+ latest extensions - deployed nginx, apache, php 74 & 81, nvm, automatic databases import and phpmyadmin with nginx basic auth

+ dhcp dnsmasq server playbook for create inner server network

#861m7vaer Шаблон операционной системы на Debian 10

apache-site.yml

@@ -1,18 +0,0 @@
----
-- import_playbook: playbooks/own/allow-releaseinfo-change.yml
-- import_playbook: playbooks/own/locales.yml
-- import_playbook: debops/tzdata.yml
-- import_playbook: debops/pki.yml
-- import_playbook: debops/yadm.yml
-- import_playbook: debops/root_account.yml
-- import_playbook: debops/sudo.yml
-- import_playbook: debops/system_users.yml
-- import_playbook: debops/mariadb_server.yml
-- import_playbook: debops/mariadb-custom-db.yml
-- import_playbook: debops/php-wp.yml
-- import_playbook: debops/apache.yml
-- import_playbook: playbooks/own/var-www-set-ownerships.yml
-
-# Import all other group playbooks in this file...
-
-...

group_vars/all.yml

@@ -8,5 +8,5 @@ keyring__keyserver: hkp://keyserver.ubuntu.com:80
 
 secret__levels: '.'
 
-site_name: '{{ site_name | d(lxc_host) }}'
+site_name: '{{ initial_site_name | d(lxc_host) }}'
 ...

nginx-only.yml

@@ -1,10 +0,0 @@
----
-- import_playbook: playbooks/own/allow-releaseinfo-change.yml
-- import_playbook: playbooks/own/locales.yml
-- import_playbook: debops/tzdata.yml
-- import_playbook: debops/pki.yml
-- import_playbook: debops/yadm.yml
-- import_playbook: debops/root_account.yml
-- import_playbook: debops/sudo.yml
-- import_playbook: debops/system_users.yml
-- import_playbook: debops/nginx.yml

nginx-site.yml

@@ -1,21 +0,0 @@
----
-- import_playbook: playbooks/own/allow-releaseinfo-change.yml
-- import_playbook: playbooks/own/locales.yml
-- import_playbook: debops/tzdata.yml
-- import_playbook: debops/pki.yml
-- import_playbook: debops/yadm.yml
-- import_playbook: debops/root_account.yml
-- import_playbook: debops/sudo.yml
-- import_playbook: debops/system_users.yml
-- import_playbook: debops/mariadb_server.yml
-- import_playbook: debops/mariadb-custom-db.yml
-- import_playbook: debops/php-prod.yml
-- import_playbook: debops/nginx.yml
-- import_playbook: debops/nodejs.yml
-- import_playbook: debops/redis.yml
-- import_playbook: playbooks/own/var-www-set-ownerships.yml
-- import_playbook: playbooks/own/node-version-manager.yml
-
-# Import all other group playbooks in this file...
-
-...

playbooks/apache-site.yml

@@ -0,0 +1,16 @@
+---
+- import_playbook: root-account.yml
+- import_playbook: debops/pki.yml
+- import_playbook: debops/system_users.yml
+- import_playbook: debops/mariadb_server.yml
+- import_playbook: debops/mariadb-custom-db.yml
+- import_playbook: debops/php-wp.yml
+- import_playbook: debops/apache.yml
+- import_playbook: debops/redis.yml
+- import_playbook: own/var-www-set-ownerships.yml
+- import_playbook: own/phpmyadmin.yml
+- import_playbook: own/libgd3-fix-for-php81.yml
+
+# Import all other group playbooks in this file...
+
+...

