Update to 2021-12-01 19:13

2025-10-30 18:31:28 +01:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/glpi/templates/config_db.php.j2
+++ b/roles/glpi/templates/config_db.php.j2
@@ -0,0 +1,8 @@
+<?php
+class DB extends DBmysql {
+  var $dbhost    = '{{ glpi_mysql_server }}';
+  var $dbuser    = '{{ glpi_mysql_user }}';
+  var $dbpassword= '{{ glpi_mysql_pass }}';
+  var $dbdefault = '{{ glpi_mysql_db }}';
+}
+?>
--- a/roles/glpi/templates/filebeat.yml.j2
+++ b/roles/glpi/templates/filebeat.yml.j2
@@ -0,0 +1,7 @@
+- type: log
+  enabled: True
+  paths:
+    - {{ glpi_root_dir }}/data/_log/*.log
+  exclude_files:
+    - '\.[gx]z$'
+    - '\d+$'
--- a/roles/glpi/templates/httpd.conf.j2
+++ b/roles/glpi/templates/httpd.conf.j2
@@ -0,0 +1,29 @@
+{% if glpi_alias is defined %}
+Alias /{{ glpi_alias }} {{ glpi_root_dir }}/web
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+<Directory {{ glpi_root_dir }}/web>
+  AllowOverride All
+  Options FollowSymLinks
+{% if glpi_src_ip is defined %}
+  Require ip {{ glpi_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ glpi_php_fpm_pool | default('glpi_' + glpi_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+
+  <FilesMatch "(.ansible_version|.git.*|(CONTRIBUTING|SUPPORT|CHANGELOG|COPYING)\.(md|txt))">
+    Require all denied
+  </FilesMatch>
+
+</Directory>
+
+{% for dir in [ 'scripts', 'locales', 'config', 'inc', 'vendor', '.github', 'bin' ] %}
+<Directory {{ glpi_root_dir }}/web/{{ dir }}>
+  Require all denied
+</Directory>
+{% endfor %}
--- a/roles/glpi/templates/local_define.php.j2
+++ b/roles/glpi/templates/local_define.php.j2
@@ -0,0 +1,9 @@
+<?php
+
+define("GLPI_VAR_DIR", "{{ glpi_root_dir }}/data");
+define("GLPI_DOC_DIR", GLPI_VAR_DIR . "/_files");
+define("GLPI_SESSION_DIR", "{{ glpi_root_dir }}/sessions");
+define("GLPI_TMP_DIR", "{{ glpi_root_dir }}/tmp");
+define("GLPI_UPLOAD_DIR", "{{ glpi_root_dir }}/tmp");
+
+?>
--- a/roles/glpi/templates/logrotate.conf.j2
+++ b/roles/glpi/templates/logrotate.conf.j2
@@ -0,0 +1,7 @@
+{{ glpi_root_dir }}/data/_log/*.log {
+  daily
+  rotate 90
+  compress
+  missingok
+  su {{ glpi_php_user }} {{ glpi_php_user }}
+}
--- a/roles/glpi/templates/perms.sh.j2
+++ b/roles/glpi/templates/perms.sh.j2
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+restorecon -R {{ glpi_root_dir }}
+chown root:root {{ glpi_root_dir }}
+chmod 700 {{ glpi_root_dir }}
+chown root:root {{ glpi_root_dir }}/{meta,backup}
+chmod 700 {{ glpi_root_dir }}/{meta,backup}
+setfacl -k -b {{ glpi_root_dir }}
+setfacl -m u:{{ glpi_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ glpi_root_dir }}
+chown -R root:root {{ glpi_root_dir }}/web
+chown -R {{ glpi_php_user }} {{ glpi_root_dir }}/{tmp,sessions,data}
+chmod 700 {{ glpi_root_dir }}/{tmp,sessions,data}
+find {{ glpi_root_dir }}/web -type f -exec chmod 644 "{}" \;
+find {{ glpi_root_dir }}/web -type d -exec chmod 755 "{}" \;
+chown -R :{{ glpi_php_user }} {{ glpi_root_dir }}/web/config
+chown -R :{{ glpi_php_user }} {{ glpi_root_dir }}/web/marketplace
+chmod 770 {{ glpi_root_dir }}/web/config
+chmod 660 {{ glpi_root_dir }}/web/config/*
+chmod 770 {{ glpi_root_dir }}/web/marketplace
+chmod 660 {{ glpi_root_dir }}/web/marketplace/*
--- a/roles/glpi/templates/php.conf.j2
+++ b/roles/glpi/templates/php.conf.j2
@@ -0,0 +1,35 @@
+[glpi_{{ glpi_id }}]
+
+listen.owner = root
+listen.group = apache
+listen.mode = 0660
+listen = /run/php-fpm/glpi_{{ glpi_id }}.sock
+user = {{ glpi_php_user }}
+group = {{ glpi_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 5m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 256M
+php_admin_value[session.save_path] = {{ glpi_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ glpi_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ glpi_root_dir }}/tmp
+php_admin_value[post_max_size] = 100M
+php_admin_value[upload_max_filesize] = 100M
+php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ glpi_root_dir }}:/usr/share/pear/:/usr/share/php/
+php_admin_value[max_execution_time] = 60
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = off
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on
--- a/roles/glpi/templates/post_backup.j2
+++ b/roles/glpi/templates/post_backup.j2
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ glpi_root_dir }}/backup/*
--- a/roles/glpi/templates/pre_backup.j2
+++ b/roles/glpi/templates/pre_backup.j2
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -eo pipefail
+
+/usr/bin/mysqldump --user={{ glpi_mysql_user | quote }} \
+                   --password={{ glpi_mysql_pass | quote }} \
+                   --host={{ glpi_mysql_server | quote }} \
+                   --quick --single-transaction \
+                   --add-drop-table {{ glpi_mysql_db | quote }} | zstd -T0 -c > {{ glpi_root_dir }}/backup/{{ glpi_mysql_db }}.sql.zst
+
+[ -e {{ glpi_root_dir }}/web/config/glpicrypt.key ] && cp {{ glpi_root_dir }}/web/config/glpicrypt.key {{ glpi_root_dir }}/backup/
--- a/roles/glpi/templates/sso.php.j2
+++ b/roles/glpi/templates/sso.php.j2
@@ -0,0 +1,6 @@
+<?php
+
+# Just a dummy redirection so we can protect /sso.php with Lemonldap::NG
+header('Location: /');
+
+?>