Browse Source

+ debops: apache with pki, mariadb_server, php7.4 with extensions, mariadb client role with secret

master
dimti 2 years ago
parent
commit
3c53ae07cd
  1. 1
      .gitignore
  2. 69
      apache.yml
  3. 11
      manala.nginx.yml
  4. 22
      manala.php.yml
  5. 41
      mariadb.yml
  6. 48
      mariadb_server.yml
  7. 80
      php.yml
  8. 16
      phpmyadmin.yml
  9. 36
      pki.yml
  10. 3
      requirements.yml
  11. 3
      role/defaults/main.yml
  12. 0
      roles/php-from-source/files/docker-php-ext-configure
  13. 0
      roles/php-from-source/files/docker-php-ext-enable
  14. 0
      roles/php-from-source/files/docker-php-ext-install
  15. 0
      roles/php-from-source/files/docker-php-source
  16. 0
      roles/php-from-source/tasks/main.yml
  17. 19
      roles/phpmyadmin/COPYRIGHT
  18. 4
      roles/phpmyadmin/README.md
  19. 99
      roles/phpmyadmin/defaults/main.yml
  20. 34
      roles/phpmyadmin/meta/main.yml
  21. 44
      roles/phpmyadmin/tasks/main.yml
  22. 82
      roles/phpmyadmin/templates/etc/dbconfig-common/phpmyadmin.conf.j2
  23. 55
      roles/phpmyadmin/vars/main.yml
  24. 2
      secret/.gitignore
  25. 7
      site.yml

1
.gitignore

@ -1,2 +1,3 @@
*.retry *.retry
.idea .idea
/secret

69
apache.yml

@ -0,0 +1,69 @@
---
- name: Manage and configure the Apache HTTP Server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
apache__base_packages:
- libapache2-mod-php7.4
apache__role_modules:
'headers': True
'alias': True
'php7.4': True
'ssl':
enabled: '{{ True if (apache__https_listen and apache__https_enabled) else False }}'
'security2':
enabled: '{{ apache__security_module_enabled|bool }}'
'status':
enabled: '{{ apache__status_enabled|bool }}'
config: |
<Location /server-status>
# Revoke default permissions granted in `/etc/apache2/mods-available/status.conf`.
Require all denied
</Location>
'socache_shmcb':
enabled: '{{ True
if (apache__ocsp_stapling_enabled|bool
and "shmcb" in apache__ocsp_stapling_cache)
else omit }}'
'authz_host':
enabled: '{{ True
if (apache__status_enabled|bool
and apache__status_allow_localhost)
else omit }}'
'rewrite':
enabled: '{{ True
if (apache__register_mod_rewrite_used is defined and
apache__register_mod_rewrite_used.rc|d(1) == 0)
else omit }}'
apache__allow:
- 0.0.0.0
# apache__default_vhost:
# name: '{{ apache__default_vhost_name }}'
# filename: '000-default'
# root: '/var/www/html'
pre_tasks:
- name: Prepare apache environment
import_role:
name: 'apache'
tasks_from: 'main_env'
tags: [ 'role::apache', 'role::apache:env' ]
roles:
# - role: ferm
# tags: [ 'role::ferm', 'skip::ferm' ]
# ferm__dependent_rules:
# - '{{ apache__ferm__dependent_rules }}'
- role: apache
tags: [ 'role::apache', 'skip::apache' ]

11
manala.nginx.yml

@ -0,0 +1,11 @@
---
- hosts: debian10
collections:
- nginxinc.nginx_core
- manala.roles
tasks:
- name: Install NGINX
ansible.builtin.include_role:
name: nginx
vars:
nginx_type: opensource

