first commit

README.md

@@ -0,0 +1,11 @@
+phpMyAdmin
+==========
+
+This role installs phpMyAdmin.
+
+# Running the role
+
+Run the playbook with:
+```Shell
+ansible-playbook playbooks/phpmyadmin.yml
+```

defaults/main.yml

@@ -0,0 +1,2 @@
+---
+phpmyadmin_htpasswd_file: /etc/nginx/snippets/.htpasswd

handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: reload nginx
+  ansible.builtin.service:
+    name: nginx
+    state: reloaded
+
+- name: Get certificate
+  ansible.builtin.command:
+    cmd: dehydrated --cron -g

meta/main.yml

@@ -0,0 +1,9 @@
+galaxy_info:
+  author: foodcoops.net admins
+  description: Role to setup phpMyAdmin
+  license: GPLv3
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Debian
+      versions:
+        - bullseye

tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Get PHP version
+  ansible.builtin.shell:
+    cmd: php -v | grep -Po '(?<=PHP )([0-9.]{3})'
+  register: php_version
+  changed_when: false
+
+- name: Install packages
+  ansible.builtin.import_tasks: packages.yml
+  tags: packages
+
+- name: Configure webserver
+  ansible.builtin.import_tasks: webserver.yml
+  tags: webserver

tasks/packages.yml

@@ -0,0 +1,12 @@
+---
+- name: "Packages | Get installed packages"
+  ansible.builtin.package_facts:
+    manager: apt
+
+- name: "Packages | Install packages"
+  ansible.builtin.apt:
+    pkg:
+      - python3-passlib
+      - phpmyadmin
+      - php-fpm
+    cache_valid_time: 3600

tasks/webserver.yml

@@ -0,0 +1,29 @@
+---
+- name: "Webserver | Add domain to certificate list"
+  ansible.builtin.lineinfile:
+    path: /etc/dehydrated/domains.txt
+    line: "{{ phpmyadmin_domain }}"
+  when: "'dehydrated' in ansible_facts.packages"
+  notify: Get certificate
+
+- name: "Webserver | Create htpasswd file"
+  community.general.htpasswd:
+    path: "{{ phpmyadmin_htpasswd_file }}"
+    name: "foodcoops.net"
+    password: "{{ vault_phpmyadmin_password }}"
+    owner: root
+    group: www-data
+    mode: 0640
+
+- name: "Webserver | Copy Nginx configuration"
+  ansible.builtin.template:
+    src: nginx.conf
+    dest: "/etc/nginx/sites-available/{{ phpmyadmin_domain }}"
+    mode: 0644
+
+- name: "Webserver | Enable Nginx configuration"
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/{{ phpmyadmin_domain }}"
+    dest: "/etc/nginx/sites-enabled/{{ phpmyadmin_domain }}"
+    state: link
+  notify: reload nginx

templates/nginx.conf

@@ -0,0 +1,32 @@
+server {
+    listen 80;
+    server_name {{ phpmyadmin_domain }};
+    include snippets/letsencrypt.conf;
+    location / { return 301 https://$http_host$request_uri; }
+}
+
+server {
+    listen 443 ssl http2;
+    server_name {{ phpmyadmin_domain }};
+    ssl_certificate /var/lib/dehydrated/certs/{{ phpmyadmin_domain }}/fullchain.pem;
+    ssl_certificate_key /var/lib/dehydrated/certs/{{ phpmyadmin_domain }}/privkey.pem;
+    include /etc/nginx/snippets/add_headers.conf;
+
+    auth_basic "Restricted Access Only";
+    auth_basic_user_file {{ phpmyadmin_htpasswd_file }};
+
+    root /usr/share/phpmyadmin;
+    index index.php index.html index.htm;
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_pass unix:/run/php/php{{ php_version.stdout }}-fpm.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    location ~ \.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt)$ {
+        root /usr/share/phpmyadmin;
+    }
+}