* use appropriate php version both for php and apache installations

+ pma for apache with auth and hand made change granted permissions
+ wp-cli
+ www-domain alias for apache and revers redirect for that

playbooks/apache-site.yml

@@ -1,4 +1,5 @@
 ---
+- import_playbook: own/apt-update.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml
@@ -6,11 +7,12 @@
 - import_playbook: debops/mariadb-custom-db.yml
 - import_playbook: debops/php-wp.yml
 - import_playbook: debops/apache.yml
-- import_playbook: debops/redis.yml
+#- import_playbook: debops/redis.yml
 - import_playbook: own/var-www-set-ownerships.yml
 - import_playbook: own/phpmyadmin.yml
-- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
+- import_playbook: own/phpmyadmin-apache-auth.yml
-- import_playbook: own/correct-paths-for-pct-enter.yml
+#- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
+#- import_playbook: own/correct-paths-for-pct-enter.yml
 
 # Import all other group playbooks in this file...
 

playbooks/debops/apache.yml

@@ -10,45 +10,45 @@
                    | combine(inventory__group_environment | d({}))
                    | combine(inventory__host_environment  | d({})) }}'
 
+  vars_files:
+    - ./../../vars/site.yml
+    - ./../../vars/php.yml
+    - ./../../vars/apache.yml
+
   vars:
     apache__base_packages:
-      - libapache2-mod-php8.1
+      - 'libapache2-mod-php{{ php_version }}'
-    apache__role_modules:
+
-      'headers': True
+    apache__default_vhost_name:
-      'alias': True
+      - '{{ domain_name }}'
-      'php7.4': True
+      - "{{ (has_www_domain and not www_domain_is_primary) | ternary('www.{{ domain_name }}', omit) }}"
-      'ssl':
+
-        enabled: '{{ True if (apache__https_listen and apache__https_enabled) else False }}'
+    apache__modules:
-      'security2':
+      'php{{ php_version }}': True
-        enabled: '{{ apache__security_module_enabled|bool }}'
+
-      'status':
-        enabled: '{{ apache__status_enabled|bool }}'
-        config: |
-          <Location /server-status>
-              # Revoke default permissions granted in `/etc/apache2/mods-available/status.conf`.
-              Require all denied
-          </Location>
-      'socache_shmcb':
-        enabled: '{{ True
-                     if (apache__ocsp_stapling_enabled|bool
-                         and "shmcb" in apache__ocsp_stapling_cache)
-                     else omit }}'
-      'authz_host':
-        enabled: '{{ True
-                     if (apache__status_enabled|bool
-                         and apache__status_allow_localhost)
-                     else omit }}'
       'rewrite':
-        enabled: '{{ True
+        enabled: True
-                     if (apache__register_mod_rewrite_used is defined and
+
-                         apache__register_mod_rewrite_used.rc|d(1) == 0)
-                     else omit }}'
     apache__allow:
       - 0.0.0.0
-#    apache__default_vhost:
+
-#      name: '{{ apache__default_vhost_name }}'
+    apache__default_vhost:
-#      filename: '000-default'
+      name: '{{ apache__default_vhost_name }}'
-#      root: '/var/www/html'
+      filename: '000-default'
+      root: '/var/www/html'
+      root_directives: |-
+        RewriteEngine On
+        RewriteBase /
+        {% if www_domain_is_primary %}
+        RewriteCond %{HTTP_HOST} ^([^www].*)$
+        RewriteRule ^(.*)$ https://www.%1/$1 [L,R=301]
+        {% else %}
+        RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
+        RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
+        {% endif %}
+        RewriteRule "(^|/)\.(?!well-known\/)" - [F]
+        RewriteRule "\.(sh|example)$" - [F]
+
     apache__vhost_allow_override: 'All'
 
   pre_tasks:

playbooks/debops/nginx.yml

@@ -10,10 +10,10 @@
                    | combine(inventory__group_environment | d({}))
                    | combine(inventory__host_environment  | d({})) }}'
 
