refactor(formula): align to template-formula & improve ci features

FEATURE: Archlinux support
FEATURE: Windows support
FEATURE: Enhanced CI/CD
FEATURE: modular states

BREAKING CHANGE: 'apache.sls' converted to new style 'init.ssl'
BREAKING CHANGE: "logrotate.sls" became "config/logrotate.sls"
BREAKING CHANGE: "debian_full.sls" became "config/debian_full.sls"
BREAKING CHANGE: "flags.sls" became "config/flags.sls"
BREAKING CHANGE: "manage_security" became "config/manage_security.sls"
BREAKING CHANGE: "mod_*.sls" became "config/mod_*.sls"
BREAKING CHANGE: "no_default_host.sls" became "config/no_default_host.sls"
BREAKING CHANGE: "own_default_host.sls" became "config/own_default_host.sls"
BREAKING CHANGE: "register_site.sls" became "config/register_site.sls"
BREAKING CHANGE: "server_status.sls" became "config/server_status.sls"
BREAKING CHANGE: "vhosts/" became "config/vhosts/"
BREAKING CHANGE: "mod_security/" became "config/mod_security/"

NOT-BREAKING CHANGE: 'config.sls' became 'config/init.sls'
NOT-BREAKING CHANGE: 'uninstall.sls' symlinked to 'clean.sls'

.salt-lint

@@ -19,7 +19,8 @@ rules:
     ignore: |
       apache/files/Debian/ssl.conf.jinja
       apache/files/FreeBSD/mod_ssl.conf.jinja
-      apache/files/tls-defaults.conf.jinja
+      apache/files/ssl/tls-defaults.conf.jinja
+      test/salt/pillar/modules.sls
 skip_list:
   # Using `salt-lint` for linting other files as well, such as Jinja macros/templates
   - 205  # Use ".sls" as a Salt State file extension

.travis.yml

@@ -58,35 +58,38 @@ jobs:
     ## Define the rest of the matrix based on Kitchen testing
     # Make sure the instances listed below match up with
     # the `platforms` defined in `kitchen.yml`
-    - env: INSTANCE=default-debian-10-master-py3
-    # - env: INSTANCE=default-ubuntu-1804-master-py3
-    # - env: INSTANCE=default-centos-8-master-py3
-    # - env: INSTANCE=default-fedora-31-master-py3
-    # - env: INSTANCE=default-opensuse-leap-151-master-py3
-    # - env: INSTANCE=default-amazonlinux-2-master-py3
-    # - env: INSTANCE=default-debian-10-2019-2-py3
-    # - env: INSTANCE=default-debian-9-2019-2-py3
-    - env: INSTANCE=default-ubuntu-1804-2019-2-py3
-    # - env: INSTANCE=default-centos-8-2019-2-py3
-    # - env: INSTANCE=default-fedora-31-2019-2-py3
-    # - env: INSTANCE=default-opensuse-leap-151-2019-2-py3
-    # - env: INSTANCE=default-centos-7-2019-2-py2
-    - env: INSTANCE=default-amazonlinux-2-2019-2-py3
-    # - env: INSTANCE=default-arch-base-latest-2019-2-py2
-    - env: INSTANCE=default-fedora-30-2018-3-py3
-    # - env: INSTANCE=default-debian-9-2018-3-py2
-    # - env: INSTANCE=default-ubuntu-1604-2018-3-py2
-    # - env: INSTANCE=default-centos-7-2018-3-py2
-    # - env: INSTANCE=default-opensuse-leap-151-2018-3-py2
-    # - env: INSTANCE=default-amazonlinux-1-2018-3-py2
-    # - env: INSTANCE=default-arch-base-latest-2018-3-py2
-    # - env: INSTANCE=default-debian-8-2017-7-py2
-    # - env: INSTANCE=default-ubuntu-1604-2017-7-py2
-    - env: INSTANCE=default-centos-6-2017-7-py2
-    # - env: INSTANCE=default-fedora-30-2017-7-py2
-    # - env: INSTANCE=default-opensuse-leap-151-2017-7-py2
-    # - env: INSTANCE=default-amazonlinux-1-2017-7-py2
-    # - env: INSTANCE=default-arch-base-latest-2017-7-py2
+    - env: INSTANCE=modules-debian-10-master-py3
+    # env: INSTANCE=modules-ubuntu-1804-master-py3
+    - env: INSTANCE=modules-centos-8-master-py3
+    - env: INSTANCE=modules-fedora-31-master-py3
+    - env: INSTANCE=modules-opensuse-leap-151-master-py3
+
+    # https://community.letsencrypt.org/t/localhost-crt-does-not-exist-or-is-empty/103979
+    - env: INSTANCE=default-amazonlinux-2-master-py3
+
+    # - env: INSTANCE=modules-debian-10-2019-2-py3
+    # - env: INSTANCE=modules-debian-9-2019-2-py3
+    - env: INSTANCE=modules-ubuntu-1804-2019-2-py3
+    # - env: INSTANCE=modules-centos-8-2019-2-py3
+    # - env: INSTANCE=modules-fedora-31-2019-2-py3
+    # - env: INSTANCE=suse-opensuse-leap-151-2019-2-py3
+    - env: INSTANCE=modules-centos-7-2019-2-py2
+    # env: INSTANCE=default-amazonlinux-2-2019-2-py3
+    # - env: INSTANCE=modules-arch-base-latest-2019-2-py2
+    # env: INSTANCE=modules-fedora-30-2018-3-py3
+    # - env: INSTANCE=modules-debian-9-2018-3-py2
+    # - env: INSTANCE=modules-ubuntu-1604-2018-3-py2
+    # - env: INSTANCE=modules-centos-7-2018-3-py2
+    # - env: INSTANCE=modules-opensuse-leap-151-2018-3-py2
+    # - env: INSTANCE=modules-amazonlinux-1-2018-3-py2
+    # - env: INSTANCE=modules-arch-base-latest-2018-3-py2
+    # - env: INSTANCE=modules-debian-8-2017-7-py2
+    # - env: INSTANCE=modules-ubuntu-1604-2017-7-py2
+    # env: INSTANCE=default-centos-6-2017-7-py2
+    # - env: INSTANCE=modules-fedora-30-2017-7-py2
+    # - env: INSTANCE=modules-opensuse-leap-151-2017-7-py2
+    # - env: INSTANCE=modules-amazonlinux-1-2017-7-py2
+    - env: INSTANCE=arch-arch-base-latest-2017-7-py2
 
     ## Define the release stage that runs `semantic-release`
     - stage: 'release'

.yamllint

@@ -12,6 +12,9 @@ ignore: |
   node_modules/
   test/**/states/**/*.sls
   .kitchen/
+  test/salt/pillar/modules.sls
+  test/salt/pillar/default.sls
+  pillar.example
 
 yaml-files:
   # Default settings

apache/certificates

@@ -0,0 +1 @@
+config/certificates/

apache/certificates.sls

@@ -1,63 +0,0 @@
-{% from "apache/map.jinja" import apache with context %}
-
-include:
-  - apache
-
-{%- for site, confcert in salt['pillar.get']('apache:sites', {}).items() %}
-
-{% if confcert.SSLCertificateKeyFile is defined and confcert.SSLCertificateKeyFile_content is defined %}
-# Deploy {{ site }} key file
-apache_cert_config_{{ site }}_key_file:
-  file.managed:
-    - name: {{ confcert.SSLCertificateKeyFile }}
-    - contents_pillar: apache:sites:{{ site }}:SSLCertificateKeyFile_content
-    - makedirs: True
-    - mode: 600
-    - user: root
-    - group: root
-    - watch_in:
-      - module: apache-reload
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-{% endif %}
-
-{% if confcert.SSLCertificateFile is defined and confcert.SSLCertificateFile_content is defined %}
-# Deploy {{ site }} cert file
-apache_cert_config_{{ site }}_cert_file:
-  file.managed:
-    - name: {{ confcert.SSLCertificateFile }}
-    - contents_pillar: apache:sites:{{ site }}:SSLCertificateFile_content
-    - makedirs: True
-    - mode: 600
-    - user: root
-    - group: root
-    - watch_in:
-      - module: apache-reload
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-{% endif %}
-
-{% if confcert.SSLCertificateChainFile is defined and confcert.SSLCertificateChainFile_content is defined %}
-# Deploy {{ site }} bundle file
-apache_cert_config_{{ site }}_bundle_file:
-  file.managed:
-    - name: {{ confcert.SSLCertificateChainFile }}
-    - contents_pillar: apache:sites:{{ site }}:SSLCertificateChainFile_content
-    - makedirs: True
-    - mode: 600
-    - user: root
-    - group: root
-    - watch_in:
-      - module: apache-reload
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-{% endif %}
-
-{%- endfor %}
-

apache/clean.sls

@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+  - .service.clean
+  - .config.clean
+  - .package.clean

apache/config.sls

@@ -1,140 +0,0 @@
-{% from "apache/map.jinja" import apache with context %}
-
-include:
-  - apache
-
-{{ apache.logdir }}:
-  file.directory:
-    - makedirs: True
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-
-{{ apache.configfile }}:
-  file.managed:
-    - template: jinja
-    - source:
-      - salt://apache/files/{{ salt['grains.get']('os_family') }}/apache-{{ apache.version }}.config.jinja
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-    - context:
-      apache: {{ apache | json }}
-
-{{ apache.vhostdir }}:
-  file.directory:
-    - makedirs: True
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-
-{% if grains['os_family']=="Debian" %}
-/etc/apache2/envvars:
-  file.managed:
-    - template: jinja
-    - source:
-      - salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-
-{{ apache.portsfile }}:
-  file.managed:
-    - template: jinja
-    - source:
-      - salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-    - context:
-      apache: {{ apache | json }}
-
-{% endif %}
-
-{% if grains['os_family']=="RedHat" %}
-{{ apache.confdir }}/welcome.conf:
-  file.absent:
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-{% endif %}
-
-{% if grains['os_family']=="Suse" or salt['grains.get']('os') == 'SUSE' %}
-/etc/apache2/global.conf:
-  file.managed:
-    - template: jinja
-    - source:
-      - salt://apache/files/{{ salt['grains.get']('os_family') }}/global.config.jinja
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-    - context:
-      apache: {{ apache | json }}
-{% endif %}
-
-{% if grains['os_family']=="FreeBSD" %}
-/usr/local/etc/{{ apache.service }}/envvars.d/by_salt.env:
-  file.managed:
-    - template: jinja
-    - source:
-      - salt://apache/files/{{ salt['grains.get']('os_family') }}/envvars-{{ apache.version }}.jinja
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-
-{{ apache.portsfile }}:
-  file.managed:
-    - template: jinja
-    - source:
-      - salt://apache/files/{{ salt['grains.get']('os_family') }}/ports-{{ apache.version }}.conf.jinja
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-    - context:
-      apache: {{ apache | json }}
-{% endif %}

apache/config/certificates/clean.sls

@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+
+{%- for site, cert in salt['pillar.get']('apache:sites', {}).items() %}
+
+    {%- if cert.SSLCertificateKeyFile is defined %}
+
+apache_cert_config_clean_{{ site }}_key_file:
+  file.absent:
+    - name: {{ cert.SSLCertificateKeyFile }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}
+    {%- if cert.SSLCertificateFile is defined %}
+
+apache_cert_config_clean_{{ site }}_cert_file:
+  file.absent:
+    - name: {{ cert.SSLCertificateFile }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}
+    {%- if cert.SSLCertificateChainFile is defined %}
+
+apache_cert_config_clean_{{ site }}_bundle_file:
+  file.managed:
+    - name: {{ cert.SSLCertificateChainFile }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}
+{%- endfor %}

apache/config/certificates/init.sls

@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+  - .install

apache/config/certificates/install.sls

@@ -0,0 +1,67 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+
+{%- for site, cert in salt['pillar.get']('apache:sites', {}).items() %}
+
+    {%- if cert.SSLCertificateKeyFile is defined and cert.SSLCertificateKeyFile_content is defined %}
+
+apache_cert_config_install_{{ site }}_key_file:
+  file.managed:
+    - name: {{ cert.SSLCertificateKeyFile }}
+    - contents_pillar: apache:sites:{{ site }}:SSLCertificateKeyFile_content
+    - makedirs: True
+    - mode: 600
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}
+    {%- if cert.SSLCertificateFile is defined and cert.SSLCertificateFile_content is defined %}
+
+apache_cert_config_install_{{ site }}_cert_file:
+  file.managed:
+    - name: {{ cert.SSLCertificateFile }}
+    - contents_pillar: apache:sites:{{ site }}:SSLCertificateFile_content
+    - makedirs: True
+    - mode: 600
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}
+    {%- if cert.SSLCertificateChainFile is defined and cert.SSLCertificateChainFile_content is defined %}
+
+apache_cert_config_install_{{ site }}_bundle_file:
+  file.managed:
+    - name: {{ cert.SSLCertificateChainFile }}
+    - contents_pillar: apache:sites:{{ site }}:SSLCertificateChainFile_content
+    - makedirs: True
+    - mode: 600
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}
+{%- endfor %}

apache/config/clean.sls

@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_clean = tplroot ~ '.service.clean' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - .modules.clean
+  - {{ sls_service_clean }}
+
+apache-config-clean-file-absent:
+  file.absent:
+    - names:
+      - {{ apache.config }}
+      - {{ apache.logdir }}
+      - {{ apache.vhostdir }}
+      - /etc/apache2/envvars
+      # apache.portsfile
+      - /etc/apache2/global.conf
+      - /etc/httpd/conf.modules.d
+      - /etc/httpd/sites-enabled
+      - /etc/httpd/var
+      - {{ apache.confdir }}/server-status{{ apache.confext }}
+    - require:
+      - sls: {{ sls_service_clean }}

apache/config/debian_full.sls

@@ -0,0 +1,50 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_config_registersite = tplroot ~ '.config.register_site' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains.os_family in ('Debian',) %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_service_running }}
+  - {{ sls_config_registersite }}
+
+extend:
+  apache-package-install-pkg-installed:
+    pkg:
+      - order: 175
+  apache-service-running:
+    service:
+      - order: 455
+  apache-service-running-reload:
+    module:
+      - order: 420
+  apache-service-running-restart:
+    module:
+      - order: 425
+
+apache-config-debian-full-cmd-run:
+  cmd.run:
+    - name: a2dissite 000-default{{ apache.confext }} || true
+    - onlyif: test -f /etc/apache2/sites-enabled/000-default{{ apache.confext }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+    - require:
+      - pkg: apache-package-install-pkg-installed
+  file.absent:
+    - names:
+      - /etc/apache2/sites-available/{{ apache.default_site }}
+      - /etc/apache2/sites-available/{{ apache.default_site_ssl }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+
+    {%- endif %} #END: os = debian

apache/config/file.sls

@@ -0,0 +1,166 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-file-directory-logdir:
+  file.directory:
+    - name: {{ apache.logdir }}
+    - user: {{ apache.user }}
+    - group: {{ apache.group }}
+    - recurse:
+      - user
+      - group
+    - makedirs: True
+    - require:
+      - sls: {{ sls_package_install }}
+    - require_in:
+      - service: apache-service-running
+
+apache-config-file-directory-vhostdir:
+  file.directory:
+    - name: {{ apache.vhostdir }}
+    - makedirs: True
+    - require:
+      - sls: {{ sls_package_install }}
+    - require_in:
+      - service: apache-service-running
+
+apache-config-file-directory-moddir:
+  file.directory:
+    - name: {{ apache.moddir }}
+    - makedirs: True
+    - require:
+      - sls: {{ sls_package_install }}
+    - require_in:
+      - service: apache-service-running
+
+    {%- if apache.davlockdbdir %}
+
+apache-config-file-directory-davlockdbdir:
+  file.directory:
+    - name: {{ apache.davlockdbdir }}
+    - makedirs: True
+    - user: {{ apache.user }}
+    - group: {{ apache.group }}
+    - recurse:
+      - user
+      - group
+    - require:
+      - sls: {{ sls_package_install }}
+    - require_in:
+      - service: apache-service-running
+
+    {%- endif %}
+    {%- if 'sitesdir' in apache and apache.sitesdir %}
+
+apache-config-file-directory-sites-enabled:
+  file.directory:
+    - name: {{ apache.sitesdir }}
+    - makedirs: True
+    - require:
+      - sls: {{ sls_package_install }}
+    - require_in:
+      - service: apache-service-running
+
+    {%- endif %}
+    {%- if grains.os_family in ('Debian',) and 'confdir' in apache and apache.confdir %}
+
+apache-config-file-directory-conf-enabled:
+  file.directory:
+    - name: {{ apache.confdir }}
+    - makedirs: True
+    - require:
+      - sls: {{ sls_package_install }}
+    - require_in:
+      - service: apache-service-running
+
+    {%- endif %}
+
+apache-config-file-managed:
+  file.managed:
+    - name: {{ apache.config }}
+    - source: 'salt://apache/files/{{ grains.os_family }}/apache-{{ apache.version }}.config.jinja'
+    - mode: 644
+    - user: {{ apache.rootuser }}
+        {%- if grains.kernel != 'Windows' %}
+    - group: {{ apache.rootgroup }}
+        {%- endif %}
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - require:
+      - sls: {{ sls_package_install }}
+    - context:
+        apache: {{ apache | json }}
+
+  {%- if grains.os_family in ('Debian', 'FreeBSD') %}
+
+apache-config-file-managed-{{ grains.os }}-env:
+  file.managed:
+    - name: /etc/apache2/envvars
+    - source: 'salt://apache/files/{{ grains.os_family }}/envvars-{{ apache.version }}.jinja'
+    - mode: 644
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache | json }}
+    - require_in:
+      - file: apache-config-file-managed-{{ grains.os }}-ports
+
+apache-config-file-managed-{{ grains.os }}-ports:
+  file.managed:
+    - name: {{ apache.portsfile }}
+    - source: salt://apache/files/{{ grains.os_family }}/ports-{{ apache.version }}.conf.jinja
+    - mode: 644
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache | json }}
+
+  {%- elif grains.os_family == "RedHat" %}
+
+apache-config-file-absent-{{ grains.os }}:
+  file.absent:
+    - name: {{ apache.confdir }}/welcome.conf
+
+  {%- elif grains.os_family == "Suse" %}
+
+apache-config-file-managed-{{ grains.os }}:
+  file.managed:
+    - name: /etc/apache2/global.conf
+    - source: 'salt://apache/files/Suse/global.config.jinja'
+    - mode: 644
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache | json }}
+
+  {%- else %}
+
+apache-config-file-managed-skip:
+  test.show_notification:
+    - text: |
+        No configuration file to manage
+
+  {%- endif %}
+    - require:
+      - sls: {{ sls_package_install }}
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - service: apache-service-running

apache/config/flags.sls

@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+{%- from tplroot ~ "/libtofs.jinja" import files_switch with context %}
+
+    {%- if grains.os_family == 'Suse' %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_service_running }}
+
+       {%- for flag in salt['pillar.get']('apache:flags:enabled', []) %}
+
+apache-config-flags-{{ flag }}-cmd-a2en:
+  cmd.run:
+    - name: a2enflag {{ flag }}
+    - unless: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 |grep {{ flag }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+       {%- endfor %}
+       {%- for flag in salt['pillar.get']('apache:flags:disabled', []) %}
+
+apache-config-flags-{{ flag }}-a2dis:
+  cmd.run:
+    - name: a2disflag -f {{ flag }}
+    - onlyif: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+        {%- endfor %}
+
+    {%- endif %}

apache/config/init.sls

@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+  - .file
+  # .modules.clean  # disable (exclude from init state)
+  # .modules        # enable by default (read pillars)
+  - .debian_full
+  - .flags
+  - .logrotate
+  - .manage_security
+  - .no_default_vhost
+  - .own_default_vhost
+  - .register_site
+  - .vhosts

apache/config/logrotate.sls

@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+apache-config-logrotate-file-managed:
+  file.managed:
+    - name: {{ apache.logrotatedir }}
+    - makedirs: True
+    - contents: |
+        {{ apache.logdir }}/*.log {
+                daily
+                missingok
+                rotate 14
+                compress
+                delaycompress
+                notifempty
+                create 640 root adm
+                sharedscripts
+                postrotate
+                    if /etc/init.d/{{ apache.service }} status >/dev/null; then \
+                        /etc/init.d/{{ apache.service }} reload >/dev/null; \
+                    fi;
+                endscript
+                prerotate
+                    if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+                       run-parts /etc/logrotate.d/httpd-prerotate; \
+                    fi; \
+                endscript
+        }

apache/config/manage_security.sls

@@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains.os_family in ('Debian', 'FreeBSD') %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_service_running }}
+
+apache-config-manage-security-{{ grains.os_family }}:
+  file.managed:
+        {%- if grains.os_family == "Debian" %}
+
+    - onlyif: test -f /etc/apache2/conf-available/security.conf
+    - name: /etc/apache2/conf-available/security.conf
+
+        {%- elif grains.os_family == "FreeBSD" %}
+
+    - name: {{ apache.confdir + '/security.conf' }}
+
+        {%- endif %}
+    - source:
+      - salt://apache/files/{{ grains.os_family }}/security.conf.jinja
+      - salt://apache/files/ssl/security.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache | json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/clean.sls

@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_clean = tplroot ~ '.package.clean' %}
+{%- set sls_service_dead = tplroot ~ '.service.clean' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_dead }}
+
+    {%- set existing_states = salt['cp.list_states']() %}
+    {%- for module in salt['pillar.get']('apache:modules:disabled', []) %}
+apache-config-modules-{{ module }}-disable:
+
+        {%- if grains['os_family']=="Debian" %}
+
+  cmd.run:
+    - name: a2dismod -f {{ module }}
+    - onlyif: ls {{ apache.moddir }}/{{ module }}.load
+
+        {%- elif grains.os_family in ('Redhat', 'Arch') %}
+
+  cmd.run:
+    - name: find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^\s*LoadModule.{{ module }}_module\)/#\1/g' {} \;
+    - onlyif:
+      - test -d /etc/httpd
+      - {{ grains.os_family in ('Arch',) and 'true' }} || (httpd -M 2> /dev/null |grep "[[:space:]]{{ module }}_module")
+  file.absent:
+    - name: /etc/httpd/conf.modules.d/*{{ module }}.conf
+
+        {%- elif salt['grains.get']('os_family') == 'Suse' %}
+
+  cmd.run:
+    - name: a2dismod {{ module }}
+    - onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep {{ module }}
+
+        {%- else %}
+
+  test.show_notification:
+    - text: |
+        No {{ module }} module change
+
+        {%- endif %}
+
+    - order: 225
+    - require:
+      - sls: {{ sls_service_dead }}
+    - require_in:
+      - pkg: apache-package-clean-pkg-removed
+
+    {%- endfor %}

apache/config/modules/init.sls

@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+  - .install
+  - .mod_rewrite
+  - .mod_proxy
+  - .mod_headers
+  {%- if 'osfinger' in grains and grains.osfinger not in ('Amazon Linux-2',) %}
+  - .mod_geoip
+  {%- endif %}

apache/config/modules/install.sls

@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_config_file = tplroot ~ '.config.file' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_config_file }}
+
+    {% set existing_states = salt['cp.list_states']() %}
+    {% for module in salt['pillar.get']('apache:modules:enabled', []) %}
+apache-config-modules-{{ module }}-enable:
+
+        {% if grains['os_family']=="Debian" %}
+
+  cmd.run:
+    - name: a2enmod -f {{ module }}
+    - onlyif: ls {{ apache.moddir }}/{{ module }}.load
+
+        {% elif grains.os_family in ('RedHat', 'Arch') %}
+
+  cmd.run:
+    - name: find /etc/httpd/ -name '*.conf' -type f -exec sed -i -e 's/\(^#\)\(\s*LoadModule.{{ module }}_module\)/\2/g' {} \;
+    - onlyif: {{ grains.os_family in ('Arch',) and 'true' }} || (httpd -M 2> /dev/null |grep "[[:space:]]{{ module }}_module")
+
+        {% elif salt['grains.get']('os_family') == 'Suse' %}
+
+  cmd.run:
+    - name: a2enmod {{ module }}
+    - onlyif: egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 |grep {{ module }}
+
+        {% else %}
+
+  test.show_notification:
+    - text: |
+        No {{ module }} module change
+
+        {%- endif %}
+    - order: 225
+    - require:
+      - sls: {{ sls_config_file }}
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+
+    {%- endfor %}

apache/config/modules/mod_actions.sls

@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-actions-cmd-run:
+  cmd.run:
+    - name: a2enmod actions
+    - unless:
+      - ls {{ apache.moddir }}/actions.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep actions
+    - order: 255
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_cgi.sls

@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family']=="FreeBSD" %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-cgi-cmd-run:
+  file.managed:
+    - name: {{ apache.modulesdir }}/040_mod_cgi.conf
+    - source: salt://apache/files/FreeBSD/mod_cgi.conf.jinja
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - makedirs: True
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+    - mode: 644
+
+    {%- endif %}

apache/config/modules/mod_dav_svn.sls

@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family'] == "Debian" %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-dav_svn_pkg_installed:
+  pkg.installed:
+    - name: libapache2-mod-svn
+
+apache-config-modules-dav_svn_cmd-run-a2en:
+  cmd.run:
+    - name: a2enmod dav_svn
+    - unless: ls {{ apache.moddir }}/dav_svn.load
+    - order: 255
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      - pkg: apache-config-modules-dav_svn_pkg_installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+apache-config-modules-dav_svn_cmd-run-a2en-authz:
+  cmd.run:
+    - name: a2enmod authz_svn
+    - unless: ls {{ apache.moddir }}/authz_svn.load
+    - order: 255
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      - pkg: apache-config-modules-dav_svn_pkg_installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_fastcgi.sls

@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family'] == "Debian" %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+  - .mod_actions
+
+apache-config-modules-fastcgi-pkg:
+  pkgrepo.managed:
+    - name: "deb http://ftp.us.debian.org/debian {{ grains['oscodename'] }}"
+    - file: /etc/apt/sources.list.d/non-free.list
+    - onlyif: grep Debian /proc/version >/dev/null 2>&1
+    - comps: non-free
+  pkg.installed:
+    - name: {{ apache.mod_fastcgi }}
+    - order: 180
+    - require:
+      - pkgrepo: apache-config-modules-fastcgi-pkg
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+apache-config-modules-fastcgi_cmd-run:
+  cmd.run:
+    - name: a2enmod fastcgi
+    - unless: ls {{ apache.moddir }}/fastcgi.load
+    - order: 225
+    - require:
+      - pkg: mod-fastcgi
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_fcgid.sls

@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-fcgid-pkg:
+  pkg.installed:
+    - name: {{ apache.mod_fcgid }}
+    - order: 180
+    - require:
+      - pkg: apache-package-install-pkg-installed
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+  cmd.run:
+    - name: a2enmod fcgid
+    - order: 225
+    - unless: ls {{ apache.moddir }}/fcgid.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' fcgid'
+    - require:
+      - pkg: apache-config-modules-fcgid-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_geoip.sls

@@ -0,0 +1,87 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if 'mod_geoip' in apache and 'finger' in grains and grains.osfinger not in ('Leap-42',) %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-geoip-pkg:
+  pkg.installed:
+    - pkgs:
+      - {{ apache.mod_geoip }}
+      - {{ apache.mod_geoip_database }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+        {%- if grains['os_family']=="RedHat" %}
+
+apache-config-modules-geoip-conf-file-managed:
+  file.managed:
+    - name: {{ apache.confdir }}/geoip.conf
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - makedirs: True
+    - mode: 644
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - source:
+      - salt://apache/files/{{ salt['grains.get']('os_family') }}/geoip.conf
+
+apache-config-modules-geoip-db-file-managed:
+  file.managed:
+    - name: /usr/share/GeoIP/GeoIP.dat
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - makedirs: True
+    - mode: 644
+    - source:
+      - salt://apache/files/{{ salt['grains.get']('os_family') }}/GeoIP.dat
+
+apache-config-modules-geoip-{{ grains.os_family }}-conf-file-managed:
+  file.managed:
+    - name: {{ apache.moddir }}/10-geoip.conf
+    - makedirs: True
+    - source:
+      - salt://apache/files/RedHat/conf.modules.d/10-geoip.conf.jinja
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+        {%- elif grains['os_family'] in ('Suse', 'Debian',) %}
+
+apache-config-modules-geoip-cmd-run:
+  cmd.run:
+    - name: a2enmod geoip
+    - unless: ls {{ apache.moddir }}/geoip.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep geoip
+    - order: 255
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      - pkg: apache-config-modules-geoip-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+        {%- endif %}
+    {%- endif %}

apache/config/modules/mod_headers.sls

@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-headers-pkg:
+  cmd.run:
+    - name: a2enmod headers
+    - unless: ls {{ apache.moddir }}/headers.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep headers
+    - order: 255
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_logio.sls

