* use appropriate php version both for php and apache installations

+ pma for apache with auth and a hand-made change of the granted permissions
+ wp-cli
+ www-domain alias for apache and reverse redirect for that
2024-04-20 09:11:19 +03:00
parent 452d5cca79
commit 6186ab94e0
12 changed files with 109 additions and 52 deletions


@ -1,4 +1,5 @@
---
- import_playbook: own/apt-update.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
@ -6,11 +7,12 @@
- import_playbook: debops/mariadb-custom-db.yml
- import_playbook: debops/php-wp.yml
- import_playbook: debops/apache.yml
- import_playbook: debops/redis.yml
#- import_playbook: debops/redis.yml
- import_playbook: own/var-www-set-ownerships.yml
- import_playbook: own/phpmyadmin.yml
- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
- import_playbook: own/correct-paths-for-pct-enter.yml
- import_playbook: own/phpmyadmin-apache-auth.yml
#- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
#- import_playbook: own/correct-paths-for-pct-enter.yml
# Import all other group playbooks in this file...


@ -10,45 +10,45 @@
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/site.yml
- ./../../vars/php.yml
- ./../../vars/apache.yml
vars:
apache__base_packages:
- libapache2-mod-php8.1
apache__role_modules:
'headers': True
'alias': True
'php7.4': True
'ssl':
enabled: '{{ True if (apache__https_listen and apache__https_enabled) else False }}'
'security2':
enabled: '{{ apache__security_module_enabled|bool }}'
'status':
enabled: '{{ apache__status_enabled|bool }}'
config: |
<Location /server-status>
# Revoke default permissions granted in `/etc/apache2/mods-available/status.conf`.
Require all denied
</Location>
'socache_shmcb':
enabled: '{{ True
if (apache__ocsp_stapling_enabled|bool
and "shmcb" in apache__ocsp_stapling_cache)
else omit }}'
'authz_host':
enabled: '{{ True
if (apache__status_enabled|bool
and apache__status_allow_localhost)
else omit }}'
- 'libapache2-mod-php{{ php_version }}'
apache__default_vhost_name:
- '{{ domain_name }}'
- "{{ (has_www_domain and not www_domain_is_primary) | ternary('www.{{ domain_name }}', omit) }}"
apache__modules:
'php{{ php_version }}': True
'rewrite':
enabled: '{{ True
if (apache__register_mod_rewrite_used is defined and
apache__register_mod_rewrite_used.rc|d(1) == 0)
else omit }}'
enabled: True
apache__allow:
- 0.0.0.0
# apache__default_vhost:
# name: '{{ apache__default_vhost_name }}'
# filename: '000-default'
# root: '/var/www/html'
apache__default_vhost:
name: '{{ apache__default_vhost_name }}'
filename: '000-default'
root: '/var/www/html'
root_directives: |-
RewriteEngine On
RewriteBase /
{% if www_domain_is_primary %}
RewriteCond %{HTTP_HOST} ^([^www].*)$
RewriteRule ^(.*)$ https://www.%1/$1 [L,R=301]
{% else %}
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
{% endif %}
RewriteRule "(^|/)\.(?!well-known\/)" - [F]
RewriteRule "\.(sh|example)$" - [F]
apache__vhost_allow_override: 'All'
pre_tasks:
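Review bot: The www redirect in `root_directives` takes its target host from the request's Host header (`https://www.%1/$1` and `https://%1/$1`), so whatever Host a client sends is reflected into the 301 Location, and `^([^www].*)$` is a character class that only excludes hosts whose first character is `w`, not hosts starting with `www.`. The +/- markers are lost on this page, so this assumes the block is on the new side. Since `domain_name` is already available, pin both the condition and the target to it, e.g. `RewriteCond %{HTTP_HOST} !^www\.{{ domain_name | regex_escape }}$ [NC]` with `RewriteRule ^(.*)$ https://www.{{ domain_name }}/$1 [L,R=301]`, and the mirror image in the `else` branch. Separately, the nested `'www.{{ domain_name }}'` inside the `ternary()` call for `apache__default_vhost_name` may not be expanded as a template inside an expression; `'www.' + domain_name` is the usual form. The play continues past this hunk at `pre_tasks:`.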


@ -10,10 +10,10 @@
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/nginx.yml
- ./../../vars/site.yml
- ./../../vars/php.yml
- ./../../vars/nginx.yml
vars:
nginx_acme: False


@ -0,0 +1,6 @@
---
- name: Update system packages
hosts: [ 'debian10' ]
tasks:
- name: apt update
shell: apt update && apt upgrade -y
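Review bot: The `shell: apt update && apt upgrade -y` task bypasses the apt module, so it reports changed on every run, relies on the connection user already being root, and can fail at a dpkg conffile prompt because nothing sets a non-interactive frontend. `ansible.builtin.apt` with `update_cache: true` and `upgrade: safe` does the same job idempotently and non-interactively. Because this play is now the first import in the site playbook, a failure here blocks every play after it, so adding `cache_valid_time` to skip needless refreshes is worth considering as well.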


@ -0,0 +1,26 @@
---
- name: Create phpmyadmin apache auth passwords file
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
tasks:
- name: Import DebOps secret role
ansible.builtin.import_role:
name: 'secret'
- shell: |-
cd /etc/apache2
mkdir -p passwords.d
- name: 'Adding pma apache auth passwords files'
shell: |-
echo "{{ site_name }}:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/apache2/passwords.d/pma.passwords
- name: 'Change require all granted rule, because debops not present appropriate functional'
shell: |-
sed -i "s|Require all granted|Require valid-user|g" /etc/apache2/sites-available/pma.conf
- name: 'Restarting apache'
shell: |-
systemctl restart apache2
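Review bot: The `Adding pma apache auth passwords files` task interpolates the generated password into a shell command line (`openssl passwd -apr1 {{ lookup(...) }}`), so it is visible in the process list while the task runs, can show up in Ansible's task output because `no_log` is not set, and is subject to shell parsing. The `>` redirect also creates `pma.passwords` with the default umask, which normally leaves the hash file world-readable. Using `community.general.htpasswd` (needs passlib on the target) with an explicit owner, group and mode plus `no_log: true` avoids all three; its default scheme matches `-apr1`, and a stronger `crypt_scheme` can be chosen if the target supports it. The `sed` that swaps `Require all granted` for `Require valid-user` only protects anything if `pma.conf` also carries `AuthType` and `AuthUserFile`, which is not visible on this page.

```yaml
    # … unchanged: secret role import and passwords.d creation …
    - name: 'Adding pma apache auth passwords files'
      community.general.htpasswd:
        path: /etc/apache2/passwords.d/pma.passwords
        name: '{{ site_name }}'
        password: '{{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30") }}'
        owner: root
        group: www-data  # assumes the Debian default Apache group; confirm
        mode: '0640'
      no_log: true
    # … unchanged: Require valid-user substitution and apache restart …
```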


@ -9,10 +9,8 @@
vars:
- phpmyadmin_version: 5.2.1
- blowfish_secret: lookup('community.general.random_string', length=12)
- blowfish_secret: "{{ lookup('community.general.random_string', length=32) }}"
# Create phpmyadmin config for apache2
# TODO: Set blowfish_secret and make access rights for ./tmp directory
tasks:
- name: 'Download phpMyAdmin {{ phpmyadmin_version }} into var/www dir and uncompress'
become: true
@ -27,4 +25,4 @@
cd phpmyadmin
cp config.sample.inc.php config.inc.php
sed -i "s|'blowfish_secret'] = ''|'blowfish_secret'] = '{{ blowfish_secret }}'|g" config.inc.php
mkdir tmp && sudo chown :33 && chmod g+w tmp
mkdir tmp && sudo chown :33 tmp && chmod g+w tmp
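Review bot: `community.general.random_string` includes punctuation by default, so the new `blowfish_secret` can contain `'`, `|`, `&` or `\`, any of which breaks the `sed "s|...|...'{{ blowfish_secret }}'|g"` substitution or the PHP string it writes into `config.inc.php`. Restricting the alphabet keeps the 32-character length and makes the substitution safe: `blowfish_secret: "{{ lookup('community.general.random_string', length=32, special=false) }}"`. The lookup is also evaluated afresh on every run, so if the task re-copies `config.sample.inc.php` each time the cookie secret rotates and existing phpMyAdmin sessions are invalidated; a persisted secret would avoid that. The shell task that uses the value starts outside the visible hunk.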

15
playbooks/own/wp-cli.yml Normal file

@ -0,0 +1,15 @@
---
- name: Install WP-CLI
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
tasks:
- name: Download and install wp-cli
shell: |-
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp