---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.

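### UPSTREAM BEGIN ⇒ ###
# Hand over to the etckeeper.inc role (tasks_from=upstream.yml, tagged "php")
# before any /etc file is touched below.  Module arguments are written in
# block form rather than as a key=value string.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: php
### ⇐ UPSTREAM BEGIN ###
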
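- name: install software
  # The whole list is handed to the package module in one call, so the package
  # manager resolves it in a single transaction instead of one run per item.
  package:
    name:
      - php-apcu
      - php-gd
      - php-imagick
      - php-intl
      - php-pgsql
      - php-pspell
      - php-sqlite
      - php-xsl
      - php-geoip
      - geoip-database-extra
    state: present
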
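- name: install front software
  # php-fpm is only installed on hosts of the "front" group; the list is
  # passed to the module directly rather than looped over.
  package:
    name:
      - php-fpm
    state: present
  when:
    - (inventory_hostname in groups['front'])
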
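### UPSTREAM END ⇒ ###
# Second hand-over to etckeeper.inc (tasks_from=merge.yml, tagged "php"), run
# after the packages are installed and before the local edits start.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: php
### ⇐ UPSTREAM END ###
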
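- name: enable PHP extensions
  # Uncomment the packaged ";extension=<name>..." line in each extension's own
  # conf.d drop-in.  Only the captured "extension=<name>" part is kept, and
  # backrefs leaves the file untouched when nothing matches.
  lineinfile:
    path: /etc/php/conf.d/{{item}}.ini
    backrefs: true
    regexp: '^;\s*(extension\s*=\s*{{item}}).*$'
    line: '\1'
  loop:
    - apcu
    - geoip
    - imagick
  # A newly enabled extension is only picked up by a restarted php-fpm, as for
  # the php.ini edits that follow.
  notify:
    - restart php-fpm.service (front)
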
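- name: alter PHP APCu configuration lines
  # "apc.enable_cli" contains a regex metacharacter, so the name is escaped
  # before it is used as a pattern; the pattern matches the directive whether
  # or not it is currently commented out.
  lineinfile:
    path: /etc/php/conf.d/apcu.ini
    regexp: '^;*{{item.name | regex_escape}}\s*='
    line: '{{item.name}}={{item.value}}'
  loop:
    - {name: 'apc.enable_cli', value: 1}
  notify:
    - restart php-fpm.service (front)
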
- name: activate PHP extensions
  # Uncomment the "extension=<name>" (or "zend_extension=<name>") line of every
  # listed extension in the main php.ini.  The replacement is the captured
  # directive only: an optional ".so" suffix is part of the capture and stays,
  # trailing whitespace is outside it and goes.
  lineinfile:
    path: /etc/php/php.ini
    regexp: '^;*((?:zend_)?extension={{item}}(?:\.so)?)\s*$'
    line: '\1'
    backrefs: true
  loop:
    - bcmath
    - bz2
    - calendar
    - dba
    - exif
    - gd
    - gettext
    - gmp
    - iconv
    - intl
    - ldap
    - opcache
    - pdo_pgsql
    - pdo_sqlite
    - pgsql
    - pspell
    - shmop
    - soap
    - sockets
    - sqlite3
    - sysvmsg
    - xmlrpc
    - xsl
  notify:
    - restart php-fpm.service (front)

- name: disable PHP configuration lines
  # Comment out an active "<name> = ..." directive in php.ini.  A line that is
  # already commented does not match the pattern, so re-running is a no-op.
  lineinfile:
    path: /etc/php/php.ini
    regexp: '^({{item}}\s*=.*)$'
    line: ';\1'
    backrefs: true
  loop:
    - output_buffering
  notify:
    - restart php-fpm.service (front)

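- name: alter PHP configuration lines
  # Set (or uncomment and set) one php.ini directive per item.  Names such as
  # "cgi.fix_pathinfo" contain a dot, so the name is regex-escaped before it is
  # used as a pattern; unescaped, "." would match any character.
  lineinfile:
    path: /etc/php/php.ini
    regexp: '^;*{{item.name | regex_escape}}\s*='
    line: '{{item.name}}={{item.value}}'
  loop:
    # 0 / -1 switch off PHP's own execution-time, input-time and POST-size
    # limits.  NOTE(review): the request body is then bounded only by the
    # front web server and by upload_max_filesize — confirm that is intended.
    - {name: max_execution_time, value: 0}
    - {name: max_input_time, value: -1}
    - {name: memory_limit, value: 512M}
    - {name: post_max_size, value: 0}
    # cgi.fix_pathinfo=0: do not let PHP fall back to PATH_INFO to locate the
    # script when the requested file does not exist.
    - {name: 'cgi.fix_pathinfo', value: 0}
    - {name: upload_tmp_dir, value: /var/tmp/}
    - {name: upload_max_filesize, value: "{{http_max_upload}}"}
    - {name: 'date.timezone', value: "{{timezone}}"}
  notify:
    - restart php-fpm.service (front)
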
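# Everything in this block applies to "front" hosts only (see the when: at the
# end of the block).  File modes are quoted strings so that no YAML loader can
# reinterpret the leading zero.
- name: configure php-fpm
  block:

    - name: create php-fpm working directories
      # tmpfiles entry for the runtime directory that holds the PID file set
      # below; the systemd drop-in orders php-fpm after tmpfiles setup.
      copy:
        content: |
          #Type Path Mode UID GID Age Argument
          d /run/php-fpm 775 http http - -
        dest: /etc/tmpfiles.d/run_php.conf
        mode: '0644'
      notify:
        - create php-fpm tmpfiles

    - name: prepare to override systemd settings
      file:
        path: /etc/systemd/system/{{item}}.service.d
        state: directory
        mode: '0755'
      loop:
        - php-fpm

    - name: secure systemd settings for php-fpm
      # Drop-in that runs php-fpm as http:http with a minimal capability set
      # and a restricted view of the file system.  NOTE(review):
      # ProtectSystem=true only makes /usr and /boot read-only; "full" would
      # cover /etc as well, and "strict" would additionally need
      # ReadWritePaths= for /run/php-fpm and the socket directory used in
      # www.conf below.
      copy:
        content: |
          [Unit]
          After=systemd-tmpfiles-setup.service
          [Service]
          User=http
          Group=http
          CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
          PrivateTmp=true
          PrivateDevices=true
          ProtectSystem=true
          ProtectHome=true
          NoNewPrivileges=true
          PIDFile=/run/php-fpm/php-fpm.pid
        dest: /etc/systemd/system/php-fpm.service.d/secure-{{nickname}}.conf
        mode: '0644'
      notify:
        - restart php-fpm.service (front)

    - name: set the php-fpm settings
      # Pool keys such as "pm.max_children" contain a dot; the key is escaped
      # before it is used as a pattern so only that exact directive is rewritten.
      lineinfile:
        path: /etc/php/php-fpm.d/www.conf
        regexp: '^;*{{item.key | regex_escape}}\s*='
        line: '{{item.key}} = {{item.value}}'
      with_dict:
        listen: /run/shared_sockets/php-fpm
        pm: dynamic
        'pm.max_children': '{{php_max_workers}}'
        'pm.start_servers': 1
        'pm.min_spare_servers': 1
        'pm.max_spare_servers': '{{php_max_workers}}'
        'pm.max_requests': '{{php_worker_max_reqs}}'
      notify:
        - restart php-fpm.service (front)

    - name: disable useless user/group specs
      # The service already runs as http:http (User=/Group= in the drop-in
      # above), so the pool's own user/group directives are commented out.
      # NOTE(review): with listen.group commented out the socket's group is
      # php-fpm's default; confirm the web server can still connect to
      # /run/shared_sockets/php-fpm.
      lineinfile:
        path: /etc/php/php-fpm.d/www.conf
        backrefs: true
        regexp: '^({{item | regex_escape}}\s*=.*)'
        line: ';\1'
      loop:
        - user
        - group
        - 'listen.group'
      notify:
        - restart php-fpm.service (front)

    - name: set the PID file path for php-fpm
      # Must agree with PIDFile= in the systemd drop-in above.
      lineinfile:
        path: /etc/php/php-fpm.conf
        regexp: '^;*pid\s*='
        line: 'pid = /run/php-fpm/php-fpm.pid'
      notify:
        - restart php-fpm.service (front)

    - name: enable php-fpm.service
      # daemon_reload makes systemd read the new drop-in before enabling.
      systemd:
        daemon_reload: true
        name: php-fpm.service
        enabled: true

    - name: PHP test-page in test environment
      # phpinfo() discloses the full PHP configuration and environment, so this
      # page is only written when env is 'dev'.
      copy:
        content: <?php phpinfo();
        dest: /srv/http/index.php
        mode: '0644'
      when: (env == 'dev')

  when:
    - (inventory_hostname in groups['front'])
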
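### LOCAL COMMIT ⇒ ###
# Final hand-over to etckeeper.inc (tasks_from=local.yml, tagged "php") once
# all local edits are in place.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: php
### ⇐ LOCAL COMMIT ###
# Run the handlers notified above now instead of at the end of the play.
- meta: flush_handlers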