Remove the roles that now have their own repository.

This commit is contained in:
Andrea Dell'Amico 2020-04-30 15:16:39 +02:00
parent 43b871663c
commit 911781c297
51 changed files with 0 additions and 2334 deletions


@ -1,57 +0,0 @@
---
mysql_enabled: True
mysql_pkg_state: present
mysql_conf_dir: /etc/mysql/conf.d
mysql_service_conf_dir: /etc/mysql/mysql.conf.d
mysql_socket: /run/mysqld/mysqld.sock
mysql_data_dir: /var/lib/mysql
mysql_log_dir: /var/log/mysql
mysql_use_ssl: True
mysql_letsencrypt_certificates: True
# python-mysqldb is needed by ansible to manage users and databases
mysql_packages_list:
- mysql-server
- mysql-client
- mytop
- python-mysqldb
- python-pymysql
- python-mysql.connector
mysql_db_name: db_name
mysql_db_user: db_user
mysql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
mysql_binary_logging: True
mysql_server_id: 1
# Alternatives: utf8
mysql_default_encoding: utf8mb4
# Alternatives: utf8_unicode_ci utf8_bin
mysql_default_collation: utf8mb4_unicode_ci
mysql_db_host: localhost
mysql_db_port: 3306
mysql_db_max_connections: 100
mysqld_db_read_buffer_size: 128K
mysql_db_read_rnd_buffer_size: 256K
mysql_db_innodb_data_file_path: 'ibdata1:10M:autoextend'
mysql_db_innodb_buffer_pool_size: 256M
mysql_db_innodb_additional_mem_pool_size: 5M
# Set .._log_file_size to 25 % of buffer pool size
mysql_db_innodb_log_file_size: 64M
mysql_db_innodb_log_buffer_size: 9M
mysql_safe_open_files_limit: 1024
mysql_max_allowed_packet: 16M
mysql_skip_name_resolve: True
mysql_listen_on_ext_int: False
#mysql_db_data:
# - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL', allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32', 'yyy.yyy.yyy.yyy' ] }
mysql_backup_use_nagios: False
mysql_backup_logdir: '{{ mysql_log_dir }}'
mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log'
mysql_backup_retain_copies: 3
mysql_backup_destdir: /var/lib/mysql-backup
mysql_backup_exclude_list: "performance_schema"


@ -1,44 +0,0 @@
#!/bin/bash
H_NAME=$( hostname -f )
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
LE_LOG_DIR=/var/log/letsencrypt
LE_LOG_FILE="${LE_LOG_DIR}/mysql.log"
MYSQL_CERTDIR=/var/lib/mysql
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_FILE
if [ -f "/etc/default/acme_sh_request_env" ] ; then
# shellcheck source=/etc/default/acme_sh_request_env
source "/etc/default/acme_sh_request_env"
else
echo "No letsencrypt default file" >> $LE_LOG_FILE
fi
echo "Copying the cert files" >> $LE_LOG_FILE
if [ ! -f ${MYSQL_CERTDIR}/ca.pem ] ; then
/bin/cp -f "${LE_CERTS_DIR}/fullchain" ${MYSQL_CERTDIR}/ca.pem
chown mysql:mysql ${MYSQL_CERTDIR}/ca.pem
fi
/bin/cp -f "${LE_CERTS_DIR}/privkey" ${MYSQL_CERTDIR}/client-key.pem
chmod 400 ${MYSQL_CERTDIR}/client-key.pem
chown mysql:mysql ${MYSQL_CERTDIR}/client-key.pem
/bin/cp -f "${LE_CERTS_DIR}/cert" ${MYSQL_CERTDIR}/client-cert.pem
chmod 440 ${MYSQL_CERTDIR}/client-cert.pem
chown mysql:mysql ${MYSQL_CERTDIR}/client-cert.pem
echo "Reload the mysql service" >> $LE_LOG_FILE
if [ -x /bin/systemctl ] ; then
systemctl reload mysql >> $LE_LOG_FILE 2>&1
else
service mysql reload >> $LE_LOG_FILE 2>&1
fi
echo "Done." >> $LE_LOG_FILE
exit 0


@ -1,85 +0,0 @@
#!/bin/bash
#echo "`date` mysql DUMP temporarly excluded (by Tom)"
#exit 1
RETVAL=0
MY_BACKUP_USE_NAGIOS="False"
MY_BACKUP_DIR=/var/lib/mysql-backup
MY_DATA_DIR=/var/lib/mysql
N_DAYS_TO_SPARE=7
# Exclude list
EXCLUDE_LIST='performance_schema'
if [ -f /etc/default/mysql_backup ] ; then
. /etc/default/mysql_backup
fi
if [ ! -f /root/.my.cnf ] ; then
exit 1
fi
umask 0077
# Year month day - hour minute second
SAVE_TIME=$( date +%Y%m%d-%H%M%S )
TIMESTAMP=
TIMESTAMP_LOG=$MY_BACKUP_DIR/.timestamp
if [ ! -d $MY_BACKUP_DIR ] ; then
mkdir -p $MY_BACKUP_DIR
fi
if [ ! -d $MY_BACKUP_LOG_DIR ] ; then
mkdir -p $MY_BACKUP_LOG_DIR
fi
if [ ! -d $MY_BACKUP_DIR/history ] ; then
mkdir -p $MY_BACKUP_DIR/history
fi
chmod 700 $MY_BACKUP_DIR
LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status
if [ ! -f $LOCKFILE ] ; then
touch $LOCKFILE
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
> $NAGIOS_LOG
fi
for db in $( mysql -Bse "show databases;" | egrep -v $EXCLUDE_LIST ) ; do
if [ "$db" == "information_schema" ]; then
mysqldump --single-transaction -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
DUMP_RESULT=$?
else
mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
DUMP_RESULT=$?
fi
chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME}
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
if [ $DUMP_RESULT -ne 0 ] ; then
echo "$db:FAILED" >> $NAGIOS_LOG
RETVAL=$DUMP_RESULT
else
echo "$db:OK" >> $NAGIOS_LOG
fi
fi
pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1
rm -f $db.sql
ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql
popd >/dev/null 2>&1
done
# Do a "flush-hosts" after the backup
mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log
TIMESTAMP=$( date +%s )
echo "$TIMESTAMP" > $TIMESTAMP_LOG
rm -f $LOCKFILE
else
echo "Old backup still running" > /var/log/mysql-backup.log
RETVAL=2
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
echo "old backup still running:WARNING" >> $NAGIOS_LOG
fi
fi
# Remove the old backups
find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \;
exit $RETVAL


@ -1,6 +0,0 @@
---
- name: Restart mysql
service: name=mysql state=restarted
- name: Reload mysql
service: name=mysql state=reloaded


@ -1,40 +0,0 @@
---
# 'localhost' needs to be the last item for idempotency, the mysql_user docs
- name: Secure the mysql root user with a password
mysql_user: name=root host={{ item }} password={{ mysql_root_password }} login_unix_socket={{ mysql_socket }}
when: mysql_root_password is defined
with_items:
- '{{ ansible_hostname }}'
- 127.0.0.1
- ::1
- localhost
ignore_errors: True
tags: [ 'mysql', 'mysql_root' ]
- name: Secure the mysql root user when no password has been defined
mysql_user: name=root host={{ item }} password="" login_unix_socket={{ mysql_socket }}
when: mysql_root_password is not defined
with_items:
- '{{ ansible_hostname }}'
- 127.0.0.1
- ::1
- localhost
ignore_errors: True
tags: [ 'mysql', 'mysql_root' ]
- name: Install the .my.cnf file with root password credentials
template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
when: mysql_root_password is defined
tags: [ 'mysql', 'mysql_root' ]
- name: delete anonymous MySQL server user for the server hostname
mysql_user: user="" host="{{ ansible_hostname }}" state="absent" login_unix_socket={{ mysql_socket }}
tags: [ 'mysql', 'mysql_root' ]
- name: delete anonymous MySQL server user for localhost
mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }}
tags: mysql
- name: remove the MySQL test database
mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }}
tags: mysql


@ -1,7 +0,0 @@
---
- name: Stop and disable the mysql server if we do not want it running
service: name=mysql state=stopped enabled=no
when: not mysql_enabled
tags:
- mysql


@ -1,15 +0,0 @@
---
- import_tasks: packages.yml
- import_tasks: mysql-conf.yml
when: mysql_enabled | bool
- import_tasks: manage-mysql-service.yml
- import_tasks: configure_root_access.yml
when: mysql_enabled | bool
- import_tasks: manage_my_db.yml
when: mysql_enabled | bool
- import_tasks: mysql-backup.yml
when: mysql_enabled | bool
- import_tasks: mysql-letsencrypt.yml
when: mysql_letsencrypt_certificates | bool


@ -1,11 +0,0 @@
---
- name: Ensure that the mysql server is enabled and running
service: name=mysql state=started enabled=yes
when: mysql_enabled
tags: [ 'mysql', 'mariadb' ]
- name: Stop and disable the mysql server if we do not want it running
service: name=mysql state=stopped enabled=no
when: not mysql_enabled
tags: [ 'mysql', 'mariadb' ]


@ -1,24 +0,0 @@
---
- name: Add databases to mysql, if any
mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present login_unix_socket={{ mysql_socket }}
with_items: '{{ mysql_db_data | default([]) }}'
when: item.name is defined
tags: [ 'mysql', 'mysql_db' ]
- name: Add a user for the databases
mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv="{{ item.0.name }}.*:{{ item.0.user_grant }}" state=present login_unix_socket={{ mysql_socket }}
with_subelements:
- '{{ mysql_db_data | default([]) }}'
- allowed_hosts
when: item.0.name is defined
tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
- name: Additional user privileges, if defined
mysql_user: name={{ item.0.user }} append_privs=yes priv="{{ item.0.name }}.*:{{ item.0.additional_privs }}" state=present login_unix_socket={{ mysql_socket }}
with_subelements:
- '{{ mysql_db_data | default([]) }}'
- allowed_hosts
when:
- item.0.name is defined
- item.0.additional_privs is defined
tags: [ 'mysql', 'mysql_db', 'mysql_user' ]


@ -1,12 +0,0 @@
---
- name: Install a script that performs mysql dumps
copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750
tags: [ 'mysql', 'mysql_backup' ]
- name: Install the mysql backup defaults
template: src=mysql_backup-default.j2 dest=/etc/default/mysql_backup owner=root group=root mode=0440
tags: [ 'mysql', 'mysql_backup' ]
- name: Cron job that executes mysql nightly backups
template: src=mysql-backup.cron.j2 dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755
tags: [ 'mysql', 'mysql_backup' ]


@ -1,24 +0,0 @@
---
- name: Manage the MySQL configuration files
block:
- name: Create the data directory
file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700
- name: Create the log directory
file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750
- name: Install the main configuration files.
template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
with_items:
- client
- mysql-clients
notify: Restart mysql
- name: Install the main configuration files.
template: src={{ item }}.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644
with_items:
- server
notify: Restart mysql
when: mysql_enabled | bool
tags: [ 'mysql', 'mariadb', 'mysql_conf' ]


@ -1,30 +0,0 @@
---
- name: Manage the letsencrypt configuration
block:
- name: Check if the letsencrypt certificates are in place
stat: path={{ letsencrypt_acme_certs_dir }}/privkey
register: letsencrypt_keyfile
- name: Copy the letsencrypt certificate key into the right place
copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/var/lib/mysql/client-key.pem owner=mysql group=mysql mode=0400 remote_src=yes force=yes
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
notify: Restart mysql
- name: Copy the letsencrypt public certificate into the right place
copy: src={{ letsencrypt_acme_certs_dir }}/cert dest=/var/lib/mysql/client-cert.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
notify: Restart mysql
- name: Copy the letsencrypt CA certificate into the right place
copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/var/lib/mysql/ca.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
notify: Restart mysql
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
- name: Install a script that fix the letsencrypt certificate for mysql and then reload the service
copy: src=letsencrypt-mysql-hook.sh dest={{ letsencrypt_acme_sh_services_scripts_dir }}/mysql owner=root group=root mode=4555
when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install | bool
tags: [ 'mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt' ]


@ -1,6 +0,0 @@
---
- name: install the mysql packages
apt: pkg={{ item }} state={{ mysql_pkg_state }}
with_items: '{{ mysql_packages_list }}'
tags: mysql


@ -1,6 +0,0 @@
# The following options will be passed to all MariaDB clients
[client]
#password = your_password
port = 3306
socket = {{ mysql_socket }}


@ -1,4 +0,0 @@
[client]
user=root
password={{ mysql_root_password }}


@ -1,22 +0,0 @@
#!/bin/bash
LOG_FILE=/var/log/mysql-backup.log
if [ -x /etc/cron.daily/duplicity_backup ] ; then
echo "duplicity backups active. Exiting" > $LOG_FILE
exit 0
fi
# Remote backup performed by BackupPC. If it is active, do not run via cron
if [ -f /var/log/backuppc.log ] ; then
TMSTMP=$( date +%s )
. /var/log/backuppc.log
LAST_BACKUP_TIME=$( expr $TMSTMP - $BACKUP_TIMESTAMP )
if [ $LAST_BACKUP_TIME -lt 86400 -a $BACKUP_RESULT == 'OK' ] ; then
echo "BackupPC is active, doing nothing" > $LOG_FILE
exit 0
fi
fi
/usr/local/sbin/mysql-backup > $LOG_FILE 2>&1
exit 0


@ -1,20 +0,0 @@
[mysql]
[mysql_upgrade]
[mysqladmin]
[mysqlbinlog]
[mysqlcheck]
[mysqldump]
quick
max_allowed_packet = 16M
[mysqlimport]
[mysqlshow]
[mysqlslap]


@ -1,8 +0,0 @@
MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'
MY_BACKUP_LOG_DIR='{{ mysql_backup_logdir }}'
MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}'
N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}'
MY_BACKUP_DIR='{{ mysql_backup_destdir }}'
MY_DATA_DIR='{{ mysql_data_dir }}'
# Exclude list
EXCLUDE_LIST='{{ mysql_backup_exclude_list }}'


@ -1,89 +0,0 @@
# Here follows entries for some specific programs
# The MariaDB server
[mysqld]
user = mysql
{% if mysql_listen_on_ext_int %}
bind-address = 0.0.0.0
{% else %}
bind-address = 127.0.0.1
{% endif %}
port = {{ mysql_db_port }}
socket = {{ mysql_socket }}
basedir = /usr
datadir = {{ mysql_data_dir }}
log_error = {{ mysql_log_dir }}/error.log
skip-external-locking
# Point the following paths to different dedicated disks
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
#
# * Fine Tuning
#
max_connections = {{ mysql_db_max_connections }}
key_buffer_size = 16M
max_allowed_packet = {{ mysql_max_allowed_packet }}
table_open_cache = 512
sort_buffer_size = 8M
net_buffer_length = 8K
thread_stack = 192K
thread_cache_size = 8
read_buffer_size = {{ mysqld_db_read_buffer_size }}
read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
myisam_sort_buffer_size = 16M
{% if mysql_skip_name_resolve %}
skip-name-resolve
{% endif %}
{% if mysqld_sql_mode is defined %}
sql_mode = {{ mysqld_sql_mode }}
{% endif %}
{% if mysqld_ft_stopword_file is defined %}
ft_stopword_file = {{ mysqld_ft_stopword_file }}
{% endif %}
{% if mysqld_ft_min_word_lenght is defined %}
ft_min_word_len = {{ mysqld_ft_min_word_lenght }}
{% endif %}
ft_boolean_syntax = '{{ mysql_ft_boolean_syntax | default('+ -><()~*:\"\"&|') }}'
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
{% if mysql_binary_logging %}
server-id={{ mysql_server_id }}
# Enable binary logging. This is required for acting as a MASTER in a
# replication configuration. You also need the binary log if you need
# the ability to do point in time recovery from your latest backup.
log-bin={{ mysql_log_dir }}/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
# binary logging format - mixed recommended
binlog_format=mixed
{% endif %}
# Uncomment the following if you are using InnoDB tables
innodb_data_home_dir = {{ mysql_data_dir }}
innodb_data_file_path = {{ mysql_db_innodb_data_file_path }}
innodb_log_group_home_dir = {{ mysql_data_dir }}
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
innodb_buffer_pool_size = {{ mysql_db_innodb_buffer_pool_size }}
# Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size = {{ mysql_db_innodb_log_file_size }}
innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }}
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50
{% if mysql_use_ssl %}
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
{% endif %}
[mysqld_safe]
open-files-limit = {{ mysql_safe_open_files_limit }}


