+ nginx, php-fpm and octobercms playbooks

* separate wp-apache and nginx php-fpm playbooks
2 years ago · 7d745761f2
21 changed files with 477 additions and 16 deletions
--- a/apache-site.yml
+++ b/apache-site.yml
@ -0,0 +1,10 @@
 ---
 - import_playbook: debops/pki.yml
 - import_playbook: debops/mariadb_server.yml
 - import_playbook: debops/mariadb-custom-db.yml
 - import_playbook: debops/php-wp.yml
 - import_playbook: debops/apache.yml
 # Import all other group playbooks in this file...
 ...
--- a/debops/_phpmyadmin.yml
+++ b/debops/_phpmyadmin.yml
--- a/debops/apache.yml
+++ b/debops/apache.yml
@ -60,10 +60,5 @@
  roles:
 #    - role: ferm
 #      tags: [ 'role::ferm', 'skip::ferm' ]
 #      ferm__dependent_rules:
 #        - '{{ apache__ferm__dependent_rules }}'
    - role: apache
      tags: [ 'role::apache', 'skip::apache' ]
--- a/debops/files/nginx/includes.d/octobercms.conf
+++ b/debops/files/nginx/includes.d/octobercms.conf
@ -0,0 +1,49 @@
 location ~ ^/combine.*\.(css|js) {
    rewrite ^/.*$ /index.php last;
    expires max;
 }
 # Whitelist
 ## Let October handle if static file not exists
 location ~ ^/favicon\.ico { try_files $uri /index.php; }
 location ~ ^/sitemap\.xml { try_files $uri /index.php; }
 location ~ ^/robots\.txt { try_files $uri /index.php; }
 location ~ ^/humans\.txt { try_files $uri /index.php; }
 ## Google & Yandex website promts
 location ~ ^/(google|yandex).*\.html { try_files $uri /index.php; }
 location ~ ^/.*\.xml { try_files $uri /index.php; }
 ## Let nginx return 404 if static file not exists
 location ~ ^/storage/app/uploads/public { access_log off; try_files $uri /404; }
 location ~ ^/storage/app/media { access_log off; try_files $uri /404; }
 location ~ ^/storage/app/yml { try_files $uri /404; }
 location ~ ^/files { access_log off; try_files $uri /404; }
 location ~ ^/storage/app/.*\.xls { try_files $uri /404; }
 location ~ ^/storage/temp/public { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/modules/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/plugins/.*/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
 location ~ ^/themes/.*/assets { access_log off; try_files $uri /404; }
 location ~ ^/themes/.*/semantic { access_log off; try_files $uri /404; }
 location ~ ^/themes/.*/resources { access_log off; try_files $uri /404; }
--- a/debops/files/nginx/includes.d/staticfiles.conf
+++ b/debops/files/nginx/includes.d/staticfiles.conf
@ -0,0 +1,29 @@
 location ~* \.(jpg|jpeg|gif|png|svg|ico)$ {
    access_log off;
    expires max;
    log_not_found off;
    error_page 404 = /empty;
 }
 location = /empty {
    expires 0;
    empty_gif;
 }
 location ~* \.(eot|ttf|woff|pdf|css|js)$ {
    access_log off;
    expires max;
 }
 location ~* \.(xml|xls)$ {
    add_header Cache-Control "no-cache";
 }
 location ~ /\. {
    deny all;
 }
 location ~* \.(tpl|ini|sh) {
    deny all;
 }
--- a/debops/files/nginx/includes.d/www.conf
+++ b/debops/files/nginx/includes.d/www.conf
@ -0,0 +1,20 @@
 error_page 418 = @www;
 set $www "0";
 if ( $http_host ~* "^www\.") {
    set $www "${www}1";
 }
 if ( $http_host ~* "^m\.") {
    set $www "${www}2";
 }
 if ( $www = "0" ) {
    return 418;
 }
 location @www {
    rewrite ^ $scheme://www.$host$request_uri? permanent;
 }
--- a/debops/mariadb-custom-db.yml
+++ b/debops/mariadb-custom-db.yml
--- a/debops/mariadb.yml
+++ b/debops/mariadb.yml
@ -0,0 +1,34 @@
 ---
 - name: Manage MariaDB client
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debian10' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'
  vars:
    mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
    mariadb__upstream_version: '10.5'
  roles:
    - role: secret
    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
      keyring__dependent_apt_keys:
        - '{{ mariadb__keyring__dependent_apt_keys }}'
    - role: python
      tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
      python__dependent_packages3:
        - '{{ mariadb__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ mariadb__python__dependent_packages2 }}'
    - role: mariadb
      tags: [ 'role::mariadb', 'skip::mariadb' ]
--- a/debops/mariadb_server.yml
+++ b/debops/mariadb_server.yml
--- a/debops/nginx.yml
+++ b/debops/nginx.yml
@ -0,0 +1,86 @@
 ---
 - name: Manage nginx webserver
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debian10' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'
  vars:
    nginx_acme: False
    nginx_http_extra_options: |
      client_max_body_size 100M;
    nginx_real_ip_from: ['172.16.30.0/24']
    nginx_default_keepalive_timeout: 65
 #    nginx_webroot_create: False
    nginx_ocsp: False
    nginx_worker_processes: auto
    nginx__servers:
      - name: vam-teplee
        type: php
        root: /var/www/vam-teplee
        public_dir_name: ''
        include_files_begin:
          - includes.d/www.conf
          - includes.d/octobercms.conf
          - includes.d/staticfiles.conf
        options: set $upstream unix:/run/php7.4-fpm-www-data.sock;
        location_list:
          - pattern: '/'
            options: rewrite ^/.*$ /index.php last;
            locations:
              - pattern: '~ ^/*.-backend/'
                options: set $upstream unix:/run/php7.4-fpm-backend.sock;
          - pattern: '~* ^(?!.+\.php/)(.+\.php)$'
            options: return 403;
        php_options: |
          fastcgi_read_timeout 3000;
        php_upstream: $upstream
        #location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
        php_location_script_name: ~ ^(?<script_name>/index\.php)
        #location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
        php_location_path_info: ~ ^(?<script_name>/index\.php)(?<path_info>/.*)?
  pre_tasks:
    - name: Copy OctoberCMS nginx conf includes and www redirect
      copy:
        src: "{{item}}"
        dest: /etc/nginx/
        mode: 0644
      loop:
        - nginx/includes.d
  roles:
    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
      keyring__dependent_apt_keys:
        - '{{ nginx__keyring__dependent_apt_keys }}'
    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ nginx__apt_preferences__dependent_list }}'
    - role: python
      tags: [ 'role::python', 'skip::python' ]
      python__dependent_packages3:
        - '{{ nginx__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ nginx__python__dependent_packages2 }}'
    - role: nginx
      tags: [ 'role::nginx', 'skip::nginx' ]
--- a/debops/nodejs.yml
+++ b/debops/nodejs.yml
@ -0,0 +1,30 @@
 ---
 - name: Manage NodeJS environment
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debian10' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'
  vars:
    nodejs__node_upstream: True
    nodejs__node_upstream_release: node_18.x
  roles:
    - role: keyring
      tags: [ 'role::keyring', 'skip::keyring', 'role::nodejs' ]
      keyring__dependent_apt_keys:
        - '{{ nodejs__keyring__dependent_apt_keys }}'
    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ nodejs__apt_preferences__dependent_list }}'
    - role: nodejs
      tags: [ 'role::nodejs', 'skip::nodejs' ]
--- a/debops/php-prod.yml
+++ b/debops/php-prod.yml
@ -0,0 +1,94 @@
 ---
 - name: Install and manage PHP environment
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debian10' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'
  vars:
    php__version_preference: [ 'php7.4' ]
    php__sury: '{{ ansible_local.php.sury
                   |d(ansible_distribution_release in [ "buster" ]) | bool }}'
    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
    php__sury_apt_key_id_map:
      'Debian':
        - id: '1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743'
          repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
          state: '{{ "present" if php__sury|bool else "absent" }}'
        # Key replaced due to security concerns
        # Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
        - id: 'DF3D 585D B8F0 EB65 8690  A554 AC0E 4758 4A7A 714D'
          state: 'absent'
    php__sury_apt_repo_map:
      'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
      'Ubuntu': 'ppa:ondrej/php'
    php__base_packages:
      - unzip
      - git
    # mysql - это нужно только для WordPress
    # mbstring требует только некоторые пакеты в laravel
    # bcmath - нужно для работы парсера Excel файлов на одном из проектов
    php__packages: [ 'curl', 'xml', 'gd', 'zip', 'mbstring', 'mysql', 'bcmath' ]
    php__composer_upstream_enabled: '{{ True
                                        if (ansible_distribution_release in
                                            [ "buster" ])
                                        else False }}'
    php__php_included_packages: '{{ php__common_included_packages
                                    + [ "sysvsem", "sysvshm" ] }}'
    php__fpm_pm: static
    php__fpm_pm_max_children: 26
    php__pools:
      - name: backend
        user: www-data
        group: www-data
        php_admin_values:
          memory_limit: 256M
          post_max_size: 800M
          upload_max_filesize: 200M
          max_execution_time: 600
        pm: static
        pm_max_children: 3
  pre_tasks:
    - name: Apply keyring configuration for php environment
