From abc9e3c1777da07e587bed2ef5c406c3f6753070 Mon Sep 17 00:00:00 2001
From: Sasha Ivanov
Date: Tue, 31 Jan 2023 18:48:33 +0100
Subject: [PATCH] + install nginx via apt + add octobercms.conf to nginx
---
anygroup.yml | 6 +-
hosts | 4 +-
requirements.yml | 3 +
roles/common/tasks/main.yml | 1 +
roles/composer/tasks/main.yml | 8 +
roles/nginx/files/octobercms.conf | 51 ++++++
.../nginx/tasks/files/20-envsubst-on-templates.sh | 32 ----
.../nginx/tasks/files/30-tune-worker-processes.sh | 188 ---------------------
roles/nginx/tasks/main.yml | 35 ++--
roles/php/tasks/main.yml | 3 +
site.yml | 3 +-
11 files changed, 86 insertions(+), 248 deletions(-)
create mode 100644 roles/composer/tasks/main.yml
create mode 100644 roles/nginx/files/octobercms.conf
delete mode 100755 roles/nginx/tasks/files/20-envsubst-on-templates.sh
delete mode 100755 roles/nginx/tasks/files/30-tune-worker-processes.sh
diff --git a/anygroup.yml b/anygroup.yml
index d4b79dc..16f78aa 100644
--- a/anygroup.yml
+++ b/anygroup.yml
@@ -1,9 +1,9 @@
---
- hosts: debian10
roles:
- - nginx
- - php
+ - { role: 'nginx', tags: 'nginx' }
+ - { role: 'php', tags: 'php' }
# Associate further roles to servers in specific group in this file...
-...
+...
\ No newline at end of file
diff --git a/hosts b/hosts
index 2acfa32..2ea4d98 100644
--- a/hosts
+++ b/hosts
@@ -9,8 +9,8 @@
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
-[lxc-templates]
-debian10 ansible_host=debian10.dedic106-dhcp.dimti.ru
+[lxc_templates]
+debian10 ansible_host=debian10.dedic106-dhcp.dimti.ru ansible_user=root
[anygroup]
server1 ansible_host=192.168.0.1
diff --git a/requirements.yml b/requirements.yml
index 43b009f..411947a 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,4 +1,7 @@
---
+
collections:
- name: nginxinc.nginx_core
version: 0.8.0
+
+...
\ No newline at end of file
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 0c7df72..f6d8c5f 100644
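Review bot: `ansible_user=root` on the debian10 line makes every play connect over SSH as root, so each task runs fully privileged and the host must keep root SSH logins enabled. A non-root login user in the inventory plus `become: true` on the play in anygroup.yml gives the same result while keeping privilege escalation explicit and auditable per task. The group rename to `[lxc_templates]` is fine; note that anygroup.yml targets `debian10` by host name rather than through this group.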
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,4 +1,5 @@
---
+
#
# Tasks to be applied to all servers
#
diff --git a/roles/composer/tasks/main.yml b/roles/composer/tasks/main.yml
new file mode 100644
index 0000000..9e55c19
--- /dev/null
+++ b/roles/composer/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Update packages
+ shell: apt update
+
+# TODO: установка композера
+
+...
\ No newline at end of file
diff --git a/roles/nginx/files/octobercms.conf b/roles/nginx/files/octobercms.conf
new file mode 100644
index 0000000..5c53f9e
--- /dev/null
+++ b/roles/nginx/files/octobercms.conf
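Review bot: `shell: apt update` in the new composer role reports changed on every run and is skipped in check mode; `apt: update_cache: true` does the same idempotently, and the identical shell task is added again in roles/nginx/tasks/main.yml in this commit, so doing it once (e.g. in the common role) would avoid the duplicate. The `# TODO: установка композера` comment is in Russian while the other comments in this diff are English; `# TODO: install composer` keeps the file consistent. The role is also not yet listed in anygroup.yml, so the playbook does not apply it.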
@@ -0,0 +1,51 @@
+location / {
+ rewrite ^/.*$ /index.php last;
+}
+
+location ~ ^/combine.*\.(css|js) {
+ rewrite ^/.*$ /index.php last;
+ expires max;
+}
+
+# Whitelist
+
+## Let October handle if static file does not exists
+
+location = /favicon.ico { try_files $uri /index.php; }
+location ~ ^/.*\.xml { try_files $uri /index.php; }
+location = /robots.txt { try_files $uri /index.php; }
+location = /humans.txt { try_files $uri /index.php; }
+location ~ ^/(google|yandex).*\.html { try_files $uri /index.php; }
+
+## Let nginx return 404 if static file does not exists
+
+location /storage/app/uploads/public { try_files $uri /404; }
+location /storage/app/media { try_files $uri /404; }
+location /storage/app/yml { try_files $uri /404; }
+location /storage/app/docx { try_files $uri /404; }
+location /storage/app/resized { try_files $uri /404; }
+location /storage/temp/public { try_files $uri /404; }
+location /files { try_files $uri /404; }
+location ~ ^/storage/app/.*\.xls { try_files $uri /404; }
+
+location ~ ^/modules/.*/assets { try_files $uri /404; }
+location ~ ^/modules/.*/resources { try_files $uri /404; }
+location ~ ^/modules/.*/behaviors/.*/assets { try_files $uri /404; }
+location ~ ^/modules/.*/behaviors/.*/resources { try_files $uri /404; }
+location ~ ^/modules/.*/widgets/.*/assets { try_files $uri /404; }
+location ~ ^/modules/.*/widgets/.*/resources { try_files $uri /404; }
+location ~ ^/modules/.*/formwidgets/.*/assets { try_files $uri /404; }
+location ~ ^/modules/.*/formwidgets/.*/resources { try_files $uri /404; }
+location ~ ^/modules/.*/reportwidgets/.*/assets { try_files $uri /404; }
+location ~ ^/modules/.*/reportwidgets/.*/resources { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/assets { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/resources { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/behaviors/.*/assets { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/behaviors/.*/resources { try_files $uri /404; }
+location ~ 
^/plugins/.*/.*/reportwidgets/.*/assets { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/formwidgets/.*/assets { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/formwidgets/.*/resources { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/widgets/.*/assets { try_files $uri /404; }
+location ~ ^/plugins/.*/.*/widgets/.*/resources { try_files $uri /404; }
+location ~ ^/themes/.*/resources { try_files $uri /404; }
diff --git a/roles/nginx/tasks/files/20-envsubst-on-templates.sh b/roles/nginx/tasks/files/20-envsubst-on-templates.sh
deleted file mode 100755
index 4f33029..0000000
--- a/roles/nginx/tasks/files/20-envsubst-on-templates.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-set -e
-
-ME=$(basename $0)
-
-auto_envsubst() {
- local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}"
- local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}"
- local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}"
-
- local template defined_envs relative_path output_path subdir
- defined_envs=$(printf '${%s} ' $(env | cut -d= -f1))
- [ -d "$template_dir" ] || return 0
- if [ ! -w "$output_dir" ]; then
- echo >&3 "$ME: ERROR: $template_dir exists, but $output_dir is not writable"
- return 0
- fi
- find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do
- relative_path="${template#$template_dir/}"
- output_path="$output_dir/${relative_path%$suffix}"
- subdir=$(dirname "$relative_path")
- # create a subdirectory where the template file exists
- mkdir -p "$output_dir/$subdir"
- echo >&3 "$ME: Running envsubst on $template to $output_path"
- envsubst "$defined_envs" < "$template" > "$output_path"
- done
-}
-
-auto_envsubst
-
-exit 0
diff --git a/roles/nginx/tasks/files/30-tune-worker-processes.sh b/roles/nginx/tasks/files/30-tune-worker-processes.sh
deleted file mode 100755
index 5650587..0000000
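Review bot: `try_files $uri /404;` in every rule under `## Let nginx return 404 if static file does not exists` does not make nginx return 404: the final try_files argument is a fallback URI, so a missing asset is internally redirected to `/404`, which matches `location /` at the top of the file and is rewritten to `/index.php`, leaving PHP to serve the miss. The status-code form `try_files $uri =404;` returns 404 from nginx itself and matches the comment. Separately, the regex locations `^/.*\.xml`, `^/(google|yandex).*\.html`, `^/storage/app/.*\.xls` and `^/combine.*\.(css|js)` are not end-anchored, so they also match any URI whose extension merely begins with those characters; appending `$` (e.g. `^/.*\.xml$`) keeps them to the intended files. The `.php` handler this include relies on is defined outside this file, so its ordering relative to these regex locations cannot be checked here.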
--- a/roles/nginx/tasks/files/30-tune-worker-processes.sh
+++ /dev/null
@@ -1,188 +0,0 @@ -#!/bin/sh -# vim:sw=2:ts=2:sts=2:et - -set -eu - -LC_ALL=C -ME=$( basename "$0" ) -PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - -[ "${NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE:-}" ] || exit 0 - -touch /etc/nginx/nginx.conf 2>/dev/null || { echo >&2 "$ME: error: can not modify /etc/nginx/nginx.conf (read-only file system?)"; exit 0; } - -ceildiv() { - num=$1 - div=$2 - echo $(( (num + div - 1) / div )) -} - -get_cpuset() { - cpusetroot=$1 - cpusetfile=$2 - ncpu=0 - [ -f "$cpusetroot/$cpusetfile" ] || return 1 - for token in $( tr ',' ' ' < "$cpusetroot/$cpusetfile" ); do - case "$token" in - *-*) - count=$( seq $(echo "$token" | tr '-' ' ') | wc -l ) - ncpu=$(( ncpu+count )) - ;; - *) - ncpu=$(( ncpu+1 )) - ;; - esac - done - echo "$ncpu" -} - -get_quota() { - cpuroot=$1 - ncpu=0 - [ -f "$cpuroot/cpu.cfs_quota_us" ] || return 1 - [ -f "$cpuroot/cpu.cfs_period_us" ] || return 1 - cfs_quota=$( cat "$cpuroot/cpu.cfs_quota_us" ) - cfs_period=$( cat "$cpuroot/cpu.cfs_period_us" ) - [ "$cfs_quota" = "-1" ] && return 1 - [ "$cfs_period" = "0" ] && return 1 - ncpu=$( ceildiv "$cfs_quota" "$cfs_period" ) - [ "$ncpu" -gt 0 ] || return 1 - echo "$ncpu" -} - -get_quota_v2() { - cpuroot=$1 - ncpu=0 - [ -f "$cpuroot/cpu.max" ] || return 1 - cfs_quota=$( cut -d' ' -f 1 < "$cpuroot/cpu.max" ) - cfs_period=$( cut -d' ' -f 2 < "$cpuroot/cpu.max" ) - [ "$cfs_quota" = "max" ] && return 1 - [ "$cfs_period" = "0" ] && return 1 - ncpu=$( ceildiv "$cfs_quota" "$cfs_period" ) - [ "$ncpu" -gt 0 ] || return 1 - echo "$ncpu" -} - -get_cgroup_v1_path() { - needle=$1 - found= - foundroot= - mountpoint= - - [ -r "/proc/self/mountinfo" ] || return 1 - [ -r "/proc/self/cgroup" ] || return 1 - - while IFS= read -r line; do - case "$needle" in - "cpuset") - case "$line" in - *cpuset*) - found=$( echo "$line" | cut -d ' ' -f 4,5 ) - break - ;; - esac - ;; - "cpu") - case "$line" in - *cpuset*) - ;; - *cpu,cpuacct*|*cpuacct,cpu|*cpuacct*|*cpu*) - found=$( echo 
"$line" | cut -d ' ' -f 4,5 ) - break - ;; - esac - esac - done << __EOF__ -$( grep -F -- '- cgroup ' /proc/self/mountinfo ) -__EOF__ - - while IFS= read -r line; do - controller=$( echo "$line" | cut -d: -f 2 ) - case "$needle" in - "cpuset") - case "$controller" in - cpuset) - mountpoint=$( echo "$line" | cut -d: -f 3 ) - break - ;; - esac - ;; - "cpu") - case "$controller" in - cpu,cpuacct|cpuacct,cpu|cpuacct|cpu) - mountpoint=$( echo "$line" | cut -d: -f 3 ) - break - ;; - esac - ;; - esac -done << __EOF__ -$( grep -F -- 'cpu' /proc/self/cgroup ) -__EOF__ - - case "${found%% *}" in - "/") - foundroot="${found##* }$mountpoint" - ;; - "$mountpoint") - foundroot="${found##* }" - ;; - esac - echo "$foundroot" -} - -get_cgroup_v2_path() { - found= - foundroot= - mountpoint= - - [ -r "/proc/self/mountinfo" ] || return 1 - [ -r "/proc/self/cgroup" ] || return 1 - - while IFS= read -r line; do - found=$( echo "$line" | cut -d ' ' -f 4,5 ) - done << __EOF__ -$( grep -F -- '- cgroup2 ' /proc/self/mountinfo ) -__EOF__ - - while IFS= read -r line; do - mountpoint=$( echo "$line" | cut -d: -f 3 ) -done << __EOF__ -$( grep -F -- '0::' /proc/self/cgroup ) -__EOF__ - - case "${found%% *}" in - "") - return 1 - ;; - "/") - foundroot="${found##* }$mountpoint" - ;; - "$mountpoint") - foundroot="${found##* }" - ;; - esac - echo "$foundroot" -} - -ncpu_online=$( getconf _NPROCESSORS_ONLN ) -ncpu_cpuset= -ncpu_quota= -ncpu_cpuset_v2= -ncpu_quota_v2= - -cpuset=$( get_cgroup_v1_path "cpuset" ) && ncpu_cpuset=$( get_cpuset "$cpuset" "cpuset.effective_cpus" ) || ncpu_cpuset=$ncpu_online -cpu=$( get_cgroup_v1_path "cpu" ) && ncpu_quota=$( get_quota "$cpu" ) || ncpu_quota=$ncpu_online -cgroup_v2=$( get_cgroup_v2_path ) && ncpu_cpuset_v2=$( get_cpuset "$cgroup_v2" "cpuset.cpus.effective" ) || ncpu_cpuset_v2=$ncpu_online -cgroup_v2=$( get_cgroup_v2_path ) && ncpu_quota_v2=$( get_quota_v2 "$cgroup_v2" ) || ncpu_quota_v2=$ncpu_online - -ncpu=$( printf "%s\n%s\n%s\n%s\n%s\n" \ - "$ncpu_online" 
\ - "$ncpu_cpuset" \ - "$ncpu_quota" \ - "$ncpu_cpuset_v2" \ - "$ncpu_quota_v2" \ - | sort -n \ - | head -n 1 ) - -sed -i.bak -r 's/^(worker_processes)(.*)$/# Commented out by '"$ME"' on '"$(date)"'\n#\1\2\n\1 '"$ncpu"';/' /etc/nginx/nginx.conf diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index fa75c08..409392e 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -1,30 +1,21 @@
---
-- name: Set ENV vars
- lineinfile:
- dest: ~/.bashrc
- line: "{{item}}"
- loop:
- - 'export NGINX_VERSION="1.21.3"'
- - 'export NJS_VERSION="0.6.2"'
- - 'export PKG_RELEASE="1~buster"'
-- name: Install gnupg
- shell: apt-get update && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 gnupg2 gnupg ca-certificates
+- name: Update packages
+ shell: apt update
- name: Install nginx
- environment:
- NGINX_GPGKEY: 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
- shell: >-
- set -x && addgroup --system --gid 101 nginx && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx && found=''; for server in ha.pool.sks-keyservers.net hkp://keyserver.ubuntu.com:80 hkp://p80.pool.sks-keyservers.net:80 pgp.mit.edu ; do echo "Fetching GPG key $NGINX_GPGKEY from $server"; apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; done; test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* && dpkgArch="$(dpkg --print-architecture)" && nginxPackages=" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${PKG_RELEASE} " && case "$dpkgArch" in amd64|i386|arm64) echo "deb https://nginx.org/packages/mainline/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list && apt-get update ;; *) echo "deb-src https://nginx.org/packages/mainline/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list && tempDir="$(mktemp -d)" && chmod 777 "$tempDir" && savedAptMark="$(apt-mark showmanual)" && apt-get update && apt-get build-dep -y $nginxPackages && ( cd "$tempDir" && DEB_BUILD_OPTIONS="nocheck 
parallel=$(nproc)" apt-get source --compile $nginxPackages ) && apt-mark showmanual | xargs apt-mark auto > /dev/null && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } && ls -lAFh "$tempDir" && ( cd "$tempDir" && dpkg-scanpackages . > Packages ) && grep '^Package: ' "$tempDir/Packages" && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list && apt-get -o Acquire::GzipIndexes=false update ;; esac && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base curl && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list && if [ -n "$tempDir" ]; then apt-get purge -y --auto-remove && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; fi && ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
+ shell: apt install nginx -y
-- name: Create dir for additional helper scripts /docker-entrypoint.d
- shell: mkdir -p /docker-entrypoint.d
+- name: Enable nginx
+ shell: systemctl enable nginx
-- name: Copy envsubst and tune worker to /docker-entrypoint.d
+- name: Copy nginx config
copy:
- src: "{{item}}"
- dest: /docker-entrypoint.d
+ src: 'octobercms.conf'
+ dest: '/etc/nginx/includes.d'
mode: 0744
- loop:
- - 20-envsubst-on-templates.sh
- - 30-tune-worker-processes.sh
+
+- name: Restart nginx
+ shell: systemctl restart nginx
+
+...
\ No newline at end of file
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
index 1fb64ee..2874072 100644
--- a/roles/php/tasks/main.yml
+++ b/roles/php/tasks/main.yml
@@ -1,4 +1,5 @@
---
+
- name: Copy docker-php-* helpers to /usr/local/bin/
copy:
src: "{{item}}"
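Review bot: `dest: '/etc/nginx/includes.d'` in the Copy nginx config task names a directory that no task in this role creates and that does not appear to be shipped by the nginx package; when it is absent the copy module writes the config as a regular file called `/etc/nginx/includes.d`, and nothing in the hunk adds an `include` for it to any server block, so `Restart nginx` restarts with the file unused. `mode: 0744` also gives a config file the execute bit; `0644` is sufficient. Creating the directory first and pointing dest at the full file path fixes the copy, as below. The `shell: apt update` / `apt install nginx -y` / `systemctl` tasks report changed on every run and are unsafe in check mode; the `apt` (`update_cache: true`, `name: nginx`) and `systemd` (`enabled: true`) modules do the same idempotently, and the restart belongs in a handler reached via `notify` from the copy task so that a config change, not every play, restarts the service.
```yaml
- name: Create nginx includes directory
  file:
    path: /etc/nginx/includes.d
    state: directory
    mode: 0755

- name: Copy nginx config
  copy:
    src: 'octobercms.conf'
    dest: '/etc/nginx/includes.d/octobercms.conf'
    mode: 0644
# … unchanged: Restart nginx task …
```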
@@ -80,3 +81,5 @@
- name: Nerest php-fpm pool config
shell: set -eux; cd /usr/local/etc; if [ -d php-fpm.d ]; then sed 's!=NONE/!=!g' php-fpm.conf.default | tee php-fpm.conf > /dev/null; cp php-fpm.d/www.conf.default php-fpm.d/www.conf; else mkdir php-fpm.d; cp php-fpm.conf.default php-fpm.d/www.conf; { echo '[global]'; echo 'include=etc/php-fpm.d/*.conf'; } | tee php-fpm.conf; fi; { echo '[global]'; echo 'error_log = /proc/self/fd/2'; echo; echo '; https://github.com/docker-library/php/pull/725#issuecomment-443540114'; echo 'log_limit = 8192'; echo; echo '[www]'; echo '; if we send this to /proc/self/fd/1, it never appears'; echo 'access.log = /proc/self/fd/2'; echo; echo 'clear_env = no'; echo; echo '; Ensure worker stdout and stderr are sent to the main error log.'; echo 'catch_workers_output = yes'; echo 'decorate_workers_output = no'; } | tee php-fpm.d/docker.conf; { echo '[global]'; echo 'daemonize = no'; echo; echo '[www]'; echo 'listen = 9000'; } | tee php-fpm.d/zz-docker.conf
+
+...
\ No newline at end of file
diff --git a/site.yml b/site.yml
index 6f9c89b..4e8afad 100644
--- a/site.yml
+++ b/site.yml
@@ -1,6 +1,7 @@
---
+
- import_playbook: anygroup.yml
# Import all other group playbooks in this file...
-...
+...
\ No newline at end of file