@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-logio-pkg:
+  cmd.run:
+    - name: a2enmod logio
+    - unless: ls {{ apache.moddir }}/logio.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep logio
+    - order: 255
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_mpm.sls

@@ -0,0 +1,84 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+{%- set mpm_module = salt['pillar.get']('apache:mpm:module', 'mpm_prefork') %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+apache-config-modules-mpm-pkg:
+  cmd.run:
+    - name: a2enmod {{ mpm_module }}
+    - unless: ls {{ apache.moddir }}/{{ mpm_module }}.load
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+  file.managed:
+    - name: /etc/apache2/mods-available/{{ mpm_module }}.conf
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - makedirs: True
+    - context:
+      apache: {{ apache|json }}
+    - source:
+      - salt://apache/files/Debian/mpm/{{ mpm_module }}.conf.jinja
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+         # Deactivate the other mpm modules as a previous step
+         {%- for mod in ['mpm_prefork', 'mpm_worker', 'mpm_event'] if not mod == mpm_module %}
+
+apache-config-modules-mpm-{{ mod }}-cmd-run:
+  cmd.run:
+    - name: a2dismod {{ mod }}
+    - onlyif: ls {{ apache.moddir }}/{{ mod }}.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' {{ mod }}'
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - require_in:
+      - cmd: a2enmod {{ mpm_module }}
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+         {%- endfor %}
+    {%- elif grains['os_family']=="RedHat" %}
+
+apache-config-modules-mpm-{{ grains.os_family }}-conf-file-managed:
+  file.managed:
+    - name: {{ apache.moddir }}/00-mpm.conf
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - makedirs: True
+    - context:
+      apache: {{ apache|json }}
+    - source:
+      - salt://apache/files/RedHat/conf.modules.d/00-{{ mpm_module }}.conf.jinja
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_pagespeed.sls

@@ -0,0 +1,68 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+{%- set pagespeed_module = salt['pillar.get']('apache:pagespeed:module', 'pagespeed_prefork') %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+apache-config-modules-pagespeed-pkg:
+  pkg.installed:
+    - name: {{ apache.mod_pagespeed }}
+    - sources:
+      - mod-pagespeed-stable: {{ apache.mod_pagespeed_source }}
+  cmd.run:
+    - name: a2enmod pagespeed
+    - unless: ls {{ apache.moddir }}/pagespeed.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep pagespeed
+    - order: 255
+    - require:
+      - pkg: apache-config-modules-pagespeed-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+        {%- for dir in ['/var/cache/mod_pagespeed', '/var/log/pagespeed'] %}
+
+apache-config-modules-pagespeed-{{ dir }}-file-directory:
+  file.directory
+    - name: {{ dir }}
+    - makedirs: true
+    - user: {{ apache.user }}
+    - group: {{ apache.group }}
+    - require:
+      - pkg: apache-config-modules-pagespeed-pkg
+      - user: {{ apache.user }}
+      - group: {{ apache.group }}
+
+        {%- endfor %}
+        # Here we hardcode a logrotate entry to take care of the logs
+
+apache-config-modules-pagespeed-logrotate-file-managed:
+  file.managed:
+    - name: /etc/logrotate.d/pagespeed
+    - contents: |
+        /var/log/pagespeed/*.log {
+          weekly
+          missingok
+          rotate 52
+          compress
+          delaycompress
+          notifempty
+          sharedscripts
+          postrotate
+            if /etc/init.d/apache2 status > /dev/null ; then \
+              /etc/init.d/apache2 reload > /dev/null; \
+            fi;
+          endscript
+        }
+    {%- endif %}

apache/config/modules/mod_perl2.sls

@@ -0,0 +1,60 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-perl-pkg:
+  pkg.installed:
+    - name: {{ apache.mod_perl2 }}
+    - order: 180
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+  cmd.run:
+    - name: a2enmod perl
+    - unless: ls {{ apache.moddir }}/perl.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' perl'
+    - order: 225
+    - require:
+      - pkg: apache-config-modules-perl-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- elif grains['os_family']=="FreeBSD" %}
+
+  file.managed:
+    - name: {{ apache.modulesdir }}/260_mod_perl.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_perl.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_php5.sls

@@ -0,0 +1,84 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+
+apache-config-modules-php5-pkg:
+  pkg.installed:
+    - name: {{ apache.mod_php5 }}
+    - order: 180
+    - require:
+      - pkg: apache-package-install-pkg-installed
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+  cmd.run:
+    - name: a2enmod php5
+    - unless: ls {{ apache.moddir }}/php5.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' php5'
+    - order: 225
+    - require:
+      - pkg: mod-php5
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+        {%- if 'apache' in pillar and 'php-ini' in pillar['apache'] %}
+
+  file.managed:
+    - name: /etc/php5/apache2/php.ini
+    - source: {{ pillar['apache']['php-ini'] }}
+    - order: 225
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      - pkg: apache-config-modules-php5-pkg
+
+        {%- endif %}
+    {%- elif grains['os_family']=="FreeBSD" %}
+
+  file.managed:
+    - name: {{ apache.modulesdir }}/050_mod_php5.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_php5.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- elif grains['os_family']=="Suse" %}
+
+  file.replace:
+    - name: /etc/sysconfig/apache2
+    - unless: grep '^APACHE_MODULES=.*php5' /etc/sysconfig/apache2
+    - pattern: '^APACHE_MODULES=(.*)"'
+    - repl: 'APACHE_MODULES=\1 php5"'
+
+    {%- endif %}

apache/config/modules/mod_proxy.sls

@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+apache-config-modules-proxy-pkg:
+  cmd.run:
+    - name: a2enmod proxy
+    - unless: ls {{ apache.moddir }}/proxy.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' proxy'
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- elif grains['os_family']=="FreeBSD" %}
+
+apache-config-modules-proxy-file-managed:
+  file.managed:
+    - name: {{ apache.modulesdir }}/040_mod_proxy.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_proxy_ajp.sls

@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+  - .mod_proxy
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+apache-config-modules-proxy_ajp-pkg:
+  cmd.run:
+    - name: a2enmod proxy_ajp
+    - unless: ls {{ apache.moddir }}/proxy_ajp.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_ajp
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      # cmd: a2enmod proxy
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- elif grains['os_family']=="FreeBSD" %}
+
+apache-config-modules-proxy_ajp-file-managed:
+  file.managed:
+    - name: {{ apache.modulesdir }}/040_mod_proxy_ajp.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy_ajp.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_proxy_fcgi.sls

@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+  - .mod_proxy
+
+apache-config-modules-proxy_fcgi-pkg:
+  cmd.run:
+    - name: a2enmod proxy_fcgi
+    - unless: ls {{ apache.moddir }}/proxy_fcgi.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_fcgi
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      # cmd: a2enmod proxy
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_proxy_http.sls

@@ -0,0 +1,51 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+  - .mod_proxy
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+apache-config-modules-proxy_http-pkg:
+  cmd.run:
+    - name: a2enmod proxy_http
+    - unless: ls {{ apache.moddir }}/proxy_http.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep proxy_http
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      # cmd: a2enmod proxy
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- elif grains['os_family']=="FreeBSD" %}
+
+apache-config-modules-proxy_http-file-managed:
+  file.managed:
+    - name: {{ apache.modulesdir }}/040_mod_proxy_http.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_proxy_http.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_remoteip.sls

@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+apache-config-modules-remoteip-cmd-run-mod-a2en:
+  cmd.run:
+    - name: a2enmod remoteip
+    - unless: ls {{ apache.moddir }}/remoteip.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep remoteip
+    - order: 255
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+apache-config-modules-remoteip-cmd-run-conf:
+  cmd.run:
+    - name: a2enconf remoteip
+    - unless: ls /etc/apache2/conf-enabled/remoteip.conf
+    - order: 255
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+  file.managed:
+    - name: /etc/apache2/conf-available/remoteip.conf
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - makedirs: True
+    - context:
+      apache: {{ apache|json }}
+    - source:
+      - salt://apache/files/{{ salt['grains.get']('os_family') }}/conf-available/remoteip.conf.jinja
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+      - cmd: apache-config-modules-remoteip-cmd-run-conf
+
+    {%- elif grains['os_family']=="RedHat" %}
+
+apache-config-modules-remoteip-file-managed-conf:
+  file.managed:
+    - name: /etc/httpd/conf.d/remoteip.conf
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - makedirs: True
+    - context:
+      apache: {{ apache|json }}
+    - source:
+      - salt://apache/files/{{ salt['grains.get']('os_family') }}/conf.modules.d/remoteip.conf.jinja
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_rewrite.sls

@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+    {%- if grains['os_family'] in ('Debian', 'Suse') %}
+
+apache-config-modules-rewrite-cmd-run-mod:
+  cmd.run:
+    - name: a2enmod rewrite
+    - unless: ls {{ apache.moddir }}/rewrite.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep rewrite
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- elif grains['os_family']=="FreeBSD" %}
+
+apache-config-modules-rewrite-file-managed-conf:
+  file.managed:
+    - name: {{ apache.modulesdir }}/040_mod_rewrite.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_rewrite.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_security/init.sls

@@ -0,0 +1,89 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+    {%- if grains.os_family not in ('Arch',) %}
+
+apache-config-modules-security-pkg:
+  pkg.installed:
+    - name: {{ apache.mod_security.package }}
+    - order: 180
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+        {%- if apache.mod_security.crs_install and 'crs_package' in apache.mod_security %}
+
+apache-config-modules-security-crs-pkg:
+  pkg.installed:
+    - name: {{ apache.mod_security.crs_package }}
+    - order: 180
+    - require:
+      - pkg: apache-config-modules-security-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+        {%- endif %}
+        {%- if apache.mod_security.manage_config and 'config_file' in apache.mod_security %}
+
+apache-config-modules-security-main-config-file-managed:
+  file.managed:
+    - name: {{ apache.mod_security.config_file }}
+    - order: 220
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - source:
+      - {{ 'salt://apache/files/' ~ salt['grains.get']('os_family') ~ '/modsecurity.conf.jinja' }}
+    - context: {{ apache.mod_security|json }}
+    - require:
+      - pkg: apache-config-modules-security-pkg
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+        {%- endif %}
+        {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+apache-config-modules-security-cmd-run-a2en-security2:
+  cmd.run:
+    - name: a2enmod security2
+    - unless: ls {{ apache.moddir }}/security2.load && ls {{ apache.moddir }}/security2.conf
+    - order: 225
+
+        {%- elif grains.os_family in ('Redhat',) %}
+apache-config-modules-security-file-directory-modsecurity:
+  file.directory:
+    - name: /etc/httpd/modsecurity.d
+        {%- endif %}
+
+    - require:
+      - pkg: apache-config-modules-security-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+    {%- endif %}

apache/mod_security/rules.sls → apache/config/modules/mod_security/rules.sls

@@ -6,14 +6,14 @@ include:
   - apache.mod_security
 
 {%- for rule_name, rule_details in mod_security.get('rules', {}).items() %}
-  {% set rule_set = rule_details.get('rule_set', '') %}
-  {% set enabled = rule_details.get('enabled', False ) %}
+  {%- set rule_set = rule_details.get('rule_set', '') %}
+  {%- set enabled = rule_details.get('enabled', False ) %}
   {%- if enabled %}
 /etc/modsecurity/{{ rule_name }}:
   file.symlink:
     - target: /usr/share/modsecurity-crs/{{ rule_set }}/{{ rule_name }}
-    - user: root
-    - group: root
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
     - mode: 755
   {%- else %}
 /etc/modsecurity/{{ rule_name }}:
@@ -24,17 +24,18 @@ include:
 {%- endfor %}
 
 {%- for custom_rule, custom_rule_details in mod_security.get('custom_rule_files', {}).items() %}
-  {% set file = custom_rule_details.get('file', None) %}
-  {% set path = custom_rule_details.get('path', None) %}
-  {% set enabled = custom_rule_details.get('enabled', False ) %}
+  {%- set file = custom_rule_details.get('file', None) %}
+  {%- set path = custom_rule_details.get('path', None) %}
+  {%- set enabled = custom_rule_details.get('enabled', False ) %}
 
   {%- if enabled %}
 /etc/modsecurity/{{ file }}:
   file.managed:
     - source: {{ path }}
-    - user: root
-    - group: root
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
     - mode: 755
+    - makedirs: True
   {%- else %}
 /etc/modsecurity/{{ file }}:
   file.absent:
@@ -42,4 +43,4 @@ include:
   {%- endif %}
 {%- endfor %}
 
