Update to 2020-11-09 10:00

4 years ago · 0acb3c2aae
parent c593e48020
commit 0acb3c2aae
52 changed files with 503 additions and 171 deletions
--- a/roles/bitwarden_rs/tasks/install.yml
+++ b/roles/bitwarden_rs/tasks/install.yml
@ -19,10 +19,20 @@
  yum:
    name:
      - MariaDB-devel
-      - /usr/lib64/libmariadb.so
  when: bitwarden_db_engine == 'mysql'
  tags: bitwarden

+  # With upstream MariaDB repo, /usr/lib64/libmariadb.so is in MariaDB-shared not in MariaDB-devel
+- name: Install MariaDB shared libs
+  yum:
+    name:
+      - MariaDB-shared
+  when:
+    - bitwarden_db_engine == 'mysql'
+    - mysql_mariadb_version is defined
+    - mysql_mariadb_version != 'default'
+  tags: bitwarden
+
 - when: bitwarden_install_mode != 'none'
  tags: bitwarden
  block:
--- a/roles/common/tasks/utils.yml
+++ b/roles/common/tasks/utils.yml
@ -2,7 +2,7 @@

 - name: Install common utilities
  package:
-    name: "{{ system_utils + system_distro_utils}}"
+    name: "{{ system_utils + system_distro_utils }}"

 - name: Install extra softwares
  package:
--- a/roles/composer/meta/main.yml
+++ b/roles/composer/meta/main.yml
@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - role: httpd_common
--- a/roles/composer/tasks/install.yml
+++ b/roles/composer/tasks/install.yml
@ -0,0 +1,25 @@
+---
+
+- name: download composer
+  get_url:
+    url: https://getcomposer.org/installer
+    dest: /tmp/installer
+  tags: composer
+
+- name: install composer
+  shell: cat /tmp/installer | php74 -- --install-dir=/usr/local/bin
+  args:
+    creates: /usr/local/bin/composer
+  tags: composer
+
+- name: rename composer.phar to composer
+  shell: mv /usr/local/bin/composer.phar /usr/local/bin/composer
+  args:
+    creates: /usr/local/bin/composer
+  tags: composer
+
+- name: make composer executable
+  file: 
+    path: /usr/local/bin/composer
+    mode: 755
+  tags: composer
--- a/roles/composer/tasks/main.yml
+++ b/roles/composer/tasks/main.yml
@ -0,0 +1,3 @@
+---
+
+- include: install.yml
--- a/roles/dokuwiki/tasks/main.yml
+++ b/roles/dokuwiki/tasks/main.yml
@ -338,19 +338,19 @@
  tags: dokuwiki

 - name: Deploy php configuration
-  template: src=php.conf.j2 dest={{ httpd_php_versions[dokuwiki_php_version].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ dokuwiki_php_version }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf
  notify: restart php-fpm
  tags: dokuwiki

 - name: Remove PHP config from other versions
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ dokuwiki_php_version ]) }}"
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
+  with_items: "{{ httpd_php_versions | difference([ dokuwiki_php_version ]) }}"
  notify: restart php-fpm
  tags: dokuwiki

 - name: Remove PHP config (using a custom pool)
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  file: path=/etc/opt/remi/php{{ dokuwiki_php_version }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
+  with_items: "{{ httpd_php_versions }}"
  when: dokuwiki_php_fpm_pool is defined
  notify: restart php-fpm
  tags: dokuwiki
--- a/roles/dokuwiki/templates/local.protected.php.j2
+++ b/roles/dokuwiki/templates/local.protected.php.j2
@ -21,8 +21,10 @@ $conf['plugin']['{{ dokuwiki_auth }}']['bindpw'] = '{{ dokuwiki_ldap_bind_pass }
 {% elif dokuwiki_auth == 'authad' %}
 $conf['plugin']['authad']['base_dn'] = '{{ dokuwiki_ad_user_base }}';
 $conf['plugin']['authad']['domain_controllers'] = '{{ dokuwiki_ad_dc | join(', ') }}';
+{% if dokuwiki_ad_bind_user is defined and dokuwiki_ad_bind_pass is defined %}
 $conf['plugin']['authad']['admin_username'] = '{{ dokuwiki_ad_bind_user }}';
 $conf['plugin']['authad']['admin_password'] = '{{ dokuwiki_ad_bind_pass }}';
+{% endif %}
 {% if dokuwiki_ad_domain is defined %}
 $conf['plugin']['authad']['account_suffix'] = '@{{ dokuwiki_ad_domain }}';
 {% endif %}
--- a/roles/framadate/meta/main.yml
+++ b/roles/framadate/meta/main.yml
@ -1,3 +1,5 @@
 ---
 allow_duplicates: true
+dependencies:
+  - role: composer
 ...
--- a/roles/framadate/tasks/main.yml
+++ b/roles/framadate/tasks/main.yml
@ -8,9 +8,7 @@
  yum:
    name:
      - unzip
-      - MySQL-python
      - acl
-      - composer
      - tar
  tags: framadate