22
manala.php.yml

@ -0,0 +1,22 @@
---
- hosts: debian10
collections:
- nginxinc.nginx_core
- manala.roles
vars:
manala_apt_repositories:
- contrib
manala_apt_preferences:
- git@backports
- sury_php:100
- php@sury_php:300
- nginx@nginx
tasks:
- name: Install Manala APT
ansible.builtin.include_role:
name: manala.roles.apt
- name: Install PHP
ansible.builtin.include_role:
name: manala.roles.php
vars:
manala_php_version: 7.4

41
mariadb.yml

@ -0,0 +1,41 @@
---
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
mariadb__upstream_version: '10.5'
mariadb__databases:
- name: 'intermetiz'
- name: 'intermetiz-products'
mariadb__users:
- name: 'intermetiz'
host: '%'
database: 'intermetiz%'
roles:
- role: secret
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
keyring__dependent_apt_keys:
- '{{ mariadb__keyring__dependent_apt_keys }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
python__dependent_packages3:
- '{{ mariadb__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb__python__dependent_packages2 }}'
- role: mariadb
tags: [ 'role::mariadb', 'skip::mariadb' ]

48
mariadb_server.yml

@ -0,0 +1,48 @@
---
- name: Manage MariaDB server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb_server__flavor: '{{ ansible_local.mariadb.flavor
|d(mariadb_server__flavor_map[ansible_distribution_release] | d("mariadb_upstream")) }}'
mariadb_server__upstream_version: '10.5'
mariadb_server__bind_address: '0.0.0.0'
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb_server' ]
keyring__dependent_apt_keys:
- '{{ mariadb_server__keyring__dependent_apt_keys }}'
- role: etc_services
tags: [ 'role::etc_services' ]
etc_services__dependent_list:
- '{{ mariadb_server__etc_services__dependent_rules }}'
#
# - role: ferm
# tags: [ 'role::ferm', 'skip::ferm' ]
# ferm__dependent_rules:
# - '{{ mariadb_server__ferm__dependent_rules }}'
# - role: tcpwrappers
# tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
# tcpwrappers__dependent_allow:
# - '{{ mariadb_server__tcpwrappers__dependent_allow }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb_server' ]
python__dependent_packages3:
- '{{ mariadb_server__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb_server__python__dependent_packages2 }}'
- role: mariadb_server
tags: [ 'role::mariadb_server', 'skip::mariadb_server' ]

80
php.yml

@ -0,0 +1,80 @@
---
- name: Install and manage PHP environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
php__version_preference: [ 'php7.4' ]
php__sury: '{{ ansible_local.php.sury
|d(ansible_distribution_release in [ "buster" ]) | bool }}'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
# Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__base_packages:
- unzip
- git
# mysql - это нужно только для WordPress
# mbstring требует только некоторые пакеты в laravel
# bcmath - нужно для работы парсера Excel файлов на одном из проектов
php__packages: [ 'curl', 'xml', 'gd', 'zip', 'mbstring', 'mysql', 'bcmath'' ]
php__composer_upstream_enabled: '{{ True
if (ansible_distribution_release in
[ "buster" ])
else False }}'
php__php_included_packages: '{{ php__common_included_packages
+ [ "sysvsem", "sysvshm" ] }}'
pre_tasks:
- name: Apply keyring configuration for php environment
import_role:
name: 'keyring'
vars:
keyring__dependent_apt_keys:
- '{{ php__keyring__dependent_apt_keys }}'
tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
- name: Prepare php environment
import_role:
name: 'php'
tasks_from: 'main_env'
tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
roles:
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ php__apt_preferences__dependent_list }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: logrotate
tags: [ 'role::logrotate', 'skip::logrotate' ]
logrotate__dependent_config:
- '{{ php__logrotate__dependent_config }}'
- role: apt_install
- role: php
tags: [ 'role::php', 'skip::php' ]

16
phpmyadmin.yml

@ -0,0 +1,16 @@
---
- name: Manage MariaDB server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: phpmyadmin
tags: [ 'role::phpmyadmin', 'skip::phpmyadmin' ]

