulation (MPM specific)
##
##

# prefork MPM
# StartServers: number of server processes to start
@@ -116,7 +116,7 @@ KeepAliveTimeout 5
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
@@ -133,7 +133,7 @@ KeepAliveTimeout 5
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxClients 150
@@ -153,8 +153,8 @@ Group ${APACHE_RUN_GROUP}
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny

+ 16
- 16
apache/files/FreeBSD/apache-2.4.config.jinja Vedi File

@@ -2,20 +2,20 @@
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# consult the online docs. You have been warned.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.

#
@@ -168,13 +168,13 @@ LoadModule alias_module libexec/apache24/mod_alias.so

# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
Include {{ apache.portsfile }}

<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
@@ -215,7 +215,7 @@ ServerAdmin root@localhost

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
@@ -279,8 +279,8 @@ DocumentRoot "{{ apache.global_document_root }}"
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
@@ -333,8 +333,8 @@ LogLevel warn

<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
@@ -351,7 +351,7 @@ LogLevel warn
# the filesystem path.

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
@@ -454,10 +454,10 @@ LogLevel warn
#MaxRanges unlimited

#
# EnableMMAP and EnableSendfile: On systems that support it,
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
@@ -467,9 +467,9 @@ LogLevel warn

# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)

+ 1
- 1
apache/files/RedHat/modsecurity.conf.jinja Vedi File

@@ -23,7 +23,7 @@ LoadModule security2_module modules/mod_security2.so
# ModSecurity Core Rules Set configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine {{ sec_rule_engine }}
SecRequestBodyAccess {{ sec_request_body_access }}

+ 1
- 1
apache/flags.sls Vedi File

@@ -4,7 +4,7 @@

include:
- apache
{% for flag in salt['pillar.get']('apache:flags:enabled', []) %}
a2enflag {{ flag }}:
cmd.run:

+ 3
- 3
apache/init.sls Vedi File

@@ -12,7 +12,7 @@ apache:
- system: True
{# By default run apache service states (unless pillar is false) #}
{% if salt['pillar.get']('apache:manage_service_states', True) %}
service.{{apache.service_state}}:
service.{{ apache.service_state }}:
- name: {{ apache.service }}
{% if apache.service_state in [ 'running', 'dead' ] %}
- enable: True
@@ -27,7 +27,7 @@ apache-reload:
- m_name: {{ apache.service }}
{% else %}
- name: cmd.run
- cmd: {{apache.custom_reload_command|default('apachectl graceful')}}
- cmd: {{ apache.custom_reload_command|default('apachectl graceful') }}
- python_shell: True
{% endif %}

@@ -38,7 +38,7 @@ apache-restart:
- m_name: {{ apache.service }}
{% else %}
- name: cmd.run
- cmd: {{apache.custom_reload_command|default('apachectl graceful')}}
- cmd: {{ apache.custom_reload_command|default('apachectl graceful') }}
- python_shell: True
{% endif %}


+ 9
- 9
apache/map.jinja Vedi File

@@ -1,12 +1,12 @@
{# vi: set ft=jinja: #}
{#- vi: set ft=jinja: #}

{% import_yaml "apache/defaults.yaml" as default_settings %}
{% import_yaml "apache/osfamilymap.yaml" as osfamilymap %}
{% import_yaml "apache/oscodenamemap.yaml" as oscodenamemap %}
{% import_yaml "apache/osfingermap.yaml" as osfingermap %}
{% import_yaml "apache/modsecurity.yaml" as modsec %}
{%- import_yaml "apache/defaults.yaml" as default_settings %}
{%- import_yaml "apache/osfamilymap.yaml" as osfamilymap %}
{%- import_yaml "apache/oscodenamemap.yaml" as oscodenamemap %}
{%- import_yaml "apache/osfingermap.yaml" as osfingermap %}
{%- import_yaml "apache/modsecurity.yaml" as modsec %}

{% set defaults = salt['grains.filter_by'](default_settings,
{%- set defaults = salt['grains.filter_by'](default_settings,
default='apache',
merge=salt['grains.filter_by'](modsec, grain='os_family',
merge=salt['grains.filter_by'](osfamilymap, grain='os_family',
@@ -19,5 +19,5 @@
)
) %}

{## Merge the apache pillar ##}
{% set apache = salt['pillar.get']('apache', default=defaults, merge=True) %}
{#- Merge the apache pillar #}
{%- set apache = salt['pillar.get']('apache', default=defaults, merge=True) %}

+ 1
- 1
apache/mod_geoip.sls Vedi File

@@ -27,7 +27,7 @@ geoip conf:
- user: root
- group: root
- mode: 644
- source:
- source:
- salt://apache/files/{{ salt['grains.get']('os_family') }}/geoip.conf

geoip database:

+ 8
- 8
apache/modsecurity.yaml Vedi File

@@ -1,25 +1,25 @@
# -*- coding: utf-8 -*-
# vim: ft=yam
# vim: ft=yaml
---
Debian:
mod_security:
crs_install: False
manage_config: False
crs_install: false
manage_config: false
package: libapache2-mod-security2
crs_package: modsecurity-crs
config_file: /etc/modsecurity/modsecurity.conf-recommended

RedHat:
mod_security:
crs_install: False
manage_config: False
crs_install: false
manage_config: false
package: mod_security
crs_package: mod_security_crs
config_file: /etc/httpd/conf.d/mod_security.conf

Suse:
mod_security:
crs_install: False
manage_config: False
crs_install: false
manage_config: false
package: apache2-mod_security2
config_file: /etc/apache2/conf.d/mod_security2.conf

