+ nginx, php-fpm and octobercms playbooks

* separate wp-apache and nginx php-fpm playbooks
2023-03-11 21:23:28 +03:00
parent 7fa274c876
commit 7d745761f2
21 changed files with 477 additions and 16 deletions
--- a/apache-site.yml
+++ b/apache-site.yml
@ -0,0 +1,10 @@
+---
+- import_playbook: debops/pki.yml
+- import_playbook: debops/mariadb_server.yml
+- import_playbook: debops/mariadb-custom-db.yml
+- import_playbook: debops/php-wp.yml
+- import_playbook: debops/apache.yml
+
+# Import all other group playbooks in this file...
+
+...
--- a/debops/_phpmyadmin.yml
+++ b/debops/_phpmyadmin.yml
--- a/debops/apache.yml
+++ b/debops/apache.yml
@ -60,10 +60,5 @@

  roles:

-#    - role: ferm
-#      tags: [ 'role::ferm', 'skip::ferm' ]
-#      ferm__dependent_rules:
-#        - '{{ apache__ferm__dependent_rules }}'
-
    - role: apache
      tags: [ 'role::apache', 'skip::apache' ]
--- a/debops/files/nginx/includes.d/octobercms.conf
+++ b/debops/files/nginx/includes.d/octobercms.conf
@ -0,0 +1,49 @@
+location ~ ^/combine.*\.(css|js) {
+    rewrite ^/.*$ /index.php last;
+    expires max;
+}
+
+# Whitelist
+## Let October handle if static file not exists
+location ~ ^/favicon\.ico { try_files $uri /index.php; }
+location ~ ^/sitemap\.xml { try_files $uri /index.php; }
+location ~ ^/robots\.txt { try_files $uri /index.php; }
+location ~ ^/humans\.txt { try_files $uri /index.php; }
+
+## Google & Yandex website promts
+location ~ ^/(google|yandex).*\.html { try_files $uri /index.php; }
+location ~ ^/.*\.xml { try_files $uri /index.php; }
+
+## Let nginx return 404 if static file not exists
+location ~ ^/storage/app/uploads/public { access_log off; try_files $uri /404; }
+location ~ ^/storage/app/media { access_log off; try_files $uri /404; }
+location ~ ^/storage/app/yml { try_files $uri /404; }
+location ~ ^/files { access_log off; try_files $uri /404; }
+location ~ ^/storage/app/.*\.xls { try_files $uri /404; }
+location ~ ^/storage/temp/public { access_log off; try_files $uri /404; }
+
+location ~ ^/modules/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/resources { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/modules/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
+
+location ~ ^/plugins/.*/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/resources { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/plugins/.*/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
+
+location ~ ^/themes/.*/assets { access_log off; try_files $uri /404; }
+location ~ ^/themes/.*/semantic { access_log off; try_files $uri /404; }
+location ~ ^/themes/.*/resources { access_log off; try_files $uri /404; }
--- a/debops/files/nginx/includes.d/staticfiles.conf
+++ b/debops/files/nginx/includes.d/staticfiles.conf
@ -0,0 +1,29 @@
+location ~* \.(jpg|jpeg|gif|png|svg|ico)$ {
+    access_log off;
+    expires max;
+    log_not_found off;
+    error_page 404 = /empty;
+}
+
+location = /empty {
+    expires 0;
+    empty_gif;
+}
+
+location ~* \.(eot|ttf|woff|pdf|css|js)$ {
+    access_log off;
+    expires max;
+}
+
+location ~* \.(xml|xls)$ {
+    add_header Cache-Control "no-cache";
+}
+
+location ~ /\. {
+    deny all;
+}
+
+location ~* \.(tpl|ini|sh) {
+    deny all;
+}
+
--- a/debops/files/nginx/includes.d/www.conf
+++ b/debops/files/nginx/includes.d/www.conf
@ -0,0 +1,20 @@
+error_page 418 = @www;
+
+set $www "0";
+
+if ( $http_host ~* "^www\.") {
+    set $www "${www}1";
+}
+
+if ( $http_host ~* "^m\.") {
+    set $www "${www}2";
+}
+
+if ( $www = "0" ) {
+    return 418;
+}
+
+location @www {
+    rewrite ^ $scheme://www.$host$request_uri? permanent;
+}
+
--- a/debops/mariadb-custom-db.yml
+++ b/debops/mariadb-custom-db.yml
--- a/debops/mariadb.yml
+++ b/debops/mariadb.yml
@ -0,0 +1,34 @@
+---
+
+- name: Manage MariaDB client
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+    mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
+    mariadb__upstream_version: '10.5'
+
+  roles:
+
+    - role: secret
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
+      keyring__dependent_apt_keys:
+        - '{{ mariadb__keyring__dependent_apt_keys }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
+      python__dependent_packages3:
+        - '{{ mariadb__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ mariadb__python__dependent_packages2 }}'
+
+    - role: mariadb
+      tags: [ 'role::mariadb', 'skip::mariadb' ]
--- a/debops/mariadb_server.yml
+++ b/debops/mariadb_server.yml
--- a/debops/nginx.yml
+++ b/debops/nginx.yml
@ -0,0 +1,86 @@
+---
+
+- name: Manage nginx webserver
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+    nginx_acme: False
+    nginx_http_extra_options: |
+      client_max_body_size 100M;
+    nginx_real_ip_from: ['172.16.30.0/24']
+    nginx_default_keepalive_timeout: 65
+#    nginx_webroot_create: False
+    nginx_ocsp: False
+    nginx_worker_processes: auto
+    nginx__servers:
+      - name: vam-teplee
+
+        type: php
+
+        root: /var/www/vam-teplee
+
+        public_dir_name: ''
+
+        include_files_begin:
+          - includes.d/www.conf
+          - includes.d/octobercms.conf
+          - includes.d/staticfiles.conf
+
+        options: set $upstream unix:/run/php7.4-fpm-www-data.sock;
+
+        location_list:
+          - pattern: '/'
+            options: rewrite ^/.*$ /index.php last;
+            locations:
+              - pattern: '~ ^/*.-backend/'
+                options: set $upstream unix:/run/php7.4-fpm-backend.sock;
+          - pattern: '~* ^(?!.+\.php/)(.+\.php)$'
+            options: return 403;
+
+        php_options: |
+          fastcgi_read_timeout 3000;
+        php_upstream: $upstream
+
+        #location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
+        php_location_script_name: ~ ^(?<script_name>/index\.php)
+
+        #location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
+        php_location_path_info: ~ ^(?<script_name>/index\.php)(?<path_info>/.*)?
+
+  pre_tasks:
+    - name: Copy OctoberCMS nginx conf includes and www redirect
+      copy:
+        src: "{{item}}"
+        dest: /etc/nginx/
+        mode: 0644
+      loop:
+        - nginx/includes.d
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
+      keyring__dependent_apt_keys:
+        - '{{ nginx__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nginx__apt_preferences__dependent_list }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python' ]
+      python__dependent_packages3:
+        - '{{ nginx__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ nginx__python__dependent_packages2 }}'
+
+    - role: nginx
+      tags: [ 'role::nginx', 'skip::nginx' ]
--- a/debops/nodejs.yml
+++ b/debops/nodejs.yml
@ -0,0 +1,30 @@
+---
+
+- name: Manage NodeJS environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+    nodejs__node_upstream: True
+    nodejs__node_upstream_release: node_18.x
+
+  roles:
+
+    - role: keyring
+      tags: [ 'role::keyring', 'skip::keyring', 'role::nodejs' ]
+      keyring__dependent_apt_keys:
+        - '{{ nodejs__keyring__dependent_apt_keys }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ nodejs__apt_preferences__dependent_list }}'
+
+    - role: nodejs
+      tags: [ 'role::nodejs', 'skip::nodejs' ]
--- a/debops/php-prod.yml
+++ b/debops/php-prod.yml
@ -0,0 +1,94 @@
+---
+
+- name: Install and manage PHP environment
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+    php__version_preference: [ 'php7.4' ]
+    php__sury: '{{ ansible_local.php.sury
+                   |d(ansible_distribution_release in [ "buster" ]) | bool }}'
+    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
+    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
+    php__sury_apt_key_id_map:
+      'Debian':
+        - id: '1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743'
+          repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+          state: '{{ "present" if php__sury|bool else "absent" }}'
+
+        # Key replaced due to security concerns
+        # Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
+        - id: 'DF3D 585D B8F0 EB65 8690  A554 AC0E 4758 4A7A 714D'
+          state: 'absent'
+    php__sury_apt_repo_map:
+      'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+      'Ubuntu': 'ppa:ondrej/php'
+    php__base_packages:
+      - unzip
+      - git
+    # mysql - это нужно только для WordPress
+    # mbstring требует только некоторые пакеты в laravel
+    # bcmath - нужно для работы парсера Excel файлов на одном из проектов
+    php__packages: [ 'curl', 'xml', 'gd', 'zip', 'mbstring', 'mysql', 'bcmath' ]
+    php__composer_upstream_enabled: '{{ True
+                                        if (ansible_distribution_release in
+                                            [ "buster" ])
+                                        else False }}'
+    php__php_included_packages: '{{ php__common_included_packages
+                                    + [ "sysvsem", "sysvshm" ] }}'
+
+    php__fpm_pm: static
+    php__fpm_pm_max_children: 26
+    php__pools:
+      - name: backend
+        user: www-data
+        group: www-data
+        php_admin_values:
+          memory_limit: 256M
+          post_max_size: 800M
+          upload_max_filesize: 200M
+          max_execution_time: 600
+        pm: static
+        pm_max_children: 3
+
+  pre_tasks:
+