36
pki.yml

@ -0,0 +1,36 @@
---
- name: Manage Public Key Infrastructure
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
pki_internal: True
pki_acme: False
pre_tasks:
- name: Prepare pki environment
import_role:
name: 'pki'
tasks_from: 'main_env'
tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
roles:
- role: secret
tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
secret_directories:
- '{{ pki_env_secret_directories }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: pki
tags: [ 'role::pki', 'skip::pki' ]

3
requirements.yml

@ -3,5 +3,4 @@
collections: collections:
- name: nginxinc.nginx_core - name: nginxinc.nginx_core
version: 0.8.0 version: 0.8.0
...
- name: debops.debops

3
role/defaults/main.yml

@ -0,0 +1,3 @@
---
mariadb__root_password: '{{ lookup("password", secret + "/credentials/" +
ansible_fqdn + "/mariadb/root/password length=20") }}'

0
roles/php/files/docker-php-ext-configure → roles/php-from-source/files/docker-php-ext-configure

0
roles/php/files/docker-php-ext-enable → roles/php-from-source/files/docker-php-ext-enable

0
roles/php/files/docker-php-ext-install → roles/php-from-source/files/docker-php-ext-install

0
roles/php/files/docker-php-source → roles/php-from-source/files/docker-php-source

0
roles/php/tasks/main.yml → roles/php-from-source/tasks/main.yml

19
roles/phpmyadmin/COPYRIGHT

@ -0,0 +1,19 @@
debops.phpmyadmin - Manage phpMyAdmin service using Ansible
Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2015-2019 DebOps <https://debops.org/>
SPDX-License-Identifier: GPL-3.0-only
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.

4
roles/phpmyadmin/README.md

@ -0,0 +1,4 @@
### phpmyadmin
This role does not have official documentation.
See [DebOps documentation](https://docs.debops.org/en/tags/v3.0.3^0/) instead.

99
roles/phpmyadmin/defaults/main.yml

@ -0,0 +1,99 @@
---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
# .. SPDX-License-Identifier: GPL-3.0-only
# .. _phpmyadmin__ref_defaults:
# debops.phpmyadmin default variables
# ===================================
# .. contents:: Sections
# :local:
#
# .. include:: ../../../../includes/global.rst
# .. envvar:: phpmyadmin_dependencies [[[
#
# Should PHPMyAdmin role manage its own dependencies?
phpmyadmin_dependencies: True
# ]]]
# .. envvar:: phpmyadmin_domain [[[
#
# What subdomain should be used for PHPMyAdmin in nginx configuration
phpmyadmin_domain: [ 'mysql.{{ ansible_domain }}' ]
# ]]]
# .. envvar:: phpmyadmin_password_length [[[
#
# Default length of generated passwords
phpmyadmin_password_length: '20'
# ]]]
# .. envvar:: phpmyadmin_control_password [[[
#
# Default PHPMyAdmin control password
phpmyadmin_control_password: "{{ lookup('password', secret + '/mariadb/' + ansible_local['mariadb'].delegate_to + '/credentials/' + phpmyadmin_control_user + '/password length=' + phpmyadmin_password_length) }}"
# ]]]
# .. envvar:: phpmyadmin_allow [[[
#
# List of IP addresses or network ranges in CIDR format, allowed to access
# PHPMyAdmin. Leave empty to allow access from all IP addresses/networks
phpmyadmin_allow: []
# ]]]
# .. envvar:: phpmyadmin_upload_size [[[
#
# Max upload size for nginx and php5
phpmyadmin_upload_size: '64M'
# ]]]
# .. envvar:: phpmyadmin_php5_max_children [[[
#
# Maximum number of PHP5 processes for PHPMyAdmin
phpmyadmin_php5_max_children: '20'
# ]]]
# Configuration for other Ansible roles [[[
# -----------------------------------------
# .. envvar:: phpmyadmin__php__dependent_packages [[[
#
# Package configuration for the :ref:`debops.php` Ansible role.
phpmyadmin__php__dependent_packages:
- 'mysql'
- 'mcrypt'
- 'gd'
# ]]]
# .. envvar:: phpmyadmin__php__dependent_pools [[[
#
# Pool configuration for the :ref:`debops.php` Ansible role.
phpmyadmin__php__dependent_pools:
- '{{ phpmyadmin_php5_pool }}'
# ]]]
# .. envvar:: phpmyadmin__nginx__dependent_servers [[[
#
# Server configuration for the :ref:`debops.nginx` Ansible role.
phpmyadmin__nginx__dependent_servers:
- '{{ phpmyadmin_nginx_server }}'
# ]]]
# .. envvar:: phpmyadmin__nginx__dependent_upstreams [[[
#
# Upstream configuration for the :ref:`debops.nginx` Ansible role.
phpmyadmin__nginx__dependent_upstreams:
- '{{ phpmyadmin_nginx_upstream_php5 }}'
# ]]]
# ]]]

34
roles/phpmyadmin/meta/main.yml

@ -0,0 +1,34 @@
---
# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2019 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
# Ensure that custom Ansible plugins and modules included in the main DebOps
# collection are available to roles in other collections.
collections: [ 'debops.debops' ]
dependencies: []
galaxy_info:
author: 'Maciej Delmanowski'
description: 'Install and configure PHPMyAdmin on a MySQL database server'
company: 'DebOps'
license: 'GPL-3.0-only'
min_ansible_version: '1.7.0'
platforms:
- name: Ubuntu
versions:
- precise
- quantal
- raring
- saucy
- trusty
- name: Debian
versions:
- wheezy
- jessie
galaxy_tags:
- mysql
- database
- php

44
roles/phpmyadmin/tasks/main.yml

@ -0,0 +1,44 @@
---
# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2019 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
- name: Import DebOps secret role
import_role:
name: 'secret'
- name: Install dbconfig-common
apt: pkg=dbconfig-common state=present install_recommends=no
register: phpmyadmin__register_dbconfig_packages
until: phpmyadmin__register_dbconfig_packages is succeeded
- name: Pre-configure PHPMyAdmin database
template: src=etc/dbconfig-common/phpmyadmin.conf.j2
dest=/etc/dbconfig-common/phpmyadmin.conf
owner=root group=root mode=0600
- name: Install PHPMyAdmin packages
apt: pkg=phpmyadmin state=present install_recommends=no
register: phpmyadmin__register_packages
until: phpmyadmin__register_packages is succeeded
- name: Create database for PHPMyAdmin
mysql_db: name={{ phpmyadmin_control_database | default('phpmyadmin') }} state=present
register: phpmyadmin_database
- name: Import PHPMyAdmin schema
mysql_db: # noqa no-handler
name: '{{ phpmyadmin_control_database | default("phpmyadmin") }}'
state: 'import'
target: '/usr/share/dbconfig-common/data/phpmyadmin/install/mysql'
login_unix_socket: '/run/mysqld/mysqld.sock'
when: phpmyadmin_database is defined and phpmyadmin_database is changed
- name: Create PHPMyAdmin control user
mysql_user:
name: "{{ phpmyadmin_control_user | default('phpmyadmin') }}"
state: 'present'
password: '{{ phpmyadmin_control_password }}'
priv: "{{ phpmyadmin_control_database | default('phpmyadmin') }}.*:ALL"
login_unix_socket: '/run/mysqld/mysqld.sock'
no_log: '{{ debops__no_log | d(True) }}'

