* use debops as separate package

* set python version via pyenv

.gitignore

@@ -1,3 +1,3 @@
-*.retry
 .idea
 /secret
+/ansible.cfg

.python-version

@@ -0,0 +1 @@
+3.13.2

README.md

@@ -1,147 +1,19 @@
-# Ansible-Boilerplate
-
-[![GitHub Issues](https://img.shields.io/github/issues/acch/ansible-boilerplate.svg)](https://github.com/acch/ansible-boilerplate/issues) [![GitHub Stars](https://img.shields.io/github/stars/acch/ansible-boilerplate.svg?label=github%20%E2%98%85)](https://github.com/acch/ansible-boilerplate/) [![License](https://img.shields.io/github/license/acch/ansible-boilerplate.svg)](LICENSE)
-
-[Ansible](https://www.ansible.com/) is a configuration management tool, similar to [Chef](https://www.chef.io/) and [Puppet](https://puppet.com/). It allows for performing logical configuration of infrastructure components, such as servers and network switches. The configuration files in this repository can act as a template for your own Ansible projects, in order to get you started quickly. Once you've customized the configuration files then new servers can be configured quickly — excluding their network configuration. This means that adding new servers is as simple as:
-
-- Base OS installation of new server
-- Network configuration of new server (including bond, bridge, DNS and routing)
-- Configuration of password-less (public key) SSH authentication from the Ansible host (your laptop) to the new server
-
-The remaining configuration (installing packages, configuring services, etc.) can then be achieved using Ansible. In addition, Ansible ensures that configuration of all servers is and remains consistent.
-
-## Using this repository
-
-Simply download (clone) the repository and start modifying files according to your needs.
-
+# Getting Started
+## Create symlink for ansible hosts
+`sudo ln -s $(realpath hosts) /etc/ansible/hosts`
+## Modify your ~/.ssh/config
 ```
-git clone https://github.com/acch/ansible-boilerplate.git myAnsibleProject/
+Host debian10.dedic106-dhcp.dimti.ru
+    Port 22242
+``` 
+## Install needed ansible galaxy collections
 ```
-
-Ideally, you'll want to use [Git](https://git-scm.com/) to manage your Ansible configuration files. For that purpose simply [fork](https://help.github.com/articles/fork-a-repo/) this repository into your own Git repository before cloning and customizing it. Alternatively, create your own repository [from the template](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-from-a-template). Git will allow you to version and roll-back changes with ease.
-
-Specifically, you'll want to customize the following files:
-- Add your own hosts and groups to file `hosts`. You'll want to replace `[anygroup]` with a more meaningful group name, and add your own groups as required.
-- Define roles by adding subdirectories underneath directory `roles/`. You'll want to rename `anyrole/` to a more meaningful role name, and add your own roles as required.
-- Associate your hosts (groups) with your roles by adding appropriate playbooks in the root directory. Rename `anygroup.yml` to a more meaningful playbook name.
-- Import all your playbooks in the main `site.yml` playbook.
-
-## Using Ansible
-
-Install `ansible` on your laptop and link the `hosts` file from `/etc/ansible/hosts` to the file in your repository. Now you're all set.
-
-To run a single (ad-hoc) task on multiple servers:
-
+ansible-galaxy install -g -f -r requirements.yml
 ```
-# Check connectivity
-ansible all -m ping -u root
-
-# Run single command on all servers
-ansible all -m command -a "cat /etc/hosts" -u root
-
-# Run single command only on servers in specific group
-ansible anygroup -m command -a "cat /etc/hosts" -u root
-
-# Run single command on individual server
-ansible server1 -m command -a "cat /etc/hosts" -u root
-```
-
-As the `command` module is the default, it can also be omitted:
-
-```
-ansible server1 -a "cat /etc/hosts" -u root
-```
-
-To use shell variables on the remote server, use the `shell` module instead of `command`, and use single quotes for the argument:
-
-```
-ansible server1 -m shell -a 'echo $HOSTNAME' -u root
-```
-
-The true power of ansible comes with so called *playbooks* — think of them as scripts, but they're declarative. Playbooks allow for running multiple tasks on any number of servers, as defined in the configuration files (`*.yml`):
-
-```
-# Run all tasks on all servers
-ansible-playbook site.yml -v
-
-# Run all tasks only on group of servers
-ansible-playbook anygroup.yml -v
-
-# Run all tasks only on individual server
-ansible-playbook site.yml -v -l server1
-```
-
-Note that `-v` produces verbose output. `-vv` and `-vvv` are also available for even more (debug) output.
-
-To verify what tasks would do without changing the actual configuration, use the `--list-hosts` and `--check` parameters:
-
-```
-# Show hosts that would be affected by playbook
-ansible-playbook site.yml --list-hosts
-
-# Perform dry-run to see what tasks would do
-ansible-playbook site.yml -v --check
-```
-
-Running all tasks in a playbook may take a long time. *Tags* are available to organize tasks so one can only run specific tasks to configure a certain component:
-
-```
-# Show list of available tags
-ansible-playbook site.yml --list-tags
-
-# Only run tasks required to configure DNS
-ansible-playbook site.yml -v -t dns
-```
-
-Note that the above command requires you to have tasks defined with the `tags: dns` attribute.
-
-## Configuration files
-
-The `hosts` file defines all hosts and groups which they belong to. Note that a single host can be member of multiple groups. Define groups for each rack, for each network, or for each environment (e.g. production vs. test).
-
-### Playbooks
-
-Playbooks associate hosts (groups) with roles. Define a separate playbook for each of your groups, and then import all playbooks in the main `site.yml` playbook.
-
-File | Description
----- | -----------
-`site.yml` | Main playbook - runs all tasks on all servers
-`anygroup.yml` | Group playbook - runs all tasks on servers in group *anygroup*
-
-### Roles
-
-The group playbooks (e.g. `anygroup.yml`) simply associate hosts with roles. Actual tasks are defined in these roles:
-
-```
-roles/
-├── common/             Applied to all servers
-│   ├── handlers/
-│   ├── tasks/
-│   │   └ main.yml      Tasks for all servers
-│   └── templates/
-└── anyrole/            Applied to servers in specific group(s)
-    ├── handlers/
-    ├── tasks/
-    │   └ main.yml      Tasks for specific group(s)
-    └── templates/
-```
-
-Consider adding separate roles for different applications (e.g. webservers, dbservers, hypervisors, etc.), or for different responsibilities which servers fulfill (e.g. infra_server vs. infra_client).
-
-### Tags
-
-Use the following command to show a list of available tags:
-
-```
-ansible-playbook site.yml --list-tags
-```
-
-Consider adding tags for individual components (e.g. DNS, NTP, HTTP, etc.).
-
-Role | Tags
---- | ---
-Common | all,check
-
-## Copyright and license
-
-Copyright 2017 Achim Christ, released under the [MIT license](LICENSE)
+# Usage
+## Ping
+`ansible debian10 -m ping -u root`
+## Playbook
+`ansible-playbook anygroup.yml`
+## Playbook group only tag
+`ansible-playbook anygroup.yml -t nginx`

ansible.cfg

@@ -1,3 +0,0 @@
-[defaults]
-inventory=./hosts
-group_vars=./group_vars

ansible.cfg.example

@@ -0,0 +1,4 @@
+[defaults]
+inventory=./hosts
+group_vars=./group_vars
+collections_paths=~/.ansible/collections:~/.pyenv/versions/3.13.2/lib/python3.13/site-packages/debops/_data/ansible/collections

envs/lxc/server/lxc.env.example

@@ -0,0 +1,13 @@
+SERVER=proxmox_host
+
+LXC_HOST=project_lxc_container
+
+PLAYBOOK=nginx-site
+
+# That is a project name and name of the HOME USER
+# @see group_vars/all.yml
+SITE_NAME=project_name
+
+DOMAIN_NAME=project_domain_name
+
+DATABASE_NAME=project_name

group_vars/all.yml

@@ -8,5 +8,5 @@ keyring__keyserver: hkp://keyserver.ubuntu.com:80
 
 secret__levels: '.'
 
-site_name: '{{ initial_site_name | d(lxc_host) }}'
+home_user: '{{ (ansible_user != "root") | ternary(ansible_user, site_name) }}'
 ...

hosts

@@ -11,6 +11,7 @@
 
 [lxc_templates]
 #debian10  ansible_host=debian10.dedic106-dhcp.dimti.ru  ansible_user=root
+#debian10  ansible_host='{{ lxc_host }}' ansible_port=22230
 debian10  ansible_host='{{ lxc_host }}'
 
 [anygroup]

playbooks/apache-site.yml

@@ -1,4 +1,5 @@
 ---
+- import_playbook: debops/apt.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml
@@ -6,11 +7,13 @@
 - import_playbook: debops/mariadb-custom-db.yml
 - import_playbook: debops/php-wp.yml
 - import_playbook: debops/apache.yml
-- import_playbook: debops/redis.yml
+#- import_playbook: debops/redis.yml
 - import_playbook: own/var-www-set-ownerships.yml
 - import_playbook: own/phpmyadmin.yml
-- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
-- import_playbook: own/correct-paths-for-pct-enter.yml
+- import_playbook: own/phpmyadmin-apache-auth.yml
+#- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
+#- import_playbook: own/correct-paths-for-pct-enter.yml
+- import_playbook: own/wp-cli.yml
 
 # Import all other group playbooks in this file...
 

playbooks/apps/caprover.yml

@@ -0,0 +1,17 @@
+---
+-   hosts: [ 'debian10' ]
+    tasks:
+        -   name: Configure Firewall
+            shell: |
+                ufw allow 80,443,3000,996,7946,4789,2377/tcp; ufw allow 7946,4789,2377/udp;
+
+        -   name: Install caprover
+            shell: |
+                docker run -p 80:80 -p 443:443 -p 3000:3000 -e ACCEPTED_TERMS=true -v /var/run/docker.sock:/var/run/docker.sock -v /captain:/captain caprover/caprover
+
+        -   name: "Install npm caprover package (after that use: caprover serversetup)"
+            shell: |
+                export NVM_DIR="$HOME/.nvm"
+                . "$NVM_DIR/nvm.sh"
+                . "$NVM_DIR/bash_completion"
+                npm install -g caprover

playbooks/apps/docker-debian.yml

@@ -0,0 +1,33 @@
+---
+-   hosts: [ 'debian10' ]
+    tasks:
+        -   name: Remove old packages
+            shell: |
+                for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
+                apt-get autoremove
+
+        -   name: Add APT repository
+            shell: |
+                # Add Docker's official GPG key:
+                apt-get update
+                apt-get install ca-certificates curl
+                install -m 0755 -d /etc/apt/keyrings
+                curl -fsSL https://download.docker.com/linux/debian /gpg -o /etc/apt/keyrings/docker.asc
+                chmod a+r /etc/apt/keyrings/docker.asc
+                
+                # Add the repository to Apt sources:
+                echo \
+                    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian  \
+                    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+                    tee /etc/apt/sources.list.d/docker.list > /dev/null
+                
+                apt-get update
+
+        -   name: Install Docker
+            shell: |
+                apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+        -   name: Test hello-world
+            shell: |
+                docker run hello-world
+

playbooks/apps/docker-ubuntu.yml

@@ -0,0 +1,29 @@
+---
+-   hosts: [ 'debian10' ]
+    tasks:
+        -   name: Remove old packages
+            shell: |
+                for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
+                apt-get autoremove
+
+        -   name: Add APT repository
+            shell: |
+                apt-get update
+                apt-get install ca-certificates curl
+                install -m 0755 -d /etc/apt/keyrings
+                curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+                chmod a+r /etc/apt/keyrings/docker.asc
+                echo \
+                    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+                    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+                    tee /etc/apt/sources.list.d/docker.list > /dev/null
+                apt-get update
+
+        -   name: Install Docker
+            shell: |
+                apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+        -   name: Test hello-world
+            shell: |
+                docker run hello-world
+

playbooks/debops/apache.yml

@@ -10,45 +10,45 @@
                    | combine(inventory__group_environment | d({}))
                    | combine(inventory__host_environment  | d({})) }}'
 
+  vars_files:
+    - ./../../vars/site.yml
+    - ./../../vars/php.yml
+    - ./../../vars/apache.yml
+
   vars:
     apache__base_packages:
-      - libapache2-mod-php8.1
-    apache__role_modules:
-      'headers': True
-      'alias': True
-      'php7.4': True
-      'ssl':
-        enabled: '{{ True if (apache__https_listen and apache__https_enabled) else False }}'
-      'security2':
-        enabled: '{{ apache__security_module_enabled|bool }}'
-      'status':
-        enabled: '{{ apache__status_enabled|bool }}'
-        config: |
-          <Location /server-status>
-              # Revoke default permissions granted in `/etc/apache2/mods-available/status.conf`.
-              Require all denied
-          </Location>
-      'socache_shmcb':
-        enabled: '{{ True
-                     if (apache__ocsp_stapling_enabled|bool
-                         and "shmcb" in apache__ocsp_stapling_cache)
-                     else omit }}'
-      'authz_host':
-        enabled: '{{ True
-                     if (apache__status_enabled|bool
-                         and apache__status_allow_localhost)
-                     else omit }}'
+      - 'libapache2-mod-php{{ php_version }}'
+
+    apache__default_vhost_name:
+      - '{{ domain_name }}'
+      - "{{ (has_www_domain and not www_domain_is_primary) | ternary('www.{{ domain_name }}', omit) }}"
+
+    apache__modules:
+      'php{{ php_version }}': True
+
       'rewrite':
-        enabled: '{{ True
-                     if (apache__register_mod_rewrite_used is defined and
-                         apache__register_mod_rewrite_used.rc|d(1) == 0)
-                     else omit }}'
+        enabled: True
+
     apache__allow:
       - 0.0.0.0
-#    apache__default_vhost:
-#      name: '{{ apache__default_vhost_name }}'
-#      filename: '000-default'
-#      root: '/var/www/html'
+
+    apache__default_vhost:
+      name: '{{ apache__default_vhost_name }}'
+      filename: '000-default'
+      root: '/var/www/html'
+      root_directives: |-
+        RewriteEngine On
+        RewriteOptions Inherit
+        RewriteBase /
+        {% if www_domain_is_primary %}
+        RewriteCond %{HTTP_HOST} ^([^www].*)$
+        RewriteRule ^(.*)$ https://www.%1/$1 [L,R=301]
+        {% else %}
+        RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
+        RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
+        {% endif %}
+        RewriteRule "(^|/)\.(?!well-known\/)" - [F]
+
     apache__vhost_allow_override: 'All'
 
   pre_tasks:
@@ -59,6 +59,12 @@
         tasks_from: 'main_env'
       tags: [ 'role::apache', 'role::apache:env' ]
 
+  post_tasks:
+
+    - name: Remove include subdomains for HSTS policy
+      shell: |-
+        sed -i '/; includeSubDomains/d' etc/apache2/sites-available/000-default.conf
+
   roles:
 
     - role: apache

playbooks/debops/apt.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Manage Advanced Package Manager
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  become: True
+
+  environment: '{{ inventory__environment | d({})
+                   | combine(inventory__group_environment | d({}))
+                   | combine(inventory__host_environment  | d({})) }}'
+
+  post_tasks:
+
+    - name: Upgrade
+      ansible.builtin.apt:
+        upgrade: True
+
+  roles:
+
+    - role: apt
+      tags: [ 'role::apt', 'skip::apt' ]

playbooks/debops/files/etc/nginx/conf.d/map_tld_domain.conf

@@ -0,0 +1,4 @@
+map $host $tld {
+    default $host;
+    '~^www\.(?<domain>.*)$' $domain;
+}

playbooks/debops/files/etc/nginx/includes.d/non-www.conf

@@ -6,11 +6,6 @@ if ( $http_host ~* "^www\.") {
 if ( $nonwww ~* "^0+$" ) {
     return 418;
 }
-# TODO: map need moved to conf.d
-map $host $tld {
-    default $host;
-    '~^www\.(?<domain>.*)$' $domain;
-}
 location @nonwww {
     rewrite ^ https://$tld$request_uri permanent;
 }

playbooks/debops/mariadb-custom-db.yml

@@ -1,5 +1,7 @@
 ---
 
+# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
+
 - name: Manage MariaDB client
   collections: [ 'debops.debops', 'debops.roles01',
                  'debops.roles02', 'debops.roles03' ]

playbooks/debops/mariadb.yml

@@ -1,5 +1,7 @@
 ---
 
+# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
+
 - name: Manage MariaDB client
   collections: [ 'debops.debops', 'debops.roles01',
                  'debops.roles02', 'debops.roles03' ]

playbooks/debops/mariadb_server.yml

@@ -1,5 +1,7 @@
 ---
 
+# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb_server/defaults/main.html
+
 - name: Manage MariaDB server
   collections: [ 'debops.debops', 'debops.roles01',
                  'debops.roles02', 'debops.roles03' ]
@@ -14,7 +16,20 @@
     mariadb_server__flavor: '{{ ansible_local.mariadb.flavor
                                 |d(mariadb_server__flavor_map[ansible_distribution_release] | d("mariadb_upstream")) }}'
     mariadb_server__upstream_version: '11.2'
-    mariadb_server__bind_address: '0.0.0.0'
+    mariadb_server__bind_address: '127.0.0.1'
+    mariadb_server__mysqld_performance_options:
+      'innodb_buffer_pool_instances': '{{ ansible_processor_vcpus | d(1) }}'
+      'innodb_buffer_pool_size': '{{ (ansible_memtotal_mb / 2) | int }}M'
+      'innodb_log_file_size': '{{ (ansible_memtotal_mb / 2) / 4 | int }}M'
+      'query_cache_type': '1'
+      'query_cache_size': '1M'
+      'query_cache_limit': '10M'
+      'join_buffer_size': '1M'
+      'performance_schema': 'ON'
+      'skip-name-resolve': 'ON'
+#    mariadb_server__options:
+#      'query_cache_size': '1M'
+
 
   roles:
     - role: keyring

playbooks/debops/nginx.yml

@@ -1,5 +1,7 @@
 ---
 
+# https://docs.debops.org/en/stable-3.2/ansible/roles/nginx/defaults/main.html
+
 - name: Manage nginx webserver
   collections: [ 'debops.debops', 'debops.roles01',
                  'debops.roles02', 'debops.roles03' ]
@@ -10,10 +12,10 @@
                    | combine(inventory__group_environment | d({}))
                    | combine(inventory__host_environment  | d({})) }}'
 
-
   vars_files:
-    - ./../../vars/nginx.yml
+    - ./../../vars/site.yml
     - ./../../vars/php.yml
+    - ./../../vars/nginx.yml
 
   vars:
     nginx_acme: False
@@ -25,38 +27,38 @@
     nginx_ocsp: False
     nginx_worker_processes: auto
     nginx_manage_ipv6only: False
+    nginx_default_name: 'welcome'
+    nginx_default_ssl_name: 'welcome'
     # TODO: Replace [::]:443 to 443 and [::]:80 to 80 in site nginx config
+    nginx_server_localhost:
+      enabled: False
+    nginx_listen_port: [ '80' ]
+    nginx_listen_ssl_port: [ '443' ]
     nginx__servers:
       - name: '{{ domain_name }}'
-
         type: php
-
         root: '/var/www/{{ site_name }}'
-
         public_dir_name: ''
-
         include_files_begin: '{{ nginx_includes_begin }}'
-
         options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;'
-
         location_list:
           - pattern: '/'
             locations:
-              - pattern: '~ ^/*.-backend/'
-                options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock;'
+              - pattern: '~ ^/.*-backend/'
+                options: |
+                  try_files /index.html @october;
+                  set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock;
+                  client_max_body_size 1000M;
             options: try_files /index.html @october;
           - pattern: '@october'
             options: rewrite ^/.*$ /index.php last;
           - pattern: '~* ^(?!/index).*\.php$'
             options: return 403;
-
         php_options: |
           fastcgi_read_timeout 3000;
         php_upstream: $upstream
-
         #location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
         php_location_script_name: ~ ^(?<script_name>/index\.php)
-
         #location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
         php_location_path_info: ~ ^(?<script_name>/index\.php)(?<path_info>/.*)?
 
@@ -77,6 +79,12 @@
         dest: /etc/nginx/
         mode: 0644
 
+    - name: Copy map config for www/non-www redirects
+      copy:
+        src: etc/nginx/conf.d/map_tld_domain.conf
+        dest: /etc/nginx/conf.d/
+        mode: 0644
+
   post_tasks:
     - name: Default index.html
       template:

playbooks/debops/php-prod.yml

@@ -12,12 +12,10 @@
 
 
   vars:
-    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
-    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
     php__sury_apt_key_id_map:
       'Debian':
         - id: '1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743'
-          repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+          repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
           state: '{{ "present" if php__sury|bool else "absent" }}'
 
         # Key replaced due to security concerns
@@ -25,8 +23,10 @@
         - id: 'DF3D 585D B8F0 EB65 8690  A554 AC0E 4758 4A7A 714D'
           state: 'absent'
     php__sury_apt_repo_map:
-      'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+      'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
       'Ubuntu': 'ppa:ondrej/php'
+    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
+    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
     php__base_packages:
       - unzip
       - git

playbooks/debops/php-wp.yml

@@ -14,14 +14,10 @@
     - ./../../vars/php.yml
 
   vars:
-    php__sury: '{{ ansible_local.php.sury
-                   |d(ansible_distribution_release in [ "buster" ]) | bool }}'
-    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
-    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
     php__sury_apt_key_id_map:
       'Debian':
         - id: '1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743'
-          repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+          repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
           state: '{{ "present" if php__sury|bool else "absent" }}'
 
         # Key replaced due to security concerns
@@ -29,8 +25,10 @@
         - id: 'DF3D 585D B8F0 EB65 8690  A554 AC0E 4758 4A7A 714D'
           state: 'absent'
     php__sury_apt_repo_map:
-      'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
+      'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
       'Ubuntu': 'ppa:ondrej/php'
+    php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
+    php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
     php__base_packages:
       - unzip
       - git

playbooks/debops/root_account.yml

@@ -12,14 +12,9 @@
 
   vars:
     root_account__enabled: True
-#    root_account__dotfiles_enabled: True
-#    root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
-
-  post_tasks:
-    - name: Tmux Plugins Manager
-      # Вообще это конструкция не нужна, так как tmux и сам все прекрасно умеет устанавливать, только если бы у него в этот момент была программа git
-      # Хотя нет, блин, нихрена он не умеет. Последнюю команду он почему не запускает: ~/.tmux/plugins/tpm/bin/install_plugins
-      shell: test -d ~/.tmux/plugins/tpm || git clone https://github.com/tmux-plugins/tpm ~/.tmux/plugins/tpm && ~/.tmux/plugins/tpm/bin/install_plugins
+    root_account__password: False
+    root_account__dotfiles_enabled: True
+    root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
 
   roles:
     - role: root_account

playbooks/debops/yadm.yml

@@ -54,6 +54,9 @@
       args:
         executable: /bin/bash
 
+    - name: Xsel for working clipboard copy with X11 forwarding (use SSH -Y)
+      shell: apt install -yy xsel
+
   roles:
     - role: keyring
       tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]

playbooks/nginx-only.yml

@@ -1,5 +1,6 @@
 ---
 - import_playbook: own/allow-releaseinfo-change.yml
+- import_playbook: debops/apt.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml

playbooks/nginx-site-without-db-site.yml

@@ -0,0 +1,18 @@
+---
+- import_playbook: debops/apt.yml
+- import_playbook: root-account.yml
+- import_playbook: debops/pki.yml
+- import_playbook: debops/system_users.yml
+- import_playbook: debops/php-prod.yml
+- import_playbook: debops/nginx.yml
+- import_playbook: debops/redis.yml
+- import_playbook: own/var-www-set-ownerships.yml
+- import_playbook: own/node-version-manager.yml
+  become: true
+  become_user: '{{ site_name }}'
+- import_playbook: own/nginx-auth.yml
+- import_playbook: own/correct-paths-for-pct-enter.yml
+
+# Import all other group playbooks in this file...
+
+...

playbooks/nginx-site.yml

@@ -1,19 +1,28 @@
 ---
+# https://docs.debops.org/en/stable-3.2/ansible/roles/apt/getting-started.html#example-playbook
+- import_playbook: debops/apt.yml
 - import_playbook: root-account.yml
 - import_playbook: debops/pki.yml
 - import_playbook: debops/system_users.yml
 - import_playbook: debops/mariadb_server.yml
 - import_playbook: debops/mariadb-custom-db.yml
 - import_playbook: debops/php-prod.yml
+- import_playbook: own/libgd3-fix-for-php8.yml
+  when: php_version is defined and php_version != '7.4'
 - import_playbook: debops/nginx.yml
 - import_playbook: debops/redis.yml
 - import_playbook: own/var-www-set-ownerships.yml
 - import_playbook: own/node-version-manager.yml
+  become: true
+  become_user: '{{ site_name }}'
 - import_playbook: own/nginx-auth.yml
 - import_playbook: own/phpmyadmin.yml
 - import_playbook: own/phpmyadmin-nginx-auth.yml
-- import_playbook: own/correct-paths-for-pct-enter.yml
+- import_playbook: own/php-composer.yml
+#- import_playbook: own/correct-paths-for-pct-enter.yml
 
 # Import all other group playbooks in this file...
 
+# TODO: удалить [::]: из конфигов. Определится с дефолтным конфигом. В конфиге pma.conf что-то не так с портами после получения сертификатов.
+# TODO: Перенести маппинг host tld для non-www в conf.d
 ...

playbooks/own/apt-update.yml

@@ -0,0 +1,6 @@
+---
+- name: Update system packages
+  hosts: [ 'debian10' ]
+  tasks:
+    - name: apt update
+      shell: apt update && apt upgrade -y

playbooks/own/libgd3-fix-for-php8.yml

@@ -1,14 +1,19 @@
 ---
 - name: Solve problem with libgd3 for php-gd
   hosts: [ 'debian10' ]
+  vars_files:
+    - ./../../vars/php.yml
   tasks:
-    - copy:
+    - name: Set pin for libgd3 package
+      copy:
         dest: '/etc/apt/preferences.d/libgd-pin100'
         content: |-
           Package: libgd3
           Pin-Priority: 100
-    - shell: |-
+
+    - name: Update apt cache policy and install libgd
+      shell: |-
         apt update
         apt install -t bullseye libgd3 -yy
         apt-cache policy libgd3
-        apt install php8.1-gd -yy
+        apt install php{{ php_version }}-gd -yy

playbooks/own/node-version-manager.yml

@@ -4,6 +4,4 @@
   hosts: [ 'debian10' ]
   tasks:
     - name: Install nvm
-      become: true
-      become_user: '{{ site_name }}'
       shell: 'wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash'

playbooks/own/php-composer.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Install PHP Composer
+
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+
+  hosts: [ 'debian10' ]
+
+  tasks:
+    - name: Download and install composer
+      when: (php_version is defined)
+      shell: |-
+        php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+        php -r "if (hash_file('sha384', 'composer-setup.php') === 'dac665fdc30fdd8ec78b38b9800061b4150413ff2e3b6f88543c636f7cd84f6db9189d43a81e5503cda447da73c7e5b6') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
+        php composer-setup.php
+        php -r "unlink('composer-setup.php');"
+        mv composer.phar /usr/local/bin/composer
+
+    - name: Download and install composer
+      when: (php_version is defined and php_version == '7.4')
+      shell: |-
+        composer self-update 1.10.27

playbooks/own/phpmyadmin-apache-auth.yml

@@ -0,0 +1,26 @@
+---
+
+- name: Create phpmyadmin apache auth passwords file
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+  hosts: [ 'debian10' ]
+  tasks:
+    - name: Import DebOps secret role
+      ansible.builtin.import_role:
+        name: 'secret'
+
+    - shell: |-
+        cd /etc/apache2
+        mkdir -p passwords.d
+
+    - name: 'Adding pma apache auth passwords files'
+      shell: |-
+        echo "pma:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/apache2/passwords.d/pma.passwords
+
+    - name: 'Change require all granted rule, because debops not present appropriate functional'
+      shell: |-
+        sed -i "s|Require all granted|Require valid-user|g" /etc/apache2/sites-available/pma.conf
+
+    - name: 'Restarting apache'
+      shell: |-
+        systemctl restart apache2

playbooks/own/phpmyadmin-nginx-auth.yml

@@ -22,7 +22,7 @@
         content: |-
           server {
               listen 80;
-              listen 443;
+              listen 443 ssl;
               ssl_certificate           /etc/pki/realms/domain/default.crt;
               ssl_certificate_key       /etc/pki/realms/domain/default.key;
               server_name pma.{{ domain_name }};
@@ -50,7 +50,7 @@
 
     - name: 'Adding pma nginx auth passwords files'
       shell: |-
-        echo "{{ site_name }}:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/nginx/passwords.d/pma.passwords
+        echo "pma:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/nginx/passwords.d/pma.passwords
 
     - name: 'Turning on pma web site nginx config'
       shell: |-

playbooks/own/phpmyadmin.yml

@@ -9,9 +9,9 @@
 
   vars:
     - phpmyadmin_version: 5.2.1
+      # https://docs.ansible.com/ansible/latest/collections/community/general/random_string_lookup.html#keyword-parameters
+    - blowfish_secret: "{{ lookup('community.general.random_string', length=32) }}"
 
-  # Create phpmyadmin config for apache2
-  # TODO: Set blowfish_secret and make access rights for ./tmp directory
   tasks:
     - name: 'Download phpMyAdmin {{ phpmyadmin_version }} into var/www dir and uncompress'
       become: true
@@ -23,3 +23,19 @@
         unzip -qq phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
         rm phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
         mv phpMyAdmin-{{ phpmyadmin_version }}-all-languages phpmyadmin
+        cd phpmyadmin
+        cp config.sample.inc.php config.inc.php
+        mkdir tmp && sudo chown :33 tmp && chmod g+w tmp
+
+    - name: 'Set cookie blowfish secret'
+      # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/replace_module.html
+      replace:
+        path: /var/www/phpmyadmin/config.inc.php
+        regexp: "'blowfish_secret'] = ''"
+        replace: "'blowfish_secret'] = '{{ blowfish_secret | replace('\'', '\\\'') }}'\n\n$cfg['CookieSameSite'] = 'Lax';\n"
+
+    - name: 'Set MaxTableList'
+      replace:
+        path: /var/www/phpmyadmin/config.inc.php
+        regexp: "^//$cfg['MaxRows'](.*)"
+        replace: "//$cfg['MaxRows']\1\n\n$cfg['MaxTableList'] = 500;\n"

playbooks/own/wp-cli.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Install WP-CLI
+
+  collections: [ 'debops.debops', 'debops.roles01',
+                 'debops.roles02', 'debops.roles03' ]
+
+  hosts: [ 'debian10' ]
+
+  tasks:
+    - name: Download and install wp-cli
+      shell: |-
+        curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
+        chmod +x wp-cli.phar
+        mv wp-cli.phar /usr/local/bin/wp

playbooks/own/yadm-update.yml

@@ -0,0 +1,9 @@
+---
+- hosts: ['debian10']
+  tasks:
+      - name: Update existing YADM install with remote ip-address plugin and replace own
+        shell: |
+            yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
+            rm -rf .tmux/plugins/tmux-ip-address
+            yadm pull
+            yadm checkout .

playbooks/own/yadm.yml

@@ -0,0 +1,40 @@
+---
+- hosts: [ 'debian10' ]
+  tasks:
+    - name: Install direnv
+      become_user: root
+      shell: |
+        command -v direnv > /dev/null || {
+          curl -sfLo /usr/local/bin/direnv https://github.com/direnv/direnv/releases/download/v2.35.0/direnv.linux-amd64 && \
+          chmod a+x /usr/local/bin/direnv
+        }
+
+    - name: Install Starship
+      become_user: root
+      shell: |
+        command -v starship> /dev/null || {
+          curl -sS https://starship.rs/install.sh | sh -s -- -f
+        }
+
+    - name: Install with init or update yadm
+      become_user: root
+      shell: |
+        command -v yadm && {
+          yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
+          rm -rf .tmux/plugins/tmux-ip-address
+          yadm pull && yadm checkout .
+        } || {
+          curl -sfLo /usr/local/bin/yadm https://github.com/TheLocehiliosan/yadm/raw/master/yadm && chmod a+x /usr/local/bin/yadm
+          yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .
+        }
+
+      # For manual change: sed -i 's/#/\\$/g' ${HOME}/.config/starship.toml
+    - name: 'Change character for non-root user'
+      become_user: root
+      shell: |
+        HOME_USER=$(ls /home)
+        test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .'
+        test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'sed -i "s/#/\\$/g" ${HOME}/.config/starship.toml'
+        exit 0
+      args:
+        executable: /bin/bash

playbooks/root-account.yml

@@ -1,11 +1,11 @@
 ---
 - import_playbook: own/locales.yml
+- import_playbook: debops/apt.yml
 - import_playbook: debops/tzdata.yml
-- import_playbook: own/allow-releaseinfo-change.yml
+#- import_playbook: own/allow-releaseinfo-change.yml# Need only for debian10
 - import_playbook: debops/yadm.yml
 - import_playbook: debops/root_account.yml
-- import_playbook: debops/sudo.yml
+- name: Adding site_name project user to sudoers
+  import_playbook: debops/sudo.yml
+  when: 'runner != "normal"'
 
-# Import all other group playbooks in this file...
-
-...

playbooks/yadm.yml

@@ -0,0 +1,2 @@
+---
+- import_playbook: own/yadm.yml

roles/common/tasks/main.yml

@@ -11,4 +11,8 @@
 
 # Add further tasks for the common role (applied to all servers) to this playbook...
 
-...
+- name: Install gnupg
+  shell: >-
+    apt-get update && 
+    apt-get install --no-install-recommends --no-install-suggests -y gnupg1 gnupg2 gnupg ca-certificates
+

roles/nginx/files/nginx.systemd

@@ -0,0 +1,15 @@
+[Unit]
+Description=nginx - high performance web server
+Documentation=http://nginx.org/en/docs/
+After=network-online.target remote-fs.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/nginx.pid
+ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
+ExecReload=/bin/kill -s HUP $MAINPID
+ExecStop=/bin/kill -s TERM $MAINPID
+
+[Install]
+WantedBy=multi-user.target

run-lxc-playbook.sh

@@ -1,59 +1,58 @@
 #!/bin/bash
-SERVER=$1
-LXC_HOST=$2
-PLAYBOOK=$3
-
-while [[ "$#" -gt 0 ]]; do
-    case $1 in
-        -f|--force) force=1; shift ;;
-    esac
-    shift
-done
+source $1
 
 usage() {
-    echo "Usage: run-lxc-playbook.sh server lxc_host playbook"
-    echo "server - main proxmox server IP address and lxc_host that the name of lxc container"
-    echo "lxc_host - name of lxc container"
-    echo "playbook - playbook file"
+    echo "Usage: run-lxc-playbook.sh path/to/env"
 }
 
 if [[ -z "$SERVER" ]]; then
-  echo "You must defined SERVER as first argument"
+  echo "You must defined SERVER"
   usage
   exit 1
 fi
 
 if [[ -z "$LXC_HOST" ]]; then
-  echo "You must defined LXC_HOST as second argument"
+  echo "You must defined LXC_HOST"
   usage
   exit 1
 fi
 
 if [[ -z "$PLAYBOOK" ]]; then
-  echo "You must defined PLAYBOOK as third argument"
+  echo "You must defined PLAYBOOK"
   usage
   exit 1
 fi
 
-if [[ ! -f "$PLAYBOOK" ]]; then
-  echo "Playbook file is not exists: $PLAYBOOK"
+PLAYBOOK_FILEPATH="playbooks/$PLAYBOOK.yml"
+if [[ ! -f "$PLAYBOOK_FILEPATH" ]]; then
+  echo "Playbook file is not exists: $PLAYBOOK_FILEPATH"
   usage
   exit 1
 fi
 
-COMMAND=$(cat <<EOF
-ansible-playbook -e "lxc_host=$LXC_HOST" --ssh-common-args="-o ProxyCommand='ssh -W %h:%p -q root@$SERVER'" $PLAYBOOK
-EOF
-)
-
-if [[ -z "$force" ]]; then
-  printf 'Launch ansible playbook:\n%s\n' "$COMMAND"
-  read -p "Are you sure?  " -n 1 -r
-  echo    # (optional) move to a new line
-  if [[ $REPLY =~ ^[Yy]$ ]]
-  then
-      /bin/bash -c "$COMMAND"
-  fi
-else
-  /bin/bash -c "$COMMAND"
+if [[ -z "$SITE_NAME" ]]; then
+  echo "You must defined SITE_NAME"
+  usage
+  exit 1
 fi
+
+if [[ -z "$DOMAIN_NAME" ]]; then
+  echo "You must defined DOMAIN_NAME"
+  usage
+  exit 1
+fi
+
+if [[ -z "$DATABASE_NAME" ]]; then
+  echo "You must defined DATABASE_NAME"
+  usage
+  exit 1
+fi
+
+ansible-playbook \
+  -e "lxc_host=$LXC_HOST" \
+  -e "site_name=$SITE_NAME" \
+  -e "domain_name=$DOMAIN_NAME" \
+  -e "database_name=$DATABASE_NAME" \
+  -e "runner=lxc" \
+  --ssh-common-args="-o ProxyCommand='ssh -W %h:%p -q root@$SERVER'" \
+  $PLAYBOOK_FILEPATH

run-playbook.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+SSH_PORT=22
+args=("$@")
+
+# Обработка опций
+for ((i=0; i<$#; i++)); do
+  if [ "${args[$i]}" == "-p" ]; then
+    SSH_PORT=${args[$i+1]}
+    unset 'args[i]'
+    unset 'args[i+1]'
+  fi
+  if [ "${args[$i]}" == "-f" ]; then
+    FORCE=1
+    unset 'args[i]'
+  fi
+done
+
+args=("${args[@]}")
+
+SERVER=${args[0]}
+PLAYBOOK=${args[1]}
+USER=${args[2]}
+
+usage() {
+    echo "Usage: run-vps-playbook.sh server playbook [user]"
+    echo "server - domain or ip address of the vps server"
+    echo "playbook - playbook file"
+    echo "[user] - if choose the use it, otherwise used root"
+}
+
+if [[ -z "$SERVER" ]]; then
+  echo "You must defined SERVER as first argument"
+  usage
+  exit 1
+fi
+
+if [[ -z "$PLAYBOOK" ]]; then
+  echo "You must defined PLAYBOOK as second argument"
+  usage
+  exit 1
+fi
+
+if [[ -z "$USER" ]]; then
+    USER=root
+fi
+
+COMMAND=$(cat <<EOF
+ansible-playbook -e "lxc_host=${SERVER}" -e "runner=normal" -e "ansible_user=${USER}" --ssh-common-args="-p $SSH_PORT"
+EOF
+)
+
+COMMAND="${COMMAND} ${PLAYBOOK}"
+
+if [[ -z "$FORCE" ]]; then
+  printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
+  read -p "Are you sure?  " -n 1 -r
+  echo    # (optional) move to a new line
+  if [[ $REPLY =~ ^[Yyн]$ ]]
+  then
+      /bin/bash -c "${COMMAND}"
+  fi
+else
+    /bin/bash -c "${COMMAND}"
+fi

run-site-playbook.sh

@@ -0,0 +1,69 @@
+#!/bin/bash
+SERVER=$1
+PLAYBOOK=$2
+SITE_NAME=$3
+DOMAIN_NAME=$4
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -f|--force) force=1; shift ;;
+    esac
+    shift
+done
+
+usage() {
+    echo "Usage: run-vps-playbook.sh server playbook site_name domain_name"
+    echo "server - domain or ip address of the vps server"
+    echo "playbook - playbook file"
+    echo "site_name - site name, e.g. intermetiz - that is a project name used for create home directory and www directory, and database dump base file name"
+    echo "domain_name - domain name, e.g. intermetiz.ru"
+}
+
+if [[ -z "$SERVER" ]]; then
+  echo "You must defined SERVER as first argument"
+  usage
+  exit 1
+fi
+
+if [[ -z "$PLAYBOOK" ]]; then
+  echo "You must defined PLAYBOOK as second argument"
+  usage
+  exit 1
+fi
+
+if [[ ! -f "$PLAYBOOK" ]]; then
+  echo "Playbook file is not exists: $PLAYBOOK"
+  usage
+  exit 1
+fi
+
+if [[ -z "$SITE_NAME" ]]; then
+  echo "You must defined SITE_NAME as third argument"
+  usage
+  exit 1
+fi
+
+if [[ -z "$DOMAIN_NAME" ]]; then
+  echo "You must defined DOMAIN_NAME as fourth argument"
+  usage
+  exit 1
+fi
+
+COMMAND=$(cat <<EOF
+ansible-playbook -e "lxc_host=${SERVER}" -e "initial_site_name=${SITE_NAME}" -e "domain_name=${DOMAIN_NAME}" -e runner=site
+EOF
+)
+
+COMMAND="${COMMAND} ${PLAYBOOK}"
+
+if [[ -z "$force" ]]; then
+  printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
+  read -p "Are you sure?  " -n 1 -r
+  echo    # (optional) move to a new line
+  if [[ $REPLY =~ ^[Yyн]$ ]]
+  then
+      /bin/bash -c "${COMMAND}"
+  fi
+else
+    /bin/bash -c "${COMMAND}"
+fi

run-vps-playbook.sh

@@ -1,54 +0,0 @@
-#!/bin/bash
-SERVER=$1
-PLAYBOOK=$2
-SITE_NAME=$3
-
-while [[ "$#" -gt 0 ]]; do
-    case $1 in
-        -f|--force) force=1; shift ;;
-    esac
-    shift
-done
-
-usage() {
-    echo "Usage: run-vps-playbook.sh server playbook [site_name]"
-    echo "server - domain or ip adress of the vps server"
-    echo "site_name - site name"
-    echo "playbook - playbook file"
-}
-
-if [[ -z "$SERVER" ]]; then
-  echo "You must defined SERVER as first argument"
-  usage
-  exit 1
-fi
-
-if [[ -z "$PLAYBOOK" ]]; then
-  echo "You must defined PLAYBOOK as third argument"
-  usage
-  exit 1
-fi
-
-
-COMMAND=$(cat <<EOF
-ansible-playbook -e "lxc_host=${SERVER}"
-EOF
-)
-
-if [[ -n "$SITE_NAME" ]]; then
-  COMMAND="${COMMAND} -e initial_site_name=${SITE_NAME}"
-fi
-
-COMMAND="${COMMAND} ${PLAYBOOK}"
-
-if [[ -z "$force" ]]; then
-  printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
-  read -p "Are you sure?  " -n 1 -r
-  echo    # (optional) move to a new line
-  if [[ $REPLY =~ ^[Yy]$ ]]
-  then
-      /bin/bash -c "${COMMAND}"
-  fi
-else
-    /bin/bash -c "${COMMAND}"
-fi

vars/apache-example.yml

@@ -0,0 +1,8 @@
+apache__dependent_vhosts:
+  - name: 'pma.{{ apache__default_vhost_name[0] }}'
+    filename: 'pma'
+    root: '/var/www/phpmyadmin'
+    root_directives: |-
+      AuthType Basic
+      AuthName "Authorization"
+      AuthUserFile passwords.d/pma.passwords

vars/databases-example.yml

@@ -1,3 +1,5 @@
+# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults-detailed.html#mariadb-users
+
 mariadb__databases:
   - name: '{{ site_name }}'
     source: '{{ inventory_dir }}//data/db-dumps/{{ site_name }}.sql.bz2'
@@ -5,5 +7,5 @@ mariadb__databases:
 
 mariadb__users:
   - name: '{{ site_name }}'
-    host: '%'
+    host: 'localhost'
     database: '{{ site_name }}%'

vars/nginx-example.yml

@@ -1,3 +1,2 @@
-domain_name: site.com
-nginx_www_domain: True
-nginx_www_redirect: www
+nginx_www_domain: '{{ has_www_domain }}'
+nginx_www_redirect: '{{ www_domain_is_primary | ternary("www", "non-www") }}'

vars/site-example.yml

@@ -0,0 +1,2 @@
+has_www_domain: True
+www_domain_is_primary: False

vars/system_users-example.yml

@@ -1,7 +1,3 @@
-system_users__groups:
-  - name: '{{ site_name }}'
-    user: False
-
 system_users__accounts:
   - name: '{{ site_name }}'
     group: '{{ site_name }}'

yadm.yml

@@ -1,8 +0,0 @@
----
-- import_playbook: debops/yadm.yml
-- import_playbook: debops/users.yml
-- import_playbook: debops/sudo.yml
-
-# Import all other group playbooks in this file...
-
-...