Update to 2020-11-09 10:00

master
Daniel Berteaud 4 years ago
parent c593e48020
commit 0acb3c2aae
  1. 12
      roles/bitwarden_rs/tasks/install.yml
  2. 4
      roles/composer/meta/main.yml
  3. 25
      roles/composer/tasks/install.yml
  4. 3
      roles/composer/tasks/main.yml
  5. 10
      roles/dokuwiki/tasks/main.yml
  6. 2
      roles/dokuwiki/templates/local.protected.php.j2
  7. 2
      roles/framadate/meta/main.yml
  8. 14
      roles/framadate/tasks/main.yml
  9. 18
      roles/httpd_common/tasks/main.yml
  10. 8
      roles/httpd_common/vars/CentOS-7.yml
  11. 8
      roles/httpd_common/vars/CentOS-8.yml
  12. 4
      roles/httpd_common/vars/defaults.yml
  13. 22
      roles/httpd_php/defaults/main.yml
  14. 18
      roles/httpd_php/handlers/main.yml
  15. 2
      roles/httpd_php/meta/main.yml
  16. 76
      roles/httpd_php/tasks/main.yml
  17. 2
      roles/httpd_php/templates/php-fpm.conf.j2
  18. 5
      roles/includes/vars/CentOS-7.yml
  19. 6
      roles/includes/vars/CentOS-8.yml
  20. 5
      roles/includes/vars/Debian.yml
  21. 24
      roles/includes/webapps_create_mysql_db.yml
  22. 10
      roles/includes/webapps_webconf.yml
  23. 40
      roles/lemonldap_ng/tasks/nginx.yml
  24. 33
      roles/lemonldap_ng/templates/llng_headers.inc.j2
  25. 16
      roles/mysql_server/tasks/main.yml
  26. 6
      roles/mysql_server/vars/CentOS-7.yml
  27. 6
      roles/mysql_server/vars/CentOS-8.yml
  28. 6
      roles/mysql_server/vars/defaults.yml
  29. 5
      roles/nginx/defaults/main.yml
  30. 3
      roles/nginx/meta/main.yml
  31. 5
      roles/nginx/tasks/conf.yml
  32. 5
      roles/nginx/tasks/facts.yml
  33. 13
      roles/nginx/tasks/install.yml
  34. 15
      roles/nginx/tasks/install_nginx.yml
  35. 69
      roles/nginx/tasks/install_openresty.yml
  36. 25
      roles/nginx/tasks/service.yml
  37. 2
      roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
  38. 12
      roles/nginx/templates/logrotate.conf.j2
  39. 28
      roles/nginx/templates/nginx.conf.j2
  40. 1
      roles/repo_base/tasks/base_CentOS8.yml
  41. 1
      roles/repo_grafana/tasks/main.yml
  42. 15
      roles/repo_mariadb/tasks/main.yml
  43. 12
      roles/repo_mariadb/templates/mariadb.repo.j2
  44. 2
      roles/repo_nux_dextop/tasks/main.yml
  45. 10
      roles/repo_openresty/tasks/main.yml
  46. 23
      roles/repo_remi/tasks/main.yml
  47. 10
      roles/sssd_ad_auth/tasks/main.yml
  48. 1
      roles/zabbix_agent/tasks/install_RedHat.yml
  49. 8
      roles/zabbix_server/files/zabbix_server.te
  50. 12
      roles/zabbix_server/tasks/conf.yml
  51. 2
      roles/zabbix_server/tasks/install.yml

@ -19,10 +19,20 @@
yum:
name:
- MariaDB-devel
- /usr/lib64/libmariadb.so
when: bitwarden_db_engine == 'mysql'
tags: bitwarden
# With upstream MariaDB repo, /usr/lib64/libmariadb.so is in MariaDB-shared not in MariaDB-devel
- name: Install MariaDB shared libs
yum:
name:
- MariaDB-shared
when:
- bitwarden_db_engine == 'mysql'
- mysql_mariadb_version is defined
- mysql_mariadb_version != 'default'
tags: bitwarden
- when: bitwarden_install_mode != 'none'
tags: bitwarden
block:

@ -0,0 +1,4 @@
---
dependencies:
- role: httpd_common

@ -0,0 +1,25 @@
---
- name: download composer
get_url:
url: https://getcomposer.org/installer
dest: /tmp/installer
tags: composer
- name: install composer
shell: cat /tmp/installer | php74 -- --install-dir=/usr/local/bin
args:
creates: /usr/local/bin/composer
tags: composer
- name: rename composer.phar to composer
shell: mv /usr/local/bin/composer.phar /usr/local/bin/composer
args:
creates: /usr/local/bin/composer
tags: composer
- name: make composer executable
file:
path: /usr/local/bin/composer
mode: 755
tags: composer
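Review bot: The installer fetched by the first task is piped straight into `php74` as root without any integrity check, even though Composer publishes a SHA-384 for the installer script precisely so it can be verified before execution; add `checksum: "sha384:<value from https://composer.github.io/installer.sig>"` to the `get_url` task so a tampered or truncated download fails instead of running. `mode: 755` on the last task is an integer, which Ansible interprets as decimal 755 (octal 1363) rather than rwxr-xr-x — write it as `mode: '0755'`. Writing to the fixed path `/tmp/installer` is also avoidable: a `tempfile` task, or a root-owned location such as `/usr/local/src`, removes the shared-/tmp race. Finally `php74` is hard-coded while the role's meta only depends on `httpd_common`; the interpreter presumably comes from `httpd_php`, so consider parameterising the version and declaring that dependency.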

@ -0,0 +1,3 @@
---
- include: install.yml

@ -338,19 +338,19 @@
tags: dokuwiki
- name: Deploy php configuration
template: src=php.conf.j2 dest={{ httpd_php_versions[dokuwiki_php_version].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf
template: src=php.conf.j2 dest=/etc/opt/remi/php{{ dokuwiki_php_version }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf
notify: restart php-fpm
tags: dokuwiki
- name: Remove PHP config from other versions
file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
with_items: "{{ httpd_php_versions.keys() | list | difference([ dokuwiki_php_version ]) }}"
file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
with_items: "{{ httpd_php_versions | difference([ dokuwiki_php_version ]) }}"
notify: restart php-fpm
tags: dokuwiki
- name: Remove PHP config (using a custom pool)
file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
with_items: "{{ httpd_php_versions.keys() | list }}"
file: path=/etc/opt/remi/php{{ dokuwiki_php_version }}/php-fpm.d/dokuwiki_{{ dokuwiki_id }}.conf state=absent
with_items: "{{ httpd_php_versions }}"
when: dokuwiki_php_fpm_pool is defined
notify: restart php-fpm
tags: dokuwiki
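Review bot: In the last task ("Remove PHP config (using a custom pool)") the `with_items` loop over `httpd_php_versions` no longer feeds `item` into the path, so the same `php{{ dokuwiki_php_version }}` file is removed once per version; either drop the loop, as the framadate and zabbix_server versions of this task do, or use `path=/etc/opt/remi/php{{ item }}/...` as `webapps_webconf.yml` does to clear the config from every version. Separately, `httpd_php_versions | difference([ dokuwiki_php_version ])` only excludes the active version when both sides have the same type; `httpd_php_versions` is now a list of integers, so a `dokuwiki_php_version` that arrives as a string (from `-e` or a string-valued inventory) would not be excluded and the pool config deployed two tasks earlier would be deleted. `difference([ dokuwiki_php_version | int ])`, or declaring the list as strings, makes this robust.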

@ -21,8 +21,10 @@ $conf['plugin']['{{ dokuwiki_auth }}']['bindpw'] = '{{ dokuwiki_ldap_bind_pass }
{% elif dokuwiki_auth == 'authad' %}
$conf['plugin']['authad']['base_dn'] = '{{ dokuwiki_ad_user_base }}';
$conf['plugin']['authad']['domain_controllers'] = '{{ dokuwiki_ad_dc | join(', ') }}';
{% if dokuwiki_ad_bind_user is defined and dokuwiki_ad_bind_pass is defined %}
$conf['plugin']['authad']['admin_username'] = '{{ dokuwiki_ad_bind_user }}';
$conf['plugin']['authad']['admin_password'] = '{{ dokuwiki_ad_bind_pass }}';
{% endif %}
{% if dokuwiki_ad_domain is defined %}
$conf['plugin']['authad']['account_suffix'] = '@{{ dokuwiki_ad_domain }}';
{% endif %}

@ -1,3 +1,5 @@
---
allow_duplicates: true
dependencies:
- role: composer
...

@ -8,9 +8,7 @@
yum:
name:
- unzip
- MySQL-python
- acl
- composer
- tar
tags: framadate
@ -114,9 +112,9 @@
tags: framadate
- name: Install libs using composer
composer: command=install working_dir={{ framadate_root_dir }}/web
composer: command=install working_dir={{ framadate_root_dir }}/web executable=/bin/php{{ framadate_php_version }}
environment:
php: /bin/php{{ framadate_php_version == '54' | ternary('',framadate_php_version) }}
php: /bin/php{{ framadate_php_version }}
tags: framadate
- name: Download custom logo
@ -202,18 +200,18 @@
tags: framadate
- name: Deploy PHP configuration
template: src=php.conf.j2 dest={{ httpd_php_versions[framadate_php_version].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf
template: src=php.conf.j2 dest=/etc/opt/remi/php{{ framadate_php_version }}/php-fpm.d/framadate_{{ framadate_id }}.conf
notify: restart php-fpm
tags: framadate
- name: Remove PHP configuration from other versions
file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
with_items: "{{ httpd_php_versions.keys() | list | difference([ framadate_php_version ]) }}"
file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
with_items: "{{ httpd_php_versions | difference([ framadate_php_version ]) }}"
notify: restart php-fpm
tags: framadate
- name: Remove PHP configuration (using a custom pool)
file: path={{ httpd_php_versions[framadate_php_version].conf_path }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
file: path=/etc/opt/remi/php{{ framadate_php_version }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
when: framadate_php_fpm_pool is defined
notify: restart php-fpm
tags: framadate
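Review bot: The rewritten `composer: command=install ...` task runs `composer install` as root, and Composer executes package scripts and plugins during install; unless framadate needs them, passing `no_scripts: true` and `no_plugins: true` (or running the task with `become_user` set to the application account) limits what a compromised dependency can do on the host. The `environment: php: ...` entry beneath it does not correspond to any Composer setting I know of, so now that `executable` is set it is probably dead — verify and drop it. While touching the task, block-style module args (`command:`, `working_dir:`, `executable:` keys) would be easier to read than the key=value string.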

@ -1,14 +1,16 @@
---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
- vars/defaults.yml
tags: web
- name: Install packages
yum:
name:
- httpd
- mod_fcgid
- policycoreutils-python
- python-passlib
- mod_authnz_pam
tags: [package,web]
yum: name={{ httpd_common_packages }}
tags: web
- name: List httpd ports
set_fact: httpd_ports={{ httpd_ports + (httpd_ansible_vhosts | selectattr('port','defined') | map(attribute='port') | list) | unique }}
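Review bot: The package task now reads its list from per-distribution vars files, including a `defaults.yml` that only lists `httpd`, but it still calls the `yum` module, so on any non-yum host the task fails before the vars matter; use `package: name={{ httpd_common_packages }}` as the mysql_server and includes changes in this commit do, or add `when: ansible_os_family == 'RedHat'`. The rest of the role (mod_fcgid, SELinux) presumably still assumes RHEL-like hosts, so a one-line comment above the `include_vars` stating which families are actually supported would help.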

@ -0,0 +1,8 @@
---
httpd_common_packages:
- httpd
- mod_fcgid
- policycoreutils-python
- python-passlib
- mod_authnz_pam

@ -0,0 +1,8 @@
---
httpd_common_packages:
- httpd
- mod_fcgid
- python3-policycoreutils
- python3-passlib
- mod_authnz_pam

@ -0,0 +1,4 @@
---
httpd_common_packages:
- httpd

@ -24,23 +24,13 @@ httpd_php_common_modules:
- pecl-apcu
- pecl-imagick
httpd_php_extra_modules: []
httpd_php_versions:
54:
conf_path: /etc/
56:
conf_path: /opt/remi/php56/root/etc/
70:
conf_path: /etc/opt/remi/php70/
71:
conf_path: /etc/opt/remi/php71/
72:
conf_path: /etc/opt/remi/php72/
73:
conf_path: /etc/opt/remi/php73/
74:
conf_path: /etc/opt/remi/php74/
- 56
- 70
- 71
- 72
- 73
- 74
httpd_php_default_version: 73
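Review bot: `httpd_php_versions` is now a plain list of integers, and every consumer in this commit compares it against a per-application version variable with `difference([ ... ])`, which is type-sensitive in Jinja: `[56, 70, 73] | difference(['73'])` returns all three entries. Declaring the entries as strings (`- '56'` … `- '74'`, and `httpd_php_default_version: '73'`) would match how the values are used (concatenated into `php{{ item }}` paths and service names) and remove the risk of an application's active pool config being treated as "another version" and removed. Either way, a comment stating the expected type of the `*_php_version` variables would help.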

@ -4,23 +4,15 @@
# We need to stop all the pools and then start them again
# because if we move one pool config from one version to another
# the sock might not be removed at the correct time, depending on the
# the socket might not be removed at the correct time, depending on the
# order of execution
- name: restart php-fpm
service: name=php-fpm state=stopped enabled=yes
notify: stop php-fpm-scl
- name: stop php-fpm-scl
service: name=php{{ item }}-php-fpm state=stopped enabled=yes
with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
service: name=php{{ item }}-php-fpm state=stopped enabled=True
with_items: "{{ httpd_php_versions }}"
notify: start php-fpm
- name: start php-fpm
service: name=php-fpm state=started enabled=yes
notify: start php-fpm-scl
- name: start php-fpm-scl
service: name=php{{ item }}-php-fpm state=started enabled=yes
with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
service: name=php{{ item }}-php-fpm state=started enabled=True
with_items: "{{ httpd_php_versions }}"
...

@ -1,5 +1,5 @@
---
dependencies:
- role: httpd_common
- role: repo_remi_safe
- role: repo_remi
...

@ -1,31 +1,19 @@
---
- name: Build the list of packages for core PHP
- name: Build the list of packages
set_fact:
php_pkg: "{{ php_pkg|default([]) }} + [ 'php-{{ item }}' ]"
with_items:
- "{{ httpd_php_common_modules }}"
tags: [package,web]
- name: Build the list of packages for scl PHP
set_fact:
php_pkg: "{{ php_pkg|default([]) }} + [ 'php{{ item.0 }}-php-{{ item.1 }}' ]"
httpd_php_packages: "{{ httpd_php_packages | default([]) }} + [ 'php{{ item.0 }}-php-{{ item.1 }}' ]"
with_nested:
- "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
- "{{ httpd_php_versions }}"
- "{{ httpd_php_common_modules }}"
tags: [package,web]
tags: web
- name: Install PHP main modules
yum: name={{ php_pkg }}
- name: Install PHP packages
yum: name={{ httpd_php_packages }}
notify:
- systemd-tmpfiles
- restart php-fpm
tags: [package,web]
- name: Install PHP extra modules
yum: name={{ httpd_php_extra_modules }} state=present
notify: restart php-fpm
tags: [package,web]
tags: web
- name: Create tmpfiles.d fragment
copy: src=tmpfiles.conf dest=/etc/tmpfiles.d/php-fpm-scl.conf
@ -33,65 +21,61 @@
tags: web
- name: Disable default FPM pools
template: src=default_fpm_pool.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/www.conf
with_items: "{{ httpd_php_versions.keys() | list }}"
template: src=default_fpm_pool.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/www.conf
loop: "{{ httpd_php_versions }}"
notify: restart php-fpm
tags: [conf,web]
tags: web
- name: Deploy main php.ini configuration
template: src=php.ini.j2 dest={{ httpd_php_versions[item].conf_path }}/php.ini
with_items: "{{ httpd_php_versions.keys() | list }}"
template: src=php.ini.j2 dest=/etc/opt/remi/php{{ item }}/php.ini
loop: "{{ httpd_php_versions }}"
notify: restart php-fpm
tags: [conf,web]
tags: web
- name: Deploy PHP FPM master's configuration
template: src=php-fpm.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.conf
with_items: "{{ httpd_php_versions.keys() | list }}"
template: src=php-fpm.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.conf
loop: "{{ httpd_php_versions }}"
notify: restart php-fpm
tags: [conf,web]
tags: web
- name: Deploy default PHP FPM pools configurations
template: src=php_fpm_pool.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/php{{ item }}.conf
with_items: "{{ httpd_php_versions.keys() | list }}"
template: src=php_fpm_pool.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/php{{ item }}.conf
loop: "{{ httpd_php_versions }}"
notify: restart php-fpm
tags: [conf,web]
tags: web
- name: Create user accounts for ansible PHP FPM pools
user: name={{ item }} comment="PHP FPM {{ item }}" system=yes shell=/sbin/nologin
with_items: "{{ httpd_php_ansible_pools | default([]) | selectattr('user', 'defined') | map(attribute='user') | list }}"
tags: [conf,web]
user: name={{ item }} comment="PHP FPM {{ item }}" system=True shell=/sbin/nologin
loop: "{{ httpd_php_ansible_pools | default([]) | selectattr('user', 'defined') | map(attribute='user') | list }}"
tags: web
- name: Deploy ansible PHP FPM pools configurations
template: src=php_fpm_ansible_pools.conf.j2 dest={{ httpd_php_versions[item].conf_path }}/php-fpm.d/ansible_pools.conf
with_items: "{{ httpd_php_versions.keys() | list }}"
template: src=php_fpm_ansible_pools.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/ansible_pools.conf
loop: "{{ httpd_php_versions }}"
notify: restart php-fpm
tags: [conf,web]
tags: web
- name: Create log directories
file: path=/var/log/php/php{{ item }} state=directory mode=770 owner=root group={{ httpd_user }}
with_items: "{{ httpd_php_versions.keys() | list }}"
loop: "{{ httpd_php_versions }}"
notify: restart php-fpm
tags: [conf,web]
- name: Start and enable core PHP FPM service
service: name=php-fpm state=started enabled=yes
tags: web
- name: Start and enable SCL PHP FPM services
service: name=php{{ item }}-php-fpm state=started enabled=yes
with_items: "{{ httpd_php_versions.keys() | list | difference([ 54 ]) }}"
loop: "{{ httpd_php_versions }}"
tags: web
- name: Deploy httpd configuration fragments
template: src={{ item.src }} dest={{ item.dest }}
with_items:
loop:
- { src: httpd_php.conf.j2, dest: /etc/httpd/ansible_conf.d/php.conf }
notify: reload httpd
tags: [conf,web]
tags: web
- name: Allow network connections in SELinux
seboolean: name={{ item }} state=yes persistent=yes
with_items:
loop:
- httpd_can_network_connect_db
- httpd_can_network_memcache
- httpd_can_network_connect
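Review bot: The list-building `set_fact` at the top relies on Ansible re-templating the string `"[...] + [ ... ]"` back into a list; the native expression `httpd_php_packages: "{{ httpd_php_packages | default([]) + ['php' ~ item.0 ~ '-php-' ~ item.1] }}"` is equivalent and keeps the value a list, and the install task should use `name={{ httpd_php_packages | default([]) }}` so an empty `httpd_php_versions` does not fail on an undefined variable. On the last task, `httpd_can_network_connect` (pre-existing) already permits httpd to connect to any TCP port, making the db and memcache booleans redundant — if it is only needed by specific applications, setting it from those roles would keep the default PHP host closer to least privilege. The loop body of that task may continue past the end of the hunk.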

@ -1,5 +1,5 @@
include = {{ httpd_php_versions[item].conf_path }}/php-fpm.d/*.conf
include = /etc/opt/remi/php{{ item }}/php-fpm.d/*.conf
[global]
pid = /run/php-fpm/php{{ item }}-fpm.pid

@ -0,0 +1,5 @@
---
webapps_mysql_packages:
- MySQL-python
- mariadb

@ -0,0 +1,6 @@
---
webapps_mysql_packages:
- python3-mysql
- mariadb

@ -0,0 +1,5 @@
---
webapps_mysql_packages:
- python-mysqldb
- mariadb-client

@ -1,18 +1,14 @@
---
- name: Install MySQL-python
yum:
name:
- MySQL-python
- mariadb
when: ansible_os_family == 'RedHat'
- include_vars: "{{ item }}"
with_first_found:
- ../includes/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- ../includes/vars/{{ ansible_distribution }}.yml
- ../includes/vars/{{ ansible_os_family }}.yml
- ../includes/vars/defaults.yml
- name: Install MySQL-python
apt:
name:
- python-mysqldb
- mariadb-client
when: ansible_os_family == 'Debian'
- name: Install MySQL tools
package: name={{ webapps_mysql_packages }}
- name: Create MySQL database
mysql_db:
@ -21,8 +17,8 @@
login_user: sqladmin
login_password: "{{ mysql_admin_pass }}"
state: present
encoding: utf8mb4
collation: utf8mb4_general_ci
encoding: "{{ db_encoding | default('utf8mb4') }}"
collation: "{{ db_collation | default('utf8mb4_general_ci') }}"
register: db_created
- name: Create MySQL User

@ -4,18 +4,18 @@
notify: reload httpd
- name: Deploy PHP config
template: src=php.conf.j2 dest={{ httpd_php_versions[php_version].conf_path }}/php-fpm.d/{{ app_id }}.conf
template: src=php.conf.j2 dest=/etc/opt/remi/php{{ php_version }}/php-fpm.d/{{ app_id }}.conf
when: php_fpm_pool is not defined or php_fpm_pool == ''
notify: restart php-fpm
- name: Remove PHP config from other versions
file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/{{ app_id }}.conf state=absent
with_items: "{{ httpd_php_versions.keys() | list | difference([ php_version ]) }}"
file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/{{ app_id }}.conf state=absent
with_items: "{{ httpd_php_versions | difference([ php_version ]) }}"
notify: restart php-fpm
- name: Remove PHP config (using a custom pool)
file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/{{ app_id }}.conf state=absent
with_items: "{{ httpd_php_versions.keys() | list }}"
file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/{{ app_id }}.conf state=absent
with_items: "{{ httpd_php_versions }}"
when: php_fpm_pool != ''
notify: restart php-fpm
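Review bot: The `when: php_fpm_pool != ''` on the last task (left unchanged here) raises an undefined-variable error whenever a caller does not set `php_fpm_pool`, while the deploy task above guards with `php_fpm_pool is not defined or php_fpm_pool == ''`; the two should be complementary: `when: php_fpm_pool is defined and php_fpm_pool != ''`. As in the other roles, `httpd_php_versions | difference([ php_version ])` only excludes the active version if `php_version` has the same type as the list entries (integers), so a string `php_version` would cause the next task to delete the config it just deployed — `difference([ php_version | int ])` or declaring the list as strings avoids this.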

@ -1,7 +1,45 @@
---
- name: Create nginx conf dir
file: path=/etc/nginx/{{ item }} state=directory
loop:
- ansible_location.d
- ansible_conf.d
- ansible_modules.d
tags: web
- name: Check if lua module is installed
stat: path=/usr/lib64/nginx/modules/ndk_http_module.so
register: llng_mod_lua
tags: web
- name: Deploy module conf
copy: content={{ item.content }} dest=/etc/nginx/ansible_modules.d/{{ item.dest }}
loop:
- content: 'load_module "/usr/lib64/nginx/modules/ndk_http_module.so";'
dest: 09-ndk.conf
- content: 'load_module "/usr/lib64/nginx/modules/ngx_http_lua_module.so";'
dest: 11-lua.conf
when: llng_mod_lua.stat.exists
notify: reload nginx
tags: web
- name: Remove module conf
file: path=/etc/nginx/ansible_modules.d/{{ item }} state=absent
loop:
- 09-ndk.conf
- 11-lua.conf
when: not llng_mod_lua.stat.exists
notify: reload nginx
tags: web
- name: Deploy handler's nginx configuration
template: src=nginx_handler.conf.j2 dest=/etc/nginx/ansible_location.d/10-llng_handler.conf
template: src={{ item.src }} dest={{ item.dest }}
loop:
- src: nginx_handler.conf.j2
dest: /etc/nginx/ansible_location.d/10-llng_handler.conf
- src: llng_headers.inc.j2
dest: /etc/nginx/ansible_conf.d/llng_headers.inc
when: llng_handler == True
notify: reload nginx
tags: web
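Review bot: The "Check if lua module is installed" stat only tests `ndk_http_module.so`, but the conf that is then deployed also loads `ngx_http_lua_module.so`; if the NDK module is present without the lua module, nginx fails its config test. Stat both files (a `loop` over the two paths and `when: llng_mod_lua.results | selectattr('stat.exists') | list | length == 2`), or at least stat the lua module, since that is what `access_by_lua` in `llng_headers.inc` needs. `when: llng_handler == True` can be written `when: llng_handler`, and `copy: content={{ item.content }} ...` would be safer in block form given the quotes and semicolons in the content.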

@ -0,0 +1,33 @@
auth_request_set $headername1 $upstream_http_headername1;
auth_request_set $headervalue1 $upstream_http_headervalue1;
auth_request_set $headername2 $upstream_http_headername2;
auth_request_set $headervalue2 $upstream_http_headervalue2;
auth_request_set $headername3 $upstream_http_headername3;
auth_request_set $headervalue3 $upstream_http_headervalue3;
auth_request_set $headername4 $upstream_http_headername4;
auth_request_set $headervalue4 $upstream_http_headervalue4;
auth_request_set $headername5 $upstream_http_headername5;
auth_request_set $headervalue5 $upstream_http_headervalue5;
auth_request_set $headername6 $upstream_http_headername6;
auth_request_set $headervalue6 $upstream_http_headervalue6;
auth_request_set $headername7 $upstream_http_headername7;
auth_request_set $headervalue7 $upstream_http_headervalue7;
auth_request_set $headername8 $upstream_http_headername8;
auth_request_set $headervalue8 $upstream_http_headervalue8;
auth_request_set $headername9 $upstream_http_headername9;
auth_request_set $headervalue9 $upstream_http_headervalue9;
auth_request_set $headername10 $upstream_http_headername10;
auth_request_set $headervalue10 $upstream_http_headervalue10;
auth_request_set $lmcookie $upstream_http_cookie;
access_by_lua '
i = 1
ngx.req.set_header("Cookie",ngx.var.lmcookie)
while true do
if ngx.var["headername"..i] ~= nil then
ngx.req.set_header(ngx.var["headername"..i],ngx.var["headervalue"..i])
else
break
end
i = i +1
end
';
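Review bot: The Lua block copies whatever `headernameN`/`headervalueN` pairs the handler returns onto the upstream request but never strips those header names when the handler does not return them, so a client could supply its own copy of an identity header on a request the handler passes through with fewer headers — worth confirming the LemonLDAP handler always emits every configured header, or clearing the known names with `ngx.req.clear_header(...)` before the loop. `i = 1` is a Lua global; write `local i = 1` so it is not shared in the worker's Lua VM. The `auth_request_set` lines hard-cap the mechanism at ten headers, which deserves a comment at the top of the template, and `access_by_lua '...'` is the string form that lua-nginx-module documents as deprecated — `access_by_lua_block { ... }` also avoids the quoting.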

@ -1,13 +1,15 @@
---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
- vars/defaults.yml
tags: mysql
- name: Install MariaDB server and client
yum:
name:
- mariadb-server
- mariadb
- MySQL-python
notify:
- restart mariadb
package: name={{ mysql_server_packages }}
tags: mysql
- name: Deploy backup scripts

@ -0,0 +1,6 @@
---
mysql_server_packages:
- mariadb-server
- mariadb
- MySQL-python

@ -0,0 +1,6 @@
---
mysql_server_packages:
- mariadb-server
- mariadb
- python3-mysql

@ -0,0 +1,6 @@
---
mysql_server_packages:
- mariadb-server
- mariadb
- MySQL-python

@ -7,12 +7,13 @@ nginx_ssl_ports:
nginx_src_ip:
- 0.0.0.0/0
# If true, will install openresty as an nginx replacement
nginx_openresty: False
nginx_modules:
- ndk_http_module.so
- stream
- http_image_filter
- http_perl
- http_lua
nginx_log_format: combined_virtual

@ -1,5 +1,6 @@
---
dependencies:
- role: repo_nginx
- role: repo_openresty
when: nginx_openresty
- role: mkdir

@ -12,7 +12,6 @@
- ansible_conf.d/force_ssl.inc
- ansible_conf.d/acme.inc
- ansible_conf.d/custom.inc
- ansible_conf.d/llng_headers.inc
- ansible_conf.d/cache.inc
- ansible_conf.d/10-cache.conf
- ansible_conf.d/10-perf.conf
@ -54,3 +53,7 @@
- whitelist-domains.conf
- whitelist-ips.conf
tags: web
- name: Configure log rotation
template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nginx
tags: web

@ -25,3 +25,8 @@
stat: path=/etc/lemonldap-ng/lemonldap-ng.ini
register: nginx_llng
tags: web
- name: Check if llng_header.inc conf is installed
stat: path=/etc/nginx/ansible_conf.d/llng_headers.inc
register: nginx_llng_headers
tags: web

@ -1,7 +1,8 @@
---
- name: Install packages
yum:
name:
- nginx
- nginx-mod-http-lua
tags: web
- include: install_openresty.yml
when: nginx_openresty
- include: install_nginx.yml
when: not nginx_openresty

@ -0,0 +1,15 @@
---
- name: Remove openresty
yum:
name:
- openresty
state: absent
tags: web
- name: Install nginx
yum:
name:
- nginx
tags: web

@ -0,0 +1,69 @@
---
- name: Check if nginx is installed
stat: path=/lib/systemd/system/nginx.service
register: nginx_nginx_service
tags: web
- name: Stop nginx
service: name=nginx state=stopped
when: nginx_nginx_service.stat.exists
tags: web
- name: Create the nginx user account
user:
name: nginx
system: True
shell: /sbin/nologin
home: /var/lib/nginx
tags: web
- name: Prepare directories
file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
loop:
- dir: /var/lib/nginx/tmp
owner: nginx
group: nginx
mode: '700'
- dir: /var/cache/nginx
owner: nginx
group: nginx
mode: '700'
- dir: /var/log/nginx
owner: nginx
group: nginx
mode: '700'
- dir: /usr/share/nginx
- dir: /etc/nginx
- dir: /usr/local/openresty/nginx
tags: web
# Create links so openresty uses nginx compatible paths
- name: Prepare links
file: src={{ item.src }} dest={{ item.dest }} state=link
loop:
- src: /etc/nginx
dest: /usr/local/openresty/nginx/conf
- src: /var/log/nginx
dest: /usr/local/openresty/nginx/logs
- src: /usr/share/nginx
dest: /usr/local/openresty/nginx/html
tags: web
- name: Remove nginx
yum:
name:
- nginx
state: absent
tags: web
- name: Install packages
yum:
name:
- openresty
tags: web
- name: Add a link to nginx in /sbin
file: src=/usr/local/openresty/nginx/sbin/nginx dest=/sbin/nginx state=link
tags: web
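Review bot: "Prepare links" uses `file state=link` on `/usr/local/openresty/nginx/{conf,logs,html}`, but Ansible refuses to replace an existing directory with a symlink unless `force: true` is set, so on a host where the openresty RPM already created real `conf/`, `logs/` or `html/` directories (prior install, or a re-install) the task fails rather than converging. Either add `force: true` (accepting that the RPM's shipped `conf/` contents are discarded) or remove those directories explicitly before linking. Creating `/var/log/nginx` as `0700 nginx:nginx` is a reasonable hardening, but note the logrotate template in this commit creates new files `0644`, so the directory mode is the only thing keeping logs private.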

@ -1,12 +1,22 @@
---
- name: Create unit snippet directory
file: path=/etc/systemd/system/nginx.service.d state=directory
tags: web
- name: Customize systemd unit
copy:
content: |
[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre={{ nginx_openresty | ternary('/usr/local/openresty/nginx/sbin/nginx','/sbin/nginx') }} -t
ExecStartPre=/bin/rm -f /run/nginx.pid
ExecStart={{ nginx_openresty | ternary('/usr/local/openresty/nginx/sbin/nginx','/sbin/nginx') }}
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
Restart=on-failure
StartLimitInterval=0
RestartSec=5
@ -14,11 +24,18 @@
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
dest: /etc/systemd/system/nginx.service.d/ansible.conf
[Install]
WantedBy=multi-user.target
dest: /etc/systemd/system/nginx.service
register: nginx_unit
notify: restart nginx
tags: web
- name: Remove obsolete unit conf
file: path=/etc/systemd/system/nginx.service.d/ansible.conf state=absent
tags: web
- name: Reload systemd
systemd: daemon_reload=True
when: nginx_unit.changed
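Review bot: Only the unit-file task registers a result for the `daemon_reload`, but removing the old drop-in `nginx.service.d/ansible.conf` also changes the effective unit, and systemd keeps the stale override until the next reload; register that task too (`register: nginx_unit_dropin`) and use `when: nginx_unit.changed or nginx_unit_dropin.changed`, or notify a single `reload systemd` handler from both. The hardening already in the unit (`ProtectSystem=full`, `ProtectHome`, `NoNewPrivileges`, `PrivateTmp`) is pre-existing and sound for nginx; `ProtectKernelTunables=yes`, `ProtectControlGroups=yes` and `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` would be cheap additions for a pure web server. A comment above `ExecStartPre=/bin/rm -f /run/nginx.pid` stating that it clears a stale pid file after a crash would help the next reader.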

@ -144,7 +144,9 @@ server {
{% if vhost.auth != 'llng_basic' %}
error_page 401 $lmlocation;
{% endif %}
{% if nginx_llng_headers.stat.exists %}
include /etc/nginx/ansible_conf.d/llng_headers.inc;
{% endif %}
fastcgi_param REMOTE_USER $lmremote_user;
{% elif vhost.auth == 'basic' and vhost.htpasswd_file is defined %}
auth_basic "Authentication required for {{ vhost.name }}";
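Review bot: The new `include` is gated on `nginx_llng_headers.stat.exists`, a fact gathered in `facts.yml` when the nginx role starts, while the file itself is written by the lemonldap_ng role; if that role runs after nginx in the same play the include is silently skipped until a second run and the backend receives no identity headers. Gating on the same variable that controls deployment of the include (`llng_handler`), or having the lemonldap_ng role re-notify the vhost template, avoids the ordering dependency; a one-line comment above the `{% if %}` explaining it would help either way. The `server` block this sits in starts and ends outside the hunk.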

@ -0,0 +1,12 @@
/var/log/nginx/*log {
create 0644 nginx nginx
daily
rotate 10
missingok
notifempty
compress
sharedscripts
postrotate
/bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
endscript
}
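Review bot: Without `delaycompress`, logrotate compresses the just-rotated file in the same run in which it sends USR1, so lines nginx writes between the rename and the reopen can land in a file that has already been compressed and unlinked; add `delaycompress` after `compress`, as most packaged nginx logrotate files do. `create 0644 nginx nginx` makes access logs — query strings, referers, sometimes tokens — world-readable wherever the directory mode permits; `create 0640 nginx nginx` is the safer default. `dateext` would also make rotated files sort by date rather than `.1`…`.10`.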

@ -4,13 +4,27 @@ error_log /var/log/nginx/error.log;
error_log syslog:server=unix:/dev/log,nohostname;
pid /run/nginx.pid;
{% if nginx_openresty %}
# Openresty uses builtin modules, not dynamic ones
{% else %}
include /etc/nginx/ansible_modules.d/*.conf;
{% endif %}
events {
worker_connections 1024;
}
http {
{% if nginx_openresty %}
# Set nginx compatible paths for openresty
client_body_temp_path /var/lib/nginx/tmp/client_body;
fastcgi_temp_path /var/lib/nginx/tmp/fastcgi;
proxy_temp_path /var/lib/nginx/tmp/proxy;
scgi_temp_path /var/lib/nginx/tmp/scgi;
uwsgi_temp_path /var/lib/nginx/tmp/uwsgi;
{% endif %}
log_format combined_virtual
'$server_name $remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
@ -83,13 +97,13 @@ http {
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
location ~ \.ht {
deny all;
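Review bot: Commenting out the default server's `error_page`/`location` blocks leaves dead configuration in the template — if the intent is to fall back to nginx's built-in error pages, delete the lines and say so in a one-line comment. The built-in pages carry the server signature in their footer unless `server_tokens off;` is set in the `http` block, which I cannot see from this hunk; worth confirming so the change does not start disclosing the nginx/OpenResty version. Both hunks sit inside a `http { ... }` block that starts and ends outside the diff.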

@ -26,4 +26,5 @@
loop:
- CentOS-Base # Replaced with CentOS-BaseOS
- CentOS-CR # Replaced with CentOS-cr
- CentOS-Extras # Replaced with CentOS-extras
tags: repo

@ -7,4 +7,5 @@
gpgcheck: True
repo_gpgcheck: True
gpgkey: https://packages.grafana.com/gpg.key
tags: repo,grafana

@ -1,11 +1,8 @@
---
- name: Configure MariaDB repository
yum_repository:
name: mariadb
description: MariaDB
baseurl: http://yum.mariadb.org/{{ mysql_mariadb_version }}/centos$releasever-amd64
gpgcheck: True
gpgkey: https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
state: "{{ (mysql_mariadb_version != 'default') | ternary('present','absent') }}"
tags: repo,mysql
# Here we use a template instead of yum_repository because
# we might need to set module_hotfixes = true for el8. And yum_repository
# doesn't support this setting
- name: Configure MariaDB repo
template: src=mariadb.repo.j2 dest=/etc/yum.repos.d/mariadb.repo
tags: mysql,repo

@ -0,0 +1,12 @@
{% if mysql_mariadb_version != 'default' %}
[mariadb]
baseurl = http://yum.mariadb.org/{{ mysql_mariadb_version }}/centos$releasever-amd64
gpgcheck = 1
gpgkey = https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
name = MariaDB
{% if ansible_os_family == 'RedHat' and ansible_distribution_major_version is version('8', '>=') %}
# Workaround a bug in dnf which would make the default module mask
# packages from the MariaDB repo. See https://jira.mariadb.org/browse/MDEV-20673
module_hotfixes = true
{% endif %}
{% endif %}
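Review bot: `baseurl` uses plain `http://yum.mariadb.org/...`, so repository metadata is fetched without transport integrity and, unless `repo_gpgcheck` is set and the repo is signed, so is the package list; the mirror serves HTTPS, so `baseurl = https://yum.mariadb.org/{{ mysql_mariadb_version }}/centos$releasever-amd64` costs nothing and matches the `gpgkey` URL. When `mysql_mariadb_version` is `'default'` the template now renders an empty `mariadb.repo` instead of removing it as the previous `yum_repository ... state: absent` did; harmless, but a `file: state=absent` task under that condition keeps `/etc/yum.repos.d` clean.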

@ -4,7 +4,7 @@
yum_repository:
name: nux-dextop
description: Nux.Ro RPMs for general desktop use
baseurl: http://li.nux.ro/download/nux/dextop/el7/$basearch/ http://mirror.li.nux.ro/li.nux.ro/nux/dextop/el7/$basearch/
baseurl: http://li.nux.ro/download/nux/dextop/el$releasever/$basearch/ http://mirror.li.nux.ro/li.nux.ro/nux/dextop/el$releasever/$basearch/
gpgcheck: True
gpgkey: http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
tags: repo
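Review bot: The repo now derives its path from `$releasever`, but as far as I can tell the Nux Dextop project only publishes an `el7` tree, so on CentOS 8 this yields a 404 on every yum transaction rather than a clean skip; either guard the task with `when: ansible_distribution_major_version is version('8', '<')` or verify an `el8` directory exists. Both `baseurl` and `gpgkey` are plain `http://`, so the signing key itself is fetched over an unauthenticated channel on first import — ship the key in the role (`copy` it and use `gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-nux.ro`) or at least use HTTPS if the mirror supports it.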

@ -0,0 +1,10 @@
---
- name: Configure openresty repository
yum_repository:
name: openresty
description: Official OpenResty Open Source Repository for CentOS
baseurl: https://openresty.org/package/centos/$releasever/$basearch
gpgcheck: True
gpgkey: https://openresty.org/package/pubkey.gpg
tags: repo,web

@ -0,0 +1,23 @@
---
- include_vars: "{{ item }}"
with_first_found:
- vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml
- vars/{{ ansible_distribution }}.yml
- vars/{{ ansible_os_family }}.yml
- vars/defaults.yml
tags: repo
- name: Remove remi-release
yum: name=remi-release state=absent
tags: repo
- name: Configure Remi Safe repository
yum_repository:
name: remi
description: Remi's RPM repository for Enterprise Linux
baseurl: http://rpms.remirepo.net/enterprise/$releasever/remi/$basearch/
gpgcheck: True
gpgkey: "{{ repo_remi_gpg_url }}"
tags: repo
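Review bot: The task is named "Configure Remi Safe repository" but `baseurl` points at `.../enterprise/$releasever/remi/$basearch/`, which is the main Remi repository; the "safe" repository lives under `.../safe/`. The main repo ships newer builds of base packages that will replace distribution ones on the next `yum update`, whereas the safe repo only adds packages (the SCL `php7x-*` set, which is all `httpd_php` appears to use). If the main repo is intended, rename the task and consider `includepkgs` or a priority to limit what it can override; otherwise change the path. The URL is also `http://` — use `https://rpms.remirepo.net` if the mirror supports it so the metadata is protected in transit.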

@ -45,6 +45,7 @@
stdin: "{{ ad_admin_pass }}"
no_log: True
when: not ad_keytab.stat.exists
register: ad_join
tags: auth
- name: Check if we're a DC
@ -75,6 +76,7 @@
creates: /var/lib/sss/keytabs/{{ item.name | upper }}.keytab
become_user: sssd
with_items: "{{ ad_trusted_domains }}"
register: ad_trusted_join
tags: auth
- name: Start and enable services
@ -83,3 +85,11 @@
- sssd
- oddjobd
tags: auth
# On el8 for example, sssd is already installed and running on a default setup
# so we need to restart it now, so users are available (for eg, ssh authorized_keys setup)
# We can't rely on the handler, because it would only run at the end of the playbook
- name: Restart sssd if needed
service: name=sssd state=restarted
when: ad_join.changed or ad_trusted_join.results | selectattr('changed','equalto',True) | list | length > 0
tags: auth
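Review bot: The restart condition can use Ansible's built-in tests: loop-registered results already carry an aggregate `changed`, so `when: ad_join is changed or ad_trusted_join is changed` is equivalent to the `selectattr` expression and also covers the case where either join task was skipped. If `ad_trusted_domains` can be undefined rather than an empty list, `ad_trusted_join.results` would be missing and the current expression would error, which the `is changed` form avoids. The comment explaining why a handler cannot be used here is helpful — keep it.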

@ -15,7 +15,6 @@
- zabbix-agent
- zabbix-agent-addons
- openssl
- "{{ ansible_distribution_major_version is version('8', '<') | ternary('policycoreutils-python','python3-policycoreutils') }}"
state: "{{ zabbix_agent_update | ternary('latest','present') }}"
notify: restart zabbix-agent
tags: zabbix

@ -1,16 +1,20 @@
module zabbix_server 1.0;
module zabbix_server 1.2;
require {
type zabbix_var_run_t;
type zabbix_t;
type zabbix_var_lib_t;
class sock_file { create unlink };
type mysqld_db_t;
class sock_file { create unlink write };
class unix_stream_socket connectto;
class file { execute execute_no_trans };
class capability dac_override;
}
#============= zabbix_t ==============
allow zabbix_t self:unix_stream_socket connectto;
allow zabbix_t self:capability dac_override;
allow zabbix_t zabbix_var_lib_t:file { execute execute_no_trans };
allow zabbix_t zabbix_var_run_t:sock_file { create unlink };
allow zabbix_t mysqld_db_t:sock_file write;
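Review bot: `allow zabbix_t self:capability dac_override;` lets the Zabbix server bypass Unix permission checks on every file its SELinux type already allows, a broad grant that is usually added to paper over a file ownership problem; the AVC that prompted it identifies the specific file, and fixing that file's owner/mode (or granting only `dac_read_search` if traversal is all that is needed) keeps the policy tight. `execute execute_no_trans` on `zabbix_var_lib_t` means anything written into the server's var-lib tree runs in `zabbix_t` without a domain transition — acceptable for alert/external scripts, but worth a one-line comment stating that intent so it is not widened later. A short comment per rule recording why it exists would make the next audit of this module easier.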

@ -6,19 +6,19 @@
tags: zabbix
- name: Deploy PHP configuration
template: src=php.conf.j2 dest={{ httpd_php_versions[zabbix_server_php_version].conf_path }}/php-fpm.d/zabbix_server.conf
template: src=php.conf.j2 dest=/etc/opt/remi/php{{ zabbix_server_php_version }}/php-fpm.d/zabbix_server.conf
when: zabbix_server_php_fpm_pool is not defined
notify: restart php-fpm
tags: zabbix
- name: Remove PHP configuration from other versions
file: path={{ httpd_php_versions[item].conf_path }}/php-fpm.d/zabbix_server.conf state=absent
with_items: "{{ httpd_php_versions.keys() | list | difference([ zabbix_server_php_version ]) }}"
file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/zabbix_server.conf state=absent
with_items: "{{ httpd_php_versions | difference([ zabbix_server_php_version ]) }}"
notify: restart php-fpm
tags: zabbix
- name: Remove PHP configuration (using a custom pool)
file: path={{ httpd_php_versions[zabbix_server_php_version].conf_path }}/php-fpm.d/zabbix_server.conf state=absent
file: path=/etc/opt/remi/php{{ zabbix_server_php_version }}/php-fpm.d/zabbix_server.conf state=absent
when: zabbix_server_php_fpm_pool is defined
notify: restart php-fpm
tags: zabbix
@ -29,6 +29,8 @@
- db_user: "{{ zabbix_server_db_user }}"
- db_server: "{{ zabbix_server_db_server }}"
- db_pass: "{{ zabbix_server_db_pass }}"
- db_encoding: utf8
- db_collation: utf8_bin
tags: zabbix
- name: Check if database is initialized
@ -50,7 +52,7 @@
tags: zabbix
block:
- name: Uncompress Zabbix schema file
shell: gzip -dc /usr/share/doc/zabbix-server-mysql-{{ zabbix_server_version.stdout }}/create.sql.gz > /tmp/zabbix.sql
shell: gzip -dc /usr/share/doc/zabbix-server-mysql/create.sql.gz > /tmp/zabbix.sql
- name: Load DB schema
mysql_db:
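Review bot: The schema is decompressed to the fixed path `/tmp/zabbix.sql` and then loaded from there, which gives any local user a window to replace or append to the file between the two tasks (and, on hosts without `fs.protected_symlinks`, to redirect the root write through a symlink). `mysql_db` with `state: import` reads gzip files directly, so `target: /usr/share/doc/zabbix-server-mysql/create.sql.gz` removes the `shell` step and the temp file entirely; if a temp file must be kept, use the `tempfile` module and remove it afterwards. Dropping `{{ zabbix_server_version.stdout }}` from the path looks fine, but the block this sits in starts before the hunk, so I have not checked whether `zabbix_server_version` is still used elsewhere.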

@ -8,9 +8,7 @@
- zabbix-java-gateway
- zabbix-get
- mariadb
- sendxmpp
- fping
- MySQL-python
- patrix
- perl-JSON
- perl-IO-Socket-SSL
