Update to 2020-11-09 10:00

roles/bitwarden_rs/tasks/install.yml

@@ -19,10 +19,20 @@
   yum:
     name:
       - MariaDB-devel
-      - /usr/lib64/libmariadb.so
   when: bitwarden_db_engine == 'mysql'
   tags: bitwarden
 
+  # With upstream MariaDB repo, /usr/lib64/libmariadb.so is in MariaDB-shared not in MariaDB-devel
+- name: Install MariaDB shared libs
+  yum:
+    name:
+      - MariaDB-shared
+  when:
+    - bitwarden_db_engine == 'mysql'
+    - mysql_mariadb_version is defined
+    - mysql_mariadb_version != 'default'
+  tags: bitwarden
+
 - when: bitwarden_install_mode != 'none'
   tags: bitwarden
   block:

roles/composer/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - role: httpd_common

roles/composer/tasks/install.yml

@@ -0,0 +1,25 @@
+---
+
+- name: download composer
+  get_url:
+    url: https://getcomposer.org/installer
+    dest: /tmp/installer
+  tags: composer
+
+- name: install composer
+  shell: cat /tmp/installer | php74 -- --install-dir=/usr/local/bin
+  args:
+    creates: /usr/local/bin/composer
+  tags: composer
+
+- name: rename composer.phar to composer
+  shell: mv /usr/local/bin/composer.phar /usr/local/bin/composer
+  args:
+    creates: /usr/local/bin/composer
+  tags: composer
+
+- name: make composer executable
+  file: 
+    path: /usr/local/bin/composer
+    mode: 755
+  tags: composer

roles/composer/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+
+- include: install.yml

roles/dokuwiki/tasks/main.yml

@@ -338,19 +338,19 @@
   tags: dokuwiki
 
 - name: Deploy php configuration
-  template: src=php.conf.j2 dest={{ httpd_php_versions[dokuwiki_php_version].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ dokuwiki_php_version }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf
   notify: restart php-fpm
   tags: dokuwiki
 
 - name: Remove PHP config from other versions
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ dokuwiki_php_version ]) }}"
+  with_items: "{{ httpd_php_versions | difference([ dokuwiki_php_version ]) }}"
   notify: restart php-fpm
   tags: dokuwiki
 
 - name: Remove PHP config (using a custom pool)
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
+  file: path=/etc/opt/remi/php{{ dokuwiki_php_version }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  with_items: "{{ httpd_php_versions }}"
   when: dokuwiki_php_fpm_pool is defined
   notify: restart php-fpm
   tags: dokuwiki

roles/dokuwiki/templates/local.protected.php.j2

@@ -21,8 +21,10 @@ $conf['plugin']['{{ dokuwiki_auth }}']['bindpw'] = '{{ dokuwiki_ldap_bind_pass }
 {% elif dokuwiki_auth == 'authad' %}
 $conf['plugin']['authad']['base_dn'] = '{{ dokuwiki_ad_user_base }}';
 $conf['plugin']['authad']['domain_controllers'] = '{{ dokuwiki_ad_dc | join(', ') }}';
+{% if dokuwiki_ad_bind_user is defined and dokuwiki_ad_bind_pass is defined %}
 $conf['plugin']['authad']['admin_username'] = '{{ dokuwiki_ad_bind_user }}';
 $conf['plugin']['authad']['admin_password'] = '{{ dokuwiki_ad_bind_pass }}';
+{% endif %}
 {% if dokuwiki_ad_domain is defined %}
 $conf['plugin']['authad']['account_suffix'] = '@{{ dokuwiki_ad_domain }}';
 {% endif %}

roles/framadate/meta/main.yml

@@ -1,3 +1,5 @@
 ---
 allow_duplicates: true
+dependencies:
+  - role: composer
 ...

roles/framadate/tasks/main.yml

@@ -8,9 +8,7 @@
   yum:
     name:
       - unzip
-      - MySQL-python
       - acl
-      - composer
       - tar
   tags: framadate
 
@@ -114,9 +112,9 @@
   tags: framadate
 
 - name: Install libs using composer
-  composer: command=install working_dir={{ framadate_root_dir }}/web
+  composer: command=install working_dir={{ framadate_root_dir }}/web executable=/bin/php{{ framadate_php_version }}
   environment:
-    php: /bin/php{{ framadate_php_version == '54' | ternary('',framadate_php_version) }}
+    php: /bin/php{{ framadate_php_version }}
   tags: framadate
 
 - name: Download custom logo
@@ -202,18 +200,18 @@
   tags: framadate
 
 - name: Deploy PHP configuration
-  template: src=php.conf.j2 dest={{ httpd_php_versions[framadate_php_version].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ framadate_php_version }}/php-fpm.d/framadate_{{ framadate_id }}.conf
   notify: restart php-fpm
   tags: framadate
 
