gitea/ansible-lxc-templates
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: gitea:7fa274c8766cf062f681df6e6616fee56eabe417
Branches Tags
gitea:master
..
compare: gitea:master
Branches Tags
gitea:master

38 Commits
7fa274c876 ... master

Author SHA1 Message Date
Raptor Dimti Garuda
b70574767e * use debops as separate package 
* set python version via pyenv
 2025-04-08 12:40:45 +03:00
Raptor Dimti Garuda
d9232999ca + probes to use env vars for lxc projects 2025-03-09 20:06:39 +03:00
gitea
db847c8710 * that is debian not ubuntu 2025-02-16 13:00:34 +00:00
dimti
3dfacd0822 + refactored and solve some problems with mariadb and nginx playbook 
+ apps playbooks - docker, caprover
* simple refactore starter scripts
+ apt update debops playboook prepend launch by default
* sury repo changed
* database users locked to localhost only
* phpmyadmin blowfish generate secret fix
 2025-02-10 23:35:41 +03:00
dimti
bff53b4c1a * correct curl options for downloading direnv release binary 
* hard checkout dotfiles after yadm repository fetch
 2024-10-16 18:45:28 +03:00
dimti
2097964fc4 * try to automatic install yadm and direnv if not presented on target system 2024-10-16 17:35:55 +03:00
dimti
74f9f3ef7a * set bigger client max body size for backend fpm socket 
* try to use ${HOME} var instead of ansible user var for detecting home dir
 2024-10-09 15:02:43 +03:00
dimti
3243c81b3d + change starship command prompt sign for non privileged user in separate yadm playbook 2024-09-22 17:51:52 +03:00
dimti
051b7778d6 * set correctly sign character for yadm starship toml when setting up for non-root user 2024-08-05 12:49:44 +03:00
dimti
7f393e79d7 + remove include sub domains from hsts policy 2024-08-01 23:41:36 +03:00
dimti
034988c117 - remove unnecessary blocked dot-files rule for sh and example, because previous rule for all dot files or dot-dirs - blocked that also 2024-07-30 22:53:04 +03:00
dimti
4c90ee6429 + use rewrite options directive with inherit value for merge rewrite rules from base apache site config and htaccess rewrite rules in the site directory 2024-07-30 21:50:50 +03:00
dimti
5a4ec54d3b * correct pass to backend fpm socket 2024-07-22 07:46:53 +03:00
dimti
bbb84079df + php-composer install own playbook with version downgrade for oldest php 7.4 
* automatic detect php version and set php extension (for =>8 php version without installing gd, because Debian 11 need libgd3 fix for that)
* mapping tld hostname for non-www redirection moved to conf.d and copy that file to remote machine with others existing map-files
* some features in this commit not to be a tested in real environment
 2024-07-02 08:47:01 +03:00
dimti
24c9799270 * quotable used variables in nginx vars config 2024-06-28 09:13:07 +03:00
dimti
85c08d9d68 * true installation options for apt xsel 
* use pma user for generate basic auth password for phpmyadmin virtual host
* include wp-cli playbook for apache site by default
 2024-06-04 15:36:16 +03:00
dimti
b3cc57a4d9 + xsel install in yadm playbook post tasks 2024-05-13 09:12:35 +03:00
dimti
b7b67f1c86 * external become_user set for execute nodejs version manager install for possible launch that playbook without become_user interactions (if setting user on execute ansible starter script) 2024-05-08 17:39:34 +03:00
dimti
6186ab94e0 * use appropriate php version both for php and apache installations 
+ pma for apache with auth and hand made change granted permissions
+ wp-cli
+ www-domain alias for apache and revers redirect for that
 2024-04-20 09:11:19 +03:00
dimti
452d5cca79 * usage shared run playbook script extended with user doc 
* example with alternate ssh port
* remove todo from yadm, because that is realized in dotfiles repo
 2024-04-04 18:21:14 +03:00
dimti
f276e83e9a + libgd install for php 8.* now use php version as variable 
#861m7vaer Шаблон операционной системы на Debian 10
 2024-04-03 10:51:47 +03:00
dimti
fd2022333e + todo for nginx and pma configs 
* pma blowfish secret generator and tmp dir fixes

#861m7vaer Шаблон операционной системы на Debian 10
 2024-04-02 10:31:44 +03:00
dimti
fb93943ba5 + yadm initialization for non priveleged and existing users 
#861m7vaer Шаблон операционной системы на Debian 10
 2024-03-22 18:47:05 +03:00
dimti
958e39bce7 * separate launch script by runner type concepts 
* do not launch sudo playbook for simple server install
* use domain_name as env variable from launch script
 2024-01-22 01:25:18 +03:00
dimti
ffb599469e * remove separately groups array from system users vars (fix - adding example var file to git) 2024-01-10 17:48:38 +03:00
dimti
b87659737e * remove separately groups array from system users vars, because task for manager system users - used combined array both with groups and users and same naming users items not included to this array, if use groups with same name before same-name users 2023-12-29 21:45:21 +03:00
dimti
371e8c671b + add install requirements example to readme 
+ nginx site playbook without db
 2023-12-29 20:37:21 +03:00
dimti
6270c71549 + example system unit file 
+ own common tasks of prepared debian for make programs from source
+ ansible ssh port example
 2023-12-29 20:05:20 +03:00
dimti
73647f855d + non-www redirect nginx script (with todo) 
+ domain_name & refactored nginx variables for resolve connect of www-domain logic and redirect to or from
* some installs have error after login to non-privileged user with starship $-symbol - correct escaped function for that
+ use separate domain for pma nginx config based on new domain_name variable (defined in nginx vars file)
* update database example vars (use inventory dir path and bz2 by default)

#861m7vaer Шаблон операционной системы на Debian 10
 2023-10-29 21:57:44 +03:00
dimti
3bf86281d2 + latest extensions - deployed nginx, apache, php 74 & 81, nvm, automatic databases import and phpmyadmin with nginx basic auth 
+ dhcp dnsmasq server playbook for create inner server network

#861m7vaer Шаблон операционной системы на Debian 10
 2023-10-24 17:26:53 +03:00
dimti
9bb3348cce + sample configs for nginx-proxy lxc instance 
+ site_name as general option for different lxc_host and site_name (personally used for vps deployment)
+ vps deploy script
+ node version manager install
+ php version setup vars moved into separate vars-file
+ ansible.cfg that helps to use local inventory and group_vars files
+ root account playbook
 2023-09-27 10:49:04 +03:00
dimti
05c680826c + fix install tmux plugin check 
+ nginx master proxy dummy things

#861m7vaer Шаблон операционной системы на Debian 10
 2023-06-05 23:41:35 +03:00
dimti
796f8a31a7 + change ownerships to var www dir after apache or nginx role processed 
#861m7vaer Шаблон операционной системы на Debian 10
 2023-04-21 11:56:30 +03:00
dimti
cf50453d7d + installing tmux plugin manager for root_account role 
+ starship install via yadm role (multi use installation) and installing Nerd Font
* change straship character for not privileged user
* fix path to normalized css for default nginx page
* own custom roles (allow releaseinfo change and install locales) moved to playbooks dir

#861m7vaer Шаблон операционной системы на Debian 10
 2023-04-18 10:20:49 +03:00
dimti
cb1b727da9 * conditional logic for nginx www redirect 
+ use lxc_host & ssh proxying for resolve connection to inner lxc host in proxmox
+ bash helper for launch playbooks
+ nginx html default template
* create databases moved into own custom variables
+ new using debops roles: yadm (dotfiles), sudo, root_account, system_users

#861m7vaer Шаблон операционной системы на Debian 10
 2023-04-13 07:40:56 +03:00
dimti
38509f5161 + php redis 
#861m7vaer Шаблон операционной системы на Debian 10
 2023-03-19 16:14:49 +03:00
dimti
82a4dc6f55 + php intl 
* fix blocking all php script except index.php
 2023-03-19 14:56:31 +03:00
dimti
7d745761f2 + nginx, php-fpm and octobercms playbooks 
* separate wp-apache and nginx php-fpm playbooks
 2023-03-11 21:23:28 +03:00
87 changed files with 2289 additions and 244 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,3 +1,3 @@
*.retry
.idea
/secret
/ansible.cfg

1
.python-version Normal file
View File

@ -0,0 +1 @@
3.13.2

160
README.md
View File

@ -1,147 +1,19 @@
# Ansible-Boilerplate
[![GitHub Issues](https://img.shields.io/github/issues/acch/ansible-boilerplate.svg)](https://github.com/acch/ansible-boilerplate/issues) [![GitHub Stars](https://img.shields.io/github/stars/acch/ansible-boilerplate.svg?label=github%20%E2%98%85)](https://github.com/acch/ansible-boilerplate/) [![License](https://img.shields.io/github/license/acch/ansible-boilerplate.svg)](LICENSE)
[Ansible](https://www.ansible.com/) is a configuration management tool, similar to [Chef](https://www.chef.io/) and [Puppet](https://puppet.com/). It allows for performing logical configuration of infrastructure components, such as servers and network switches. The configuration files in this repository can act as a template for your own Ansible projects, in order to get you started quickly. Once you've customized the configuration files then new servers can be configured quickly — excluding their network configuration. This means that adding new servers is as simple as:
- Base OS installation of new server
- Network configuration of new server (including bond, bridge, DNS and routing)
- Configuration of password-less (public key) SSH authentication from the Ansible host (your laptop) to the new server
The remaining configuration (installing packages, configuring services, etc.) can then be achieved using Ansible. In addition, Ansible ensures that configuration of all servers is and remains consistent.
## Using this repository
Simply download (clone) the repository and start modifying files according to your needs.