-{% endif %}
+{%- endif %}

apache/config/modules/mod_socache_shmcb.sls

@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family']=="FreeBSD" %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-socache_shmcb-file-managed:
+  file.managed:
+    - name: {{ apache.modulesdir }}/009_mod_socache_shmcb.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/generic_module.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+    - context:
+      module_name: socache_shmcb
+
+    {%- endif %}

apache/config/modules/mod_ssl.sls

@@ -0,0 +1,129 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+    {%- if grains['os_family'] in ('Debian', 'Suse') %}
+
+apache-config-modules-ssl-cmd-run:
+  cmd.run:
+    - name: a2enmod ssl
+    - unless: ls {{ apache.moddir }}/ssl.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep ' ssl'
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+  file.managed:
+    - name: /etc/apache2/mods-available/ssl.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/ssl.conf.jinja
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - mode: 644
+    - makedirs: True
+    - watch_in:
+      - module: apache-service-running-restart
+
+    {%- elif grains['os_family']=="RedHat" %}
+
+apache-config-modules-ssl-pkg:
+  pkg.installed:
+    - name: {{ apache.pkg.mod_ssl }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+  file.absent:
+    - name: {{ apache.confdir }}/ssl.conf
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- elif grains['os_family']=="FreeBSD" %}
+  - .mod_ssl
+
+apache-config-modules-ssl-file-managed:
+  file.managed:
+    - name: {{ apache.modulesdir }}/010_mod_ssl.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_ssl.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}
+
+apache-config-modules-ssl-file-managed-tls-defaults:
+    {%- if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+  file.managed:
+    - name: {{ apache.confdir }}/tls-defaults.conf
+    - source: salt://apache/files/ssl/tls-defaults.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    {%- else %}
+  file.absent:
+    - name: {{ apache.confdir }}/tls-defaults.conf
+    {%- endif %}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- if grains['os_family'] in ('Debian',) %}
+apache-config-modules-ssl-cmd-run-debian-tls-defaults:
+  cmd.run:
+       {%- if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+    - name: a2enconf tls-defaults
+    - unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+       {%- else %}
+    - name: a2disconf tls-defaults
+    - onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+       {%- endif %}
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      - file: {{ apache.confdir }}/tls-defaults.conf
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+    {%- endif %}

apache/config/modules/mod_status.sls

@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_package_install }}
+
+apache-config-server-status:
+  file.managed:
+    - name: {{ apache.confdir }}/server-status{{ apache.confext }}
+    - source: 'salt://apache/files/server-status.conf.jinja'
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - makedirs: True
+    - context:
+        apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- if grains['os_family'] == "Debian" %}
+
+apache-config-server-status-file-directory:
+  file.directory:
+    - name: /etc/apache2/conf-enabled
+    - require:
+      - pkg: apache-package-install-pkg-installed
+
+apache-config-server-status-cmd-run:
+  cmd.run:
+    - name: a2enconf server-status
+    - unless: 'test -L /etc/apache2/conf-enabled/server-status.conf'
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      - file: apache-config-server-status
+      - file: apache-config-server-status-file-directory
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_suexec.sls

@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family']=="FreeBSD" %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-suexec-file-managed:
+  file.managed:
+    - name: {{ apache.modulesdir }}/040_mod_suexec.conf
+    - source: salt://apache/files/{{ salt['grains.get']('os_family') }}/mod_suexec.conf.jinja
+    - mode: 644
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_upload_progress.sls

@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-upload_progress-pkg:
+  pkg.installed
+    - name: {{ apache.mod_upload_progress }}
+  cmd.run:
+    - name: a2enmod upload_progress
+    - unless: ls {{ apache.moddir }}/upload_progress.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep upload_progress
+    - order: 255
+    - require:
+      - pkg: apache-config-modules-upload_progress-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_vhost_alias.sls

@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-vhost_alias-cmd-run:
+  cmd.run:
+    - name: a2enmod vhost_alias
+    - unless: ls {{ apache.moddir }}/vhost_alias.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep vhost_alias
+    - order: 225
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_wsgi.sls

@@ -0,0 +1,40 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-modules-wsgi-pkg:
+  pkg.installed:
+    - name: {{ apache.pkg.mod_wsgi }}
+    - require:
+      - pkg: apache
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- if 'conf_mod_wsgi' in apache %}
+
+  file.uncomment:
+    - name: {{ apache.conf_mod_wsgi }}
+    - regex: LoadModule
+    - onlyif: test -f {{ apache.conf_mod_wsgi }}
+    - require:
+      - pkg: apache-config-modules-wsgi-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/mod_xsendfile.sls

@@ -0,0 +1,41 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_service_running }}
+  - {{ sls_package_install }}
+
+apache-config-xsendfile-pkg:
+  pkg.installed:
+    - name: {{ apache.mod_xsendfile }}
+    - order: 180
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- if grains['os_family'] in ('Suse', 'Debian',) %}
+
+  cmd.run:
+    - name: a2enmod xsendfile
+    - order: 225
+    - unless: ls {{ apache.moddir }}/xsendfile.load || egrep "^APACHE_MODULES=" /etc/sysconfig/apache2 | grep xsendfile
+    - require:
+      - pkg: apache-config-xsendfile-pkg
+    - watch_in:
+      - module: apache-service-running-restart
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/modules/server_status.sls

@@ -0,0 +1 @@
+mod_status.sls

apache/config/no_default_vhost.sls

@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains.os_family == "Debian" %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_service_running }}
+
+apache-config-default-vhost:
+  cmd.run:
+    - name: a2dissite 000-default.conf || true
+    - unless: test ! -f /etc/apache2/sites-enabled/000-default.conf
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/own_default_vhost.sls

@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains.os_family == "Debian" %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_service_running }}
+
+apache-config-own-default-vhost:
+  file.managed:
+    - name: {{ apache.vhostdir }}/000-default.conf
+    - source: salt://apache/files/Debian/sites-available/000-default.conf
+    - makedirs: True
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - context:
+      apache: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+    {%- endif %}

apache/config/register_site.sls

@@ -0,0 +1,76 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+{%- if grains.os_family == "Debian" %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_service_running }}
+
+apache-config-register-site-file-directory:
+  file.directory:
+    - name: {{ apache.sitesdir }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+
+    {%- if 'apache' in pillar and 'register-site' in pillar['apache'] %}
+        {%- for site in pillar['apache']['register-site'] %}
+            {%- if 'name' in pillar['apache']['register-site'][site] and 'state' in pillar['apache']['register-site'][site] %}
+                {%- if 'path' in pillar['apache']['register-site'][site] %}
+                    {%- if pillar['apache']['register-site'][site]['state'] == 'enabled' %}
+                        {%- set a2modid = "a2ensite " ~ pillar['apache']['register-site'][site]['name'] ~ apache.confext %}
+                    {%- else %}
+                        {%- set a2modid = "a2dissite " ~ pillar['apache']['register-site'][site]['name'] ~ apache.confext %}
+                    {%- endif %}
+
+apache-config-register-site-{{ a2modid }}:
+  cmd.run:
+    - name: {{ a2modid }}
+                {%- if pillar['apache']['register-site'][site]['state'] == 'enabled' %}
+    - unless: test -f /etc/apache2/sites-enabled/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}
+                {%- else %}
+    - onlyif: test -f /etc/apache2/sites-enabled/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}
+                {%- endif %}
+    - order: 230
+    - require:
+      - pkg: apache-package-install-pkg-installed
+      - file: apache-config-register-site-file-managed
+      - file: apache-config-register-site-file-directory
+    - watch:
+      - file: apache-config-register-site-file-managed
+
+apache-config-register-site-file-managed:
+  file.managed:
+    - name: /etc/apache2/sites-available/{{ pillar['apache']['register-site'][site]['name'] }}{{ apache.confext }}
+    - source: {{ pillar['apache']['register-site'][site]['path'] }}
+    - order: 225
+    - makedirs: True
+    - user: {{ apache.rootuser }}
+    - group: {{ apache.rootgroup }}
+    - mode: 775
+                     {%- if 'template' in pillar['apache']['register-site'][site] and 'defaults' in pillar['apache']['register-site'][site] %}
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - defaults:
+                         {%- for key, value in pillar['apache']['register-site'][site]['defaults'].items() %}
+      {{ key }}: {{ value }}
+                         {%- endfor %}
+                     {%- endif %}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module; apache-service-running-reload
+  cmd.run:
+    - name: echo dummy state to workaround requisite issue >/dev/null 2>&1
+    - require_in:
+      - file: apache-config-register-site-file-managed
+
+                {%- endif %}
+             {%- endif %}
+        {%- endfor %}
+    {%- endif %} #END: apache-service-running-register-site
+{%- endif %} #END: grains['os_family'] == debian

apache/config/vhosts/clean.sls

@@ -0,0 +1 @@
+cleanup.sls

apache/config/vhosts/cleanup.sls

@@ -0,0 +1,42 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+    {%- if grains.os_family == 'Debian' %}
+
+include:
+  - {{ sls_service_running }}
+
+        {%- set dirpath = '/etc/apache2/sites-enabled' %}
+        {# Add . and .. to make it easier to not clean those #}
+        {%- set valid_sites = ['.', '..', ] %}
+
+        {# Take sites from apache.vhosts.standard #}
+        {%- for id, site in salt['pillar.get']('apache:sites', {}).items() %}
+            {%- do valid_sites.append('{}{}'.format(id, apache.confext)) %}
+        {%- endfor %}
+
+        {# Take sites from apache.register_site #}
+        {%- for id, site in salt['pillar.get']('apache:register-site', {}).items() %}
+            {%- do valid_sites.append('{}{}'.format(site.name, apache.confext)) %}
+        {%- endfor %}
+
+        {%- if salt['file.directory_exists'](dirpath) %}
+            {%- for filename in salt['file.readdir'](dirpath) %}
+                {%- if filename not in valid_sites %}
+
+apache-config-vhosts-cleanup-{{ filename }}-cmd-run:
+  cmd.run:
+    - name: a2dissite {{ filename }} || true
+    - onlyif: "test -L {{ dirpath }}/{{ filename }} || test -f {{ dirpath }}/{{ filename }}"
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+
+                {%- endif %}
+            {%- endfor %}
+        {%- endif %}
+    {%- endif %}{# Debian #}

apache/config/vhosts/init.sls

@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+  - .standard

apache/vhosts/proxy.tmpl → apache/config/vhosts/proxy.tmpl

@@ -2,7 +2,6 @@
 # This file is managed by Salt! Do not edit by hand!
 #
 {# Define default values here so the template below can just focus on layout #}
-{% from "apache/map.jinja" import apache with context %}
 {% set sitename = site.get('ServerName', id) %}
 {% set vals = {
     'interfaces': site.get('interface', '*').split(),
@@ -35,7 +34,7 @@
         'Require': 'all granted',
     },
 } %}
-<VirtualHost {%- for intf in vals.interfaces %} {{ intf }}:{{ vals.port }}{% endfor -%}>
+<VirtualHost {% for intf in vals.interfaces %} {{ intf }}:{{ vals.port }}{% endfor -%}>
     ServerName {{ vals.ServerName }}
     {% if site.get('ServerAlias') != False %}ServerAlias {{ vals.ServerAlias }}{% endif %}
     {% if site.get('ServerAdmin') != False %}ServerAdmin {{ vals.ServerAdmin }}{% endif %}
@@ -73,8 +72,8 @@
     ProxyPassReverse  {{ proxyvals.ProxyPassReverseSource }} {{ proxyvals.ProxyPassReverseTarget }}
     {% endfor %}
 
-    {%- for path, loc in site.get('Location', {}).items() %}
-    {%- set lvals = {
+    {% for path, loc in site.get('Location', {}).items() %}
+    {% set lvals = {
         'Order': loc.get('Order', vals.Location.Order),
         'Allow': loc.get('Allow', vals.Location.Allow),
         'Require': loc.get('Require', vals.Location.Require),
@@ -82,16 +81,16 @@
     } %}
     <Location "{{ path }}">
       {% if apache.version == '2.4' %}
-      {%- if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
+      {% if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
       {% else %}
-      {%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
-      {%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
+      {% if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
+      {% if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
       {% endif %}
-      {%- if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %}
+      {% if loc.get('Formula_Append') %} {{ loc.Formula_Append|indent(8) }} {% endif %}
     </Location>
     {% endfor %}
-    {%- for regpath, locmat in site.get('LocationMatch', {}).items() %}
-    {%- set lmvals = {
+    {% for regpath, locmat in site.get('LocationMatch', {}).items() %}
+    {% set lmvals = {
         'Order': locmat.get('Order', vals.LocationMatch.Order),
         'Allow': locmat.get('Allow', vals.LocationMatch.Allow),
         'Require': locmat.get('Require', vals.LocationMatch.Require),
@@ -99,32 +98,32 @@
     } %}
     <LocationMatch "{{ regpath }}">
       {% if apache.version == '2.4' %}
-      {%- if lmvals.get('Require') != False %}Require {{ lmvals.Require }}{% endif %}
+      {% if lmvals.get('Require') != False %}Require {{ lmvals.Require }}{% endif %}
       {% else %}
-      {%- if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %}
-      {%- if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %}
+      {% if lmvals.get('Order') != False %}Order {{ lmvals.Order }}{% endif %}
+      {% if lmvals.get('Allow') != False %}Allow {{ lmvals.Allow }}{% endif %}
       {% endif %}
-      {%- if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %}
+      {% if locmat.get('Formula_Append') %} {{ locmat.Formula_Append|indent(8) }} {% endif %}
     </LocationMatch>
     {% endfor %}
- {%- for proxypath, prox in site.get('Proxy_control', {}).items() %}
-   {%- set proxvals = {
+ {% for proxypath, prox in site.get('Proxy_control', {}).items() %}
+   {% set proxvals = {
      'AllowAll': prox.get('AllowAll', vals.AllowAll),
      'AllowCountry': prox.get('AllowCountry', vals.AllowCountry),
      'AllowIP': prox.get('AllowIP', vals.AllowIP),
    } %}
     <Proxy "{{ proxypath }}">
-      {%- if proxvals.get('AllowAll') != False %}
+      {% if proxvals.get('AllowAll') != False %}
       Require all granted
-      {%- else %}
+      {% else %}
       {% if proxvals.get('AllowCountry') != False %}{% set country_list = proxvals.get('AllowCountry', {}) %}GeoIPEnable On
       {% for every_country in country_list %}SetEnvIf GEOIP_COUNTRY_CODE {{ every_country }} AllowCountry
       {% endfor %}Require env AllowCountry {% endif %}
       {% if proxvals.get('AllowIP') is defined %} {% set ip_list = proxvals.get('AllowIP', {}) %}
       Require ip {% for every_ip in ip_list %}{{ every_ip }} {% endfor %} {% endif %}
-     {%- endif %}
+     {% endif %}
    </Proxy>
- {%- endfor %}
+ {% endfor %}
     {% if site.get('Formula_Append') %}
     {{ site.Formula_Append|indent(4) }}
     {% endif %}

apache/vhosts/redirect.tmpl → apache/config/vhosts/redirect.tmpl

@@ -2,7 +2,6 @@
 # This file is managed by Salt! Do not edit by hand!
 #
 {# Define default values here so the template below can just focus on layout #}
-{%- from "apache/map.jinja" import apache with context %}
 {%- set sitename = site.get('ServerName', id) %}
 