 - name: Remove PHP configuration from other versions
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ framadate_php_version ]) }}"
+  with_items: "{{ httpd_php_versions | difference([ framadate_php_version ]) }}"
   notify: restart php-fpm
   tags: framadate
 
 - name: Remove PHP configuration (using a custom pool)
-  file: path={{ httpd_php_versions[framadate_php_version].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
+  file: path=/etc/opt/remi/php{{ framadate_php_version }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
   when: framadate_php_fpm_pool is defined
   notify: restart php-fpm
   tags: framadate

roles/httpd_common/tasks/main.yml

@@ -1,14 +1,16 @@
 ---
 
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+  tags: web
+
 - name: Install packages
-  yum:
+  yum: name={{ httpd_common_packages }}
-    name:
+  tags: web
-      - httpd
-      - mod_fcgid
-      - policycoreutils-python
-      - python-passlib
-      - mod_authnz_pam
-  tags: [package,web]
 
 - name: List httpd ports
   set_fact: httpd_ports={{ httpd_ports + (httpd_ansible_vhosts | selectattr('port','defined') | map(attribute='port') | list) | unique }}

roles/httpd_common/vars/CentOS-7.yml

@@ -0,0 +1,8 @@
+---
+
+httpd_common_packages:
+  - httpd
+  - mod_fcgid
+  - policycoreutils-python
+  - python-passlib
+  - mod_authnz_pam

roles/httpd_common/vars/CentOS-8.yml

@@ -0,0 +1,8 @@
+---
+
+httpd_common_packages:
+  - httpd
+  - mod_fcgid
+  - python3-policycoreutils
+  - python3-passlib
+  - mod_authnz_pam

roles/httpd_common/vars/defaults.yml

@@ -0,0 +1,4 @@
+---
+
+httpd_common_packages:
+  - httpd

roles/httpd_php/defaults/main.yml

@@ -24,23 +24,13 @@ httpd_php_common_modules:
   - pecl-apcu
   - pecl-imagick
 
-httpd_php_extra_modules: []
-
 httpd_php_versions:
-  54:
+  - 56
-    conf_path: /etc/
+  - 70
-  56:
+  - 71
-    conf_path: /opt/remi/php56/root/etc/
+  - 72
-  70:
+  - 73
-    conf_path: /etc/opt/remi/php70/
+  - 74
-  71:
-    conf_path: /etc/opt/remi/php71/
-  72:
-    conf_path: /etc/opt/remi/php72/
-  73:
-    conf_path: /etc/opt/remi/php73/
-  74:
-    conf_path: /etc/opt/remi/php74/
 
 httpd_php_default_version: 73
 

roles/httpd_php/handlers/main.yml

@@ -4,23 +4,15 @@
 
 # We need to stop all the pools and then start them again
 # because if we move one pool config from one version to another
-# the sock might not be removed at the correct time, depending on the
+# the socket might not be removed at the correct time, depending on the
 # order of execution
 - name: restart php-fpm
-  service: name=php-fpm state=stopped enabled=yes
+  service: name=php{{ item }}-php-fpm state=stopped enabled=True
-  notify: stop php-fpm-scl
+  with_items: "{{ httpd_php_versions }}"
-
-- name: stop php-fpm-scl
-  service: name=php{{ item }}-php-fpm state=stopped enabled=yes
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
   notify: start php-fpm
 
 - name: start php-fpm
-  service: name=php-fpm state=started enabled=yes
+  service: name=php{{ item }}-php-fpm state=started enabled=True
-  notify: start php-fpm-scl
+  with_items: "{{ httpd_php_versions }}"
-
-- name: start php-fpm-scl
-  service: name=php{{ item }}-php-fpm state=started enabled=yes
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
 
 ...

roles/httpd_php/meta/main.yml

@@ -1,5 +1,5 @@
 ---
 dependencies:
   - role: httpd_common
-  - role: repo_remi_safe
+  - role: repo_remi
 ...

roles/httpd_php/tasks/main.yml

@@ -1,31 +1,19 @@
 ---
 
-- name: Build the list of packages for core PHP
+- name: Build the list of packages
   set_fact:
-    php_pkg: "{{ php_pkg|default([]) }} + [ 'php-{{ item }}' ]"
+     httpd_php_packages: "{{ httpd_php_packages | default([]) }} + [ 'php{{ item.0 }}-php-{{ item.1 }}' ]"
-  with_items:
-    - "{{ httpd_php_common_modules }}"
-  tags: [package,web]
-
-- name: Build the list of packages for scl PHP
-  set_fact:
-     php_pkg: "{{ php_pkg|default([]) }} + [ 'php{{ item.0 }}-php-{{ item.1 }}' ]"
   with_nested:
-    - "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
+    - "{{ httpd_php_versions }}"
     - "{{ httpd_php_common_modules }}"
-  tags: [package,web]
+  tags: web
 