@ -1,111 +0,0 @@
---
openvpn_enabled: True
openvpn_enable_system_forward: True
openvpn_management_enabled: False
openvpn_management_ip: 127.0.0.1
openvpn_management_port: 1195
openvpn_management_file: '{{ openvpn_conf_dir }}/auth/management.txt'
# openvpn_management_password: 'set into a vault file'
openvpn_pkg_state: latest
openvpn_pkgs:
- openvpn
# Authentication choices
openvpn_cert_auth_enabled: True
openvpn_username_pam_auth: False
openvpn_radius_auth: False
openvpn_radius_pkg:
- openvpn-auth-radius
# With openvpn-auth-ldap. Broken on Ubuntu trusty
openvpn_ldap_auth: False
openvpn_ldap_pkg:
- openvpn-auth-ldap
openvpn_ldap_perl_auth: False
openvpn_perl_pkg:
- libnet-ldap-perl
# Server conf parameters
openvpn_conf_dir: /etc/openvpn
openvpn_conf_name: openvpn.conf
openvpn_mode: server
openvpn_dev: tun
openvpn_port: 1194
openvpn_protocol: udp
openvpn_server_net: '192.168.254.0 255.255.255.0'
#openvpn_push_routes: []
# - '192.168.253.0 255.255.255.0'
#openvpn_push_settings:
# - "dhcp-option DNS 10.66.0.4"
#openvpn_remote_servers: []
openvpn_force_ccd: False
# openvpn_users_customizations:
# - { cn: 'Joe Bar', ip: '<Client IP>', netmask: '<openvpn_server_net netmask>', routes: [ '192.168.253.0 255.255.255.0' ] }
openvpn_tls_server: True
openvpn_dh: /etc/openvpn/dh2048.pem
openvpn_tls_auth: '/etc/openvpn/ta.key'
openvpn_install_alternative_ca: False
openvpn_alternative_ca_name: ca.pem
openvpn_ca_dir: False
openvpn_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
openvpn_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
openvpn_key: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
openvpn_ha: False
# Not a real master. It is only the host where the dh.pem and ta.key are generated
openvpn_master_host: 'localhost'
openvpn_is_master_host: False
openvpn_compression_enabled: False
openvpn_keepalive: '10 120'
openvpn_max_clients: 100
openvpn_run_unprivileged: True
openvpn_unprivileged_user: nobody
openvpn_unprivileged_group: nogroup
# Not recommended. Use a private CA if possible
openvpn_letsencrypt_managed: False
openvpn_verbosity_log: 3
openvpn_mute_after: 20
# LDAP conf
openvpn_ldap_uri: 'ldap:'
openvpn_ldap_host: ldap.example.org
openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
openvpn_ldap_anon_bind: True
openvpn_ldap_binddn: uid=admin
openvpn_ldap_bindpwd: test
openvpn_ldap_ca: '{{ openvpn_ca }}'
openvpn_ldap_use_ca_dir: False
openvpn_ldap_ca_dir: /etc/ssl/certs
openvpn_ldap_starttls: False
openvpn_ldap_tls_auth: False
openvpn_ldap_tls_cert: '{{ openvpn_cert }}'
openvpn_ldap_tls_key: '{{ openvpn_key }}'
openvpn_ldap_tls_ciphersuite: 'ALL:!ADH:@STRENGTH'
# LDAP auth
openvpn_ldap_base_dn: 'ou=People,dc=example,dc=org'
openvpn_ldap_user_search: '(&(uid=%u))'
openvpn_ldap_require_group: False
# See https://github.com/threerings/openvpn-auth-ldap/issues/7
openvpn_ldap_without_posix_groups: True
openvpn_ldap_group_base: 'ou=Groups,dc=example,dc=org'
openvpn_ldap_group_filter: '(|(cn=developers)(cn=artists))'
openvpn_ldap_group_member_attr: uniqueMember
# Perl LDAP conf
openvpn_ldap_perl_auth_ssl: True
openvpn_ldap_perl_auth_sslport: 636
openvpn_ldap_perl_auth_group: vpn_ldap_posix_group
openvpn_nagios_checks: False
openvpn_nagios_deb_deps:
- libnet-telnet-perl


@ -1,28 +0,0 @@
#!/bin/bash
H_NAME=$( hostname -f )
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
LE_LOG_DIR=/var/log/letsencrypt
DATE=$( date )
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
echo "$DATE" >> $LE_LOG_DIR/openvpn.log
if [ -f /etc/default/letsencrypt ] ; then
. /etc/default/letsencrypt
else
echo "No letsencrypt default file" >> $LE_LOG_DIR/openvpn.log
fi
echo "Reload the openvpn service" >> $LE_LOG_DIR/openvpn.log
if [ -x /bin/systemctl ] ; then
systemctl restart openvpn >> $LE_LOG_DIR/openvpn.log 2>&1
else
service openvpn restart >> $LE_LOG_DIR/openvpn.log 2>&1
fi
echo "Done." >> $LE_LOG_DIR/openvpn.log
exit 0


@ -1,13 +0,0 @@
---
# OpenVPN does not support a service reload
- name: Reload OpenVPN
service: name=openvpn state=restarted
when: openvpn_enabled
- name: Restart OpenVPN
service: name=openvpn state=restarted
when: openvpn_enabled
- name: Reload systemd
systemd: daemon_reload=yes
when: ansible_service_mgr == 'systemd'


@ -1,14 +0,0 @@
---
- name: Create the acme hooks directory if it does not yet exist
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
when:
- openvpn_letsencrypt_managed
- letsencrypt_acme_install
tags: [ 'openvpn', 'letsencrypt' ]
- name: Install a script that fix the letsencrypt certificate for openvpn and then reload the service
copy: src=openvpn-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/openvpn owner=root group=root mode=4555
when:
- openvpn_letsencrypt_managed
- letsencrypt_acme_install
tags: [ 'openvpn', 'letsencrypt' ]


@ -1,8 +0,0 @@
---
- import_tasks: openvpn.yml
- import_tasks: letsencrypt-openvpn.yml
when: openvpn_letsencrypt_managed | bool
- import_tasks: openvpn-nagios.yml
when:
- nagios_enabled is defined and nagios_enabled | bool
- openvpn_nagios_checks | bool


@ -1,18 +0,0 @@
---
- name: Nagios check configuration for openvpn (NRPE required)
block:
- name: Install the nagios check deb deps
apt: pkg={{ openvpn_nagios_deb_deps }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
- name: Install the nagios check script
template: src=check_openvpn.pl.j2 dest={{ nagios_plugins_dir }}/check_openvpn owner=root group=root mode=0755
- name: Install the nagios nrpe configuration
template: src=openvpn-nrpe.cfg.j2 dest={{ nrpe_include_dir }}/openvpn.cfg owner=root group=nagios mode=0440
notify: Reload NRPE server
when:
- openvpn_enabled | bool
- ansible_distribution_file_variety == "Debian"
tags: [ 'openvpn', 'openvpn_nagios', 'nagios' ]


@ -1,209 +0,0 @@
---
- block:
- name: Install the OpenVPN main packages
apt: pkg={{ openvpn_pkgs }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
- name: Create the auth, ipp, ccd and status subdirs
file: dest={{ openvpn_conf_dir }}/{{ item }} state=directory owner={{ openvpn_unprivileged_user }} group=root mode=0770
with_items:
- ipp
- status
- auth
- ccd
when: openvpn_enabled | bool
tags: openvpn
- block:
- name: Install the OpenVPN radius auth plugin package
apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
when: openvpn_radius_auth | bool
tags: [ 'openvpn', 'openvpn_radius' ]
- block:
- name: Install the OpenVPN radius auth plugin package
template: src=management.txt.j2 dest={{ openvpn_management_file }} owner=root group=root mode=0400
when: openvpn_management_enabled | bool
tags: [ 'openvpn', 'openvpn_management' ]
- block:
- name: Install the OpenVPN ldap auth plugin package
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
- name: Install the LDAP auth configuration file
template: src=auth-ldap.conf.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf owner=root group={{ openvpn_unprivileged_group }} mode=0440
notify: Reload OpenVPN
when: openvpn_ldap_auth
tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ]
- block:
- name: Remove the LDAP auth configuration file if LDAP is not used
file: dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf state=absent
notify: Reload OpenVPN
when: not openvpn_ldap_auth
tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ]
- block:
- name: Install the perl libraries needed by the LDAP client authentication script
apt: pkg={{ openvpn_perl_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
- name: Install the perl LDAP auth script
template: src=auth-ldap.pl.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap owner=root group={{ openvpn_unprivileged_group }} mode=0550
when: openvpn_ldap_perl_auth
tags: [ 'openvpn', 'openvpn_ldap' ]
- block:
- name: Install the main OpenVPN configuration file on the servers
template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
notify: Restart OpenVPN
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf' ]
- name: Install the custom configuration for specific OpenVPN users in the servers
template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
with_items: '{{ openvpn_users_customizations | default([]) }}'
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ]
- name: Install the easy-rsa package on servers when we use the certificate authentication
apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
when:
- openvpn_cert_auth_enabled | bool
- openvpn_is_master_host | bool
when: openvpn_mode == 'server'
tags: [ 'openvpn', 'openvpn_conf' ]
- block:
- name: Install the main OpenVPN configuration file on the clients
template: src=client.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
notify: Restart OpenVPN
when: openvpn_mode != 'server'
tags: [ 'openvpn', 'openvpn_conf' ]
- block:
- name: Install the OpenVPN init defaults
template: src=openvpn-defaults.j2 dest=/etc/default/openvpn owner=root group=root mode=0444
notify:
- Restart OpenVPN
- Reload systemd
tags: [ 'openvpn', 'openvpn_conf' ]
- block:
- name: Create the dh file
shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
args:
creates: '{{ openvpn_conf_dir }}/dh2048.pem'
- name: Fix the dh file permissions
file: dest={{ openvpn_conf_dir }}/dh2048.pem owner=root group=root mode=0444
- name: Create the ta key
shell: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key
args:
creates: '{{ openvpn_conf_dir }}/ta.key'
- name: Fix the ta.key file permissions
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
when: openvpn_is_master_host | bool or not openvpn_ha | bool
tags: [ 'openvpn', 'openvpn_conf' ]
- block:
- name: Get the dh file from the master host
synchronize:
src: '{{ openvpn_conf_dir }}/dh2048.pem'
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Relax the ta.key file permissions so that it can be copied around
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Get the ta key from the master host
synchronize:
src: '{{ openvpn_conf_dir }}/ta.key'
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
dest: '/{{ openvpn_conf_dir }}/ta.key'
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Fix the ta.key file permissions
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
- name: Fix the ta.key file permissions on the master host
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
when:
- openvpn_ha | bool
- not openvpn_is_master_host | bool
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
- block:
- name: Get the dh file from the master host
synchronize:
src: '{{ openvpn_conf_dir }}/dh2048.pem'
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
delegate_to: '{{ openvpn_master_host }}'
- name: Relax the ta.key file permissions so that it can be copied around
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
delegate_to: '{{ openvpn_master_host }}'
- name: Get the ta key from the master host
synchronize:
src: '{{ openvpn_conf_dir }}/ta.key'
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
dest: '/{{ openvpn_conf_dir }}/ta.key'
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Fix the ta.key file permissions
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
- name: Fix the ta.key file permissions on the master host
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
delegate_to: '{{ openvpn_master_host }}'
when: openvpn_mode != 'server'
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
- block:
- name: Enable kernel forwarding
sysctl: name={{ item }} value=1 reload=yes state=present
with_items:
- net.ipv4.ip_forward
# - net.ipv6.conf.all.forwarding
when:
- openvpn_enable_system_forward | bool
- openvpn_enabled | bool
- name: Disable kernel forwarding
sysctl: name={{ item }} value=0 reload=yes state=present
with_items:
- net.ipv4.ip_forward
# - net.ipv6.conf.all.forwarding
when: not openvpn_enable_system_forward
- name: Ensure that the OpenVPN service is enabled and running
service: name=openvpn state=started enabled=yes
when: openvpn_enabled | bool
- name: Ensure that the OpenVPN service is stopped and disabled
service: name=openvpn state=stopped enabled=no
when: not openvpn_enabled | bool
tags: openvpn


@ -1,72 +0,0 @@
<LDAP>
# LDAP server URL
URL {{ openvpn_ldap_url }}
{% if not openvpn_ldap_anon_bind %}
# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN "{{ openvpn_ldap_binddn }}"
# Bind Password
Password "{{ openvpn_ldap_bindpwd }}"
{% endif %}
# Network timeout (in seconds)
Timeout 15
{% if openvpn_ldap_starttls %}
# Enable Start TLS
TLSEnable yes
{% else %}
TLSEnable no
{% endif %}
{% if not openvpn_ldap_anon_bind %}
# Follow LDAP Referrals (anonymously)
FollowReferrals no
{% else %}
FollowReferrals yes
{% endif %}
# TLS CA Certificate File
TLSCACertFile {{ openvpn_ldap_ca }}
{% if openvpn_ldap_use_ca_dir %}
# TLS CA Certificate Directory
# TLSCACertDir {{ openvpn_ldap_ca_dir }}
{% endif %}
{% if openvpn_ldap_tls_auth %}
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile {{ openvpn_ldap_tls_cert }}
TLSKeyFile {{ openvpn_ldap_tls_key }}
{% endif %}
# Cipher Suite
# The defaults are usually fine here
#TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
</LDAP>
<Authorization>
# Base DN
BaseDN "{{ openvpn_ldap_base_dn }}"
# User Search Filter
SearchFilter "{{ openvpn_ldap_user_search }}"
# Require Group Membership
RequireGroup {{ openvpn_ldap_require_group }}
{% if openvpn_ldap_require_group %}
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "{{ openvpn_ldap_group_base }}"
SearchFilter "{{ openvpn_ldap_group_filter }}"
RFC2307bis {{ openvpn_ldap_without_posix_groups }}
MemberAttribute {{ openvpn_ldap_group_member_attr }}
# Add group members to a PF table (disabled)
# #PFTable ips_vpn_eng
</Group>
{% endif %}
</Authorization>


@ -1,42 +0,0 @@
#!/usr/bin/perl -w
{% if openvpn_ldap_perl_auth_ssl %}
use Net::LDAPS;
{% else %}
use Net::LDAP;
{% endif %}
use strict;
my $ldap;
my $result;
my $opt_uri = "{{ openvpn_ldap_host }}";
my $opt_user = $ENV{'username'};
my $opt_passwd = $ENV{'password'};
my $opt_group = "cn={{ openvpn_ldap_perl_auth_group }},{{ openvpn_ldap_group_base }}";
my $opt_binddn = "uid=".$opt_user.",{{ openvpn_ldap_base_dn }}";
{% if openvpn_ldap_perl_auth_ssl %}
$ldap = Net::LDAPS->new($opt_uri, version => 3,
port => '{{ openvpn_ldap_perl_auth_sslport }}',
verify => 'require',
{% if openvpn_ca_dir %}
capath => '{{ openvpn_ldap_ca }}'
{% else %}
cafile => '{{ openvpn_ldap_ca }}'
{% endif %}
) or die("LDAPS connect to $opt_uri failed!");
{% else %}
$ldap = Net::LDAP->new($opt_uri) or die("LDAP connect to $opt_uri failed!");
{% endif %}
{% if openvpn_ldap_nonanon_bind %}
$result = $ldap->bind('{{ openvpn_ldap_binddn }}', password => '{{ openvpn_ldap_bindpwd | default('') }}');
{% else %}
$result = $ldap->bind($opt_binddn, password => $opt_passwd);
{% endif %}
$result->code and die($result->error);
$result = $ldap->search(base=>$opt_group, filter => "(&({{ openvpn_ldap_group_member_attr }}=$opt_user))");
$result->code();
if ($result->count == 1) { exit 0; }
unless($result->count){ exit 1; }


@ -1,219 +0,0 @@
#!/usr/bin/perl -w
#######################################################################
#
# Copyright (c) 2007 Jaime Gascon Romero <jgascon@gmail.com>
#
# License Information:
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# $Id: check_openvpn.pl,v 1.0 2007/07/15 16:07:20 jgr Exp jgr $
# $Revision: 1.0 $
# Home Site: http://emergeworld.blogspot.com/
# #####################################################################
use diagnostics;
use strict;
use Net::Telnet ();
use Getopt::Long qw(:config no_ignore_case);
use vars qw($PROGNAME $VERSION);
{% if ansible_distribution_file_variety == "Debian" %}
use lib "/usr/lib/nagios/plugins";
{% elif ansible_distribution_file_variety == "Debian" %}
use lib "/usr/lib64/nagios/plugins";
{% endif %}
use utils qw(%ERRORS);
$PROGNAME = "check_openvpn";
$VERSION = '$Revision: 1.0 $';
$ENV{'PATH'}='';
$ENV{'BASH_ENV'}='';
$ENV{'ENV'}='';
my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r);
sub print_help ();
sub print_usage ();
GetOptions
("h" => \$opt_h, "help" => \$opt_h,
"H=s" => \$opt_H, "host=s" => \$opt_H,
"p=i" => \$opt_p, "port=i" => \$opt_p,
"P=s" => \$opt_P, "password=s" => \$opt_P,
"t=i" => \$opt_t, "timeout=i" => \$opt_t,
"i" => \$opt_i, "ip" => \$opt_i,
"n" => \$opt_n, "numeric" => \$opt_n,
"c" => \$opt_c, "critical" => \$opt_c,
"w" => \$opt_w, "warning" => \$opt_w,
"C=s" => \$opt_C, "common_name=s" => \$opt_C,
"r=s" => \$opt_r, "remote_ip=s" => \$opt_r,
) or exit $ERRORS{'UNKNOWN'};
# default values
unless ( defined $opt_t ) {
$opt_t = 10;
}
if ($opt_h) {print_help(); exit $ERRORS{'OK'};}
if ( ! defined($opt_H) || ! defined($opt_p) ) {
print_usage();
exit $ERRORS{'UNKNOWN'}
}
my @lines;
my @clients;
my @clients_ip;
my $t;
eval {
$t = new Net::Telnet (Timeout => $opt_t,
Port => $opt_p,
Prompt => '/END$/'
);
$t->open($opt_H);
if ( defined $opt_P ) {
$t->waitfor('/ENTER PASSWORD:$/');
$t->print($opt_P);
}
$t->waitfor('/^$/');
@lines = $t->cmd("status 2");
$t->close;
};
if ($@) {
print "OpenVPN Critical: Can't connect to server\n";
exit $ERRORS{'CRITICAL'};
}
if (defined $opt_i || defined $opt_r) {
foreach (@lines) {
if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) {
push @clients_ip, $1;
}
}
if (defined $opt_i) {
print "OpenVPN OK: "."@clients_ip ";
exit $ERRORS{'OK'};
} elsif (defined $opt_r) {
if ( ! grep /\b$opt_r\b/, @clients_ip) {
if (defined $opt_c) {
print "OpenVPN CRITICAL: $opt_r don't found";
exit $ERRORS{'CRITICAL'};
} else {
print "OpenVPN WARNING: $opt_r don't found";
exit $ERRORS{'WARNING'};
}
}
print "OpenVPN OK: "."@clients_ip ";
exit $ERRORS{'OK'};
}
}
foreach (@lines) {
if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) {
push @clients, $1;
}
}
if (defined $opt_C) {
if ( ! grep /\b$opt_C\b/, @clients) {
if (defined $opt_c) {
print "OpenVPN CRITICAL: $opt_C don't found";
exit $ERRORS{'CRITICAL'};
} else {
print "OpenVPN WARNING: $opt_C don't found";
exit $ERRORS{'WARNING'};
}
}
}
if (defined $opt_n) {
print "OpenVPN OK: ".@clients." connected clients.";
exit $ERRORS{'OK'};
}
print "OpenVPN OK: "."@clients ";
exit $ERRORS{'OK'};
#######################################################################
###### Subroutines ####################################################
sub print_usage() {
print "Usage: $PROGNAME -H | --host <IP or hostname> -p | --port <port number> [-P | --password] <password> [-t | --timeout] <timeout in seconds>
[-i | --ip] [-n | --numeric] [-C | --common_name] <common_name> [-r | --remote_ip] <remote_ip> [-c | --critical] [-w | --warning]\n\n";
print " $PROGNAME [-h | --help]\n";
}
sub print_help() {
print "$PROGNAME $VERSION\n\n";
print "Copyright (c) 2007 Jaime Gascon Romero
Nagios plugin to check the clients connected to a openvpn server.
";
print_usage();
print "
-H | --host
IP address or hostname of the openvpn server.
-p | --port
Management port interface of the openvpn server.
-P | --password
Password for the management interface of the openvpn server.
-t | --timeout
Timeout for the connection attempt. Optional, default 10 seconds.
Optional parameters
===================
-i | --ip
Prints the IP address of the remote client instead of the common name.
-n | --numeric
Prints the number of clients connected to the openvpn server.
Matching Parameters
===================
-C | --common_name
The common name, as it is specified in the client certificate, who is wanted to check.
-r | --remote_ip
The client remote ip address who is wanted to check.
-c | --critical
Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected.
-w | --warning
Exits with WARNING status if the client specified by the common name or the remote ip address is not connected.
Other Parameters
================
-h | --help
Show this help.
";
}
# vim:sts=2:sw=2:ts=2:et