      import_role:
        name: 'keyring'
      vars:
        keyring__dependent_apt_keys:
          - '{{ php__keyring__dependent_apt_keys }}'
      tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
    - name: Prepare php environment
      import_role:
        name: 'php'
        tasks_from: 'main_env'
      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
  roles:
    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ php__apt_preferences__dependent_list }}'
    - role: cron
      tags: [ 'role::cron', 'skip::cron' ]
    - role: logrotate
      tags: [ 'role::logrotate', 'skip::logrotate' ]
      logrotate__dependent_config:
        - '{{ php__logrotate__dependent_config }}'
    - role: apt_install
    - role: php
      tags: [ 'role::php', 'skip::php' ]
--- a/debops/php-wp.yml
+++ b/debops/php-wp.yml
--- a/debops/pki.yml
+++ b/debops/pki.yml
--- a/debops/redis.yml
+++ b/debops/redis.yml
@ -0,0 +1,91 @@
 ---
 - name: Manage Redis server
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debian10' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'
  vars:
    redis_server__auth_password:
    redis_server__configuration:
      - name: 'main'
        options:
 #          - name: 'save'
 #            value: ''
 #            dynamic: True
          - name: 'protected-mode'
            value: 'no'
            dynamic: False
          - name: 'stop-writes-on-bgsave-error'
            value: 'no'
            dynamic: False
          - name: 'save'
            value:
              - name: '900 1'
                state: absent
              - name: '300 10'
                state: absent
              - name: '60 10000'
                state: absent
            dynamic: False
  pre_tasks:
    - name: Prepare sysfs environment
      import_role:
        name: 'sysfs'
        tasks_from: 'main_env'
      tags: [ 'role::sysfs', 'role::secret' ]
    - name: Prepare redis_server environment
      import_role:
        name: 'redis_server'
        tasks_from: 'main_env'
      tags: [ 'role::redis_server', 'role::ferm' ]
  roles:
    - role: secret
      tags: [ 'role::secret', 'role::sysfs' ]
      secret__directories:
        - '{{ sysfs__secret__directories | d([]) }}'
    - role: apt_preferences
      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
      apt_preferences__dependent_list:
        - '{{ redis_server__apt_preferences__dependent_list }}'
    - role: etc_services
      tags: [ 'role::etc_services', 'skip::etc_services' ]
      etc_services__dependent_list:
        - '{{ redis_server__etc_services__dependent_list }}'
    - role: sysctl
      tags: [ 'role::sysctl', 'skip::sysctl' ]
      sysctl__dependent_parameters:
        - '{{ redis_server__sysctl__dependent_parameters }}'
    - role: sysfs
      tags: [ 'role::sysfs', 'skip::sysfs' ]
      sysfs__dependent_attributes:
        - '{{ redis_server__sysfs__dependent_attributes }}'
    - role: python
      tags: [ 'role::python', 'skip::python', 'role::redis_server' ]
      python__dependent_packages3:
        - '{{ redis_server__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ redis_server__python__dependent_packages2 }}'
    - role: redis_server
      tags: [ 'role::redis_server', 'skip::redis_server' ]
--- a/debops/tzdata.yml
+++ b/debops/tzdata.yml
@ -0,0 +1,19 @@
 ---
 - name: Manage time zone configuration
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debian10' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'
  vars:
    tzdata__timezone: Europe/Moscow
  roles:
    - role: tzdata
      tags: [ 'role::tzdata', 'skip::tzdata' ]
--- a/manala/manala.nginx.yml
+++ b/manala/manala.nginx.yml
--- a/manala/manala.php.yml
+++ b/manala/manala.php.yml
--- a/nginx-site.yml
+++ b/nginx-site.yml
@ -0,0 +1,12 @@
 ---
 - import_playbook: debops/tzdata.yml
 #- import_playbook: debops/pki.yml
 #- import_playbook: debops/mariadb.yml
 #- import_playbook: debops/php-prod.yml
 #- import_playbook: debops/nginx.yml
 #- import_playbook: debops/nodejs.yml
 #- import_playbook: debops/redis.yml
 # Import all other group playbooks in this file...
 ...
--- a/requirements.yml
+++ b/requirements.yml
@ -3,4 +3,6 @@
 collections:
  - name: nginxinc.nginx_core
    version: 0.8.0
  - name: debops.debops
  - name: https://github.com/debops/debops.git
    type: git
    version: d554096b5cb02f4c37f68d80d9103105dd5de34b
--- a/site.yml
+++ b/site.yml
@ -1,10 +0,0 @@
 ---
 - import_playbook: pki.yml
 - import_playbook: mariadb_server.yml
 - import_playbook: mariadb.yml
 - import_playbook: php.yml
 - import_playbook: apache.yml
 # Import all other group playbooks in this file...
 ...