* use appropriate php version both for php and apache installations

+ pma for apache with auth and hand made change granted permissions + wp-cli + www-domain alias for apache and revers redirect for that
8 months ago · 6186ab94e0
12 changed files with 109 additions and 52 deletions
--- a/playbooks/apache-site.yml
+++ b/playbooks/apache-site.yml
@ -1,4 +1,5 @@
 ---
+- import_playbook: own/apt-update.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml
@ -6,11 +7,12 @@
 - import_playbook: debops/mariadb-custom-db.yml
 - import_playbook: debops/php-wp.yml
 - import_playbook: debops/apache.yml
- import_playbook: debops/redis.yml
+#- import_playbook: debops/redis.yml
 - import_playbook: own/var-www-set-ownerships.yml
 - import_playbook: own/phpmyadmin.yml
- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
- import_playbook: own/correct-paths-for-pct-enter.yml
+- import_playbook: own/phpmyadmin-apache-auth.yml
+#- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
+#- import_playbook: own/correct-paths-for-pct-enter.yml

 # Import all other group playbooks in this file...

--- a/playbooks/debops/apache.yml
+++ b/playbooks/debops/apache.yml
@ -10,45 +10,45 @@
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

+  vars_files:
+    - ./../../vars/site.yml
+    - ./../../vars/php.yml
+    - ./../../vars/apache.yml
+
  vars:
    apache__base_packages:
-      - libapache2-mod-php8.1
-    apache__role_modules:
-      'headers': True
-      'alias': True
-      'php7.4': True
-      'ssl':
-        enabled: '{{ True if (apache__https_listen and apache__https_enabled) else False }}'
-      'security2':
-        enabled: '{{ apache__security_module_enabled|bool }}'
-      'status':
-        enabled: '{{ apache__status_enabled|bool }}'
-        config: |
-          <Location /server-status>
-              # Revoke default permissions granted in `/etc/apache2/mods-available/status.conf`.
-              Require all denied
-          </Location>
-      'socache_shmcb':
-        enabled: '{{ True
-                     if (apache__ocsp_stapling_enabled|bool
-                         and "shmcb" in apache__ocsp_stapling_cache)
-                     else omit }}'
-      'authz_host':
-        enabled: '{{ True
-                     if (apache__status_enabled|bool
-                         and apache__status_allow_localhost)
-                     else omit }}'
+      - 'libapache2-mod-php{{ php_version }}'
+
+    apache__default_vhost_name:
+      - '{{ domain_name }}'
+      - "{{ (has_www_domain and not www_domain_is_primary) | ternary('www.{{ domain_name }}', omit) }}"
+
+    apache__modules:
+      'php{{ php_version }}': True
+
      'rewrite':
-        enabled: '{{ True
-                     if (apache__register_mod_rewrite_used is defined and
-                         apache__register_mod_rewrite_used.rc|d(1) == 0)
-                     else omit }}'
+        enabled: True
+
    apache__allow:
      - 0.0.0.0
-#    apache__default_vhost:
-#      name: '{{ apache__default_vhost_name }}'
-#      filename: '000-default'
-#      root: '/var/www/html'
+
+    apache__default_vhost:
+      name: '{{ apache__default_vhost_name }}'
+      filename: '000-default'
+      root: '/var/www/html'
+      root_directives: |-
+        RewriteEngine On
+        RewriteBase /
+        {% if www_domain_is_primary %}
+        RewriteCond %{HTTP_HOST} ^([^www].*)$
+        RewriteRule ^(.*)$ https://www.%1/$1 [L,R=301]
+        {% else %}
+        RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
+        RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
+        {% endif %}
+        RewriteRule "(^|/)\.(?!well-known\/)" - [F]
+        RewriteRule "\.(sh|example)$" - [F]
+
    apache__vhost_allow_override: 'All'

  pre_tasks:
--- a/playbooks/debops/nginx.yml
+++ b/playbooks/debops/nginx.yml
@ -10,10 +10,10 @@
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

-
  vars_files:
-    - ./../../vars/nginx.yml
+    - ./../../vars/site.yml
    - ./../../vars/php.yml
+    - ./../../vars/nginx.yml