+ 2
- 2
apache/modules.sls Vedi File

@@ -46,7 +46,7 @@ a2dismod -f {{ module }}:

include:
- apache
{% for module in salt['pillar.get']('apache:modules:enabled', []) %}
find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;:
cmd.run:
@@ -81,7 +81,7 @@ find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ m

include:
- apache
{% for module in salt['pillar.get']('apache:modules:enabled', []) %}
a2enmod {{ module }}:
cmd.run:

+ 11
- 12
apache/oscodenamemap.yaml Vedi File

@@ -1,53 +1,53 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
trusty:
---
trusty:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

utopic:
utopic:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

vivid:
vivid:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

wily:
wily:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

xenial:
xenial:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

yakkety:
yakkety:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

zesty:
zesty:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

artful:
artful:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

jessie:
jessie:
wwwdir: /var/www
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf

stretch:
stretch:
wwwdir: /var/www
confext: .conf
default_site: 000-default.conf
@@ -58,4 +58,3 @@ buster:
confext: .conf
default_site: 000-default.conf
default_site_ssl: default-ssl.conf


+ 5
- 3
apache/osfamilymap.yaml Vedi File

@@ -1,6 +1,6 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
Debian:
server: apache2
service: apache2
@@ -13,6 +13,7 @@ Debian:
mod_php5: libapache2-mod-php5
mod_perl2: libapache2-mod-perl2
mod_fcgid: libapache2-mod-fcgid
# yamllint disable-line rule:line-length
mod_pagespeed_source: https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb
mod_xsendfile: libapache2-mod-xsendfile
mod_fastcgi: libapache2-mod-fastcgi
@@ -40,6 +41,7 @@ RedHat:
conf_mod_wsgi: /etc/httpd/conf.d/wsgi.conf
mod_php5: php
mod_fcgid: mod_fcgid
# yamllint disable-line rule:line-length
mod_pagespeed_source: https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_x86_64.rpm
mod_geoip: mod_geoip
mod_geoip_database: GeoIP
@@ -53,7 +55,7 @@ RedHat:
logrotatedir: /etc/logrotate.d/httpd
wwwdir: /var/www
default_charset: UTF-8
use_require: False
use_require: false
moddir: /etc/httpd/conf.modules.d

Gentoo:
@@ -111,7 +113,7 @@ FreeBSD:
modulesdir: /usr/local/etc/apache24/modules.d
global_document_root: /usr/local/www/apache24/data

confext:
confext: ''
default_site: default
default_site_ssl: default-ssl
logdir: /var/log/

+ 1
- 0
apache/osfingermap.yaml Vedi File

@@ -1,5 +1,6 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
default:
version: '2.4'
Ubuntu-12.04:

+ 1
- 1
apache/server_status.sls Vedi File

@@ -4,7 +4,7 @@ include:
- apache
- apache.config

{{apache.confdir}}/server-status{{apache.confext}}:
{{ apache.confdir }}/server-status{{ apache.confext }}:
file.managed:
- source: salt://apache/files/server-status.conf.jinja
- template: jinja

+ 1
- 1
apache/uninstall.sls Vedi File

@@ -1,5 +1,5 @@
{% from "apache/map.jinja" import apache with context %}
apache-uninstall:
service.dead:
- name: {{ apache.service }}

+ 1
- 1
apache/vhosts/cleanup.sls Vedi File

@@ -26,7 +26,7 @@ include:

a2dissite {{ filename }}:
cmd.run:
- onlyif: "test -L {{ dirpath}}/{{ filename }} || test -f {{ dirpath}}/{{ filename }}"
- onlyif: "test -L {{ dirpath }}/{{ filename }} || test -f {{ dirpath }}/{{ filename }}"
- watch_in:
- module: apache-reload
- require_in:

+ 1
- 1
apache/vhosts/minimal.tmpl Vedi File

@@ -22,7 +22,7 @@
'DocumentRoot': site.get('DocumentRoot', '{0}/{1}'.format(map.wwwdir, sitename))
} -%}

<VirtualHost {% for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}>
<VirtualHost {% for intf in vals.interfaces %} {{ intf }}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}
{% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %}

+ 4
- 4
apache/vhosts/proxy.tmpl Vedi File

@@ -35,7 +35,7 @@
'Require': 'all granted',
},
} %}
<VirtualHost {%- for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}>
<VirtualHost {%- for intf in vals.interfaces %} {{ intf }}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}
{% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %}
@@ -50,7 +50,7 @@
{% if site.get('SSLCertificateFile') %}SSLEngine on
SSLCertificateFile {{ site.SSLCertificateFile }}
{% if site.get('SSLCertificateKeyFile') %}SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }}{% endif %}
{% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile}}{% endif %}
{% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile }}{% endif %}
{% endif %}
{% if site.get('Rewrite') %}RewriteEngine on
{{ site.Rewrite }}
@@ -82,7 +82,7 @@
} %}
<Location "{{ path }}">
{% if apache.version == '2.4' %}
{%- if lvals.get('Require') != False %}Require {{lvals.Require}}{% endif %}
{%- if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
{% else %}
{%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
{%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
@@ -99,7 +99,7 @@
} %}
<LocationMatch "{{ regpath }}">
{% if apache.version == '2.4' %}
{%- if lmvals.get('Require') != False %}Require {{lmvals.Require}}{% endif %}
{%- if lmvals.get('Require') != False %}Require {{ lmvals.Require }}{% endif %}
{% else %}
{%- if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %}
{%- if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %}

+ 3
- 3
apache/vhosts/redirect.tmpl Vedi File

@@ -20,12 +20,12 @@
'ErrorLog': site.get('ErrorLog', '{0}/{1}-error.log'.format(map.logdir, sitename)),
'LogFormat': site.get('LogFormat', '"%h %l %u %t \\\"%r\\\" %>s %O"'),
'CustomLog': site.get('CustomLog', '{0}/{1}-access.log'.format(map.logdir, sitename)),
'RedirectSource': site.get('RedirectSource', '/'),
'RedirectTarget': site.get('RedirectTarget', 'https://{0}/'.format(sitename)),
} %}

<VirtualHost {%- for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}>
<VirtualHost {%- for intf in vals.interfaces %} {{ intf }}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}

@@ -44,7 +44,7 @@
{% else %}
Redirect {{ vals.RedirectSource }} {{ vals.RedirectTarget }}
{% endif %}
{% if site.get('Formula_Append') %}
{{ site.Formula_Append|indent(4) }}
{% endif %}

+ 5
- 5
apache/vhosts/standard.tmpl Vedi File

@@ -43,7 +43,7 @@
},
} -%}

<VirtualHost {% for intf in vals.interfaces %} {{intf}}:{{ vals.port }}{% endfor -%}>
<VirtualHost {% for intf in vals.interfaces %} {{ intf }}:{{ vals.port }}{% endfor -%}>
ServerName {{ vals.ServerName }}
{% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}

@@ -67,9 +67,9 @@
{% if site.get('SSLCertificateFile') %}SSLEngine on
SSLCertificateFile {{ site.SSLCertificateFile }}
{% if site.get('SSLCertificateKeyFile') %}SSLCertificateKeyFile {{ site.SSLCertificateKeyFile }}{% endif %}
{% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile}}{% endif %}
{% if site.get('SSLCertificateChainFile') %}SSLCertificateChainFile {{ site.SSLCertificateChainFile }}{% endif %}
{% endif %}
{% if site.get('Rewrite') %}RewriteEngine on
{{ site.Rewrite }}
{% endif %}
@@ -93,7 +93,7 @@
<Directory "{{ path }}">
{% if dvals.get('Options') != False %}Options {{ dvals.Options }}{% endif %}
{% if map.version == '2.4' %}
{% if dvals.get('Require') != False %}Require {{dvals.Require}}{% endif %}
{% if dvals.get('Require') != False %}Require {{ dvals.Require }}{% endif %}
{% else %}
{% if dvals.get('Order') != False %}Order {{ dvals.Order }}{% endif %}
{% if dvals.get('Allow') != False %}Allow {{ dvals.Allow }}{% endif %}
@@ -117,7 +117,7 @@

<Location "{{ path }}">
{% if map.version == '2.4' %}
{%- if lvals.get('Require') != False %}Require {{lvals.Require}}{% endif %}
{%- if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
{% else %}
{%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
{%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}

+ 32
- 0
bin/kitchen Vedi File

@@ -0,0 +1,32 @@
#!/usr/bin/env ruby
# frozen_string_literal: true

#
# This file was generated by Bundler.
#
# The application 'kitchen' is installed as part of a gem, and
# this file is here to facilitate running it.
#

require 'pathname'
ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile',
Pathname.new(__FILE__).realpath)

bundle_binstub = File.expand_path('bundle', __dir__)

if File.file?(bundle_binstub)
if File.read(bundle_binstub, 300) =~ /This file was generated by Bundler/
load(bundle_binstub)
else
abort(
'Your `bin/bundle` was not generated by Bundler, '\
'so this binstub cannot run. Replace `bin/bundle` by running '\
'`bundle binstubs bundler --force`, then run this command again.'
)
end
end

require 'rubygems'
require 'bundler/setup'

load Gem.bin_path('test-kitchen', 'kitchen')

+ 3
- 0
commitlint.config.js Vedi File

@@ -0,0 +1,3 @@
module.exports = {
extends: ['@commitlint/config-conventional'],
};

README.rst → docs/README.rst Vedi File

@@ -1,122 +1,152 @@
======
.. _readme:

apache
======

|img_travis| |img_sr|

.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/apache-formula.svg?branch=master
:alt: Travis CI Build Status
:scale: 100%
:target: https://travis-ci.com/saltstack-formulas/apache-formula
.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
:alt: Semantic Release
:scale: 100%
:target: https://github.com/semantic-release/semantic-release

Formulas to set up and configure the Apache HTTP server.

.. note::
.. contents:: **Table of Contents**

General notes
-------------

See the full `SaltStack Formulas installation and usage instructions
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.

If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
<https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas>`_.

If you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,
which contains the currently released version. This formula is versioned according to `Semantic Versioning <http://semver.org/>`_.

See the full `Salt Formulas installation and usage instructions
<http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_.
See `Formula Versioning Section <https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning>`_ for more details.

Contributing to this repo
-------------------------

**Commit message formatting is significant!!**

Please see `How to contribute <https://github.com/saltstack-formulas/.github/blob/master/CONTRIBUTING.rst>`_ for more details.

Available states
================
----------------

.. contents::
:local:
:local:

``apache``
----------
^^^^^^^^^^

Installs the Apache package and starts the service.

``apache.config``
-----------------
^^^^^^^^^^^^^^^^^

Configures apache based on os_family

``apache.certificates``
-----------------
^^^^^^^^^^^^^^^^^^^^^^^

Deploy SSL certificates from pillars

``apache.mod_mpm``
------------------
^^^^^^^^^^^^^^^^^^

Configures the apache mpm modules on Debian ``mpm_prefork``, ``mpm_worker`` or ``mpm_event`` (Debian Only)

``apache.modules``
------------------
^^^^^^^^^^^^^^^^^^

Enables and disables Apache modules.

