gitea/ansible-lxc-templates
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: gitea:37014102250de3a34a338221ddec1df976d25c86
Branches Tags
gitea:master
..
compare: gitea:master
Branches Tags
gitea:master

42 Commits
3701410225 ... master

Author SHA1 Message Date
Raptor Dimti Garuda
b70574767e * use debops as separate package 
* set python version via pyenv
 2025-04-08 12:40:45 +03:00
Raptor Dimti Garuda
d9232999ca + probes to use env vars for lxc projects 2025-03-09 20:06:39 +03:00
gitea
db847c8710 * that is debian not ubuntu 2025-02-16 13:00:34 +00:00
dimti
3dfacd0822 + refactored and solve some problems with mariadb and nginx playbook 
+ apps playbooks - docker, caprover
* simple refactore starter scripts
+ apt update debops playboook prepend launch by default
* sury repo changed
* database users locked to localhost only
* phpmyadmin blowfish generate secret fix
 2025-02-10 23:35:41 +03:00
dimti
bff53b4c1a * correct curl options for downloading direnv release binary 
* hard checkout dotfiles after yadm repository fetch
 2024-10-16 18:45:28 +03:00
dimti
2097964fc4 * try to automatic install yadm and direnv if not presented on target system 2024-10-16 17:35:55 +03:00
dimti
74f9f3ef7a * set bigger client max body size for backend fpm socket 
* try to use ${HOME} var instead of ansible user var for detecting home dir
 2024-10-09 15:02:43 +03:00
dimti
3243c81b3d + change starship command prompt sign for non privileged user in separate yadm playbook 2024-09-22 17:51:52 +03:00
dimti
051b7778d6 * set correctly sign character for yadm starship toml when setting up for non-root user 2024-08-05 12:49:44 +03:00
dimti
7f393e79d7 + remove include sub domains from hsts policy 2024-08-01 23:41:36 +03:00
dimti
034988c117 - remove unnecessary blocked dot-files rule for sh and example, because previous rule for all dot files or dot-dirs - blocked that also 2024-07-30 22:53:04 +03:00
dimti
4c90ee6429 + use rewrite options directive with inherit value for merge rewrite rules from base apache site config and htaccess rewrite rules in the site directory 2024-07-30 21:50:50 +03:00
dimti
5a4ec54d3b * correct pass to backend fpm socket 2024-07-22 07:46:53 +03:00
dimti
bbb84079df + php-composer install own playbook with version downgrade for oldest php 7.4 
* automatic detect php version and set php extension (for =>8 php version without installing gd, because Debian 11 need libgd3 fix for that)
* mapping tld hostname for non-www redirection moved to conf.d and copy that file to remote machine with others existing map-files
* some features in this commit not to be a tested in real environment
 2024-07-02 08:47:01 +03:00
dimti
24c9799270 * quotable used variables in nginx vars config 2024-06-28 09:13:07 +03:00
dimti
85c08d9d68 * true installation options for apt xsel 
* use pma user for generate basic auth password for phpmyadmin virtual host
* include wp-cli playbook for apache site by default
 2024-06-04 15:36:16 +03:00
dimti
b3cc57a4d9 + xsel install in yadm playbook post tasks 2024-05-13 09:12:35 +03:00
dimti
b7b67f1c86 * external become_user set for execute nodejs version manager install for possible launch that playbook without become_user interactions (if setting user on execute ansible starter script) 2024-05-08 17:39:34 +03:00
dimti
6186ab94e0 * use appropriate php version both for php and apache installations 
+ pma for apache with auth and hand made change granted permissions
+ wp-cli
+ www-domain alias for apache and revers redirect for that
 2024-04-20 09:11:19 +03:00
dimti
452d5cca79 * usage shared run playbook script extended with user doc 
* example with alternate ssh port
* remove todo from yadm, because that is realized in dotfiles repo
 2024-04-04 18:21:14 +03:00
dimti
f276e83e9a + libgd install for php 8.* now use php version as variable 
#861m7vaer Шаблон операционной системы на Debian 10
 2024-04-03 10:51:47 +03:00
dimti
fd2022333e + todo for nginx and pma configs 
* pma blowfish secret generator and tmp dir fixes

#861m7vaer Шаблон операционной системы на Debian 10
 2024-04-02 10:31:44 +03:00
dimti
fb93943ba5 + yadm initialization for non priveleged and existing users 
#861m7vaer Шаблон операционной системы на Debian 10
 2024-03-22 18:47:05 +03:00
dimti
958e39bce7 * separate launch script by runner type concepts 
* do not launch sudo playbook for simple server install
* use domain_name as env variable from launch script
 2024-01-22 01:25:18 +03:00
dimti
ffb599469e * remove separately groups array from system users vars (fix - adding example var file to git) 2024-01-10 17:48:38 +03:00
dimti
b87659737e * remove separately groups array from system users vars, because task for manager system users - used combined array both with groups and users and same naming users items not included to this array, if use groups with same name before same-name users 2023-12-29 21:45:21 +03:00
dimti
371e8c671b + add install requirements example to readme 
+ nginx site playbook without db
 2023-12-29 20:37:21 +03:00
dimti
6270c71549 + example system unit file 
+ own common tasks of prepared debian for make programs from source
+ ansible ssh port example
 2023-12-29 20:05:20 +03:00
dimti
73647f855d + non-www redirect nginx script (with todo) 
+ domain_name & refactored nginx variables for resolve connect of www-domain logic and redirect to or from
* some installs have error after login to non-privileged user with starship $-symbol - correct escaped function for that
+ use separate domain for pma nginx config based on new domain_name variable (defined in nginx vars file)
* update database example vars (use inventory dir path and bz2 by default)

#861m7vaer Шаблон операционной системы на Debian 10
 2023-10-29 21:57:44 +03:00
dimti
3bf86281d2 + latest extensions - deployed nginx, apache, php 74 & 81, nvm, automatic databases import and phpmyadmin with nginx basic auth 
+ dhcp dnsmasq server playbook for create inner server network

#861m7vaer Шаблон операционной системы на Debian 10
 2023-10-24 17:26:53 +03:00
dimti
9bb3348cce + sample configs for nginx-proxy lxc instance 
+ site_name as general option for different lxc_host and site_name (personally used for vps deployment)
+ vps deploy script
+ node version manager install
+ php version setup vars moved into separate vars-file
+ ansible.cfg that helps to use local inventory and group_vars files
+ root account playbook
 2023-09-27 10:49:04 +03:00
dimti
05c680826c + fix install tmux plugin check 
+ nginx master proxy dummy things

#861m7vaer Шаблон операционной системы на Debian 10
 2023-06-05 23:41:35 +03:00
dimti
796f8a31a7 + change ownerships to var www dir after apache or nginx role processed 
#861m7vaer Шаблон операционной системы на Debian 10
 2023-04-21 11:56:30 +03:00
dimti
cf50453d7d + installing tmux plugin manager for root_account role 
+ starship install via yadm role (multi use installation) and installing Nerd Font
* change straship character for not privileged user
* fix path to normalized css for default nginx page
* own custom roles (allow releaseinfo change and install locales) moved to playbooks dir

#861m7vaer Шаблон операционной системы на Debian 10
 2023-04-18 10:20:49 +03:00
dimti
cb1b727da9 * conditional logic for nginx www redirect 
+ use lxc_host & ssh proxying for resolve connection to inner lxc host in proxmox
+ bash helper for launch playbooks
+ nginx html default template
* create databases moved into own custom variables
+ new using debops roles: yadm (dotfiles), sudo, root_account, system_users

#861m7vaer Шаблон операционной системы на Debian 10
 2023-04-13 07:40:56 +03:00
dimti
38509f5161 + php redis 
#861m7vaer Шаблон операционной системы на Debian 10
 2023-03-19 16:14:49 +03:00
dimti
82a4dc6f55 + php intl 
* fix blocking all php script except index.php
 2023-03-19 14:56:31 +03:00
dimti
7d745761f2 + nginx, php-fpm and octobercms playbooks 
* separate wp-apache and nginx php-fpm playbooks
 2023-03-11 21:23:28 +03:00
dimti
7fa274c876 * simple quote fix 2023-02-20 23:38:58 +03:00
dimti
3c53ae07cd + debops: apache with pki, mariadb_server, php7.4 with extensions, mariadb client role with secret 2023-02-20 23:38:58 +03:00
Sasha Ivanov
abc9e3c177 + install nginx via apt 
+ add octobercms.conf to nginx
 2023-01-31 18:48:33 +01:00
dimti
0ebf538eb3 + php & nginx 2023-01-31 12:26:20 +03:00
104 changed files with 3411 additions and 157 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1,2 +1,3 @@
*.retry
.idea .idea
/secret
/ansible.cfg

1
.python-version Normal file
View File

@ -0,0 +1 @@
3.13.2

160
README.md
View File

@ -1,147 +1,19 @@
# Ansible-Boilerplate # Getting Started
## Create symlink for ansible hosts
[![GitHub Issues](https://img.shields.io/github/issues/acch/ansible-boilerplate.svg)](https://github.com/acch/ansible-boilerplate/issues) [![GitHub Stars](https://img.shields.io/github/stars/acch/ansible-boilerplate.svg?label=github%20%E2%98%85)](https://github.com/acch/ansible-boilerplate/) [![License](https://img.shields.io/github/license/acch/ansible-boilerplate.svg)](LICENSE) `sudo ln -s $(realpath hosts) /etc/ansible/hosts`
## Modify your ~/.ssh/config
[Ansible](https://www.ansible.com/) is a configuration management tool, similar to [Chef](https://www.chef.io/) and [Puppet](https://puppet.com/). It allows for performing logical configuration of infrastructure components, such as servers and network switches. The configuration files in this repository can act as a template for your own Ansible projects, in order to get you started quickly. Once you've customized the configuration files then new servers can be configured quickly — excluding their network configuration. This means that adding new servers is as simple as:
- Base OS installation of new server
- Network configuration of new server (including bond, bridge, DNS and routing)
- Configuration of password-less (public key) SSH authentication from the Ansible host (your laptop) to the new server
The remaining configuration (installing packages, configuring services, etc.) can then be achieved using Ansible. In addition, Ansible ensures that configuration of all servers is and remains consistent.
## Using this repository
Simply download (clone) the repository and start modifying files according to your needs.
``` ```
git clone https://github.com/acch/ansible-boilerplate.git myAnsibleProject/ Host debian10.dedic106-dhcp.dimti.ru
Port 22242
```
## Install needed ansible galaxy collections
``` ```
ansible-galaxy install -g -f -r requirements.yml
Ideally, you'll want to use [Git](https://git-scm.com/) to manage your Ansible configuration files. For that purpose simply [fork](https://help.github.com/articles/fork-a-repo/) this repository into your own Git repository before cloning and customizing it. Alternatively, create your own repository [from the template](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-from-a-template). Git will allow you to version and roll-back changes with ease.
Specifically, you'll want to customize the following files:
- Add your own hosts and groups to file `hosts`. You'll want to replace `[anygroup]` with a more meaningful group name, and add your own groups as required.
- Define roles by adding subdirectories underneath directory `roles/`. You'll want to rename `anyrole/` to a more meaningful role name, and add your own roles as required.
- Associate your hosts (groups) with your roles by adding appropriate playbooks in the root directory. Rename `anygroup.yml` to a more meaningful playbook name.
- Import all your playbooks in the main `site.yml` playbook.
## Using Ansible
Install `ansible` on your laptop and link the `hosts` file from `/etc/ansible/hosts` to the file in your repository. Now you're all set.
To run a single (ad-hoc) task on multiple servers:
``` ```
# Check connectivity # Usage
ansible all -m ping -u root ## Ping
`ansible debian10 -m ping -u root`
# Run single command on all servers ## Playbook
ansible all -m command -a "cat /etc/hosts" -u root `ansible-playbook anygroup.yml`
## Playbook group only tag
# Run single command only on servers in specific group `ansible-playbook anygroup.yml -t nginx`
ansible anygroup -m command -a "cat /etc/hosts" -u root
# Run single command on individual server
ansible server1 -m command -a "cat /etc/hosts" -u root
```
As the `command` module is the default, it can also be omitted:
```
ansible server1 -a "cat /etc/hosts" -u root
```
To use shell variables on the remote server, use the `shell` module instead of `command`, and use single quotes for the argument:
```
ansible server1 -m shell -a 'echo $HOSTNAME' -u root
```
The true power of ansible comes with so called *playbooks* — think of them as scripts, but they're declarative. Playbooks allow for running multiple tasks on any number of servers, as defined in the configuration files (`*.yml`):
```
# Run all tasks on all servers
ansible-playbook site.yml -v
# Run all tasks only on group of servers
ansible-playbook anygroup.yml -v
# Run all tasks only on individual server
ansible-playbook site.yml -v -l server1
```
Note that `-v` produces verbose output. `-vv` and `-vvv` are also available for even more (debug) output.
