gitea/ansible-lxc-templates
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

+ refactored and solve some problems with mariadb and nginx playbook

Browse Source 
+ apps playbooks - docker, caprover
* simple refactore starter scripts
+ apt update debops playboook prepend launch by default
* sury repo changed
* database users locked to localhost only
* phpmyadmin blowfish generate secret fix
This commit is contained in:
dimti
2025-02-10 23:35:41 +03:00
parent bff53b4c1a
commit 3dfacd0822
25 changed files with 227 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
playbooks/apache-site.yml
View File

@ -1,5 +1,5 @@
---
- import_playbook: own/apt-update.yml
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml

17
playbooks/apps/caprover.yml Normal file
View File

@ -0,0 +1,17 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Configure Firewall
shell: |
ufw allow 80,443,3000,996,7946,4789,2377/tcp; ufw allow 7946,4789,2377/udp;
- name: Install caprover
shell: |
docker run -p 80:80 -p 443:443 -p 3000:3000 -e ACCEPTED_TERMS=true -v /var/run/docker.sock:/var/run/docker.sock -v /captain:/captain caprover/caprover
- name: "Install npm caprover package (after that use: caprover serversetup)"
shell: |
export NVM_DIR="$HOME/.nvm"
. "$NVM_DIR/nvm.sh"
. "$NVM_DIR/bash_completion"
npm install -g caprover

33
playbooks/apps/docker-debian.yml Normal file
View File

@ -0,0 +1,33 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Remove old packages
shell: |
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
apt-get autoremove
- name: Add APT repository
shell: |
# Add Docker's official GPG key:
apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
- name: Install Docker
shell: |
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- name: Test hello-world
shell: |
docker run hello-world

29
playbooks/apps/docker-ubuntu.yml Normal file
View File

@ -0,0 +1,29 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Remove old packages
shell: |
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
apt-get autoremove
- name: Add APT repository
shell: |
apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
- name: Install Docker
shell: |
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- name: Test hello-world
shell: |
docker run hello-world

22
playbooks/debops/apt.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: Manage Advanced Package Manager
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
post_tasks:
- name: Upgrade
ansible.builtin.apt:
upgrade: True
roles:
- role: apt
tags: [ 'role::apt', 'skip::apt' ]

2
playbooks/debops/mariadb-custom-db.yml
View File

@ -1,5 +1,7 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]

2
playbooks/debops/mariadb.yml
View File

@ -1,5 +1,7 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]

17
playbooks/debops/mariadb_server.yml
View File

@ -1,5 +1,7 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb_server/defaults/main.html
- name: Manage MariaDB server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
@ -14,7 +16,20 @@
mariadb_server__flavor: '{{ ansible_local.mariadb.flavor
|d(mariadb_server__flavor_map[ansible_distribution_release] | d("mariadb_upstream")) }}'
mariadb_server__upstream_version: '11.2'
mariadb_server__bind_address: '0.0.0.0'
mariadb_server__bind_address: '127.0.0.1'
mariadb_server__mysqld_performance_options:
'innodb_buffer_pool_instances': '{{ ansible_processor_vcpus | d(1) }}'
'innodb_buffer_pool_size': '{{ (ansible_memtotal_mb / 2) | int }}M'
'innodb_log_file_size': '{{ (ansible_memtotal_mb / 2) / 4 | int }}M'
'query_cache_type': '1'
'query_cache_size': '1M'
'query_cache_limit': '10M'
'join_buffer_size': '1M'
'performance_schema': 'ON'
'skip-name-resolve': 'ON'
# mariadb_server__options:
# 'query_cache_size': '1M'
roles:
- role: keyring