``apache.mod_rewrite``
----------------------
^^^^^^^^^^^^^^^^^^^^^^

Enabled the Apache module mod_rewrite (Debian and FreeBSD only)

``apache.mod_proxy``
-------------------
^^^^^^^^^^^^^^^^^^^^

Enables the Apache module mod_proxy. (Debian and FreeBSD only)

``apache.mod_proxy_http``
-------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^

Enables the Apache module mod_proxy_http and requires the Apache module mod_proxy to be enabled. (Debian Only)

``apache.mod_proxy_fcgi``
-------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^

Enables the Apache module mod_proxy_fcgi and requires the Apache module mod_proxy to be enabled. (Debian Only)

``apache.mod_wsgi``
-------------------
^^^^^^^^^^^^^^^^^^^

Installs the mod_wsgi package and enables the Apache module.

``apache.mod_actions``
----------------------
^^^^^^^^^^^^^^^^^^^^^^

Enables the Apache module mod_actions. (Debian Only)

``apache.mod_headers``
----------------------
^^^^^^^^^^^^^^^^^^^^^^

Enables the Apache module mod_headers. (Debian Only)

``apache.mod_pagespeed``
------------------------
^^^^^^^^^^^^^^^^^^^^^^^^

Installs and Enables the mod_pagespeed module. (Debian and RedHat Only)

``apache.mod_perl2``
-------------------
^^^^^^^^^^^^^^^^^^^^

Installs and enables the mod_perl2 module (Debian and FreeBSD only)

``apache.mod_geoip``
-------------------
^^^^^^^^^^^^^^^^^^^^

Installs and enables the mod_geoIP (RedHat only)

``apache.mod_php5``
-------------------
^^^^^^^^^^^^^^^^^^^

Installs and enables the mod_php5 module

``apache.mod_cgi``
---------------------
^^^^^^^^^^^^^^^^^^

Enables mod_cgi. (FreeBSD only)

``apache.mod_fcgid``
--------------------
^^^^^^^^^^^^^^^^^^^^

Installs and enables the mod_fcgid module (Debian only)

``apache.mod_fastcgi``
--------------------
^^^^^^^^^^^^^^^^^^^^^^

Installs and enables the mod_fastcgi module

``apache.mod_dav_svn``
--------------------
^^^^^^^^^^^^^^^^^^^^^^

Installs and enables the mod_dav_svn module (Debian only)

``apache.mod_security``
----------------------
^^^^^^^^^^^^^^^^^^^^^^^

Installs an enables the `Apache mod_security2 WAF`<http://modsecurity.org/>`_
using data from Pillar. (Debian and RedHat Only)
@@ -124,53 +154,53 @@ using data from Pillar. (Debian and RedHat Only)
Allows you to install the basic Core Rules (CRS) and some basic configuration for mod_security2

``apache.mod_security.rules``
-----------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This state can create symlinks based on basic Core Rules package. (Debian only)
Or it can distribute a mod_security rule file and place it /etc/modsecurity/

``apache.mod_socache_shmcb``
---------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enables mod_socache_shmcb. (FreeBSD only)

``apache.mod_ssl``
----------------------
^^^^^^^^^^^^^^^^^^

Installs and enables the mod_ssl module (Debian, RedHat and FreeBSD only)

``apache.mod_suexec``
---------------------
^^^^^^^^^^^^^^^^^^^^^

Enables mod_suexec. (FreeBSD only)

``apache.mod_vhost_alias``
----------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^

Enables the Apache module vhost_alias (Debian Only)

``apache.mod_remoteip``
----------------------
^^^^^^^^^^^^^^^^^^^^^^^

Enables and configures the Apache module mod_remoteip using data from Pillar. (Debian Only)

``apache.mod_xsendfile``
----------------------
^^^^^^^^^^^^^^^^^^^^^^^^

Installs and enables mod_xsendfile module. (Debian Only)

``apache.own_default_vhost``
--------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Replace default vhost with own version. By default, it's 503 code. (Debian Only)

``apache.no_default_vhost``
--------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Remove the default vhost. (Debian Only)

``apache.vhosts.standard``
--------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^

Configures Apache name-based virtual hosts and creates virtual host directories using data from Pillar.

@@ -194,22 +224,22 @@ of interfaces to bind to. For example, to bind both IPv4 and IPv6:
interface: '1.2.3.4 [2001:abc:def:100::3]'
``apache.manage_security``
--------------------------
^^^^^^^^^^^^^^^^^^^^^^^^^^

Configures Apache's security.conf options by reassinging them using data from Pillar.

``apache.server_status``
--------------------------
^^^^^^^^^^^^^^^^^^^^^^^^

Configures Apache's server_status handler for localhost

``apache.debian_full``
----------------------
^^^^^^^^^^^^^^^^^^^^^^

Installs and configures Apache on Debian and Ubuntu systems.

``apache.uninstall``
----------
^^^^^^^^^^^^^^^^^^^^

Stops the Apache service and uninstalls the package.

@@ -238,3 +268,48 @@ Example Pillar:
name: 'my name'
path: 'salt://path/to/sites-available/conf/file'
state: 'enabled'

Testing
-------

Linux testing is done with ``kitchen-salt``.

Requirements
^^^^^^^^^^^^

* Ruby
* Docker

.. code-block:: bash

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where ``[platform]`` is the platform name defined in ``kitchen.yml``,
e.g. ``debian-9-2019-2-py3``.

``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^

Creates the docker instance and runs the ``template`` main state, ready for testing.

``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^

Runs the ``inspec`` tests on the actual instance.

``bin/kitchen destroy``
^^^^^^^^^^^^^^^^^^^^^^^

Removes the docker instance.