@ -114,9 +112,9 @@
  tags: framadate

 - name: Install libs using composer
-  composer: command=install working_dir={{ framadate_root_dir }}/web
+  composer: command=install working_dir={{ framadate_root_dir }}/web executable=/bin/php{{ framadate_php_version }}
  environment:
-    php: /bin/php{{ framadate_php_version == '54' | ternary('',framadate_php_version) }}
+    php: /bin/php{{ framadate_php_version }}
  tags: framadate

 - name: Download custom logo
@ -202,18 +200,18 @@
  tags: framadate

 - name: Deploy PHP configuration
-  template: src=php.conf.j2 dest={{ httpd_php_versions[framadate_php_version].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ framadate_php_version }}/php-fpm.d/framadate_{{ framadate_id }}.conf
  notify: restart php-fpm
  tags: framadate

 - name: Remove PHP configuration from other versions
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ framadate_php_version ]) }}"
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
+  with_items: "{{ httpd_php_versions | difference([ framadate_php_version ]) }}"
  notify: restart php-fpm
  tags: framadate

 - name: Remove PHP configuration (using a custom pool)
-  file: path={{ httpd_php_versions[framadate_php_version].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
+  file: path=/etc/opt/remi/php{{ framadate_php_version }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
  when: framadate_php_fpm_pool is defined
  notify: restart php-fpm
  tags: framadate
--- a/roles/httpd_common/tasks/main.yml
+++ b/roles/httpd_common/tasks/main.yml
@ -1,14 +1,16 @@
 ---

+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+  tags: web
+
 - name: Install packages
-  yum:
-    name:
-      - httpd
-      - mod_fcgid
-      - policycoreutils-python
-      - python-passlib
-      - mod_authnz_pam
-  tags: [package,web]
+  yum: name={{ httpd_common_packages }}
+  tags: web

 - name: List httpd ports
  set_fact: httpd_ports={{ httpd_ports + (httpd_ansible_vhosts | selectattr('port','defined') | map(attribute='port') | list) | unique }}
--- a/roles/httpd_common/vars/CentOS-7.yml
+++ b/roles/httpd_common/vars/CentOS-7.yml
@ -0,0 +1,8 @@
+---
+
+httpd_common_packages:
+  - httpd
+  - mod_fcgid
+  - policycoreutils-python
+  - python-passlib
+  - mod_authnz_pam
--- a/roles/httpd_common/vars/CentOS-8.yml
+++ b/roles/httpd_common/vars/CentOS-8.yml
@ -0,0 +1,8 @@
+---
+
+httpd_common_packages:
+  - httpd
+  - mod_fcgid
+  - python3-policycoreutils
+  - python3-passlib
+  - mod_authnz_pam
--- a/roles/httpd_common/vars/defaults.yml
+++ b/roles/httpd_common/vars/defaults.yml
@ -0,0 +1,4 @@
+---
+
+httpd_common_packages:
+  - httpd
--- a/roles/httpd_php/defaults/main.yml
+++ b/roles/httpd_php/defaults/main.yml
@ -24,23 +24,13 @@ httpd_php_common_modules:
  - pecl-apcu
  - pecl-imagick

-httpd_php_extra_modules: []
-
 httpd_php_versions:
-  54:
-    conf_path: /etc/
-  56:
-    conf_path: /opt/remi/php56/root/etc/
-  70:
-    conf_path: /etc/opt/remi/php70/
-  71:
-    conf_path: /etc/opt/remi/php71/
-  72:
-    conf_path: /etc/opt/remi/php72/
-  73:
-    conf_path: /etc/opt/remi/php73/
-  74:
-    conf_path: /etc/opt/remi/php74/
+  - 56
+  - 70
+  - 71
+  - 72
+  - 73
+  - 74

 httpd_php_default_version: 73

--- a/roles/httpd_php/handlers/main.yml
+++ b/roles/httpd_php/handlers/main.yml
@ -4,23 +4,15 @@

 # We need to stop all the pools and then start them again
 # because if we move one pool config from one version to another
-# the sock might not be removed at the correct time, depending on the
+# the socket might not be removed at the correct time, depending on the
 # order of execution
 - name: restart php-fpm
-  service: name=php-fpm state=stopped enabled=yes
-  notify: stop php-fpm-scl
-
- name: stop php-fpm-scl
-  service: name=php{{ item }}-php-fpm state=stopped enabled=yes
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
+  service: name=php{{ item }}-php-fpm state=stopped enabled=True
+  with_items: "{{ httpd_php_versions }}"
  notify: start php-fpm

 - name: start php-fpm
-  service: name=php-fpm state=started enabled=yes
-  notify: start php-fpm-scl
-
- name: start php-fpm-scl
-  service: name=php{{ item }}-php-fpm state=started enabled=yes
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
+  service: name=php{{ item }}-php-fpm state=started enabled=True
+  with_items: "{{ httpd_php_versions }}"

 ...
--- a/roles/httpd_php/meta/main.yml
+++ b/roles/httpd_php/meta/main.yml
@ -1,5 +1,5 @@
 ---
 dependencies:
  - role: httpd_common
-  - role: repo_remi_safe
+  - role: repo_remi
 ...
--- a/roles/httpd_php/tasks/main.yml
+++ b/roles/httpd_php/tasks/main.yml
@ -1,31 +1,19 @@
 ---