23
playbooks/debops/nginx.yml
View File

@ -1,5 +1,7 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/nginx/defaults/main.html
- name: Manage nginx webserver
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
@ -25,41 +27,38 @@
nginx_ocsp: False
nginx_worker_processes: auto
nginx_manage_ipv6only: False
nginx_default_name: 'welcome'
nginx_default_ssl_name: 'welcome'
# TODO: Replace [::]:443 to 443 and [::]:80 to 80 in site nginx config
nginx_server_localhost:
enabled: False
nginx_listen_port: [ '80' ]
nginx_listen_ssl_port: [ '443' ]
nginx__servers:
- name: '{{ domain_name }}'
type: php
root: '/var/www/{{ site_name }}'
public_dir_name: ''
include_files_begin: '{{ nginx_includes_begin }}'
options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;'
location_list:
- pattern: '/'
locations:
- pattern: '~ ^/.*-backend/'
options: |
try_files /index.html @october
set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock
client_max_body_size 1000M
try_files /index.html @october;
set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock;
client_max_body_size 1000M;
options: try_files /index.html @october;
- pattern: '@october'
options: rewrite ^/.*$ /index.php last;
- pattern: '~* ^(?!/index).*\.php$'
options: return 403;
php_options: |
fastcgi_read_timeout 3000;
php_upstream: $upstream
#location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
php_location_script_name: ~ ^(?<script_name>/index\.php)
#location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
php_location_path_info: ~ ^(?<script_name>/index\.php)(?<path_info>/.*)?

8
playbooks/debops/php-prod.yml
View File

@ -12,12 +12,10 @@
vars:
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
@ -25,8 +23,10 @@
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__base_packages:
- unzip
- git

10
playbooks/debops/php-wp.yml
View File

@ -14,14 +14,10 @@
- ./../../vars/php.yml
vars:
php__sury: '{{ ansible_local.php.sury
|d(ansible_distribution_release in [ "buster" ]) | bool }}'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
@ -29,8 +25,10 @@
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__base_packages:
- unzip
- git

10
playbooks/debops/root_account.yml
View File

@ -13,14 +13,8 @@
vars:
root_account__enabled: True
root_account__password: False
# root_account__dotfiles_enabled: True
# root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
post_tasks:
- name: Tmux Plugins Manager
# Вообще это конструкция не нужна, так как tmux и сам все прекрасно умеет устанавливать, только если бы у него в этот момент была программа git
# Хотя нет, блин, нихрена он не умеет. Последнюю команду он почему не запускает: ~/.tmux/plugins/tpm/bin/install_plugins
shell: test -d ~/.tmux/plugins/tpm || git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm && ~/.tmux/plugins/tpm/bin/install_plugins
root_account__dotfiles_enabled: True
root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
roles:
- role: root_account

1
playbooks/nginx-only.yml
View File

@ -1,5 +1,6 @@
---
- import_playbook: own/allow-releaseinfo-change.yml
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml

1
playbooks/nginx-without-db-site.yml → playbooks/nginx-site-without-db-site.yml
View File

@ -1,4 +1,5 @@
---
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml

3
playbooks/nginx-site.yml
View File

@ -1,4 +1,6 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/apt/getting-started.html#example-playbook
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
@ -6,6 +8,7 @@
- import_playbook: debops/mariadb-custom-db.yml
- import_playbook: debops/php-prod.yml
- import_playbook: own/libgd3-fix-for-php8.yml
when: php_version is defined and php_version != '7.4'
- import_playbook: debops/nginx.yml
- import_playbook: debops/redis.yml
- import_playbook: own/var-www-set-ownerships.yml

8
playbooks/own/libgd3-fix-for-php8.yml
View File

@ -1,16 +1,18 @@
---
- name: Solve problem with libgd3 for php-gd
hosts: [ 'debian10' ]
when: (php_version != '7.4')
vars_files:
- ./../../vars/php.yml
tasks:
- copy:
- name: Set pin for libgd3 package
copy:
dest: '/etc/apt/preferences.d/libgd-pin100'
content: |-
Package: libgd3
Pin-Priority: 100
- shell: |-
- name: Update apt cache policy and install libgd
shell: |-
apt update
apt install -t bullseye libgd3 -yy
apt-cache policy libgd3

2
playbooks/own/phpmyadmin-nginx-auth.yml
View File

@ -22,7 +22,7 @@
content: |-
server {
listen 80;
listen 443;
listen 443 ssl;
ssl_certificate /etc/pki/realms/domain/default.crt;
ssl_certificate_key /etc/pki/realms/domain/default.key;
server_name pma.{{ domain_name }};