-
   vars_files:
-    - ./../../vars/nginx.yml
+    - ./../../vars/site.yml
     - ./../../vars/php.yml
+    - ./../../vars/nginx.yml
 
   vars:
     nginx_acme: False

playbooks/own/apt-update.yml

@@ -0,0 +1,6 @@
+---
+- name: Update system packages
+  hosts: [ 'debian10' ]
+  tasks:
+    - name: apt update
+      shell: apt update && apt upgrade -y

playbooks/own/phpmyadmin-apache-auth.yml

@@ -0,0 +1,26 @@
+---
+
+- name: Create phpmyadmin apache auth passwords file
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  tasks:
+    - name: Import DebOps secret role
+      ansible.builtin.import_role:
+        name: 'secret'
+
+    - shell: |-
+        cd /etc/apache2
+        mkdir -p passwords.d
+
+    - name: 'Adding pma apache auth passwords files'
+      shell: |-
+        echo "{{ site_name }}:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/apache2/passwords.d/pma.passwords
+
+    - name: 'Change require all granted rule, because debops not present appropriate functional'
+      shell: |-
+        sed -i "s|Require all granted|Require valid-user|g" /etc/apache2/sites-available/pma.conf
+
+    - name: 'Restarting apache'
+      shell: |-
+        systemctl restart apache2

playbooks/own/phpmyadmin.yml

@@ -9,10 +9,8 @@
 
   vars:
     - phpmyadmin_version: 5.2.1
-    - blowfish_secret: lookup('community.general.random_string', length=12)
+    - blowfish_secret: "{{ lookup('community.general.random_string', length=32) }}"
 
-  # Create phpmyadmin config for apache2
-  # TODO: Set blowfish_secret and make access rights for ./tmp directory
   tasks:
     - name: 'Download phpMyAdmin {{ phpmyadmin_version }} into var/www dir and uncompress'
       become: true
@@ -27,4 +25,4 @@
         cd phpmyadmin
         cp config.sample.inc.php config.inc.php
         sed -i "s|'blowfish_secret'] = ''|'blowfish_secret'] = '{{ blowfish_secret }}'|g" config.inc.php
-        mkdir tmp && sudo chown :33 && chmod g+w tmp
+        mkdir tmp && sudo chown :33 tmp && chmod g+w tmp

playbooks/own/wp-cli.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Install WP-CLI
+
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+
+  hosts: [ 'debian10' ]
+
+  tasks:
+    - name: Download and install wp-cli
+      shell: |-
+        curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+        chmod +x wp-cli.phar
+        mv wp-cli.phar /usr/local/bin/wp

run-playbook.sh

@@ -11,7 +11,7 @@ while [[ "$#" -gt 0 ]]; do
 done
 
 usage() {
-    echo "Usage: run-vps-playbook.sh server playbook"
+    echo "Usage: run-vps-playbook.sh server playbook [user]"
     echo "server - domain or ip address of the vps server"
     echo "playbook - playbook file"
     echo "[user] - if choose the use it, otherwise used root"

run-site-playbook.sh

@@ -31,6 +31,12 @@ if [[ -z "$PLAYBOOK" ]]; then
   exit 1
 fi
 
+if [[ ! -f "$PLAYBOOK" ]]; then
+  echo "Playbook file is not exists: $PLAYBOOK"
+  usage
+  exit 1
+fi
+
 if [[ -z "$SITE_NAME" ]]; then
   echo "You must defined SITE_NAME as third argument"
   usage
@@ -43,12 +49,6 @@ if [[ -z "$DOMAIN_NAME" ]]; then
   exit 1
 fi
 
-if [[ ! -f "$PLAYBOOK" ]]; then
-  echo "Playbook file is not exists: $PLAYBOOK"
-  usage
-  exit 1
-fi
-
 COMMAND=$(cat <<EOF
 ansible-playbook -e "lxc_host=${SERVER}" -e "initial_site_name=${SITE_NAME}" -e "domain_name=${DOMAIN_NAME}" -e runner=site
 EOF

vars/apache-example.yml

@@ -0,0 +1,8 @@
+apache__dependent_vhosts:
+  - name: 'pma.{{ apache__default_vhost_name[0] }}'
+    filename: 'pma'
+    root: '/var/www/phpmyadmin'
+    root_directives: |-
+      AuthType Basic
+      AuthName "Authorization"
+      AuthUserFile passwords.d/pma.passwords

vars/nginx-example.yml

@@ -1,2 +1,2 @@
-nginx_www_domain: True
+nginx_www_domain: {{ has_www_domain }}
-nginx_www_redirect: www
+nginx_www_redirect: {{ www_domain_is_primary | ternary('www', 'non-www') }}

vars/site-example.yml

@@ -0,0 +1,2 @@
+has_www_domain: True
+www_domain_is_primary: False