- name: Build the list of packages for core PHP
+- name: Build the list of packages
  set_fact:
-    php_pkg: "{{ php_pkg|default([]) }} + [ 'php-{{ item }}' ]"
-  with_items:
-    - "{{ httpd_php_common_modules }}"
-  tags: [package,web]
-
- name: Build the list of packages for scl PHP
-  set_fact:
-     php_pkg: "{{ php_pkg|default([]) }} + [ 'php{{ item.0 }}-php-{{ item.1 }}' ]"
+     httpd_php_packages: "{{ httpd_php_packages | default([]) }} + [ 'php{{ item.0 }}-php-{{ item.1 }}' ]"
  with_nested:
-    - "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
+    - "{{ httpd_php_versions }}"
    - "{{ httpd_php_common_modules }}"
-  tags: [package,web]
+  tags: web

- name: Install PHP main modules
-  yum: name={{ php_pkg }}
+- name: Install PHP packages
+  yum: name={{ httpd_php_packages }}
  notify:
    - systemd-tmpfiles
    - restart php-fpm
-  tags: [package,web]
-
- name: Install PHP extra modules
-  yum: name={{ httpd_php_extra_modules }} state=present
-  notify: restart php-fpm
-  tags: [package,web]
+  tags: web

 - name: Create tmpfiles.d fragment
  copy: src=tmpfiles.conf dest=/etc/tmpfiles.d/php-fpm-scl.conf
@ -33,65 +21,61 @@
  tags: web

 - name: Disable default FPM pools
-  template: src=default_fpm_pool.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/www.conf
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  template: src=default_fpm_pool.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/www.conf
+  loop: "{{ httpd_php_versions }}"
  notify: restart php-fpm
-  tags: [conf,web]
+  tags: web

 - name: Deploy main php.ini configuration
-  template: src=php.ini.j2 dest={{ httpd_php_versions[item].conf_path }}/php.ini
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  template: src=php.ini.j2 dest=/etc/opt/remi/php{{ item }}/php.ini
+  loop: "{{ httpd_php_versions }}"
  notify: restart php-fpm
-  tags: [conf,web]
+  tags: web

 - name: Deploy PHP FPM master's configuration
-  template: src=php-fpm.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.conf
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  template: src=php-fpm.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.conf
+  loop: "{{ httpd_php_versions }}"
  notify: restart php-fpm
-  tags: [conf,web]
+  tags: web

 - name: Deploy default PHP FPM pools configurations
-  template: src=php_fpm_pool.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/php{{ item }}.conf
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  template: src=php_fpm_pool.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/php{{ item }}.conf
+  loop: "{{ httpd_php_versions }}"
  notify: restart php-fpm
-  tags: [conf,web]
+  tags: web

 - name: Create user accounts for ansible PHP FPM pools
-  user: name={{ item }} comment="PHP FPM {{ item }}" system=yes shell=/sbin/nologin
-  with_items: "{{ httpd_php_ansible_pools | default([]) | selectattr('user', 'defined') | map(attribute='user') | list }}"
-  tags: [conf,web]
+  user: name={{ item }} comment="PHP FPM {{ item }}" system=True shell=/sbin/nologin
+  loop: "{{ httpd_php_ansible_pools | default([]) | selectattr('user', 'defined') | map(attribute='user') | list }}"
+  tags: web

 - name: Deploy ansible PHP FPM pools configurations
-  template: src=php_fpm_ansible_pools.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/ansible_pools.conf
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  template: src=php_fpm_ansible_pools.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/ansible_pools.conf
+  loop: "{{ httpd_php_versions }}"
  notify: restart php-fpm
-  tags: [conf,web]
+  tags: web

 - name: Create log directories
  file: path=/var/log/php/php{{ item }} state=directory mode=770 owner=root group={{ httpd_user }}
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  loop: "{{ httpd_php_versions }}"
  notify: restart php-fpm
-  tags: [conf,web]
-
- name: Start and enable core PHP FPM service
-  service: name=php-fpm state=started enabled=yes
  tags: web

 - name: Start and enable SCL PHP FPM services
  service: name=php{{ item }}-php-fpm state=started enabled=yes
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
+  loop: "{{ httpd_php_versions }}"
  tags: web

 - name: Deploy httpd configuration fragments
  template: src={{ item.src }} dest={{ item.dest }}
-  with_items:
+  loop:
    - { src: httpd_php.conf.j2, dest: /etc/httpd/ansible_conf.d/php.conf }
  notify: reload httpd
-  tags: [conf,web]
+  tags: web

 - name: Allow network connections in SELinux
  seboolean: name={{ item }} state=yes persistent=yes
-  with_items:
+  loop:
    - httpd_can_network_connect_db
    - httpd_can_network_memcache
    - httpd_can_network_connect
--- a/roles/httpd_php/templates/php-fpm.conf.j2
+++ b/roles/httpd_php/templates/php-fpm.conf.j2
@ -1,9 +1,9 @@

-include = {{ httpd_php_versions[item].conf_path }}/php-fpm.d/*.conf
+include = /etc/opt/remi/php{{ item }}/php-fpm.d/*.conf

 [global]
 pid = /run/php-fpm/php{{ item }}-fpm.pid
 error_log = syslog
 syslog.facility = daemon
-syslog.ident = php{{ item}}-fpm
+syslog.ident = php{{ item }}-fpm

--- a/roles/includes/vars/CentOS-7.yml
+++ b/roles/includes/vars/CentOS-7.yml
@ -0,0 +1,5 @@
+---
+
+webapps_mysql_packages:
+  - MySQL-python
+  - mariadb
--- a/roles/includes/vars/CentOS-8.yml
+++ b/roles/includes/vars/CentOS-8.yml
@ -0,0 +1,6 @@
+---
+
+webapps_mysql_packages:
+  - python3-mysql
+  - mariadb
+
--- a/roles/includes/vars/Debian.yml
+++ b/roles/includes/vars/Debian.yml
@ -0,0 +1,5 @@
+---
+
+webapps_mysql_packages:
+  - python-mysqldb
+  - mariadb-client
--- a/roles/includes/webapps_create_mysql_db.yml
+++ b/roles/includes/webapps_create_mysql_db.yml
@ -1,18 +1,14 @@
 ---

- name: Install MySQL-python
-  yum:
-    name:
-      - MySQL-python
-      - mariadb
-  when: ansible_os_family == 'RedHat'
+- include_vars: "{{ item }}"
+  with_first_found:
+    - ../includes/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - ../includes/vars/{{ ansible_distribution }}.yml
+    - ../includes/vars/{{ ansible_os_family }}.yml
+    - ../includes/vars/defaults.yml

- name: Install MySQL-python
-  apt:
-    name:
-      - python-mysqldb
-      - mariadb-client
-  when: ansible_os_family == 'Debian'
+- name: Install MySQL tools
+  package: name={{ webapps_mysql_packages }}

 - name: Create MySQL database
  mysql_db:
@ -21,8 +17,8 @@
    login_user: sqladmin
    login_password: "{{ mysql_admin_pass }}"
    state: present
-    encoding: utf8mb4
-    collation: utf8mb4_general_ci
+    encoding: "{{ db_encoding | default('utf8mb4') }}"
+    collation: "{{ db_collation | default('utf8mb4_general_ci') }}"
  register: db_created

 - name: Create MySQL User
--- a/roles/includes/webapps_webconf.yml
+++ b/roles/includes/webapps_webconf.yml
@ -4,18 +4,18 @@
  notify: reload httpd

 - name: Deploy PHP config
-  template: src=php.conf.j2 dest={{ httpd_php_versions[php_version].conf_path }}/php-fpm.d/{{ app_id }}.conf
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ php_version }}/php-fpm.d/{{ app_id }}.conf
  when: php_fpm_pool is not defined or php_fpm_pool == ''
  notify: restart php-fpm

 - name: Remove PHP config from other versions
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/{{ app_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ php_version ]) }}"
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/{{ app_id }}.conf state=absent
+  with_items: "{{ httpd_php_versions | difference([ php_version ]) }}"
  notify: restart php-fpm

 - name: Remove PHP config (using a custom pool)
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/{{ app_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/{{ app_id }}.conf state=absent
+  with_items: "{{ httpd_php_versions }}"
  when: php_fpm_pool != ''
  notify: restart php-fpm

--- a/roles/lemonldap_ng/tasks/nginx.yml
+++ b/roles/lemonldap_ng/tasks/nginx.yml
@ -1,7 +1,45 @@
 ---

+- name: Create nginx conf dir
+  file: path=/etc/nginx/{{ item }} state=directory
+  loop:
+    - ansible_location.d
+    - ansible_conf.d
+    - ansible_modules.d
+  tags: web
+
+- name: Check if lua module is installed
+  stat: path=/usr/lib64/nginx/modules/ndk_http_module.so
+  register: llng_mod_lua
+  tags: web
+
+- name: Deploy module conf
+  copy: content={{ item.content }} dest=/etc/nginx/ansible_modules.d/{{ item.dest }}
+  loop:
+    - content: 'load_module "/usr/lib64/nginx/modules/ndk_http_module.so";'
+      dest: 09-ndk.conf
+    - content: 'load_module "/usr/lib64/nginx/modules/ngx_http_lua_module.so";'
+      dest: 11-lua.conf
+  when: llng_mod_lua.stat.exists
+  notify: reload nginx
+  tags: web
+
+- name: Remove module conf
+  file: path=/etc/nginx/ansible_modules.d/{{ item }} state=absent
+  loop:
+    - 09-ndk.conf
+    - 11-lua.conf
+  when: not llng_mod_lua.stat.exists
+  notify: reload nginx
+  tags: web
+
 - name: Deploy handler's nginx configuration
-  template: src=nginx_handler.conf.j2 dest=/etc/nginx/ansible_location.d/10-llng_handler.conf
+  template: src={{ item.src }} dest={{ item.dest }}
+  loop:
+    - src: nginx_handler.conf.j2
+      dest: /etc/nginx/ansible_location.d/10-llng_handler.conf
+    - src: llng_headers.inc.j2
+      dest: /etc/nginx/ansible_conf.d/llng_headers.inc
  when: llng_handler == True
  notify: reload nginx
  tags: web
--- a/roles/lemonldap_ng/templates/llng_headers.inc.j2
+++ b/roles/lemonldap_ng/templates/llng_headers.inc.j2
@ -0,0 +1,33 @@
+auth_request_set $headername1 $upstream_http_headername1;
+auth_request_set $headervalue1 $upstream_http_headervalue1;
+auth_request_set $headername2 $upstream_http_headername2;
+auth_request_set $headervalue2 $upstream_http_headervalue2;
+auth_request_set $headername3 $upstream_http_headername3;
+auth_request_set $headervalue3 $upstream_http_headervalue3;
+auth_request_set $headername4 $upstream_http_headername4;
+auth_request_set $headervalue4 $upstream_http_headervalue4;
+auth_request_set $headername5 $upstream_http_headername5;
+auth_request_set $headervalue5 $upstream_http_headervalue5;
+auth_request_set $headername6 $upstream_http_headername6;
+auth_request_set $headervalue6 $upstream_http_headervalue6;
+auth_request_set $headername7 $upstream_http_headername7;
+auth_request_set $headervalue7 $upstream_http_headervalue7;
+auth_request_set $headername8 $upstream_http_headername8;
+auth_request_set $headervalue8 $upstream_http_headervalue8;
+auth_request_set $headername9 $upstream_http_headername9;
+auth_request_set $headervalue9 $upstream_http_headervalue9;
+auth_request_set $headername10 $upstream_http_headername10;
+auth_request_set $headervalue10 $upstream_http_headervalue10;
+auth_request_set $lmcookie $upstream_http_cookie;
+access_by_lua '
+  i = 1
+  ngx.req.set_header("Cookie",ngx.var.lmcookie)
+  while true do
+    if ngx.var["headername"..i] ~= nil then
+      ngx.req.set_header(ngx.var["headername"..i],ngx.var["headervalue"..i])
+    else
+      break
+    end
+    i = i +1
+  end
+';
--- a/roles/mysql_server/tasks/main.yml
+++ b/roles/mysql_server/tasks/main.yml
@ -1,13 +1,15 @@
 ---