+    - name: Apply keyring configuration for php environment
+      import_role:
+        name: 'keyring'
+      vars:
+        keyring__dependent_apt_keys:
+          - '{{ php__keyring__dependent_apt_keys }}'
+      tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
+
+    - name: Prepare php environment
+      import_role:
+        name: 'php'
+        tasks_from: 'main_env'
+      tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
+
+  roles:
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ php__apt_preferences__dependent_list }}'
+
+    - role: cron
+      tags: [ 'role::cron', 'skip::cron' ]
+
+    - role: logrotate
+      tags: [ 'role::logrotate', 'skip::logrotate' ]
+      logrotate__dependent_config:
+        - '{{ php__logrotate__dependent_config }}'
+
+    - role: apt_install
+
+    - role: php
+      tags: [ 'role::php', 'skip::php' ]
--- a/debops/php-wp.yml
+++ b/debops/php-wp.yml
--- a/debops/pki.yml
+++ b/debops/pki.yml
--- a/debops/redis.yml
+++ b/debops/redis.yml
@ -0,0 +1,91 @@
+---
+
+- name: Manage Redis server
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+    redis_server__auth_password:
+    redis_server__configuration:
+
+      - name: 'main'
+        options:
+
+#          - name: 'save'
+#            value: ''
+#            dynamic: True
+
+          - name: 'protected-mode'
+            value: 'no'
+            dynamic: False
+
+          - name: 'stop-writes-on-bgsave-error'
+            value: 'no'
+            dynamic: False
+
+          - name: 'save'
+            value:
+              - name: '900 1'
+                state: absent
+              - name: '300 10'
+                state: absent
+              - name: '60 10000'
+                state: absent
+            dynamic: False
+
+  pre_tasks:
+
+    - name: Prepare sysfs environment
+      import_role:
+        name: 'sysfs'
+        tasks_from: 'main_env'
+      tags: [ 'role::sysfs', 'role::secret' ]
+
+    - name: Prepare redis_server environment
+      import_role:
+        name: 'redis_server'
+        tasks_from: 'main_env'
+      tags: [ 'role::redis_server', 'role::ferm' ]
+
+  roles:
+
+    - role: secret
+      tags: [ 'role::secret', 'role::sysfs' ]
+      secret__directories:
+        - '{{ sysfs__secret__directories | d([]) }}'
+
+    - role: apt_preferences
+      tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
+      apt_preferences__dependent_list:
+        - '{{ redis_server__apt_preferences__dependent_list }}'
+
+    - role: etc_services
+      tags: [ 'role::etc_services', 'skip::etc_services' ]
+      etc_services__dependent_list:
+        - '{{ redis_server__etc_services__dependent_list }}'
+
+    - role: sysctl
+      tags: [ 'role::sysctl', 'skip::sysctl' ]
+      sysctl__dependent_parameters:
+        - '{{ redis_server__sysctl__dependent_parameters }}'
+
+    - role: sysfs
+      tags: [ 'role::sysfs', 'skip::sysfs' ]
+      sysfs__dependent_attributes:
+        - '{{ redis_server__sysfs__dependent_attributes }}'
+
+    - role: python
+      tags: [ 'role::python', 'skip::python', 'role::redis_server' ]
+      python__dependent_packages3:
+        - '{{ redis_server__python__dependent_packages3 }}'
+      python__dependent_packages2:
+        - '{{ redis_server__python__dependent_packages2 }}'
+
+    - role: redis_server
+      tags: [ 'role::redis_server', 'skip::redis_server' ]
--- a/debops/tzdata.yml
+++ b/debops/tzdata.yml
@ -0,0 +1,19 @@
+---
+
+- name: Manage time zone configuration
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  vars:
+    tzdata__timezone: Europe/Moscow
+
+  roles:
+
+    - role: tzdata
+      tags: [ 'role::tzdata', 'skip::tzdata' ]
--- a/manala/manala.nginx.yml
+++ b/manala/manala.nginx.yml
--- a/manala/manala.php.yml
+++ b/manala/manala.php.yml
--- a/nginx-site.yml
+++ b/nginx-site.yml
@ -0,0 +1,12 @@
+---
+- import_playbook: debops/tzdata.yml
+#- import_playbook: debops/pki.yml
+#- import_playbook: debops/mariadb.yml
+#- import_playbook: debops/php-prod.yml
+#- import_playbook: debops/nginx.yml
+#- import_playbook: debops/nodejs.yml
+#- import_playbook: debops/redis.yml
+
+# Import all other group playbooks in this file...
+
+...
--- a/requirements.yml
+++ b/requirements.yml
@ -3,4 +3,6 @@
 collections:
  - name: nginxinc.nginx_core
    version: 0.8.0
-  - name: debops.debops
+  - name: https://github.com/debops/debops.git
+    type: git
+    version: d554096b5cb02f4c37f68d80d9103105dd5de34b
--- a/site.yml
+++ b/site.yml
@ -1,10 +0,0 @@
---
- import_playbook: pki.yml
- import_playbook: mariadb_server.yml
- import_playbook: mariadb.yml
- import_playbook: php.yml
- import_playbook: apache.yml
-
-# Import all other group playbooks in this file...
-
-...