-- name: Install PHP main modules
+- name: Install PHP packages
-  yum: name={{ php_pkg }}
+  yum: name={{ httpd_php_packages }}
   notify:
     - systemd-tmpfiles
     - restart php-fpm
-  tags: [package,web]
+  tags: web
-
-- name: Install PHP extra modules
-  yum: name={{ httpd_php_extra_modules }} state=present
-  notify: restart php-fpm
-  tags: [package,web]
 
 - name: Create tmpfiles.d fragment
   copy: src=tmpfiles.conf dest=/etc/tmpfiles.d/php-fpm-scl.conf
@@ -33,65 +21,61 @@
   tags: web
 
 - name: Disable default FPM pools
-  template: src=default_fpm_pool.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/www.conf
+  template: src=default_fpm_pool.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/www.conf
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  loop: "{{ httpd_php_versions }}"
   notify: restart php-fpm
-  tags: [conf,web]
+  tags: web
 
 - name: Deploy main php.ini configuration
-  template: src=php.ini.j2 dest={{ httpd_php_versions[item].conf_path }}/php.ini
+  template: src=php.ini.j2 dest=/etc/opt/remi/php{{ item }}/php.ini
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  loop: "{{ httpd_php_versions }}"
   notify: restart php-fpm
-  tags: [conf,web]
+  tags: web
 
 - name: Deploy PHP FPM master's configuration
-  template: src=php-fpm.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.conf
+  template: src=php-fpm.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.conf
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  loop: "{{ httpd_php_versions }}"
   notify: restart php-fpm
-  tags: [conf,web]
+  tags: web
 
 - name: Deploy default PHP FPM pools configurations
-  template: src=php_fpm_pool.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/php{{ item }}.conf
+  template: src=php_fpm_pool.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/php{{ item }}.conf
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  loop: "{{ httpd_php_versions }}"
   notify: restart php-fpm
-  tags: [conf,web]
+  tags: web
 
 - name: Create user accounts for ansible PHP FPM pools
-  user: name={{ item }} comment="PHP FPM {{ item }}" system=yes shell=/sbin/nologin
+  user: name={{ item }} comment="PHP FPM {{ item }}" system=True shell=/sbin/nologin
-  with_items: "{{ httpd_php_ansible_pools | default([]) | selectattr('user', 'defined') | map(attribute='user') | list }}"
+  loop: "{{ httpd_php_ansible_pools | default([]) | selectattr('user', 'defined') | map(attribute='user') | list }}"
-  tags: [conf,web]
+  tags: web
 
 - name: Deploy ansible PHP FPM pools configurations
-  template: src=php_fpm_ansible_pools.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/ansible_pools.conf
+  template: src=php_fpm_ansible_pools.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/ansible_pools.conf
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  loop: "{{ httpd_php_versions }}"
   notify: restart php-fpm
-  tags: [conf,web]
+  tags: web
 
 - name: Create log directories
   file: path=/var/log/php/php{{ item }} state=directory mode=770 owner=root group={{ httpd_user }}
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  loop: "{{ httpd_php_versions }}"
   notify: restart php-fpm
-  tags: [conf,web]
-
-- name: Start and enable core PHP FPM service
-  service: name=php-fpm state=started enabled=yes
   tags: web
 
 - name: Start and enable SCL PHP FPM services
   service: name=php{{ item }}-php-fpm state=started enabled=yes
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
+  loop: "{{ httpd_php_versions }}"
   tags: web
 
 - name: Deploy httpd configuration fragments
   template: src={{ item.src }} dest={{ item.dest }}
-  with_items:
+  loop:
     - { src: httpd_php.conf.j2, dest: /etc/httpd/ansible_conf.d/php.conf }
   notify: reload httpd
-  tags: [conf,web]
+  tags: web
 
 - name: Allow network connections in SELinux
   seboolean: name={{ item }} state=yes persistent=yes
-  with_items:
+  loop:
     - httpd_can_network_connect_db
     - httpd_can_network_memcache
     - httpd_can_network_connect

roles/httpd_php/templates/php-fpm.conf.j2

@@ -1,5 +1,5 @@
 
-include = {{ httpd_php_versions[item].conf_path }}/php-fpm.d/*.conf
+include = /etc/opt/remi/php{{ item }}/php-fpm.d/*.conf
 