  vars:
    nginx_acme: False
--- a/playbooks/own/apt-update.yml
+++ b/playbooks/own/apt-update.yml
@ -0,0 +1,6 @@
+---
+- name: Update system packages
+  hosts: [ 'debian10' ]
+  tasks:
+    - name: apt update
+      shell: apt update && apt upgrade -y
--- a/playbooks/own/phpmyadmin-apache-auth.yml
+++ b/playbooks/own/phpmyadmin-apache-auth.yml
@ -0,0 +1,26 @@
+---
+
+- name: Create phpmyadmin apache auth passwords file
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  tasks:
+    - name: Import DebOps secret role
+      ansible.builtin.import_role:
+        name: 'secret'
+
+    - shell: |-
+        cd /etc/apache2
+        mkdir -p passwords.d
+
+    - name: 'Adding pma apache auth passwords files'
+      shell: |-
+        echo "{{ site_name }}:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/apache2/passwords.d/pma.passwords
+
+    - name: 'Change require all granted rule, because debops not present appropriate functional'
+      shell: |-
+        sed -i "s|Require all granted|Require valid-user|g" /etc/apache2/sites-available/pma.conf
+
+    - name: 'Restarting apache'
+      shell: |-
+        systemctl restart apache2
--- a/playbooks/own/phpmyadmin.yml
+++ b/playbooks/own/phpmyadmin.yml
@ -9,10 +9,8 @@

  vars:
    - phpmyadmin_version: 5.2.1
-    - blowfish_secret: lookup('community.general.random_string', length=12)
+    - blowfish_secret: "{{ lookup('community.general.random_string', length=32) }}"

-  # Create phpmyadmin config for apache2
-  # TODO: Set blowfish_secret and make access rights for ./tmp directory
  tasks:
    - name: 'Download phpMyAdmin {{ phpmyadmin_version }} into var/www dir and uncompress'
      become: true
@ -27,4 +25,4 @@
        cd phpmyadmin
        cp config.sample.inc.php config.inc.php
        sed -i "s|'blowfish_secret'] = ''|'blowfish_secret'] = '{{ blowfish_secret }}'|g" config.inc.php
-        mkdir tmp && sudo chown :33 && chmod g+w tmp
+        mkdir tmp && sudo chown :33 tmp && chmod g+w tmp
--- a/playbooks/own/wp-cli.yml
+++ b/playbooks/own/wp-cli.yml
@ -0,0 +1,15 @@
+---
+
+- name: Install WP-CLI
+
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+
+  hosts: [ 'debian10' ]
+
+  tasks:
+    - name: Download and install wp-cli
+      shell: |-
+        curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+        chmod +x wp-cli.phar
+        mv wp-cli.phar /usr/local/bin/wp
--- a/run-playbook.sh
+++ b/run-playbook.sh
@ -11,7 +11,7 @@ while [[ "$#" -gt 0 ]]; do
 done

 usage() {
-    echo "Usage: run-vps-playbook.sh server playbook"
+    echo "Usage: run-vps-playbook.sh server playbook [user]"
    echo "server - domain or ip address of the vps server"
    echo "playbook - playbook file"
    echo "[user] - if choose the use it, otherwise used root"
--- a/run-site-playbook.sh
+++ b/run-site-playbook.sh
@ -31,20 +31,20 @@ if [[ -z "$PLAYBOOK" ]]; then
  exit 1
 fi

-if [[ -z "$SITE_NAME" ]]; then
-  echo "You must defined SITE_NAME as third argument"
+if [[ ! -f "$PLAYBOOK" ]]; then
+  echo "Playbook file is not exists: $PLAYBOOK"
  usage
  exit 1
 fi

-if [[ -z "$DOMAIN_NAME" ]]; then
-  echo "You must defined DOMAIN_NAME as fourth argument"
+if [[ -z "$SITE_NAME" ]]; then
+  echo "You must defined SITE_NAME as third argument"
  usage
  exit 1
 fi

-if [[ ! -f "$PLAYBOOK" ]]; then
-  echo "Playbook file is not exists: $PLAYBOOK"
+if [[ -z "$DOMAIN_NAME" ]]; then
+  echo "You must defined DOMAIN_NAME as fourth argument"
  usage
  exit 1
 fi
--- a/vars/apache-example.yml
+++ b/vars/apache-example.yml
@ -0,0 +1,8 @@
+apache__dependent_vhosts:
+  - name: 'pma.{{ apache__default_vhost_name[0] }}'
+    filename: 'pma'
+    root: '/var/www/phpmyadmin'
+    root_directives: |-
+      AuthType Basic
+      AuthName "Authorization"
+      AuthUserFile passwords.d/pma.passwords
--- a/vars/nginx-example.yml
+++ b/vars/nginx-example.yml
@ -1,2 +1,2 @@
-nginx_www_domain: True
-nginx_www_redirect: www
+nginx_www_domain: {{ has_www_domain }}
+nginx_www_redirect: {{ www_domain_is_primary | ternary('www', 'non-www') }}
--- a/vars/site-example.yml
+++ b/vars/site-example.yml
@ -0,0 +1,2 @@
+has_www_domain: True
+www_domain_is_primary: False