To verify what tasks would do without changing the actual configuration, use the `--list-hosts` and `--check` parameters:
```
# Show hosts that would be affected by playbook
ansible-playbook site.yml --list-hosts
# Perform dry-run to see what tasks would do
ansible-playbook site.yml -v --check
```
Running all tasks in a playbook may take a long time. *Tags* are available to organize tasks so one can only run specific tasks to configure a certain component:
```
# Show list of available tags
ansible-playbook site.yml --list-tags
# Only run tasks required to configure DNS
ansible-playbook site.yml -v -t dns
```
Note that the above command requires you to have tasks defined with the `tags: dns` attribute.
## Configuration files
The `hosts` file defines all hosts and groups which they belong to. Note that a single host can be member of multiple groups. Define groups for each rack, for each network, or for each environment (e.g. production vs. test).
### Playbooks
Playbooks associate hosts (groups) with roles. Define a separate playbook for each of your groups, and then import all playbooks in the main `site.yml` playbook.
File | Description
---- | -----------
`site.yml` | Main playbook - runs all tasks on all servers
`anygroup.yml` | Group playbook - runs all tasks on servers in group *anygroup*
### Roles
The group playbooks (e.g. `anygroup.yml`) simply associate hosts with roles. Actual tasks are defined in these roles:
```
roles/
├── common/ Applied to all servers
│ ├── handlers/
│ ├── tasks/
│ │ └ main.yml Tasks for all servers
│ └── templates/
└── anyrole/ Applied to servers in specific group(s)
├── handlers/
├── tasks/
│ └ main.yml Tasks for specific group(s)
└── templates/
```
Consider adding separate roles for different applications (e.g. webservers, dbservers, hypervisors, etc.), or for different responsibilities which servers fulfill (e.g. infra_server vs. infra_client).
### Tags
Use the following command to show a list of available tags:
```
ansible-playbook site.yml --list-tags
```
Consider adding tags for individual components (e.g. DNS, NTP, HTTP, etc.).
Role | Tags
--- | ---
Common | all,check
## Copyright and license
Copyright 2017 Achim Christ, released under the [MIT license](LICENSE)

4
ansible.cfg.example Normal file
View File

@ -0,0 +1,4 @@
[defaults]
inventory=./hosts
group_vars=./group_vars
collections_paths=~/.ansible/collections:~/.pyenv/versions/3.13.2/lib/python3.13/site-packages/debops/_data/ansible/collections

6
anygroup.yml
View File

@ -1,9 +1,9 @@
--- ---
- hosts: debian10 - hosts: debian10
roles: roles:
- common - { role: 'nginx', tags: 'nginx' }
- anyrole - { role: 'php', tags: 'php' }
# Associate further roles to servers in specific group in this file... # Associate further roles to servers in specific group in this file...
... ...

2
data/db-dumps/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
*
!.gitignore

13
envs/lxc/server/lxc.env.example Normal file
View File

@ -0,0 +1,13 @@
SERVER=proxmox_host
LXC_HOST=project_lxc_container
PLAYBOOK=nginx-site
# That is a project name and name of the HOME USER
# @see group_vars/all.yml
SITE_NAME=project_name
DOMAIN_NAME=project_domain_name
DATABASE_NAME=project_name

4
group_vars/all.yml
View File

@ -3,6 +3,10 @@
ansible_user: root ansible_user: root
remote_user: root remote_user: root
keyring__keyserver: hkp://keyserver.ubuntu.com:80
# Add further variables which apply to all servers to this file... # Add further variables which apply to all servers to this file...
secret__levels: '.'
home_user: '{{ (ansible_user != "root") | ternary(ansible_user, site_name) }}'
... ...

6
hosts
View File

@ -9,8 +9,10 @@
# - You can enter hostnames or ip addresses # - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups # - A hostname/ip can be a member of multiple groups
[lxc-templates] [lxc_templates]
debian10 ansible_host=debian10.dedic106-dhcp.dimti.ru #debian10 ansible_host=debian10.dedic106-dhcp.dimti.ru ansible_user=root
#debian10 ansible_host='{{ lxc_host }}' ansible_port=22230
debian10 ansible_host='{{ lxc_host }}'
[anygroup] [anygroup]
server1 ansible_host=192.168.0.1 server1 ansible_host=192.168.0.1

11
manala/manala.nginx.yml Normal file
View File

@ -0,0 +1,11 @@
---
- hosts: debian10
collections:
- nginxinc.nginx_core
- manala.roles
tasks:
- name: Install NGINX
ansible.builtin.include_role:
name: nginx
vars:
nginx_type: opensource

22
manala/manala.php.yml Normal file
View File

@ -0,0 +1,22 @@
---
- hosts: debian10
collections:
- nginxinc.nginx_core
- manala.roles
vars:
manala_apt_repositories:
- contrib
manala_apt_preferences:
- git@backports
- sury_php:100
- php@sury_php:300
- nginx@nginx
tasks:
- name: Install Manala APT
ansible.builtin.include_role:
name: manala.roles.apt
- name: Install PHP
ansible.builtin.include_role:
name: manala.roles.php
vars:
manala_php_version: 7.4

9
ping.yml Normal file
View File

@ -0,0 +1,9 @@
---
- hosts: debian10
tasks:
- name: whoami test
shell: whoami
# Associate further roles to servers in specific group in this file...
...

7
playbooks/_mysql-server-site.yml Normal file
View File

@ -0,0 +1,7 @@
---
- import_playbook: debops/mariadb_server.yml
- import_playbook: debops/mariadb-custom-db.yml
# Import all other group playbooks in this file...
...

20
playbooks/apache-site.yml Normal file
View File

@ -0,0 +1,20 @@
---
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
- import_playbook: debops/mariadb_server.yml
- import_playbook: debops/mariadb-custom-db.yml
- import_playbook: debops/php-wp.yml
- import_playbook: debops/apache.yml
#- import_playbook: debops/redis.yml
- import_playbook: own/var-www-set-ownerships.yml
- import_playbook: own/phpmyadmin.yml
- import_playbook: own/phpmyadmin-apache-auth.yml
#- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
#- import_playbook: own/correct-paths-for-pct-enter.yml
- import_playbook: own/wp-cli.yml
# Import all other group playbooks in this file...
...

17
playbooks/apps/caprover.yml Normal file
View File

@ -0,0 +1,17 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Configure Firewall
shell: |
ufw allow 80,443,3000,996,7946,4789,2377/tcp; ufw allow 7946,4789,2377/udp;
- name: Install caprover
shell: |
docker run -p 80:80 -p 443:443 -p 3000:3000 -e ACCEPTED_TERMS=true -v /var/run/docker.sock:/var/run/docker.sock -v /captain:/captain caprover/caprover
- name: "Install npm caprover package (after that use: caprover serversetup)"
shell: |
export NVM_DIR="$HOME/.nvm"
. "$NVM_DIR/nvm.sh"
. "$NVM_DIR/bash_completion"
npm install -g caprover

33
playbooks/apps/docker-debian.yml Normal file
View File

@ -0,0 +1,33 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Remove old packages
shell: |
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
apt-get autoremove
- name: Add APT repository
shell: |
# Add Docker's official GPG key:
apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian /gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
- name: Install Docker
shell: |
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- name: Test hello-world
shell: |
docker run hello-world

29
playbooks/apps/docker-ubuntu.yml Normal file
View File

@ -0,0 +1,29 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Remove old packages
shell: |
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
apt-get autoremove
- name: Add APT repository
shell: |
apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
- name: Install Docker
shell: |
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- name: Test hello-world
shell: |
docker run hello-world

15
playbooks/debops/_phpmyadmin.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Manage MariaDB server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: phpmyadmin
tags: [ 'role::phpmyadmin', 'skip::phpmyadmin' ]

71
playbooks/debops/apache.yml Normal file
View File

@ -0,0 +1,71 @@
---
- name: Manage and configure the Apache HTTP Server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/site.yml
- ./../../vars/php.yml
- ./../../vars/apache.yml
vars:
apache__base_packages:
- 'libapache2-mod-php{{ php_version }}'
apache__default_vhost_name:
- '{{ domain_name }}'
- "{{ (has_www_domain and not www_domain_is_primary) | ternary('www.{{ domain_name }}', omit) }}"
apache__modules:
'php{{ php_version }}': True
'rewrite':
enabled: True
apache__allow:
- 0.0.0.0
apache__default_vhost:
name: '{{ apache__default_vhost_name }}'
filename: '000-default'
root: '/var/www/html'
root_directives: |-
RewriteEngine On
RewriteOptions Inherit
RewriteBase /
{% if www_domain_is_primary %}
RewriteCond %{HTTP_HOST} ^([^www].*)$
RewriteRule ^(.*)$ https://www.%1/$1 [L,R=301]
{% else %}
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
{% endif %}
RewriteRule "(^|/)\.(?!well-known\/)" - [F]
apache__vhost_allow_override: 'All'
pre_tasks:
- name: Prepare apache environment
import_role:
name: 'apache'
tasks_from: 'main_env'
tags: [ 'role::apache', 'role::apache:env' ]
post_tasks:
- name: Remove include subdomains for HSTS policy
shell: |-
sed -i '/; includeSubDomains/d' etc/apache2/sites-available/000-default.conf
roles:
- role: apache
tags: [ 'role::apache', 'skip::apache' ]

22
playbooks/debops/apt.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: Manage Advanced Package Manager
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
post_tasks:
- name: Upgrade
ansible.builtin.apt:
upgrade: True
roles:
- role: apt
tags: [ 'role::apt', 'skip::apt' ]

52
playbooks/debops/dnsmasq.yml Normal file
View File

@ -0,0 +1,52 @@
---
- name: Configure dnsmasq
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
dnsmasq__dhcpv4: True
dnsmasq__dhcpv6: False
dnsmasq__interfaces:
- name: 'eth1'
# addresses: ['172.16.30.100']
domain: local
dhcp_range_start: 180
dhcp_range_end: -6
dnsmasq__base_domain: 'local'
# dnsmasq__configuration:
# - name: 'dhcp-option.conf'
# options:
# - name: 'dhcp-option-1'
# option: 'dhcp-option'
# value: '1,255.255.255.0'
# - name: 'dhcp-option-3'
# option: 'dhcp-option'
# value: '3,172.16.30.100'
# - name: 'dhcp-option-6'
# option: 'dhcp-option'
# value: '6,172.16.30.100'
pre_tasks:
- name: Prepare dnsmasq environment
import_role:
name: 'dnsmasq'
tasks_from: 'main_env'
tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
roles:
- role: resolvconf
tags: [ 'role::resolvconf', 'skip::resolvconf' ]
resolvconf__dependent_services:
- 'dnsmasq'
- role: dnsmasq
tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]

18
playbooks/debops/files/etc/nginx-master-proxy/conf.d/sample-filecloud.conf.example Normal file
View File

@ -0,0 +1,18 @@
server {
listen 80;
server_name domain;
client_max_body_size 0;
location / {
proxy_pass http://site_name;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}

20
playbooks/debops/files/etc/nginx-master-proxy/conf.d/sample-s3.conf.example Normal file
View File

@ -0,0 +1,20 @@
server {
listen 80;
server_name domain;
ignore_invalid_headers off;
client_max_body_size 0;
proxy_buffering off;
location / {
proxy_pass http://site_name:9000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}

32
playbooks/debops/files/etc/nginx-master-proxy/conf.d/sample-youtrack.conf.example Normal file
View File

@ -0,0 +1,32 @@
server {
listen 80;
server_name domain;
location / {
proxy_pass http://site_name:8080;
access_log off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 60m;
proxy_http_version 1.1;
}
location /api/eventSourceBus {
proxy_pass http://site_name:8080;
access_log off;
proxy_cache off;
proxy_buffering off;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}

16
playbooks/debops/files/etc/nginx-master-proxy/conf.d/website.conf.example Normal file
View File

@ -0,0 +1,16 @@
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
server_name domain;
location / {
proxy_pass https://lxc;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
}
# TODO: example site.auth.conf

4
playbooks/debops/files/etc/nginx/conf.d/map_tld_domain.conf Normal file
View File

@ -0,0 +1,4 @@
map $host $tld {
default $host;
'~^www\.(?<domain>.*)$' $domain;
}

12
playbooks/debops/files/etc/nginx/includes.d/non-www.conf Normal file
View File

@ -0,0 +1,12 @@
error_page 418 = @nonwww;
set $nonwww "";
if ( $http_host ~* "^www\.") {
set $nonwww "${nonwww}0";
}
if ( $nonwww ~* "^0+$" ) {
return 418;
}
location @nonwww {
rewrite ^ https://$tld$request_uri permanent;
}

49
playbooks/debops/files/etc/nginx/includes.d/octobercms.conf Normal file
View File

@ -0,0 +1,49 @@
location ~ ^/combine.*\.(css|js) {
rewrite ^/.*$ /index.php last;
expires max;
}
# Whitelist
## Let October handle if static file not exists
location ~ ^/favicon\.ico { try_files $uri /index.php; }
location ~ ^/sitemap\.xml { try_files $uri /index.php; }
location ~ ^/robots\.txt { try_files $uri /index.php; }
location ~ ^/humans\.txt { try_files $uri /index.php; }