 [global]
 pid = /run/php-fpm/php{{ item }}-fpm.pid

roles/includes/vars/CentOS-7.yml

@@ -0,0 +1,5 @@
+---
+
+webapps_mysql_packages:
+  - MySQL-python
+  - mariadb

roles/includes/vars/CentOS-8.yml

@@ -0,0 +1,6 @@
+---
+
+webapps_mysql_packages:
+  - python3-mysql
+  - mariadb
+

roles/includes/vars/Debian.yml

@@ -0,0 +1,5 @@
+---
+
+webapps_mysql_packages:
+  - python-mysqldb
+  - mariadb-client

roles/includes/webapps_create_mysql_db.yml

@@ -1,18 +1,14 @@
 ---
 
-- name: Install MySQL-python
+- include_vars: "{{ item }}"
-  yum:
+  with_first_found:
-    name:
+    - ../includes/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
-      - MySQL-python
+    - ../includes/vars/{{ ansible_distribution }}.yml
-      - mariadb
+    - ../includes/vars/{{ ansible_os_family }}.yml
-  when: ansible_os_family == 'RedHat'
+    - ../includes/vars/defaults.yml
 
-- name: Install MySQL-python
+- name: Install MySQL tools
-  apt:
+  package: name={{ webapps_mysql_packages }}
-    name:
-      - python-mysqldb
-      - mariadb-client
-  when: ansible_os_family == 'Debian'
 
 - name: Create MySQL database
   mysql_db:
@@ -21,8 +17,8 @@
     login_user: sqladmin
     login_password: "{{ mysql_admin_pass }}"
     state: present
-    encoding: utf8mb4
+    encoding: "{{ db_encoding | default('utf8mb4') }}"
-    collation: utf8mb4_general_ci
+    collation: "{{ db_collation | default('utf8mb4_general_ci') }}"
   register: db_created
 
 - name: Create MySQL User

roles/includes/webapps_webconf.yml

@@ -4,18 +4,18 @@
   notify: reload httpd
 
 - name: Deploy PHP config
-  template: src=php.conf.j2 dest={{ httpd_php_versions[php_version].conf_path }}/php-fpm.d/{{ app_id }}.conf
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ php_version }}/php-fpm.d/{{ app_id }}.conf
   when: php_fpm_pool is not defined or php_fpm_pool == ''
   notify: restart php-fpm
 
 - name: Remove PHP config from other versions
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/{{ app_id }}.conf state=absent
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/{{ app_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ php_version ]) }}"
+  with_items: "{{ httpd_php_versions | difference([ php_version ]) }}"
   notify: restart php-fpm
 
 - name: Remove PHP config (using a custom pool)
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/{{ app_id }}.conf state=absent
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/{{ app_id }}.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list }}"
+  with_items: "{{ httpd_php_versions }}"
   when: php_fpm_pool != ''
   notify: restart php-fpm
 

roles/lemonldap_ng/tasks/nginx.yml

@@ -1,7 +1,45 @@
 ---
 
+- name: Create nginx conf dir
+  file: path=/etc/nginx/{{ item }} state=directory
+  loop:
+    - ansible_location.d
+    - ansible_conf.d
+    - ansible_modules.d
+  tags: web
+
+- name: Check if lua module is installed
+  stat: path=/usr/lib64/nginx/modules/ndk_http_module.so
+  register: llng_mod_lua
+  tags: web
+
+- name: Deploy module conf
+  copy: content={{ item.content }} dest=/etc/nginx/ansible_modules.d/{{ item.dest }}
+  loop:
+    - content: 'load_module "/usr/lib64/nginx/modules/ndk_http_module.so";'
+      dest: 09-ndk.conf
+    - content: 'load_module "/usr/lib64/nginx/modules/ngx_http_lua_module.so";'
+      dest: 11-lua.conf
+  when: llng_mod_lua.stat.exists
+  notify: reload nginx
+  tags: web
+
+- name: Remove module conf
+  file: path=/etc/nginx/ansible_modules.d/{{ item }} state=absent
+  loop:
+    - 09-ndk.conf
+    - 11-lua.conf
+  when: not llng_mod_lua.stat.exists
+  notify: reload nginx
+  tags: web
+
 - name: Deploy handler's nginx configuration
-  template: src=nginx_handler.conf.j2 dest=/etc/nginx/ansible_location.d/10-llng_handler.conf
+  template: src={{ item.src }} dest={{ item.dest }}
+  loop:
+    - src: nginx_handler.conf.j2
+      dest: /etc/nginx/ansible_location.d/10-llng_handler.conf
+    - src: llng_headers.inc.j2
+      dest: /etc/nginx/ansible_conf.d/llng_headers.inc
   when: llng_handler == True
   notify: reload nginx
   tags: web