# Getting Started
## Create symlink for ansible hosts
`sudo ln -s $(realpath hosts) /etc/ansible/hosts`
## Modify your ~/.ssh/config
```
git clone https://github.com/acch/ansible-boilerplate.git myAnsibleProject/
Host debian10.dedic106-dhcp.dimti.ru
Port 22242
```
## Install needed ansible galaxy collections
```
Ideally, you'll want to use [Git](https://git-scm.com/) to manage your Ansible configuration files. For that purpose simply [fork](https://help.github.com/articles/fork-a-repo/) this repository into your own Git repository before cloning and customizing it. Alternatively, create your own repository [from the template](https://help.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-repository-from-a-template). Git will allow you to version and roll-back changes with ease.
Specifically, you'll want to customize the following files:
- Add your own hosts and groups to file `hosts`. You'll want to replace `[anygroup]` with a more meaningful group name, and add your own groups as required.
- Define roles by adding subdirectories underneath directory `roles/`. You'll want to rename `anyrole/` to a more meaningful role name, and add your own roles as required.
- Associate your hosts (groups) with your roles by adding appropriate playbooks in the root directory. Rename `anygroup.yml` to a more meaningful playbook name.
- Import all your playbooks in the main `site.yml` playbook.
## Using Ansible
Install `ansible` on your laptop and link the `hosts` file from `/etc/ansible/hosts` to the file in your repository. Now you're all set.
To run a single (ad-hoc) task on multiple servers:
ansible-galaxy install -g -f -r requirements.yml
```
# Check connectivity
ansible all -m ping -u root
# Run single command on all servers
ansible all -m command -a "cat /etc/hosts" -u root
# Run single command only on servers in specific group
ansible anygroup -m command -a "cat /etc/hosts" -u root
# Run single command on individual server
ansible server1 -m command -a "cat /etc/hosts" -u root
```
As the `command` module is the default, it can also be omitted:
```
ansible server1 -a "cat /etc/hosts" -u root
```
To use shell variables on the remote server, use the `shell` module instead of `command`, and use single quotes for the argument:
```
ansible server1 -m shell -a 'echo $HOSTNAME' -u root
```
The true power of ansible comes with so called *playbooks* — think of them as scripts, but they're declarative. Playbooks allow for running multiple tasks on any number of servers, as defined in the configuration files (`*.yml`):
```
# Run all tasks on all servers
ansible-playbook site.yml -v
# Run all tasks only on group of servers
ansible-playbook anygroup.yml -v
# Run all tasks only on individual server
ansible-playbook site.yml -v -l server1
```
Note that `-v` produces verbose output. `-vv` and `-vvv` are also available for even more (debug) output.
To verify what tasks would do without changing the actual configuration, use the `--list-hosts` and `--check` parameters:
```
# Show hosts that would be affected by playbook
ansible-playbook site.yml --list-hosts
# Perform dry-run to see what tasks would do
ansible-playbook site.yml -v --check
```
Running all tasks in a playbook may take a long time. *Tags* are available to organize tasks so one can only run specific tasks to configure a certain component:
```
# Show list of available tags
ansible-playbook site.yml --list-tags
# Only run tasks required to configure DNS
ansible-playbook site.yml -v -t dns
```
Note that the above command requires you to have tasks defined with the `tags: dns` attribute.
## Configuration files
The `hosts` file defines all hosts and groups which they belong to. Note that a single host can be member of multiple groups. Define groups for each rack, for each network, or for each environment (e.g. production vs. test).
### Playbooks
Playbooks associate hosts (groups) with roles. Define a separate playbook for each of your groups, and then import all playbooks in the main `site.yml` playbook.
File | Description
---- | -----------
`site.yml` | Main playbook - runs all tasks on all servers
`anygroup.yml` | Group playbook - runs all tasks on servers in group *anygroup*
### Roles
The group playbooks (e.g. `anygroup.yml`) simply associate hosts with roles. Actual tasks are defined in these roles:
```
roles/
├── common/ Applied to all servers
│ ├── handlers/
│ ├── tasks/
│ │ └ main.yml Tasks for all servers
│ └── templates/
└── anyrole/ Applied to servers in specific group(s)
├── handlers/
├── tasks/
│ └ main.yml Tasks for specific group(s)
└── templates/
```
Consider adding separate roles for different applications (e.g. webservers, dbservers, hypervisors, etc.), or for different responsibilities which servers fulfill (e.g. infra_server vs. infra_client).
### Tags
Use the following command to show a list of available tags:
```
ansible-playbook site.yml --list-tags
```
Consider adding tags for individual components (e.g. DNS, NTP, HTTP, etc.).
Role | Tags
--- | ---
Common | all,check
## Copyright and license
Copyright 2017 Achim Christ, released under the [MIT license](LICENSE)
# Usage
## Ping
`ansible debian10 -m ping -u root`
## Playbook
`ansible-playbook anygroup.yml`
## Playbook group only tag
`ansible-playbook anygroup.yml -t nginx`

4
ansible.cfg.example Normal file
View File

@ -0,0 +1,4 @@
[defaults]
inventory=./hosts
group_vars=./group_vars
collections_paths=~/.ansible/collections:~/.pyenv/versions/3.13.2/lib/python3.13/site-packages/debops/_data/ansible/collections

69
apache.yml
View File

@ -1,69 +0,0 @@
---
- name: Manage and configure the Apache HTTP Server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
apache__base_packages:
- libapache2-mod-php7.4
apache__role_modules:
'headers': True
'alias': True
'php7.4': True
'ssl':
enabled: '{{ True if (apache__https_listen and apache__https_enabled) else False }}'
'security2':
enabled: '{{ apache__security_module_enabled|bool }}'
'status':
enabled: '{{ apache__status_enabled|bool }}'
config: |
<Location /server-status>
# Revoke default permissions granted in `/etc/apache2/mods-available/status.conf`.
Require all denied
</Location>
'socache_shmcb':
enabled: '{{ True
if (apache__ocsp_stapling_enabled|bool
and "shmcb" in apache__ocsp_stapling_cache)
else omit }}'
'authz_host':
enabled: '{{ True
if (apache__status_enabled|bool
and apache__status_allow_localhost)
else omit }}'
'rewrite':
enabled: '{{ True
if (apache__register_mod_rewrite_used is defined and
apache__register_mod_rewrite_used.rc|d(1) == 0)
else omit }}'
apache__allow:
- 0.0.0.0
# apache__default_vhost:
# name: '{{ apache__default_vhost_name }}'
# filename: '000-default'
# root: '/var/www/html'
pre_tasks:
- name: Prepare apache environment
import_role:
name: 'apache'
tasks_from: 'main_env'
tags: [ 'role::apache', 'role::apache:env' ]
roles:
# - role: ferm
# tags: [ 'role::ferm', 'skip::ferm' ]
# ferm__dependent_rules:
# - '{{ apache__ferm__dependent_rules }}'
- role: apache
tags: [ 'role::apache', 'skip::apache' ]

2
data/db-dumps/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
*
!.gitignore

13
envs/lxc/server/lxc.env.example Normal file
View File

@ -0,0 +1,13 @@
SERVER=proxmox_host
LXC_HOST=project_lxc_container
PLAYBOOK=nginx-site
# That is a project name and name of the HOME USER
# @see group_vars/all.yml
SITE_NAME=project_name
DOMAIN_NAME=project_domain_name
DATABASE_NAME=project_name

4
group_vars/all.yml
View File

@ -3,6 +3,10 @@
ansible_user: root
remote_user: root
keyring__keyserver: hkp://keyserver.ubuntu.com:80
# Add further variables which apply to all servers to this file...
secret__levels: '.'
home_user: '{{ (ansible_user != "root") | ternary(ansible_user, site_name) }}'
...

4
hosts
View File

@ -10,7 +10,9 @@
# - A hostname/ip can be a member of multiple groups
[lxc_templates]
debian10 ansible_host=debian10.dedic106-dhcp.dimti.ru ansible_user=root
#debian10 ansible_host=debian10.dedic106-dhcp.dimti.ru ansible_user=root
#debian10 ansible_host='{{ lxc_host }}' ansible_port=22230
debian10 ansible_host='{{ lxc_host }}'
[anygroup]
server1 ansible_host=192.168.0.1

0
manala.nginx.yml → manala/manala.nginx.yml
View File

0
manala.php.yml → manala/manala.php.yml
View File

9
ping.yml Normal file
View File

@ -0,0 +1,9 @@
---
- hosts: debian10
tasks:
- name: whoami test
shell: whoami
# Associate further roles to servers in specific group in this file...
...

7
playbooks/_mysql-server-site.yml Normal file
View File

@ -0,0 +1,7 @@
---
- import_playbook: debops/mariadb_server.yml
- import_playbook: debops/mariadb-custom-db.yml
# Import all other group playbooks in this file...
...

20
playbooks/apache-site.yml Normal file
View File

@ -0,0 +1,20 @@
---
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
- import_playbook: debops/mariadb_server.yml
- import_playbook: debops/mariadb-custom-db.yml
- import_playbook: debops/php-wp.yml
- import_playbook: debops/apache.yml
#- import_playbook: debops/redis.yml
- import_playbook: own/var-www-set-ownerships.yml
- import_playbook: own/phpmyadmin.yml
- import_playbook: own/phpmyadmin-apache-auth.yml
#- import_playbook: own/libgd3-fix-for-php81.yml # Need only for php8.1
#- import_playbook: own/correct-paths-for-pct-enter.yml
- import_playbook: own/wp-cli.yml
# Import all other group playbooks in this file...
...