## Google & Yandex website promts
location ~ ^/(google|yandex).*\.html { try_files $uri /index.php; }
location ~ ^/.*\.xml { try_files $uri /index.php; }
## Let nginx return 404 if static file not exists
location ~ ^/storage/app/uploads/public { access_log off; try_files $uri /404; }
location ~ ^/storage/app/media { access_log off; try_files $uri /404; }
location ~ ^/storage/app/yml { try_files $uri /404; }
location ~ ^/files { access_log off; try_files $uri /404; }
location ~ ^/storage/app/.*\.xls { try_files $uri /404; }
location ~ ^/storage/temp/public { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/semantic { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/resources { access_log off; try_files $uri /404; }

29
playbooks/debops/files/etc/nginx/includes.d/staticfiles.conf Normal file
View File

@ -0,0 +1,29 @@
location ~* \.(jpg|jpeg|gif|png|svg|ico)$ {
access_log off;
expires max;
log_not_found off;
error_page 404 = /empty;
}
location = /empty {
expires 0;
empty_gif;
}
location ~* \.(eot|ttf|woff|pdf|css|js)$ {
access_log off;
expires max;
}
location ~* \.(xml|xls)$ {
add_header Cache-Control "no-cache";
}
location ~ /\. {
deny all;
}
location ~* \.(tpl|ini|sh) {
deny all;
}

20
playbooks/debops/files/etc/nginx/includes.d/www.conf Normal file
View File

@ -0,0 +1,20 @@
error_page 418 = @www;
set $www "0";
if ( $http_host ~* "^www\.") {
set $www "${www}1";
}
if ( $http_host ~* "^m\.") {
set $www "${www}2";
}
if ( $www = "0" ) {
return 418;
}
location @www {
rewrite ^ $scheme://www.$host$request_uri? permanent;
}

19
playbooks/debops/keyring.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Manage APT and GPG keyrings
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
keyring__enabled: True
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring' ]

40
playbooks/debops/mariadb-custom-db.yml Normal file
View File

@ -0,0 +1,40 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
mariadb__upstream_version: '10.5'
vars_files:
- ./../../vars/databases.yml
roles:
- role: secret
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
keyring__dependent_apt_keys:
- '{{ mariadb__keyring__dependent_apt_keys }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
python__dependent_packages3:
- '{{ mariadb__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb__python__dependent_packages2 }}'
- role: mariadb
tags: [ 'role::mariadb', 'skip::mariadb' ]

36
playbooks/debops/mariadb.yml Normal file
View File

@ -0,0 +1,36 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
mariadb__upstream_version: '10.5'
roles:
- role: secret
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
keyring__dependent_apt_keys:
- '{{ mariadb__keyring__dependent_apt_keys }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
python__dependent_packages3:
- '{{ mariadb__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb__python__dependent_packages2 }}'
- role: mariadb
tags: [ 'role::mariadb', 'skip::mariadb' ]

63
playbooks/debops/mariadb_server.yml Normal file
View File

@ -0,0 +1,63 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb_server/defaults/main.html
- name: Manage MariaDB server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb_server__flavor: '{{ ansible_local.mariadb.flavor
|d(mariadb_server__flavor_map[ansible_distribution_release] | d("mariadb_upstream")) }}'
mariadb_server__upstream_version: '11.2'
mariadb_server__bind_address: '127.0.0.1'
mariadb_server__mysqld_performance_options:
'innodb_buffer_pool_instances': '{{ ansible_processor_vcpus | d(1) }}'
'innodb_buffer_pool_size': '{{ (ansible_memtotal_mb / 2) | int }}M'
'innodb_log_file_size': '{{ (ansible_memtotal_mb / 2) / 4 | int }}M'
'query_cache_type': '1'
'query_cache_size': '1M'
'query_cache_limit': '10M'
'join_buffer_size': '1M'
'performance_schema': 'ON'
'skip-name-resolve': 'ON'
# mariadb_server__options:
# 'query_cache_size': '1M'
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb_server' ]
keyring__dependent_apt_keys:
- '{{ mariadb_server__keyring__dependent_apt_keys }}'
- role: etc_services
tags: [ 'role::etc_services' ]
etc_services__dependent_list:
- '{{ mariadb_server__etc_services__dependent_rules }}'
#
# - role: ferm
# tags: [ 'role::ferm', 'skip::ferm' ]
# ferm__dependent_rules:
# - '{{ mariadb_server__ferm__dependent_rules }}'
# - role: tcpwrappers
# tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
# tcpwrappers__dependent_allow:
# - '{{ mariadb_server__tcpwrappers__dependent_allow }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb_server' ]
python__dependent_packages3:
- '{{ mariadb_server__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb_server__python__dependent_packages2 }}'
- role: mariadb_server
tags: [ 'role::mariadb_server', 'skip::mariadb_server' ]

29
playbooks/debops/nginx-master-proxy.yml Normal file
View File

@ -0,0 +1,29 @@
---
- name: Manage master nginx proxy
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
nginx_acme: True
nginx_real_ip_from: ['172.16.30.0/24']
nginx_default_keepalive_timeout: 65
nginx_ocsp: False
nginx_worker_processes: auto
pre_tasks:
- name: Copy Nginx Master Proxy config examples
copy:
src: etc/nginx-master-proxy/conf.d
dest: /etc/nginx/
mode: 0644
roles:
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]

123
playbooks/debops/nginx.yml Normal file
View File

@ -0,0 +1,123 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/nginx/defaults/main.html
- name: Manage nginx webserver
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/site.yml
- ./../../vars/php.yml
- ./../../vars/nginx.yml
vars:
nginx_acme: False
nginx_http_extra_options: |
client_max_body_size 100M;
nginx_real_ip_from: ['172.16.30.0/24']
nginx_default_keepalive_timeout: 65
# nginx_webroot_create: False
nginx_ocsp: False
nginx_worker_processes: auto
nginx_manage_ipv6only: False
nginx_default_name: 'welcome'
nginx_default_ssl_name: 'welcome'
# TODO: Replace [::]:443 to 443 and [::]:80 to 80 in site nginx config
nginx_server_localhost:
enabled: False
nginx_listen_port: [ '80' ]
nginx_listen_ssl_port: [ '443' ]
nginx__servers:
- name: '{{ domain_name }}'
type: php
root: '/var/www/{{ site_name }}'
public_dir_name: ''
include_files_begin: '{{ nginx_includes_begin }}'
options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;'
location_list:
- pattern: '/'
locations:
- pattern: '~ ^/.*-backend/'
options: |
try_files /index.html @october;
set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock;
client_max_body_size 1000M;
options: try_files /index.html @october;
- pattern: '@october'
options: rewrite ^/.*$ /index.php last;
- pattern: '~* ^(?!/index).*\.php$'
options: return 403;
php_options: |
fastcgi_read_timeout 3000;
php_upstream: $upstream
#location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
php_location_script_name: ~ ^(?<script_name>/index\.php)
#location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
php_location_path_info: ~ ^(?<script_name>/index\.php)(?<path_info>/.*)?
pre_tasks:
- name: Set filtered includes
set_fact:
nginx_includes_begin: "{{ (nginx_includes_begin | default([])) | union([item]) }}"
when: item != omit
loop:
- "{{ (nginx_www_domain and nginx_www_redirect == 'www') | ternary('includes.d/www.conf', omit) }}"
- "{{ (nginx_www_domain and nginx_www_redirect == 'non-www') | ternary('includes.d/non-www.conf', omit) }}"
- includes.d/octobercms.conf
- includes.d/staticfiles.conf
- name: Copy OctoberCMS nginx conf includes and www redirect
copy:
src: etc/nginx/includes.d
dest: /etc/nginx/
mode: 0644
- name: Copy map config for www/non-www redirects
copy:
src: etc/nginx/conf.d/map_tld_domain.conf
dest: /etc/nginx/conf.d/
mode: 0644
post_tasks:
- name: Default index.html
template:
src: var/www/site_name/index.html.j2
dest: '/var/www/{{ site_name }}/index.html'
mode: 0644
owner: '{{ site_name }}'
- name: Copy normalized.css
template:
src: var/www/site_name/normalize.css
dest: '/var/www/{{ site_name }}/'
mode: 0644
owner: '{{ site_name }}'
roles:
# - role: keyring
# tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
# keyring__dependent_apt_keys:
# - '{{ nginx__keyring__dependent_apt_keys }}'
#
# - role: apt_preferences
# tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
# apt_preferences__dependent_list:
# - '{{ nginx__apt_preferences__dependent_list }}'
#
# - role: python
# tags: [ 'role::python', 'skip::python' ]
# python__dependent_packages3:
# - '{{ nginx__python__dependent_packages3 }}'
# python__dependent_packages2:
# - '{{ nginx__python__dependent_packages2 }}'
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]

30
playbooks/debops/nodejs.yml Normal file
View File

@ -0,0 +1,30 @@
---
- name: Manage NodeJS environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
nodejs__node_upstream: True
nodejs__node_upstream_release: node_18.x
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::nodejs' ]
keyring__dependent_apt_keys:
- '{{ nodejs__keyring__dependent_apt_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ nodejs__apt_preferences__dependent_list }}'
- role: nodejs
tags: [ 'role::nodejs', 'skip::nodejs' ]

95
playbooks/debops/php-prod.yml Normal file
View File

@ -0,0 +1,95 @@
---
- name: Install and manage PHP environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
# Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__base_packages:
- unzip
- git
# mysql - это нужно только для WordPress
# mbstring требует только некоторые пакеты в laravel
# bcmath - нужно для работы парсера Excel файлов на одном из проектов
# Laravel/OctoberCMS: intl, redis
php__composer_upstream_enabled: '{{ True
if (ansible_distribution_release in
[ "buster" ])
else False }}'
php__php_included_packages: '{{ php__common_included_packages
+ [ "sysvsem", "sysvshm" ] }}'
php__fpm_pm: static
php__fpm_pm_max_children: 26
php__pools:
- name: backend
user: www-data
group: www-data
php_admin_values:
memory_limit: 256M
post_max_size: 800M
upload_max_filesize: 200M
max_execution_time: 600
pm: static
pm_max_children: 3
vars_files:
- ./../../vars/php.yml
pre_tasks:
- name: Apply keyring configuration for php environment
import_role:
name: 'keyring'
vars:
keyring__dependent_apt_keys:
- '{{ php__keyring__dependent_apt_keys }}'
tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
- name: Prepare php environment
import_role:
name: 'php'
tasks_from: 'main_env'
tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
roles:
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ php__apt_preferences__dependent_list }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: logrotate
tags: [ 'role::logrotate', 'skip::logrotate' ]
logrotate__dependent_config:
- '{{ php__logrotate__dependent_config }}'
- role: apt_install
- role: php
tags: [ 'role::php', 'skip::php' ]

80
playbooks/debops/php-wp.yml Normal file
View File

@ -0,0 +1,80 @@
---
- name: Install and manage PHP environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/php.yml
vars:
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
# Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__base_packages:
- unzip
- git
# mysql - это нужно только для WordPress
# mbstring требует только некоторые пакеты в laravel
# bcmath - нужно для работы парсера Excel файлов на одном из проектов
php__packages: [ 'curl', 'xml', 'gd', 'zip', 'mbstring', 'mysql', 'bcmath' ]
php__composer_upstream_enabled: '{{ True
if (ansible_distribution_release in
[ "buster" ])
else False }}'
php__php_included_packages: '{{ php__common_included_packages
+ [ "sysvsem", "sysvshm" ] }}'
pre_tasks:
- name: Apply keyring configuration for php environment
import_role:
name: 'keyring'
vars:
keyring__dependent_apt_keys:
- '{{ php__keyring__dependent_apt_keys }}'
tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
- name: Prepare php environment
import_role:
name: 'php'
tasks_from: 'main_env'
tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
roles:
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ php__apt_preferences__dependent_list }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: logrotate
tags: [ 'role::logrotate', 'skip::logrotate' ]
logrotate__dependent_config:
- '{{ php__logrotate__dependent_config }}'
- role: apt_install
- role: php
tags: [ 'role::php', 'skip::php' ]

36
playbooks/debops/pki.yml Normal file
View File

@ -0,0 +1,36 @@
---
- name: Manage Public Key Infrastructure
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
pki_internal: True
pki_acme: False
pre_tasks:
- name: Prepare pki environment
import_role:
name: 'pki'
tasks_from: 'main_env'
tags: [ 'role::pki', 'role::pki:secret', 'role::secret' ]
roles:
- role: secret
tags: [ 'role::secret', 'role::pki', 'role::pki:secret' ]
secret_directories:
- '{{ pki_env_secret_directories }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: pki
tags: [ 'role::pki', 'skip::pki' ]

91