roles/lemonldap_ng/templates/llng_headers.inc.j2

@@ -0,0 +1,33 @@
+auth_request_set $headername1 $upstream_http_headername1;
+auth_request_set $headervalue1 $upstream_http_headervalue1;
+auth_request_set $headername2 $upstream_http_headername2;
+auth_request_set $headervalue2 $upstream_http_headervalue2;
+auth_request_set $headername3 $upstream_http_headername3;
+auth_request_set $headervalue3 $upstream_http_headervalue3;
+auth_request_set $headername4 $upstream_http_headername4;
+auth_request_set $headervalue4 $upstream_http_headervalue4;
+auth_request_set $headername5 $upstream_http_headername5;
+auth_request_set $headervalue5 $upstream_http_headervalue5;
+auth_request_set $headername6 $upstream_http_headername6;
+auth_request_set $headervalue6 $upstream_http_headervalue6;
+auth_request_set $headername7 $upstream_http_headername7;
+auth_request_set $headervalue7 $upstream_http_headervalue7;
+auth_request_set $headername8 $upstream_http_headername8;
+auth_request_set $headervalue8 $upstream_http_headervalue8;
+auth_request_set $headername9 $upstream_http_headername9;
+auth_request_set $headervalue9 $upstream_http_headervalue9;
+auth_request_set $headername10 $upstream_http_headername10;
+auth_request_set $headervalue10 $upstream_http_headervalue10;
+auth_request_set $lmcookie $upstream_http_cookie;
+access_by_lua '
+  i = 1
+  ngx.req.set_header("Cookie",ngx.var.lmcookie)
+  while true do
+    if ngx.var["headername"..i] ~= nil then
+      ngx.req.set_header(ngx.var["headername"..i],ngx.var["headervalue"..i])
+    else
+      break
+    end
+    i = i +1
+  end
+';

roles/mysql_server/tasks/main.yml

@@ -1,13 +1,15 @@
 ---
 
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+  tags: mysql
+
 - name: Install MariaDB server and client
-  yum:
+  package: name={{ mysql_server_packages }}
-    name:
-      - mariadb-server
-      - mariadb
-      - MySQL-python
-  notify:
-    - restart mariadb
   tags: mysql
 
 - name: Deploy backup scripts

roles/mysql_server/vars/CentOS-7.yml

@@ -0,0 +1,6 @@
+---
+
+mysql_server_packages:
+  - mariadb-server
+  - mariadb
+  - MySQL-python

roles/mysql_server/vars/CentOS-8.yml

@@ -0,0 +1,6 @@
+---
+
+mysql_server_packages:
+  - mariadb-server
+  - mariadb
+  - python3-mysql

roles/mysql_server/vars/defaults.yml

@@ -0,0 +1,6 @@
+---
+
+mysql_server_packages:
+  - mariadb-server
+  - mariadb
+  - MySQL-python

roles/nginx/defaults/main.yml

@@ -7,12 +7,13 @@ nginx_ssl_ports:
 nginx_src_ip:
  - 0.0.0.0/0
 
+# If true, will install openresty as an nginx replacement
+nginx_openresty: False
+
 nginx_modules:
-  - ndk_http_module.so
   - stream
   - http_image_filter
   - http_perl
-  - http_lua
 
 nginx_log_format: combined_virtual
 

roles/nginx/meta/main.yml

@@ -1,5 +1,6 @@
 ---
 
 dependencies:
-  - role: repo_nginx
+  - role: repo_openresty
+    when: nginx_openresty
   - role: mkdir

roles/nginx/tasks/conf.yml

@@ -12,7 +12,6 @@
     - ansible_conf.d/force_ssl.inc
     - ansible_conf.d/acme.inc
     - ansible_conf.d/custom.inc
-    - ansible_conf.d/llng_headers.inc
     - ansible_conf.d/cache.inc
     - ansible_conf.d/10-cache.conf
     - ansible_conf.d/10-perf.conf
@@ -54,3 +53,7 @@
     - whitelist-domains.conf
     - whitelist-ips.conf
   tags: web
+
+- name: Configure log rotation
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nginx
+  tags: web

roles/nginx/tasks/facts.yml

@@ -25,3 +25,8 @@
   stat: path=/etc/lemonldap-ng/lemonldap-ng.ini
   register: nginx_llng
   tags: web
+
+- name: Check if llng_header.inc conf is installed
+  stat: path=/etc/nginx/ansible_conf.d/llng_headers.inc
+  register: nginx_llng_headers
+  tags: web

roles/nginx/tasks/install.yml

@@ -1,7 +1,8 @@
 ---
-- name: Install packages
+
-  yum:
+- include: install_openresty.yml
-    name:
+  when: nginx_openresty
-      - nginx
+
-      - nginx-mod-http-lua
+- include: install_nginx.yml
-  tags: web
+  when: not nginx_openresty
+

roles/nginx/tasks/install_nginx.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Remove openresty
+  yum:
+    name:
+      - openresty
+    state: absent
+  tags: web
+
+- name: Install nginx
+  yum:
+    name:
+      - nginx
+  tags: web
+