17
playbooks/apps/caprover.yml Normal file
View File

@ -0,0 +1,17 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Configure Firewall
shell: |
ufw allow 80,443,3000,996,7946,4789,2377/tcp; ufw allow 7946,4789,2377/udp;
- name: Install caprover
shell: |
docker run -p 80:80 -p 443:443 -p 3000:3000 -e ACCEPTED_TERMS=true -v /var/run/docker.sock:/var/run/docker.sock -v /captain:/captain caprover/caprover
- name: "Install npm caprover package (after that use: caprover serversetup)"
shell: |
export NVM_DIR="$HOME/.nvm"
. "$NVM_DIR/nvm.sh"
. "$NVM_DIR/bash_completion"
npm install -g caprover

33
playbooks/apps/docker-debian.yml Normal file
View File

@ -0,0 +1,33 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Remove old packages
shell: |
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
apt-get autoremove
- name: Add APT repository
shell: |
# Add Docker's official GPG key:
apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian /gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
- name: Install Docker
shell: |
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- name: Test hello-world
shell: |
docker run hello-world

29
playbooks/apps/docker-ubuntu.yml Normal file
View File

@ -0,0 +1,29 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Remove old packages
shell: |
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do apt-get remove $pkg; done
apt-get autoremove
- name: Add APT repository
shell: |
apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
- name: Install Docker
shell: |
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
- name: Test hello-world
shell: |
docker run hello-world

1
phpmyadmin.yml → playbooks/debops/_phpmyadmin.yml
View File

@ -11,6 +11,5 @@
| combine(inventory__host_environment | d({})) }}'
roles:
- role: phpmyadmin
tags: [ 'role::phpmyadmin', 'skip::phpmyadmin' ]

71
playbooks/debops/apache.yml Normal file
View File

@ -0,0 +1,71 @@
---
- name: Manage and configure the Apache HTTP Server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/site.yml
- ./../../vars/php.yml
- ./../../vars/apache.yml
vars:
apache__base_packages:
- 'libapache2-mod-php{{ php_version }}'
apache__default_vhost_name:
- '{{ domain_name }}'
- "{{ (has_www_domain and not www_domain_is_primary) | ternary('www.{{ domain_name }}', omit) }}"
apache__modules:
'php{{ php_version }}': True
'rewrite':
enabled: True
apache__allow:
- 0.0.0.0
apache__default_vhost:
name: '{{ apache__default_vhost_name }}'
filename: '000-default'
root: '/var/www/html'
root_directives: |-
RewriteEngine On
RewriteOptions Inherit
RewriteBase /
{% if www_domain_is_primary %}
RewriteCond %{HTTP_HOST} ^([^www].*)$
RewriteRule ^(.*)$ https://www.%1/$1 [L,R=301]
{% else %}
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
{% endif %}
RewriteRule "(^|/)\.(?!well-known\/)" - [F]
apache__vhost_allow_override: 'All'
pre_tasks:
- name: Prepare apache environment
import_role:
name: 'apache'
tasks_from: 'main_env'
tags: [ 'role::apache', 'role::apache:env' ]
post_tasks:
- name: Remove include subdomains for HSTS policy
shell: |-
sed -i '/; includeSubDomains/d' etc/apache2/sites-available/000-default.conf
roles:
- role: apache
tags: [ 'role::apache', 'skip::apache' ]

22
playbooks/debops/apt.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: Manage Advanced Package Manager
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
post_tasks:
- name: Upgrade
ansible.builtin.apt:
upgrade: True
roles:
- role: apt
tags: [ 'role::apt', 'skip::apt' ]

52
playbooks/debops/dnsmasq.yml Normal file
View File

@ -0,0 +1,52 @@
---
- name: Configure dnsmasq
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
dnsmasq__dhcpv4: True
dnsmasq__dhcpv6: False
dnsmasq__interfaces:
- name: 'eth1'
# addresses: ['172.16.30.100']
domain: local
dhcp_range_start: 180
dhcp_range_end: -6
dnsmasq__base_domain: 'local'
# dnsmasq__configuration:
# - name: 'dhcp-option.conf'
# options:
# - name: 'dhcp-option-1'
# option: 'dhcp-option'
# value: '1,255.255.255.0'
# - name: 'dhcp-option-3'
# option: 'dhcp-option'
# value: '3,172.16.30.100'
# - name: 'dhcp-option-6'
# option: 'dhcp-option'
# value: '6,172.16.30.100'
pre_tasks:
- name: Prepare dnsmasq environment
import_role:
name: 'dnsmasq'
tasks_from: 'main_env'
tags: [ 'role::dnsmasq', 'role::ferm', 'role::tcpwrappers' ]
roles:
- role: resolvconf
tags: [ 'role::resolvconf', 'skip::resolvconf' ]
resolvconf__dependent_services:
- 'dnsmasq'
- role: dnsmasq
tags: [ 'role::dnsmasq', 'skip::dnsmasq' ]

18
playbooks/debops/files/etc/nginx-master-proxy/conf.d/sample-filecloud.conf.example Normal file
View File

@ -0,0 +1,18 @@
server {
listen 80;
server_name domain;
client_max_body_size 0;
location / {
proxy_pass http://site_name;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}

20
playbooks/debops/files/etc/nginx-master-proxy/conf.d/sample-s3.conf.example Normal file
View File

@ -0,0 +1,20 @@
server {
listen 80;
server_name domain;
ignore_invalid_headers off;
client_max_body_size 0;
proxy_buffering off;
location / {
proxy_pass http://site_name:9000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
proxy_http_version 1.1;
proxy_set_header Connection "";
chunked_transfer_encoding off;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}

32
playbooks/debops/files/etc/nginx-master-proxy/conf.d/sample-youtrack.conf.example Normal file
View File

@ -0,0 +1,32 @@
server {
listen 80;
server_name domain;
location / {
proxy_pass http://site_name:8080;
access_log off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
client_max_body_size 60m;
proxy_http_version 1.1;
}
location /api/eventSourceBus {
proxy_pass http://site_name:8080;
access_log off;
proxy_cache off;
proxy_buffering off;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
proxy_set_header Connection '';
chunked_transfer_encoding off;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
}
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
}

16
playbooks/debops/files/etc/nginx-master-proxy/conf.d/website.conf.example Normal file
View File

@ -0,0 +1,16 @@
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/tmp/domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/tmp/domain/privkey.pem;
server_name domain;
location / {
proxy_pass https://lxc;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
}
# TODO: example site.auth.conf

4
playbooks/debops/files/etc/nginx/conf.d/map_tld_domain.conf Normal file
View File

@ -0,0 +1,4 @@
map $host $tld {
default $host;
'~^www\.(?<domain>.*)$' $domain;
}

12
playbooks/debops/files/etc/nginx/includes.d/non-www.conf Normal file
View File

@ -0,0 +1,12 @@
error_page 418 = @nonwww;
set $nonwww "";
if ( $http_host ~* "^www\.") {
set $nonwww "${nonwww}0";
}
if ( $nonwww ~* "^0+$" ) {
return 418;
}
location @nonwww {
rewrite ^ https://$tld$request_uri permanent;
}

49
playbooks/debops/files/etc/nginx/includes.d/octobercms.conf Normal file
View File

@ -0,0 +1,49 @@
location ~ ^/combine.*\.(css|js) {
rewrite ^/.*$ /index.php last;
expires max;
}
# Whitelist
## Let October handle if static file not exists
location ~ ^/favicon\.ico { try_files $uri /index.php; }
location ~ ^/sitemap\.xml { try_files $uri /index.php; }
location ~ ^/robots\.txt { try_files $uri /index.php; }
location ~ ^/humans\.txt { try_files $uri /index.php; }
## Google & Yandex website promts
location ~ ^/(google|yandex).*\.html { try_files $uri /index.php; }
location ~ ^/.*\.xml { try_files $uri /index.php; }
## Let nginx return 404 if static file not exists
location ~ ^/storage/app/uploads/public { access_log off; try_files $uri /404; }
location ~ ^/storage/app/media { access_log off; try_files $uri /404; }
location ~ ^/storage/app/yml { try_files $uri /404; }
location ~ ^/files { access_log off; try_files $uri /404; }
location ~ ^/storage/app/.*\.xls { try_files $uri /404; }
location ~ ^/storage/temp/public { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/modules/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/behaviors/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/behaviors/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/reportwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/reportwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/formwidgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/formwidgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/widgets/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/plugins/.*/.*/widgets/.*/resources { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/assets { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/semantic { access_log off; try_files $uri /404; }
location ~ ^/themes/.*/resources { access_log off; try_files $uri /404; }

29
playbooks/debops/files/etc/nginx/includes.d/staticfiles.conf Normal file
View File

@ -0,0 +1,29 @@
location ~* \.(jpg|jpeg|gif|png|svg|ico)$ {
access_log off;
expires max;
log_not_found off;
error_page 404 = /empty;
}
location = /empty {
expires 0;
empty_gif;
}
location ~* \.(eot|ttf|woff|pdf|css|js)$ {
access_log off;
expires max;
}
location ~* \.(xml|xls)$ {
add_header Cache-Control "no-cache";
}
location ~ /\. {
deny all;
}
location ~* \.(tpl|ini|sh) {
deny all;
}

20
playbooks/debops/files/etc/nginx/includes.d/www.conf Normal file
