From 2e3a53d879ef17f2e4afcce9e6b7f121ab25c571 Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Thu, 2 Sep 2021 01:02:31 +0200
Subject: add apache role
---
 roles/apache/defaults/main.yml | 17 ++++
 roles/apache/files/000-default-ssl.conf | 11 +++
 roles/apache/files/000-default.conf | 9 ++
 roles/apache/handlers/main.yml | 20 ++++
 roles/apache/tasks/main.yml | 152 +++++++++++++++++++++++++++++
 roles/apache/templates/fpm-pool.conf.j2 | 15 +++
 roles/apache/templates/php-fpm.conf.j2 | 1 +
 roles/apache/templates/proxy.conf.j2 | 24 +++++
 roles/apache/templates/ssl.conf.j2 | 17 ++++
 roles/apache/templates/vhost.conf.j2 | 27 +++++
 roles/apache/templates/vhost_nophp.conf.j2 | 21 ++++
 11 files changed, 314 insertions(+)
 create mode 100644 roles/apache/defaults/main.yml
 create mode 100644 roles/apache/files/000-default-ssl.conf
 create mode 100644 roles/apache/files/000-default.conf
 create mode 100644 roles/apache/handlers/main.yml
 create mode 100644 roles/apache/tasks/main.yml
 create mode 100644 roles/apache/templates/fpm-pool.conf.j2
 create mode 100644 roles/apache/templates/php-fpm.conf.j2
 create mode 100644 roles/apache/templates/proxy.conf.j2
 create mode 100644 roles/apache/templates/ssl.conf.j2
 create mode 100644 roles/apache/templates/vhost.conf.j2
 create mode 100644 roles/apache/templates/vhost_nophp.conf.j2
(limited to 'roles')
diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml
new file mode 100644
index 0000000..9a5bd51
--- /dev/null
+++ b/roles/apache/defaults/main.yml
@@ -0,0 +1,17 @@
+---
+php_versions: []
+
+php_extensions: []
+
+# Removing will NOT remove the module
+apache_mods: []
+
+apache_rproxies: {}
+
+# Hosts WITH PHP, run as seperate user
+apache_vhosts: {}
+
+apache_nophp_vhosts: {}
+
+apache_ssl_cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+apache_ssl_key: '/etc/ssl/private/ssl-cert-snakeoil.key'
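Review bot: tasks/main.yml evaluates `when: cert_changed` on every run, but this defaults file never defines `cert_changed`, so unless the playbook sets it elsewhere the play aborts on an undefined variable; add `cert_changed: false` here with a comment such as `# Set to true by a certificate-deploy task to force an Apache restart`. The `apache_ssl_cert`/`apache_ssl_key` defaults point at the Debian snakeoil self-signed pair, which is fine as a placeholder but should be labelled as one, e.g. `# Self-signed placeholder pair; override with a real certificate in inventory`. A nit: "seperate" in the `apache_vhosts` comment should be "separate".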
diff --git a/roles/apache/files/000-default-ssl.conf b/roles/apache/files/000-default-ssl.conf
new file mode 100644
index 0000000..dcf8b8b
--- /dev/null
+++ b/roles/apache/files/000-default-ssl.conf
@@ -0,0 +1,11 @@
+
+
+ ServerAdmin webmaster@localhost
+
+ Redirect 404 /
+
+ Include ssl.conf
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/apache/files/000-default.conf b/roles/apache/files/000-default.conf
new file mode 100644
index 0000000..922eb96
--- /dev/null
+++ b/roles/apache/files/000-default.conf
@@ -0,0 +1,9 @@
+
+ ServerAdmin webmaster@localhost
+
+ RewriteEngine On
+ RewriteCond %{HTTPS} !=on
+ RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml
new file mode 100644
index 0000000..3cbcfcc
--- /dev/null
+++ b/roles/apache/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Restart apache
+ systemd:
+ name: apache2.service
+ state: restarted
+ become: yes
+
+- name: Reload apache
+ systemd:
+ name: apache2.service
+ state: reloaded
+ become: yes
+
+- name: Restart fpm
+ systemd:
+ name: '{{ item }}-fpm'
+ state: restarted
+ enabled: yes
+ become: yes
+ loop: '{{ php_versions }}'
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
new file mode 100644
index 0000000..9e7e904
--- /dev/null
+++ b/roles/apache/tasks/main.yml
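Review bot: `RewriteEngine On` needs mod_rewrite, which Debian does not enable by default, and nothing in the role enables it either: `apache_mods` defaults to `[]` in defaults/main.yml and the "Enable sites" task in tasks/main.yml links 000-default unconditionally, so a run with default variables leaves Apache with a config it refuses to load until `rewrite` is added in inventory. The same gap exists for `ssl`, `proxy`, `proxy_http` and `proxy_fcgi`, which ssl.conf.j2, proxy.conf.j2 and vhost.conf.j2 depend on. Either make the always-required modules part of the loop, `loop: '{{ ["rewrite", "ssl"] + apache_mods }}'`, or document them as mandatory entries for `apache_mods` in the defaults file. The container directives around these lines did not survive extraction here, so I have reviewed only the visible directives.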
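Review bot: `enabled: yes` on the "Restart fpm" handler only runs when something notifies it, so a disabled `php*-fpm` unit on a host whose pool files are already up to date is never re-enabled; enabling belongs in an install task after "Install general packages", leaving the handler to `state: restarted` alone. As a point of style, every boolean in the role is written `yes`/`no`; yamllint's truthy rule and current Ansible style prefer `true`/`false`, e.g. `become: true`. Note also that this handler restarts every version in `php_versions` whenever any single pool file changes, which is harmless but heavier than necessary.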
@@ -0,0 +1,152 @@
+---
+- name: Install SURY.ORG package signing key
+ get_url:
+ url: https://packages.sury.org/php/apt.gpg
+ dest: /etc/apt/trusted.gpg.d/sury.gpg
+ become: yes
+
+- name: Install SURY.ORG php package repository
+ copy:
+ dest: /etc/apt/sources.list.d/sury.list
+ content: 'deb https://packages.sury.org/php/ {{ ansible_facts.distribution_release }} main'
+ become: yes
+
+- name: Install general packages
+ apt:
+ name: '{{ ["apache2", "libapache2-mpm-itk"] + php_versions }}'
+ update_cache: yes
+ become: yes
+
+- name: Install extensions
+ apt:
+ name: '{{ php_versions | product(php_extensions) | map("join", "-") }}'
+ become: yes
+
+# ignore errors bc apache2_module checks fails for errors in config (why???)
+- name: Enable apache2 modules
+ community.general.apache2_module:
+ name: '{{ item }}'
+ state: present
+ loop: '{{ apache_mods }}'
+ ignore_errors: yes
+ become: yes
+ notify: Restart apache
+
+- name: Check for changed cert
+ command: /bin/true
+ when:
+ - cert_changed
+ notify:
+ - Restart apache
+
+- name: Check for php module
+ find:
+ paths: '/etc/apache2/mods-enabled/'
+ patterns: 'php*'
+ file_type: any
+ become: yes
+ register: a2_mod_php
+
+- name: Disable apache2 mod php
+ file:
+ path: '{{ item.path }}'
+ follow: no
+ state: absent
+ become: yes
+ loop: '{{ a2_mod_php.files }}'
+ notify: Restart apache
+
+- name: Install SSL config
+ template:
+ src: ssl.conf.j2
+ dest: /etc/apache2/ssl.conf
+ become: yes
+ notify: Restart apache
+
+- name: Remove default-ssl
+ file:
+ path: '/etc/apache2/{{ item }}/default-ssl.conf'
+ follow: no
+ state: absent
+ become: yes
+ loop:
+ - sites-available
+ - sites-enabled
+ notify: Reload apache
+
+- name: Install default sites
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/apache2/sites-available/{{ item }}'
+ become: yes
+ loop:
+ - 000-default-ssl.conf
+ - 000-default.conf
+ notify: Reload apache
+
+- name: Install vhost configs
+ template:
+ src: vhost.conf.j2
+ dest: 
'/etc/apache2/sites-available/{{ item.key }}.conf'
+ with_dict: '{{ apache_vhosts }}'
+ become: yes
+ notify: Reload apache
+
+- name: Install noPHP vhost configs
+ template:
+ src: vhost_nophp.conf.j2
+ dest: '/etc/apache2/sites-available/{{ item.key }}.conf'
+ with_dict: '{{ apache_nophp_vhosts }}'
+ become: yes
+ notify: Reload apache
+
+- name: Install proxy configs
+ template:
+ src: proxy.conf.j2
+ dest: '/etc/apache2/sites-available/{{ item.key }}.conf'
+ with_dict: '{{ apache_rproxies }}'
+ become: yes
+ notify: Reload apache
+
+- name: Create site users
+ user:
+ name: 'www-{{ item }}'
+ shell: /usr/sbin/nologin
+ system: yes
+ home: '/var/www/{{ item }}'
+ become: yes
+ with_items: '{{ apache_vhosts.keys() | list }}'
+
+- name: chmod site dirs
+ file:
+ path: '/var/www/{{ item }}'
+ mode: '750'
+ become: yes
+ with_items: '{{ apache_vhosts.keys() | list }}'
+
+- name: Create noPHP site dirs
+ file:
+ path: '/var/www/{{ item }}'
+ mode: '750'
+ owner: www-data
+ group: www-data
+ state: directory
+ become: yes
+ with_items: '{{ apache_nophp_vhosts.keys() | list }}'
+
+- name: Create FPM Pools
+ template:
+ src: fpm-pool.conf.j2
+ dest: '/etc/php/{{ item.value.php_version }}/fpm/pool.d/www-{{ item.key }}.conf'
+ become: yes
+ with_dict: '{{ apache_vhosts }}'
+ notify: Restart fpm
+
+- name: Enable sites
+ file:
+ path: '/etc/apache2/sites-enabled/{{ item }}.conf'
+ state: link
+ src: '../sites-available/{{ item }}.conf'
+ become: yes
+ notify: Reload apache
+ with_items: '{{ apache_vhosts.keys() | list + apache_rproxies.keys() | list + apache_nophp_vhosts.keys() | list + ["000-default", "000-default-ssl"] }}'
diff --git a/roles/apache/templates/fpm-pool.conf.j2 b/roles/apache/templates/fpm-pool.conf.j2
new file mode 100644
index 0000000..514382b
--- /dev/null
+++ b/roles/apache/templates/fpm-pool.conf.j2
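Review bot: the SURY signing key is dropped into `/etc/apt/trusted.gpg.d/`, which makes it an accepted signer for every configured APT source, and `get_url` fetches it with no `checksum:`, so the trust anchor for the whole PHP stack is whatever the server happened to return; keep the key out of the global trust store and bind it to this one repository, i.e. `dest: /usr/share/keyrings/sury.gpg` plus `checksum: 'sha256:<expected digest placeholder>'` in "Install SURY.ORG package signing key", and `content: 'deb [signed-by=/usr/share/keyrings/sury.gpg] https://packages.sury.org/php/ {{ ansible_facts.distribution_release }} main'` in the repository task. Separately, `ignore_errors: yes` on "Enable apache2 modules" hides every failure, including a misspelled entry in `apache_mods`; a `failed_when` matched against the specific message the module emits keeps the workaround narrow. The comment above that task, `# ignore errors bc apache2_module checks fails for errors in config (why???)`, should state the actual failure once it is understood rather than the question.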
@@ -0,0 +1,15 @@
+[www-{{ item.key }}]
+ user = www-{{ item.key }}
+ group = www-{{ item.key }}
+ listen = /run/php/php{{ item.value.php_version }}-fpm.www-{{ item.key }}.sock
+ listen.owner = www-{{ item.key }}
+ listen.group = www-{{ item.key }}
+ listen.mode = 0600
+
+ pm = dynamic
+ pm.max_children = {{ item.value.fpm.max_children | default("5") }}
+ pm.start_servers = {{ item.value.fpm.start_servers | default("2") }}
+ pm.min_spare_servers = {{ item.value.fpm.min_spare_servers | default("1") }}
+ pm.max_spare_servers = {{ item.value.fpm.max_spare_servers | default("3") }}
+
+{{ item.value.php_custom_conf | default("") }}
diff --git a/roles/apache/templates/php-fpm.conf.j2 b/roles/apache/templates/php-fpm.conf.j2
new file mode 100644
index 0000000..2dd653c
--- /dev/null
+++ b/roles/apache/templates/php-fpm.conf.j2
@@ -0,0 +1 @@
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/apache/templates/proxy.conf.j2 b/roles/apache/templates/proxy.conf.j2
new file mode 100644
index 0000000..6fca868
--- /dev/null
+++ b/roles/apache/templates/proxy.conf.j2
@@ -0,0 +1,24 @@
+
+
+ ServerAdmin webmaster@localhost
+
+ ServerName {{ item.value.hostname }}
+
+{% if item.value.ssl is defined and item.value.ssl is sameas true %}
+ SSLProxyEngine on
+ SSLProxyVerify require
+ SSLProxyCACertificateFile "/etc/ssl/certs/ca-certificates.crt"
+ SSLProxyCheckPeerCN on
+ SSLProxyVerifyDepth 10
+{% endif %}
+
+ ProxyPass / {{ item.value.proxy }}
+ ProxyPassReverse / {{ item.value.proxy }}
+
+ {{ item.value.apache_custom_conf | default("") }}
+
+ Include ssl.conf
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/apache/templates/ssl.conf.j2 b/roles/apache/templates/ssl.conf.j2
new file mode 100644
index 0000000..04587a2
--- /dev/null
+++ b/roles/apache/templates/ssl.conf.j2
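Review bot: php-fpm.conf.j2 consists of nothing but an Apache vim modeline and no task in this commit renders it, so it looks like a leftover; either drop the file or add the task that is meant to use it. If it is intended to become a per-version `php-fpm.conf`, the modeline should presumably read `syntax=dosini` rather than `syntax=apache`.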
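Review bot: the `{% if item.value.ssl ... %}` block gates `SSLProxyEngine on`, but nothing tells the inventory author that `item.value.proxy` must then be an `https://` URL, nor that an `https://` backend with the flag unset is refused by mod_proxy; a comment above the block, `# ssl: true is required when proxy points at an https:// backend; the backend certificate is verified against the system CA bundle`, would make that contract visible in the template. `SSLProxyCheckPeerCN on` is, as far as I recall, the older CN-only check; `SSLProxyCheckPeerName on` also matches subjectAltName and is the form current Apache documentation points to. The VirtualHost container lines around these directives did not survive extraction, so their scope is not checked here.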
@@ -0,0 +1,17 @@
+# This file is managed by Ansible. Do not change.
+
+SSLEngine on
+
+SSLProtocol -all +TLSv1.2 +TLSv1.3
+
+SSLCertificateFile {{ apache_ssl_cert }}
+SSLCertificateKeyFile {{ apache_ssl_key }}
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/apache/templates/vhost.conf.j2 b/roles/apache/templates/vhost.conf.j2
new file mode 100644
index 0000000..78862af
--- /dev/null
+++ b/roles/apache/templates/vhost.conf.j2
@@ -0,0 +1,27 @@
+# This file is managed by Ansible. Do not change.
+
+
+
+ ServerName {{ item.value.hostname }}
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/{{ item.key }}/{{ item.value.relative_root }}
+
+
+ AllowOverride All
+ Require all granted
+
+
+ AssignUserID www-{{ item.key }} www-{{ item.key }}
+
+ Include ssl.conf
+
+ {{ item.value.apache_custom_conf | default("") }}
+
+
+ SetHandler "proxy:unix:/run/php/php{{ item.value.php_version }}-fpm.www-{{ item.key }}.sock|fcgi://localhost"
+
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/roles/apache/templates/vhost_nophp.conf.j2 b/roles/apache/templates/vhost_nophp.conf.j2
new file mode 100644
index 0000000..22d948a
--- /dev/null
+++ b/roles/apache/templates/vhost_nophp.conf.j2
@@ -0,0 +1,21 @@
+# This file is managed by Ansible. Do not change.
+
+
+
+ ServerName {{ item.value.hostname }}
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/{{ item.key }}/{{ item.value.relative_root }}
+
+
+ AllowOverride All
+ Require all granted
+
+
+ Include ssl.conf
+
+ {{ item.value.apache_custom_conf | default("") }}
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
-- 
cgit v1.2.3
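Review bot: `SSLProtocol -all +TLSv1.2 +TLSv1.3` pins the protocol versions but no `SSLCipherSuite` follows it, so the TLS 1.2 cipher list is whatever the distribution's OpenSSL default is, which on older releases may still admit non-forward-secret suites; an explicit `SSLCipherSuite` limited to ECDHE AEAD suites together with `SSLHonorCipherOrder off` keeps the policy in the role rather than in the OS. Since 000-default.conf already redirects every plain-HTTP request to HTTPS, an HSTS header such as `Header always set Strict-Transport-Security "max-age=63072000"` belongs in this shared include as well (mod_headers must then be in `apache_mods`). The container directives around the two `SSLOptions +StdEnvVars` lines did not survive extraction, so their scope is not checked here.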
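Review bot: `DocumentRoot /var/www/{{ item.key }}/{{ item.value.relative_root }}` uses `relative_root` without a `default()`, unlike `apache_custom_conf` a few lines below, so a vhost entry that omits it makes the whole "Install vhost configs" task fail with an undefined-variable error under Ansible's default strict handling; either document the key as required in defaults/main.yml, `# relative_root: path below /var/www/<site> to serve (required)`, or give it a default that does not leave a trailing slash on the DocumentRoot, which the Apache docs advise against. vhost_nophp.conf.j2 has the identical construct and the same gap. `AllowOverride All` with `Require all granted` is the usual shared-hosting posture and is defensible here because mpm-itk confines this vhost to its own `www-<site>` user, but that reasoning deserves a comment beside the Directory block, since the nophp template grants the same override for content owned by the shared www-data user.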