playbooks/debops/redis.yml Normal file
View File

@ -0,0 +1,91 @@
---
- name: Manage Redis server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
redis_server__auth_password:
redis_server__configuration:
- name: 'main'
options:
# - name: 'save'
# value: ''
# dynamic: True
- name: 'protected-mode'
value: 'no'
dynamic: False
- name: 'stop-writes-on-bgsave-error'
value: 'no'
dynamic: False
- name: 'save'
value:
- name: '900 1'
state: absent
- name: '300 10'
state: absent
- name: '60 10000'
state: absent
dynamic: False
pre_tasks:
- name: Prepare sysfs environment
import_role:
name: 'sysfs'
tasks_from: 'main_env'
tags: [ 'role::sysfs', 'role::secret' ]
- name: Prepare redis_server environment
import_role:
name: 'redis_server'
tasks_from: 'main_env'
tags: [ 'role::redis_server', 'role::ferm' ]
roles:
- role: secret
tags: [ 'role::secret', 'role::sysfs' ]
secret__directories:
- '{{ sysfs__secret__directories | d([]) }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ redis_server__apt_preferences__dependent_list }}'
- role: etc_services
tags: [ 'role::etc_services', 'skip::etc_services' ]
etc_services__dependent_list:
- '{{ redis_server__etc_services__dependent_list }}'
- role: sysctl
tags: [ 'role::sysctl', 'skip::sysctl' ]
sysctl__dependent_parameters:
- '{{ redis_server__sysctl__dependent_parameters }}'
- role: sysfs
tags: [ 'role::sysfs', 'skip::sysfs' ]
sysfs__dependent_attributes:
- '{{ redis_server__sysfs__dependent_attributes }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::redis_server' ]
python__dependent_packages3:
- '{{ redis_server__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ redis_server__python__dependent_packages2 }}'
- role: redis_server
tags: [ 'role::redis_server', 'skip::redis_server' ]

21
playbooks/debops/root_account.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Manage root system account
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
root_account__enabled: True
root_account__password: False
root_account__dotfiles_enabled: True
root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
roles:
- role: root_account
tags: [ 'role::root_account', 'skip::root_account' ]

30
playbooks/debops/sudo.yml Normal file
View File

@ -0,0 +1,30 @@
---
- name: Configure sudo service
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/sudo.yml
roles:
# - role: python
# tags: [ 'role::python', 'skip::python', 'role::ldap' ]
# python__dependent_packages3:
# - '{{ ldap__python__dependent_packages3 }}'
# python__dependent_packages2:
# - '{{ ldap__python__dependent_packages2 }}'
#
# - role: ldap
# tags: [ 'role::ldap', 'skip::ldap' ]
# ldap__dependent_tasks:
# - '{{ sudo__ldap__dependent_tasks }}'
- role: sudo
tags: [ 'role::sudo', 'skip::sudo' ]

34
playbooks/debops/system_users.yml Normal file
View File

@ -0,0 +1,34 @@
---
- name: Manage local users and groups
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
system_users__self: False
system_users__dotfiles_enabled: True
system_users__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
vars_files:
- ./../../vars/system_users.yml
post_tasks:
- name: Change starship character to dollar sign
shell: |
sed -i 's/#/\\$/g' /home/{{ site_name }}/.config/starship.toml
args:
executable: /bin/bash
roles:
- role: libuser
tags: [ 'role::libuser', 'skip::libuser' ]
- role: system_users
tags: [ 'role::system_users', 'skip::system_users' ]

76
playbooks/debops/templates/var/www/site_name/index.html.j2 Normal file
View File

@ -0,0 +1,76 @@
{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
# Copyright (C) 2014-2017 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
#}
<!DOCTYPE html>
<html lang="en">
{% set nginx_tpl_domain = item.welcome_domain | d(item.name if (item.name is string) else item.name[0] | d(ansible_domain)) %}
{% if nginx_tpl_domain %}
{% set nginx_tpl_welcome_title = '<a href="' + item.welcome_url_scheme | d("https") + '://' + nginx_tpl_domain + '/">' + nginx_tpl_domain + '</a>' %}
{% else %}
{% set nginx_tpl_welcome_title = '<a href="http://companyname.website/">CompanyName.website</a>' %}
{% endif %}
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="referrer" content="no-referrer">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{{ nginx_tpl_domain | d("CompanyName.website") }}</title>
{% if item.welcome_css | d(True) | bool %}
<link rel="stylesheet" type="text/css" media="screen" href="normalize.css">
<style type="text/css" media="screen">
html {
font-size: 17px;
font-family: "Droid Sans Condensed", sans-serif;
}
@media (max-width: 900px) {
html { font-size: 15px; }
}
@media (max-width: 400px) {
html { font-size: 13px; }
}
#content {
margin: 0 auto;
width: 600px;
padding: 2rem;
text-align: center;
}
@media (max-width: 900px) {
#content {
width: 70%;
padding: 1.5rem;
}
}
h1 {
padding-bottom: 0.05em;
border-bottom: 2px solid #0092DF;
}
a {
text-decoration: none;
color: #0092DF;
}
</style>
{% endif %}
</head>
<body>
<div id="content">
<h2>{{ nginx_tpl_welcome_title }}</h2>
{% if nginx_tpl_domain %}
<p id="http-status"><strong>{{ item.welcome_status_choices | d([ '200 OK', "418 I'm a teapot" ]) | random }}</strong></p>
{% elif not nginx_tpl_domain %}
<p>If you're reading this, the web server was installed correctly.</p>
{% endif %}
</div>
</body>
</html>

427
playbooks/debops/templates/var/www/site_name/normalize.css vendored Normal file
View File

@ -0,0 +1,427 @@
/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */
/* Copyright (C) 2015 Nicolas Gallagher <nicolasgallagher@gmail.com> */
/* Copyright (C) 2015 Jonathan Neal <jonathantneal@hotmail.com> */
/* SPDX-License-Identifier: MIT */
/**
* 1. Set default font family to sans-serif.
* 2. Prevent iOS and IE text size adjust after device orientation change,
* without disabling user zoom.
*/
html {
font-family: sans-serif; /* 1 */
-ms-text-size-adjust: 100%; /* 2 */
-webkit-text-size-adjust: 100%; /* 2 */
}
/**
* Remove default margin.
*/
body {
margin: 0;
}
/* HTML5 display definitions
========================================================================== */
/**
* Correct `block` display not defined for any HTML5 element in IE 8/9.
* Correct `block` display not defined for `details` or `summary` in IE 10/11
* and Firefox.
* Correct `block` display not defined for `main` in IE 11.
*/
article,
aside,
details,
figcaption,
figure,
footer,
header,
hgroup,
main,
menu,
nav,
section,
summary {
display: block;
}
/**
* 1. Correct `inline-block` display not defined in IE 8/9.
* 2. Normalize vertical alignment of `progress` in Chrome, Firefox, and Opera.
*/
audio,
canvas,
progress,
video {
display: inline-block; /* 1 */
vertical-align: baseline; /* 2 */
}
/**
* Prevent modern browsers from displaying `audio` without controls.
* Remove excess height in iOS 5 devices.
*/
audio:not([controls]) {
display: none;
height: 0;
}
/**
* Address `[hidden]` styling not present in IE 8/9/10.
* Hide the `template` element in IE 8/9/10/11, Safari, and Firefox < 22.
*/
[hidden],
template {
display: none;
}
/* Links
========================================================================== */
/**
* Remove the gray background color from active links in IE 10.
*/
a {
background-color: transparent;
}
/**
* Improve readability of focused elements when they are also in an
* active/hover state.
*/
a:active,
a:hover {
outline: 0;
}
/* Text-level semantics
========================================================================== */
/**
* Address styling not present in IE 8/9/10/11, Safari, and Chrome.
*/
abbr[title] {
border-bottom: 1px dotted;
}
/**
* Address style set to `bolder` in Firefox 4+, Safari, and Chrome.
*/
b,
strong {
font-weight: bold;
}
/**
* Address styling not present in Safari and Chrome.
*/
dfn {
font-style: italic;
}
/**
* Address variable `h1` font-size and margin within `section` and `article`
* contexts in Firefox 4+, Safari, and Chrome.
*/
h1 {
font-size: 2em;
margin: 0.67em 0;
}
/**
* Address styling not present in IE 8/9.
*/
mark {
background: #ff0;
color: #000;
}
/**
* Address inconsistent and variable font size in all browsers.
*/
small {
font-size: 80%;
}
/**
* Prevent `sub` and `sup` affecting `line-height` in all browsers.
*/
sub,
sup {
font-size: 75%;
line-height: 0;
position: relative;
vertical-align: baseline;
}
sup {
top: -0.5em;
}
sub {
bottom: -0.25em;
}
/* Embedded content
========================================================================== */
/**
* Remove border when inside `a` element in IE 8/9/10.
*/
img {
border: 0;
}
/**
* Correct overflow not hidden in IE 9/10/11.
*/
svg:not(:root) {
overflow: hidden;
}
/* Grouping content
========================================================================== */
/**
* Address margin not present in IE 8/9 and Safari.
*/
figure {
margin: 1em 40px;
}
/**
* Address differences between Firefox and other browsers.
*/
hr {
box-sizing: content-box;
height: 0;
}
/**
* Contain overflow in all browsers.
*/
pre {
overflow: auto;
}
/**
* Address odd `em`-unit font size rendering in all browsers.
*/
code,
kbd,
pre,
samp {
font-family: monospace, monospace;
font-size: 1em;
}
/* Forms
========================================================================== */
/**
* Known limitation: by default, Chrome and Safari on OS X allow very limited
* styling of `select`, unless a `border` property is set.
*/
/**
* 1. Correct color not being inherited.
* Known issue: affects color of disabled elements.
* 2. Correct font properties not being inherited.
* 3. Address margins set differently in Firefox 4+, Safari, and Chrome.
*/
button,
input,
optgroup,
select,
textarea {
color: inherit; /* 1 */
font: inherit; /* 2 */
margin: 0; /* 3 */
}
/**
* Address `overflow` set to `hidden` in IE 8/9/10/11.
*/
button {
overflow: visible;
}
/**
* Address inconsistent `text-transform` inheritance for `button` and `select`.
* All other form control elements do not inherit `text-transform` values.
* Correct `button` style inheritance in Firefox, IE 8/9/10/11, and Opera.
* Correct `select` style inheritance in Firefox.
*/
button,
select {
text-transform: none;
}
/**
* 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio`
* and `video` controls.
* 2. Correct inability to style clickable `input` types in iOS.
* 3. Improve usability and consistency of cursor style between image-type
* `input` and others.
*/
button,
html input[type="button"], /* 1 */
input[type="reset"],
input[type="submit"] {
-webkit-appearance: button; /* 2 */
cursor: pointer; /* 3 */
}
/**
* Re-set default cursor for disabled elements.
*/
button[disabled],
html input[disabled] {
cursor: default;
}
/**
* Remove inner padding and border in Firefox 4+.
*/
button::-moz-focus-inner,
input::-moz-focus-inner {
border: 0;
padding: 0;
}
/**
* Address Firefox 4+ setting `line-height` on `input` using `!important` in
* the UA stylesheet.
*/
input {
line-height: normal;
}
/**
* It's recommended that you don't attempt to style these elements.
* Firefox's implementation doesn't respect box-sizing, padding, or width.
*
* 1. Address box sizing set to `content-box` in IE 8/9/10.
* 2. Remove excess padding in IE 8/9/10.
*/
input[type="checkbox"],
input[type="radio"] {
box-sizing: border-box; /* 1 */
padding: 0; /* 2 */
}
/**
* Fix the cursor style for Chrome's increment/decrement buttons. For certain
* `font-size` values of the `input`, it causes the cursor style of the
* decrement button to change from `default` to `text`.
*/
input[type="number"]::-webkit-inner-spin-button,
input[type="number"]::-webkit-outer-spin-button {
height: auto;
}
/**
* 1. Address `appearance` set to `searchfield` in Safari and Chrome.
* 2. Address `box-sizing` set to `border-box` in Safari and Chrome.
*/
input[type="search"] {
-webkit-appearance: textfield; /* 1 */
box-sizing: content-box; /* 2 */
}
/**
* Remove inner padding and search cancel button in Safari and Chrome on OS X.
* Safari (but not Chrome) clips the cancel button when the search input has
* padding (and `textfield` appearance).
*/
input[type="search"]::-webkit-search-cancel-button,
input[type="search"]::-webkit-search-decoration {
-webkit-appearance: none;
}
/**
* Define consistent border, margin, and padding.
*/
fieldset {
border: 1px solid #c0c0c0;
margin: 0 2px;
padding: 0.35em 0.625em 0.75em;
}
/**
* 1. Correct `color` not being inherited in IE 8/9/10/11.
* 2. Remove padding so people aren't caught out if they zero out fieldsets.
*/
legend {
border: 0; /* 1 */
padding: 0; /* 2 */
}
/**
* Remove default vertical scrollbar in IE 8/9/10/11.
*/
textarea {
overflow: auto;
}
/**
* Don't inherit the `font-weight` (applied by a rule above).
* NOTE: the default cannot safely be changed in Chrome and Safari on OS X.
*/
optgroup {
font-weight: bold;
}
/* Tables
========================================================================== */
/**
* Remove most spacing between table cells.
*/
table {
border-collapse: collapse;
border-spacing: 0;
}
td,
th {
padding: 0;
}

19
playbooks/debops/tzdata.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Manage time zone configuration
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
tzdata__timezone: Europe/Moscow
roles:
- role: tzdata
tags: [ 'role::tzdata', 'skip::tzdata' ]

72
playbooks/debops/yadm.yml Normal file
View File

@ -0,0 +1,72 @@
---
- name: Configure yadm, Yet Another Dotfiles Manager
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
yadm__enabled: True
yadm__dotfiles_enabled: True
yadm__upstream_enabled: True
yadm__upstream_version: '2.5.0'
# That be used in yadm.fact.j2 - python script for resolving ansible.local.yadm.dotfile git repo
yadm__dotfiles_host: vcs.wpstudio.ru
yadm__dotfiles_owner: gitea
yadm__default_dotfiles:
- name: 'gitea'
git: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
yadm__packages:
- curl
- git
- ncdu
- fontconfig
- vim
- direnv
post_tasks:
- name: Starship
shell: |
curl -sS https://starship.rs/install.sh | sh -s -- -f
- name: Nerd Font
shell: |
download_font () {
url="https://raw.githubusercontent.com/ryanoasis/nerd-fonts/master/patched-fonts/SourceCodePro/Regular/complete/${1// /%20}"
path="/usr/share/fonts/$1"
curl -s -o "$path" "$url"
}
install_fonts () {
download_font "Sauce Code Pro Nerd Font Complete.ttf"
fc-cache -fv > /dev/null
}
install_fonts
args:
executable: /bin/bash
- name: Xsel for working clipboard copy with X11 forwarding (use SSH -Y)
shell: apt install -yy xsel
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
keyring__dependent_gpg_keys:
- '{{ yadm__keyring__dependent_gpg_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ yadm__apt_preferences__dependent_list }}'
- role: yadm
tags: [ 'role::yadm', 'skip::yadm' ]

8
playbooks/dhcp.yml Normal file
View File

@ -0,0 +1,8 @@
---
- import_playbook: root-account.yml
- import_playbook: debops/dnsmasq.yml
- import_playbook: own/correct-paths-for-pct-enter.yml
# Import all other group playbooks in this file...
...

7
playbooks/nginx-only.yml Normal file
View File

@ -0,0 +1,7 @@
---
- import_playbook: own/allow-releaseinfo-change.yml
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
- import_playbook: debops/nginx.yml

18
playbooks/nginx-site-without-db-site.yml Normal file
View File

@ -0,0 +1,18 @@
---
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
- import_playbook: debops/php-prod.yml
- import_playbook: debops/nginx.yml
- import_playbook: debops/redis.yml
- import_playbook: own/var-www-set-ownerships.yml
- import_playbook: own/node-version-manager.yml
become: true
become_user: '{{ site_name }}'
- import_playbook: own/nginx-auth.yml
- import_playbook: own/correct-paths-for-pct-enter.yml
# Import all other group playbooks in this file...
...

28
playbooks/nginx-site.yml Normal file
View File

@ -0,0 +1,28 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/apt/getting-started.html#example-playbook
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
- import_playbook: debops/mariadb_server.yml
- import_playbook: debops/mariadb-custom-db.yml
- import_playbook: debops/php-prod.yml
- import_playbook: own/libgd3-fix-for-php8.yml
when: php_version is defined and php_version != '7.4'
- import_playbook: debops/nginx.yml
- import_playbook: debops/redis.yml
- import_playbook: own/var-www-set-ownerships.yml
- import_playbook: own/node-version-manager.yml
become: true
become_user: '{{ site_name }}'
- import_playbook: own/nginx-auth.yml
- import_playbook: own/phpmyadmin.yml
- import_playbook: own/phpmyadmin-nginx-auth.yml
- import_playbook: own/php-composer.yml
#- import_playbook: own/correct-paths-for-pct-enter.yml
# Import all other group playbooks in this file...
# TODO: удалить [::]: из конфигов. Определится с дефолтным конфигом. В конфиге pma.conf что-то не так с портами после получения сертификатов.
# TODO: Перенести маппинг host tld для non-www в conf.d
...

6
playbooks/own/allow-releaseinfo-change.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Resolve error for debian10 buster versions an apt update procedures
hosts: [ 'debian10' ]
tasks:
- name: Allow release info changed
shell: apt --allow-releaseinfo-change update

6
playbooks/own/apt-update.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Update system packages
hosts: [ 'debian10' ]
tasks:
- name: apt update
shell: apt update && apt upgrade -y

14
playbooks/own/correct-paths-for-pct-enter.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Nerest bash PATH var with set true paths after pct enter into lxc container from proxmox host
hosts: [ 'debian10' ]
# TODO: Tmux create session not worked in pct enter - only work tmux attach (so..)
tasks:
- name: Append .shell-env
ansible.builtin.lineinfile:
path: '/root/.shell-env'
line: |-
##
## Correct PATH for tmux enter
##
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

19
playbooks/own/libgd3-fix-for-php8.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Solve problem with libgd3 for php-gd
hosts: [ 'debian10' ]
vars_files:
- ./../../vars/php.yml
tasks:
- name: Set pin for libgd3 package
copy:
dest: '/etc/apt/preferences.d/libgd-pin100'
content: |-
Package: libgd3
Pin-Priority: 100
- name: Update apt cache policy and install libgd
shell: |-
apt update
apt install -t bullseye libgd3 -yy
apt-cache policy libgd3
apt install php{{ php_version }}-gd -yy

10
playbooks/own/locales.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: Configure Locales
hosts: [ 'debian10' ]
tasks:
- name: Setup EN & RU UTF-8 locales
shell: |
apt install -y locales && \
sed -i 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
sed -i 's/# ru_RU.UTF-8 UTF-8/ru_RU.UTF-8 UTF-8/' /etc/locale.gen && \
locale-gen

8
playbooks/own/lookup-password-test.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Configure Locales
hosts: [ 'debian10' ]
tasks:
- name: Set ownerships to /var/www dir
set_fact:
mariadb__server: '{{ lookup("password", "secret/vam-teplee-2023/testpass " + "length=15") }}'

19
playbooks/own/nginx-auth.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Setup nginx auth scaffolding dirs
hosts: [ 'debian10' ]
tasks:
- shell: |-
cd /etc/nginx
mkdir -p auth.d passwords.d
- copy:
dest: '/etc/nginx/auth.d/grant-access-certbot.conf'
content: |-
set $auth_basic Restricted;
if ($request_uri ~* "well-known") {
set $auth_basic off;
}
auth_basic $auth_basic;

7
playbooks/own/node-version-manager.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Installing node version manager
hosts: [ 'debian10' ]
tasks:
- name: Install nvm
shell: 'wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash'

23
playbooks/own/php-composer.yml Normal file
View File

@ -0,0 +1,23 @@
---
- name: Install PHP Composer
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
tasks:
- name: Download and install composer
when: (php_version is defined)
shell: |-
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === 'dac665fdc30fdd8ec78b38b9800061b4150413ff2e3b6f88543c636f7cd84f6db9189d43a81e5503cda447da73c7e5b6') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"
mv composer.phar /usr/local/bin/composer
- name: Download and install composer
when: (php_version is defined and php_version == '7.4')
shell: |-
composer self-update 1.10.27

26
playbooks/own/phpmyadmin-apache-auth.yml Normal file
View File

@ -0,0 +1,26 @@
---
- name: Create phpmyadmin apache auth passwords file
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
tasks:
- name: Import DebOps secret role
ansible.builtin.import_role:
name: 'secret'
- shell: |-
cd /etc/apache2
mkdir -p passwords.d
- name: 'Adding pma apache auth passwords files'
shell: |-
echo "pma:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/apache2/passwords.d/pma.passwords
- name: 'Change require all granted rule, because debops not present appropriate functional'
shell: |-
sed -i "s|Require all granted|Require valid-user|g" /etc/apache2/sites-available/pma.conf
- name: 'Restarting apache'
shell: |-
systemctl restart apache2

62
playbooks/own/phpmyadmin-nginx-auth.yml Normal file
View File

@ -0,0 +1,62 @@
---
- name: Install PhpMyAdmin
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
vars_files:
- ./../../vars/nginx.yml
- ./../../vars/php.yml
tasks:
- name: Import DebOps secret role
ansible.builtin.import_role:
name: 'secret'
- name: 'Adding pma nginx config'
copy:
dest: '/etc/nginx/sites-available/pma.conf'
content: |-
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/pki/realms/domain/default.crt;
ssl_certificate_key /etc/pki/realms/domain/default.key;
server_name pma.{{ domain_name }};
root /var/www/phpmyadmin;
index index.php;
include auth.d/pma-auth.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;
location ~ \.php$ {
fastcgi_pass $upstream;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SERVER_NAME $host;
}
}
- name: 'Adding pma nginx auth config'
copy:
dest: '/etc/nginx/auth.d/pma-auth.conf'
content: |-
include auth.d/grant-access-certbot.conf;
auth_basic_user_file passwords.d/pma.passwords;
- name: 'Adding pma nginx auth passwords files'
shell: |-
echo "pma:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/nginx/passwords.d/pma.passwords
- name: 'Turning on pma web site nginx config'
shell: |-
cd /etc/nginx/sites-enabled
ln -s ../sites-available/pma.conf ./
- name: 'Restarting nginx'
shell: |-
nginx -t && systemctl restart nginx

41
playbooks/own/phpmyadmin.yml Normal file
View File

@ -0,0 +1,41 @@
---
- name: Install PhpMyAdmin
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
vars:
- phpmyadmin_version: 5.2.1
# https://docs.ansible.com/ansible/latest/collections/community/general/random_string_lookup.html#keyword-parameters
- blowfish_secret: "{{ lookup('community.general.random_string', length=32) }}"
tasks:
- name: 'Download phpMyAdmin {{ phpmyadmin_version }} into var/www dir and uncompress'
become: true
become_user: '{{ site_name }}'
shell: |-
cd /var/www
rm -rf phpmyadmin
wget -q https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
unzip -qq phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
rm phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
mv phpMyAdmin-{{ phpmyadmin_version }}-all-languages phpmyadmin
cd phpmyadmin
cp config.sample.inc.php config.inc.php
mkdir tmp && sudo chown :33 tmp && chmod g+w tmp
- name: 'Set cookie blowfish secret'
# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/replace_module.html
replace:
path: /var/www/phpmyadmin/config.inc.php
regexp: "'blowfish_secret'] = ''"
replace: "'blowfish_secret'] = '{{ blowfish_secret | replace('\'', '\\\'') }}'\n\n$cfg['CookieSameSite'] = 'Lax';\n"
- name: 'Set MaxTableList'
replace:
path: /var/www/phpmyadmin/config.inc.php
regexp: "^//$cfg['MaxRows'](.*)"
replace: "//$cfg['MaxRows']\1\n\n$cfg['MaxTableList'] = 500;\n"

7
playbooks/own/var-www-set-ownerships.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Configure Locales
hosts: [ 'debian10' ]
tasks:
- name: Set ownerships to /var/www dir
shell: 'chown -R {{ site_name }}:{{ site_name }} /var/www'

15
playbooks/own/wp-cli.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Install WP-CLI
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
tasks:
- name: Download and install wp-cli
shell: |-
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp

9
playbooks/own/yadm-update.yml Normal file
View File

@ -0,0 +1,9 @@
---
- hosts: ['debian10']
tasks:
- name: Update existing YADM install with remote ip-address plugin and replace own
shell: |
yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
rm -rf .tmux/plugins/tmux-ip-address
yadm pull
yadm checkout .

40
playbooks/own/yadm.yml Normal file
View File

@ -0,0 +1,40 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Install direnv
become_user: root
shell: |
command -v direnv > /dev/null || {
curl -sfLo /usr/local/bin/direnv https://github.com/direnv/direnv/releases/download/v2.35.0/direnv.linux-amd64 && \
chmod a+x /usr/local/bin/direnv
}
- name: Install Starship
become_user: root
shell: |
command -v starship> /dev/null || {
curl -sS https://starship.rs/install.sh | sh -s -- -f
}
- name: Install with init or update yadm
become_user: root
shell: |
command -v yadm && {
yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
rm -rf .tmux/plugins/tmux-ip-address
yadm pull && yadm checkout .
} || {
curl -sfLo /usr/local/bin/yadm https://github.com/TheLocehiliosan/yadm/raw/master/yadm && chmod a+x /usr/local/bin/yadm
yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .
}
# For manual change: sed -i 's/#/\\$/g' ${HOME}/.config/starship.toml
- name: 'Change character for non-root user'
become_user: root
shell: |
HOME_USER=$(ls /home)
test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .'
test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'sed -i "s/#/\\$/g" ${HOME}/.config/starship.toml'
exit 0
args:
executable: /bin/bash

11
playbooks/root-account.yml Normal file
View File

@ -0,0 +1,11 @@
---
- import_playbook: own/locales.yml
- import_playbook: debops/apt.yml
- import_playbook: debops/tzdata.yml
#- import_playbook: own/allow-releaseinfo-change.yml# Need only for debian10
- import_playbook: debops/yadm.yml
- import_playbook: debops/root_account.yml
- name: Adding site_name project user to sudoers
import_playbook: debops/sudo.yml
when: 'runner != "normal"'

2
playbooks/yadm.yml Normal file
View File

@ -0,0 +1,2 @@
---
- import_playbook: own/yadm.yml

8
requirements.yml Normal file
View File

@ -0,0 +1,8 @@
---
collections:
- name: nginxinc.nginx_core
version: 0.8.0
- name: https://github.com/debops/debops.git
type: git
version: d554096b5cb02f4c37f68d80d9103105dd5de34b

3
role/defaults/main.yml Normal file
View File

@ -0,0 +1,3 @@
---
mariadb__root_password: '{{ lookup("password", secret + "/credentials/" +
ansible_fqdn + "/mariadb/root/password length=20") }}'

7
roles/common/tasks/main.yml
View File

@ -1,4 +1,5 @@
--- ---
# #
# Tasks to be applied to all servers # Tasks to be applied to all servers
# #
@ -10,4 +11,8 @@
# Add further tasks for the common role (applied to all servers) to this playbook... # Add further tasks for the common role (applied to all servers) to this playbook...
... - name: Install gnupg
shell: >-
apt-get update &&
apt-get install --no-install-recommends --no-install-suggests -y gnupg1 gnupg2 gnupg ca-certificates

8
roles/composer/tasks/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Update packages
shell: apt update
# TODO: установка композера
...

8
roles/locales/tasks/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Setup EN & RU UTF-8 locales
shell: |
apt install -y locales && \
sed -i 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
sed -i 's/# ru_RU.UTF-8 UTF-8/ru_RU.UTF-8 UTF-8/' /etc/locale.gen && \
locale-gen

15
roles/nginx/files/nginx.systemd Normal file
View File

@ -0,0 +1,15 @@
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target

51
roles/nginx/files/octobercms.conf Normal file
View File

@ -0,0 +1,51 @@
location / {
rewrite ^/.*$ /index.php last;
}
location ~ ^/combine.*\.(css|js) {
rewrite ^/.*$ /index.php last;
expires max;
}
# Whitelist
## Let October handle if static file does not exists
location = /favicon.ico { try_files $uri /index.php; }
location ~ ^/.*\.xml { try_files $uri /index.php; }
location = /robots.txt { try_files $uri /index.php; }
location = /humans.txt { try_files $uri /index.php; }
location ~ ^/(google|yandex).*\.html { try_files $uri /index.php; }
## Let nginx return 404 if static file does not exists
location /storage/app/uploads/public { try_files $uri /404; }
location /storage/app/media { try_files $uri /404; }
location /storage/app/yml { try_files $uri /404; }
location /storage/app/docx { try_files $uri /404; }
location /storage/app/resized { try_files $uri /404; }
location /storage/temp/public { try_files $uri /404; }
location /files { try_files $uri /404; }
location ~ ^/storage/app/.*\.xls { try_files $uri /404; }
location ~ ^/modules/.*/assets { try_files $uri /404; }
location ~ ^/modules/.*/resources { try_files $uri /404; }
location ~ ^/modules/.*/behaviors/.*/assets { try_files $uri /404; }
location ~ ^/modules/.*/behaviors/.*/resources { try_files $uri /404; }
location ~ ^/modules/.*/widgets/.*/assets { try_files $uri /404; }
location ~ ^/modules/.*/widgets/.*/resources { try_files $uri /404; }
location ~ ^/modules/.*/formwidgets/.*/assets { try_files $uri /404; }
location ~ ^/modules/.*/formwidgets/.*/resources { try_files $uri /404; }
location ~ ^/modules/.*/reportwidgets/.*/assets { try_files $uri /404; }
location ~ ^/modules/.*/reportwidgets/.*/resources { try_files $uri /404; }
location ~ ^/plugins/.*/.*/assets { try_files $uri /404; }
location ~ ^/plugins/.*/.*/resources { try_files $uri /404; }
location ~ ^/plugins/.*/.*/behaviors/.*/assets { try_files $uri /404; }
location ~ ^/plugins/.*/.*/behaviors/.*/resources { try_files $uri /404; }
location ~ ^/plugins/.*/.*/reportwidgets/.*/assets { try_files $uri /404; }
location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { try_files $uri /404; }
location ~ ^/plugins/.*/.*/formwidgets/.*/assets { try_files $uri /404; }
location ~ ^/plugins/.*/.*/formwidgets/.*/resources { try_files $uri /404; }
location ~ ^/plugins/.*/.*/widgets/.*/assets { try_files $uri /404; }
location ~ ^/plugins/.*/.*/widgets/.*/resources { try_files $uri /404; }
location ~ ^/themes/.*/resources { try_files $uri /404; }

21
roles/nginx/tasks/main.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Update packages
shell: apt update
- name: Install nginx
shell: apt install nginx -y
- name: Enable nginx
shell: systemctl enable nginx
- name: Copy nginx config
copy:
src: 'octobercms.conf'
dest: '/etc/nginx/includes.d'
mode: 0744
- name: Restart nginx
shell: systemctl restart nginx
...

69
roles/php-from-source/files/docker-php-ext-configure Executable file
View File

@ -0,0 +1,69 @@
#!/bin/sh
set -e
# prefer user supplied CFLAGS, but default to our PHP_CFLAGS
: ${CFLAGS:=$PHP_CFLAGS}
: ${CPPFLAGS:=$PHP_CPPFLAGS}
: ${LDFLAGS:=$PHP_LDFLAGS}
export CFLAGS CPPFLAGS LDFLAGS
srcExists=
if [ -d /usr/src/php ]; then
srcExists=1
fi
docker-php-source extract
if [ -z "$srcExists" ]; then
touch /usr/src/php/.docker-delete-me
fi
cd /usr/src/php/ext
usage() {
echo "usage: $0 ext-name [configure flags]"
echo " ie: $0 gd --with-jpeg-dir=/usr/local/something"
echo
echo 'Possible values for ext-name:'
find . \
-mindepth 2 \
-maxdepth 2 \
-type f \
-name 'config.m4' \
| xargs -n1 dirname \
| xargs -n1 basename \
| sort \
| xargs
echo
echo 'Some of the above modules are already compiled into PHP; please check'
echo 'the output of "php -i" to see which modules are already loaded.'
}
ext="$1"
if [ -z "$ext" ] || [ ! -d "$ext" ]; then
usage >&2
exit 1
fi
shift
pm='unknown'
if [ -e /lib/apk/db/installed ]; then
pm='apk'
fi
if [ "$pm" = 'apk' ]; then
if \
[ -n "$PHPIZE_DEPS" ] \
&& ! apk info --installed .phpize-deps > /dev/null \
&& ! apk info --installed .phpize-deps-configure > /dev/null \
; then
apk add --no-cache --virtual .phpize-deps-configure $PHPIZE_DEPS
fi
fi
if command -v dpkg-architecture > /dev/null; then
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"
set -- --build="$gnuArch" "$@"
fi
cd "$ext"
phpize
./configure --enable-option-checking=fatal "$@"

121
roles/php-from-source/files/docker-php-ext-enable Executable file
View File

@ -0,0 +1,121 @@
#!/bin/sh
set -e
extDir="$(php -d 'display_errors=stderr' -r 'echo ini_get("extension_dir");')"
cd "$extDir"
usage() {
echo "usage: $0 [options] module-name [module-name ...]"
echo " ie: $0 gd mysqli"
echo " $0 pdo pdo_mysql"
echo " $0 --ini-name 0-apc.ini apcu apc"
echo
echo 'Possible values for module-name:'
find -maxdepth 1 \
-type f \
-name '*.so' \
-exec basename '{}' ';' \
| sort \
| xargs
echo
echo 'Some of the above modules are already compiled into PHP; please check'
echo 'the output of "php -i" to see which modules are already loaded.'
}
opts="$(getopt -o 'h?' --long 'help,ini-name:' -- "$@" || { usage >&2 && false; })"
eval set -- "$opts"
iniName=
while true; do
flag="$1"
shift
case "$flag" in
--help|-h|'-?') usage && exit 0 ;;
--ini-name) iniName="$1" && shift ;;
--) break ;;
*)
{
echo "error: unknown flag: $flag"
usage
} >&2
exit 1
;;
esac
done
modules=
for module; do
if [ -z "$module" ]; then
continue
fi
if ! [ -f "$module" ] && ! [ -f "$module.so" ]; then
echo >&2 "error: '$module' does not exist"
echo >&2
usage >&2
exit 1
fi
modules="$modules $module"
done
if [ -z "$modules" ]; then
usage >&2
exit 1
fi
pm='unknown'
if [ -e /lib/apk/db/installed ]; then
pm='apk'
fi
apkDel=
if [ "$pm" = 'apk' ]; then
if \
[ -n "$PHPIZE_DEPS" ] \
&& ! apk info --installed .phpize-deps > /dev/null \
&& ! apk info --installed .phpize-deps-configure > /dev/null \
; then
apk add --no-cache --virtual '.docker-php-ext-enable-deps' binutils
apkDel='.docker-php-ext-enable-deps'
fi
fi
for module in $modules; do
moduleFile="$module"
if [ -f "$module.so" ] && ! [ -f "$module" ]; then
moduleFile="$module.so"
fi
if readelf --wide --syms "$moduleFile" | grep -q ' zend_extension_entry$'; then
# https://wiki.php.net/internals/extensions#loading_zend_extensions
line="zend_extension=$module"
else
line="extension=$module"
fi
ext="$(basename "$module")"
ext="${ext%.*}"
if php -d 'display_errors=stderr' -r 'exit(extension_loaded("'"$ext"'") ? 0 : 1);'; then
# this isn't perfect, but it's better than nothing
# (for example, 'opcache.so' presents inside PHP as 'Zend OPcache', not 'opcache')
echo >&2
echo >&2 "warning: $ext ($module) is already loaded!"
echo >&2
continue
fi
case "$iniName" in
/*)
# allow an absolute path
ini="$iniName"
;;
*)
ini="$PHP_INI_DIR/conf.d/${iniName:-"docker-php-ext-$ext.ini"}"
;;
esac
if ! grep -qFx -e "$line" -e "$line.so" "$ini" 2>/dev/null; then
echo "$line" >> "$ini"
fi
done
if [ "$pm" = 'apk' ] && [ -n "$apkDel" ]; then
apk del --no-network $apkDel
fi

143
roles/php-from-source/files/docker-php-ext-install Executable file
View File

@ -0,0 +1,143 @@
#!/bin/sh
set -e
# prefer user supplied CFLAGS, but default to our PHP_CFLAGS
: ${CFLAGS:=$PHP_CFLAGS}
: ${CPPFLAGS:=$PHP_CPPFLAGS}
: ${LDFLAGS:=$PHP_LDFLAGS}
export CFLAGS CPPFLAGS LDFLAGS
srcExists=
if [ -d /usr/src/php ]; then
srcExists=1
fi
docker-php-source extract
if [ -z "$srcExists" ]; then
touch /usr/src/php/.docker-delete-me
fi
cd /usr/src/php/ext
usage() {
echo "usage: $0 [-jN] [--ini-name file.ini] ext-name [ext-name ...]"
echo " ie: $0 gd mysqli"
echo " $0 pdo pdo_mysql"
echo " $0 -j5 gd mbstring mysqli pdo pdo_mysql shmop"
echo
echo 'if custom ./configure arguments are necessary, see docker-php-ext-configure'
echo
echo 'Possible values for ext-name:'
find . \
-mindepth 2 \
-maxdepth 2 \
-type f \
-name 'config.m4' \
| xargs -n1 dirname \
| xargs -n1 basename \
| sort \
| xargs
echo
echo 'Some of the above modules are already compiled into PHP; please check'
echo 'the output of "php -i" to see which modules are already loaded.'