View File

@ -0,0 +1,20 @@
error_page 418 = @www;
set $www "0";
if ( $http_host ~* "^www\.") {
set $www "${www}1";
}
if ( $http_host ~* "^m\.") {
set $www "${www}2";
}
if ( $www = "0" ) {
return 418;
}
location @www {
rewrite ^ $scheme://www.$host$request_uri? permanent;
}

19
playbooks/debops/keyring.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Manage APT and GPG keyrings
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
keyring__enabled: True
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring' ]

40
playbooks/debops/mariadb-custom-db.yml Normal file
View File

@ -0,0 +1,40 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
mariadb__upstream_version: '10.5'
vars_files:
- ./../../vars/databases.yml
roles:
- role: secret
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::mariadb' ]
keyring__dependent_apt_keys:
- '{{ mariadb__keyring__dependent_apt_keys }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::mariadb' ]
python__dependent_packages3:
- '{{ mariadb__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ mariadb__python__dependent_packages2 }}'
- role: mariadb
tags: [ 'role::mariadb', 'skip::mariadb' ]

9
mariadb.yml → playbooks/debops/mariadb.yml
View File

@ -1,5 +1,7 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults/main.html
- name: Manage MariaDB client
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
@ -13,13 +15,6 @@
vars:
mariadb__flavor: '{{ ansible_local.mariadb.flavor|d(mariadb__flavor_map[ansible_distribution_release] | d("mariadb")) }}'
mariadb__upstream_version: '10.5'
mariadb__databases:
- name: 'intermetiz'
- name: 'intermetiz-products'
mariadb__users:
- name: 'intermetiz'
host: '%'
database: 'intermetiz%'
roles:

19
mariadb_server.yml → playbooks/debops/mariadb_server.yml
View File

@ -1,5 +1,7 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb_server/defaults/main.html
- name: Manage MariaDB server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
@ -13,8 +15,21 @@
vars:
mariadb_server__flavor: '{{ ansible_local.mariadb.flavor
|d(mariadb_server__flavor_map[ansible_distribution_release] | d("mariadb_upstream")) }}'
mariadb_server__upstream_version: '10.5'
mariadb_server__bind_address: '0.0.0.0'
mariadb_server__upstream_version: '11.2'
mariadb_server__bind_address: '127.0.0.1'
mariadb_server__mysqld_performance_options:
'innodb_buffer_pool_instances': '{{ ansible_processor_vcpus | d(1) }}'
'innodb_buffer_pool_size': '{{ (ansible_memtotal_mb / 2) | int }}M'
'innodb_log_file_size': '{{ (ansible_memtotal_mb / 2) / 4 | int }}M'
'query_cache_type': '1'
'query_cache_size': '1M'
'query_cache_limit': '10M'
'join_buffer_size': '1M'
'performance_schema': 'ON'
'skip-name-resolve': 'ON'
# mariadb_server__options:
# 'query_cache_size': '1M'
roles:
- role: keyring

29
playbooks/debops/nginx-master-proxy.yml Normal file
View File

@ -0,0 +1,29 @@
---
- name: Manage master nginx proxy
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
nginx_acme: True
nginx_real_ip_from: ['172.16.30.0/24']
nginx_default_keepalive_timeout: 65
nginx_ocsp: False
nginx_worker_processes: auto
pre_tasks:
- name: Copy Nginx Master Proxy config examples
copy:
src: etc/nginx-master-proxy/conf.d
dest: /etc/nginx/
mode: 0644
roles:
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]

123
playbooks/debops/nginx.yml Normal file
View File

@ -0,0 +1,123 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/nginx/defaults/main.html
- name: Manage nginx webserver
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/site.yml
- ./../../vars/php.yml
- ./../../vars/nginx.yml
vars:
nginx_acme: False
nginx_http_extra_options: |
client_max_body_size 100M;
nginx_real_ip_from: ['172.16.30.0/24']
nginx_default_keepalive_timeout: 65
# nginx_webroot_create: False
nginx_ocsp: False
nginx_worker_processes: auto
nginx_manage_ipv6only: False
nginx_default_name: 'welcome'
nginx_default_ssl_name: 'welcome'
# TODO: Replace [::]:443 to 443 and [::]:80 to 80 in site nginx config
nginx_server_localhost:
enabled: False
nginx_listen_port: [ '80' ]
nginx_listen_ssl_port: [ '443' ]
nginx__servers:
- name: '{{ domain_name }}'
type: php
root: '/var/www/{{ site_name }}'
public_dir_name: ''
include_files_begin: '{{ nginx_includes_begin }}'
options: 'set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;'
location_list:
- pattern: '/'
locations:
- pattern: '~ ^/.*-backend/'
options: |
try_files /index.html @october;
set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-backend.sock;
client_max_body_size 1000M;
options: try_files /index.html @october;
- pattern: '@october'
options: rewrite ^/.*$ /index.php last;
- pattern: '~* ^(?!/index).*\.php$'
options: return 403;
php_options: |
fastcgi_read_timeout 3000;
php_upstream: $upstream
#location ~ ^(?!.+\.php/)(?<script_name>.+\.php)$ {
php_location_script_name: ~ ^(?<script_name>/index\.php)
#location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
php_location_path_info: ~ ^(?<script_name>/index\.php)(?<path_info>/.*)?
pre_tasks:
- name: Set filtered includes
set_fact:
nginx_includes_begin: "{{ (nginx_includes_begin | default([])) | union([item]) }}"
when: item != omit
loop:
- "{{ (nginx_www_domain and nginx_www_redirect == 'www') | ternary('includes.d/www.conf', omit) }}"
- "{{ (nginx_www_domain and nginx_www_redirect == 'non-www') | ternary('includes.d/non-www.conf', omit) }}"
- includes.d/octobercms.conf
- includes.d/staticfiles.conf
- name: Copy OctoberCMS nginx conf includes and www redirect
copy:
src: etc/nginx/includes.d
dest: /etc/nginx/
mode: 0644
- name: Copy map config for www/non-www redirects
copy:
src: etc/nginx/conf.d/map_tld_domain.conf
dest: /etc/nginx/conf.d/
mode: 0644
post_tasks:
- name: Default index.html
template:
src: var/www/site_name/index.html.j2
dest: '/var/www/{{ site_name }}/index.html'
mode: 0644
owner: '{{ site_name }}'
- name: Copy normalized.css
template:
src: var/www/site_name/normalize.css
dest: '/var/www/{{ site_name }}/'
mode: 0644
owner: '{{ site_name }}'
roles:
# - role: keyring
# tags: [ 'role::keyring', 'skip::keyring', 'role::nginx' ]
# keyring__dependent_apt_keys:
# - '{{ nginx__keyring__dependent_apt_keys }}'
#
# - role: apt_preferences
# tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
# apt_preferences__dependent_list:
# - '{{ nginx__apt_preferences__dependent_list }}'
#
# - role: python
# tags: [ 'role::python', 'skip::python' ]
# python__dependent_packages3:
# - '{{ nginx__python__dependent_packages3 }}'
# python__dependent_packages2:
# - '{{ nginx__python__dependent_packages2 }}'
- role: nginx
tags: [ 'role::nginx', 'skip::nginx' ]

30
playbooks/debops/nodejs.yml Normal file
View File

@ -0,0 +1,30 @@
---
- name: Manage NodeJS environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
nodejs__node_upstream: True
nodejs__node_upstream_release: node_18.x
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::nodejs' ]
keyring__dependent_apt_keys:
- '{{ nodejs__keyring__dependent_apt_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ nodejs__apt_preferences__dependent_list }}'
- role: nodejs
tags: [ 'role::nodejs', 'skip::nodejs' ]

95
playbooks/debops/php-prod.yml Normal file
View File

@ -0,0 +1,95 @@
---
- name: Install and manage PHP environment
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
# Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__base_packages:
- unzip
- git
# mysql - это нужно только для WordPress
# mbstring требует только некоторые пакеты в laravel
# bcmath - нужно для работы парсера Excel файлов на одном из проектов
# Laravel/OctoberCMS: intl, redis
php__composer_upstream_enabled: '{{ True
if (ansible_distribution_release in
[ "buster" ])
else False }}'
php__php_included_packages: '{{ php__common_included_packages
+ [ "sysvsem", "sysvshm" ] }}'
php__fpm_pm: static
php__fpm_pm_max_children: 26
php__pools:
- name: backend
user: www-data
group: www-data
php_admin_values:
memory_limit: 256M
post_max_size: 800M
upload_max_filesize: 200M
max_execution_time: 600
pm: static
pm_max_children: 3
vars_files:
- ./../../vars/php.yml
pre_tasks:
- name: Apply keyring configuration for php environment
import_role:
name: 'keyring'
vars:
keyring__dependent_apt_keys:
- '{{ php__keyring__dependent_apt_keys }}'
tags: [ 'role::keyring', 'skip::keyring', 'role::php' ]
- name: Prepare php environment
import_role:
name: 'php'
tasks_from: 'main_env'
tags: [ 'role::php', 'role::php:env', 'role::logrotate' ]
roles:
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ php__apt_preferences__dependent_list }}'
- role: cron
tags: [ 'role::cron', 'skip::cron' ]
- role: logrotate
tags: [ 'role::logrotate', 'skip::logrotate' ]
logrotate__dependent_config:
- '{{ php__logrotate__dependent_config }}'
- role: apt_install
- role: php
tags: [ 'role::php', 'skip::php' ]

14
php.yml → playbooks/debops/php-wp.yml
View File

@ -10,16 +10,14 @@
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/php.yml
vars:
php__version_preference: [ 'php7.4' ]
php__sury: '{{ ansible_local.php.sury
|d(ansible_distribution_release in [ "buster" ]) | bool }}'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
repo: 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury|bool else "absent" }}'
# Key replaced due to security concerns
@ -27,8 +25,10 @@