roles/nginx/tasks/install_openresty.yml

@@ -0,0 +1,69 @@
+---
+
+- name: Check if nginx is installed
+  stat: path=/lib/systemd/system/nginx.service
+  register: nginx_nginx_service
+  tags: web
+
+- name: Stop nginx
+  service: name=nginx state=stopped
+  when: nginx_nginx_service.stat.exists
+  tags: web
+
+- name: Create the nginx user account
+  user:
+    name: nginx
+    system: True
+    shell: /sbin/nologin
+    home: /var/lib/nginx
+  tags: web
+
+- name: Prepare directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /var/lib/nginx/tmp
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /var/cache/nginx
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /var/log/nginx
+      owner: nginx
+      group: nginx
+      mode: '700'
+    - dir: /usr/share/nginx
+    - dir: /etc/nginx
+    - dir: /usr/local/openresty/nginx
+  tags: web
+
+  # Create links so openresty uses nginx compatible paths
+- name: Prepare links
+  file: src={{ item.src }} dest={{ item.dest }} state=link
+  loop:
+    - src: /etc/nginx
+      dest: /usr/local/openresty/nginx/conf
+    - src: /var/log/nginx
+      dest: /usr/local/openresty/nginx/logs
+    - src: /usr/share/nginx
+      dest: /usr/local/openresty/nginx/html
+  tags: web
+
+- name: Remove nginx
+  yum:
+    name:
+      - nginx
+    state: absent
+  tags: web
+
+- name: Install packages
+  yum:
+    name:
+      - openresty
+  tags: web
+
+- name: Add a link to nginx in /sbin
+  file: src=/usr/local/openresty/nginx/sbin/nginx dest=/sbin/nginx state=link
+  tags: web
+

roles/nginx/tasks/service.yml

@@ -1,12 +1,22 @@
 ---
-- name: Create unit snippet directory
-  file: path=/etc/systemd/system/nginx.service.d state=directory
-  tags: web
 
 - name: Customize systemd unit
   copy:
     content: |
+      [Unit]
+      Description=The nginx HTTP and reverse proxy server
+      After=syslog.target network-online.target remote-fs.target nss-lookup.target
+      Wants=network-online.target
+      
       [Service]
+      Type=forking
+      PIDFile=/run/nginx.pid
+      ExecStartPre={{ nginx_openresty | ternary('/usr/local/openresty/nginx/sbin/nginx','/sbin/nginx') }} -t
+      ExecStartPre=/bin/rm -f /run/nginx.pid
+      ExecStart={{ nginx_openresty | ternary('/usr/local/openresty/nginx/sbin/nginx','/sbin/nginx') }}
+      ExecReload=/bin/kill -s HUP $MAINPID
+      ExecStop=/bin/kill -s QUIT $MAINPID
+      PrivateTmp=true
       Restart=on-failure
       StartLimitInterval=0
       RestartSec=5
@@ -14,11 +24,18 @@
       ProtectSystem=full
       ProtectHome=yes
       NoNewPrivileges=yes
-    dest: /etc/systemd/system/nginx.service.d/ansible.conf
+      
+      [Install]
+      WantedBy=multi-user.target
+    dest: /etc/systemd/system/nginx.service
   register: nginx_unit
   notify: restart nginx
   tags: web
 
+- name: Remove obsolete unit conf
+  file: path=/etc/systemd/system/nginx.service.d/ansible.conf state=absent
+  tags: web
+
 - name: Reload systemd
   systemd: daemon_reload=True
   when: nginx_unit.changed

roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2

@@ -144,7 +144,9 @@ server {
 {% if vhost.auth != 'llng_basic' %}
     error_page 401 $lmlocation;
 {% endif %}
+{% if nginx_llng_headers.stat.exists %}
     include /etc/nginx/ansible_conf.d/llng_headers.inc;
+{% endif %}
     fastcgi_param REMOTE_USER $lmremote_user;
 {% elif vhost.auth == 'basic' and vhost.htpasswd_file is defined %}
     auth_basic "Authentication required for {{ vhost.name }}";

roles/nginx/templates/logrotate.conf.j2

@@ -0,0 +1,12 @@
+/var/log/nginx/*log {
+    create 0644 nginx nginx
+    daily
+    rotate 10
+    missingok
+    notifempty
+    compress
+    sharedscripts
+    postrotate
+        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
+    endscript
+}

roles/nginx/templates/nginx.conf.j2

@@ -4,13 +4,27 @@ error_log /var/log/nginx/error.log;
 error_log syslog:server=unix:/dev/log,nohostname;
 pid /run/nginx.pid;
 
