authorGravatar Jonas Gunz <himself@jonasgunz.de> 2021-09-02 01:02:31 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2021-09-02 01:02:31 +0200
commit2e3a53d879ef17f2e4afcce9e6b7f121ab25c571 (patch)
tree6f75bcb2af9dcc5c975ffa0d3438023ad8abf8ca
parenta024ad57e94976f7541bdd352e2d0a364c2aa5fb (diff)
add apache role
-rw-r--r--roles/apache/defaults/main.yml17
-rw-r--r--roles/apache/files/000-default-ssl.conf11
-rw-r--r--roles/apache/files/000-default.conf9
-rw-r--r--roles/apache/handlers/main.yml20
-rw-r--r--roles/apache/tasks/main.yml152
-rw-r--r--roles/apache/templates/fpm-pool.conf.j215
-rw-r--r--roles/apache/templates/php-fpm.conf.j21
-rw-r--r--roles/apache/templates/proxy.conf.j224
-rw-r--r--roles/apache/templates/ssl.conf.j217
-rw-r--r--roles/apache/templates/vhost.conf.j227
-rw-r--r--roles/apache/templates/vhost_nophp.conf.j221
11 files changed, 314 insertions, 0 deletions
diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml
new file mode 100644
index 0000000..9a5bd51
--- /dev/null
+++ b/roles/apache/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+php_versions: []
+
+php_extensions: []
+
+# Removing will NOT remove the module
+apache_mods: []
+
+apache_rproxies: {}
+
+# Hosts WITH PHP, run as seperate user
+apache_vhosts: {}
+
+apache_nophp_vhosts: {}
+
+apache_ssl_cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+apache_ssl_key: '/etc/ssl/private/ssl-cert-snakeoil.key'
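Review bot: The map-valued defaults `apache_vhosts`, `apache_nophp_vhosts` and `apache_rproxies` give no hint of the per-entry keys the templates in this commit require, so a missing `hostname`, `relative_root` or `php_version` only surfaces as a Jinja undefined-variable error at run time. A comment above each map listing the keys the templates read would make the role usable without opening them: for `apache_vhosts` that is `hostname`, `relative_root`, `php_version` plus optional `fpm.max_children`/`start_servers`/`min_spare_servers`/`max_spare_servers`, `apache_custom_conf` and `php_custom_conf`; for `apache_nophp_vhosts` `hostname` and `relative_root` plus optional `apache_custom_conf`; for `apache_rproxies` `hostname` and `proxy` plus optional `ssl` and `apache_custom_conf`. `apache_ssl_cert`/`apache_ssl_key` default to the self-signed snakeoil pair, which deserves a one-line comment such as `# Placeholder self-signed pair; override per host before exposing a site` so nobody ships it unchanged. The comment on `apache_vhosts` also misspells separate: `# Hosts WITH PHP, run as separate user`.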
diff --git a/roles/apache/files/000-default-ssl.conf b/roles/apache/files/000-default-ssl.conf
new file mode 100644
index 0000000..dcf8b8b
--- /dev/null
+++ b/roles/apache/files/000-default-ssl.conf
@@ -0,0 +1,11 @@
+<IfModule mod_ssl.c>
+ <VirtualHost _default_:443>
+ ServerAdmin webmaster@localhost
+
+ Redirect 404 /
+
+ Include ssl.conf
+ </VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/apache/files/000-default.conf b/roles/apache/files/000-default.conf
new file mode 100644
index 0000000..922eb96
--- /dev/null
+++ b/roles/apache/files/000-default.conf
@@ -0,0 +1,9 @@
+<VirtualHost *:80>
+ ServerAdmin webmaster@localhost
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !=on
+ RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+</VirtualHost>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
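Review bot: The HTTP-to-HTTPS redirect depends on mod_rewrite, but the role enables only the modules listed in `apache_mods`, which defaults to an empty list, so on a host where `rewrite` has not been enabled apache2 refuses to reload with an unknown `RewriteEngine` directive and the `Reload apache` handler fails. Either document in `defaults/main.yml` that `rewrite` belongs in `apache_mods` or guard the block with `<IfModule mod_rewrite.c>` so the default site still loads. Unless a temporary redirect is intended, `RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]` lets clients cache the redirect instead of the default 302.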
diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml
new file mode 100644
index 0000000..3cbcfcc
--- /dev/null
+++ b/roles/apache/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Restart apache
+ systemd:
+ name: apache2.service
+ state: restarted
+ become: yes
+
+- name: Reload apache
+ systemd:
+ name: apache2.service
+ state: reloaded
+ become: yes
+
+- name: Restart fpm
+ systemd:
+ name: '{{ item }}-fpm'
+ state: restarted
+ enabled: yes
+ become: yes
+ loop: '{{ php_versions }}'
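Review bot: `become: yes` and `enabled: yes` use YAML 1.1 truthy spellings that yamllint's `truthy` rule rejects and that YAML 1.2 parsers read as plain strings; `become: true` / `enabled: true` is the canonical Ansible form. The same spellings recur throughout `roles/apache/tasks/main.yml` (`become: yes`, `update_cache: yes`, `ignore_errors: yes`, `follow: no`, `system: yes`). The `Restart fpm` handler also sets `enabled: yes`, which quietly enables the unit at boot as a side effect of a restart; if that is intended, a comment such as `# enabling here so a freshly installed fpm version survives a reboot` would explain it, otherwise enabling belongs in a task.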
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
new file mode 100644
index 0000000..9e7e904
--- /dev/null
+++ b/roles/apache/tasks/main.yml
@@ -0,0 +1,152 @@
+---
+- name: Install SURY.ORG package signing key
+ get_url:
+ url: https://packages.sury.org/php/apt.gpg
+ dest: /etc/apt/trusted.gpg.d/sury.gpg
+ become: yes
+
+- name: Install SURY.ORG php package repository
+ copy:
+ dest: /etc/apt/sources.list.d/sury.list
+ content: 'deb https://packages.sury.org/php/ {{ ansible_facts.distribution_release }} main'
+ become: yes
+
+- name: Install general packages
+ apt:
+ name: '{{ ["apache2", "libapache2-mpm-itk"] + php_versions }}'
+ update_cache: yes
+ become: yes
+
+- name: Install extensions
+ apt:
+ name: '{{ php_versions | product(php_extensions) | map("join", "-") }}'
+ become: yes
+
+# ignore errors bc apache2_module checks fails for errors in config (why???)
+- name: Enable apache2 modules
+ community.general.apache2_module:
+ name: '{{ item }}'
+ state: present
+ loop: '{{ apache_mods }}'
+ ignore_errors: yes
+ become: yes
+ notify: Restart apache
+
+- name: Check for changed cert
+ command: /bin/true
+ when:
+ - cert_changed
+ notify:
+ - Restart apache
+
+- name: Check for php module
+ find:
+ paths: '/etc/apache2/mods-enabled/'
+ patterns: 'php*'
+ file_type: any
+ become: yes
+ register: a2_mod_php
+
+- name: Disable apache2 mod php
+ file:
+ path: '{{ item.path }}'
+ follow: no
+ state: absent
+ become: yes
+ loop: '{{ a2_mod_php.files }}'
+ notify: Restart apache
+
+- name: Install SSL config
+ template:
+ src: ssl.conf.j2
+ dest: /etc/apache2/ssl.conf
+ become: yes
+ notify: Restart apache
+
+- name: Remove default-ssl
+ file:
+ path: '/etc/apache2/{{ item }}/default-ssl.conf'
+ follow: no
+ state: absent
+ become: yes
+ loop:
+ - sites-available
+ - sites-enabled
+ notify: Reload apache
+
+- name: Install default sites
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/apache2/sites-available/{{ item }}'
+ become: yes
+ loop:
+ - 000-default-ssl.conf
+ - 000-default.conf
+ notify: Reload apache
+
+- name: Install vhost configs
+ template:
+ src: vhost.conf.j2
+ dest: '/etc/apache2/sites-available/{{ item.key }}.conf'
+ with_dict: '{{ apache_vhosts }}'
+ become: yes
+ notify: Reload apache
+
+- name: Install noPHP vhost configs
+ template:
+ src: vhost_nophp.conf.j2
+ dest: '/etc/apache2/sites-available/{{ item.key }}.conf'
+ with_dict: '{{ apache_nophp_vhosts }}'
+ become: yes
+ notify: Reload apache
+
+- name: Install proxy configs
+ template:
+ src: proxy.conf.j2
+ dest: '/etc/apache2/sites-available/{{ item.key }}.conf'
+ with_dict: '{{ apache_rproxies }}'
+ become: yes
+ notify: Reload apache
+
+- name: Create site users
+ user:
+ name: 'www-{{ item }}'
+ shell: /usr/sbin/nologin
+ system: yes
+ home: '/var/www/{{ item }}'
+ become: yes
+ with_items: '{{ apache_vhosts.keys() | list }}'
+
+- name: chmod site dirs
+ file:
+ path: '/var/www/{{ item }}'
+ mode: '750'
+ become: yes
+ with_items: '{{ apache_vhosts.keys() | list }}'
+
+- name: Create noPHP site dirs
+ file:
+ path: '/var/www/{{ item }}'
+ mode: '750'
+ owner: www-data
+ group: www-data
+ state: directory
+ become: yes
+ with_items: '{{ apache_nophp_vhosts.keys() | list }}'
+
+- name: Create FPM Pools
+ template:
+ src: fpm-pool.conf.j2
+ dest: '/etc/php/{{ item.value.php_version }}/fpm/pool.d/www-{{ item.key }}.conf'
+ become: yes
+ with_dict: '{{ apache_vhosts }}'
+ notify: Restart fpm
+
+- name: Enable sites
+ file:
+ path: '/etc/apache2/sites-enabled/{{ item }}.conf'
+ state: link
+ src: '../sites-available/{{ item }}.conf'
+ become: yes
+ notify: Reload apache
+ with_items: '{{ apache_vhosts.keys() | list + apache_rproxies.keys() | list + apache_nophp_vhosts.keys() | list + ["000-default", "000-default-ssl"] }}'
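Review bot: The sury.org signing key fetched at the top of the hunk is written into `/etc/apt/trusted.gpg.d/`, where apt trusts it for every configured repository, and `get_url` is given no `checksum:`, so whatever is served at download time is accepted as the trust anchor. Binding the key to the one repository needs two line changes, `dest: /usr/share/keyrings/sury.gpg` in the `get_url` task and `content: 'deb [signed-by=/usr/share/keyrings/sury.gpg] https://packages.sury.org/php/ {{ ansible_facts.distribution_release }} main'` in the `copy` task, plus a `checksum: 'sha256:<KEY_SHA256_VERIFIED_OUT_OF_BAND>'` line under `get_url` once the digest has been confirmed. Separately, `Check for changed cert` evaluates `when: cert_changed` with no default and nothing in this role defines it, so the play fails with an undefined-variable error whenever no earlier role sets it; `when: cert_changed | default(false)` makes the dependency optional. `ignore_errors: yes` on `Enable apache2 modules` also hides genuine failures such as a missing module package; if only the config-check failure is the problem, `failed_when` narrowed to that message would be safer than ignoring everything.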
diff --git a/roles/apache/templates/fpm-pool.conf.j2 b/roles/apache/templates/fpm-pool.conf.j2
new file mode 100644
index 0000000..514382b
--- /dev/null
+++ b/roles/apache/templates/fpm-pool.conf.j2
@@ -0,0 +1,15 @@
+[www-{{ item.key }}]
+ user = www-{{ item.key }}
+ group = www-{{ item.key }}
+ listen = /run/php/php{{ item.value.php_version }}-fpm.www-{{ item.key }}.sock
+ listen.owner = www-{{ item.key }}
+ listen.group = www-{{ item.key }}
+ listen.mode = 0600
+
+ pm = dynamic
+ pm.max_children = {{ item.value.fpm.max_children | default("5") }}
+ pm.start_servers = {{ item.value.fpm.start_servers | default("2") }}
+ pm.min_spare_servers = {{ item.value.fpm.min_spare_servers | default("1") }}
+ pm.max_spare_servers = {{ item.value.fpm.max_spare_servers | default("3") }}
+
+{{ item.value.php_custom_conf | default("") }}
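Review bot: Unlike `ssl.conf.j2`, `vhost.conf.j2` and `vhost_nophp.conf.j2`, this template carries no `# This file is managed by Ansible. Do not change.` first line, so a hand edit to a generated pool file gives no warning before the next run overwrites it; adding the same header keeps the four templates consistent. The `listen.mode = 0600` with `listen.owner`/`listen.group` set to the site user is what restricts the socket to that vhost's `AssignUserID` user in `vhost.conf.j2`, and is worth a one-line comment such as `; socket is reachable only by the mpm-itk user of this vhost` so the restriction is not loosened later. `php_custom_conf` is rendered verbatim at the end of the pool; a comment noting that it must be valid php-fpm pool syntax would save a debugging round when a bad snippet keeps the service from restarting.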
diff --git a/roles/apache/templates/php-fpm.conf.j2 b/roles/apache/templates/php-fpm.conf.j2
new file mode 100644
index 0000000..2dd653c
--- /dev/null
+++ b/roles/apache/templates/php-fpm.conf.j2
@@ -0,0 +1 @@
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
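Review bot: This template contains only a vim modeline, and one for Apache syntax although the file is named `php-fpm.conf.j2`; no task in `roles/apache/tasks/main.yml` references it, so it looks like a leftover placeholder. Either drop it from the commit or add a comment stating what it is meant to become so the next reader does not have to guess.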
diff --git a/roles/apache/templates/proxy.conf.j2 b/roles/apache/templates/proxy.conf.j2
new file mode 100644
index 0000000..6fca868
--- /dev/null
+++ b/roles/apache/templates/proxy.conf.j2
@@ -0,0 +1,24 @@
+<IfModule mod_ssl.c>
+ <VirtualHost _default_:443>
+ ServerAdmin webmaster@localhost
+
+ ServerName {{ item.value.hostname }}
+
+{% if item.value.ssl is defined and item.value.ssl is sameas true %}
+ SSLProxyEngine on
+ SSLProxyVerify require
+ SSLProxyCACertificateFile "/etc/ssl/certs/ca-certificates.crt"
+ SSLProxyCheckPeerCN on
+ SSLProxyVerifyDepth 10
+{% endif %}
+
+ ProxyPass / {{ item.value.proxy }}
+ ProxyPassReverse / {{ item.value.proxy }}
+
+ {{ item.value.apache_custom_conf | default("") }}
+
+ Include ssl.conf
+ </VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
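Review bot: The upstream TLS block is rendered only when `item.value.ssl is sameas true`, an identity test against the Python `True` object, so a value that arrives as the string `"true"` (a quoted YAML value, inventory variable or `-e` override) fails the test and the vhost is written with `SSLProxyEngine` off, which then breaks proxying to an `https://` backend rather than falling back to an unverified connection. `{% if item.value.ssl | default(false) | bool %}` accepts both spellings and keeps `SSLProxyVerify require` as the default for TLS backends. On Apache 2.4.5 and later `SSLProxyCheckPeerName on` is the directive that validates the backend certificate against its name (CN and subjectAltName), so it is worth adding alongside or instead of `SSLProxyCheckPeerCN`. `ProxyPass` also requires `proxy` and `proxy_http` in `apache_mods`, which the defaults do not include.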
diff --git a/roles/apache/templates/ssl.conf.j2 b/roles/apache/templates/ssl.conf.j2
new file mode 100644
index 0000000..04587a2
--- /dev/null
+++ b/roles/apache/templates/ssl.conf.j2
@@ -0,0 +1,17 @@
+# This file is managed by Ansible. Do not change.
+
+SSLEngine on
+
+SSLProtocol -all +TLSv1.2 +TLSv1.3
+
+SSLCertificateFile {{ apache_ssl_cert }}
+SSLCertificateKeyFile {{ apache_ssl_key }}
+
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+ SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory /usr/lib/cgi-bin>
+ SSLOptions +StdEnvVars
+</Directory>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
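Review bot: The shared TLS include pins the protocol versions but leaves cipher selection and HSTS to the distribution defaults; since every vhost template includes this file it is the natural place for a deliberate `SSLCipherSuite` choice and a `Header always set Strict-Transport-Security "max-age=<SECONDS>"` line, the latter needing `headers` in `apache_mods`. The certificate paths come from `apache_ssl_cert`/`apache_ssl_key`, which default to the snakeoil self-signed pair; a comment here, e.g. `# Cert paths come from apache_ssl_cert / apache_ssl_key; defaults are the self-signed snakeoil pair`, makes that visible where an operator would look for it.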
diff --git a/roles/apache/templates/vhost.conf.j2 b/roles/apache/templates/vhost.conf.j2
new file mode 100644
index 0000000..78862af
--- /dev/null
+++ b/roles/apache/templates/vhost.conf.j2
@@ -0,0 +1,27 @@
+# This file is managed by Ansible. Do not change.
+
+<IfModule mod_ssl.c>
+ <VirtualHost _default_:443>
+ ServerName {{ item.value.hostname }}
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/{{ item.key }}/{{ item.value.relative_root }}
+
+ <Directory /var/www/{{ item.key }}>
+ AllowOverride All
+ Require all granted
+ </Directory>
+
+ AssignUserID www-{{ item.key }} www-{{ item.key }}
+
+ Include ssl.conf
+
+ {{ item.value.apache_custom_conf | default("") }}
+
+ <FilesMatch \.php$>
+ SetHandler "proxy:unix:/run/php/php{{ item.value.php_version }}-fpm.www-{{ item.key }}.sock|fcgi://localhost"
+ </FilesMatch>
+ </VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
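Review bot: `<Directory /var/www/{{ item.key }}>` grants `AllowOverride All` and `Require all granted` one level above the `DocumentRoot` (`/var/www/{{ item.key }}/{{ item.value.relative_root }}`), i.e. on the site user's entire home directory, so anything placed there and later exposed through an `Alias` or a changed `relative_root` is already readable and `.htaccess`-controllable; scoping the block to the DocumentRoot, `<Directory /var/www/{{ item.key }}/{{ item.value.relative_root }}>`, and limiting `AllowOverride` to the override classes the sites actually use keeps the grant no wider than the URL mapping. `vhost_nophp.conf.j2` has the same block and the same fix. `relative_root` and `php_version` are read without `default`, so a vhost entry that omits either fails at template time; that is acceptable but should be stated in `defaults/main.yml`. `AssignUserID` presumes the mpm_itk module is active; the role installs `libapache2-mpm-itk` but does not list `mpm_itk` in `apache_mods`, which is worth confirming on a fresh host.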
diff --git a/roles/apache/templates/vhost_nophp.conf.j2 b/roles/apache/templates/vhost_nophp.conf.j2
new file mode 100644
index 0000000..22d948a
--- /dev/null
+++ b/roles/apache/templates/vhost_nophp.conf.j2
@@ -0,0 +1,21 @@
+# This file is managed by Ansible. Do not change.
+
+<IfModule mod_ssl.c>
+ <VirtualHost _default_:443>
+ ServerName {{ item.value.hostname }}
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/{{ item.key }}/{{ item.value.relative_root }}
+
+ <Directory /var/www/{{ item.key }}>
+ AllowOverride All
+ Require all granted
+ </Directory>
+
+ Include ssl.conf
+
+ {{ item.value.apache_custom_conf | default("") }}
+ </VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet