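---
# Variables for a single-node PHP application host:
#   nginx (TLS only, Let's Encrypt) -> PHP-FPM -> local PostgreSQL,
#   plus an SFTP chroot for content uploads.
#
# Secrets (database password, ssh public keys) are only referenced here and
# must be supplied from the vault / host_vars.

# ---- Base system ---------------------------------------------------------
time_zone: 'Europe/Rome'
domain_name: 'isti.cnr.it'
# Default-deny on the host firewall: only the ports the roles open
# (80/443 below, ssh from the sshd role) are reachable.
iptables_default_policy: REJECT
nagios_enabled: false

# ---- Mail ----------------------------------------------------------------
postfix_relay_host: smtp-srv.isti.cnr.it
postfix_relay_client: false
postfix_use_letsencrypt: true

# ---- Let's Encrypt / acme.sh ----------------------------------------------
# letsencrypt_acme_install: true
letsencrypt_email: s2i2s@isti.cnr.it
letsencrypt_acme_email: s2i2s@isti.cnr.it
letsencrypt_acme_cron_day_of_month: '1-15'
letsencrypt_acme_sh_explicitly_install_certs: true
# Must-Staple marks the certificate as valid only when the server staples an
# OCSP response, so the nginx vhost has to have OCSP stapling enabled or
# clients honouring the extension will refuse the connection.
# NOTE(review): confirm the nginx role turns on ssl_stapling for this vhost.
letsencrypt_ocsp_must_staple: true
letsencrypt_acme_sh_use_ecc: false

http_port: 80
https_port: 443

resolv_conf_ip:
  - '146.48.80.4'
  - '146.48.80.3'

# ---- PostgreSQL ----------------------------------------------------------
local_postgresql_instance: true
# phppgadmin wants its own hostname and virtualhost so that we can limit
# its access.
local_phppgadmin_instance: false

php_app_db_name: app_db
php_app_db_user: app_db_u
# The literal password never lives in this file: it comes from the vault.
php_app_db_pwd: '{{ vault_php_app_db_pwd }}'

psql_db_data:
  - name: '{{ php_app_db_name }}'
    encoding: 'UTF8'
    user: '{{ php_app_db_user }}'
    # CREATEDB lets the application role create arbitrary databases on the
    # cluster; drop it unless the application really needs it.
    roles: 'CREATEDB,NOSUPERUSER'
    pwd: '{{ php_app_db_pwd }}'
    managedb: true
    # pg_hba entries: the host itself plus the loopback network.
    # 127.0.0.0/8 is the canonical spelling of the range 127.0.0.1/8 denotes.
    allowed_hosts:
      - '{{ ansible_fqdn }}'
      - '127.0.0.0/8'
    # NOTE(review): this is a one-element list holding an empty string; if no
    # extension is wanted, [] is probably what the role expects — verify.
    extensions: [ '' ]

psql_version: 13
psql_db_host: localhost
psql_db_port: 5432
# The application runs on the same host: keep PostgreSQL on loopback only.
psql_listen_on_ext_int: false

# ---- PHP application -----------------------------------------------------
php_app_root: /var/www/html
php_app_servername: '{{ ansible_fqdn }}'
php_app_user: php_app

#
# Add the users that must have ssh access to the system
users_system_users:
  - login: 'user.name'
    name: "User Name"
    home: '{{ users_home_dir }}'
    createhome: 'yes'
    ssh_key: '{{ user_name_ssh_key }}'
    shell: '/bin/bash'
    admin: true
    limited_sudoers_user: false

# ---- SFTP chroot -----------------------------------------------------------
sshd_enable_sftp_subsystem: true
sshd_enable_sftp_jail: true
sshd_sftp_chroot_match_group: '{{ php_app_user }}'
# sshd requires the ChrootDirectory (and every component of its path) to be
# owned by root and not group/world writable, so jailed users cannot write
# into the web root itself, only into sub-directories created for them.
sshd_sftp_chroot_directory: '{{ php_app_root }}'

users_additional_groups:
  - group: '{{ sshd_sftp_chroot_match_group }}'

#
# Users that can only sftp. They are put in the chroot match group, which is
# also the PHP-FPM pool user ({{ php_app_user }}): whatever they upload is
# readable — and, depending on directory modes, writable — by the web
# application.
users_system_users_adjunct:
  - login: 'sftponly.user'
    group: '{{ sshd_sftp_chroot_match_group }}'
    name: "Sftponly User"
    home: '{{ users_home_dir }}'
    createhome: 'yes'
    ssh_key: '{{ sftponly_user_ssh_key }}'
    # NOTE(review): an sftp-only account should not carry an interactive
    # shell. If the sshd role forces `internal-sftp` for the match group,
    # '/usr/sbin/nologin' works for sftp and keeps the account harmless even
    # when the jail is not in effect — confirm against the role first.
    shell: '/bin/bash'
    admin: false
    limited_sudoers_user: false
    log_as_root: false

# Define the users ssh public keys here (or in host_vars / vault). The
# entries above reference user_name_ssh_key and sftponly_user_ssh_key; an
# empty value leaves the account without a usable authorized key.
user_name_ssh_key: ''
# sftponly_user_ssh_key is referenced above but is not defined in this file.

# ---- nginx ---------------------------------------------------------------
nginx_use_common_virthost: true
nginx_virthosts: '{{ php_app_nginx_virthost }}'

php_app_nginx_virthost:
  - virthost_name: '{{ ansible_fqdn }}'
    server_name: '{{ php_app_servername }}'
    ssl_enabled: true
    # Nothing is served in clear: plain http only redirects to https.
    ssl_only: true
    ssl_letsencrypt_certs: '{{ nginx_letsencrypt_managed }}'
    root: '{{ php_app_root }}'
    # Hide the nginx version in response headers and error pages.
    server_tokens: 'off'
    index: index.php
    # NOTE(review): must be at least the 32M post_max_size/upload_max_filesize
    # set below, otherwise nginx rejects uploads before PHP sees them.
    max_body: '{{ nginx_client_max_body_size }}'
    proxy_standard_setup: true
    locations:
      - location: '~ \.php$'
        php_target: '{{ phpfpm_default_listen }}'

# ---- PHP-FPM -------------------------------------------------------------
phpfpm_default_user: '{{ php_app_user }}'
phpfpm_default_pool_name: php_app
# Quoted so a YAML 1.1 parser never reads the version as the float 7.4.
# NOTE(review): PHP 7.4 is past upstream end of life (November 2022) and no
# longer receives security fixes.
php_version: '7.4'

php_app_php_required_packages:
  - 'php{{ php_version }}-gd'
  - 'php{{ php_version }}-json'
  - 'php{{ php_version }}-pgsql'
  - 'php{{ php_version }}-xml'
  - 'php{{ php_version }}-mbstring'
  - 'php{{ php_version }}-intl'
  - 'php{{ php_version }}-curl'
  - 'php{{ php_version }}-zip'
  - 'php{{ php_version }}-bz2'
  - 'php{{ php_version }}-gmp'
  # - 'php{{ php_version }}-ldap'
  # - 'php-imagick'
  # - 'php-redis'
  # - 'php-apcu'

php_app_php_global_settings:
  # PHP 5.x directive removed in PHP 7: harmless, but it has no effect on the
  # php_version configured above.
  - { option: 'always_populate_raw_post_data', value: '-1' }
  # Lets fopen()/file_get_contents() open http(s):// and ftp:// URLs, which
  # turns any user-controlled path reaching them into an SSRF vector. Keep it
  # on only if the application actually needs it.
  - { option: 'allow_url_fopen', value: 'on' }
  - { option: 'max_execution_time', value: '240' }
  - { option: 'memory_limit', value: '{{ phpfpm_default_memory_limit }}' }
  - { option: 'max_input_vars', value: '1400' }
  - { option: 'post_max_size', value: '32M' }
  - { option: 'upload_max_filesize', value: '32M' }
  # - { option: 'opcache.enable', value: '1' }
  # - { option: 'opcache.enable_cli', value: '1' }
  # - { option: 'opcache.interned_strings_buffer', value: '8' }
  # - { option: 'opcache.max_accelerated_files', value: '10000' }
  # - { option: 'opcache.memory_consumption', value: '128' }
  # - { option: 'opcache.save_comments', value: '1' }
  # - { option: 'opcache.revalidate_freq', value: '1' }

php_required_packages: '{{ php_app_php_required_packages }}'
php_global_settings: '{{ php_app_php_global_settings }}'
php_cli_global_settings: '{{ php_global_settings }}'

php_app_phpfpm_pools:
  - pool_name: '{{ phpfpm_default_pool_name }}'
    app_context: '{{ phpfpm_default_context }}'
    user: '{{ phpfpm_default_user }}'
    group: '{{ phpfpm_default_group }}'
    listen: '{{ phpfpm_default_listen }}'
    allowed_clients: '{{ phpfpm_default_allowed_clients }}'
    pm: '{{ phpfpm_default_pm }}'
    pm_max_children: '{{ phpfpm_default_pm_max_children }}'
    pm_start_servers: '{{ phpfpm_default_pm_start_servers }}'
    pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}'
    pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}'
    pm_max_requests: '{{ phpfpm_default_pm_max_requests }}'
    pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}'
    pm_status_path: '{{ phpfpm_default_pm_status_path }}'
    ping_enabled: '{{ phpfpm_default_ping_enabled }}'
    ping_path: '{{ phpfpm_default_ping_path }}'
    ping_response: '{{ phpfpm_default_ping_response }}'
    display_errors: '{{ phpfpm_default_display_errors }}'
    log_errors: '{{ phpfpm_default_log_errors }}'
    memory_limit: '{{ phpfpm_default_memory_limit }}'
    slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}'
    rlimit_files: '{{ phpfpm_default_rlimit_files }}'
    php_extensions: '{{ phpfpm_default_extensions }}'
    define_custom_variables: '{{ phpfpm_default_define_custom_variables }}'
    doc_root: '{{ php_app_root }}'
    # Matches max_execution_time above so FPM and PHP time out together.
    req_term_timeout: '240s'
    virthost: '{{ php_app_servername }}'
    nginx_servername: '{{ php_app_servername }}'

# php_app_phpfpm_pools is already a list of pool definitions, so it is
# assigned directly — the same way nginx_virthosts is built above. Wrapping
# it in another list item would hand the role a list containing a list,
# which only works if the role happens to flatten its loop.
phpfpm_pools: '{{ php_app_phpfpm_pools }}'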