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
'Debian': 'deb https://packages.sury.su/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__base_packages:
- unzip
- git

0
pki.yml → playbooks/debops/pki.yml
View File

91
playbooks/debops/redis.yml Normal file
View File

@ -0,0 +1,91 @@
---
- name: Manage Redis server
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
redis_server__auth_password:
redis_server__configuration:
- name: 'main'
options:
# - name: 'save'
# value: ''
# dynamic: True
- name: 'protected-mode'
value: 'no'
dynamic: False
- name: 'stop-writes-on-bgsave-error'
value: 'no'
dynamic: False
- name: 'save'
value:
- name: '900 1'
state: absent
- name: '300 10'
state: absent
- name: '60 10000'
state: absent
dynamic: False
pre_tasks:
- name: Prepare sysfs environment
import_role:
name: 'sysfs'
tasks_from: 'main_env'
tags: [ 'role::sysfs', 'role::secret' ]
- name: Prepare redis_server environment
import_role:
name: 'redis_server'
tasks_from: 'main_env'
tags: [ 'role::redis_server', 'role::ferm' ]
roles:
- role: secret
tags: [ 'role::secret', 'role::sysfs' ]
secret__directories:
- '{{ sysfs__secret__directories | d([]) }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ redis_server__apt_preferences__dependent_list }}'
- role: etc_services
tags: [ 'role::etc_services', 'skip::etc_services' ]
etc_services__dependent_list:
- '{{ redis_server__etc_services__dependent_list }}'
- role: sysctl
tags: [ 'role::sysctl', 'skip::sysctl' ]
sysctl__dependent_parameters:
- '{{ redis_server__sysctl__dependent_parameters }}'
- role: sysfs
tags: [ 'role::sysfs', 'skip::sysfs' ]
sysfs__dependent_attributes:
- '{{ redis_server__sysfs__dependent_attributes }}'
- role: python
tags: [ 'role::python', 'skip::python', 'role::redis_server' ]
python__dependent_packages3:
- '{{ redis_server__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ redis_server__python__dependent_packages2 }}'
- role: redis_server
tags: [ 'role::redis_server', 'skip::redis_server' ]

21
playbooks/debops/root_account.yml Normal file
View File

@ -0,0 +1,21 @@
---
- name: Manage root system account
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
root_account__enabled: True
root_account__password: False
root_account__dotfiles_enabled: True
root_account__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
roles:
- role: root_account
tags: [ 'role::root_account', 'skip::root_account' ]

30
playbooks/debops/sudo.yml Normal file
View File

@ -0,0 +1,30 @@
---
- name: Configure sudo service
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars_files:
- ./../../vars/sudo.yml
roles:
# - role: python
# tags: [ 'role::python', 'skip::python', 'role::ldap' ]
# python__dependent_packages3:
# - '{{ ldap__python__dependent_packages3 }}'
# python__dependent_packages2:
# - '{{ ldap__python__dependent_packages2 }}'
#
# - role: ldap
# tags: [ 'role::ldap', 'skip::ldap' ]
# ldap__dependent_tasks:
# - '{{ sudo__ldap__dependent_tasks }}'
- role: sudo
tags: [ 'role::sudo', 'skip::sudo' ]

34
playbooks/debops/system_users.yml Normal file
View File

@ -0,0 +1,34 @@
---
- name: Manage local users and groups
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
system_users__self: False
system_users__dotfiles_enabled: True
system_users__dotfiles_repo: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
vars_files:
- ./../../vars/system_users.yml
post_tasks:
- name: Change starship character to dollar sign
shell: |
sed -i 's/#/\\$/g' /home/{{ site_name }}/.config/starship.toml
args:
executable: /bin/bash
roles:
- role: libuser
tags: [ 'role::libuser', 'skip::libuser' ]
- role: system_users
tags: [ 'role::system_users', 'skip::system_users' ]

76
playbooks/debops/templates/var/www/site_name/index.html.j2 Normal file
View File

@ -0,0 +1,76 @@
{# Copyright (C) 2014-2017 Maciej Delmanowski <drybjed@drybjed.net>
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
# Copyright (C) 2014-2017 DebOps <https://debops.org/>
# SPDX-License-Identifier: GPL-3.0-only
#}
<!DOCTYPE html>
<html lang="en">
{% set nginx_tpl_domain = item.welcome_domain | d(item.name if (item.name is string) else item.name[0] | d(ansible_domain)) %}
{% if nginx_tpl_domain %}
{% set nginx_tpl_welcome_title = '<a href="' + item.welcome_url_scheme | d("https") + '://' + nginx_tpl_domain + '/">' + nginx_tpl_domain + '</a>' %}
{% else %}
{% set nginx_tpl_welcome_title = '<a href="http://companyname.website/">CompanyName.website</a>' %}
{% endif %}
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="referrer" content="no-referrer">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{{ nginx_tpl_domain | d("CompanyName.website") }}</title>
{% if item.welcome_css | d(True) | bool %}
<link rel="stylesheet" type="text/css" media="screen" href="normalize.css">
<style type="text/css" media="screen">
html {
font-size: 17px;
font-family: "Droid Sans Condensed", sans-serif;
}
@media (max-width: 900px) {
html { font-size: 15px; }
}
@media (max-width: 400px) {
html { font-size: 13px; }
}
#content {
margin: 0 auto;
width: 600px;
padding: 2rem;
text-align: center;
}
@media (max-width: 900px) {
#content {
width: 70%;
padding: 1.5rem;
}
}
h1 {
padding-bottom: 0.05em;
border-bottom: 2px solid #0092DF;
}
a {
text-decoration: none;
color: #0092DF;
}
</style>
{% endif %}
</head>
<body>
<div id="content">
<h2>{{ nginx_tpl_welcome_title }}</h2>
{% if nginx_tpl_domain %}
<p id="http-status"><strong>{{ item.welcome_status_choices | d([ '200 OK', "418 I'm a teapot" ]) | random }}</strong></p>
{% elif not nginx_tpl_domain %}
<p>If you're reading this, the web server was installed correctly.</p>
{% endif %}
</div>
</body>
</html>

427
playbooks/debops/templates/var/www/site_name/normalize.css vendored Normal file
View File

@ -0,0 +1,427 @@
/*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */
/* Copyright (C) 2015 Nicolas Gallagher <nicolasgallagher@gmail.com> */
/* Copyright (C) 2015 Jonathan Neal <jonathantneal@hotmail.com> */
/* SPDX-License-Identifier: MIT */
/**
* 1. Set default font family to sans-serif.
* 2. Prevent iOS and IE text size adjust after device orientation change,
* without disabling user zoom.
*/
html {
font-family: sans-serif; /* 1 */
-ms-text-size-adjust: 100%; /* 2 */
-webkit-text-size-adjust: 100%; /* 2 */
}
/**
* Remove default margin.
*/
body {
margin: 0;
}
/* HTML5 display definitions
========================================================================== */
/**
* Correct `block` display not defined for any HTML5 element in IE 8/9.
* Correct `block` display not defined for `details` or `summary` in IE 10/11
* and Firefox.
* Correct `block` display not defined for `main` in IE 11.
*/
article,
aside,
details,
figcaption,
figure,
footer,
header,
hgroup,
main,
menu,
nav,
section,
summary {
display: block;
}
/**
* 1. Correct `inline-block` display not defined in IE 8/9.
* 2. Normalize vertical alignment of `progress` in Chrome, Firefox, and Opera.
*/
audio,
canvas,
progress,
video {
display: inline-block; /* 1 */
vertical-align: baseline; /* 2 */
}
/**
* Prevent modern browsers from displaying `audio` without controls.
* Remove excess height in iOS 5 devices.
*/
audio:not([controls]) {
display: none;
height: 0;
}
/**
* Address `[hidden]` styling not present in IE 8/9/10.
* Hide the `template` element in IE 8/9/10/11, Safari, and Firefox < 22.
*/
[hidden],
template {
display: none;
}
/* Links
========================================================================== */
/**
* Remove the gray background color from active links in IE 10.
*/
a {
background-color: transparent;
}
/**
* Improve readability of focused elements when they are also in an
* active/hover state.
*/
a:active,
a:hover {
outline: 0;
}
/* Text-level semantics
========================================================================== */
/**
* Address styling not present in IE 8/9/10/11, Safari, and Chrome.
*/
abbr[title] {
border-bottom: 1px dotted;
}
/**
* Address style set to `bolder` in Firefox 4+, Safari, and Chrome.
*/
b,
strong {
font-weight: bold;
}
/**
* Address styling not present in Safari and Chrome.
*/
dfn {
font-style: italic;
}
/**
* Address variable `h1` font-size and margin within `section` and `article`
* contexts in Firefox 4+, Safari, and Chrome.
*/
h1 {
font-size: 2em;
margin: 0.67em 0;
}
/**
* Address styling not present in IE 8/9.
*/
mark {
background: #ff0;
color: #000;
}
/**
* Address inconsistent and variable font size in all browsers.
*/
small {
font-size: 80%;
}
/**
* Prevent `sub` and `sup` affecting `line-height` in all browsers.
*/
sub,
sup {
font-size: 75%;
line-height: 0;
position: relative;
vertical-align: baseline;
}
sup {
top: -0.5em;
}
sub {
bottom: -0.25em;
}
/* Embedded content
========================================================================== */
/**
* Remove border when inside `a` element in IE 8/9/10.
*/
img {
border: 0;
}
/**
* Correct overflow not hidden in IE 9/10/11.
*/
svg:not(:root) {
overflow: hidden;
}
/* Grouping content
========================================================================== */
/**
* Address margin not present in IE 8/9 and Safari.
*/
figure {
margin: 1em 40px;
}
/**
* Address differences between Firefox and other browsers.