15
playbooks/own/phpmyadmin.yml
View File

@ -9,6 +9,7 @@
vars:
- phpmyadmin_version: 5.2.1
# https://docs.ansible.com/ansible/latest/collections/community/general/random_string_lookup.html#keyword-parameters
- blowfish_secret: "{{ lookup('community.general.random_string', length=32) }}"
tasks:
@ -24,5 +25,17 @@
mv phpMyAdmin-{{ phpmyadmin_version }}-all-languages phpmyadmin
cd phpmyadmin
cp config.sample.inc.php config.inc.php
sed -i "s|'blowfish_secret'] = ''|'blowfish_secret'] = '{{ blowfish_secret }}'|g" config.inc.php
mkdir tmp && sudo chown :33 tmp && chmod g+w tmp
- name: 'Set cookie blowfish secret'
# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/replace_module.html
replace:
path: /var/www/phpmyadmin/config.inc.php
regexp: "'blowfish_secret'] = ''"
replace: "'blowfish_secret'] = '{{ blowfish_secret | replace('\'', '\\\'') }}'\n\n$cfg['CookieSameSite'] = 'Lax';\n"
- name: 'Set MaxTableList'
replace:
path: /var/www/phpmyadmin/config.inc.php
regexp: "^//$cfg['MaxRows'](.*)"
replace: "//$cfg['MaxRows']\1\n\n$cfg['MaxTableList'] = 500;\n"

9
playbooks/own/yadm-update.yml Normal file
View File

@ -0,0 +1,9 @@
---
- hosts: ['debian10']
tasks:
- name: Update existing YADM install with remote ip-address plugin and replace own
shell: |
yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
rm -rf .tmux/plugins/tmux-ip-address
yadm pull
yadm checkout .

34
playbooks/own/yadm.yml
View File

@ -1,30 +1,40 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Install yadm
become_user: root
shell: |
command -v yadm || curl -sfLo /usr/local/bin/yadm https://github.com/TheLocehiliosan/yadm/raw/master/yadm && chmod a+x /usr/local/bin/yadm
- name: Install direnv
become_user: root
shell: |
command -v direnv || curl -sfLo /usr/local/bin/direnv https://github.com/direnv/direnv/releases/download/v2.35.0/direnv.linux-amd64 && chmod a+x /usr/local/bin/direnv
command -v direnv > /dev/null || {
curl -sfLo /usr/local/bin/direnv https://github.com/direnv/direnv/releases/download/v2.35.0/direnv.linux-amd64 && \
chmod a+x /usr/local/bin/direnv
}
- name: Install Starship
become_user: root
shell: |
command -v starship || curl -sS https://starship.rs/install.sh | sh -s -- -f
command -v starship> /dev/null || {
curl -sS https://starship.rs/install.sh | sh -s -- -f
}
- name: Clone dotfiles repo
- name: Install with init or update yadm
become_user: root
shell: |
yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout ./
command -v yadm && {
yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
rm -rf .tmux/plugins/tmux-ip-address
yadm pull && yadm checkout .
} || {
curl -sfLo /usr/local/bin/yadm https://github.com/TheLocehiliosan/yadm/raw/master/yadm && chmod a+x /usr/local/bin/yadm
yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .
}
# For manual change: sed -i 's/#/\\$/g' ${HOME}/.config/starship.toml
- name: 'Change character for non-root user'
become: false
become_user: root
shell: |
sed -i 's/#/\\$/g' ${HOME}/.config/starship.toml
HOME_USER=$(ls /home)
test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .'
test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'sed -i "s/#/\\$/g" ${HOME}/.config/starship.toml'
exit 0
args:
executable: /bin/bash
executable: /bin/bash

1
playbooks/root-account.yml
View File

@ -1,5 +1,6 @@
---
- import_playbook: own/locales.yml
- import_playbook: debops/apt.yml
- import_playbook: debops/tzdata.yml
#- import_playbook: own/allow-releaseinfo-change.yml# Need only for debian10
- import_playbook: debops/yadm.yml