``bin/kitchen test``
^^^^^^^^^^^^^^^^^^^^

Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.

``bin/kitchen login``
^^^^^^^^^^^^^^^^^^^^^

Gives you SSH access to the instance for manual testing.

+ 212
- 0
kitchen.yml Vedi File

@@ -0,0 +1,212 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# For help on this file's format, see https://kitchen.ci/
driver:
name: docker
use_sudo: false
privileged: true
run_command: /lib/systemd/systemd

# Make sure the platforms listed below match up with
# the `env.matrix` instances defined in `.travis.yml`
platforms:
## SALT `develop`
- name: debian-10-develop-py3
driver:
image: netmanagers/salt-develop-py3:debian-10
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: ubuntu-1804-develop-py3
driver:
image: netmanagers/salt-develop-py3:ubuntu-18.04
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: centos-7-develop-py3
driver:
image: netmanagers/salt-develop-py3:centos-7
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: fedora-30-develop-py3
driver:
image: netmanagers/salt-develop-py3:fedora-30
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python3 git develop
- name: opensuse-leap-15-develop-py3
driver:
image: opensuse/leap:15
provision_command:
# yamllint disable-line rule:line-length
- zypper install -y glibc-locale net-tools net-tools-deprecated python-xml python3-pip
- systemctl enable sshd.service
run_command: /usr/lib/systemd/systemd
provisioner:
salt_bootstrap_options: -XdPfrq -x python3 git develop
salt_install: bootstrap
# Workaround to avoid intermittent failures on `opensuse-leap-15`:
# => SCP did not finish successfully (255): (Net::SCP::Error)
transport:
max_ssh_sessions: 1
- name: amazonlinux-2-develop-py2
driver:
image: netmanagers/salt-develop-py2:amazonlinux-2
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python2 git develop
- name: arch-base-latest-develop-py2
driver:
image: netmanagers/salt-develop-py2:arch-base-latest
provision_command:
- curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
- sh bootstrap-salt.sh -XdPbfrq -x python2 git develop
run_command: /usr/lib/systemd/systemd

## SALT `2019.2`
- name: debian-9-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:debian-9
- name: ubuntu-1804-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:ubuntu-18.04
- name: centos-7-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:centos-7
- name: fedora-30-2019-2-py3
driver:
image: netmanagers/salt-2019.2-py3:fedora-30
- name: opensuse-leap-15-2019-2-py3
driver:
image: opensuse/leap:15
provision_command:
# yamllint disable-line rule:line-length
- zypper install -y glibc-locale net-tools net-tools-deprecated python-xml python3-pip
- systemctl enable sshd.service
run_command: /usr/lib/systemd/systemd
provisioner:
salt_bootstrap_options: -XdPfrq -x python3 git 2019.2
salt_install: bootstrap
# Workaround to avoid intermittent failures on `opensuse-leap-15`:
# => SCP did not finish successfully (255): (Net::SCP::Error)
transport:
max_ssh_sessions: 1
- name: amazonlinux-2-2019-2-py2
driver:
image: netmanagers/salt-2019.2-py2:amazonlinux-2
- name: arch-base-latest-2019-2-py2
driver:
image: netmanagers/salt-2019.2-py2:arch-base-latest
run_command: /usr/lib/systemd/systemd

## SALT `2018.3`
- name: debian-9-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:debian-9
- name: ubuntu-1604-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:ubuntu-16.04
- name: centos-7-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:centos-7
- name: fedora-29-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:fedora-29
- name: opensuse-leap-15-2018-3-py2
driver:
image: opensuse/leap:15
provision_command:
# yamllint disable-line rule:line-length
- zypper install -y glibc-locale net-tools net-tools-deprecated python-xml python2-pip
- systemctl enable sshd.service
run_command: /usr/lib/systemd/systemd
provisioner:
salt_bootstrap_options: -XdPfrq -x python2 git 2018.3
salt_install: bootstrap
# Workaround to avoid intermittent failures on `opensuse-leap-15`:
# => SCP did not finish successfully (255): (Net::SCP::Error)
transport:
max_ssh_sessions: 1
- name: amazonlinux-2-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:amazonlinux-2
- name: arch-base-latest-2018-3-py2
driver:
image: netmanagers/salt-2018.3-py2:arch-base-latest
run_command: /usr/lib/systemd/systemd

## SALT `2017.7`
- name: debian-8-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:debian-8
- name: ubuntu-1604-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:ubuntu-16.04
- name: centos-6-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:centos-6
run_command: /sbin/init
- name: fedora-29-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:fedora-29
- name: opensuse-leap-15-2017-7-py2
driver:
image: opensuse/leap:15
provision_command:
# yamllint disable-line rule:line-length
- zypper install -y glibc-locale net-tools net-tools-deprecated python-xml python2-pip
- systemctl enable sshd.service
run_command: /usr/lib/systemd/systemd
provisioner:
salt_bootstrap_options: -XdPfrq -x python2 git 2017.7
salt_install: bootstrap
# Workaround to avoid intermittent failures on `opensuse-leap-15`:
# => SCP did not finish successfully (255): (Net::SCP::Error)
transport:
max_ssh_sessions: 1
- name: amazonlinux-2-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:amazonlinux-2
- name: arch-base-latest-2017-7-py2
driver:
image: netmanagers/salt-2017.7-py2:arch-base-latest
run_command: /usr/lib/systemd/systemd

provisioner:
name: salt_solo
log_level: debug
salt_install: none
require_chef: false
formula: apache
salt_copy_filter:
- .kitchen
- .git

verifier:
# https://www.inspec.io/
name: inspec
sudo: true
# cli, documentation, html, progress, json, json-min, json-rspec, junit
reporter:
- cli

suites:
- name: default
provisioner:
state_top:
base:
'*':
- apache
- apache.mod_security
pillars:
top.sls:
base:
'*':
- apache
pillars_from_files:
apache.sls: test/salt/pillar/default.sls
verifier:
inspec_tests:
- path: test/integration/default