 {%- set vals = {

apache/config/vhosts/standard.sls

@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_package_install = tplroot ~ '.package.install' %}
+{%- set sls_service_running = tplroot ~ '.service.running' %}
+{%- from tplroot ~ "/map.jinja" import apache with context %}
+
+include:
+  - {{ sls_package_install }}
+  - {{ sls_service_running }}
+
+  {%- for id, site in salt['pillar.get']('apache:sites', {}).items() %}
+      {%- set documentroot = site.get('DocumentRoot', '{0}/{1}'.format(apache.wwwdir, site.get('ServerName', id))) %}
+
+apache-config-vhosts-standard-{{ id }}:
+  file.managed:
+    - name: {{ apache.vhostdir }}/{{ id }}{{ apache.confext }}
+    - source: {{ site.get('template_file', 'salt://apache/config/vhosts/standard.tmpl') }}
+    - template: {{ apache.get('template_engine', 'jinja') }}
+    - makedirs: True
+    - context:
+      apache: {{ apache|json }}
+      id: {{ id|json }}
+      site: {{ site|json }}
+      map: {{ apache|json }}
+    - require:
+      - pkg: apache-package-install-pkg-installed
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+      {%- if site.get('DocumentRoot') != False %}
+
+apache-config-vhosts-standard-{{ id }}-docroot:
+  file.directory:
+    - name: {{ documentroot }}
+    - makedirs: True
+    - user: {{ site.get('DocumentRootUser', apache.get('document_root_user'))|json or apache.user }}
+    - group: {{ site.get('DocumentRootGroup', apache.get('document_root_group'))|json or apache.group }}
+    - allow_symlink: True
+
+      {%- endif %}
+      {%- if grains.os_family == 'Debian' %}
+          {%- if site.get('enabled', True) %}
+
+apache-config-vhosts-standard-{{ id }}-cmd-run-a2en:
+  cmd.run:
+    - name: a2ensite {{ id }}{{ apache.confext }}
+    - unless: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }}
+    - require:
+      - file: apache-config-vhosts-standard-{{ id }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+          {%- else %}
+
+apache-config-vhosts-standard-{{ id }}-cmd-run-a2dis:
+  cmd.run:
+    - name: a2dissite {{ id }}{{ apache.confext }}:
+    - onlyif: test -f /etc/apache2/sites-enabled/{{ id }}{{ apache.confext }}
+    - require:
+      - file: apache-config-vhosts-standard-{{ id }}
+    - watch_in:
+      - module: apache-service-running-reload
+    - require_in:
+      - module: apache-service-running-restart
+      - module: apache-service-running-reload
+      - service: apache-service-running
+
+          {%- endif %}
+      {%- endif %} {# Debian #}
+  {%- endfor %}

apache/vhosts/standard.tmpl → apache/config/vhosts/standard.tmpl

@@ -2,9 +2,9 @@
 # This file is managed by Salt! Do not edit by hand!
 #
 {# Define default values here so the template below can just focus on layout #}
-{%- set sitename = site.get('ServerName', id) -%}
+{% set sitename = site.get('ServerName', id) -%}
 
-{%- set vals = {
+{% set vals = {
     'interfaces': site.get('interface', '*').split(),
     'port': site.get('port', '80'),
 
@@ -74,16 +74,16 @@
     {{ site.Rewrite }}
     {%  endif %}
 
-    {%- for loc, path in site.get('Alias', {}).items() %}
+    {% for loc, path in site.get('Alias', {}).items() %}
     Alias {{ loc }} {{ path }}
-    {%- endfor %}
+    {% endfor %}
 
-    {%- for loc, path in site.get('ScriptAlias', {}).items() %}
+    {% for loc, path in site.get('ScriptAlias', {}).items() %}
     ScriptAlias {{ loc }} {{ path }}
-    {%- endfor %}
+    {% endfor %}
 
-    {%- for path, dir in site.get('Directory', {}).items() -%}
-    {%- set dvals = {
+    {% for path, dir in site.get('Directory', {}).items() -%}
+    {% set dvals = {
         'Options': dir.get('Options', vals.Directory.Options),
         'Order': dir.get('Order', vals.Directory.Order),
         'Allow': dir.get('Allow', vals.Directory.Allow),
@@ -92,7 +92,7 @@
         'Dav': dir.get('Dav', False),
     } %}
 
-    {%- if path == 'default' %}{% set path = vals.Directory_default %}{% endif %}
+    {% if path == 'default' %}{% set path = vals.Directory_default %}{% endif %}
 
     <Directory "{{ path }}">
         {% if dvals.get('Options') != False %}Options {{ dvals.Options }}{% endif %}
@@ -100,6 +100,7 @@
         {% if dvals.get('Require') != False %}Require {{ dvals.Require }}{% endif %}
         {% else %}
         {% if dvals.get('Order') != False %}Order {{ dvals.Order }}{% endif %}
+
         {% if dvals.get('Allow') != False %}Allow {{ dvals.Allow }}{% endif %}
         {% endif %}
         {% if dvals.get('AllowOverride') != False %}AllowOverride {{ dvals.AllowOverride }}{% endif %}
@@ -109,10 +110,10 @@
         {{ dir.Formula_Append|indent(8) }}
         {% endif %}
     </Directory>
-    {%- endfor %}
+    {% endfor %}
 
-    {%- for path, loc in site.get('Location', {}).items() %}
-    {%- set lvals = {
+    {% for path, loc in site.get('Location', {}).items() %}
+    {% set lvals = {
         'Order': loc.get('Order', vals.Location.Order),
         'Allow': loc.get('Allow', vals.Location.Allow),
         'Require': loc.get('Require', vals.Location.Require),
@@ -121,20 +122,20 @@
 
     <Location "{{ path }}">
         {% if map.version == '2.4' %}
-        {%- if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
+        {% if lvals.get('Require') != False %}Require {{ lvals.Require }}{% endif %}
         {% else %}
-        {%- if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
-        {%- if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
+        {% if lvals.get('Order') != False %}Order {{ lvals.Order }}{% endif %}
+        {% if lvals.get('Allow') != False %}Allow {{ lvals.Allow }}{% endif %}
         {% endif %}
-        {%- if lvals.get('Dav') != False %}Dav On{% endif %}
+        {% if lvals.get('Dav') != False %}Dav On{% endif %}
 
-        {%- if loc.get('Formula_Append') %}
+        {% if loc.get('Formula_Append') %}
         {{ loc.Formula_Append|indent(8) }}
         {% endif %}
     </Location>
     {% endfor %}
 
-    {%- if site.get('Formula_Append') %}
+    {% if site.get('Formula_Append') %}
     {{ site.Formula_Append|indent(4) }}
     {% endif %}
 </VirtualHost>

apache/debian_full.sls

@@ -1,44 +0,0 @@
-{% from "apache/map.jinja" import apache with context %}
-
-{% if grains['os_family']=="Debian" %}
-
-include:
-  - apache
-  - apache.register_site
-
-extend:
-  apache:
-    pkg:
-      - order: 175
-    service:
-      - order: 455
-  apache-reload:
-    module:
-      - order: 420
-  apache-restart:
-    module:
-      - order: 425
-
-a2dissite 000-default{{ apache.confext }}:
-  cmd.run:
-    - onlyif: test -f /etc/apache2/sites-enabled/000-default{{ apache.confext }}
-    - watch_in:
-      - module: apache-reload
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-    - require:
-      - pkg: apache
-
-/etc/apache2/sites-available/{{ apache.default_site }}:
-  file.absent:
-    - require:
-      - pkg: apache
-
-/etc/apache2/sites-available/{{ apache.default_site_ssl }}:
-  file.absent:
-    - require:
-      - pkg: apache
-
-{% endif %} #END: os = debian

apache/defaults.yaml

@@ -2,10 +2,53 @@
 # vim: ft=yaml
 ---
 apache:
+  lookup: {}
+  pkg:
+    name: apache2
+    mod_ssl: mod_ssl
+    mod_wsgi: mod_wsgi
+    deps: []
+
+  rootuser: root
+  rootgroup: root
+  template_engine: jinja
+  config: '/etc/apache'
+  service:
+    name: apache
+  user: www-data
+  group: www-data
+  vhostdir: /etc/apache2/sites-available
+  confdir: /etc/apache2/conf.d
+  davlockdbdir: null
+  logdir: /var/log/apache2
+  wwwdir: /srv/apache2
+  document_root_user: null   # Do not enforce group
+  document_root_group: null  # Do not enforce group
+
   manage_service_states: true
   service_state: running
   service_enable: true
+  flags: {}
+  global: {}
+
+  modules: {}
+
+  mod_remoteip: {}
 
   mod_security:
     crs_install: false
-    manage_config: false
+    manage_config: false  # use software defaults
+
+  mod_ssl:
+    manage_tls_defaults: false  # use software defaults
+
+  # Just here for testing
+  added_in_defaults: defaults_value
+  winner: defaults
+
+  retry_option:
+    # https://docs.saltstack.com/en/latest/ref/states/requisites.html#retrying-states
+    attempts: 2
+    until: true
+    interval: 10
+    splay: 10

apache/files/Arch/apache-2.4.config.jinja

@@ -0,0 +1,611 @@
+#
+# This file is managed by Salt! Do not edit by hand!
+#
+
+# This is the main Apache HTTP server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
+# In particular, see
+# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
+# for a discussion of each configuration directive.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path.  If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
+# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
+# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
+# will be interpreted as '/logs/access_log'.
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# Do not add a slash at the end of the directory path.  If you point
+# ServerRoot at a non-local disk, be sure to specify a local disk on the
+# Mutex directive, if file-based mutexes are used.  If you wish to share the
+# same ServerRoot for multiple httpd daemons, you will need to change at
+# least PidFile.
+#
+ServerRoot "{{ apache.get('serverroot', '/etc/httpd') }}"
+
+#
+# Mutex: Allows you to set the mutex mechanism and mutex file directory
+# for individual mutexes, or change the global defaults
+#
+# Uncomment and change the directory if mutexes are file-based and the default
+# mutex file directory is not on a local disk or is not appropriate for some
+# other reason.
+#
+# Mutex default:/run/httpd
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on specific IP addresses as shown below to
+# prevent Apache from glomming onto all bound IP addresses.
+#
+#Listen 12.34.56.78:80
+{% if salt['pillar.get']('apache:sites') is mapping %}
+    {%- set listen_directives = [] %}
+    {%- for id, site in salt['pillar.get']('apache:sites').items() %}
+        {%- set interfaces = site.get('interface', '*').split() %}
+        {%- set port = site.get('port', 80) %}
+        {%- for interface in interfaces %}
+            {%- if not site.get('exclude_listen_directive', False) and not port == '*' %}
+                {%- set listen_directive = interface ~ ':' ~ port %}
+                {%- if listen_directive not in listen_directives %}
+                    {%- do listen_directives.append(listen_directive) %}
+                {%- endif %}
+            {%- endif %}
+        {%- endfor %}
+    {%- endfor %}
+    {%- for listen in listen_directives %}
+Listen  {{ listen }}
+    {%- endfor %}
+{%- else %}
+Listen 80
+
+<IfModule mod_ssl.c>
+    Listen 443
+</IfModule>
+
+{%- endif %}
+
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+LoadModule mpm_event_module modules/mod_mpm_event.so
+#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+#LoadModule mpm_worker_module modules/mod_mpm_worker.so
+LoadModule authn_file_module modules/mod_authn_file.so
+#LoadModule authn_dbm_module modules/mod_authn_dbm.so
+#LoadModule authn_anon_module modules/mod_authn_anon.so
+#LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#LoadModule authn_socache_module modules/mod_authn_socache.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+#LoadModule authz_dbm_module modules/mod_authz_dbm.so
+#LoadModule authz_owner_module modules/mod_authz_owner.so
+#LoadModule authz_dbd_module modules/mod_authz_dbd.so
+LoadModule authz_core_module modules/mod_authz_core.so
+#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+#LoadModule auth_form_module modules/mod_auth_form.so
+#LoadModule auth_digest_module modules/mod_auth_digest.so
+#LoadModule allowmethods_module modules/mod_allowmethods.so
+#LoadModule file_cache_module modules/mod_file_cache.so
+#LoadModule cache_module modules/mod_cache.so
+#LoadModule cache_disk_module modules/mod_cache_disk.so
+#LoadModule cache_socache_module modules/mod_cache_socache.so
+#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+#LoadModule socache_dbm_module modules/mod_socache_dbm.so
+#LoadModule socache_memcache_module modules/mod_socache_memcache.so
+#LoadModule socache_redis_module modules/mod_socache_redis.so
+#LoadModule watchdog_module modules/mod_watchdog.so
+#LoadModule macro_module modules/mod_macro.so
+#LoadModule dbd_module modules/mod_dbd.so
+#LoadModule dumpio_module modules/mod_dumpio.so
+#LoadModule echo_module modules/mod_echo.so
+#LoadModule buffer_module modules/mod_buffer.so
+#LoadModule data_module modules/mod_data.so
+#LoadModule ratelimit_module modules/mod_ratelimit.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+#LoadModule ext_filter_module modules/mod_ext_filter.so
+#LoadModule request_module modules/mod_request.so
+LoadModule include_module modules/mod_include.so
+LoadModule filter_module modules/mod_filter.so
+#LoadModule reflector_module modules/mod_reflector.so
+#LoadModule substitute_module modules/mod_substitute.so
+#LoadModule sed_module modules/mod_sed.so
+#LoadModule charset_lite_module modules/mod_charset_lite.so
+#LoadModule deflate_module modules/mod_deflate.so
+#LoadModule xml2enc_module modules/mod_xml2enc.so
+#LoadModule proxy_html_module modules/mod_proxy_html.so
+#LoadModule brotli_module modules/mod_brotli.so
+LoadModule mime_module modules/mod_mime.so
+#LoadModule ldap_module modules/mod_ldap.so
+LoadModule log_config_module modules/mod_log_config.so
+#LoadModule log_debug_module modules/mod_log_debug.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
+#LoadModule logio_module modules/mod_logio.so
+#LoadModule lua_module modules/mod_lua.so
+LoadModule env_module modules/mod_env.so
+#LoadModule mime_magic_module modules/mod_mime_magic.so
+#LoadModule cern_meta_module modules/mod_cern_meta.so
+#LoadModule expires_module modules/mod_expires.so
+LoadModule headers_module modules/mod_headers.so
+#LoadModule ident_module modules/mod_ident.so
+#LoadModule usertrack_module modules/mod_usertrack.so
+#LoadModule unique_id_module modules/mod_unique_id.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+#LoadModule remoteip_module modules/mod_remoteip.so
+#LoadModule proxy_module modules/mod_proxy.so
+#LoadModule proxy_connect_module modules/mod_proxy_connect.so
+#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+#LoadModule proxy_http_module modules/mod_proxy_http.so
+#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
+#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
+#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
+#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
+#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+#LoadModule proxy_express_module modules/mod_proxy_express.so
+#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
+#LoadModule session_module modules/mod_session.so
+#LoadModule session_cookie_module modules/mod_session_cookie.so
+#LoadModule session_crypto_module modules/mod_session_crypto.so
+#LoadModule session_dbd_module modules/mod_session_dbd.so
+LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+#LoadModule ssl_module modules/mod_ssl.so
+#LoadModule dialup_module modules/mod_dialup.so
+#LoadModule http2_module modules/mod_http2.so
+#LoadModule proxy_http2_module modules/mod_proxy_http2.so
+#LoadModule md_module modules/mod_md.so
+#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
+#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
+#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
+#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
+LoadModule unixd_module modules/mod_unixd.so
+#LoadModule heartbeat_module modules/mod_heartbeat.so
+#LoadModule heartmonitor_module modules/mod_heartmonitor.so
+#LoadModule dav_module modules/mod_dav.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+#LoadModule asis_module modules/mod_asis.so
+#LoadModule info_module modules/mod_info.so
+#LoadModule suexec_module modules/mod_suexec.so
+<IfModule !mpm_prefork_module>
+        #LoadModule cgid_module modules/mod_cgid.so
+</IfModule>
+<IfModule mpm_prefork_module>
+        #LoadModule cgi_module modules/mod_cgi.so
+</IfModule>
+#LoadModule dav_fs_module modules/mod_dav_fs.so
+#LoadModule dav_lock_module modules/mod_dav_lock.so
+#LoadModule vhost_alias_module modules/mod_vhost_alias.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule dir_module modules/mod_dir.so
+#LoadModule imagemap_module modules/mod_imagemap.so
+#LoadModule actions_module modules/mod_actions.so
+#LoadModule speling_module modules/mod_speling.so
+LoadModule userdir_module modules/mod_userdir.so
+LoadModule alias_module modules/mod_alias.so
+#LoadModule rewrite_module modules/mod_rewrite.so
+
+<IfModule unixd_module>
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User {{ apache.user or 'http' }}
+Group {{ apache.group or 'http' }}
+
+</IfModule>
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition.  These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed.  This address appears on some server-generated pages, such
+# as error documents.  e.g. admin@your-domain.com
+#
+ServerAdmin you@example.com
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+#
+#ServerName www.example.com:80
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other
+# <Directory> blocks below.
+#
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "{{ apache.get('docroot', apache.wwwdir or '/srv/http') }}"
+
+#
+# Relax access to content within {{ apache.wwwdir }}.
+#
+<Directory "{{ apache.wwwdir }}">
+    AllowOverride None
+    # Allow open access:
+    Require all granted
+</Directory>
+
+# Further relax access to the default document root:
+<Directory "{{ apache.get('docroot', apache.wwwdir + '/srv/http') }}">
+    #
+    # Possible values for the Options directive are "None", "All",
+    # or any combination of:
+    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+    #
+    # Note that "MultiViews" must be named *explicitly* --- "Options All"
+    # doesn't give it to you.
+    #
+    # The Options directive is both complicated and important.  Please see
+    # http://httpd.apache.org/docs/2.4/mod/core.html#options
+    # for more information.
+    #
+    Options Indexes FollowSymLinks
+
+    #
+    # AllowOverride controls what directives may be placed in .htaccess files.
+    # It can be "All", "None", or any combination of the keywords:
+    #   AllowOverride FileInfo AuthConfig Limit
+    #
+    AllowOverride None
+
+    #
+    # Controls who can get stuff from this server.
+    #
+    Require all granted
+</Directory>
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being
+# viewed by Web clients.
+#
+<Files ".ht*">
+    Require all denied
+</Files>
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog "{{ apache.logdir }}/error_log"
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+<IfModule log_config_module>
+    #
+    # The following directives define some format nicknames for use with
+    # a CustomLog directive (see below).
+    #
+    {%- for log_format in salt['pillar.get']('apache:log_formats', []) %}
+    LogFormat {{ log_format }}
+    {%- endfor %}
+
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      # You need to enable mod_logio.c to use %I and %O
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    #
+    # The location and format of the access logfile (Common Logfile Format).
+    # If you do not define any access logfiles within a <VirtualHost>
+    # container, they will be logged here.  Contrariwise, if you *do*
+    # define per-<VirtualHost> access logfiles, transactions will be
+    # logged therein and *not* in this file.
+    #
+    #CustomLog "/var/log/httpd/access_log" common
+
+    #
+    # If you prefer a logfile with access, agent, and referer information
+    # (Combined Logfile Format) you can use the following directive.
+    #
+    #CustomLog "/var/log/httpd/access_log" combined
+    CustomLog "{{ apache.logdir }}/access_log" combined
+</IfModule>
+
+<IfModule alias_module>
+    #
+    # Redirect: Allows you to tell clients about documents that used to
+    # exist in your server's namespace, but do not anymore. The client
+    # will make a new request for the document at its new location.
+    # Example:
+    # Redirect permanent /foo http://www.example.com/bar
+
+    #
+    # Alias: Maps web paths into filesystem paths and is used to
+    # access content that does not live under the DocumentRoot.
+    # Example:
+    # Alias /webpath /full/filesystem/path
+    #
+    # If you include a trailing / on /webpath then the server will
+    # require it to be present in the URL.  You will also likely
+    # need to provide a <Directory> section to allow access to
+    # the filesystem path.
+
+    #
+    # ScriptAlias: This controls which directories contain server scripts.
+    # ScriptAliases are essentially the same as Aliases, except that
+    # documents in the target directory are treated as applications and
+    # run by the server when requested rather than as documents sent to the
+    # client.  The same rules about trailing "/" apply to ScriptAlias
+    # directives as to Alias.
+    #
+    ScriptAlias /cgi-bin/ "{{ apache.wwwdir }}/cgi-bin/"
+
+</IfModule>
+
+<IfModule cgid_module>
+    #
+    # ScriptSock: On threaded servers, designate the path to the UNIX
+    # socket used to communicate with the CGI daemon of mod_cgid.
+    #
+    #Scriptsock cgisock
+</IfModule>
+
+#
+# "/srv/http/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "{{ apache.wwwdir }}/cgi-bin/">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
+<IfModule mime_module>
+    #
+    # TypesConfig points to the file containing the list of mappings from
+    # filename extension to MIME-type.
+    #
+    TypesConfig conf/mime.types
+
+    #
+    # AddType allows you to add to or override the MIME configuration
+    # file specified in TypesConfig for specific file types.
+    #
+    #AddType application/x-gzip .tgz
+    #
+    # AddEncoding allows you to have certain browsers uncompress
+    # information on the fly. Note: Not all browsers support this.
+    #
+    #AddEncoding x-compress .Z
+    #AddEncoding x-gzip .gz .tgz
+    #
+    # If the AddEncoding directives above are commented-out, then you
+    # probably should define those extensions to indicate media types:
+    #
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+
+    #
+    # AddHandler allows you to map certain file extensions to "handlers":
+    # actions unrelated to filetype. These can be either built into the server
+    # or added with the Action directive (see below)
+    #
+    # To use CGI scripts outside of ScriptAliased directories:
+    # (You will also need to add "ExecCGI" to the "Options" directive.)
+    #
+    #AddHandler cgi-script .cgi
+
+    # For type maps (negotiated resources):
+    #AddHandler type-map var
+
+    #
+    # Filters allow you to process content before it is sent to the client.
+    #
+    # To parse .shtml files for server-side includes (SSI):
+    # (You will also need to add "Includes" to the "Options" directive.)
+    #
+    #AddType text/html .shtml
+    #AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+#
+# Specify a default charset for all content served; this enables
+# interpretation of all content as UTF-8 by default.  To use the
+# default browser choice (ISO-8859-1), or to allow the META tags
+# in HTML content to override this choice, comment out this
+# directive:
+#
+{%- if apache.get('default_charset', False) is none %}
+# AddDefaultCharset UTF-8
+{%- else %}
+AddDefaultCharset {{ apache.get('default_charset', 'UTF-8') }}
+{%- endif %}
+
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type.  The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+#
+#MIMEMagicFile conf/magic
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# MaxRanges: Maximum number of Ranges in a request before
+# returning the entire resource, or one of the special
+# values 'default', 'none' or 'unlimited'.
+# Default setting is to accept 200 Ranges.
+#MaxRanges unlimited
+
+#
+# EnableMMAP and EnableSendfile: On systems that support it,
+# memory-mapping or the sendfile syscall may be used to deliver
+# files.  This usually improves server performance, but must
+# be turned off when serving from networked-mounted
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+# Defaults: EnableMMAP On, EnableSendfile Off
+#
+#EnableMMAP off
+#EnableSendfile on
+
+{%- for directive, dvalue in salt['pillar.get']('apache:global', {}).items() %}
+{{ directive }} {{ dvalue }}
+{%- endfor %}
+
+# Supplemental configuration
+#
+# The configuration files in the conf/extra/ directory can be
+# included to add extra features or to modify the default configuration of
+# the server, or you may simply copy their contents here and change as
+# necessary.
+
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional {{ apache.confdir }}/*.conf
+{% if apache.vhostdir != apache.confdir %}
+IncludeOptional {{ apache.vhostdir }}/*.conf
+{% endif %}
+
+# Server-pool management (MPM specific)
+Include conf/extra/httpd-mpm.conf
+
+# Multi-language error messages
+Include conf/extra/httpd-multilang-errordoc.conf
+
+# Fancy directory listings
+Include conf/extra/httpd-autoindex.conf
+
+# Language settings
+Include conf/extra/httpd-languages.conf
+
+# User home directories
+Include conf/extra/httpd-userdir.conf
+
+# Real-time info on requests and configuration
+#Include conf/extra/httpd-info.conf
+
+# Virtual hosts
+#Include conf/extra/httpd-vhosts.conf
+
+# Local access to the Apache HTTP Server Manual
+#Include conf/extra/httpd-manual.conf
+
+# Distributed authoring and versioning (WebDAV)
+<IfModule mod_dav.c>
+Include conf/extra/httpd-dav.conf
+</IfModule>
+
+# Various default settings
+Include conf/extra/httpd-default.conf
+
+# Configure mod_proxy_html to understand HTML4/XHTML1
+<IfModule proxy_html_module>
+Include conf/extra/proxy-html.conf
+</IfModule>
+
+# Secure (SSL/TLS) connections
+#Include conf/extra/httpd-ssl.conf
+#
+# Note: The following must must be present to support
+#       starting without SSL on platforms with no /dev/random equivalent
+#       but a statically compiled-in mod_ssl.
+#
+<IfModule ssl_module>
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+</IfModule>
+

apache/files/Debian/apache-2.2.config.jinja

@@ -1,3 +1,6 @@
+#
+# This file is managed by Salt! Do not edit by hand!
+
 #
 # Based upon the NCSA server configuration files originally by Rob McCool.
 #

apache/files/Debian/envvars-2.2.jinja

@@ -1,7 +1,6 @@
 #
 # This file is managed by Salt! Do not edit by hand!
 #
-{% from "apache/map.jinja" import apache with context -%}
 
 # envvars - default environment variables for apache2ctl
 

apache/files/Debian/envvars-2.4.jinja

@@ -1,7 +1,6 @@
 #
 # This file is managed by Salt! Do not edit by hand!
 #
-{% from "apache/map.jinja" import apache with context -%}
 
 # envvars - default environment variables for apache2ctl
 

apache/files/Debian/modsecurity.conf.jinja

@@ -10,7 +10,7 @@
 {%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
 {%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
 #
-# This file is managed/autogenerated by salt.
+# This file is managed by Salt! Do not edit by hand!
 # Modify the salt pillar that generates this file instead
 #
 # -- Rule engine initialization ----------------------------------------------

apache/files/Debian/ports-2.2.conf.jinja

@@ -1,7 +1,6 @@
 #
 # This file is managed by Salt! Do not edit by hand!
 #
-{%- from "apache/map.jinja" import apache with context -%}
 
 {% if salt['pillar.get']('apache:sites') is mapping %}
     {%- set listen_directives = [] %}

apache/files/Debian/ports-2.4.conf.jinja

@@ -1,7 +1,6 @@
 #
 # This file is managed by Salt! Do not edit by hand!
 #
-{%- from "apache/map.jinja" import apache with context -%}
 
 {% if salt['pillar.get']('apache:sites') is mapping %}
     {%- set listen_directives = [] %}

apache/files/FreeBSD/envvars-2.4.jinja

@@ -1,7 +1,6 @@
 #
 # This file is managed by Salt! Do not edit by hand!
 #
-{%- from "apache/map.jinja" import apache with context -%}
 
 # envvars - default environment variables for apache2ctl
 

apache/files/FreeBSD/mod_cgi.conf.jinja

@@ -1,5 +1,3 @@
-{% from "apache/map.jinja" import apache with context %}
-
 <IfModule !mpm_prefork_module>
 	LoadModule cgid_module libexec/{{ apache.service }}/mod_cgid.so
 </IfModule>

apache/files/FreeBSD/mod_perl.conf.jinja

@@ -1,3 +1 @@
-{% from "apache/map.jinja" import apache with context %}
-
 LoadModule perl_module libexec/{{ apache.service }}/mod_perl.so

apache/files/FreeBSD/mod_php5.conf.jinja

@@ -1,5 +1,3 @@
-{% from "apache/map.jinja" import apache with context %}
-
 LoadModule php5_module /usr/local/libexec/{{ apache.service }}/libphp5.so
 
