+ latest extensions - deployed nginx, apache, php 74 & 81, nvm, automatic databases import and phpmyadmin with nginx basic auth

+ DHCP/dnsmasq server playbook for creating the inner server network

#861m7vaer Шаблон операционной системы на Debian 10
2023-10-24 17:26:53 +03:00
parent 9bb3348cce
commit 3bf86281d2
47 changed files with 307 additions and 97 deletions


@ -0,0 +1,15 @@
---
- name: Manage MariaDB server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: phpmyadmin
tags: [ 'role::phpmyadmin', 'skip::phpmyadmin' ]
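Review bot: Nothing in this play restricts who can reach phpMyAdmin, although the commit description says it sits behind nginx basic auth, so the protection presumably lives in another file. A comment at the top of the play naming that dependency would stop a later reader from assuming the role's defaults are sufficient, e.g. `# Exposure is gated by the nginx basic-auth vhost; do not publish this role's vhost on its own`. The hunk is complete here, but the inventory variables it relies on are not visible.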


@ -0,0 +1,65 @@
---
- name: Manage and configure the Apache HTTP Server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
apache__base_packages:
- libapache2-mod-php8.1
apache__role_modules:
'headers': True
'alias': True
'php7.4': True
'ssl':
enabled: '{{ True if (apache__https_listen and apache__https_enabled) else False }}'
'security2':
enabled: '{{ apache__security_module_enabled|bool }}'
'status':
enabled: '{{ apache__status_enabled|bool }}'
config: |
<Location /server-status>
# Revoke default permissions granted in `/etc/apache2/mods-available/status.conf`.
Require all denied
</Location>
'socache_shmcb':
enabled: '{{ True
if (apache__ocsp_stapling_enabled|bool
and "shmcb" in apache__ocsp_stapling_cache)
else omit }}'
'authz_host':
enabled: '{{ True
if (apache__status_enabled|bool
and apache__status_allow_localhost)
else omit }}'
'rewrite':
enabled: '{{ True
if (apache__register_mod_rewrite_used is defined and
apache__register_mod_rewrite_used.rc|d(1) == 0)
else omit }}'
apache__allow:
- 0.0.0.0
# apache__default_vhost:
# name: '{{ apache__default_vhost_name }}'
# filename: '000-default'
# root: '/var/www/html'
apache__vhost_allow_override: 'All'
pre_tasks:
- name: Prepare apache environment
import_role:
name: 'apache'
tasks_from: 'main_env'
tags: [ 'role::apache', 'role::apache:env' ]
roles:
- role: apache
tags: [ 'role::apache', 'skip::apache' ]
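Review bot: `apache__base_packages` installs `libapache2-mod-php8.1` while `apache__role_modules` enables `'php7.4': True`, so the module being activated is not the one being installed; pick one version for both, e.g. `'php8.1': True`. `apache__allow: [ 0.0.0.0 ]` appears to open the web ports to every source in the role's firewall rules and `apache__vhost_allow_override: 'All'` lets any `.htaccess` under the document root change server behaviour — defensible for a CMS template, but worth a comment stating both are deliberate, e.g. `# Public web server: firewall open to all, .htaccess overrides allowed for the CMS installer`. The address is also unquoted and has no prefix length; `'0.0.0.0/0'` is the unambiguous form.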


@ -0,0 +1,52 @@
---
- name: Configure dnsmasq
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
dnsmasq__dhcpv4: True
dnsmasq__dhcpv6: False
dnsmasq__interfaces:
- name: 'eth1'
# addresses: ['172.16.30.100']
domain: local
dhcp_range_start: 180
dhcp_range_end: -6
dnsmasq__base_domain: 'local'
# dnsmasq__configuration:
# - name: 'dhcp-option.conf'
# options:
# - name: 'dhcp-option-1'
# option: 'dhcp-option'
# value: '1,255.255.255.0'
# - name: 'dhcp-option-3'
# option: 'dhcp-option'
# value: '3,172.16.30.100'
# - name: 'dhcp-option-6'
# option: 'dhcp-option'
# value: '6,172.16.30.100'
pre_tasks:
- name: Prepare dnsmasq environment
import_role:
name: 'dnsmasq'
tasks_from: 'main_env'
tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
roles:
- role: resolvconf
tags: [ 'role::resolvconf', 'skip::resolvconf' ]
resolvconf__dependent_services:
- 'dnsmasq'
- role: dnsmasq
tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]
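Review bot: `dnsmasq__base_domain: 'local'` (and `domain: local` on eth1) hands out a search domain that collides with mDNS, where `.local` is reserved for link-local multicast resolution (RFC 6762), so hosts running Avahi or the macOS/Windows resolvers will resolve these names inconsistently or not at all. A private-use label or the reserved `home.arpa` (RFC 8375) avoids that, e.g. `dnsmasq__base_domain: 'home.arpa'`. The pre_task carries a `role::ferm` tag but no ferm role is listed under `roles`, so the DHCP/DNS ports are presumably left to whatever firewall state the host already has — a comment saying so would help, since a DHCP server answering on the wrong segment is an outage for everyone on it.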


@ -0,0 +1,18 @@
server {
listen 80;
server_name domain;
client_max_body_size 0;
location / {
proxy_pass http://site_name;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}
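Review bot: This vhost serves the same upstream on port 80 and 443 with no redirect and no HSTS, so clients that start on HTTP stay on HTTP; a separate `listen 80` server with `return 301 https://$host$request_uri;` (or at least `add_header Strict-Transport-Security "max-age=31536000" always;` in the TLS server) closes that. `client_max_body_size 0;` removes the request-body cap entirely and the 600-second timeouts let one slow client hold a worker connection for ten minutes — both are DoS-friendly defaults for an internet-facing proxy and should be set to what the backend actually needs. The certificate paths under `/etc/letsencrypt/tmp/domain/` look like placeholders; confirm they are rewritten before this example is copied live.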


@ -0,0 +1,20 @@
server {
listen 80;
server_name domain;
ignore_invalid_headers off;
client_max_body_size 0;
proxy_buffering off;
location / {
proxy_pass http://site_name:9000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}
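Review bot: `ignore_invalid_headers off;` (line 166) makes nginx forward headers it would normally reject, including names with underscores, to the backend on port 9000; if that backend ever trusts something like `X_Forwarded_For` or an underscore-spelled auth header this is the classic header-smuggling setup, so keep the directive only if the upstream documents the need and say so in a comment: `# required by the object-store API, which uses non-standard header names`. As in the sibling config, port 80 and 443 serve identical content with no HTTPS redirect and `client_max_body_size 0;` removes the body cap; at minimum add `return 301 https://$host$request_uri;` on the plain-HTTP listener.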


@ -0,0 +1,13 @@
server {
listen 80;
server_name domain;
location / {
proxy_pass https://site_name;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}
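Review bot: `proxy_pass https://site_name;` talks TLS to the upstream, but nginx does not verify upstream certificates unless told to, so this is an unauthenticated TLS hop — add `proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl_server_name on;` (the last so SNI carries the right name), or document why verification is intentionally off. The block also lacks the HTTP-to-HTTPS redirect and HSTS header noted for the sibling configs.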


@ -0,0 +1,32 @@
server {
listen 80;
server_name domain;
location / {
proxy_pass http://site_name:8080;
access_log off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 60m;
proxy_http_version 1.1;
}
location /api/eventSourceBus {
proxy_pass http://site_name:8080;
access_log off;
proxy_cache off;
proxy_buffering off;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}
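Review bot: `proxy_set_header X-Forwarded-Proto https;` on line 214 is hard-coded while the server also listens on plain port 80, so a request that arrived over HTTP is presented to the backend as HTTPS; the second location already uses `$scheme`, and the first should too: `proxy_set_header X-Forwarded-Proto $scheme;`. If the intent is that everything is HTTPS, add the port-80 redirect instead of misreporting to the backend. `access_log off;` on both locations removes the only request trail this proxy would produce for the 8080 application, which hampers incident investigation and deserves a comment explaining why; `proxy_read_timeout 86400s` on the event-source path is fine for SSE but merits a `# long-lived SSE stream` note.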


@ -0,0 +1,49 @@
location ~ ^/combine.*\.(css|js) {
rewrite ^/.*$ /index.php last;
expires max;
}
# Whitelist
## Let October handle if static file not exists
location ~ ^/favicon\.ico { try_files $uri /index.php; }
location ~ ^/sitemap\.xml { try_files $uri /index.php; }
location ~ ^/robots\.txt { try_files $uri /index.php; }
location ~ ^/humans\.txt { try_files $uri /index.php; }
## Google & Yandex website promts
location ~ ^/(google|yandex).*\.html { try_files $uri /index.php; }
location ~ ^/.*\.xml { try_files $uri /index.php; }
## Let nginx return 404 if static file not exists
location ~ ^/storage/app/uploads/public { access_log off; try_files $uri /404; }
location ~ ^/storage/app/media { access_log off; try_files $uri /404; }
location ~ ^/storage/app/yml { try_files $uri /404; }
location ~ ^/files { access_log off; try_files $uri /404; }
location ~ ^/storage/app/.*\.xls { try_files $uri /404; }
location ~ ^/storage/temp/public { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/semantic { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/resources { access_log off; try_files $uri /404; }
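Review bot: `try_files $uri /404;` does not make nginx return a 404 as the comment on line 253 claims — `/404` is a URI, not a status code, so a missing asset falls through to whatever handles `/404` (presumably `location /` and thus `/index.php`), and the request reaches PHP after all. Use the status form in each of those lines: `try_files $uri =404;`. The whitelist approach itself is sound: paths under `storage/`, `modules/`, `plugins/` and `themes/` are served from disk and never hit the PHP handler, which together with the `return 403` for non-index `.php` files in the nginx playbook is what keeps an uploaded `.php` under `storage/app/uploads` from executing — a one-line comment stating that invariant would help whoever edits this list next.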


@ -0,0 +1,29 @@
location ~* \.(jpg|jpeg|gif|png|svg|ico)$ {
access_log off;
expires max;
log_not_found off;
error_page 404 = /empty;
}
location = /empty {
expires 0;
empty_gif;
}
location ~* \.(eot|ttf|woff|pdf|css|js)$ {
access_log off;
expires max;
}
location ~* \.(xml|xls)$ {
add_header Cache-Control "no-cache";
}
location ~ /\. {
deny all;
}
location ~* \.(tpl|ini|sh) {
deny all;
}


@ -0,0 +1,20 @@
error_page 418 = @www;
set $www "0";
if ( $http_host ~* "^www\.") {
set $www "${www}1";
}
if ( $http_host ~* "^m\.") {
set $www "${www}2";
}
if ( $www = "0" ) {
return 418;
}
location @www {
rewrite ^ $scheme://www.$host$request_uri? permanent;
}
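Review bot: The redirect target uses `$host`, which comes from the client's Host header, so if this server block is (or later becomes) the default vhost a request with `Host: evil.example` is answered with `301 -> http://www.evil.example/...` — an open redirect. Build the target from a server-controlled name instead: `rewrite ^ $scheme://www.$server_name$request_uri? permanent;` (or a per-site variable). The `error_page 418 = @www` trick and the `if` blocks in server context do work, but a comment such as `# Canonicalise bare domain to www.; the m. subdomain is left alone` would save the next reader from decoding the `$www` string concatenation.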


@ -0,0 +1,19 @@
---
- name: Manage APT and GPG keyrings
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
keyring__enabled: True
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring' ]


@ -0,0 +1,38 @@
---
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
mariadb__upstream_version: '10.5'
vars_files:
- ./../../vars/databases.yml
roles:
- role: secret
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
keyring__dependent_apt_keys:
- '{{ mariadb__keyring__dependent_apt_keys }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
python__dependent_packages3:
- '{{ mariadb__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb__python__dependent_packages2 }}'
- role: mariadb
tags: [ 'role::mariadb', 'skip::mariadb' ]


@ -0,0 +1,34 @@
---
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
mariadb__upstream_version: '10.5'
roles:
- role: secret
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
keyring__dependent_apt_keys:
- '{{ mariadb__keyring__dependent_apt_keys }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
python__dependent_packages3:
- '{{ mariadb__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb__python__dependent_packages2 }}'
- role: mariadb
tags: [ 'role::mariadb', 'skip::mariadb' ]


@ -0,0 +1,48 @@
---
- name: Manage MariaDB server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb_server__flavor: '{{ ansible_local.mariadb.flavor
|d(mariadb_server__flavor_map[ansible_distribution_release] | d("mariadb_upstream")) }}'
mariadb_server__upstream_version: '11.2'
mariadb_server__bind_address: '0.0.0.0'
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb_server' ]
keyring__dependent_apt_keys:
- '{{ mariadb_server__keyring__dependent_apt_keys }}'
- role: etc_services
tags: [ 'role::etc_services' ]
etc_services__dependent_list:
- '{{ mariadb_server__etc_services__dependent_rules }}'
#
# - role: ferm
# tags: [ 'role::ferm', 'skip::ferm' ]
# ferm__dependent_rules:
# - '{{ mariadb_server__ferm__dependent_rules }}'
# - role: tcpwrappers
# tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
# tcpwrappers__dependent_allow:
# - '{{ mariadb_server__tcpwrappers__dependent_allow }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb_server' ]
python__dependent_packages3:
- '{{ mariadb_server__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb_server__python__dependent_packages2 }}'
- role: mariadb_server
tags: [ 'role::mariadb_server', 'skip::mariadb_server' ]
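Review bot: `mariadb_server__bind_address: '0.0.0.0'` exposes MariaDB on every interface while the `ferm` and `tcpwrappers` roles that would restrict access are commented out, so nothing in this play limits who can reach port 3306. If remote access is needed, bind to the inner-network address only and re-enable the firewall roles with an allow list; otherwise drop the override and keep the default loopback bind. The client playbooks pin `mariadb__upstream_version: '10.5'` while the server pins `'11.2'` — presumably intentional, but a comment here would stop someone from "fixing" the mismatch.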


@ -0,0 +1,29 @@
---
- name: Manage master nginx proxy
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
nginx_acme: True
nginx_real_ip_from: ['172.16.30.0/24']
nginx_default_keepalive_timeout: 65
nginx_ocsp: False
nginx_worker_processes: auto
pre_tasks:
- name: Copy Nginx Master Proxy config examples
copy:
src: etc/nginx-master-proxy/conf.d
dest: /etc/nginx/
mode: 0644
roles:
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]
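Review bot: The pre_task copies `etc/nginx-master-proxy/conf.d` — the example vhosts in this commit with `server_name domain;` and certificate paths under `/etc/letsencrypt/tmp/domain/` — straight into the live `/etc/nginx/` tree, so if `conf.d/*.conf` is included by the generated nginx.conf these placeholders load as real vhosts and `nginx -t` fails on the missing certificates (or, if files exist there, answers for a bogus name). Copy examples to a path nginx does not include, e.g. `dest: /usr/local/share/nginx-master-proxy/conf.d/`, or generate real vhosts per site with `template`; note also that the copy runs before the nginx role, so nothing validates the result. `nginx_real_ip_from: ['172.16.30.0/24']` trusts `X-Forwarded-For` from the whole inner subnet — fine if only the proxies live there, but worth a comment.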

112
playbooks/debops/nginx.yml Normal file

@ -0,0 +1,112 @@
---
- name: Manage nginx webserver
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/nginx.yml
- ./../../vars/php.yml
vars:
nginx_acme: False
nginx_http_extra_options: |
client_max_body_size 100M;
nginx_real_ip_from: ['172.16.30.0/24']
nginx_default_keepalive_timeout: 65
# nginx_webroot_create: False
nginx_ocsp: False
nginx_worker_processes: auto
nginx__servers:
- name: '{{ site_name }}'
type: php
root: '/var/www/{{ site_name }}'
public_dir_name: ''
include_files_begin: '{{ nginx_includes_begin }}'
options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;'
location_list:
- pattern: '/'
locations:
- pattern: '~ ^/*.-backend/'
options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock;'
options: try_files /index.html @october;
- pattern: '@october'
options: rewrite ^/.*$ /index.php last;
- pattern: '~* ^(?!/index).*\.php$'
options: return 403;
php_options: |
fastcgi_read_timeout 3000;
php_upstream: $upstream
#location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
php_location_script_name: ~ ^(?<script_name>/index\.php)
#location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
php_location_path_info: ~ ^(?<script_name>/index\.php)(?<path_info>/.*)?
pre_tasks:
- name: Set filtered includes
set_fact:
nginx_includes_begin: "{{ (nginx_includes_begin | default([])) | union([item]) }}"
when: item != omit
loop:
- "{{ (nginx_www_redirect | default(False)) | ternary('includes.d/www.conf', omit) }}"
- includes.d/octobercms.conf
- includes.d/staticfiles.conf
- name: Copy OctoberCMS nginx conf includes and www redirect
copy:
src: etc/nginx/includes.d
dest: /etc/nginx/
mode: 0644
post_tasks:
- name: Default index.html
template:
src: var/www/site_name/index.html.j2
dest: '/var/www/{{ site_name }}/index.html'
mode: 0644
owner: '{{ site_name }}'
- name: Copy normalized.css
template:
src: var/www/site_name/normalize.css
dest: '/var/www/{{ site_name }}/'
mode: 0644
owner: '{{ site_name }}'
roles:
# - role: keyring
# tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
# keyring__dependent_apt_keys:
# - '{{ nginx__keyring__dependent_apt_keys }}'
#
# - role: apt_preferences
# tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
# apt_preferences__dependent_list:
# - '{{ nginx__apt_preferences__dependent_list }}'
#
# - role: python
# tags: [ 'role::python', 'skip::python' ]
# python__dependent_packages3:
# - '{{ nginx__python__dependent_packages3 }}'
# python__dependent_packages2:
# - '{{ nginx__python__dependent_packages2 }}'
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]
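Review bot: The backend location regex `~ ^/*.-backend/` (line 517) reads as "zero or more slashes, any single character, then `-backend/`", so it matches `/x-backend/` but not `/admin-backend/`, and for any multi-character prefix the backend pool socket set on line 518 is never selected; `~ ^/[^/]+-backend/` is presumably what was meant. The post_task renders `var/www/site_name/index.html.j2` outside any loop, yet that template (also in this commit) reads `item.welcome_domain`, `item.name` and `item.welcome_css`, so either `item` is defined somewhere not visible here or the render fails — pass the server entry explicitly, e.g. `vars: { item: '{{ nginx__servers[0] }}' }`. The `return 403` for any script other than `/index.php` (lines 522–523) is the right control for a CMS document root and merits a comment: `# only the front controller may execute; blocks uploaded .php files`.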


@ -0,0 +1,30 @@
---
- name: Manage NodeJS environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
nodejs__node_upstream: True
nodejs__node_upstream_release: node_18.x
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::nodejs' ]
keyring__dependent_apt_keys:
- '{{ nodejs__keyring__dependent_apt_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ nodejs__apt_preferences__dependent_list }}'
- role: nodejs
tags: [ 'role::nodejs', 'skip::nodejs' ]


@ -0,0 +1,95 @@
---
- name: Install and manage PHP environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
# Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__base_packages:
- unzip
- git
# mysql - это нужно только для WordPress
# mbstring требует только некоторые пакеты в laravel
# bcmath - нужно для работы парсера Excel файлов на одном из проектов
# Laravel/OctoberCMS: intl, redis
php__composer_upstream_enabled: '{{ True
if (ansible_distribution_release in
[ "buster" ])
else False }}'
php__php_included_packages: '{{ php__common_included_packages
+ [ "sysvsem", "sysvshm" ] }}'
php__fpm_pm: static
php__fpm_pm_max_children: 26
php__pools:
- name: backend
user: www-data
group: www-data
php_admin_values:
memory_limit: 256M
post_max_size: 800M
upload_max_filesize: 200M
max_execution_time: 600
pm: static
pm_max_children: 3
vars_files:
- ./../../vars/php.yml
pre_tasks:
- name: Apply keyring configuration for php environment
import_role:
name: 'keyring'
vars:
keyring__dependent_apt_keys:
- '{{ php__keyring__dependent_apt_keys }}'
tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
- name: Prepare php environment
import_role:
name: 'php'
tasks_from: 'main_env'
tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
roles:
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ php__apt_preferences__dependent_list }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: logrotate
tags: [ 'role::logrotate', 'skip::logrotate' ]
logrotate__dependent_config:
- '{{ php__logrotate__dependent_config }}'
- role: apt_install
- role: php
tags: [ 'role::php', 'skip::php' ]
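Review bot: The extra `backend` pool in `php__pools` runs as `www-data`, the same user as the default pool, so the separate socket gives capacity isolation (`pm_max_children: 3`) but no privilege separation — code running in the public pool can read and write everything the backend pool can. If isolation was the goal, give the pool its own user and group; if not, a comment saying the split is only for capacity would stop readers from assuming more, e.g. `# separate pool only caps backend concurrency; same user as the frontend on purpose`. `post_max_size: 800M` / `upload_max_filesize: 200M` with `max_execution_time: 600` are generous for an internet-facing admin path; confirm nginx's `client_max_body_size` is the tighter of the two. The comments on lines 635–638 are in Russian and should be English like the rest of the file.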


@ -0,0 +1,82 @@
---
- name: Install and manage PHP environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/php.yml
vars:
php__sury: '{{ ansible_local.php.sury
|d(ansible_distribution_release in [ "buster" ]) | bool }}'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
# Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__base_packages:
- unzip
- git
# mysql - это нужно только для WordPress
# mbstring требует только некоторые пакеты в laravel
# bcmath - нужно для работы парсера Excel файлов на одном из проектов
php__packages: [ 'curl', 'xml', 'gd', 'zip', 'mbstring', 'mysql', 'bcmath' ]
php__composer_upstream_enabled: '{{ True
if (ansible_distribution_release in
[ "buster" ])
else False }}'
php__php_included_packages: '{{ php__common_included_packages
+ [ "sysvsem", "sysvshm" ] }}'
pre_tasks:
- name: Apply keyring configuration for php environment
import_role:
name: 'keyring'
vars:
keyring__dependent_apt_keys:
- '{{ php__keyring__dependent_apt_keys }}'
tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
- name: Prepare php environment
import_role:
name: 'php'
tasks_from: 'main_env'
tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
roles:
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ php__apt_preferences__dependent_list }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: logrotate
tags: [ 'role::logrotate', 'skip::logrotate' ]
logrotate__dependent_config:
- '{{ php__logrotate__dependent_config }}'
- role: apt_install
- role: php
tags: [ 'role::php', 'skip::php' ]

36
playbooks/debops/pki.yml Normal file

@ -0,0 +1,36 @@
---
- name: Manage Public Key Infrastructure
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
pki_internal: True
pki_acme: False
pre_tasks:
- name: Prepare pki environment
import_role:
name: 'pki'
tasks_from: 'main_env'
tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
roles:
- role: secret
tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
secret_directories:
- '{{ pki_env_secret_directories }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: pki
tags: [ 'role::pki', 'skip::pki' ]


@ -0,0 +1,91 @@
---
- name: Manage Redis server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
redis_server__auth_password:
redis_server__configuration:
- name: 'main'
options:
# - name: 'save'
# value: ''
# dynamic: True
- name: 'protected-mode'
value: 'no'
dynamic: False
- name: 'stop-writes-on-bgsave-error'
value: 'no'
dynamic: False
- name: 'save'
value:
- name: '900 1'
state: absent
- name: '300 10'
state: absent
- name: '60 10000'
state: absent
dynamic: False
pre_tasks:
- name: Prepare sysfs environment
import_role:
name: 'sysfs'
tasks_from: 'main_env'
tags: [ 'role::sysfs', 'role::secret' ]
- name: Prepare redis_server environment
import_role:
name: 'redis_server'
tasks_from: 'main_env'
tags: [ 'role::redis_server', 'role::ferm' ]
roles:
- role: secret
tags: [ 'role::secret', 'role::sysfs' ]
secret__directories:
- '{{ sysfs__secret__directories | d([]) }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ redis_server__apt_preferences__dependent_list }}'
- role: etc_services
tags: [ 'role::etc_services', 'skip::etc_services' ]
etc_services__dependent_list:
- '{{ redis_server__etc_services__dependent_list }}'
- role: sysctl
tags: [ 'role::sysctl', 'skip::sysctl' ]
sysctl__dependent_parameters:
- '{{ redis_server__sysctl__dependent_parameters }}'
- role: sysfs
tags: [ 'role::sysfs', 'skip::sysfs' ]
sysfs__dependent_attributes:
- '{{ redis_server__sysfs__dependent_attributes }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::redis_server' ]
python__dependent_packages3:
- '{{ redis_server__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ redis_server__python__dependent_packages2 }}'
- role: redis_server
tags: [ 'role::redis_server', 'skip::redis_server' ]
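Review bot: `redis_server__auth_password:` is left empty (YAML null) and `protected-mode` is set to `no`, which disables the safeguard Redis has precisely for unauthenticated instances; if the server is bound to anything but loopback this is an unauthenticated Redis reachable from the network, where `CONFIG SET dir`/`dbfilename` amounts to arbitrary file write as the redis user. Either drop the `protected-mode` override, or keep it and set a real password through the role's secret handling while noting in a comment which client cannot authenticate. Disabling every `save` point plus `stop-writes-on-bgsave-error: no` makes the instance cache-only; state that intent in a comment so nobody stores durable data in it.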


@ -0,0 +1,26 @@
---
- name: Manage root system account
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
root_account__enabled: True
# root_account__dotfiles_enabled: True
# root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
post_tasks:
- name: Tmux Plugins Manager
# Вообще это конструкция не нужна, так как tmux и сам все прекрасно умеет устанавливать, только если бы у него в этот момент была программа git
# Хотя нет, блин, нихрена он не умеет. Последнюю команду он почему не запускает: ~/.tmux/plugins/tpm/bin/install_plugins
shell: test -d ~/.tmux/plugins/tpm || git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm && ~/.tmux/plugins/tpm/bin/install_plugins
roles:
- role: root_account
tags: [ 'role::root_account', 'skip::root_account' ]
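Review bot: The "Tmux Plugins Manager" task clones an unpinned GitHub repository and immediately executes `install_plugins` from it, as root under `become: True`, so the root shell runs whatever HEAD of that repository (and of every plugin it pulls) contains at run time — a supply-chain exposure a base OS template should not carry. Use the `git` module with a pinned `version:` (commit SHA) and a `dest`, then run the installer in a separate task guarded by `creates:`; the `test -d … || git clone … && …` form also runs the installer on every pass, because in POSIX shell `||` and `&&` bind left to right, so the task always reports `changed`. The Russian comments on lines 887–888 should be in English, and the second one records a defect this task does not resolve, so it should become a TODO or be fixed.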

30
playbooks/debops/sudo.yml Normal file
View File

@ -0,0 +1,30 @@
---
- name: Configure sudo service
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/sudo.yml
roles:
# - role: python
# tags: [ 'role::python', 'skip::python', 'role::ldap' ]
# python__dependent_packages3:
# - '{{ ldap__python__dependent_packages3 }}'
# python__dependent_packages2:
# - '{{ ldap__python__dependent_packages2 }}'
#
# - role: ldap
# tags: [ 'role::ldap', 'skip::ldap' ]
# ldap__dependent_tasks:
# - '{{ sudo__ldap__dependent_tasks }}'
- role: sudo
tags: [ 'role::sudo', 'skip::sudo' ]


@ -0,0 +1,34 @@
---
- name: Manage local users and groups
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
system_users__self: False
system_users__dotfiles_enabled: True
system_users__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
vars_files:
- ./../../vars/system_users.yml
post_tasks:
- name: Change starship character to dollar sign
shell: |
sed -i 's/#/\\\\$/g' /home/{{ site_name }}/.config/starship.toml
args:
executable: /bin/bash
roles:
- role: libuser
tags: [ 'role::libuser', 'skip::libuser' ]
- role: system_users
tags: [ 'role::system_users', 'skip::system_users' ]
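Review bot: The post_task runs `sed -i 's/#/\\\\$/g'` over the user's `starship.toml`, which rewrites every `#` in the file — including each TOML comment line, turning them into invalid key/value text — rather than just the prompt character; target the specific key instead (the prompt-symbol setting, presumably `success_symbol`) or ship the intended file with `copy`/`template`. Because the dotfiles are pulled unpinned from `https://vcs.wpstudio.ru/gitea/dotfiles.git` and this edit runs unconditionally, the task is also not idempotent and changes the file on every run. A `# TODO: replace with a templated starship.toml` comment would at least mark the hack.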


@ -0,0 +1,76 @@
{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
# Copyright (C) 2014-2017 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
#}
<!DOCTYPE html>
<html lang="en">
{% set nginx_tpl_domain = item.welcome_domain | d(item.name if (item.name is string) else item.name[0] | d(ansible_domain)) %}
{% if nginx_tpl_domain %}
{% set nginx_tpl_welcome_title = '<a href="' + item.welcome_url_scheme | d("https") + '://' + nginx_tpl_domain + '/">' + nginx_tpl_domain + '</a>' %}
{% else %}
{% set nginx_tpl_welcome_title = '<a href="http://companyname.website/">CompanyName.website</a>' %}
{% endif %}
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="referrer" content="no-referrer">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{{ nginx_tpl_domain | d("CompanyName.website") }}</title>
{% if item.welcome_css | d(True) | bool %}
<link rel="stylesheet" type="text/css" media="screen" href="normalize.css">
<style type="text/css" media="screen">
html {
font-size: 17px;
font-family: "Droid Sans Condensed", sans-serif;
}
@media (max-width: 900px) {
html { font-size: 15px; }
}
@media (max-width: 400px) {
html { font-size: 13px; }
}
#content {
margin: 0 auto;
width: 600px;
padding: 2rem;
text-align: center;
}
@media (max-width: 900px) {
#content {
width: 70%;
padding: 1.5rem;
}
}
h1 {
padding-bottom: 0.05em;
border-bottom: 2px solid #0092DF;
}
a {
text-decoration: none;
color: #0092DF;
}
</style>
{% endif %}
</head>
<body>
<div id="content">
<h2>{{ nginx_tpl_welcome_title }}</h2>
{% if nginx_tpl_domain %}
<p id="http-status"><strong>{{ item.welcome_status_choices | d([ '200 OK', "418 I'm a teapot" ]) | random }}</strong></p>
{% elif not nginx_tpl_domain %}
<p>If you're reading this, the web server was installed correctly.</p>
{% endif %}
</div>
</body>
</html>
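Review bot: The template dereferences `item.welcome_domain`, `item.name`, `item.welcome_url_scheme`, `item.welcome_css` and `item.welcome_status_choices`, i.e. it was written to be rendered per `nginx__servers` entry inside a loop, but the only caller in this commit (the "Default index.html" post_task in the nginx playbook) renders it without one, so `item` is undefined unless it comes from somewhere not visible here. A header comment stating the contract would catch that at review time, e.g. `{# Expects `item` to be one nginx__servers entry; render it with loop or pass item explicitly. #}`. The `{% elif not nginx_tpl_domain %}` on line 1017 is just `{% else %}`, and the values are interpolated without escaping — acceptable because they come from inventory rather than user input, but worth noting in the same comment.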


@ -0,0 +1,427 @@
/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */
/* Copyright (C) 2015 Nicolas Gallagher <nicolasgallagher@gmail.com> */
/* Copyright (C) 2015 Jonathan Neal <jonathantneal@hotmail.com> */
/* SPDX-License-Identifier: MIT */
/**
* 1. Set default font family to sans-serif.
* 2. Prevent iOS and IE text size adjust after device orientation change,
* without disabling user zoom.
*/
html {
font-family: sans-serif; /* 1 */
-ms-text-size-adjust: 100%; /* 2 */
-webkit-text-size-adjust: 100%; /* 2 */
}
/**
* Remove default margin.
*/
body {
margin: 0;
}
/* HTML5 display definitions
========================================================================== */
/**
* Correct `block` display not defined for any HTML5 element in IE 8/9.
* Correct `block` display not defined for `details` or `summary` in IE 10/11
* and Firefox.
* Correct `block` display not defined for `main` in IE 11.
*/
article,
aside,
details,
figcaption,
figure,
footer,
header,
hgroup,
main,
menu,
nav,
section,
summary {
display: block;
}
/**
* 1. Correct `inline-block` display not defined in IE 8/9.
* 2. Normalize vertical alignment of `progress` in Chrome, Firefox, and Opera.
*/
audio,
canvas,
progress,
video {
display: inline-block; /* 1 */
vertical-align: baseline; /* 2 */
}
/**
* Prevent modern browsers from displaying `audio` without controls.
* Remove excess height in iOS 5 devices.
*/
audio:not([controls]) {
display: none;
height: 0;
}
/**
* Address `[hidden]` styling not present in IE 8/9/10.
* Hide the `template` element in IE 8/9/10/11, Safari, and Firefox < 22.
*/
[hidden],
template {
display: none;
}
/* Links
========================================================================== */
/**
* Remove the gray background color from active links in IE 10.
*/
a {
background-color: transparent;
}
/**
* Improve readability of focused elements when they are also in an
* active/hover state.
*/
a:active,
a:hover {
outline: 0;
}
/* Text-level semantics
========================================================================== */
/**
* Address styling not present in IE 8/9/10/11, Safari, and Chrome.
*/
abbr[title] {
border-bottom: 1px dotted;
}
/**
* Address style set to `bolder` in Firefox 4+, Safari, and Chrome.
*/
b,
strong {
font-weight: bold;
}
/**
* Address styling not present in Safari and Chrome.
*/
dfn {
font-style: italic;
}
/**
* Address variable `h1` font-size and margin within `section` and `article`
* contexts in Firefox 4+, Safari, and Chrome.
*/
h1 {
font-size: 2em;
margin: 0.67em 0;
}
/**
* Address styling not present in IE 8/9.
*/
mark {
background: #ff0;
color: #000;
}
/**
* Address inconsistent and variable font size in all browsers.
*/
small {
font-size: 80%;
}
/**
* Prevent `sub` and `sup` affecting `line-height` in all browsers.
*/
sub,
sup {
font-size: 75%;
line-height: 0;
position: relative;
vertical-align: baseline;
}
sup {
top: -0.5em;
}
sub {
bottom: -0.25em;
}
/* Embedded content
========================================================================== */
/**
* Remove border when inside `a` element in IE 8/9/10.
*/
img {
border: 0;
}
/**
* Correct overflow not hidden in IE 9/10/11.
*/
svg:not(:root) {
overflow: hidden;
}
/* Grouping content
========================================================================== */
/**
* Address margin not present in IE 8/9 and Safari.
*/
figure {
margin: 1em 40px;
}
/**
* Address differences between Firefox and other browsers.
*/
hr {
box-sizing: content-box;
height: 0;
}
/**
* Contain overflow in all browsers.
*/
pre {
overflow: auto;
}
/**
* Address odd `em`-unit font size rendering in all browsers.
*/
code,
kbd,
pre,
samp {
font-family: monospace, monospace;
font-size: 1em;
}
/* Forms
========================================================================== */
/**
* Known limitation: by default, Chrome and Safari on OS X allow very limited
* styling of `select`, unless a `border` property is set.
*/
/**
* 1. Correct color not being inherited.
* Known issue: affects color of disabled elements.
* 2. Correct font properties not being inherited.
* 3. Address margins set differently in Firefox 4+, Safari, and Chrome.
*/
button,
input,
optgroup,
select,
textarea {
color: inherit; /* 1 */
font: inherit; /* 2 */
margin: 0; /* 3 */
}
/**
* Address `overflow` set to `hidden` in IE 8/9/10/11.
*/
button {
overflow: visible;
}
/**
* Address inconsistent `text-transform` inheritance for `button` and `select`.
* All other form control elements do not inherit `text-transform` values.
* Correct `button` style inheritance in Firefox, IE 8/9/10/11, and Opera.
* Correct `select` style inheritance in Firefox.
*/
button,
select {
text-transform: none;
}
/**
* 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio`
* and `video` controls.
* 2. Correct inability to style clickable `input` types in iOS.
* 3. Improve usability and consistency of cursor style between image-type
* `input` and others.
*/
button,
html input[type="button"], /* 1 */
input[type="reset"],
input[type="submit"] {
-webkit-appearance: button; /* 2 */
cursor: pointer; /* 3 */
}
/**
* Re-set default cursor for disabled elements.
*/
button[disabled],
html input[disabled] {
cursor: default;
}
/**
* Remove inner padding and border in Firefox 4+.
*/
button::-moz-focus-inner,
input::-moz-focus-inner {
border: 0;
padding: 0;
}
/**
* Address Firefox 4+ setting `line-height` on `input` using `!important` in
* the UA stylesheet.
*/
input {
line-height: normal;
}
/**
* It's recommended that you don't attempt to style these elements.
* Firefox's implementation doesn't respect box-sizing, padding, or width.
*
* 1. Address box sizing set to `content-box` in IE 8/9/10.
* 2. Remove excess padding in IE 8/9/10.
*/
input[type="checkbox"],
input[type="radio"] {
box-sizing: border-box; /* 1 */
padding: 0; /* 2 */
}
/**
* Fix the cursor style for Chrome's increment/decrement buttons. For certain
* `font-size` values of the `input`, it causes the cursor style of the
* decrement button to change from `default` to `text`.
*/
input[type="number"]::-webkit-inner-spin-button,
input[type="number"]::-webkit-outer-spin-button {
height: auto;
}
/**
* 1. Address `appearance` set to `searchfield` in Safari and Chrome.
* 2. Address `box-sizing` set to `border-box` in Safari and Chrome.
*/
input[type="search"] {
-webkit-appearance: textfield; /* 1 */
box-sizing: content-box; /* 2 */
}
/**
* Remove inner padding and search cancel button in Safari and Chrome on OS X.
* Safari (but not Chrome) clips the cancel button when the search input has
* padding (and `textfield` appearance).
*/
input[type="search"]::-webkit-search-cancel-button,
input[type="search"]::-webkit-search-decoration {
-webkit-appearance: none;
}
/**
* Define consistent border, margin, and padding.
*/
fieldset {
border: 1px solid #c0c0c0;
margin: 0 2px;
padding: 0.35em 0.625em 0.75em;
}
/**
* 1. Correct `color` not being inherited in IE 8/9/10/11.
* 2. Remove padding so people aren't caught out if they zero out fieldsets.
*/
legend {
border: 0; /* 1 */
padding: 0; /* 2 */
}
/**
* Remove default vertical scrollbar in IE 8/9/10/11.
*/
textarea {
overflow: auto;
}
/**
* Don't inherit the `font-weight` (applied by a rule above).
* NOTE: the default cannot safely be changed in Chrome and Safari on OS X.
*/
optgroup {
font-weight: bold;
}
/* Tables
========================================================================== */
/**
* Remove most spacing between table cells.
*/
table {
border-collapse: collapse;
border-spacing: 0;
}
td,
th {
padding: 0;
}


@ -0,0 +1,19 @@
---
- name: Manage time zone configuration
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
tzdata__timezone: Europe/Moscow
roles:
- role: tzdata
tags: [ 'role::tzdata', 'skip::tzdata' ]
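Review bot: `become: True` uses the YAML 1.1 capitalised boolean, which yamllint's `truthy` rule flags; Ansible accepts it, but `become: true` is the canonical spelling and avoids parser-dependent typing. The same spelling appears in playbooks/debops/yadm.yml below (`become: True`, `yadm__enabled: True`, `yadm__dotfiles_enabled: True`, `yadm__upstream_enabled: True`), so one sweep would cover both files; if the repository's yamllint config follows DebOps and permits `True`, this is purely cosmetic.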

69
playbooks/debops/yadm.yml Normal file

@ -0,0 +1,69 @@
---
- name: Configure yadm, Yet Another Dotfiles Manager
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
yadm__enabled: True
yadm__dotfiles_enabled: True
yadm__upstream_enabled: True
yadm__upstream_version: '2.5.0'
# That be used in yadm.fact.j2 - python script for resolving ansible.local.yadm.dotfile git repo
yadm__dotfiles_host: vcs.wpstudio.ru
yadm__dotfiles_owner: gitea
yadm__default_dotfiles:
- name: 'gitea'
git: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
yadm__packages:
- curl
- git
- ncdu
- fontconfig
- vim
- direnv
post_tasks:
- name: Starship
shell: |
curl -sS https://starship.rs/install.sh | sh -s -- -f
- name: Nerd Font
shell: |
download_font () {
url="https://raw.githubusercontent.com/ryanoasis/nerd-fonts/master/patched-fonts/SourceCodePro/Regular/complete/${1// /%20}"
path="/usr/share/fonts/$1"
curl -s -o "$path" "$url"
}
install_fonts () {
download_font "Sauce Code Pro Nerd Font Complete.ttf"
fc-cache -fv > /dev/null
}
install_fonts
args:
executable: /bin/bash
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
keyring__dependent_gpg_keys:
- '{{ yadm__keyring__dependent_gpg_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ yadm__apt_preferences__dependent_list }}'
- role: yadm
tags: [ 'role::yadm', 'skip::yadm' ]
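Review bot: The Starship post_task pipes `curl -sS https://starship.rs/install.sh | sh -s -- -f` straight into a root shell (the play runs with `become: True`) with no version pin or integrity check, and because it is a bare `shell:` task with no `creates:`/`changed_when:`, it re-downloads and re-executes the installer on every play. Fetching the script with `get_url` plus a `checksum:` taken from a reviewed copy, then running it under `args: creates:`, makes the step verifiable and idempotent (rewrite below; the checksum value is a placeholder to fill in). The Nerd Font task has the same shape: `curl -s -o "$path" "$url"` downloads from the `master` branch of a third-party repository with no `-f`, so an HTTP error page would be silently written into `/usr/share/fonts/` as the font file — use `curl -fsS -o "$path" "$url"` at minimum and preferably a pinned ref or checksum there too. Ansible runs `post_tasks` after `roles` regardless of where the keys sit in the file, so `curl`/`fontconfig` from `yadm__packages` are presumably installed by the yadm role before these tasks run; a one-line comment above `post_tasks` saying so would save the next reader from assuming the listed order is the execution order.
```yaml
  post_tasks:
    - name: Fetch Starship installer
      get_url:
        url: 'https://starship.rs/install.sh'
        dest: '/usr/local/src/starship-install.sh'
        # Pin the script: take the digest from a reviewed copy, not from the live URL.
        checksum: 'sha256:<STARSHIP_INSTALLER_SHA256_PLACEHOLDER>'
        mode: '0755'
    - name: Install Starship
      command: '/usr/local/src/starship-install.sh -f'
      args:
        creates: '/usr/local/bin/starship'  # installer's default bin dir; confirm
    # … unchanged: Nerd Font task, except `curl -s -o` → `curl -fsS -o` …
```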