}
opts="$(getopt -o 'h?j:' --long 'help,ini-name:,jobs:' -- "$@" || { usage >&2 && false; })"
eval set -- "$opts"
j=1
iniName=
while true; do
flag="$1"
shift
case "$flag" in
--help|-h|'-?') usage && exit 0 ;;
--ini-name) iniName="$1" && shift ;;
--jobs|-j) j="$1" && shift ;;
--) break ;;
*)
{
echo "error: unknown flag: $flag"
usage
} >&2
exit 1
;;
esac
done
exts=
for ext; do
if [ -z "$ext" ]; then
continue
fi
if [ ! -d "$ext" ]; then
echo >&2 "error: $PWD/$ext does not exist"
echo >&2
usage >&2
exit 1
fi
exts="$exts $ext"
done
if [ -z "$exts" ]; then
usage >&2
exit 1
fi
pm='unknown'
if [ -e /lib/apk/db/installed ]; then
pm='apk'
fi
apkDel=
if [ "$pm" = 'apk' ]; then
if [ -n "$PHPIZE_DEPS" ]; then
if apk info --installed .phpize-deps-configure > /dev/null; then
apkDel='.phpize-deps-configure'
elif ! apk info --installed .phpize-deps > /dev/null; then
apk add --no-cache --virtual .phpize-deps $PHPIZE_DEPS
apkDel='.phpize-deps'
fi
fi
fi
popDir="$PWD"
for ext in $exts; do
cd "$ext"
[ -e Makefile ] || docker-php-ext-configure "$ext"
make -j"$j"
if ! php -n -d 'display_errors=stderr' -r 'exit(ZEND_DEBUG_BUILD ? 0 : 1);' > /dev/null; then
# only "strip" modules if we aren't using a debug build of PHP
# (none of our builds are debug builds, but PHP might be recompiled with "--enable-debug" configure option)
# https://github.com/docker-library/php/issues/1268
find modules \
-maxdepth 1 \
-name '*.so' \
-exec sh -euxc ' \
strip --strip-all "$@" || :
' -- '{}' +
fi
make -j"$j" install
find modules \
-maxdepth 1 \
-name '*.so' \
-exec basename '{}' ';' \
| xargs -r docker-php-ext-enable ${iniName:+--ini-name "$iniName"}
make -j"$j" clean
cd "$popDir"
done
if [ "$pm" = 'apk' ] && [ -n "$apkDel" ]; then
apk del --no-network $apkDel
fi
if [ -e /usr/src/php/.docker-delete-me ]; then
docker-php-source delete
fi

34
roles/php-from-source/files/docker-php-source Executable file
View File

@ -0,0 +1,34 @@
#!/bin/sh
set -e
dir=/usr/src/php
usage() {
echo "usage: $0 COMMAND"
echo
echo "Manage php source tarball lifecycle."
echo
echo "Commands:"
echo " extract extract php source tarball into directory $dir if not already done."
echo " delete delete extracted php source located into $dir if not already done."
echo
}
case "$1" in
extract)
mkdir -p "$dir"
if [ ! -f "$dir/.docker-extracted" ]; then
tar -Jxf /usr/src/php.tar.xz -C "$dir" --strip-components=1
touch "$dir/.docker-extracted"
fi
;;
delete)
rm -rf "$dir"
;;
*)
usage
exit 1
;;
esac

85
roles/php-from-source/tasks/main.yml Normal file
View File

@ -0,0 +1,85 @@
---
- name: Copy docker-php-* helpers to /usr/local/bin/
copy:
src: "{{item}}"
dest: /usr/local/bin/
mode: 0744
loop:
- docker-php-ext-configure
- docker-php-ext-enable
- docker-php-ext-install
- docker-php-source
# prevent Debian's PHP packages from being installed
# https://github.com/docker-library/php/pull/542
- name: Disable php for apt
shell: "set -eux; { echo 'Package: php*'; echo 'Pin: release *'; echo 'Pin-Priority: -1'; } > /etc/apt/preferences.d/no-debian-php"
# dependencies required for running "phpize"
# (see persistent deps below)
- name: Set ENV var PHPIZE_DEPS
lineinfile:
dest: ~/.bashrc
line: 'export PHPIZE_DEPS="autoconf dpkg-dev file g++ gcc libc-dev make pkg-config re2c"'
# persistent / runtime deps
- name: Install dev dependencies for compile
shell: set -eux; apt-get update; apt-get install -y --no-install-recommends $PHPIZE_DEPS ca-certificates curl xz-utils ; rm -rf /var/lib/apt/lists/*
environment:
PHPIZE_DEPS: autoconf dpkg-dev file g++ gcc libc-dev make pkg-config re2c
- name: Set ENV var PHP_INI_DIR
lineinfile:
dest: ~/.bashrc
line: 'export PHP_INI_DIR="/usr/local/etc/php"'
- name: Create /var/www/html dir
shell: set -eux; mkdir -p "$PHP_INI_DIR/conf.d"; [ ! -d /var/www/html ]; mkdir -p /var/www/html; chown www-data:www-data /var/www/html; chmod 777 /var/www/html
environment:
PHP_INI_DIR: /usr/local/etc/php
# Apply stack smash protection to functions using local buffers and alloca()
# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
# Enable optimization (-O2)
# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
# https://github.com/docker-library/php/issues/272
# -D_LARGEFILE_SOURCE and -D_FILE_OFFSET_BITS=64 (https://www.php.net/manual/en/intro.filesystem.php)
- name: Set ENV vars for php installation
lineinfile:
dest: ~/.bashrc
line: "{{item}}"
loop:
- 'export PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"'
- 'export PHP_CPPFLAGS="$PHP_CFLAGS"'
- 'export PHP_LDFLAGS="-Wl,-O1 -pie"'
- 'export GPG_KEYS="42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312"'
- 'export PHP_VERSION="7.4.33"'
- 'export PHP_URL="https://www.php.net/distributions/php-7.4.33.tar.xz" PHP_ASC_URL="https://www.php.net/distributions/php-7.4.33.tar.xz.asc"'
- 'export PHP_SHA256="924846abf93bc613815c55dd3f5809377813ac62a9ec4eb3778675b82a27b927"'
- name: Download php sources
shell: set -eux; savedAptMark="$(apt-mark showmanual)"; apt-get update; apt-get install -y --no-install-recommends gnupg dirmngr; rm -rf /var/lib/apt/lists/*; mkdir -p /usr/src; cd /usr/src; curl -fsSL -o php.tar.xz "$PHP_URL"; if [ -n "$PHP_SHA256" ]; then echo "$PHP_SHA256 *php.tar.xz" | sha256sum -c -; fi; if [ -n "$PHP_ASC_URL" ]; then curl -fsSL -o php.tar.xz.asc "$PHP_ASC_URL"; export GNUPGHOME="$(mktemp -d)"; for key in $GPG_KEYS; do gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; done; gpg --batch --verify php.tar.xz.asc php.tar.xz; gpgconf --kill all; rm -rf "$GNUPGHOME"; fi; apt-mark auto '.*' > /dev/null; apt-mark manual $savedAptMark > /dev/null; apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false
environment:
PHP_URL: https://www.php.net/distributions/php-7.4.33.tar.xz
PHP_SHA256: 924846abf93bc613815c55dd3f5809377813ac62a9ec4eb3778675b82a27b927
PHP_ASC_URL: https://www.php.net/distributions/php-7.4.33.tar.xz.asc
GPG_KEYS: 42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312
- name: Install php
environment:
PHP_CFLAGS: -fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
PHP_CPPFLAGS: -fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
PHP_LDFLAGS: -Wl,-O1 -pie
PHP_INI_DIR: /usr/local/etc/php
shell: >-
set -eux; savedAptMark="$(apt-mark showmanual)"; apt-get update; apt-get install -y --no-install-recommends libargon2-dev libcurl4-openssl-dev libonig-dev libreadline-dev libsodium-dev libsqlite3-dev libssl-dev libxml2-dev zlib1g-dev ; export CFLAGS="$PHP_CFLAGS" CPPFLAGS="$PHP_CPPFLAGS" LDFLAGS="$PHP_LDFLAGS" ; docker-php-source extract; cd /usr/src/php; gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; debMultiarch="$(dpkg-architecture --query DEB_BUILD_MULTIARCH)"; if [ ! -d /usr/include/curl ]; then ln -sT "/usr/include/$debMultiarch/curl" /usr/local/include/curl; fi; ./configure --build="$gnuArch" --with-config-file-path="$PHP_INI_DIR" --with-config-file-scan-dir="$PHP_INI_DIR/conf.d" --enable-option-checking=fatal --with-mhash --with-pic --enable-ftp --enable-mbstring --enable-mysqlnd --with-password-argon2 --with-sodium=shared --with-pdo-sqlite=/usr --with-sqlite3=/usr --with-curl --with-iconv --with-openssl --with-readline --with-zlib --disable-phpdbg --with-pear $(test "$gnuArch" = 's390x-linux-gnu' && echo '--without-pcre-jit') --with-libdir="lib/$debMultiarch" --disable-cgi --enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data ; make -j "$(nproc)"; find -type f -name '*.a' -delete; make install; find /usr/local -type f -perm '/0111' -exec sh -euxc ' strip --strip-all "$@" || : ' -- '{}' + ; make clean; cp -v php.ini-* "$PHP_INI_DIR/"; cd /; docker-php-source delete; apt-mark auto '.*' > /dev/null; [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; find /usr/local -type f -executable -exec ldd '{}' ';' | awk '/=>/ { print $(NF-1) }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual ; apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; rm -rf /var/lib/apt/lists/*; pecl update-channels; rm -rf /tmp/pear ~/.pearrc; php --version
# sodium was built as a shared module (so that it can be replaced later if so desired), so let's enable it too (https://github.com/docker-library/php/issues/598)
- name: Shell Command (docker-php-ext-enable sodium)
shell: docker-php-ext-enable sodium
- name: Nerest php-fpm pool config
shell: set -eux; cd /usr/local/etc; if [ -d php-fpm.d ]; then sed 's!=NONE/!=!g' php-fpm.conf.default | tee php-fpm.conf > /dev/null; cp php-fpm.d/www.conf.default php-fpm.d/www.conf; else mkdir php-fpm.d; cp php-fpm.conf.default php-fpm.d/www.conf; { echo '[global]'; echo 'include=etc/php-fpm.d/*.conf'; } | tee php-fpm.conf; fi; { echo '[global]'; echo 'error_log = /proc/self/fd/2'; echo; echo '; https://github.com/docker-library/php/pull/725#issuecomment-443540114'; echo 'log_limit = 8192'; echo; echo '[www]'; echo '; if we send this to /proc/self/fd/1, it never appears'; echo 'access.log = /proc/self/fd/2'; echo; echo 'clear_env = no'; echo; echo '; Ensure worker stdout and stderr are sent to the main error log.'; echo 'catch_workers_output = yes'; echo 'decorate_workers_output = no'; } | tee php-fpm.d/docker.conf; { echo '[global]'; echo 'daemonize = no'; echo; echo '[www]'; echo 'listen = 9000'; } | tee php-fpm.d/zz-docker.conf
...

19
roles/phpmyadmin/COPYRIGHT Normal file
View File

@ -0,0 +1,19 @@
debops.phpmyadmin - Manage phpMyAdmin service using Ansible
Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2015-2019 DebOps <https://debops.org/>
SPDX-License-Identifier: GPL-3.0-only
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.

4
roles/phpmyadmin/README.md Normal file
View File

@ -0,0 +1,4 @@
### phpmyadmin
This role does not have official documentation.
See [DebOps documentation](https://docs.debops.org/en/tags/v3.0.3^0/) instead.

99
roles/phpmyadmin/defaults/main.yml Normal file
View File

@ -0,0 +1,99 @@
---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# .. Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# .. Copyright (C) 2015-2019 DebOps <https://debops.org/>
# .. SPDX-License-Identifier: GPL-3.0-only
# .. _phpmyadmin__ref_defaults:
# debops.phpmyadmin default variables
# ===================================
# .. contents:: Sections
# :local:
#
# .. include:: ../../../../includes/global.rst
# .. envvar:: phpmyadmin_dependencies [[[
#
# Should PHPMyAdmin role manage its own dependencies?
phpmyadmin_dependencies: True
# ]]]
# .. envvar:: phpmyadmin_domain [[[
#
# What subdomain should be used for PHPMyAdmin in nginx configuration
phpmyadmin_domain: [ 'mysql.{{ ansible_domain }}' ]
# ]]]
# .. envvar:: phpmyadmin_password_length [[[
#
# Default length of generated passwords
phpmyadmin_password_length: '20'
# ]]]
# .. envvar:: phpmyadmin_control_password [[[
#
# Default PHPMyAdmin control password
phpmyadmin_control_password: "{{ lookup('password', secret + '/mariadb/' + ansible_local['mariadb'].delegate_to + '/credentials/' + phpmyadmin_control_user + '/password length=' + phpmyadmin_password_length) }}"
# ]]]
# .. envvar:: phpmyadmin_allow [[[
#
# List of IP addresses or network ranges in CIDR format, allowed to access
# PHPMyAdmin. Leave empty to allow access from all IP addresses/networks
phpmyadmin_allow: []
# ]]]
# .. envvar:: phpmyadmin_upload_size [[[
#
# Max upload size for nginx and php5
phpmyadmin_upload_size: '64M'
# ]]]
# .. envvar:: phpmyadmin_php5_max_children [[[
#
# Maximum number of PHP5 processes for PHPMyAdmin
phpmyadmin_php5_max_children: '20'
# ]]]
# Configuration for other Ansible roles [[[
# -----------------------------------------
# .. envvar:: phpmyadmin__php__dependent_packages [[[
#
# Package configuration for the :ref:`debops.php` Ansible role.
phpmyadmin__php__dependent_packages:
- 'mysql'
- 'mcrypt'
- 'gd'
# ]]]
# .. envvar:: phpmyadmin__php__dependent_pools [[[
#
# Pool configuration for the :ref:`debops.php` Ansible role.
phpmyadmin__php__dependent_pools:
- '{{ phpmyadmin_php5_pool }}'
# ]]]
# .. envvar:: phpmyadmin__nginx__dependent_servers [[[
#
# Server configuration for the :ref:`debops.nginx` Ansible role.
phpmyadmin__nginx__dependent_servers:
- '{{ phpmyadmin_nginx_server }}'
# ]]]
# .. envvar:: phpmyadmin__nginx__dependent_upstreams [[[
#
# Upstream configuration for the :ref:`debops.nginx` Ansible role.
phpmyadmin__nginx__dependent_upstreams:
- '{{ phpmyadmin_nginx_upstream_php5 }}'
# ]]]
# ]]]

34
roles/phpmyadmin/meta/main.yml Normal file
View File

@ -0,0 +1,34 @@
---
# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2019 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
# Ensure that custom Ansible plugins and modules included in the main DebOps
# collection are available to roles in other collections.
collections: [ 'debops.debops' ]
dependencies: []
galaxy_info:
author: 'Maciej Delmanowski'
description: 'Install and configure PHPMyAdmin on a MySQL database server'
company: 'DebOps'
license: 'GPL-3.0-only'
min_ansible_version: '1.7.0'
platforms:
- name: Ubuntu
versions:
- precise
- quantal
- raring
- saucy
- trusty
- name: Debian
versions:
- wheezy
- jessie
galaxy_tags:
- mysql
- database
- php

44
roles/phpmyadmin/tasks/main.yml Normal file
View File

@ -0,0 +1,44 @@
---
# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2019 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
- name: Import DebOps secret role
import_role:
name: 'secret'
- name: Install dbconfig-common
apt: pkg=dbconfig-common state=present install_recommends=no
register: phpmyadmin__register_dbconfig_packages
until: phpmyadmin__register_dbconfig_packages is succeeded
- name: Pre-configure PHPMyAdmin database
template: src=etc/dbconfig-common/phpmyadmin.conf.j2
dest=/etc/dbconfig-common/phpmyadmin.conf
owner=root group=root mode=0600
- name: Install PHPMyAdmin packages
apt: pkg=phpmyadmin state=present install_recommends=no
register: phpmyadmin__register_packages
until: phpmyadmin__register_packages is succeeded
- name: Create database for PHPMyAdmin
mysql_db: name={{ phpmyadmin_control_database | default('phpmyadmin') }} state=present
register: phpmyadmin_database
- name: Import PHPMyAdmin schema
mysql_db: # noqa no-handler
name: '{{ phpmyadmin_control_database | default("phpmyadmin") }}'
state: 'import'
target: '/usr/share/dbconfig-common/data/phpmyadmin/install/mysql'
login_unix_socket: '/run/mysqld/mysqld.sock'
when: phpmyadmin_database is defined and phpmyadmin_database is changed
- name: Create PHPMyAdmin control user
mysql_user:
name: "{{ phpmyadmin_control_user | default('phpmyadmin') }}"
state: 'present'
password: '{{ phpmyadmin_control_password }}'
priv: "{{ phpmyadmin_control_database | default('phpmyadmin') }}.*:ALL"
login_unix_socket: '/run/mysqld/mysqld.sock'
no_log: '{{ debops__no_log | d(True) }}'

82
roles/phpmyadmin/templates/etc/dbconfig-common/phpmyadmin.conf.j2 Normal file
View File

@ -0,0 +1,82 @@
{# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2019 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
#}
# This file is managed by Ansible, all changes will be lost
# automatically generated by the maintainer scripts of phpmyadmin
# any changes you make will be preserved, though your comments
# will be lost! to change your settings you should edit this
# file and then run "dpkg-reconfigure phpmyadmin"
# dbc_install: configure database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_install='false'
# dbc_upgrade: upgrade database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_upgrade='false'
# dbc_remove: deconfigure database with dbconfig-common?
# set to anything but "true" to opt out of assistance
dbc_remove=''
# dbc_dbtype: type of underlying database to use
# this exists primarily to let dbconfig-common know what database
# type to use when a package supports multiple database types.
# don't change this value unless you know for certain that this
# package supports multiple database types
dbc_dbtype='mysql'
# dbc_dbuser: database user
# the name of the user who we will use to connect to the database.
dbc_dbuser='{{ phpmyadmin_control_user }}'
# dbc_dbpass: database user password
# the password to use with the above username when connecting
# to a database, if one is required
dbc_dbpass='{{ phpmyadmin_control_password }}'
# dbc_dbserver: database host.
# leave unset to use localhost (or a more efficient local method
# if it exists).
dbc_dbserver=''
# dbc_dbport: remote database port
# leave unset to use the default. only applicable if you are
# using a remote database.
dbc_dbport=''
# dbc_dbname: name of database
# this is the name of your application's database.
dbc_dbname='{{ phpmyadmin_control_database }}'
# dbc_dbadmin: name of the administrative user
# this is the administrative user that is used to create all of the above
dbc_dbadmin='root'
# dbc_basepath: base directory to hold database files
# leave unset to use the default. only applicable if you are
# using a local (filesystem based) database.
dbc_basepath=''
##
## postgresql specific settings. if you don't use postgresql,
## you can safely ignore all of these
##
# dbc_ssl: should we require ssl?
# set to "true" to require that connections use ssl
dbc_ssl=''
# dbc_authmethod_admin: authentication method for admin
# dbc_authmethod_user: authentication method for dbuser
# see the section titled "AUTHENTICATION METHODS" in
# /usr/share/doc/dbconfig-common/README.pgsql for more info
dbc_authmethod_admin=''
dbc_authmethod_user=''
##
## end postgresql specific settings
##

55
roles/phpmyadmin/vars/main.yml Normal file
View File

@ -0,0 +1,55 @@
---
# Copyright (C) 2014-2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2015-2019 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
phpmyadmin_control_user: 'phpmyadmin'
phpmyadmin_control_database: 'phpmyadmin'
phpmyadmin_nginx_server:
by_role: 'debops.phpmyadmin'
enabled: True
default: False
type: 'php5'
name: '{{ phpmyadmin_domain }}'
root: '/usr/share/phpmyadmin'
webroot_create: False
options: |
client_max_body_size {{ phpmyadmin_upload_size }};
location:
# Required for location_allow to work
'/': 'try_files $uri $uri/ =404;'
'~ ^/(setup|libraries)': 'deny all;'
location_allow:
'/': '{{ phpmyadmin_allow }}'
php5: 'php5_phpmyadmin'
php5_options: |
{% if phpmyadmin_allow is defined and phpmyadmin_allow %}
{% for address in phpmyadmin_allow %}
allow {{ address }};
{% endfor %}
deny all;
{% endif %}
phpmyadmin_nginx_upstream_php5:
enabled: True
name: 'php5_phpmyadmin'
type: 'php5'
php5: 'phpmyadmin'
phpmyadmin_php5_pool:
enabled: True
name: 'phpmyadmin'
user: 'www-data'
group: 'www-data'
pm_max_children: '{{ phpmyadmin_php5_max_children }}'
php_value:
post_max_size: '{{ phpmyadmin_upload_size }}'
upload_max_filesize: '{{ phpmyadmin_upload_size }}'

4
roles/release-changed/tasks/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: Allow release info changed
shell: apt --allow-releaseinfo-change update

58
run-lxc-playbook.sh Executable file
View File

@ -0,0 +1,58 @@
#!/bin/bash
source $1
usage() {
echo "Usage: run-lxc-playbook.sh path/to/env"
}
if [[ -z "$SERVER" ]]; then
echo "You must defined SERVER"
usage
exit 1
fi
if [[ -z "$LXC_HOST" ]]; then
echo "You must defined LXC_HOST"
usage
exit 1
fi
if [[ -z "$PLAYBOOK" ]]; then
echo "You must defined PLAYBOOK"
usage
exit 1
fi
PLAYBOOK_FILEPATH="playbooks/$PLAYBOOK.yml"
if [[ ! -f "$PLAYBOOK_FILEPATH" ]]; then
echo "Playbook file is not exists: $PLAYBOOK_FILEPATH"
usage
exit 1
fi
if [[ -z "$SITE_NAME" ]]; then
echo "You must defined SITE_NAME"
usage
exit 1
fi
if [[ -z "$DOMAIN_NAME" ]]; then
echo "You must defined DOMAIN_NAME"
usage
exit 1
fi
if [[ -z "$DATABASE_NAME" ]]; then
echo "You must defined DATABASE_NAME"
usage
exit 1
fi
ansible-playbook \
-e "lxc_host=$LXC_HOST" \
-e "site_name=$SITE_NAME" \
-e "domain_name=$DOMAIN_NAME" \
-e "database_name=$DATABASE_NAME" \
-e "runner=lxc" \
--ssh-common-args="-o ProxyCommand='ssh -W %h:%p -q root@$SERVER'" \
$PLAYBOOK_FILEPATH

64
run-playbook.sh Executable file
View File

@ -0,0 +1,64 @@
#!/bin/bash
SSH_PORT=22
args=("$@")
# Обработка опций
for ((i=0; i<$#; i++)); do
if [ "${args[$i]}" == "-p" ]; then
SSH_PORT=${args[$i+1]}
unset 'args[i]'
unset 'args[i+1]'
fi
if [ "${args[$i]}" == "-f" ]; then
FORCE=1
unset 'args[i]'
fi
done
args=("${args[@]}")
SERVER=${args[0]}
PLAYBOOK=${args[1]}
USER=${args[2]}
usage() {
echo "Usage: run-vps-playbook.sh server playbook [user]"
echo "server - domain or ip address of the vps server"
echo "playbook - playbook file"
echo "[user] - if choose the use it, otherwise used root"
}
if [[ -z "$SERVER" ]]; then
echo "You must defined SERVER as first argument"
usage
exit 1
fi
if [[ -z "$PLAYBOOK" ]]; then
echo "You must defined PLAYBOOK as second argument"
usage
exit 1
fi
if [[ -z "$USER" ]]; then
USER=root
fi
COMMAND=$(cat <<EOF
ansible-playbook -e "lxc_host=${SERVER}" -e "runner=normal" -e "ansible_user=${USER}" --ssh-common-args="-p $SSH_PORT"
EOF
)
COMMAND="${COMMAND} ${PLAYBOOK}"
if [[ -z "$FORCE" ]]; then
printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
read -p "Are you sure? " -n 1 -r
echo # (optional) move to a new line
if [[ $REPLY =~ ^[Yyн]$ ]]
then
/bin/bash -c "${COMMAND}"
fi
else
/bin/bash -c "${COMMAND}"
fi

69
run-site-playbook.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
SERVER=$1
PLAYBOOK=$2
SITE_NAME=$3
DOMAIN_NAME=$4
while [[ "$#" -gt 0 ]]; do
case $1 in
-f|--force) force=1; shift ;;
esac
shift
done
usage() {
echo "Usage: run-vps-playbook.sh server playbook site_name domain_name"
echo "server - domain or ip address of the vps server"
echo "playbook - playbook file"
echo "site_name - site name, e.g. intermetiz - that is a project name used for create home directory and www directory, and database dump base file name"
echo "domain_name - domain name, e.g. intermetiz.ru"
}
if [[ -z "$SERVER" ]]; then
echo "You must defined SERVER as first argument"
usage
exit 1
fi
if [[ -z "$PLAYBOOK" ]]; then
echo "You must defined PLAYBOOK as second argument"
usage
exit 1
fi
if [[ ! -f "$PLAYBOOK" ]]; then
echo "Playbook file is not exists: $PLAYBOOK"
usage
exit 1
fi
if [[ -z "$SITE_NAME" ]]; then
echo "You must defined SITE_NAME as third argument"
usage
exit 1
fi
if [[ -z "$DOMAIN_NAME" ]]; then
echo "You must defined DOMAIN_NAME as fourth argument"
usage
exit 1
fi
COMMAND=$(cat <<EOF
ansible-playbook -e "lxc_host=${SERVER}" -e "initial_site_name=${SITE_NAME}" -e "domain_name=${DOMAIN_NAME}" -e runner=site
EOF
)
COMMAND="${COMMAND} ${PLAYBOOK}"
if [[ -z "$force" ]]; then
printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
read -p "Are you sure? " -n 1 -r
echo # (optional) move to a new line
if [[ $REPLY =~ ^[Yyн]$ ]]
then
/bin/bash -c "${COMMAND}"
fi
else
/bin/bash -c "${COMMAND}"
fi

2
secret/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
*
!.gitignore

6
site.yml
View File

@ -1,6 +0,0 @@
---
- import_playbook: anygroup.yml
# Import all other group playbooks in this file...
...

2
vars/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
*
!*-example.yml

8
vars/apache-example.yml Normal file
View File

@ -0,0 +1,8 @@
apache__dependent_vhosts:
- name: 'pma.{{ apache__default_vhost_name[0] }}'
filename: 'pma'
root: '/var/www/phpmyadmin'
root_directives: |-
AuthType Basic
AuthName "Authorization"
AuthUserFile passwords.d/pma.passwords

11
vars/databases-example.yml Normal file
View File

@ -0,0 +1,11 @@
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults-detailed.html#mariadb-users
mariadb__databases:
- name: '{{ site_name }}'
source: '{{ inventory_dir }}//data/db-dumps/{{ site_name }}.sql.bz2'
target: '/tmp/{{ site_name }}.sql.bz2'
mariadb__users:
- name: '{{ site_name }}'
host: 'localhost'
database: '{{ site_name }}%'

2
vars/nginx-example.yml Normal file
View File

@ -0,0 +1,2 @@
nginx_www_domain: '{{ has_www_domain }}'
nginx_www_redirect: '{{ www_domain_is_primary | ternary("www", "non-www") }}'

Some files were not shown because too many files have changed in this diff Show More