+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+  tags: mysql
+
 - name: Install MariaDB server and client
-  yum:
-    name:
-      - mariadb-server
-      - mariadb
-      - MySQL-python
-  notify:
-    - restart mariadb
+  package: name={{ mysql_server_packages }}
  tags: mysql

 - name: Deploy backup scripts
--- a/roles/mysql_server/vars/CentOS-7.yml
+++ b/roles/mysql_server/vars/CentOS-7.yml
@ -0,0 +1,6 @@
+---
+
+mysql_server_packages:
+  - mariadb-server
+  - mariadb
+  - MySQL-python
--- a/roles/mysql_server/vars/CentOS-8.yml
+++ b/roles/mysql_server/vars/CentOS-8.yml
@ -0,0 +1,6 @@
+---
+
+mysql_server_packages:
+  - mariadb-server
+  - mariadb
+  - python3-mysql
--- a/roles/mysql_server/vars/defaults.yml
+++ b/roles/mysql_server/vars/defaults.yml
@ -0,0 +1,6 @@
+---
+
+mysql_server_packages:
+  - mariadb-server
+  - mariadb
+  - MySQL-python
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -7,12 +7,13 @@ nginx_ssl_ports:
 nginx_src_ip:
 - 0.0.0.0/0

+# If true, will install openresty as an nginx replacement
+nginx_openresty: False
+
 nginx_modules:
-  - ndk_http_module.so
  - stream
  - http_image_filter
  - http_perl
-  - http_lua

 nginx_log_format: combined_virtual

--- a/roles/nginx/meta/main.yml
+++ b/roles/nginx/meta/main.yml
@ -1,5 +1,6 @@
 ---