*/
hr {
box-sizing: content-box;
height: 0;
}
/**
* Contain overflow in all browsers.
*/
pre {
overflow: auto;
}
/**
* Address odd `em`-unit font size rendering in all browsers.
*/
code,
kbd,
pre,
samp {
font-family: monospace, monospace;
font-size: 1em;
}
/* Forms
========================================================================== */
/**
* Known limitation: by default, Chrome and Safari on OS X allow very limited
* styling of `select`, unless a `border` property is set.
*/
/**
* 1. Correct color not being inherited.
* Known issue: affects color of disabled elements.
* 2. Correct font properties not being inherited.
* 3. Address margins set differently in Firefox 4+, Safari, and Chrome.
*/
button,
input,
optgroup,
select,
textarea {
color: inherit; /* 1 */
font: inherit; /* 2 */
margin: 0; /* 3 */
}
/**
* Address `overflow` set to `hidden` in IE 8/9/10/11.
*/
button {
overflow: visible;
}
/**
* Address inconsistent `text-transform` inheritance for `button` and `select`.
* All other form control elements do not inherit `text-transform` values.
* Correct `button` style inheritance in Firefox, IE 8/9/10/11, and Opera.
* Correct `select` style inheritance in Firefox.
*/
button,
select {
text-transform: none;
}
/**
* 1. Avoid the WebKit bug in Android 4.0.* where (2) destroys native `audio`
* and `video` controls.
* 2. Correct inability to style clickable `input` types in iOS.
* 3. Improve usability and consistency of cursor style between image-type
* `input` and others.
*/
button,
html input[type="button"], /* 1 */
input[type="reset"],
input[type="submit"] {
-webkit-appearance: button; /* 2 */
cursor: pointer; /* 3 */
}
/**
* Re-set default cursor for disabled elements.
*/
button[disabled],
html input[disabled] {
cursor: default;
}
/**
* Remove inner padding and border in Firefox 4+.
*/
button::-moz-focus-inner,
input::-moz-focus-inner {
border: 0;
padding: 0;
}
/**
* Address Firefox 4+ setting `line-height` on `input` using `!important` in
* the UA stylesheet.
*/
input {
line-height: normal;
}
/**
* It's recommended that you don't attempt to style these elements.
* Firefox's implementation doesn't respect box-sizing, padding, or width.
*
* 1. Address box sizing set to `content-box` in IE 8/9/10.
* 2. Remove excess padding in IE 8/9/10.
*/
input[type="checkbox"],
input[type="radio"] {
box-sizing: border-box; /* 1 */
padding: 0; /* 2 */
}
/**
* Fix the cursor style for Chrome's increment/decrement buttons. For certain
* `font-size` values of the `input`, it causes the cursor style of the
* decrement button to change from `default` to `text`.
*/
input[type="number"]::-webkit-inner-spin-button,
input[type="number"]::-webkit-outer-spin-button {
height: auto;
}
/**
* 1. Address `appearance` set to `searchfield` in Safari and Chrome.
* 2. Address `box-sizing` set to `border-box` in Safari and Chrome.
*/
input[type="search"] {
-webkit-appearance: textfield; /* 1 */
box-sizing: content-box; /* 2 */
}
/**
* Remove inner padding and search cancel button in Safari and Chrome on OS X.
* Safari (but not Chrome) clips the cancel button when the search input has
* padding (and `textfield` appearance).
*/
input[type="search"]::-webkit-search-cancel-button,
input[type="search"]::-webkit-search-decoration {
-webkit-appearance: none;
}
/**
* Define consistent border, margin, and padding.
*/
fieldset {
border: 1px solid #c0c0c0;
margin: 0 2px;
padding: 0.35em 0.625em 0.75em;
}
/**
* 1. Correct `color` not being inherited in IE 8/9/10/11.
* 2. Remove padding so people aren't caught out if they zero out fieldsets.
*/
legend {
border: 0; /* 1 */
padding: 0; /* 2 */
}
/**
* Remove default vertical scrollbar in IE 8/9/10/11.
*/
textarea {
overflow: auto;
}
/**
* Don't inherit the `font-weight` (applied by a rule above).
* NOTE: the default cannot safely be changed in Chrome and Safari on OS X.
*/
optgroup {
font-weight: bold;
}
/* Tables
========================================================================== */
/**
* Remove most spacing between table cells.
*/
table {
border-collapse: collapse;
border-spacing: 0;
}
td,
th {
padding: 0;
}

19
playbooks/debops/tzdata.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Manage time zone configuration
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
tzdata__timezone: Europe/Moscow
roles:
- role: tzdata
tags: [ 'role::tzdata', 'skip::tzdata' ]

72
playbooks/debops/yadm.yml Normal file
View File

@ -0,0 +1,72 @@
---
- name: Configure yadm, Yet Another Dotfiles Manager
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
vars:
yadm__enabled: True
yadm__dotfiles_enabled: True
yadm__upstream_enabled: True
yadm__upstream_version: '2.5.0'
# That be used in yadm.fact.j2 - python script for resolving ansible.local.yadm.dotfile git repo
yadm__dotfiles_host: vcs.wpstudio.ru
yadm__dotfiles_owner: gitea
yadm__default_dotfiles:
- name: 'gitea'
git: 'https://vcs.wpstudio.ru/gitea/dotfiles.git'
yadm__packages:
- curl
- git
- ncdu
- fontconfig
- vim
- direnv
post_tasks:
- name: Starship
shell: |
curl -sS https://starship.rs/install.sh | sh -s -- -f
- name: Nerd Font
shell: |
download_font () {
url="https://raw.githubusercontent.com/ryanoasis/nerd-fonts/master/patched-fonts/SourceCodePro/Regular/complete/${1// /%20}"
path="/usr/share/fonts/$1"
curl -s -o "$path" "$url"
}
install_fonts () {
download_font "Sauce Code Pro Nerd Font Complete.ttf"
fc-cache -fv > /dev/null
}
install_fonts
args:
executable: /bin/bash
- name: Xsel for working clipboard copy with X11 forwarding (use SSH -Y)
shell: apt install -yy xsel
roles:
- role: keyring
tags: [ 'role::keyring', 'skip::keyring', 'role::yadm' ]
keyring__dependent_gpg_keys:
- '{{ yadm__keyring__dependent_gpg_keys }}'
- role: apt_preferences
tags: [ 'role::apt_preferences', 'skip::apt_preferences' ]
apt_preferences__dependent_list:
- '{{ yadm__apt_preferences__dependent_list }}'
- role: yadm
tags: [ 'role::yadm', 'skip::yadm' ]

8
playbooks/dhcp.yml Normal file
View File

@ -0,0 +1,8 @@
---
- import_playbook: root-account.yml
- import_playbook: debops/dnsmasq.yml
- import_playbook: own/correct-paths-for-pct-enter.yml
# Import all other group playbooks in this file...
...

7
playbooks/nginx-only.yml Normal file
View File

@ -0,0 +1,7 @@
---
- import_playbook: own/allow-releaseinfo-change.yml
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
- import_playbook: debops/nginx.yml

18
playbooks/nginx-site-without-db-site.yml Normal file
View File

@ -0,0 +1,18 @@
---
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
- import_playbook: debops/php-prod.yml
- import_playbook: debops/nginx.yml
- import_playbook: debops/redis.yml
- import_playbook: own/var-www-set-ownerships.yml
- import_playbook: own/node-version-manager.yml
become: true
become_user: '{{ site_name }}'
- import_playbook: own/nginx-auth.yml
- import_playbook: own/correct-paths-for-pct-enter.yml
# Import all other group playbooks in this file...
...

28
playbooks/nginx-site.yml Normal file
View File

@ -0,0 +1,28 @@
---
# https://docs.debops.org/en/stable-3.2/ansible/roles/apt/getting-started.html#example-playbook
- import_playbook: debops/apt.yml
- import_playbook: root-account.yml
- import_playbook: debops/pki.yml
- import_playbook: debops/system_users.yml
- import_playbook: debops/mariadb_server.yml
- import_playbook: debops/mariadb-custom-db.yml
- import_playbook: debops/php-prod.yml
- import_playbook: own/libgd3-fix-for-php8.yml
when: php_version is defined and php_version != '7.4'
- import_playbook: debops/nginx.yml
- import_playbook: debops/redis.yml
- import_playbook: own/var-www-set-ownerships.yml
- import_playbook: own/node-version-manager.yml
become: true
become_user: '{{ site_name }}'
- import_playbook: own/nginx-auth.yml
- import_playbook: own/phpmyadmin.yml
- import_playbook: own/phpmyadmin-nginx-auth.yml
- import_playbook: own/php-composer.yml
#- import_playbook: own/correct-paths-for-pct-enter.yml
# Import all other group playbooks in this file...
# TODO: удалить [::]: из конфигов. Определится с дефолтным конфигом. В конфиге pma.conf что-то не так с портами после получения сертификатов.
# TODO: Перенести маппинг host tld для non-www в conf.d
...

6
playbooks/own/allow-releaseinfo-change.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Resolve error for debian10 buster versions an apt update procedures
hosts: [ 'debian10' ]
tasks:
- name: Allow release info changed
shell: apt --allow-releaseinfo-change update

6
playbooks/own/apt-update.yml Normal file
View File

@ -0,0 +1,6 @@
---
- name: Update system packages
hosts: [ 'debian10' ]
tasks:
- name: apt update
shell: apt update && apt upgrade -y

14
playbooks/own/correct-paths-for-pct-enter.yml Normal file
View File

@ -0,0 +1,14 @@
---
- name: Nerest bash PATH var with set true paths after pct enter into lxc container from proxmox host
hosts: [ 'debian10' ]
# TODO: Tmux create session not worked in pct enter - only work tmux attach (so..)
tasks:
- name: Append .shell-env
ansible.builtin.lineinfile:
path: '/root/.shell-env'
line: |-
##
## Correct PATH for tmux enter
##
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

19
playbooks/own/libgd3-fix-for-php8.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Solve problem with libgd3 for php-gd
hosts: [ 'debian10' ]
vars_files:
- ./../../vars/php.yml
tasks:
- name: Set pin for libgd3 package
copy:
dest: '/etc/apt/preferences.d/libgd-pin100'
content: |-
Package: libgd3
Pin-Priority: 100
- name: Update apt cache policy and install libgd
shell: |-
apt update
apt install -t bullseye libgd3 -yy
apt-cache policy libgd3
apt install php{{ php_version }}-gd -yy

10
playbooks/own/locales.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: Configure Locales
hosts: [ 'debian10' ]
tasks:
- name: Setup EN & RU UTF-8 locales
shell: |
apt install -y locales && \
sed -i 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
sed -i 's/# ru_RU.UTF-8 UTF-8/ru_RU.UTF-8 UTF-8/' /etc/locale.gen && \
locale-gen

8
playbooks/own/lookup-password-test.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Configure Locales
hosts: [ 'debian10' ]
tasks:
- name: Set ownerships to /var/www dir
set_fact:
mariadb__server: '{{ lookup("password", "secret/vam-teplee-2023/testpass " + "length=15") }}'

19
playbooks/own/nginx-auth.yml Normal file
View File

@ -0,0 +1,19 @@
---
- name: Setup nginx auth scaffolding dirs
hosts: [ 'debian10' ]
tasks:
- shell: |-
cd /etc/nginx
mkdir -p auth.d passwords.d
- copy:
dest: '/etc/nginx/auth.d/grant-access-certbot.conf'
content: |-
set $auth_basic Restricted;
if ($request_uri ~* "well-known") {
set $auth_basic off;
}
auth_basic $auth_basic;

7
playbooks/own/node-version-manager.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Installing node version manager
hosts: [ 'debian10' ]
tasks:
- name: Install nvm
shell: 'wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash'

23
playbooks/own/php-composer.yml Normal file
View File

@ -0,0 +1,23 @@
---
- name: Install PHP Composer
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
tasks:
- name: Download and install composer
when: (php_version is defined)
shell: |-
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === 'dac665fdc30fdd8ec78b38b9800061b4150413ff2e3b6f88543c636f7cd84f6db9189d43a81e5503cda447da73c7e5b6') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php
php -r "unlink('composer-setup.php');"
mv composer.phar /usr/local/bin/composer
- name: Download and install composer
when: (php_version is defined and php_version == '7.4')
shell: |-
composer self-update 1.10.27

26
playbooks/own/phpmyadmin-apache-auth.yml Normal file
View File

@ -0,0 +1,26 @@
---
- name: Create phpmyadmin apache auth passwords file
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
tasks:
- name: Import DebOps secret role
ansible.builtin.import_role:
name: 'secret'
- shell: |-
cd /etc/apache2
mkdir -p passwords.d
- name: 'Adding pma apache auth passwords files'
shell: |-
echo "pma:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/apache2/passwords.d/pma.passwords
- name: 'Change require all granted rule, because debops not present appropriate functional'
shell: |-
sed -i "s|Require all granted|Require valid-user|g" /etc/apache2/sites-available/pma.conf
- name: 'Restarting apache'
shell: |-
systemctl restart apache2

62
playbooks/own/phpmyadmin-nginx-auth.yml Normal file
View File

@ -0,0 +1,62 @@
---
- name: Install PhpMyAdmin
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
vars_files:
- ./../../vars/nginx.yml
- ./../../vars/php.yml
tasks:
- name: Import DebOps secret role
ansible.builtin.import_role:
name: 'secret'
- name: 'Adding pma nginx config'
copy:
dest: '/etc/nginx/sites-available/pma.conf'
content: |-
server {
listen 80;
listen 443 ssl;
ssl_certificate /etc/pki/realms/domain/default.crt;
ssl_certificate_key /etc/pki/realms/domain/default.key;
server_name pma.{{ domain_name }};
root /var/www/phpmyadmin;
index index.php;
include auth.d/pma-auth.conf;
location / {
try_files $uri $uri/ /index.php?$args;
}
set $upstream unix:/run/{{ php__version_preference[0] }}-fpm-www-data.sock;
location ~ \.php$ {
fastcgi_pass $upstream;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SERVER_NAME $host;
}
}
- name: 'Adding pma nginx auth config'
copy:
dest: '/etc/nginx/auth.d/pma-auth.conf'
content: |-
include auth.d/grant-access-certbot.conf;
auth_basic_user_file passwords.d/pma.passwords;
- name: 'Adding pma nginx auth passwords files'
shell: |-
echo "pma:$(openssl passwd -apr1 {{ lookup("password", secret + "/basic/" + site_name + "/pma " + "length=30")}} )" > /etc/nginx/passwords.d/pma.passwords
- name: 'Turning on pma web site nginx config'
shell: |-
cd /etc/nginx/sites-enabled
ln -s ../sites-available/pma.conf ./
- name: 'Restarting nginx'
shell: |-
nginx -t && systemctl restart nginx

41
playbooks/own/phpmyadmin.yml Normal file
View File

@ -0,0 +1,41 @@
---
- name: Install PhpMyAdmin
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
vars:
- phpmyadmin_version: 5.2.1
# https://docs.ansible.com/ansible/latest/collections/community/general/random_string_lookup.html#keyword-parameters
- blowfish_secret: "{{ lookup('community.general.random_string', length=32) }}"
tasks:
- name: 'Download phpMyAdmin {{ phpmyadmin_version }} into var/www dir and uncompress'
become: true
become_user: '{{ site_name }}'
shell: |-
cd /var/www
rm -rf phpmyadmin
wget -q https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
unzip -qq phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
rm phpMyAdmin-{{ phpmyadmin_version }}-all-languages.zip
mv phpMyAdmin-{{ phpmyadmin_version }}-all-languages phpmyadmin
cd phpmyadmin
cp config.sample.inc.php config.inc.php
mkdir tmp && sudo chown :33 tmp && chmod g+w tmp
- name: 'Set cookie blowfish secret'
# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/replace_module.html
replace:
path: /var/www/phpmyadmin/config.inc.php
regexp: "'blowfish_secret'] = ''"
replace: "'blowfish_secret'] = '{{ blowfish_secret | replace('\'', '\\\'') }}'\n\n$cfg['CookieSameSite'] = 'Lax';\n"
- name: 'Set MaxTableList'
replace:
path: /var/www/phpmyadmin/config.inc.php
regexp: "^//$cfg['MaxRows'](.*)"
replace: "//$cfg['MaxRows']\1\n\n$cfg['MaxTableList'] = 500;\n"

7
playbooks/own/var-www-set-ownerships.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Configure Locales
hosts: [ 'debian10' ]
tasks:
- name: Set ownerships to /var/www dir
shell: 'chown -R {{ site_name }}:{{ site_name }} /var/www'

15
playbooks/own/wp-cli.yml Normal file
View File

@ -0,0 +1,15 @@
---
- name: Install WP-CLI
collections: [ 'debops.debops', 'debops.roles01',
'debops.roles02', 'debops.roles03' ]
hosts: [ 'debian10' ]
tasks:
- name: Download and install wp-cli
shell: |-
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
chmod +x wp-cli.phar
mv wp-cli.phar /usr/local/bin/wp

9
playbooks/own/yadm-update.yml Normal file
View File

@ -0,0 +1,9 @@
---
- hosts: ['debian10']
tasks:
- name: Update existing YADM install with remote ip-address plugin and replace own
shell: |
yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
rm -rf .tmux/plugins/tmux-ip-address
yadm pull
yadm checkout .

40
playbooks/own/yadm.yml Normal file
View File

@ -0,0 +1,40 @@
---
- hosts: [ 'debian10' ]
tasks:
- name: Install direnv
become_user: root
shell: |
command -v direnv > /dev/null || {
curl -sfLo /usr/local/bin/direnv https://github.com/direnv/direnv/releases/download/v2.35.0/direnv.linux-amd64 && \
chmod a+x /usr/local/bin/direnv
}
- name: Install Starship
become_user: root
shell: |
command -v starship> /dev/null || {
curl -sS https://starship.rs/install.sh | sh -s -- -f
}
- name: Install with init or update yadm
become_user: root
shell: |
command -v yadm && {
yadm remote set-url origin https://vcs.wpstudio.ru/gitea/dotfiles.git
rm -rf .tmux/plugins/tmux-ip-address
yadm pull && yadm checkout .
} || {
curl -sfLo /usr/local/bin/yadm https://github.com/TheLocehiliosan/yadm/raw/master/yadm && chmod a+x /usr/local/bin/yadm
yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .
}
# For manual change: sed -i 's/#/\\$/g' ${HOME}/.config/starship.toml
- name: 'Change character for non-root user'
become_user: root
shell: |
HOME_USER=$(ls /home)
test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'yadm clone --bootstrap https://vcs.wpstudio.ru/gitea/dotfiles.git && yadm checkout .'
test ! -z "${HOME_USER}" && su --login ${HOME_USER} -c 'sed -i "s/#/\\$/g" ${HOME}/.config/starship.toml'
exit 0
args:
executable: /bin/bash

11
playbooks/root-account.yml Normal file
View File

@ -0,0 +1,11 @@
---
- import_playbook: own/locales.yml
- import_playbook: debops/apt.yml
- import_playbook: debops/tzdata.yml
#- import_playbook: own/allow-releaseinfo-change.yml# Need only for debian10
- import_playbook: debops/yadm.yml
- import_playbook: debops/root_account.yml
- name: Adding site_name project user to sudoers
import_playbook: debops/sudo.yml
when: 'runner != "normal"'

2
playbooks/yadm.yml Normal file
View File

@ -0,0 +1,2 @@
---
- import_playbook: own/yadm.yml

4
requirements.yml
View File

@ -3,4 +3,6 @@
collections:
- name: nginxinc.nginx_core
version: 0.8.0
- name: debops.debops
- name: https://github.com/debops/debops.git
type: git
version: d554096b5cb02f4c37f68d80d9103105dd5de34b

6
roles/common/tasks/main.yml
View File

@ -11,4 +11,8 @@
# Add further tasks for the common role (applied to all servers) to this playbook...
...
- name: Install gnupg
shell: >-
apt-get update &&
apt-get install --no-install-recommends --no-install-suggests -y gnupg1 gnupg2 gnupg ca-certificates

8
roles/locales/tasks/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: Setup EN & RU UTF-8 locales
shell: |
apt install -y locales && \
sed -i 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
sed -i 's/# ru_RU.UTF-8 UTF-8/ru_RU.UTF-8 UTF-8/' /etc/locale.gen && \
locale-gen

15
roles/nginx/files/nginx.systemd Normal file
View File

@ -0,0 +1,15 @@
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
[Install]
WantedBy=multi-user.target

4
roles/release-changed/tasks/main.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: Allow release info changed
shell: apt --allow-releaseinfo-change update

58
run-lxc-playbook.sh Executable file
View File

@ -0,0 +1,58 @@
#!/bin/bash
source $1
usage() {
echo "Usage: run-lxc-playbook.sh path/to/env"
}
if [[ -z "$SERVER" ]]; then
echo "You must defined SERVER"
usage
exit 1
fi
if [[ -z "$LXC_HOST" ]]; then
echo "You must defined LXC_HOST"
usage
exit 1
fi
if [[ -z "$PLAYBOOK" ]]; then
echo "You must defined PLAYBOOK"
usage
exit 1
fi
PLAYBOOK_FILEPATH="playbooks/$PLAYBOOK.yml"
if [[ ! -f "$PLAYBOOK_FILEPATH" ]]; then
echo "Playbook file is not exists: $PLAYBOOK_FILEPATH"
usage
exit 1
fi
if [[ -z "$SITE_NAME" ]]; then
echo "You must defined SITE_NAME"
usage
exit 1
fi
if [[ -z "$DOMAIN_NAME" ]]; then
echo "You must defined DOMAIN_NAME"
usage
exit 1
fi
if [[ -z "$DATABASE_NAME" ]]; then
echo "You must defined DATABASE_NAME"
usage
exit 1
fi
ansible-playbook \
-e "lxc_host=$LXC_HOST" \
-e "site_name=$SITE_NAME" \
-e "domain_name=$DOMAIN_NAME" \
-e "database_name=$DATABASE_NAME" \
-e "runner=lxc" \
--ssh-common-args="-o ProxyCommand='ssh -W %h:%p -q root@$SERVER'" \
$PLAYBOOK_FILEPATH

64
run-playbook.sh Executable file
View File

@ -0,0 +1,64 @@
#!/bin/bash
SSH_PORT=22
args=("$@")
# Обработка опций
for ((i=0; i<$#; i++)); do
if [ "${args[$i]}" == "-p" ]; then
SSH_PORT=${args[$i+1]}
unset 'args[i]'
unset 'args[i+1]'
fi
if [ "${args[$i]}" == "-f" ]; then
FORCE=1
unset 'args[i]'
fi
done
args=("${args[@]}")
SERVER=${args[0]}
PLAYBOOK=${args[1]}
USER=${args[2]}
usage() {
echo "Usage: run-vps-playbook.sh server playbook [user]"
echo "server - domain or ip address of the vps server"
echo "playbook - playbook file"
echo "[user] - if choose the use it, otherwise used root"
}
if [[ -z "$SERVER" ]]; then
echo "You must defined SERVER as first argument"
usage
exit 1
fi
if [[ -z "$PLAYBOOK" ]]; then
echo "You must defined PLAYBOOK as second argument"
usage
exit 1
fi
if [[ -z "$USER" ]]; then
USER=root
fi
COMMAND=$(cat <<EOF
ansible-playbook -e "lxc_host=${SERVER}" -e "runner=normal" -e "ansible_user=${USER}" --ssh-common-args="-p $SSH_PORT"
EOF
)
COMMAND="${COMMAND} ${PLAYBOOK}"
if [[ -z "$FORCE" ]]; then
printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
read -p "Are you sure? " -n 1 -r
echo # (optional) move to a new line
if [[ $REPLY =~ ^[Yyн]$ ]]
then
/bin/bash -c "${COMMAND}"
fi
else
/bin/bash -c "${COMMAND}"
fi

69
run-site-playbook.sh Executable file
View File

@ -0,0 +1,69 @@
#!/bin/bash
SERVER=$1
PLAYBOOK=$2
SITE_NAME=$3
DOMAIN_NAME=$4
while [[ "$#" -gt 0 ]]; do
case $1 in
-f|--force) force=1; shift ;;
esac
shift
done
usage() {
echo "Usage: run-vps-playbook.sh server playbook site_name domain_name"
echo "server - domain or ip address of the vps server"
echo "playbook - playbook file"
echo "site_name - site name, e.g. intermetiz - that is a project name used for create home directory and www directory, and database dump base file name"
echo "domain_name - domain name, e.g. intermetiz.ru"
}
if [[ -z "$SERVER" ]]; then
echo "You must defined SERVER as first argument"
usage
exit 1
fi
if [[ -z "$PLAYBOOK" ]]; then
echo "You must defined PLAYBOOK as second argument"
usage
exit 1
fi
if [[ ! -f "$PLAYBOOK" ]]; then
echo "Playbook file is not exists: $PLAYBOOK"
usage
exit 1
fi
if [[ -z "$SITE_NAME" ]]; then
echo "You must defined SITE_NAME as third argument"
usage
exit 1
fi
if [[ -z "$DOMAIN_NAME" ]]; then
echo "You must defined DOMAIN_NAME as fourth argument"
usage
exit 1
fi
COMMAND=$(cat <<EOF
ansible-playbook -e "lxc_host=${SERVER}" -e "initial_site_name=${SITE_NAME}" -e "domain_name=${DOMAIN_NAME}" -e runner=site
EOF
)
COMMAND="${COMMAND} ${PLAYBOOK}"
if [[ -z "$force" ]]; then
printf 'Launch ansible playbook:\n%s\n' "${COMMAND}"
read -p "Are you sure? " -n 1 -r
echo # (optional) move to a new line
if [[ $REPLY =~ ^[Yyн]$ ]]
then
/bin/bash -c "${COMMAND}"
fi
else
/bin/bash -c "${COMMAND}"
fi

10
site.yml
View File

@ -1,10 +0,0 @@
---
- import_playbook: pki.yml
- import_playbook: mariadb_server.yml
- import_playbook: mariadb.yml
- import_playbook: php.yml
- import_playbook: apache.yml
# Import all other group playbooks in this file...
...

2
vars/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
*
!*-example.yml

8
vars/apache-example.yml Normal file
View File

@ -0,0 +1,8 @@
apache__dependent_vhosts:
- name: 'pma.{{ apache__default_vhost_name[0] }}'
filename: 'pma'
root: '/var/www/phpmyadmin'
root_directives: |-
AuthType Basic
AuthName "Authorization"
AuthUserFile passwords.d/pma.passwords

11
vars/databases-example.yml Normal file
View File

@ -0,0 +1,11 @@
# https://docs.debops.org/en/stable-3.2/ansible/roles/mariadb/defaults-detailed.html#mariadb-users
mariadb__databases:
- name: '{{ site_name }}'
source: '{{ inventory_dir }}//data/db-dumps/{{ site_name }}.sql.bz2'
target: '/tmp/{{ site_name }}.sql.bz2'
mariadb__users:
- name: '{{ site_name }}'
host: 'localhost'
database: '{{ site_name }}%'

2
vars/nginx-example.yml Normal file
View File

@ -0,0 +1,2 @@
nginx_www_domain: '{{ has_www_domain }}'
nginx_www_redirect: '{{ www_domain_is_primary | ternary("www", "non-www") }}'

7
vars/php-example.yml Normal file
View File

@ -0,0 +1,7 @@
php__version_preference: [ 'php7.4']
php__sury: true
php__packages: [ 'curl', 'xml', 'gd', 'zip', 'mbstring', 'mysql', 'bcmath', 'intl', 'redis' ]
#php__version_preference: [ 'php8.1' ]
#php__sury: true
#php__packages: [ 'curl', 'xml', 'zip', 'mbstring', 'mysql', 'bcmath', 'intl', 'redis' ]

2
vars/site-example.yml Normal file
View File

@ -0,0 +1,2 @@
has_www_domain: True
www_domain_is_primary: False

4
vars/sudo-example.yml Normal file
View File

@ -0,0 +1,4 @@
sudo__sudoers:
- name: '{{ site_name }}-nopasswd'
raw: |
{{ site_name }} ALL=(ALL) NOPASSWD: ALL

5
vars/system_users-example.yml Normal file
View File

@ -0,0 +1,5 @@
system_users__accounts:
- name: '{{ site_name }}'
group: '{{ site_name }}'
admin: True
shell: '/bin/bash'