+{% if nginx_openresty %}
+# Openresty uses builtin modules, not dynamic ones
+{% else %}
 include /etc/nginx/ansible_modules.d/*.conf;
+{% endif %}
 
 events {
   worker_connections 1024;
 }
 
 http {
+
+{% if nginx_openresty %}
+  # Set nginx compatible paths for openresty
+  client_body_temp_path /var/lib/nginx/tmp/client_body;
+  fastcgi_temp_path /var/lib/nginx/tmp/fastcgi;
+  proxy_temp_path /var/lib/nginx/tmp/proxy;
+  scgi_temp_path /var/lib/nginx/tmp/scgi;
+  uwsgi_temp_path /var/lib/nginx/tmp/uwsgi;
+{% endif %}
+
   log_format combined_virtual
                '$server_name $remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
@@ -83,13 +97,13 @@ http {
     location / {
     }
 
-    error_page 404 /404.html;
+#    error_page 404 /404.html;
-      location = /40x.html {
+#    location = /40x.html {
-    }
+#    }
-
+#
-    error_page 500 502 503 504 /50x.html;
+#    error_page 500 502 503 504 /50x.html;
-      location = /50x.html {
+#    location = /50x.html {
-    }
+#    }
 
     location ~ \.ht {
       deny all;

roles/repo_base/tasks/base_CentOS8.yml

@@ -26,4 +26,5 @@
   loop:
     - CentOS-Base   # Replaced with CentOS-BaseOS
     - CentOS-CR     # Replaced with CentOS-cr
+    - CentOS-Extras # Replaced with CentOS-extras
   tags: repo

roles/repo_grafana/tasks/main.yml

@@ -7,4 +7,5 @@
     gpgcheck: True
     repo_gpgcheck: True
     gpgkey: https://packages.grafana.com/gpg.key
+  tags: repo,grafana
 

roles/repo_mariadb/tasks/main.yml

@@ -1,11 +1,8 @@
 ---
 
-- name: Configure MariaDB repository
+  # Here we use a template instead of yum_repository because
-  yum_repository:
+  # we might need to set module_hotfixes = true for el8. And yum_repository
-    name: mariadb
+  # doesn't support this setting
-    description: MariaDB
+- name: Configure MariaDB repo
-    baseurl: http://yum.mariadb.org/{{ mysql_mariadb_version }}/centos$releasever-amd64
+  template: src=mariadb.repo.j2 dest=/etc/yum.repos.d/mariadb.repo
-    gpgcheck: True
+  tags: mysql,repo
-    gpgkey: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
-    state: "{{ (mysql_mariadb_version != 'default') | ternary('present','absent') }}"
-  tags: repo,mysql

roles/repo_mariadb/templates/mariadb.repo.j2

@@ -0,0 +1,12 @@
+{% if mysql_mariadb_version != 'default' %}
+[mariadb]
+baseurl = http://yum.mariadb.org/{{ mysql_mariadb_version }}/centos$releasever-amd64
+gpgcheck = 1
+gpgkey = https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
+name = MariaDB
+{% if ansible_os_family == 'RedHat' and ansible_distribution_major_version is version('8', '>=') %}
+# Workaround a bug in dnf which would make the default module mask
+# packages from the MariaDB repo. See https://jira.mariadb.org/browse/MDEV-20673
+module_hotfixes = true
+{% endif %}
+{% endif %}

roles/repo_nux_dextop/tasks/main.yml

@@ -4,7 +4,7 @@
   yum_repository:
     name: nux-dextop
     description: Nux.Ro RPMs for general desktop use
-    baseurl: http://li.nux.ro/download/nux/dextop/el7/$basearch/ http://mirror.li.nux.ro/li.nux.ro/nux/dextop/el7/$basearch/
+    baseurl: http://li.nux.ro/download/nux/dextop/el$releasever/$basearch/ http://mirror.li.nux.ro/li.nux.ro/nux/dextop/el$releasever/$basearch/
     gpgcheck: True
     gpgkey: http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
   tags: repo

roles/repo_openresty/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Configure openresty repository
+  yum_repository:
+    name: openresty
+    description: Official OpenResty Open Source Repository for CentOS
+    baseurl: https://openresty.org/package/centos/$releasever/$basearch
+    gpgcheck: True
+    gpgkey: https://openresty.org/package/pubkey.gpg
+  tags: repo,web

roles/repo_remi/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+- include_vars: "{{ item }}"
+  with_first_found:
+    - vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
+    - vars/{{ ansible_distribution }}.yml
+    - vars/{{ ansible_os_family }}.yml
+    - vars/defaults.yml
+  tags: repo
+
+- name: Remove remi-release
+  yum: name=remi-release state=absent
+  tags: repo
+
+- name: Configure Remi Safe repository
+  yum_repository:
+    name: remi
+    description: Remi's RPM repository for Enterprise Linux
+    baseurl: http://rpms.remirepo.net/enterprise/$releasever/remi/$basearch/
+    gpgcheck: True
+    gpgkey: "{{ repo_remi_gpg_url }}"
+  tags: repo
+

roles/sssd_ad_auth/tasks/main.yml

@@ -45,6 +45,7 @@
     stdin: "{{ ad_admin_pass }}"
   no_log: True
   when: not ad_keytab.stat.exists
+  register: ad_join
   tags: auth
 