playbooks/debops/_phpmyadmin.yml

@@ -11,6 +11,5 @@
                    | combine(inventory__host_environment  | d({})) }}'
 
   roles:
-
     - role: phpmyadmin
       tags: [ 'role::phpmyadmin', 'skip::phpmyadmin' ]

playbooks/debops/apache.yml

@@ -12,7 +12,7 @@
 
   vars:
     apache__base_packages:
-      - libapache2-mod-php7.4
+      - libapache2-mod-php8.1
     apache__role_modules:
       'headers': True
       'alias': True

playbooks/debops/dnsmasq.yml

@@ -0,0 +1,52 @@
+---
+
+- name: Configure dnsmasq
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+    dnsmasq__dhcpv4: True
+    dnsmasq__dhcpv6: False
+    dnsmasq__interfaces:
+      - name: 'eth1'
+#        addresses: ['172.16.30.100']
+        domain: local
+        dhcp_range_start: 180
+        dhcp_range_end: -6
+    dnsmasq__base_domain: 'local'
+#    dnsmasq__configuration:
+#      - name: 'dhcp-option.conf'
+#        options:
+#          - name: 'dhcp-option-1'
+#            option: 'dhcp-option'
+#            value: '1,255.255.255.0'
+#          - name: 'dhcp-option-3'
+#            option: 'dhcp-option'
+#            value: '3,172.16.30.100'
+#          - name: 'dhcp-option-6'
+#            option: 'dhcp-option'
+#            value: '6,172.16.30.100'
+
+  pre_tasks:
+
+    - name: Prepare dnsmasq environment
+      import_role:
+        name: 'dnsmasq'
+        tasks_from: 'main_env'
+      tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
+
+  roles:
+
+    - role: resolvconf
+      tags: [ 'role::resolvconf', 'skip::resolvconf' ]
+      resolvconf__dependent_services:
+        - 'dnsmasq'
+
+    - role: dnsmasq
+      tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]

playbooks/debops/mariadb-custom-db.yml

@@ -16,7 +16,7 @@
     mariadb__upstream_version: '10.5'
 
   vars_files:
-    - ./../vars/databases.yml
+    - ./../../vars/databases.yml
 
   roles:
 

playbooks/debops/mariadb_server.yml

@@ -13,7 +13,7 @@
   vars:
     mariadb_server__flavor: '{{ ansible_local.mariadb.flavor
                                 |d(mariadb_server__flavor_map[ansible_distribution_release] | d("mariadb_upstream")) }}'
-    mariadb_server__upstream_version: '10.5'
+    mariadb_server__upstream_version: '11.2'
     mariadb_server__bind_address: '0.0.0.0'
 
   roles:

playbooks/debops/nginx.yml

@@ -12,7 +12,8 @@
 
 
   vars_files:
-    - ./../vars/nginx.yml
+    - ./../../vars/nginx.yml
+    - ./../../vars/php.yml
 
   vars:
     nginx_acme: False
@@ -34,13 +35,13 @@
 
         include_files_begin: '{{ nginx_includes_begin }}'
 
-        options: set $upstream unix:/run/php7.4-fpm-www-data.sock;
+        options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;'
 
         location_list:
           - pattern: '/'
             locations:
               - pattern: '~ ^/*.-backend/'
-                options: set $upstream unix:/run/php7.4-fpm-backend.sock;
+                options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock;'
             options: try_files /index.html @october;
           - pattern: '@october'
             options: rewrite ^/.*$ /index.php last;

playbooks/debops/php-prod.yml

@@ -56,7 +56,7 @@
         pm_max_children: 3
 
   vars_files:
-    - ./../vars/php.yml
+    - ./../../vars/php.yml
 
   pre_tasks:
 

playbooks/debops/php-wp.yml

@@ -10,8 +10,10 @@
                    | combine(inventory__group_environment | d({}))
                    | combine(inventory__host_environment  | d({})) }}'
 
+  vars_files:
+    - ./../../vars/php.yml
+
   vars:
-    php__version_preference: [ 'php7.4' ]
     php__sury: '{{ ansible_local.php.sury
                    |d(ansible_distribution_release in [ "buster" ]) | bool }}'
     php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'

playbooks/debops/root_account.yml

@@ -17,6 +17,8 @@
 
   post_tasks:
     - name: Tmux Plugins Manager
+      # Вообще это конструкция не нужна, так как tmux и сам все прекрасно умеет устанавливать, только если бы у него в этот момент была программа git
+      # Хотя нет, блин, нихрена он не умеет. Последнюю команду он почему не запускает: ~/.tmux/plugins/tpm/bin/install_plugins
       shell: test -d ~/.tmux/plugins/tpm || git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm && ~/.tmux/plugins/tpm/bin/install_plugins
 
   roles:

playbooks/debops/sudo.yml

@@ -11,7 +11,7 @@
                    | combine(inventory__host_environment  | d({})) }}'
 
   vars_files:
-    - ./../vars/sudo.yml
+    - ./../../vars/sudo.yml
 
   roles:
 #    - role: python

playbooks/debops/system_users.yml

@@ -16,11 +16,12 @@
     system_users__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
 
   vars_files:
-    - ./../vars/system_users.yml
+    - ./../../vars/system_users.yml
 
   post_tasks:
     - name: Change starship character to dollar sign
-      shell: "sed -i 's/#/\\\\$/g' /home/{{ site_name }}/.config/starship.toml"
+      shell: |
+        sed -i 's/#/\\\\$/g' /home/{{ site_name }}/.config/starship.toml
       args:
         executable: /bin/bash
 

playbooks/dhcp.yml

@@ -0,0 +1,8 @@
+---
+#- import_playbook: root-account.yml
+- import_playbook: debops/dnsmasq.yml
+#- import_playbook: own/correct-paths-for-pct-enter.yml
+
+# Import all other group playbooks in this file...
+
+...

playbooks/nginx-only.yml

@@ -0,0 +1,6 @@
+---
+- import_playbook: own/allow-releaseinfo-change.yml
+- import_playbook: root-account.yml
+- import_playbook: debops/pki.yml
+- import_playbook: debops/system_users.yml
+- import_playbook: debops/nginx.yml

playbooks/nginx-site.yml

@@ -0,0 +1,18 @@
+---
+- import_playbook: root-account.yml
+- import_playbook: debops/pki.yml
+- import_playbook: debops/system_users.yml
+- import_playbook: debops/mariadb_server.yml
+- import_playbook: debops/mariadb-custom-db.yml
+- import_playbook: debops/php-prod.yml
+- import_playbook: debops/nginx.yml
+#- import_playbook: debops/nodejs.yml
+- import_playbook: debops/redis.yml
+- import_playbook: own/var-www-set-ownerships.yml
+- import_playbook: own/node-version-manager.yml
+- import_playbook: own/nginx-auth.yml
+- import_playbook: own/phpmyadmin.yml
+
+# Import all other group playbooks in this file...
+
+...

playbooks/own/correct-paths-for-pct-enter.yml

@@ -0,0 +1,13 @@
+---
+- name: Nerest bash PATH var with set true paths after pct enter into lxc container from proxmox host
+  hosts: [ 'debian10' ]
+  tasks:
+    - name: Append .shell-env
+      ansible.builtin.lineinfile:
+        path: '/root/.shell-env'
+        line: |-
+          ##
+          ## Correct PATH for tmux enter
+          ##
+          PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+

playbooks/own/libgd3-fix-for-php81.yml

@@ -0,0 +1,14 @@
+---
+- name: Solve problem with libgd3 for php-gd
+  hosts: [ 'debian10' ]
+  tasks:
+    - copy:
+        dest: '/etc/apt/preferences.d/libgd-pin100'
+        content: |-
+          Package: libgd3
+          Pin-Priority: 100
+    - shell: |-
+        apt update
+        apt install -t bullseye libgd3 -yy
+        apt-cache policy libgd3
+        apt install php8.1-gd -yy

playbooks/own/lookup-password-test.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Configure Locales
+  hosts: [ 'debian10' ]
+  tasks:
+    - name: Set ownerships to /var/www dir
+      set_fact:
+        mariadb__server: '{{ lookup("password", "secret/vam-teplee-2023/testpass " + "length=15") }}'

