This commit is contained in:
phil 2024-01-04 08:05:08 +01:00
parent b34f00fbb8
commit 6dc11ec24e
12 changed files with 162 additions and 80 deletions

5
.gitignore vendored Normal file
View file

@ -0,0 +1,5 @@
.fact_cache
.vault_pass
ansible.log
galaxy/
.vscode/

View file

@ -3,6 +3,28 @@ phpMyAdmin
This role installs phpMyAdmin. This role installs phpMyAdmin.
## Variables
| Name | Note | Default |
|--|--|--|
| `phpmyadmin_user` | System user to create | `pma`
| `phpmyadmin_hosts` | Array with hosts to connect to | *optional* |
| `phpmyadmin_hosts.name` | Hostname of database host | * optional* |
| `phpmyadmin_host.address` | IP address of database host | *optional* |
## Playbook
This role depends on [ansible-role-php](https://git.systemausfall.org/senselab/ansible-role-php):
```Shell
---
- name: Install phpMyAdmin
hosts:
- myhost
roles:
- role: senselab.php
- role: senselab.phpmyadmin
````
# Running the role # Running the role
Run the playbook with: Run the playbook with:

View file

@ -1,2 +1,2 @@
--- ---
phpmyadmin_htpasswd_file: /etc/nginx/snippets/.htpasswd phpmyadmin_user: pma

View file

@ -1,9 +1,24 @@
--- ---
- name: reload nginx - name: Stop php-fpm-socket
ansible.builtin.service: ansible.builtin.systemd:
name: nginx name: "php-fpm@{{ phpmyadmin_user }}.socket"
state: reloaded state: stopped
- name: Get certificate - name: Stop php-fpm-service
ansible.builtin.command: ansible.builtin.systemd:
cmd: dehydrated --cron -g name: "php-fpm@{{ phpmyadmin_user }}.service"
state: stopped
- name: Start php-fpm-socket
ansible.builtin.systemd:
name: "php-fpm@{{ phpmyadmin_user }}.socket"
state: started
enabled: true
daemon_reload: true
- name: Start php-fpm-service
ansible.builtin.systemd:
name: "php-fpm@{{ phpmyadmin_user }}.service"
state: started
enabled: true
daemon_reload: true

View file

@ -1,9 +1,9 @@
galaxy_info: galaxy_info:
author: foodcoops.net admins author: Sense.Lab e.V. admins
description: Role to setup phpMyAdmin description: Role to setup phpMyAdmin
license: GPLv3 license: GPLv3
min_ansible_version: "2.9" min_ansible_version: "2.9"
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- bullseye - bookworm

View file

@ -1,14 +1,19 @@
--- ---
- name: Get PHP version - name: Configure PHP
ansible.builtin.shell: ansible.builtin.import_tasks: phpfpm.yml
cmd: php -v | grep -Po '(?<=PHP )([0-9.]{3})' tags: phpfpm
register: php_version
changed_when: false
- name: Install packages - name: Install packages
ansible.builtin.import_tasks: packages.yml ansible.builtin.import_tasks: packages.yml
tags: packages tags: packages
- name: Configure webserver - name: Copy configuration
ansible.builtin.import_tasks: webserver.yml ansible.builtin.template:
tags: webserver src: pma.php.j2
dest: "/etc/phpmyadmin/conf.d/{{ inventory_hostname }}.php"
mode: "0644"
notify:
- stop php-fpm-socket
- stop php-fpm-service
- start php-fpm-socket
- start php-fpm-service

View file

@ -8,5 +8,4 @@
pkg: pkg:
- python3-passlib - python3-passlib
- phpmyadmin - phpmyadmin
- php-fpm
cache_valid_time: 3600 cache_valid_time: 3600

50
tasks/phpfpm.yml Normal file
View file

@ -0,0 +1,50 @@
---
- name: "PHPFPM | Create user"
ansible.builtin.user:
name: "{{ phpmyadmin_user }}"
shell: /bin/false
create_home: false
password_lock: true
- name: "PHPFPM | Add www-data to user group"
ansible.builtin.user:
name: www-data
groups: "{{ phpmyadmin_user }}"
append: true
- name: "PHPFPM | Create log file"
ansible.builtin.file:
path: "{{ php_fpm_log_dir }}/{{ phpmyadmin_user }}.log"
state: touch
mode: "0644"
owner: "{{ phpmyadmin_user }}"
group: "{{ phpmyadmin_user }}"
access_time: preserve
modification_time: preserve
- name: "PHPFPM | Create pool"
ansible.builtin.template:
src: fpmpool.j2
dest: "{{ php_fpm_pool_dir }}/{{ phpmyadmin_user }}.cfg"
mode: "0644"
notify:
- stop php-fpm-socket
- stop php-fpm-service
- start php-fpm-socket
- name: "PHPFPM | Create override directory"
ansible.builtin.file:
path: "/etc/systemd/system/php-fpm@{{ phpmyadmin_user }}.service.d"
state: directory
mode: "0755"
- name: "PHPFPM | Copy override file"
ansible.builtin.template:
src: override.conf.j2
dest: "/etc/systemd/system/php-fpm@{{ phpmyadmin_user }}.service.d/override.conf"
mode: "0644"
notify:
- stop php-fpm-socket
- stop php-fpm-service
- start php-fpm-socket
- start php-fpm-service

