From 6dc11ec24e737883b9119582f822cc9277abdc8d Mon Sep 17 00:00:00 2001
From: phil
Date: Thu, 4 Jan 2024 08:05:08 +0100
Subject: [PATCH] Updates
---
.gitignore | 5 +++++
README.md | 22 +++++++++++++++++++
defaults/main.yml | 2 +-
handlers/main.yml | 29 ++++++++++++++++++-------
meta/main.yml | 4 ++--
tasks/main.yml | 21 ++++++++++++-------
tasks/packages.yml | 1 -
tasks/phpfpm.yml | 50 ++++++++++++++++++++++++++++++++++++++++++++
tasks/webserver.yml | 29 -------------------------
templates/fpmpool.j2 | 23 ++++++++++++++++++++
templates/nginx.conf | 32 ----------------------------
templates/pma.php.j2 | 24 +++++++++++++++++++++
12 files changed, 162 insertions(+), 80 deletions(-)
create mode 100644 .gitignore
create mode 100644 tasks/phpfpm.yml
delete mode 100644 tasks/webserver.yml
create mode 100644 templates/fpmpool.j2
delete mode 100644 templates/nginx.conf
create mode 100644 templates/pma.php.j2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1dcb95e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+.fact_cache
+.vault_pass
+ansible.log
+galaxy/
+.vscode/
diff --git a/README.md b/README.md
index 8be4cc2..0c4d690 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,28 @@ phpMyAdmin
 This role installs phpMyAdmin.
+## Variables
+
+| Name | Note | Default |
+|--|--|--|
+| `phpmyadmin_user` | System user to create | `pma`
+| `phpmyadmin_hosts` | Array with hosts to connect to | *optional* |
+| `phpmyadmin_hosts.name` | Hostname of database host | * optional* |
+| `phpmyadmin_host.address` | IP address of database host | *optional* |
+
+## Playbook
+
+This role depends on [ansible-role-php](https://git.systemausfall.org/senselab/ansible-role-php):
+```Shell
+---
+- name: Install phpMyAdmin
+ hosts:
+ - myhost
+ roles:
+ - role: senselab.php
+ - role: senselab.phpmyadmin
+````
+
 # Running the role
 Run the playbook with:
diff --git a/defaults/main.yml b/defaults/main.yml
index 9e3ffb1..5a684f9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,2 +1,2 @@
 ---
-phpmyadmin_htpasswd_file: /etc/nginx/snippets/.htpasswd
+phpmyadmin_user: pma
diff --git a/handlers/main.yml b/handlers/main.yml
index 9f07eaa..d3218cf 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,9 +1,24 @@
 ---
-- name: reload nginx
- ansible.builtin.service:
- name: nginx
- state: reloaded
+- name: Stop php-fpm-socket
+ ansible.builtin.systemd:
+ name: "php-fpm@{{ phpmyadmin_user }}.socket"
+ state: stopped
-- name: Get certificate
- ansible.builtin.command:
- cmd: dehydrated --cron -g
+- name: Stop php-fpm-service
+ ansible.builtin.systemd:
+ name: "php-fpm@{{ phpmyadmin_user }}.service"
+ state: stopped
+
+- name: Start php-fpm-socket
+ ansible.builtin.systemd:
+ name: "php-fpm@{{ phpmyadmin_user }}.socket"
+ state: started
+ enabled: true
+ daemon_reload: true
+
+- name: Start php-fpm-service
+ ansible.builtin.systemd:
+ name: "php-fpm@{{ phpmyadmin_user }}.service"
+ state: started
+ enabled: true
+ daemon_reload: true
diff --git a/meta/main.yml b/meta/main.yml
index c21a509..7d4c5c8 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,9 +1,9 @@
 galaxy_info:
- author: foodcoops.net admins
+ author: Sense.Lab e.V. admins
 description: Role to setup phpMyAdmin
 license: GPLv3
 min_ansible_version: "2.9"
 platforms:
 - name: Debian
 versions:
- - bullseye
+ - bookworm
diff --git a/tasks/main.yml b/tasks/main.yml
index 51b61ca..c202399 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
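Review bot: The four handler names added here (`Stop php-fpm-socket`, `Stop php-fpm-service`, `Start php-fpm-socket`, `Start php-fpm-service`) are capitalised, while every `notify:` list in this patch (tasks/main.yml `Copy configuration`, tasks/phpfpm.yml `Create pool` and `Copy override file`) uses the lowercase form `stop php-fpm-socket`; as far as I know Ansible resolves a notify string against handler names by exact comparison, so those notifications would not find a handler and a pool or override change would never restart php-fpm. Either rename the notify entries to match, or add `listen: stop php-fpm-socket` (and the other three) under each handler so both spellings resolve. A separate stop/start pair also leaves the unit down if a later handler fails; `state: restarted` on the service plus `state: started` on the socket would be the smaller change, though the explicit ordering may be deliberate for socket activation.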
@@ -1,14 +1,19 @@
 ---
-- name: Get PHP version
- ansible.builtin.shell:
- cmd: php -v | grep -Po '(?<=PHP )([0-9.]{3})'
- register: php_version
- changed_when: false
+- name: Configure PHP
+ ansible.builtin.import_tasks: phpfpm.yml
+ tags: phpfpm
 - name: Install packages
 ansible.builtin.import_tasks: packages.yml
 tags: packages
-- name: Configure webserver
- ansible.builtin.import_tasks: webserver.yml
- tags: webserver
+- name: Copy configuration
+ ansible.builtin.template:
+ src: pma.php.j2
+ dest: "/etc/phpmyadmin/conf.d/{{ inventory_hostname }}.php"
+ mode: "0644"
+ notify:
+ - stop php-fpm-socket
+ - stop php-fpm-service
+ - start php-fpm-socket
+ - start php-fpm-service
diff --git a/tasks/packages.yml b/tasks/packages.yml
index bb346cd..618cd1c 100644
--- a/tasks/packages.yml
+++ b/tasks/packages.yml
@@ -8,5 +8,4 @@
 pkg:
 - python3-passlib
 - phpmyadmin
- - php-fpm
 cache_valid_time: 3600
diff --git a/tasks/phpfpm.yml b/tasks/phpfpm.yml
new file mode 100644
index 0000000..8f57644
--- /dev/null
+++ b/tasks/phpfpm.yml
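Review bot: `Copy configuration` is the only task in this file without a `tags:` entry, so a partial run can address `phpfpm` and `packages` but has no way to reach the phpMyAdmin config step; `tags: config` would keep the three tasks consistent. Its lowercase `notify` names (`stop php-fpm-socket` and the rest) do not match the capitalised handlers in handlers/main.yml, which I raised on that hunk. Stopping and starting php-fpm on every change of a phpMyAdmin config file is probably more than needed, since PHP reads the included file per request, but with opcache enabled in the new pool this is a judgement call rather than a defect.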
@@ -0,0 +1,50 @@
+---
+- name: "PHPFPM | Create user"
+ ansible.builtin.user:
+ name: "{{ phpmyadmin_user }}"
+ shell: /bin/false
+ create_home: false
+ password_lock: true
+
+- name: "PHPFPM | Add www-data to user group"
+ ansible.builtin.user:
+ name: www-data
+ groups: "{{ phpmyadmin_user }}"
+ append: true
+
+- name: "PHPFPM | Create log file"
+ ansible.builtin.file:
+ path: "{{ php_fpm_log_dir }}/{{ phpmyadmin_user }}.log"
+ state: touch
+ mode: "0644"
+ owner: "{{ phpmyadmin_user }}"
+ group: "{{ phpmyadmin_user }}"
+ access_time: preserve
+ modification_time: preserve
+
+- name: "PHPFPM | Create pool"
+ ansible.builtin.template:
+ src: fpmpool.j2
+ dest: "{{ php_fpm_pool_dir }}/{{ phpmyadmin_user }}.cfg"
+ mode: "0644"
+ notify:
+ - stop php-fpm-socket
+ - stop php-fpm-service
+ - start php-fpm-socket
+
+- name: "PHPFPM | Create override directory"
+ ansible.builtin.file:
+ path: "/etc/systemd/system/php-fpm@{{ phpmyadmin_user }}.service.d"
+ state: directory
+ mode: "0755"
+
+- name: "PHPFPM | Copy override file"
+ ansible.builtin.template:
+ src: override.conf.j2
+ dest: "/etc/systemd/system/php-fpm@{{ phpmyadmin_user }}.service.d/override.conf"
+ mode: "0644"
+ notify:
+ - stop php-fpm-socket
+ - stop php-fpm-service
+ - start php-fpm-socket
+ - start php-fpm-service
diff --git a/tasks/webserver.yml b/tasks/webserver.yml
deleted file mode 100644
index 8c5d653..0000000
--- a/tasks/webserver.yml
+++ /dev/null
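Review bot: `Copy override file` templates `override.conf.j2`, but the diffstat of this patch creates only `fpmpool.j2` and `pma.php.j2`; unless that template already exists in the repository, the task fails with a missing-source error on the first run. `Create user` sets `shell: /bin/false`, `create_home: false` and `password_lock: true` but not `system: true`, so the pool user is allocated from the regular user UID range; `system: true` marks it as the service account it is. The pool's log file is created with `mode: "0644"`, and PHP error output can include file paths and query fragments; since only the pool user and, through the group, www-data need to read it, `mode: "0640"` is the tighter default. The lowercase `notify` names here do not match the capitalised handler names, which I raised on the handlers/main.yml hunk.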
@@ -1,29 +0,0 @@
----
-- name: "Webserver | Add domain to certificate list"
- ansible.builtin.lineinfile:
- path: /etc/dehydrated/domains.txt
- line: "{{ phpmyadmin_domain }}"
- when: "'dehydrated' in ansible_facts.packages"
- notify: Get certificate
-
-- name: "Webserver | Create htpasswd file"
- community.general.htpasswd:
- path: "{{ phpmyadmin_htpasswd_file }}"
- name: "foodcoops.net"
- password: "{{ vault_phpmyadmin_password }}"
- owner: root
- group: www-data
- mode: 0640
-
-- name: "Webserver | Copy Nginx configuration"
- ansible.builtin.template:
- src: nginx.conf
- dest: "/etc/nginx/sites-available/{{ phpmyadmin_domain }}"
- mode: 0644
-
-- name: "Webserver | Enable Nginx configuration"
- ansible.builtin.file:
- src: "/etc/nginx/sites-available/{{ phpmyadmin_domain }}"
- dest: "/etc/nginx/sites-enabled/{{ phpmyadmin_domain }}"
- state: link
- notify: reload nginx
diff --git a/templates/fpmpool.j2 b/templates/fpmpool.j2
new file mode 100644
index 0000000..44b9778
--- /dev/null
+++ b/templates/fpmpool.j2
@@ -0,0 +1,23 @@
+[global]
+error_log = ${FPM_ERROR_LOG}
+
+[{{ phpmyadmin_user }}]
+listen = ${FPM_SOCKET_PATH}
+pm = ondemand
+pm.max_children = 10
+pm.process_idle_timeout = 10s
+pm.max_requests = 200
+pm.status_path = /status
+chdir = /
+clear_env = no
+security.limit_extensions = .php .php3 .php4 .php5
+php_admin_value[cgi.fix_pathinfo] = 0
+php_admin_value[opcache.enable] = 1
+php_admin_value[opcache.validate_permission] = 1
+php_admin_value[opcache.validate_root] = 1
+php_admin_value[session.cookie_samesite] = Lax
+php_admin_value[openssl.capath] = /etc/ssl/certs
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[memory_limit] = 256M
+php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_get_status,proc_close,proc_nice,proc_terminate,proc_open,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo
diff --git a/templates/nginx.conf b/templates/nginx.conf
deleted file mode 100644
index 5016953..0000000
--- a/templates/nginx.conf
+++ /dev/null
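Review bot: `php_flag[display_errors] = off` is the only hardening directive in this pool set with `php_flag` rather than `php_admin_flag`, so any script can re-enable error display with `ini_set()`; `php_admin_flag[display_errors] = off` makes it non-overridable, consistent with the `log_errors` line right below it. `clear_env = no` hands the whole environment of the php-fpm master to every worker, so anything present there (including whatever the systemd override sets to supply `FPM_ERROR_LOG` and `FPM_SOCKET_PATH`) becomes readable from PHP; the default `clear_env = yes` plus explicit `env[NAME] = value` entries for what the application needs is the safer shape, and as far as I know the `${...}` expansions in this file are resolved when the master reads its config and do not depend on it. In `disable_functions`, `pcntl_exec` is listed twice and `curl_ini` and `system_exec` do not look like PHP function names — worth checking what was intended, since a misspelled entry silently disables nothing.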
@@ -1,32 +0,0 @@
-server {
- listen 80;
- server_name {{ phpmyadmin_domain }};
- include snippets/letsencrypt.conf;
- location / { return 301 https://$http_host$request_uri; }
-}
-
-server {
- listen 443 ssl http2;
- server_name {{ phpmyadmin_domain }};
- ssl_certificate /var/lib/dehydrated/certs/{{ phpmyadmin_domain }}/fullchain.pem;
- ssl_certificate_key /var/lib/dehydrated/certs/{{ phpmyadmin_domain }}/privkey.pem;
- include /etc/nginx/snippets/add_headers.conf;
-
- auth_basic "Restricted Access Only";
- auth_basic_user_file {{ phpmyadmin_htpasswd_file }};
-
- root /usr/share/phpmyadmin;
- index index.php index.html index.htm;
-
- location ~ \.php$ {
- try_files $uri =404;
- fastcgi_pass unix:/run/php/php{{ php_version.stdout }}-fpm.sock;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- include /etc/nginx/fastcgi_params;
- }
-
- location ~ \.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
- root /usr/share/phpmyadmin;
- }
-}
\ No newline at end of file
diff --git a/templates/pma.php.j2 b/templates/pma.php.j2
new file mode 100644
index 0000000..0e32f6f
--- /dev/null
+++ b/templates/pma.php.j2
@@ -0,0 +1,24 @@
+{{ ansible_managed | comment }}
+
+ "{{ host.address }}",
+{% endfor %}
+);
+
+foreach ($hosts as $verbose => $host) {
+ $i++;
+ $cfg['Servers'][$i]['verbose'] = $verbose;
+ $cfg['Servers'][$i]['host'] = $host;
+ $cfg['Servers'][$i]['port'] = '3306';
+ $cfg['Servers'][$i]['connect_type'] = 'tcp';
+ $cfg['Servers'][$i]['extension'] = 'mysqli';
+ $cfg['Servers'][$i]['compress'] = FALSE;
+ $cfg['Servers'][$i]['auth_type'] = 'cookie';
+}
+{% endif %}
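Review bot: Each server entry connects over TCP to a `phpmyadmin_hosts` address on port 3306 with `auth_type = 'cookie'`, but no `$cfg['Servers'][$i]['ssl']` (nor `ssl_ca` / `ssl_verify`) is set, so the credentials entered in the login form and all query traffic travel to remote database hosts in cleartext unless the network path is protected by other means; for any non-local host add `$cfg['Servers'][$i]['ssl'] = true;` together with the CA settings that match those servers. The hunk as rendered here is missing the span between the `ansible_managed` line and `"{{ host.address }}",` (the PHP opening tag and the array / `{% for %}` opener), so I cannot see where `$i` is initialised or which condition the closing `{% endif %}` belongs to; this note covers only the visible lines. `connect_type` and `extension` are keys I believe current phpMyAdmin no longer reads, so they may be dead entries on the bookworm package — worth checking against the shipped version.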