playbooks/own/nginx-auth.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Setup nginx auth scaffolding dirs
+  hosts: [ 'debian10' ]
+  tasks:
+    - shell: |-
+        cd /etc/nginx
+        mkdir -p auth.d passwords.d
+
+    - copy:
+        dest: '/etc/nginx/auth.d/grant-access-certbot.conf'
+        content: |-
+          set $auth_basic Restricted;
+
+          if ($request_uri ~* "well-known") {
+            set $auth_basic off;
+          }
+            
+          auth_basic $auth_basic;

playbooks/own/phpmyadmin-nginx-auth.yml

@@ -0,0 +1,58 @@
+---
+
+- name: Install PhpMyAdmin
+
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+
+  hosts: [ 'debian10' ]
+
+  vars_files:
+    - ./../../vars/php.yml
+
+  tasks:
+    - name: Import DebOps secret role
+      ansible.builtin.import_role:
+        name: 'secret'
+
+    - name: 'Adding pma nginx config'
+      copy:
+        dest: '/etc/nginx/sites-available/pma.conf'
+        content: |-
+          server {
+              listen 81;
+              server_name {{ site_name }};
+              root /var/www/phpmyadmin;
+              index index.php;
+              include auth.d/pma-auth.conf;
+              location / {
+                  try_files $uri $uri/ /index.php?$args;
+              }
+              set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;
+              location ~ \.php$ {
+                  fastcgi_pass $upstream;
+                  include fastcgi_params;
+                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+                  fastcgi_param SERVER_NAME     $host;
+              }
+          }
+
+    - name: 'Adding pma nginx auth config'
+      copy:
+        dest: '/etc/nginx/auth.d/pma-auth.conf'
+        content: |-
+          include auth.d/grant-access-certbot.conf;
+          auth_basic_user_file passwords.d/pma.passwords;
+
+    - name: 'Adding pma nginx auth passwords files'
+      shell: |-
+        echo "{{ site_name }}:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/nginx/passwords.d/pma.passwords
+
+    - name: 'Turning on pma web site nginx config'
+      shell: |-
+        cd /etc/nginx/sites-enabled
+        ln -s ../sites-available/pma.conf ./
+
+    - name: 'Restarting nginx'
+      shell: |-
+        nginx -t && systemctl restart nginx

playbooks/own/phpmyadmin.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Install PhpMyAdmin
+
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+
+  hosts: [ 'debian10' ]
+
+  vars:
+    - phpmyadmin_version: 5.2.1
+
+  # TODO: Set blowfish_secret and make access rights for ./tmp directory
+  tasks:
+    - name: 'Download phpMyAdmin {{ phpmyadmin_version }} into var/www dir and uncompress'
+      become: true
+      become_user: '{{ site_name }}'
+      shell: |-
+        cd /var/www
+        rm -rf phpmyadmin
+        wget -q https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
+        unzip -qq phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
+        rm phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
+        mv phpMyAdmin-{{ phpmyadmin_version }}-all-languages phpmyadmin

playbooks/root-account.yml

@@ -1,8 +1,10 @@
 ---
-- import_playbook: playbooks/own/locales.yml
+- import_playbook: own/locales.yml
 - import_playbook: debops/tzdata.yml
+- import_playbook: own/allow-releaseinfo-change.yml
 - import_playbook: debops/yadm.yml
 - import_playbook: debops/root_account.yml
+- import_playbook: debops/sudo.yml
 
 # Import all other group playbooks in this file...
 

run-lxc-playbook.sh

@@ -3,6 +3,13 @@ SERVER=$1
 LXC_HOST=$2
 PLAYBOOK=$3
 
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -f|--force) force=1; shift ;;
+    esac
+    shift
+done
+
 usage() {
     echo "Usage: run-lxc-playbook.sh server lxc_host playbook"
     echo "server - main proxmox server IP address and lxc_host that the name of lxc container"
@@ -39,10 +46,14 @@ ansible-playbook -e "lxc_host=$LXC_HOST" --ssh-common-args="-o ProxyCommand='ssh
 EOF
 )
 
-printf 'Launch ansible playbook:\n%s\n' "$COMMAND"
+if [[ -z "$force" ]]; then
-read -p "Are you sure?  " -n 1 -r
+  printf 'Launch ansible playbook:\n%s\n' "$COMMAND"
-echo    # (optional) move to a new line
+  read -p "Are you sure?  " -n 1 -r
-if [[ $REPLY =~ ^[Yy]$ ]]
+  echo    # (optional) move to a new line
-then
+  if [[ $REPLY =~ ^[Yy]$ ]]
-    /bin/bash -c "$COMMAND"
+  then
+      /bin/bash -c "$COMMAND"
+  fi
+else
+  /bin/bash -c "$COMMAND"
 fi

run-vps-playbook.sh

@@ -1,10 +1,17 @@
 #!/bin/bash
 SERVER=$1
-SITE_NAME=$2
+PLAYBOOK=$2
-PLAYBOOK=$3
+SITE_NAME=$3
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -f|--force) force=1; shift ;;
+    esac
+    shift
+done
 
 usage() {
-    echo "Usage: run-vps-playbook.sh server site_name playbook"
+    echo "Usage: run-vps-playbook.sh server playbook [site_name]"
     echo "server - domain or ip adress of the vps server"
     echo "site_name - site name"
     echo "playbook - playbook file"
@@ -16,27 +23,32 @@ if [[ -z "$SERVER" ]]; then
   exit 1
 fi
 
-if [[ -z "$SITE_NAME" ]]; then
-  echo "You must defined SITE_NAME as second argument"
-  usage
-  exit 1
-fi
-
 if [[ -z "$PLAYBOOK" ]]; then
   echo "You must defined PLAYBOOK as third argument"
   usage
   exit 1
 fi
 
+
 COMMAND=$(cat <<EOF
-ansible-playbook -e "lxc_host=$SERVER" -e "site_name=$SITE_NAME" $PLAYBOOK
+ansible-playbook -e "lxc_host=${SERVER}"
 EOF
 )
 
-printf 'Launch ansible playbook:\n%s\n' "$COMMAND"
+if [[ -n "$SITE_NAME" ]]; then
-read -p "Are you sure?  " -n 1 -r
+  COMMAND="${COMMAND} -e initial_site_name=${SITE_NAME}"
-echo    # (optional) move to a new line
+fi
-if [[ $REPLY =~ ^[Yy]$ ]]
+
-then
+COMMAND="${COMMAND} ${PLAYBOOK}"
-    /bin/bash -c "$COMMAND"
+
+if [[ -z "$force" ]]; then
+  printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
+  read -p "Are you sure?  " -n 1 -r
+  echo    # (optional) move to a new line
+  if [[ $REPLY =~ ^[Yy]$ ]]
+  then
+      /bin/bash -c "${COMMAND}"
+  fi
+else
+    /bin/bash -c "${COMMAND}"
 fi

vars/php-example.yml

@@ -1,14 +1,7 @@
-php__version_preference: [ 'php7.4' ]
+php__version_preference: [ 'php7.4']
 php__sury: true
 php__packages: [ 'curl', 'xml', 'gd', 'zip', 'mbstring', 'mysql', 'bcmath', 'intl', 'redis' ]
-# For php8.1 automatic install gd is not possible, because https://github.com/debops/debops/issues/2272 and https://github.com/oerdnj/deb.sury.org/issues/1947
+
-# For solve that - touch file: /etc/apt/preferences.d/libgd-pin100
+#php__version_preference: [ 'php8.1' ]
-# with these contents:
+#php__sury: true
-#Package: libgd3
+#php__packages: [ 'curl', 'xml', 'zip', 'mbstring', 'mysql', 'bcmath', 'intl', 'redis' ]
-#Pin-Priority: 100
-# and launch installation process:
-#apt update
-#apt install -t bullseye libgd3
-#apt-cache policy libgd3
-#apt install php8.1-gd
-# TODO: Move that into own script