+ 67
- 51
pillar.example Vedi File

@@ -1,8 +1,11 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
# ``apache`` formula configuration:
apache:

# By default apache restart/reload states run (false skips)
manage_service_states: True
manage_service_states: true

# lookup section overrides ``map.jinja`` values
lookup:
@@ -47,9 +50,10 @@ apache:
example.net:
template_file: salt://apache/vhosts/minimal.tmpl

example.com: # must be unique; used as an ID declaration in Salt.
enabled: True
template_file: salt://apache/vhosts/standard.tmpl # or minimal.tmpl or redirect.tmpl or proxy.tmpl
example.com: # must be unique; used as an ID declaration in Salt.
enabled: true
# or minimal.tmpl or redirect.tmpl or proxy.tmpl
template_file: salt://apache/vhosts/standard.tmpl

####################### DEFAULT VALUES BELOW ############################
# NOTE: the values below are simply default settings that *can* be
@@ -64,42 +68,51 @@ apache:
interface: '*'
port: '80'

exclude_listen_directive: True # Do not add a Listen directive in httpd.conf
exclude_listen_directive: true # Do not add a Listen directive in httpd.conf

ServerName: example.com # uses the unique ID above unless specified
#ServerAlias: www.example.com # Do not add ServerAlias unless defined
ServerName: example.com # uses the unique ID above unless specified
# ServerAlias: www.example.com # Do not add ServerAlias unless defined

ServerAdmin: webmaster@example.com

LogLevel: warn
ErrorLog: /path/to/logs/example.com-error.log # E.g.: /var/log/apache2/example.com-error.log
CustomLog: /path/to/logs/example.com-access.log # E.g.: /var/log/apache2/example.com-access.log

DocumentRoot: /path/to/www/dir/example.com # E.g., /var/www/example.com
DocumentRootUser: null # do not enforce user, defaults to lookup:document_root_user
DocumentRootGroup: www-data # Force group, defaults to lookup:document_root_group

SSLCertificateFile: /etc/ssl/mycert.pem # if ssl is desired
SSLCertificateKeyFile: /etc/ssl/mycert.pem.key # if key for cert is needed or in an extra file
SSLCertificateChainFile: /etc/ssl/mycert.chain.pem # if you require a chain of server certificates file
# E.g.: /var/log/apache2/example.com-error.log
ErrorLog: /path/to/logs/example.com-error.log
# E.g.: /var/log/apache2/example.com-access.log
CustomLog: /path/to/logs/example.com-access.log

# E.g., /var/www/example.com
DocumentRoot: /path/to/www/dir/example.com
# do not enforce user, defaults to lookup:document_root_user
DocumentRootUser: null
# Force group, defaults to lookup:document_root_group
DocumentRootGroup: www-data

# if ssl is desired
SSLCertificateFile: /etc/ssl/mycert.pem
# if key for cert is needed or in an extra file
SSLCertificateKeyFile: /etc/ssl/mycert.pem.key
# if you require a chain of server certificates file
SSLCertificateChainFile: /etc/ssl/mycert.chain.pem

Directory:
# "default" is a special case; uses DocumentRoot value
# E.g.: /var/www/example.com
default:
Options: -Indexes +FollowSymLinks
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
AllowOverride: None
Formula_Append: |
Additional config as a
multi-line string here

redirectmatch.com:
# Use RedirectMatch Directive https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
# Require module mod_alias
enabled: True
# Use RedirectMatch Directive
# - https://httpd.apache.org/docs/2.4/fr/mod/mod_alias.html#redirectmatch
# Require module mod_alias
enabled: true
template_file: salt://apache/vhosts/redirect.tmpl
ServerName: www.redirectmatch.com
ServerAlias: www.redirectmatch.com
@@ -228,7 +241,7 @@ apache:

Location:
/:
Require: False
Require: false
Formula_Append: |
SecRuleRemoveById 981231
SecRuleRemoveById 981173
@@ -237,27 +250,27 @@ apache:
Require: 'all granted'

/docs:
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
Order: allow,deny # For Apache < 2.4
Allow: from all # For apache < 2.4
Require: all granted # For apache > 2.4.
Formula_Append: |
Additional config as a
multi-line string here

LocationMatch:
'^[.\\/]+([Ww][Ee][Bb][Mm][Aa][Ii][Ll])[.\\/]':
Require: False
Require: false
Formula_Append: |
RequestHeader set Host mail.example.com

'^[.\\/]+([Ss][Vv][Cc])[.\\/]':
Require: False
Require: false
Formula_Append: |
Require ip 123.123.13.6 84.24.25.74

Proxy_control:
'*':
AllowAll: False
AllowAll: false
AllowCountry:
- DE
AllowIP:
@@ -280,21 +293,21 @@ apache:
path: 'salt://path/to/sites-available/conf/file'
state: 'enabled'
# Optional - use managed file as Jinja Template
#template: true
#defaults:
# custom_var: "default value"
# template: true
# defaults:
# custom_var: "default value"

modules:
enabled: # List modules to enable
enabled: # List modules to enable
- ldap
- ssl
disabled: # List modules to disable
- rewrite

flags:
enabled: # List server flags to enable
enabled: # List server flags to enable
- SSL
disabled: # List server flags to disable
disabled: # List server flags to disable
- status

# KeepAlive: Whether or not to allow persistent connections (more than
@@ -325,9 +338,9 @@ apache:

# ``apache.mod_security`` formula additional configuration:
mod_security:
crs_install: True
crs_install: true
# If not set, default distro's configuration is installed as is
manage_config: True
manage_config: true
sec_rule_engine: 'On'
sec_request_body_access: 'On'
sec_request_body_limit: '14000000'
@@ -339,33 +352,36 @@ apache:
sec_debug_log_level: '3'

rules:
enabled:
enabled: ~
modsecurity_crs_10_setup.conf:
rule_set: ''
enabled: True
enabled: true
modsecurity_crs_20_protocol_violations.conf:
rule_set: 'base_rules'
enabled: False
enabled: false

custom_rule_files:
# any name as an array index, and you can duplicate this section
UNIQUE_VALUE_HERE:
file: 'my name'
path: 'salt://path/to/modsecurity/custom/file'
enabled: True
enabled: true

mod_ssl:
# set this to True if you want to override your distributions default TLS configuration
manage_tls_defaults: False
# This stuff is deliberately not configured via map.jinja resp. apache:lookup.
# We're unable to know sane defaults for each release of every distribution.
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
# Have a look at bettercrypto.org for up-to-date settings.
# set this to true if you want to override your distributions default TLS
# configuration
manage_tls_defaults: false
# This stuff is deliberately not configured via map.jinja resp.
# apache:lookup. We're unable to know sane defaults for each release of
# every distribution.
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for
# a related discussion Have a look at bettercrypto.org for up-to-date
# settings.
# These are default values:
# yamllint disable-line rule:line-length
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Mitigate the CRIME attack
SSLCompression: Off
SSLCompression: 'Off'
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder: On
SSLHonorCipherOrder: 'On'
SSLOptions: "+StrictRequire"


+ 30
- 0
pre-commit_semantic-release.sh Vedi File

@@ -0,0 +1,30 @@
#!/bin/sh

###############################################################################
# (A) Update `FORMULA` with `${nextRelease.version}`
###############################################################################
sed -i -e "s_^\(version:\).*_\1 ${1}_" FORMULA


###############################################################################
# (B) Use `m2r` to convert automatically produced `.md` docs to `.rst`
###############################################################################

# Install `m2r`
sudo -H pip install m2r

# Copy and then convert the `.md` docs
cp *.md docs/
cd docs/
m2r --overwrite *.md

# Change excess `H1` headings to `H2` in converted `CHANGELOG.rst`
sed -i -e '/^=.*$/s/=/-/g' CHANGELOG.rst
sed -i -e '1,4s/-/=/g' CHANGELOG.rst

# Use for debugging output, when required
# cat AUTHORS.rst
# cat CHANGELOG.rst

# Return back to the main directory
cd ..

+ 18
- 0
release-rules.js Vedi File

@@ -0,0 +1,18 @@
// No release is triggered for the types commented out below.
// Commits using these types will be incorporated into the next release.
//
// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`.
module.exports = [
{breaking: true, release: 'major'},
// {type: 'build', release: 'patch'},
// {type: 'chore', release: 'patch'},
// {type: 'ci', release: 'patch'},
{type: 'docs', release: 'patch'},
{type: 'feat', release: 'minor'},
{type: 'fix', release: 'patch'},
{type: 'perf', release: 'patch'},
{type: 'refactor', release: 'patch'},
{type: 'revert', release: 'patch'},
{type: 'style', release: 'patch'},
{type: 'test', release: 'patch'},
];

+ 106
- 0
release.config.js Vedi File

@@ -0,0 +1,106 @@
module.exports = {
branch: 'master',
plugins: [
['@semantic-release/commit-analyzer', {
preset: 'angular',
releaseRules: './release-rules.js',
}],
'@semantic-release/release-notes-generator',
['@semantic-release/changelog', {
changelogFile: 'CHANGELOG.md',
changelogTitle: '# Changelog',
}],
['@semantic-release/exec', {
prepareCmd: 'sh ./pre-commit_semantic-release.sh ${nextRelease.version}',
}],
['@semantic-release/git', {
assets: ['*.md', 'docs/*.rst', 'FORMULA'],
}],
'@semantic-release/github',
],
generateNotes: {
preset: 'angular',
writerOpts: {
// Required due to upstream bug preventing all types being displayed.
// Bug: https://github.com/conventional-changelog/conventional-changelog/issues/317
// Fix: https://github.com/conventional-changelog/conventional-changelog/pull/410
transform: (commit, context) => {
const issues = []

commit.notes.forEach(note => {
note.title = `BREAKING CHANGES`
})

// NOTE: Any changes here must be reflected in `CONTRIBUTING.md`.
if (commit.type === `feat`) {
commit.type = `Features`
} else if (commit.type === `fix`) {
commit.type = `Bug Fixes`
} else if (commit.type === `perf`) {
commit.type = `Performance Improvements`
} else if (commit.type === `revert`) {
commit.type = `Reverts`
} else if (commit.type === `docs`) {
commit.type = `Documentation`
} else if (commit.type === `style`) {
commit.type = `Styles`
} else if (commit.type === `refactor`) {
commit.type = `Code Refactoring`
} else if (commit.type === `test`) {
commit.type = `Tests`
} else if (commit.type === `build`) {
commit.type = `Build System`
// } else if (commit.type === `chore`) {
// commit.type = `Maintenance`
} else if (commit.type === `ci`) {
commit.type = `Continuous Integration`
} else {
return
}