 DirectoryIndex index.html index.php

apache/files/FreeBSD/mod_proxy.conf.jinja

@@ -1,3 +1 @@
-{% from "apache/map.jinja" import apache with context %}
-
 LoadModule proxy_module libexec/{{ apache.service }}/mod_proxy.so

apache/files/FreeBSD/mod_proxy_http.conf.jinja

@@ -1,3 +1 @@
-{% from "apache/map.jinja" import apache with context %}
-
 LoadModule proxy_http_module libexec/{{ apache.service }}/mod_proxy_http.so

apache/files/FreeBSD/mod_rewrite.conf.jinja

@@ -1,3 +1 @@
-{% from "apache/map.jinja" import apache with context %}
-
 LoadModule rewrite_module libexec/{{ apache.service }}/mod_rewrite.so

apache/files/FreeBSD/mod_suexec.conf.jinja

@@ -1,3 +1 @@
-{% from "apache/map.jinja" import apache with context %}
-
 LoadModule suexec_module libexec/{{ apache.service }}/mod_suexec.so

apache/files/FreeBSD/ports-2.4.conf.jinja

@@ -1,7 +1,6 @@
 #
 # This file is managed by Salt! Do not edit by hand!
 #
-{%- from "apache/map.jinja" import apache with context -%}
 
 {% if salt['pillar.get']('apache:sites') is mapping %}
     {%- set listen_directives = [] %}

apache/files/RedHat/apache-2.2.config.jinja

@@ -1,4 +1,7 @@
 #
+# This file is managed by Salt! Do not edit by hand!
+#
+
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
 # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.

apache/files/RedHat/apache-2.4.config.jinja

@@ -1,7 +1,6 @@
 #
 # This file is managed by Salt! Do not edit by hand!
 #
-{% from "apache/map.jinja" import apache with context %}
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.

apache/files/RedHat/conf.modules.d/00-log.conf.jinja

@@ -0,0 +1,9 @@
+#
+# This file is managed by Salt! Do not edit by hand!
+#
+#
+# This file configures all the logging modules:
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule log_debug_module modules/mod_log_debug.so
+LoadModule log_forensic_module modules/mod_log_forensic.so
+LoadModule logio_module modules/mod_logio.so

apache/files/RedHat/conf.modules.d/00-mpm.conf.jinja

@@ -1,4 +1,6 @@
-# managed by saltstack
+#
+# This file is managed by Salt! Do not edit by hand!
+#
 
 {% set mpm_module = 'mpm_prefork' -%}
 {% set mpm_param = salt['pillar.get']('apache:mod_mpm_prefork', {}) -%}

apache/files/RedHat/conf.modules.d/10-geoip.conf.jinja

@@ -0,0 +1,5 @@
+#
+# This file is managed by Salt! Do not edit by hand!
+#
+
+LoadModule geoip_module /usr/lib64/httpd/modules/mod_geoip.so

apache/files/RedHat/conf.modules.d/remoteip.conf.jinja

@@ -1,4 +1,6 @@
-# managed by saltstack
+#
+# This file is managed by Salt! Do not edit by hand!
+#
 
 RemoteIPHeader {{ salt['pillar.get']('apache:mod_remoteip:RemoteIPHeader', 'X-Forwarded-For') }}
 {%- for trusted_proxy in salt['pillar.get']('apache:mod_remoteip:RemoteIPTrustedProxy', []) %}

apache/files/RedHat/modsecurity.conf.jinja

@@ -10,7 +10,7 @@
 {%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
 {%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
 #
-# This file is managed/autogenerated by salt.
+# This file is managed by Salt! Do not edit by hand!
 # Modify the salt pillar that generates this file instead
 #
 
@@ -21,8 +21,13 @@ LoadModule security2_module modules/mod_security2.so
 </IfModule>
 <IfModule mod_security2.c>
     # ModSecurity Core Rules Set configuration
-	Include modsecurity.d/*.conf
-	Include modsecurity.d/activated_rules/*.conf
+           {%- if 'osfinger' in grains and grains.osfinger in ('Red Hat Enterprise Linux Server-6', 'CentOS-6') %}
+        Include modsecurity.d/*.conf
+        Include modsecurity.d/activated_rules/*.conf
+           {%- else %}
+        IncludeOptional modsecurity.d/*.conf
+        IncludeOptional modsecurity.d/activated_rules/*.conf
+           {%- endif %}
 
     # Default recommended configuration
     SecRuleEngine {{ sec_rule_engine }}

apache/files/RedHat/ssl.conf

@@ -1,4 +1,7 @@
-    ##
+    #
+    # This file is managed by Salt! Do not edit by hand!
+    #
+
     ##  SSL Global Context
     ##
     ##  All SSL configuration in this context applies both to

apache/files/Suse/apache-2.2.config.jinja

@@ -0,0 +1,235 @@
+#
+# This file is managed by Salt! Do not edit by hand
+#
+#
+# /etc/apache2/httpd.conf
+#
+# This is the main Apache server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information about
+# the directives.
+
+# Based upon the default apache configuration file that ships with apache,
+# which is based upon the NCSA server configuration files originally by Rob
+# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.
+
+# If possible, avoid changes to this file. It does mainly contain Include
+# statements and global settings that can/should be overridden in the
+# configuration of your virtual hosts.
+
+# Quickstart guide:
+# http://en.opensuse.org/SDB:Apache_installation
+
+
+# Overview of include files, chronologically:
+#
+# httpd.conf
+#  |
+#  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
+#  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
+#  |-- loadmodule.conf . . . . . . . . . . .  [*] load these modules
+#  |-- listen.conf . . . . . . . . . . . . .  IP adresses / ports to listen on
+#  |-- mod_log_config.conf . . . . . . . . .  define logging formats
+#  |-- global.conf . . . . . . . . . . . . .  [*] server-wide general settings
+#  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
+#  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
+#  |-- mod_reqtimeout.conf . . . . . . . . .  set timeout and minimum data rate for receiving requests
+#  |-- mod_cgid-timeout.conf . . . . . . . .  set CGIDScriptTimeout if mod_cgid is loaded/active
+#  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
+#  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
+#  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
+#  |-- errors.conf . . . . . . . . . . . . .  customize error responses
+#  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
+#  |
+#  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
+#  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
+#  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
+#  |
+#  `-- vhosts.d/ . . . . . . . . . . . . . .  for each virtual host, place one file here
+#       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
+#
+#
+# Files marked [*] are NOT read when server is started via systemd service. When server
+# is started via service, defaults from /etc/sysconfig/apache2 are taken into account.
+#
+
+
+
+#  Filesystem layout:
+#
+# /etc/apache2/
+#  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
+#  |-- conf.d/
+#  |   |-- apache2-manual.conf . . . . . . .  conf that comes with apache2-doc
+#  |   |-- mod_php4.conf . . . . . . . . . .  (example) conf that comes with apache2-mod_php4
+#  |   `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
+#  |-- default-server.conf
+#  |-- errors.conf
+#  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
+#  |-- listen.conf
+#  |-- magic
+#  |-- mime.types -> ../mime.types
+#  |-- mod_autoindex-defaults.conf
+#  |-- mod_info.conf
+#  |-- mod_log_config.conf
+#  |-- mod_mime-defaults.conf
+#  |-- mod_perl-startup.pl
+#  |-- mod_status.conf
+#  |-- mod_userdir.conf
+#  |-- mod_usertrack.conf
+#  |-- server-tuning.conf
+#  |-- ssl-global.conf
+#  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
+#  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
+#  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
+#  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
+#  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
+#  |-- global.conf
+#  |-- loadmodule.conf
+#  |-- uid.conf
+#  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
+#      |-- vhost-ssl.template
+#      `-- vhost.template
+
+
+
+### Global Environment ######################################################
+#
+# The directives in this section affect the overall operation of Apache,
+# such as the number of concurrent requests.
+
+# run under this user/group id
+Include /etc/apache2/uid.conf
+
+# - how many server processes to start (server pool regulation)
+# - usage of KeepAlive
+Include /etc/apache2/server-tuning.conf
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+ErrorLog /var/log/apache2/error_log
+
+# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2
+<IfDefine !SYSCONFIG>
+  Include /etc/apache2/loadmodule.conf
+</IfDefine>
+
+# IP addresses / ports to listen on
+Include /etc/apache2/listen.conf
+
+# predefined logging formats
+Include /etc/apache2/mod_log_config.conf
+
+# generated from default values of global settings in /etc/sysconfig/apache2
+<IfDefine !SYSCONFIG>
+  Include /etc/apache2/global.conf
+</IfDefine>
+
+# optional mod_status, mod_info
+Include /etc/apache2/mod_status.conf
+Include /etc/apache2/mod_info.conf
+
+# mod_reqtimeout protects the server from the so-called "slowloris"
+# attack: The server is not swamped with requests in fast succession,
+# but with slowly transmitted request headers and body, thereby filling up
+# the request slots until the server runs out of them.
+# mod_reqtimeout is lightweight and should deliver good results
+# with the configured default values. You shouldn't notice it at all.
+Include /etc/apache2/mod_reqtimeout.conf
+
+# Fix for CVE-2014-0231 introduces new configuration parameter
+# CGIDScriptTimeout. This directive and its effect prevent request
+# workers to be eaten until starvation if cgi programs do not send
+# output back to the server within the timout set by CGIDScriptTimeout.
+Include /etc/apache2/mod_cgid-timeout.conf
+
+# optional cookie-based user tracking
+# read the documentation before using it!!
+Include /etc/apache2/mod_usertrack.conf
+
+# configuration of server-generated directory listings
+Include /etc/apache2/mod_autoindex-defaults.conf
+
+# associate MIME types with filename extensions
+TypesConfig /etc/apache2/mime.types
+Include /etc/apache2/mod_mime-defaults.conf
+
+# set up (customizable) error responses
+Include /etc/apache2/errors.conf
+
+# global (server-wide) SSL configuration, that is not specific to
+# any virtual host
+Include /etc/apache2/ssl-global.conf
+
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include /etc/apache24/conf.d/tls-defaults.conf
+{%- endif %}
+
+# forbid access to the entire filesystem by default
+<Directory />
+    Options None
+    AllowOverride None
+    <IfModule !mod_access_compat.c>
+        Require all denied
+    </IfModule>
+    <IfModule mod_access_compat.c>
+        Order deny,allow
+        Deny from all
+    </IfModule>
+</Directory>
+
+# use .htaccess files for overriding,
+AccessFileName .htaccess
+# and never show them
+<Files ~ "^\.ht">
+    <IfModule !mod_access_compat.c>
+        Require all denied
+    </IfModule>
+    <IfModule mod_access_compat.c>
+        Order allow,deny
+        Deny from all
+    </IfModule>
+</Files>
+
+# List of resources to look for when the client requests a directory
+DirectoryIndex index.html index.html.var
+
+### 'Main' server configuration #############################################
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition.  These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+Include /etc/apache2/default-server.conf
+
+
+### Virtual server configuration ############################################
+#
+# VirtualHost: If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them. Most configurations
+# use only name-based virtual hosts so the server doesn't need to worry about
+# IP addresses. This is indicated by the asterisks in the directives below.
+#
+# Please see the documentation at
+# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
+# for further details before you try to setup virtual hosts.
+#
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+#
+IncludeOptional /etc/apache2/vhosts.d/*.conf
+
+
+# Note: instead of adding your own configuration here, consider
+#       adding it in your own file (/etc/apache2/httpd.conf.local)
+#       putting its name into APACHE_CONF_INCLUDE_FILES in
+#       /etc/sysconfig/apache2 -- this will make system updates
+#       easier :)

apache/files/Suse/apache-2.4.config.jinja

@@ -1,4 +1,7 @@
 #
+# This file is managed by Salt! Do not edit by hand!
+#
+
 # /etc/apache2/httpd.conf 
 #
 # This is the main Apache server configuration file.  It contains the

apache/files/Suse/modsecurity.conf.jinja

@@ -0,0 +1,72 @@
+{%- set apache = pillar.get('apache', {}) %}
+{%- set modsec = apache.get('mod_security', {}) %}
+{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
+{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
+{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
+{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
+{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
+{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
+{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
+{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
+{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
+#
+# This file is managed by Salt! Do not edit by hand!
+# Modify the salt pillar that generates this file instead
+#
+
+LoadModule security2_module modules/mod_security2.so
+
+<IfModule mod_security2.c>
+    # ModSecurity Core Rules Set configuration
+        IncludeOptional modsecurity.d/*.conf
+        IncludeOptional modsecurity.d/activated_rules/*.conf
+
+    # Default recommended configuration
+    SecRuleEngine {{ sec_rule_engine }}
+    SecRequestBodyAccess {{ sec_request_body_access }}
+    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRequestBodyLimit {{ sec_request_body_limit }}
+    SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
+    SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
+    SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
+    SecRule REQBODY_ERROR "!@eq 0" \
+    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+    "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
+    failed strict validation: \
+    PE %{REQBODY_PROCESSOR_ERROR}, \
+    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+    DB %{MULTIPART_DATA_BEFORE}, \
+    DA %{MULTIPART_DATA_AFTER}, \
+    HF %{MULTIPART_HEADER_FOLDING}, \
+    LF %{MULTIPART_LF_LINE}, \
+    SM %{MULTIPART_MISSING_SEMICOLON}, \
+    IQ %{MULTIPART_INVALID_QUOTING}, \
+    IP %{MULTIPART_INVALID_PART}, \
+    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+    SecPcreMatchLimit {{ sec_pcre_match_limit }}
+    SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}
+
+    SecRule TX:/^MSC_/ "!@streq 0" \
+            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+    SecResponseBodyAccess Off
+    SecDebugLog /var/log/apache2/modsec_debug.log
+    SecDebugLogLevel {{ sec_debug_log_level }}
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecAuditLog /var/log/apache2/modsec_audit.log
+    SecArgumentSeparator &
+    SecCookieFormat 0
+    SecTmpDir /var/lib/mod_security
+    SecDataDir /var/lib/mod_security
+</IfModule>

apache/files/myname.conf

@@ -0,0 +1,2 @@
+<VirtualHost *:8088>
+</VirtualHost>

apache/flags.sls

@@ -1,36 +0,0 @@
-{% from "apache/map.jinja" import apache with context %}
-
-{% if salt['grains.get']('os_family') == 'Suse' or salt['grains.get']('os') == 'SUSE' %}
-
-include:
-  - apache
-
-{% for flag in salt['pillar.get']('apache:flags:enabled', []) %}
-a2enflag {{ flag }}:
-  cmd.run:
-    - unless: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }}
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-{% endfor %}
-
-{% for module in salt['pillar.get']('apache:flags:disabled', []) %}
-a2disflag -f {{ flag }}:
-  cmd.run:
-    - onlyif: egrep "^APACHE_SERVER_FLAGS=" /etc/sysconfig/apache2 | grep {{ flag }}
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-{% endfor %}
-
-{% endif %}

apache/init.sls

@@ -1,57 +1,7 @@
-{% from "apache/map.jinja" import apache with context %}
+# -*- coding: utf-8 -*-
+# vim: ft=sls
 
