Moved PHP stuff to apache.yml

Even though it's not exactly Apache, but it suits there better than in misc.yml
pyllyukko · Oct 26, 2023 · b2dbae0 · b2dbae0
1 parent 89a103d
commit b2dbae0
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 51 deletions.
diff --git a/tasks/apache.yml b/tasks/apache.yml
@@ -103,3 +103,54 @@
         owner: root
         group: root
         mode: '0644'
+
+- name: php.ini
+  tags:
+    - php
+    - configuration
+  block:
+    - name: Stat /etc/php.ini
+      ansible.builtin.stat:
+        path: /etc/php.ini
+      register: stat_result
+      tags: check
+    # https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html
+    # https://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/
+    # https://stackoverflow.com/questions/3115559/exploitable-php-functions/3697776#3697776
+    # https://www.feistyduck.com/library/apache-security/
+    # The e modifier has been deprecated,
+    # so this list doesn't disable preg_replace function
+    # (https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
+    #
+    # PHP-2372
+    # TODO: Moar content!
+    - name: Configure php.ini (PHP section)
+      become: true
+      when: stat_result.stat.exists
+      community.general.ini_file:
+        path: /etc/php.ini
+        section: PHP
+        option: "{{ item.key }}"
+        value: "{{ item.value }}"
+        owner: root
+        group: root
+        mode: '0644'
+      with_dict:
+        expose_php: 'Off'
+        display_errors: 'Off'
+        display_startup_errors: 'Off'
+        allow_url_include: 'Off'
+        allow_url_fopen: 'Off'
+        disable_functions: 'system,exec,shell_exec,popen,proc_open,pcntl_exec,passthru,str_rot13'
+        enable_dl: 'Off'
+    - name: Configure php.ini (Session section)
+      become: true
+      when: stat_result.stat.exists
+      community.general.ini_file:
+        path: /etc/php.ini
+        section: Session
+        option: session.use_strict_mode
+        value: '1'
+        owner: root
+        group: root
+        mode: '0644'
diff --git a/tasks/misc.yml b/tasks/misc.yml
@@ -196,57 +196,6 @@
       tags:
         - debian
 
-- name: php.ini
-  tags:
-    - php
-    - configuration
-  block:
-    - name: Stat /etc/php.ini
-      ansible.builtin.stat:
-        path: /etc/php.ini
-      register: stat_result
-      tags: check
-    # https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html
-    # https://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/
-    # https://stackoverflow.com/questions/3115559/exploitable-php-functions/3697776#3697776
-    # https://www.feistyduck.com/library/apache-security/
-    # The e modifier has been deprecated,
-    # so this list doesn't disable preg_replace function
-    # (https://www.php.net/manual/en/reference.pcre.pattern.modifiers.php)
-    #
-    # PHP-2372
-    # TODO: Moar content!
-    - name: Configure php.ini (PHP section)
-      become: true
-      when: stat_result.stat.exists
-      community.general.ini_file:
-        path: /etc/php.ini
-        section: PHP
-        option: "{{ item.key }}"
-        value: "{{ item.value }}"
-        owner: root
-        group: root
-        mode: '0644'
-      with_dict:
-        expose_php: 'Off'
-        display_errors: 'Off'
-        display_startup_errors: 'Off'
-        allow_url_include: 'Off'
-        allow_url_fopen: 'Off'
-        disable_functions: 'system,exec,shell_exec,popen,proc_open,pcntl_exec,passthru,str_rot13'
-        enable_dl: 'Off'
-    - name: Configure php.ini (Session section)
-      become: true
-      when: stat_result.stat.exists
-      community.general.ini_file:
-        path: /etc/php.ini
-        section: Session
-        option: session.use_strict_mode
-        value: '1'
-        owner: root
-        group: root
-        mode: '0644'
-
 # SHLL-6211
 - name: Remove extraneous shells from /etc/shells
   become: true