View file

@ -1,29 +0,0 @@
---
- name: "Webserver | Add domain to certificate list"
ansible.builtin.lineinfile:
path: /etc/dehydrated/domains.txt
line: "{{ phpmyadmin_domain }}"
when: "'dehydrated' in ansible_facts.packages"
notify: Get certificate
- name: "Webserver | Create htpasswd file"
community.general.htpasswd:
path: "{{ phpmyadmin_htpasswd_file }}"
name: "foodcoops.net"
password: "{{ vault_phpmyadmin_password }}"
owner: root
group: www-data
mode: 0640
- name: "Webserver | Copy Nginx configuration"
ansible.builtin.template:
src: nginx.conf
dest: "/etc/nginx/sites-available/{{ phpmyadmin_domain }}"
mode: 0644
- name: "Webserver | Enable Nginx configuration"
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ phpmyadmin_domain }}"
dest: "/etc/nginx/sites-enabled/{{ phpmyadmin_domain }}"
state: link
notify: reload nginx

23
templates/fpmpool.j2 Normal file
View file

@ -0,0 +1,23 @@
[global]
error_log = ${FPM_ERROR_LOG}
[{{ phpmyadmin_user }}]
listen = ${FPM_SOCKET_PATH}
pm = ondemand
pm.max_children = 10
pm.process_idle_timeout = 10s
pm.max_requests = 200
pm.status_path = /status
chdir = /
clear_env = no
security.limit_extensions = .php .php3 .php4 .php5
php_admin_value[cgi.fix_pathinfo] = 0
php_admin_value[opcache.enable] = 1
php_admin_value[opcache.validate_permission] = 1
php_admin_value[opcache.validate_root] = 1
php_admin_value[session.cookie_samesite] = Lax
php_admin_value[openssl.capath] = /etc/ssl/certs
php_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[memory_limit] = 256M
php_admin_value[disable_functions] = mail,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_exec,passthru,system,proc_get_status,proc_close,proc_nice,proc_terminate,proc_open,curl_ini,parse_ini_file,show_source,dl,symlink,system_exec,exec,shell_exec,phpinfo

View file

@ -1,32 +0,0 @@
server {
listen 80;
server_name {{ phpmyadmin_domain }};
include snippets/letsencrypt.conf;
location / { return 301 https://$http_host$request_uri; }
}
server {
listen 443 ssl http2;
server_name {{ phpmyadmin_domain }};
ssl_certificate /var/lib/dehydrated/certs/{{ phpmyadmin_domain }}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/{{ phpmyadmin_domain }}/privkey.pem;
include /etc/nginx/snippets/add_headers.conf;
auth_basic "Restricted Access Only";
auth_basic_user_file {{ phpmyadmin_htpasswd_file }};
root /usr/share/phpmyadmin;
index index.php index.html index.htm;
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/run/php/php{{ php_version.stdout }}-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
location ~ \.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
root /usr/share/phpmyadmin;
}
}

24
templates/pma.php.j2 Normal file
View file

@ -0,0 +1,24 @@
{{ ansible_managed | comment }}
<?php
$cfg['ForceSSL'] = true;
{% if phpmyadmin_hosts is defined %}
$i = 0;
$hosts = array (
{% for host in phpmyadmin_hosts %}
"{{ host.name }}" => "{{ host.address }}",
{% endfor %}
);
foreach ($hosts as $verbose => $host) {
$i++;
$cfg['Servers'][$i]['verbose'] = $verbose;
$cfg['Servers'][$i]['host'] = $host;
$cfg['Servers'][$i]['port'] = '3306';
$cfg['Servers'][$i]['connect_type'] = 'tcp';
$cfg['Servers'][$i]['extension'] = 'mysqli';
$cfg['Servers'][$i]['compress'] = FALSE;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
}
{% endif %}