-apache:
-  pkg.installed:
-    - name: {{ apache.server }}
-  group.present:
-    - name: {{ apache.group }}
-    - system: True
-  user.present:
-    - name: {{ apache.user }}
-    - gid: {{ apache.group }}
-    - system: True
-  {# By default run apache service states (unless pillar is false) #}
-  {% if salt['pillar.get']('apache:manage_service_states', True) %}
-  service.{{ apache.service_state }}:
-    - name: {{ apache.service }}
-    {% if apache.service_state in [ 'running', 'dead' ] %}
-    - enable: True
-    {% endif %}
-
-# The following states are inert by default and can be used by other states to
-# trigger a restart or reload as needed.
-apache-reload:
-  module.wait:
-{% if apache.service_state in ['running'] %}
-    - name: service.reload
-    - m_name: {{ apache.service }}
-{% else %}
-    - name: cmd.run
-    - cmd: {{ apache.custom_reload_command|default('apachectl graceful') }}
-    - python_shell: True
-{% endif %}
-
-apache-restart:
-  module.wait:
-{% if apache.service_state in ['running'] %}
-    - name: service.restart
-    - m_name: {{ apache.service }}
-{% else %}
-    - name: cmd.run
-    - cmd: {{ apache.custom_reload_command|default('apachectl graceful') }}
-    - python_shell: True
-{% endif %}
-
-  {% else %}
-
-apache-reload:
-  test.show_notification:
-    - name: Skipping reload per user request
-    - text: Pillar manage_service_states is False
-
-apache-restart:
-  test.show_notification:
-    - name: Skipping restart per user request
-    - text: Pillar manage_service_states is False
-
-  {% endif %}
+include:
+  - .package
+  - .config
+  - .service

apache/libsaltcli.jinja

@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{#- Get the relevant values from the `opts` dict #}
+{%- set opts_cli = opts.get('__cli', '') %}
+{%- set opts_masteropts_cli = opts | traverse('__master_opts__:__cli', '') %}
+
+{#- Determine the type of salt command being run #}
+{%- if opts_cli == 'salt-minion' %}
+{%-   set cli = 'minion' %}
+{%- elif opts_cli == 'salt-call' %}
+{%-   set cli = 'ssh' if opts_masteropts_cli in ('salt-ssh', 'salt-master') else 'local' %}
+{%- else %}
+{%-   set cli = 'unknown' %}
+{%- endif %}
+{%- do salt['log.debug']('[libsaltcli] the salt command type has been identified to be: ' ~ cli) %}

apache/libtofs.jinja

@@ -0,0 +1,112 @@
+{%- macro files_switch(source_files,
+                       lookup=None,
+                       default_files_switch=['id', 'os_family'],
+                       indent_width=6,
+                       use_subpath=False) %}
+  {#-
+    Returns a valid value for the "source" parameter of a "file.managed"
+    state function. This makes easier the usage of the Template Override and
+    Files Switch (TOFS) pattern.
+
+    Params:
+      * source_files: ordered list of files to look for
+      * lookup: key under '<tplroot>:tofs:source_files' to prepend to the
+        list of source files
+      * default_files_switch: if there's no config (e.g. pillar)
+        '<tplroot>:tofs:files_switch' this is the ordered list of grains to
+        use as selector switch of the directories under
+        "<path_prefix>/files"
+      * indent_width: indentation of the result value to conform to YAML
+      * use_subpath: defaults to `False` but if set, lookup the source file
+        recursively from the current state directory up to `tplroot`
+
+    Example (based on a `tplroot` of `xxx`):
+
+    If we have a state:
+
+      Deploy configuration:
+        file.managed:
+          - name: /etc/yyy/zzz.conf
+          - source: {{ files_switch(['/etc/yyy/zzz.conf', '/etc/yyy/zzz.conf.jinja'],
+                                    lookup='Deploy configuration'
+                    ) }}
+          - template: jinja
+
+    In a minion with id=theminion and os_family=RedHat, it's going to be
+    rendered as:
+
+      Deploy configuration:
+        file.managed:
+          - name: /etc/yyy/zzz.conf
+          - source:
+            - salt://xxx/files/theminion/etc/yyy/zzz.conf
+            - salt://xxx/files/theminion/etc/yyy/zzz.conf.jinja
+            - salt://xxx/files/RedHat/etc/yyy/zzz.conf
+            - salt://xxx/files/RedHat/etc/yyy/zzz.conf.jinja
+            - salt://xxx/files/default/etc/yyy/zzz.conf
+            - salt://xxx/files/default/etc/yyy/zzz.conf.jinja
+          - template: jinja
+  #}
+  {#- Get the `tplroot` from `tpldir` #}
+  {%- set tplroot = tpldir.split('/')[0] %}
+  {%- set path_prefix = salt['config.get'](tplroot ~ ':tofs:path_prefix', tplroot) %}
+  {%- set files_dir = salt['config.get'](tplroot ~ ':tofs:dirs:files', 'files') %}
+  {%- set files_switch_list = salt['config.get'](
+      tplroot ~ ':tofs:files_switch',
+      default_files_switch
+  ) %}
+  {#- Lookup source_files (v2), files (v1), or fallback to an empty list #}
+  {%- set src_files = salt['config.get'](
+      tplroot ~ ':tofs:source_files:' ~ lookup,
+      salt['config.get'](tplroot ~ ':tofs:files:' ~ lookup, [])
+  ) %}
+  {#- Append the default source_files #}
+  {%- set src_files = src_files + source_files %}
+  {#- Only add to [''] when supporting older TOFS implementations #}
+  {%- set path_prefix_exts = [''] %}
+  {%- if use_subpath and tplroot != tpldir %}
+    {#- Walk directory tree to find {{ files_dir }} #}
+    {%- set subpath_parts = tpldir.lstrip(tplroot).lstrip('/').split('/') %}
+    {%- for path in subpath_parts %}
+      {%- set subpath = subpath_parts[0:loop.index] | join('/') %}
+      {%- do path_prefix_exts.append('/' ~ subpath) %}
+    {%- endfor %}
+  {%- endif %}
+  {%- for path_prefix_ext in path_prefix_exts|reverse %}
+    {%- set path_prefix_inc_ext = path_prefix ~ path_prefix_ext %}
+    {#- For older TOFS implementation, use `files_switch` from the config #}
+    {#- Use the default, new method otherwise #}
+    {%- set fsl = salt['config.get'](
+        tplroot ~ path_prefix_ext|replace('/', ':') ~ ':files_switch',
+        files_switch_list
+    ) %}
+    {#- Append an empty value to evaluate as `default` in the loop below #}
+    {%- if '' not in fsl %}
+      {%- set fsl = fsl + [''] %}
+    {%- endif %}
+    {%- for fs in fsl %}
+      {%- for src_file in src_files %}
+        {%- if fs %}
+          {%- set fs_dirs = salt['config.get'](fs, fs) %}
+        {%- else %}
+          {%- set fs_dirs = salt['config.get'](tplroot ~ ':tofs:dirs:default', 'default') %}
+        {%- endif %}
+        {#- Force the `config.get` lookup result as a list where necessary #}
+        {#- since we need to also handle grains that are lists #}
+        {%- if fs_dirs is string %}
+          {%- set fs_dirs = [fs_dirs] %}
+        {%- endif %}
+        {%- for fs_dir in fs_dirs %}
+          {%- set url = [
+              '- salt:/',
+              path_prefix_inc_ext.strip('/'),
+              files_dir.strip('/'),
+              fs_dir.strip('/'),
+              src_file.strip('/'),
+          ] | select | join('/') %}
+{{ url | indent(indent_width, true) }}
+        {%- endfor %}
+      {%- endfor %}
+    {%- endfor %}
+  {%- endfor %}
+{%- endmacro %}

apache/logrotate.sls

@@ -1,26 +0,0 @@
-{% from "apache/map.jinja" import apache with context %}
-
-{{ apache.logrotatedir }}:
-  file:
-    - managed
-    - contents: |
-        {{ apache.logdir }}/*.log {
-        	daily
-        	missingok
-        	rotate 14
-        	compress
-        	delaycompress
-        	notifempty
-        	create 640 root adm
-        	sharedscripts
-        	postrotate
-                        if /etc/init.d/{{ apache.service }} status > /dev/null ; then \
-                            /etc/init.d/{{ apache.service }} reload > /dev/null; \
-                        fi;
-        	endscript
-        	prerotate
-        		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
-        			run-parts /etc/logrotate.d/httpd-prerotate; \
-        		fi; \
-        	endscript
-        }

apache/manage_security.sls

@@ -1,31 +0,0 @@
-{% from "apache/map.jinja" import apache with context %}
-
-{%- macro security_config(name) %}
-{{ name }}:
-  file.managed:
-    - source:
-      - salt://apache/files/{{ salt['grains.get']('os_family') }}/security.conf.jinja
-      - salt://apache/files/security.conf.jinja
-    - mode: 644
-    - template: jinja
-    - require:
-      - pkg: apache
-    - watch_in:
-      - module: apache-restart
-    - require_in:
-      - module: apache-restart
-      - module: apache-reload
-      - service: apache
-{%- endmacro %}
-
-include:
-  - apache
-
-{% if grains['os_family']=="Debian" %}
-
-{{ security_config('/etc/apache2/conf-available/security.conf') }}
-    - onlyif: test -f '/etc/apache2/conf-available/security.conf'
-
-{% elif grains['os_family']=="FreeBSD" %}
-{{ security_config(apache.confdir+'/security.conf') }}
-{% endif %}

apache/map.jinja

@@ -1,23 +1,79 @@
-{#- vi: set ft=jinja: #}
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
 
-{%- import_yaml "apache/defaults.yaml" as default_settings %}
-{%- import_yaml "apache/osfamilymap.yaml" as osfamilymap %}
-{%- import_yaml "apache/oscodenamemap.yaml" as oscodenamemap %}
-{%- import_yaml "apache/osfingermap.yaml" as osfingermap %}
-{%- import_yaml "apache/modsecurity.yaml" as modsec %}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- import_yaml tplroot ~ "/defaults.yaml" as default_settings %}
+{%- import_yaml tplroot ~ "/osarchmap.yaml" as osarchmap %}
+{%- import_yaml tplroot ~ "/osfamilymap.yaml" as osfamilymap %}
+{%- import_yaml tplroot ~ "/osmap.yaml" as osmap %}
+{%- import_yaml tplroot ~ "/osfingermap.yaml" as osfingermap %}
+{%- import_yaml tplroot ~ "/oscodenamemap.yaml" as oscodename %}
+{%- import_yaml tplroot ~ "/modsecurity.yaml" as modsec %}
 
-{%- set defaults = salt['grains.filter_by'](default_settings,
-    default='apache',
-    merge=salt['grains.filter_by'](modsec, grain='os_family',
-      merge=salt['grains.filter_by'](osfamilymap, grain='os_family',
-        merge=salt['grains.filter_by'](oscodenamemap, grain='oscodename',
-          merge=salt['grains.filter_by'](osfingermap, grain='osfinger',
-            merge=salt['pillar.get']('apache:lookup', default={})
+{#- Retrieve the config dict only once #}
+{%- set _config = salt['config.get'](tplroot, default={}) %}
+
+{%- set defaults = salt['grains.filter_by'](
+      default_settings,
+      default=tplroot,
+      merge=salt['grains.filter_by'](
+        osarchmap,
+        grain='osarch',
+        merge=salt['grains.filter_by'](
+          osfamilymap,
+          grain='os_family',
+          merge=salt['grains.filter_by'](
+            osmap,
+            grain='os',
+            merge=salt['grains.filter_by'](
+              oscodename,
+              grain='oscodename',
+              merge=salt['grains.filter_by'](
+                osfingermap,
+                grain='osfinger',
+                merge=salt['grains.filter_by'](
+                  modsec,
+                  grain='os_family',
+                  merge=salt['grains.filter_by'](
+                    _config,
+                    default='lookup'
+                  )
+                )
+              )
+            )
           )
         )
       )
     )
-) %}
+%}
+
+{%- set config = salt['grains.filter_by'](
+      {'defaults': defaults},
+      default='defaults',
+      merge=_config
+    )
+%}
+
+{%- set apache = config %}
+
+{#- Post-processing for specific non-YAML customisations #}
+{%- if grains.os_family == 'MacOS' %}
+{%-   set rootuser = salt['cmd.run']("stat -f '%Su' /dev/console") %}
+{%-   set rootgroup = salt['cmd.run']("stat -f '%Sg' /dev/console") %}
+{%-   do apache.update({'rootuser': rootgroup}) %}
+{%-   do apache.update({'rootgroup': rootgroup}) %}
+{%- elif grains.os_family == 'Windows' %}
+{%-   set rootuser = salt['cmd.run']("id -un") %}
+{%-   do apache.update({'rootuser': rootuser}) %}
+{%- endif %}
 
-{#- Merge the apache pillar #}
-{%- set apache = salt['pillar.get']('apache', default=defaults, merge=True) %}
+{# legacy pillar support #}
+{%- if 'server' in apache.lookup and apache.lookup.server is string %}
+    {%- do apache.pkg.update({'name': apache.server}) %}
+{%- endif %}
+{%- if 'service' in apache.lookup and apache.lookup.service is string %}
+    {%- do apache.service.update({'name': apache.service}) %}
+{%- endif %}
+{%- if 'configfile' in apache and apache.configfile is string %}
+    {%- do apache.update({'config': apache.configfile}) %}
+{%- endif %}