 dependencies:
-  - role: repo_nginx
+  - role: repo_openresty
+    when: nginx_openresty
  - role: mkdir
--- a/roles/nginx/tasks/conf.yml
+++ b/roles/nginx/tasks/conf.yml
@ -12,7 +12,6 @@
    - ansible_conf.d/force_ssl.inc
    - ansible_conf.d/acme.inc
    - ansible_conf.d/custom.inc
-    - ansible_conf.d/llng_headers.inc
    - ansible_conf.d/cache.inc
    - ansible_conf.d/10-cache.conf
    - ansible_conf.d/10-perf.conf
@ -54,3 +53,7 @@
    - whitelist-domains.conf
    - whitelist-ips.conf
  tags: web
+
+- name: Configure log rotation
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nginx
+  tags: web
--- a/roles/nginx/tasks/facts.yml
+++ b/roles/nginx/tasks/facts.yml
@ -25,3 +25,8 @@
  stat: path=/etc/lemonldap-ng/lemonldap-ng.ini
  register: nginx_llng
  tags: web
+
+- name: Check if llng_header.inc conf is installed
+  stat: path=/etc/nginx/ansible_conf.d/llng_headers.inc
+  register: nginx_llng_headers
+  tags: web
--- a/roles/nginx/tasks/install.yml
+++ b/roles/nginx/tasks/install.yml
@ -1,7 +1,8 @@
 ---
- name: Install packages
-  yum:
-    name:
-      - nginx
-      - nginx-mod-http-lua
-  tags: web
+
+- include: install_openresty.yml
+  when: nginx_openresty
+
+- include: install_nginx.yml
+  when: not nginx_openresty
+
--- a/roles/nginx/tasks/install_nginx.yml
+++ b/roles/nginx/tasks/install_nginx.yml
@ -0,0 +1,15 @@
+---
+
+- name: Remove openresty
+  yum:
+    name:
+      - openresty
+    state: absent
+  tags: web
+
+- name: Install nginx
+  yum:
+    name:
+      - nginx
+  tags: web
+
--- a/roles/nginx/tasks/install_openresty.yml
+++ b/roles/nginx/tasks/install_openresty.yml
@ -0,0 +1,69 @@
+---
+
+- name: Check if nginx is installed
+  stat: path=/lib/systemd/system/nginx.service
+  register: nginx_nginx_service
+  tags: web
+
+- name: Stop nginx
+  service: name=nginx state=stopped
+  when: nginx_nginx_service.stat.exists
+  tags: web
+
+- name: Create the nginx user account
+  user:
+    name: nginx
+    system: True
+    shell: /sbin/nologin
+    home: /var/lib/nginx
+  tags: web
+
+- name: Prepare directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /var/lib/nginx/tmp
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /var/cache/nginx
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /var/log/nginx
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /usr/share/nginx
+    - dir: /etc/nginx
+    - dir: /usr/local/openresty/nginx
+  tags: web
+
+  # Create links so openresty uses nginx compatible paths
+- name: Prepare links
+  file: src={{ item.src }} dest={{ item.dest }} state=link
+  loop:
+    - src: /etc/nginx
+      dest: /usr/local/openresty/nginx/conf
+    - src: /var/log/nginx
+      dest: /usr/local/openresty/nginx/logs
+    - src: /usr/share/nginx
+      dest: /usr/local/openresty/nginx/html
+  tags: web
+
+- name: Remove nginx
+  yum:
+    name:
+      - nginx
+    state: absent
+  tags: web
+
+- name: Install packages
+  yum:
+    name:
+      - openresty
+  tags: web
+
+- name: Add a link to nginx in /sbin
+  file: src=/usr/local/openresty/nginx/sbin/nginx dest=/sbin/nginx state=link
+  tags: web
+
--- a/roles/nginx/tasks/service.yml
+++ b/roles/nginx/tasks/service.yml
@ -1,12 +1,22 @@
 ---
- name: Create unit snippet directory
-  file: path=/etc/systemd/system/nginx.service.d state=directory
-  tags: web

 - name: Customize systemd unit
  copy:
    content: |
+      [Unit]
+      Description=The nginx HTTP and reverse proxy server
+      After=syslog.target network-online.target remote-fs.target nss-lookup.target
+      Wants=network-online.target
+      
      [Service]
+      Type=forking
+      PIDFile=/run/nginx.pid
+      ExecStartPre={{ nginx_openresty | ternary('/usr/local/openresty/nginx/sbin/nginx','/sbin/nginx') }} -t
+      ExecStartPre=/bin/rm -f /run/nginx.pid
+      ExecStart={{ nginx_openresty | ternary('/usr/local/openresty/nginx/sbin/nginx','/sbin/nginx') }}
+      ExecReload=/bin/kill -s HUP $MAINPID
+      ExecStop=/bin/kill -s QUIT $MAINPID
+      PrivateTmp=true
      Restart=on-failure
      StartLimitInterval=0
      RestartSec=5
@ -14,11 +24,18 @@
      ProtectSystem=full
      ProtectHome=yes
      NoNewPrivileges=yes
-    dest: /etc/systemd/system/nginx.service.d/ansible.conf
+      
+      [Install]
+      WantedBy=multi-user.target
+    dest: /etc/systemd/system/nginx.service
  register: nginx_unit
  notify: restart nginx
  tags: web

+- name: Remove obsolete unit conf
+  file: path=/etc/systemd/system/nginx.service.d/ansible.conf state=absent
+  tags: web
+
 - name: Reload systemd
  systemd: daemon_reload=True
  when: nginx_unit.changed
--- a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
+++ b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
@ -144,7 +144,9 @@ server {
 {% if vhost.auth != 'llng_basic' %}
    error_page 401 $lmlocation;
 {% endif %}
+{% if nginx_llng_headers.stat.exists %}
    include /etc/nginx/ansible_conf.d/llng_headers.inc;
+{% endif %}
    fastcgi_param REMOTE_USER $lmremote_user;
 {% elif vhost.auth == 'basic' and vhost.htpasswd_file is defined %}
    auth_basic "Authentication required for {{ vhost.name }}";
--- a/roles/nginx/templates/logrotate.conf.j2
+++ b/roles/nginx/templates/logrotate.conf.j2
@ -0,0 +1,12 @@
+/var/log/nginx/*log {
+    create 0644 nginx nginx
+    daily
+    rotate 10
+    missingok
+    notifempty
+    compress
+    sharedscripts
+    postrotate
+        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
+    endscript
+}
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@ -4,13 +4,27 @@ error_log /var/log/nginx/error.log;
 error_log syslog:server=unix:/dev/log,nohostname;
 pid /run/nginx.pid;