if (commit.scope === `*`) {
commit.scope = ``
}

if (typeof commit.hash === `string`) {
commit.hash = commit.hash.substring(0, 7)
}

if (typeof commit.subject === `string`) {
let url = context.repository
? `${context.host}/${context.owner}/${context.repository}`
: context.repoUrl
if (url) {
url = `${url}/issues/`
// Issue URLs.
commit.subject = commit.subject.replace(/#([0-9]+)/g, (_, issue) => {
issues.push(issue)
return `[#${issue}](${url}${issue})`
})
}
if (context.host) {
// User URLs.
commit.subject = commit.subject.replace(/\B@([a-z0-9](?:-?[a-z0-9/]){0,38})/g, (_, username) => {
if (username.includes('/')) {
return `@${username}`
}

return `[@${username}](${context.host}/${username})`
})
}
}

// remove references that already appear in the subject
commit.references = commit.references.filter(reference => {
if (issues.indexOf(reference.issue) === -1) {
return true
}

return false
})

return commit
},
},
},
};

+ 50
- 0
test/integration/default/README.md Vedi File

@@ -0,0 +1,50 @@
# InSpec Profile: `default`

This shows the implementation of the `default` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).

## Verify a profile

InSpec ships with built-in features to verify a profile structure.

```bash
$ inspec check default
Summary
-------
Location: default
Profile: profile
Controls: 4
Timestamp: 2019-06-24T23:09:01+00:00
Valid: true

Errors
------

Warnings
--------
```

## Execute a profile

To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.

```bash
$ inspec exec default
..

Finished in 0.0025 seconds (files took 0.12449 seconds to load)
8 examples, 0 failures
```

## Execute a specific control from a profile

To run one control from the profile use `inspec exec /path/to/profile --controls name`.

```bash
$ inspec exec default --controls package
.

Finished in 0.0025 seconds (files took 0.12449 seconds to load)
1 examples, 0 failures
```

See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb).

+ 29
- 0
test/integration/default/controls/mod_security_spec.rb Vedi File

@@ -0,0 +1,29 @@
# frozen_string_literal: true

control 'Apache mod_security configuration' do
title 'should match desired lines'

modspec_file =
case platform[:family]
when 'redhat', 'fedora'
'/etc/httpd/conf.d/mod_security.conf'
when 'debian'
'/etc/modsecurity/modsecurity.conf-recommended'
end

describe file(modspec_file) do
it { should be_file }
its('mode') { should cmp '0644' }
its('owner') { should eq 'root' }
its('group') { should eq 'root' }
its('content') { should match(/SecRuleEngine On/) }
its('content') { should match(/SecRequestBodyAccess On/) }
its('content') { should match(/SecRequestBodyLimit 14000000/) }
its('content') { should match(/SecRequestBodyNoFilesLimit 114002/) }
its('content') { should match(/SecRequestBodyInMemoryLimit 114002/) }
its('content') { should match(/SecRequestBodyLimitAction Reject/) }
its('content') { should match(/SecPcreMatchLimit 15000/) }
its('content') { should match(/SecPcreMatchLimitRecursion 15000/) }
its('content') { should match(/SecDebugLogLevel 3/) }
end
end

+ 18
- 0
test/integration/default/inspec.yml Vedi File

@@ -0,0 +1,18 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
name: default
title: apache formula
maintainer: SaltStack Formulas
license: Apache-2.0
summary: Verify that the apache formula is setup and configured correctly
supports:
- platform-name: debian
- platform-name: ubuntu
- platform-name: centos
- platform-name: fedora
- platform-name: opensuse
- platform-name: suse
- platform-name: freebsd
- platform-name: amazon
- platform-name: arch

+ 0
- 29
test/integration/mod_security/serverspec/mod_security_spec.rb Vedi File

@@ -1,29 +0,0 @@
require_relative '../../../kitchen/data/spec_helper'

describe 'apache.mod_security' do

case os[:family]
when 'redhat'
modspec_file = '/etc/httpd/conf.d/mod_security.conf'
when 'debian', 'ubuntu'
modspec_file = '/etc/modsecurity/modsecurity.conf-recommended'
else
# No other supported ATM
end

describe file(modspec_file) do
it { should exist }
it { should be_mode 644 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
its(:content) { should match /SecRuleEngine On/ }
its(:content) { should match /SecRequestBodyAccess On/ }
its(:content) { should match /SecRequestBodyLimit 14000000/ }
its(:content) { should match /SecRequestBodyNoFilesLimit 114002/ }
its(:content) { should match /SecRequestBodyInMemoryLimit 114002/ }
its(:content) { should match /SecRequestBodyLimitAction Reject/ }
its(:content) { should match /SecPcreMatchLimit 15000/ }
its(:content) { should match /SecPcreMatchLimitRecursion 15000/ }
its(:content) { should match /SecDebugLogLevel 3/ }
end
end

+ 17
- 0
test/salt/pillar/default.sls Vedi File

@@ -0,0 +1,17 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
apache:
manage_service_states: false
mod_security:
crs_install: true
manage_config: true
sec_rule_engine: 'On'
sec_request_body_access: 'On'
sec_request_body_limit: '14000000'
sec_request_body_no_files_limit: '114002'
sec_request_body_in_memory_limit: '114002'
sec_request_body_limit_action: 'Reject'
sec_pcre_match_limit: '15000'
sec_pcre_match_limit_recursion: '15000'
sec_debug_log_level: '3'

+ 0
- 9
test/shared/spec_helper.rb Vedi File

@@ -1,9 +0,0 @@
require "serverspec"
require "pathname"

# Set backend type
set :backend, :exec

RSpec.configure do |c|
c.path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
end

Loading…
Annulla
Salva