diff --git a/apache-site.yml b/apache-site.yml new file mode 100644 index 0000000..49be9e8 --- /dev/null +++ b/apache-site.yml @@ -0,0 +1,10 @@ +--- +- import_playbook: debops/pki.yml +- import_playbook: debops/mariadb_server.yml +- import_playbook: debops/mariadb-custom-db.yml +- import_playbook: debops/php-wp.yml +- import_playbook: debops/apache.yml + +# Import all other group playbooks in this file... + +... diff --git a/phpmyadmin.yml b/debops/_phpmyadmin.yml similarity index 100% rename from phpmyadmin.yml rename to debops/_phpmyadmin.yml diff --git a/apache.yml b/debops/apache.yml similarity index 93% rename from apache.yml rename to debops/apache.yml index fa1dc54..2c0d82b 100644 --- a/apache.yml +++ b/debops/apache.yml @@ -60,10 +60,5 @@ roles: -# - role: ferm -# tags: [ 'role::ferm', 'skip::ferm' ] -# ferm__dependent_rules: -# - '{{ apache__ferm__dependent_rules }}' - - role: apache tags: [ 'role::apache', 'skip::apache' ] diff --git a/debops/files/nginx/includes.d/octobercms.conf b/debops/files/nginx/includes.d/octobercms.conf new file mode 100644 index 0000000..4094972 --- /dev/null +++ b/debops/files/nginx/includes.d/octobercms.conf 
@@ -0,0 +1,49 @@ +location ~ ^/combine.*\.(css|js) { + rewrite ^/.*$ /index.php last; + expires max; +} + +# Whitelist +## Let October handle if static file not exists +location ~ ^/favicon\.ico { try_files $uri /index.php; } +location ~ ^/sitemap\.xml { try_files $uri /index.php; } +location ~ ^/robots\.txt { try_files $uri /index.php; } +location ~ ^/humans\.txt { try_files $uri /index.php; } + +## Google & Yandex website promts +location ~ ^/(google|yandex).*\.html { try_files $uri /index.php; } +location ~ ^/.*\.xml { try_files $uri /index.php; } + +## Let nginx return 404 if static file not exists +location ~ ^/storage/app/uploads/public { access_log off; try_files $uri /404; } +location ~ ^/storage/app/media { access_log off; try_files $uri /404; } +location ~ ^/storage/app/yml { try_files $uri /404; } +location ~ ^/files { access_log off; try_files $uri /404; } +location ~ ^/storage/app/.*\.xls { try_files $uri /404; } +location ~ ^/storage/temp/public { access_log off; try_files $uri /404; } + +location ~ ^/modules/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/resources { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/behaviors/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/behaviors/.*/resources { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/widgets/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/widgets/.*/resources { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/modules/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; } + +location ~ ^/plugins/.*/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/resources { 
access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/behaviors/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/behaviors/.*/resources { access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/widgets/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/plugins/.*/.*/widgets/.*/resources { access_log off; try_files $uri /404; } + +location ~ ^/themes/.*/assets { access_log off; try_files $uri /404; } +location ~ ^/themes/.*/semantic { access_log off; try_files $uri /404; } +location ~ ^/themes/.*/resources { access_log off; try_files $uri /404; } diff --git a/debops/files/nginx/includes.d/staticfiles.conf b/debops/files/nginx/includes.d/staticfiles.conf new file mode 100644 index 0000000..661b051 --- /dev/null +++ b/debops/files/nginx/includes.d/staticfiles.conf @@ -0,0 +1,29 @@ +location ~* \.(jpg|jpeg|gif|png|svg|ico)$ { + access_log off; + expires max; + log_not_found off; + error_page 404 = /empty; +} + +location = /empty { + expires 0; + empty_gif; +} + +location ~* \.(eot|ttf|woff|pdf|css|js)$ { + access_log off; + expires max; +} + +location ~* \.(xml|xls)$ { + add_header Cache-Control "no-cache"; +} + +location ~ /\. { + deny all; +} + +location ~* \.(tpl|ini|sh) { + deny all; +} + diff --git a/debops/files/nginx/includes.d/www.conf b/debops/files/nginx/includes.d/www.conf new file mode 100644 index 0000000..e1df507 --- /dev/null +++ b/debops/files/nginx/includes.d/www.conf 
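Review bot: `try_files $uri /404;` in the `^/storage/...`, `^/files`, `^/modules/...`, `^/plugins/...` and `^/themes/...` blocks does not produce a 404 status: the last argument of try_files is a fallback URI, so a missing file causes an internal redirect to `/404`, which no location in this include handles and which will most likely fall through to the site's `location /` rewrite into `/index.php`. That contradicts the `## Let nginx return 404 if static file not exists` heading above them and means every request for a non-existent asset is still handed to PHP. Use the status form `try_files $uri =404;` in those blocks. Regex locations are also matched in file order, so `location ~ ^/.*\.xml { try_files $uri /index.php; }` placed above them captures `.xml` paths under `/storage/...` before the 404 rules are reached; narrow it or move it below.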
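Review bot: The two `deny all` blocks sit at the end of the file, after the caching regex locations, and nginx uses the first regex location that matches in file order, so a dotfile path carrying one of the cached extensions (for example `/.git/app.js` or `/.hidden/logo.png`) is served by the `\.(eot|ttf|woff|pdf|css|js)$` or image block instead of being denied. Move `location ~ /\. { deny all; }` and the `(tpl|ini|sh)` block to the top of the include; because `include_files_begin` in nginx.yml loads octobercms.conf before this file, its `^/.*\.xml` rule would still win for `/.something/x.xml`, so the deny rules are probably best placed in a separate include that is ordered first. The `\.(tpl|ini|sh)` pattern is additionally unanchored and denies any path that merely contains `.sh` or `.ini` (e.g. `/blog/the.shortlist`), and once moved to the top it would also block `style.shared.css`; anchor it as `location ~* \.(tpl|ini|sh)$ { deny all; }`.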
@@ -0,0 +1,20 @@ +error_page 418 = @www; + +set $www "0"; + +if ( $http_host ~* "^www\.") { + set $www "${www}1"; +} + +if ( $http_host ~* "^m\.") { + set $www "${www}2"; +} + +if ( $www = "0" ) { + return 418; +} + +location @www { + rewrite ^ $scheme://www.$host$request_uri? permanent; +} + diff --git a/mariadb.yml b/debops/mariadb-custom-db.yml similarity index 100% rename from mariadb.yml rename to debops/mariadb-custom-db.yml diff --git a/debops/mariadb.yml b/debops/mariadb.yml new file mode 100644 index 0000000..192ed3c --- /dev/null +++ b/debops/mariadb.yml @@ -0,0 +1,34 @@ +--- + +- name: Manage MariaDB client + collections: [ 'debops.debops', 'debops.roles01', + 'debops.roles02', 'debops.roles03' ] + hosts: [ 'debian10' ] + become: True + + environment: '{{ inventory__environment | d({}) + | combine(inventory__group_environment | d({})) + | combine(inventory__host_environment | d({})) }}' + + vars: + mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}' + mariadb__upstream_version: '10.5' + + roles: + + - role: secret + + - role: keyring + tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ] + keyring__dependent_apt_keys: + - '{{ mariadb__keyring__dependent_apt_keys }}' + + - role: python + tags: [ 'role::python', 'skip::python', 'role::mariadb' ] + python__dependent_packages3: + - '{{ mariadb__python__dependent_packages3 }}' + python__dependent_packages2: + - '{{ mariadb__python__dependent_packages2 }}' + + - role: mariadb + tags: [ 'role::mariadb', 'skip::mariadb' ] diff --git a/mariadb_server.yml b/debops/mariadb_server.yml similarity index 100% rename from mariadb_server.yml rename to debops/mariadb_server.yml diff --git a/debops/nginx.yml b/debops/nginx.yml new file mode 100644 index 0000000..3271d5d --- /dev/null +++ b/debops/nginx.yml 
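Review bot: The redirect target `$scheme://www.$host$request_uri?` in `location @www` is built from the request's Host header, so if this server block is reached for a Host it does not own (as it would be if it is the default server, which the hunk does not show), the 301 reflects a client-chosen hostname with `www.` prefixed — the host-header-injection pattern. Prefer the configured name, `rewrite ^ $scheme://www.$server_name$request_uri? permanent;`, or restrict the `if` to the expected domain. The 418/`set $www` construction can also be collapsed into a single `if`, since `return` is one of the directives that is safe inside it: `if ($http_host !~* "^(www|m)\.") { return 301 $scheme://www.$server_name$request_uri; }` (`$request_uri` already carries the query string, so no trailing `?` is needed).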
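Review bot: `hosts: [ 'debian10' ]` pins the play to a single literal inventory hostname, and the same literal is repeated in nginx.yml, nodejs.yml, php-prod.yml, redis.yml and tzdata.yml in this commit, so adding a second server or renaming the host means editing six playbooks. An inventory group (DebOps playbooks conventionally use `hosts: [ 'debops_all_hosts', 'debops_service_mariadb' ]`) keeps host selection in the inventory where it belongs. The `mariadb__flavor` expression under `vars:` appears to restate the role's own default; if it is not intentionally different, dropping it avoids silently diverging from the role when that default changes.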
@@ -0,0 +1,86 @@ +--- + +- name: Manage nginx webserver + collections: [ 'debops.debops', 'debops.roles01', + 'debops.roles02', 'debops.roles03' ] + hosts: [ 'debian10' ] + become: True + + environment: '{{ inventory__environment | d({}) + | combine(inventory__group_environment | d({})) + | combine(inventory__host_environment | d({})) }}' + + vars: + nginx_acme: False + nginx_http_extra_options: | + client_max_body_size 100M; + nginx_real_ip_from: ['172.16.30.0/24'] + nginx_default_keepalive_timeout: 65 +# nginx_webroot_create: False + nginx_ocsp: False + nginx_worker_processes: auto + nginx__servers: + - name: vam-teplee + + type: php + + root: /var/www/vam-teplee + + public_dir_name: '' + + include_files_begin: + - includes.d/www.conf + - includes.d/octobercms.conf + - includes.d/staticfiles.conf + + options: set $upstream unix:/run/php7.4-fpm-www-data.sock; + + location_list: + - pattern: '/' + options: rewrite ^/.*$ /index.php last; + locations: + - pattern: '~ ^/*.-backend/' + options: set $upstream unix:/run/php7.4-fpm-backend.sock; + - pattern: '~* ^(?!.+\.php/)(.+\.php)$' + options: return 403; + + php_options: | + fastcgi_read_timeout 3000; + php_upstream: $upstream + + #location ~ ^(?!.+\.php/)(?.+\.php)$ { + php_location_script_name: ~ ^(?/index\.php) + + #location ~ ^(?.+?\.php)(?/.*)?$ { + php_location_path_info: ~ ^(?/index\.php)(?/.*)? 
+ + pre_tasks: + - name: Copy OctoberCMS nginx conf includes and www redirect + copy: + src: "{{item}}" + dest: /etc/nginx/ + mode: 0644 + loop: + - nginx/includes.d + + roles: + + - role: keyring + tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ] + keyring__dependent_apt_keys: + - '{{ nginx__keyring__dependent_apt_keys }}' + + - role: apt_preferences + tags: [ 'role::apt_preferences', 'skip::apt_preferences' ] + apt_preferences__dependent_list: + - '{{ nginx__apt_preferences__dependent_list }}' + + - role: python + tags: [ 'role::python', 'skip::python' ] + python__dependent_packages3: + - '{{ nginx__python__dependent_packages3 }}' + python__dependent_packages2: + - '{{ nginx__python__dependent_packages2 }}' + + - role: nginx + tags: [ 'role::nginx', 'skip::nginx' ] diff --git a/debops/nodejs.yml b/debops/nodejs.yml new file mode 100644 index 0000000..6ea7115 --- /dev/null +++ b/debops/nodejs.yml @@ -0,0 +1,30 @@ +--- + +- name: Manage NodeJS environment + collections: [ 'debops.debops', 'debops.roles01', + 'debops.roles02', 'debops.roles03' ] + hosts: [ 'debian10' ] + become: True + + environment: '{{ inventory__environment | d({}) + | combine(inventory__group_environment | d({})) + | combine(inventory__host_environment | d({})) }}' + + vars: + nodejs__node_upstream: True + nodejs__node_upstream_release: node_18.x + + roles: + + - role: keyring + tags: [ 'role::keyring', 'skip::keyring', 'role::nodejs' ] + keyring__dependent_apt_keys: + - '{{ nodejs__keyring__dependent_apt_keys }}' + + - role: apt_preferences + tags: [ 'role::apt_preferences', 'skip::apt_preferences' ] + apt_preferences__dependent_list: + - '{{ nodejs__apt_preferences__dependent_list }}' + + - role: nodejs + tags: [ 'role::nodejs', 'skip::nodejs' ] diff --git a/debops/php-prod.yml b/debops/php-prod.yml new file mode 100644 index 0000000..5ee20f8 --- /dev/null +++ b/debops/php-prod.yml 
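Review bot: `mode: 0644` in the `Copy OctoberCMS nginx conf includes and www redirect` pre_task is an unquoted leading-zero number, which YAML 1.1 loaders read as the integer 420 (ansible-lint's risky-octal); write it as `mode: '0644'`. The nested location `pattern: '~ ^/*.-backend/'` also looks like a typo for `^/.*-backend/`: as written, `/*` matches zero or more slashes followed by one arbitrary character, so `/foo-backend/` does not match while `/x-backend/` does — confirm against the real backend URL. `php_location_script_name: ~ ^(?/index\.php)` and `php_location_path_info: ~ ^(?/index\.php)(?/.*)?` contain `(?/`, which PCRE rejects; if the rendering of this page dropped `<script_name>`/`<path_info>` group names that is fine, otherwise `nginx -t` will fail on the generated server block.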
@@ -0,0 +1,94 @@ +--- + +- name: Install and manage PHP environment + collections: [ 'debops.debops', 'debops.roles01', + 'debops.roles02', 'debops.roles03' ] + hosts: [ 'debian10' ] + become: True + + environment: '{{ inventory__environment | d({}) + | combine(inventory__group_environment | d({})) + | combine(inventory__host_environment | d({})) }}' + + vars: + php__version_preference: [ 'php7.4' ] + php__sury: '{{ ansible_local.php.sury + |d(ansible_distribution_release in [ "buster" ]) | bool }}' + php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}' + php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}' + php__sury_apt_key_id_map: + 'Debian': + - id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743' + repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main' + state: '{{ "present" if php__sury|bool else "absent" }}' + + # Key replaced due to security concerns + # Ref: https://www.patreon.com/posts/dpa-new-signing-25451165 + - id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D' + state: 'absent' + php__sury_apt_repo_map: + 'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main' + 'Ubuntu': 'ppa:ondrej/php' + php__base_packages: + - unzip + - git + # mysql - это нужно только для WordPress + # mbstring требует только некоторые пакеты в laravel + # bcmath - нужно для работы парсера Excel файлов на одном из проектов + php__packages: [ 'curl', 'xml', 'gd', 'zip', 'mbstring', 'mysql', 'bcmath' ] + php__composer_upstream_enabled: '{{ True + if (ansible_distribution_release in + [ "buster" ]) + else False }}' + php__php_included_packages: '{{ php__common_included_packages + + [ "sysvsem", "sysvshm" ] }}' + + php__fpm_pm: static + php__fpm_pm_max_children: 26 + php__pools: + - name: backend + user: www-data + group: www-data + php_admin_values: + memory_limit: 256M + post_max_size: 800M + upload_max_filesize: 200M + max_execution_time: 600 + pm: static + 
pm_max_children: 3 + + pre_tasks: + + - name: Apply keyring configuration for php environment + import_role: + name: 'keyring' + vars: + keyring__dependent_apt_keys: + - '{{ php__keyring__dependent_apt_keys }}' + tags: [ 'role::keyring', 'skip::keyring', 'role::php' ] + + - name: Prepare php environment + import_role: + name: 'php' + tasks_from: 'main_env' + tags: [ 'role::php', 'role::php:env', 'role::logrotate' ] + + roles: + + - role: apt_preferences + tags: [ 'role::apt_preferences', 'skip::apt_preferences' ] + apt_preferences__dependent_list: + - '{{ php__apt_preferences__dependent_list }}' + + - role: cron + tags: [ 'role::cron', 'skip::cron' ] + + - role: logrotate + tags: [ 'role::logrotate', 'skip::logrotate' ] + logrotate__dependent_config: + - '{{ php__logrotate__dependent_config }}' + + - role: apt_install + + - role: php + tags: [ 'role::php', 'skip::php' ] diff --git a/php.yml b/debops/php-wp.yml similarity index 100% rename from php.yml rename to debops/php-wp.yml diff --git a/pki.yml b/debops/pki.yml similarity index 100% rename from pki.yml rename to debops/pki.yml diff --git a/debops/redis.yml b/debops/redis.yml new file mode 100644 index 0000000..e9cae9e --- /dev/null +++ b/debops/redis.yml 
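Review bot: The `backend` pool in `php__pools` runs as `user: www-data` / `group: www-data`, the same account as the default pool (nginx.yml points `$upstream` at both `php7.4-fpm-www-data.sock` and `php7.4-fpm-backend.sock`), so the split buys the relaxed `post_max_size`/`upload_max_filesize`/`max_execution_time` limits but no privilege boundary: code executed through either socket has identical filesystem access. If the second pool is meant to isolate the admin backend, give it its own unprivileged user and keep the socket owned by the nginx user through the pool's listen settings; if it is only about limits, a one-line comment saying so would spare the next reader the question. `php__sury_apt_key_id_map` and `php__sury_apt_repo_map` appear to be copies of the role's defaults; keeping them here means the next key rotation (the comment in the hunk notes one has already happened) must be mirrored by hand, so drop them unless a host-specific value is actually needed.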
@@ -0,0 +1,91 @@ +--- + +- name: Manage Redis server + collections: [ 'debops.debops', 'debops.roles01', + 'debops.roles02', 'debops.roles03' ] + hosts: [ 'debian10' ] + become: True + + environment: '{{ inventory__environment | d({}) + | combine(inventory__group_environment | d({})) + | combine(inventory__host_environment | d({})) }}' + + vars: + redis_server__auth_password: + redis_server__configuration: + + - name: 'main' + options: + +# - name: 'save' +# value: '' +# dynamic: True + + - name: 'protected-mode' + value: 'no' + dynamic: False + + - name: 'stop-writes-on-bgsave-error' + value: 'no' + dynamic: False + + - name: 'save' + value: + - name: '900 1' + state: absent + - name: '300 10' + state: absent + - name: '60 10000' + state: absent + dynamic: False + + pre_tasks: + + - name: Prepare sysfs environment + import_role: + name: 'sysfs' + tasks_from: 'main_env' + tags: [ 'role::sysfs', 'role::secret' ] + + - name: Prepare redis_server environment + import_role: + name: 'redis_server' + tasks_from: 'main_env' + tags: [ 'role::redis_server', 'role::ferm' ] + + roles: + + - role: secret + tags: [ 'role::secret', 'role::sysfs' ] + secret__directories: + - '{{ sysfs__secret__directories | d([]) }}' + + - role: apt_preferences + tags: [ 'role::apt_preferences', 'skip::apt_preferences' ] + apt_preferences__dependent_list: + - '{{ redis_server__apt_preferences__dependent_list }}' + + - role: etc_services + tags: [ 'role::etc_services', 'skip::etc_services' ] + etc_services__dependent_list: + - '{{ redis_server__etc_services__dependent_list }}' + + - role: sysctl + tags: [ 'role::sysctl', 'skip::sysctl' ] + sysctl__dependent_parameters: + - '{{ redis_server__sysctl__dependent_parameters }}' + + - role: sysfs + tags: [ 'role::sysfs', 'skip::sysfs' ] + sysfs__dependent_attributes: + - '{{ redis_server__sysfs__dependent_attributes }}' + + - role: python + tags: [ 'role::python', 'skip::python', 'role::redis_server' ] + python__dependent_packages3: + - '{{ 
redis_server__python__dependent_packages3 }}' + python__dependent_packages2: + - '{{ redis_server__python__dependent_packages2 }}' + + - role: redis_server + tags: [ 'role::redis_server', 'skip::redis_server' ] diff --git a/debops/tzdata.yml b/debops/tzdata.yml new file mode 100644 index 0000000..496647b --- /dev/null +++ b/debops/tzdata.yml @@ -0,0 +1,19 @@ +--- + +- name: Manage time zone configuration + collections: [ 'debops.debops', 'debops.roles01', + 'debops.roles02', 'debops.roles03' ] + hosts: [ 'debian10' ] + become: True + + environment: '{{ inventory__environment | d({}) + | combine(inventory__group_environment | d({})) + | combine(inventory__host_environment | d({})) }}' + + vars: + tzdata__timezone: Europe/Moscow + + roles: + + - role: tzdata + tags: [ 'role::tzdata', 'skip::tzdata' ] diff --git a/manala.nginx.yml b/manala/manala.nginx.yml similarity index 100% rename from manala.nginx.yml rename to manala/manala.nginx.yml diff --git a/manala.php.yml b/manala/manala.php.yml similarity index 100% rename from manala.php.yml rename to manala/manala.php.yml diff --git a/nginx-site.yml b/nginx-site.yml new file mode 100644 index 0000000..978a293 --- /dev/null +++ b/nginx-site.yml @@ -0,0 +1,12 @@ +--- +- import_playbook: debops/tzdata.yml +#- import_playbook: debops/pki.yml +#- import_playbook: debops/mariadb.yml +#- import_playbook: debops/php-prod.yml +#- import_playbook: debops/nginx.yml +#- import_playbook: debops/nodejs.yml +#- import_playbook: debops/redis.yml + +# Import all other group playbooks in this file... + +... diff --git a/requirements.yml b/requirements.yml index f1c7a5d..f28ea49 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,4 +3,6 @@ collections: - name: nginxinc.nginx_core version: 0.8.0 - - name: debops.debops + - name: https://github.com/debops/debops.git + type: git + version: d554096b5cb02f4c37f68d80d9103105dd5de34b diff --git a/site.yml b/site.yml deleted file mode 100644 index 6afbba6..0000000 
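Review bot: `redis_server__auth_password:` with no value parses as null, which discards the password the role would otherwise obtain through the `secret` role, and the `protected-mode` option is set to `'no'` in the same hunk; together the instance answers unauthenticated commands from every address it is bound to. The bind address and firewall rules are not part of this hunk, so this may be acceptable for a loopback-only listener, but the intent should be explicit: keep the role-generated password unless a client genuinely cannot send AUTH, and if the override is deliberate write it as `redis_server__auth_password: ''` with a comment naming the reason (yamllint's `empty-values` rule flags the bare form as well). Leaving `protected-mode` at its default costs nothing when a password is configured.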
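Review bot: Pinning `debops.debops` to commit `d554096b5cb02f4c37f68d80d9103105dd5de34b` is the right move for reproducibility, but the entry carries no hint of what that SHA corresponds to, so the next bump is blind; add a comment such as `# debops master as of <DATE-PLACEHOLDER>; the playbooks under debops/ rely on role variable names from this revision`. The playbooks in this commit also list `debops.roles01` to `debops.roles03` under `collections:`, and whether a single git source at the repository root yields all four collections depends on that repository's layout, which is not visible here — verify that `ansible-galaxy collection install -r requirements.yml` actually produces them.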
--- a/site.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- import_playbook: pki.yml -- import_playbook: mariadb_server.yml -- import_playbook: mariadb.yml -- import_playbook: php.yml -- import_playbook: apache.yml - -# Import all other group playbooks in this file... - -...