+{% if nginx_openresty %}
+# Openresty uses builtin modules, not dynamic ones
+{% else %}
 include /etc/nginx/ansible_modules.d/*.conf;
+{% endif %}

 events {
  worker_connections 1024;
 }

 http {
+
+{% if nginx_openresty %}
+  # Set nginx compatible paths for openresty
+  client_body_temp_path /var/lib/nginx/tmp/client_body;
+  fastcgi_temp_path /var/lib/nginx/tmp/fastcgi;
+  proxy_temp_path /var/lib/nginx/tmp/proxy;
+  scgi_temp_path /var/lib/nginx/tmp/scgi;
+  uwsgi_temp_path /var/lib/nginx/tmp/uwsgi;
+{% endif %}
+
  log_format combined_virtual
               '$server_name $remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent "$http_referer" '
@ -83,13 +97,13 @@ http {
    location / {
    }

-    error_page 404 /404.html;
-      location = /40x.html {
-    }
-
-    error_page 500 502 503 504 /50x.html;
-      location = /50x.html {
-    }
+#    error_page 404 /404.html;
+#    location = /40x.html {
+#    }
+#
+#    error_page 500 502 503 504 /50x.html;
+#    location = /50x.html {
+#    }

    location ~ \.ht {
      deny all;
--- a/roles/repo_base/tasks/base_CentOS8.yml
+++ b/roles/repo_base/tasks/base_CentOS8.yml
@ -24,6 +24,7 @@
 - name: Remove Base file
  file: path=/etc/yum.repos.d/{{ item }}.repo state=absent
  loop:
-    - CentOS-Base # Replaced with CentOS-BaseOS
-    - CentOS-CR   # Replaced with CentOS-cr
+    - CentOS-Base   # Replaced with CentOS-BaseOS
+    - CentOS-CR     # Replaced with CentOS-cr
+    - CentOS-Extras # Replaced with CentOS-extras
  tags: repo
--- a/roles/repo_grafana/tasks/main.yml
+++ b/roles/repo_grafana/tasks/main.yml
@ -7,4 +7,5 @@
    gpgcheck: True
    repo_gpgcheck: True
    gpgkey: https://packages.grafana.com/gpg.key
+  tags: repo,grafana

--- a/roles/repo_mariadb/tasks/main.yml
+++ b/roles/repo_mariadb/tasks/main.yml
@ -1,11 +1,8 @@
 ---

- name: Configure MariaDB repository
-  yum_repository:
-    name: mariadb
-    description: MariaDB
-    baseurl: http://yum.mariadb.org/{{ mysql_mariadb_version }}/centos$releasever-amd64
-    gpgcheck: True
-    gpgkey: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
-    state: "{{ (mysql_mariadb_version != 'default') | ternary('present','absent') }}"
-  tags: repo,mysql
+  # Here we use a template instead of yum_repository because
+  # we might need to set module_hotfixes = true for el8. And yum_repository
+  # doesn't support this setting
+- name: Configure MariaDB repo
+  template: src=mariadb.repo.j2 dest=/etc/yum.repos.d/mariadb.repo
+  tags: mysql,repo
--- a/roles/repo_mariadb/templates/mariadb.repo.j2
+++ b/roles/repo_mariadb/templates/mariadb.repo.j2
@ -0,0 +1,12 @@
+{% if mysql_mariadb_version != 'default' %}
+[mariadb]
+baseurl = http://yum.mariadb.org/{{ mysql_mariadb_version }}/centos$releasever-amd64
+gpgcheck = 1
+gpgkey = https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
+name = MariaDB
+{% if ansible_os_family == 'RedHat' and ansible_distribution_major_version is version('8', '>=') %}
+# Workaround a bug in dnf which would make the default module mask
+# packages from the MariaDB repo. See https://jira.mariadb.org/browse/MDEV-20673
+module_hotfixes = true
+{% endif %}
+{% endif %}
--- a/roles/repo_nux_dextop/tasks/main.yml
+++ b/roles/repo_nux_dextop/tasks/main.yml
@ -4,7 +4,7 @@
  yum_repository:
    name: nux-dextop
    description: Nux.Ro RPMs for general desktop use
-    baseurl: http://li.nux.ro/download/nux/dextop/el7/$basearch/ http://mirror.li.nux.ro/li.nux.ro/nux/dextop/el7/$basearch/
+    baseurl: http://li.nux.ro/download/nux/dextop/el$releasever/$basearch/ http://mirror.li.nux.ro/li.nux.ro/nux/dextop/el$releasever/$basearch/
    gpgcheck: True
    gpgkey: http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
  tags: repo
--- a/roles/repo_openresty/tasks/main.yml
+++ b/roles/repo_openresty/tasks/main.yml
@ -0,0 +1,10 @@
+---
+
+- name: Configure openresty repository
+  yum_repository:
+    name: openresty
+    description: Official OpenResty Open Source Repository for CentOS
+    baseurl: https://openresty.org/package/centos/$releasever/$basearch
+    gpgcheck: True
+    gpgkey: https://openresty.org/package/pubkey.gpg
+  tags: repo,web
--- a/roles/repo_remi/tasks/main.yml
+++ b/roles/repo_remi/tasks/main.yml
@ -0,0 +1,23 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+  tags: repo
+
+- name: Remove remi-release
+  yum: name=remi-release state=absent
+  tags: repo
+
+- name: Configure Remi Safe repository
+  yum_repository:
+    name: remi
+    description: Remi's RPM repository for Enterprise Linux
+    baseurl: http://rpms.remirepo.net/enterprise/$releasever/remi/$basearch/
+    gpgcheck: True
+    gpgkey: "{{ repo_remi_gpg_url }}"
+  tags: repo
+
--- a/roles/sssd_ad_auth/tasks/main.yml
+++ b/roles/sssd_ad_auth/tasks/main.yml
@ -45,6 +45,7 @@
    stdin: "{{ ad_admin_pass }}"
  no_log: True
  when: not ad_keytab.stat.exists
+  register: ad_join
  tags: auth