 - name: Check if we're a DC
@@ -75,6 +76,7 @@
     creates: /var/lib/sss/keytabs/{{ item.name | upper }}.keytab
   become_user: sssd
   with_items: "{{ ad_trusted_domains }}"
+  register: ad_trusted_join
   tags: auth
 
 - name: Start and enable services
@@ -83,3 +85,11 @@
     - sssd
     - oddjobd
   tags: auth
+
+  # On el8 for example, sssd is already installed and running on a default setup
+  # so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
+  # We can't rely on the handler, because it would only run at the end of the playbook
+- name: Restart sssd if needed
+  service: name=sssd state=restarted
+  when: ad_join.changed or ad_trusted_join.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: auth

roles/zabbix_agent/tasks/install_RedHat.yml

@@ -15,7 +15,6 @@
       - zabbix-agent
       - zabbix-agent-addons
       - openssl
-      - "{{ ansible_distribution_major_version is version('8', '<') | ternary('policycoreutils-python','python3-policycoreutils') }}"
     state: "{{ zabbix_agent_update | ternary('latest','present') }}"
   notify: restart zabbix-agent
   tags: zabbix

roles/zabbix_server/files/zabbix_server.te

@@ -1,16 +1,20 @@
-module zabbix_server 1.0;
+module zabbix_server 1.2;
 
 require {
         type zabbix_var_run_t;
         type zabbix_t;
         type zabbix_var_lib_t;
-        class sock_file { create unlink };
+        type mysqld_db_t;
+        class sock_file { create unlink write };
         class unix_stream_socket connectto;
         class file { execute execute_no_trans };
+        class capability dac_override;
 }
 
 #============= zabbix_t ==============
 allow zabbix_t self:unix_stream_socket connectto;
+allow zabbix_t self:capability dac_override;
 allow zabbix_t zabbix_var_lib_t:file { execute execute_no_trans };
 allow zabbix_t zabbix_var_run_t:sock_file { create unlink };
+allow zabbix_t mysqld_db_t:sock_file write;
 

roles/zabbix_server/tasks/conf.yml

@@ -6,19 +6,19 @@
   tags: zabbix
 
 - name: Deploy PHP configuration
-  template: src=php.conf.j2 dest={{ httpd_php_versions[zabbix_server_php_version].conf_path }}/php-fpm.d/zabbix_server.conf
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ zabbix_server_php_version }}/php-fpm.d/zabbix_server.conf
   when: zabbix_server_php_fpm_pool is not defined
   notify: restart php-fpm
   tags: zabbix
 
 - name: Remove PHP configuration from other versions
-  file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/zabbix_server.conf state=absent
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/zabbix_server.conf state=absent
-  with_items: "{{ httpd_php_versions.keys() | list | difference([ zabbix_server_php_version ]) }}"
+  with_items: "{{ httpd_php_versions | difference([ zabbix_server_php_version ]) }}"
   notify: restart php-fpm
   tags: zabbix
 
 - name: Remove PHP configuration (using a custom pool)
-  file: path={{ httpd_php_versions[zabbix_server_php_version].conf_path }}/php-fpm.d/zabbix_server.conf state=absent
+  file: path=/etc/opt/remi/php{{ zabbix_server_php_version }}/php-fpm.d/zabbix_server.conf state=absent
   when: zabbix_server_php_fpm_pool is defined
   notify: restart php-fpm
   tags: zabbix
@@ -29,6 +29,8 @@
     - db_user: "{{ zabbix_server_db_user }}"
     - db_server: "{{ zabbix_server_db_server }}"
     - db_pass: "{{ zabbix_server_db_pass }}"
+    - db_encoding: utf8
+    - db_collation: utf8_bin
   tags: zabbix
 
 - name: Check if database is initialized
@@ -50,7 +52,7 @@
   tags: zabbix
   block:
     - name: Uncompress Zabbix schema file
-      shell: gzip -dc /usr/share/doc/zabbix-server-mysql-{{ zabbix_server_version.stdout }}/create.sql.gz > /tmp/zabbix.sql
+      shell: gzip -dc /usr/share/doc/zabbix-server-mysql/create.sql.gz > /tmp/zabbix.sql
 
     - name: Load DB schema
       mysql_db:

roles/zabbix_server/tasks/install.yml

@@ -8,9 +8,7 @@
       - zabbix-java-gateway
       - zabbix-get
       - mariadb
-      - sendxmpp
       - fping
-      - MySQL-python
       - patrix
       - perl-JSON
       - perl-IO-Socket-SSL