82
roles/phpmyadmin/templates/etc/dbconfig-common/phpmyadmin.conf.j2

@ -0,0 +1,82 @@
{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2019 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
#}
# This file is managed by Ansible, all changes will be lost
# automatically generated by the maintainer scripts of phpmyadmin
# any changes you make will be preserved, though your comments
# will be lost! to change your settings you should edit this
# file and then run "dpkg-reconfigure phpmyadmin"
# dbc_install: configure database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_install='false'
# dbc_upgrade: upgrade database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_upgrade='false'
# dbc_remove: deconfigure database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_remove=''
# dbc_dbtype: type of underlying database to use
# this exists primarily to let dbconfig-common know what database
# type to use when a package supports multiple database types.
# don't change this value unless you know for certain that this
# package supports multiple database types
dbc_dbtype='mysql'
# dbc_dbuser: database user
# the name of the user who we will use to connect to the database.
dbc_dbuser='{{ phpmyadmin_control_user }}'
# dbc_dbpass: database user password
# the password to use with the above username when connecting
# to a database, if one is required
dbc_dbpass='{{ phpmyadmin_control_password }}'
# dbc_dbserver: database host.
# leave unset to use localhost (or a more efficient local method
# if it exists).
dbc_dbserver=''
# dbc_dbport: remote database port
# leave unset to use the default. only applicable if you are
# using a remote database.
dbc_dbport=''
# dbc_dbname: name of database
# this is the name of your application's database.
dbc_dbname='{{ phpmyadmin_control_database }}'
# dbc_dbadmin: name of the administrative user
# this is the administrative user that is used to create all of the above
dbc_dbadmin='root'
# dbc_basepath: base directory to hold database files
# leave unset to use the default. only applicable if you are
# using a local (filesystem based) database.
dbc_basepath=''
##
## postgresql specific settings. if you don't use postgresql,
## you can safely ignore all of these
##
# dbc_ssl: should we require ssl?
# set to "true" to require that connections use ssl
dbc_ssl=''
# dbc_authmethod_admin: authentication method for admin
# dbc_authmethod_user: authentication method for dbuser
# see the section titled "AUTHENTICATION METHODS" in
# /usr/share/doc/dbconfig-common/README.pgsql for more info
dbc_authmethod_admin=''
dbc_authmethod_user=''
##
## end postgresql specific settings
##

55
roles/phpmyadmin/vars/main.yml

@ -0,0 +1,55 @@
---
# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2019 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
phpmyadmin_control_user: 'phpmyadmin'
phpmyadmin_control_database: 'phpmyadmin'
phpmyadmin_nginx_server:
by_role: 'debops.phpmyadmin'
enabled: True
default: False
type: 'php5'
name: '{{ phpmyadmin_domain }}'
root: '/usr/share/phpmyadmin'
webroot_create: False
options: |
client_max_body_size {{ phpmyadmin_upload_size }};
location:
# Required for location_allow to work
'/': 'try_files $uri $uri/ =404;'
'~ ^/(setup|libraries)': 'deny all;'
location_allow:
'/': '{{ phpmyadmin_allow }}'
php5: 'php5_phpmyadmin'
php5_options: |
{% if phpmyadmin_allow is defined and phpmyadmin_allow %}
{% for address in phpmyadmin_allow %}
allow {{ address }};
{% endfor %}
deny all;
{% endif %}
phpmyadmin_nginx_upstream_php5:
enabled: True
name: 'php5_phpmyadmin'
type: 'php5'
php5: 'phpmyadmin'
phpmyadmin_php5_pool:
enabled: True
name: 'phpmyadmin'
user: 'www-data'
group: 'www-data'
pm_max_children: '{{ phpmyadmin_php5_max_children }}'
php_value:
post_max_size: '{{ phpmyadmin_upload_size }}'
upload_max_filesize: '{{ phpmyadmin_upload_size }}'

2
secret/.gitignore

@ -0,0 +1,2 @@
*
!.gitignore

7
site.yml

@ -1,6 +1,9 @@
--- ---
- import_playbook: anygroup.yml
- import_playbook: pki.yml
- import_playbook: mariadb_server.yml
- import_playbook: mariadb.yml
- import_playbook: php.yml
- import_playbook: apache.yml
# Import all other group playbooks in this file... # Import all other group playbooks in this file...
Loading…
Cancel
Save