 - name: Check if we're a DC
@ -75,6 +76,7 @@
    creates: /var/lib/sss/keytabs/{{ item.name | upper }}.keytab
  become_user: sssd
  with_items: "{{ ad_trusted_domains }}"
+  register: ad_trusted_join
  tags: auth

 - name: Start and enable services
@ -83,3 +85,11 @@
    - sssd
    - oddjobd
  tags: auth
+
+  # On el8 for example, sssd is already installed and running on a default setup
+  # so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
+  # We can't rely on the handler, because it would only run at the end of the playbook
+- name: Restart sssd if needed
+  service: name=sssd state=restarted
+  when: ad_join.changed or ad_trusted_join.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: auth
--- a/roles/zabbix_agent/tasks/install_RedHat.yml
+++ b/roles/zabbix_agent/tasks/install_RedHat.yml
@ -15,7 +15,6 @@
      - zabbix-agent
      - zabbix-agent-addons
      - openssl
-      - "{{ ansible_distribution_major_version is version('8', '<') | ternary('policycoreutils-python','python3-policycoreutils') }}"
    state: "{{ zabbix_agent_update | ternary('latest','present') }}"
  notify: restart zabbix-agent
  tags: zabbix
--- a/roles/zabbix_server/files/zabbix_server.te
+++ b/roles/zabbix_server/files/zabbix_server.te
@ -1,16 +1,20 @@
-module zabbix_server 1.0;
+module zabbix_server 1.2;

 require {
        type zabbix_var_run_t;
        type zabbix_t;
        type zabbix_var_lib_t;
-        class sock_file { create unlink };
+        type mysqld_db_t;
+        class sock_file { create unlink write };
        class unix_stream_socket connectto;
        class file { execute execute_no_trans };
+        class capability dac_override;
 }

 #============= zabbix_t ==============
 allow zabbix_t self:unix_stream_socket connectto;
+allow zabbix_t self:capability dac_override;
 allow zabbix_t zabbix_var_lib_t:file { execute execute_no_trans };
 allow zabbix_t zabbix_var_run_t:sock_file { create unlink };
+allow zabbix_t mysqld_db_t:sock_file write;

--- a/roles/zabbix_server/tasks/conf.yml
+++ b/roles/zabbix_server/tasks/conf.yml
@ -6,19 +6,19 @@
  tags: zabbix

 - name: Deploy PHP configuration
-  template: src=php.conf.j2 dest={{ httpd_php_versions[zabbix_server_php_version].conf_path }}/php-fpm.d/zabbix_server.conf
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ zabbix_server_php_version }}/php-fpm.d/zabbix_server.conf
  when: zabbix_server_php_fpm_pool is not defined
  notify: restart php-fpm
  tags: zabbix

 - name: Remove PHP configuration from other versions
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/zabbix_server.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ zabbix_server_php_version ]) }}"
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/zabbix_server.conf state=absent
+  with_items: "{{ httpd_php_versions | difference([ zabbix_server_php_version ]) }}"
  notify: restart php-fpm
  tags: zabbix

 - name: Remove PHP configuration (using a custom pool)
-  file: path={{ httpd_php_versions[zabbix_server_php_version].conf_path }}/php-fpm.d/zabbix_server.conf state=absent
+  file: path=/etc/opt/remi/php{{ zabbix_server_php_version }}/php-fpm.d/zabbix_server.conf state=absent
  when: zabbix_server_php_fpm_pool is defined
  notify: restart php-fpm
  tags: zabbix
@ -29,6 +29,8 @@
    - db_user: "{{ zabbix_server_db_user }}"
    - db_server: "{{ zabbix_server_db_server }}"
    - db_pass: "{{ zabbix_server_db_pass }}"
+    - db_encoding: utf8
+    - db_collation: utf8_bin
  tags: zabbix

 - name: Check if database is initialized
@ -50,7 +52,7 @@
  tags: zabbix
  block:
    - name: Uncompress Zabbix schema file
-      shell: gzip -dc /usr/share/doc/zabbix-server-mysql-{{ zabbix_server_version.stdout }}/create.sql.gz > /tmp/zabbix.sql
+      shell: gzip -dc /usr/share/doc/zabbix-server-mysql/create.sql.gz > /tmp/zabbix.sql

    - name: Load DB schema
      mysql_db:
--- a/roles/zabbix_server/tasks/install.yml
+++ b/roles/zabbix_server/tasks/install.yml
@ -8,9 +8,7 @@
      - zabbix-java-gateway
      - zabbix-get
      - mariadb
-      - sendxmpp
      - fping
-      - MySQL-python
      - patrix
      - perl-JSON
      - perl-IO-Socket-SSL