@ -1,32 +0,0 @@
client
dev {{ openvpn_dev }}
proto {{ openvpn_protocol }}
{% for srv in openvpn_remote_servers %}
remote {{ srv.host }} {{ srv.port }}
{% endfor %}
remote-random
resolv-retry infinite
nobind
{% if openvpn_run_unprivileged %}
# Downgrade privileges after initialization (non-Windows only)
user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }}
{% endif %}
# Try to preserve some state across restarts.
persist-key
persist-tun
ca {{ openvpn_ca }}
cert {{ openvpn_cert }}
key {{ openvpn_key }}
{% if openvpn_cert_auth_enabled %}
tls-client
remote-cert-tls server
{% endif %}
tls-auth {{ openvpn_tls_auth }} 1
key-direction 1
cipher AES-256-CBC
keepalive {{ openvpn_keepalive }}
# Set log file verbosity.
verb {{ openvpn_verbosity_log }}
# Silence repeating messages
mute {{ openvpn_mute_after }}


@ -1 +0,0 @@
{{ openvpn_management_password }}


@ -1,36 +0,0 @@
# This is the configuration file for /etc/init.d/openvpn
#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configutation file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
#
# WARNING: If you're running systemd the rest of the
# options in this file are ignored.
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0


@ -1,2 +0,0 @@
# OpenVPN connected users
command[openvpn_users]={{ nagios_plugins_dir }}/check_openvpn -H {{ openvpn_management_ip }} -p {{ openvpn_management_port }} -P {{ openvpn_management_password }}


@ -1,126 +0,0 @@
mode {{ openvpn_mode }}
dev {{ openvpn_dev }}
port {{ openvpn_port }}
proto {{ openvpn_protocol }}
{% if openvpn_tls_server %}
tls-server
{% endif %}
dh {{ openvpn_dh }}
ca {{ openvpn_ca }}
cert {{ openvpn_cert }}
key {{ openvpn_key }}
topology subnet
server {{ openvpn_server_net }}
ifconfig-pool-persist ipp/ipp.txt
client-config-dir ccd
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}
{% if openvpn_push_settings is defined %}
{% for dhcp_opt in openvpn_push_settings %}
push "{{ dhcp_opt }}"
{% endfor %}
{% endif %}
tls-auth {{ openvpn_tls_auth }}
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
{% if openvpn_compression_enabled %}
compress lz4-v2
push "compress lz4-v2"
{% endif %}
keepalive {{ openvpn_keepalive }}
{% if not openvpn_cert_auth_enabled %}
# Disable cert-auth
client-cert-not-required
{% endif %}
{% if openvpn_username_pam_auth %}
username-as-common-name
# PAM login
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
{% endif %}
{% if openvpn_ldap_auth %}
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% endif %}
{% if openvpn_ldap_perl_auth %}
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
#script-security 3 execve
{% endif %}
max-clients {{ openvpn_max_clients }}
persist-tun
persist-key
status status/openvpn-status.log
{% if openvpn_run_unprivileged %}
user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }}
{% endif %}
verb {{ openvpn_verbosity_log }}
mute {{ openvpn_mute_after }}
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1


@ -1,79 +0,0 @@
mode {{ openvpn_mode }}
{% if openvpn_management_enabled %}
management {{ openvpn_management_ip }} {{ openvpn_management_port }} {{ openvpn_management_file }}
{% endif %}
dev {{ openvpn_dev }}
port {{ openvpn_port }}
proto {{ openvpn_protocol }}
topology subnet
server {{ openvpn_server_net }}
{% if openvpn_ifconfig_pool is defined %}
# Works in bridge mode only
#ifconfig-pool {{ openvpn_ifconfig_pool }}
{% endif %}
ifconfig-pool-persist ipp/ipp.txt
client-config-dir ccd
{% if openvpn_force_ccd %}
ccd-exclusive
{% endif %}
{% if openvpn_client_routes is defined %}
{% for route in openvpn_client_routes %}
route {{ route }}
{% endfor %}
{% endif %}
{% if openvpn_push_routes is defined %}
{% for route in openvpn_push_routes %}
push "route {{ route }}"
{% endfor %}
{% endif %}
{% if openvpn_push_settings is defined %}
{% for dhcp_opt in openvpn_push_settings %}
push "{{ dhcp_opt }}"
{% endfor %}
{% endif %}
cipher AES-256-CBC
{% if openvpn_compression_enabled %}
compress lz4-v2
push "compress lz4-v2"
{% endif %}
keepalive {{ openvpn_keepalive }}
{% if openvpn_cert_auth_enabled %}
tls-server
{% endif %}
tls-auth {{ openvpn_tls_auth }} 0
key-direction 0
dh {{ openvpn_dh }}
ca {{ openvpn_ca }}
cert {{ openvpn_cert }}
key {{ openvpn_key }}
{% if not openvpn_cert_auth_enabled %}
# Disable cert-auth
client-cert-not-required
{% endif %}
{% if openvpn_username_pam_auth %}
username-as-common-name
# PAM login
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
{% endif %}
{% if openvpn_ldap_auth %}
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% endif %}
{% if openvpn_ldap_perl_auth %}
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
script-security 3 execve
{% endif %}
max-clients {{ openvpn_max_clients }}
persist-tun
persist-key
status status/openvpn-status.log
{% if openvpn_run_unprivileged %}
user {{ openvpn_unprivileged_user }}
group {{ openvpn_unprivileged_group }}
{% endif %}
verb {{ openvpn_verbosity_log }}
mute {{ openvpn_mute_after }}
{% if openvpn_protocol == 'udp' %}
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
{% endif %}


@ -1,4 +0,0 @@
ifconfig-push {{ item.ip }} {{ item.netmask }}
{% for net in item.routes %}
push "route {{ net }}"
{% endfor %}


@ -1,92 +0,0 @@
---
#
# IMPORTANT: the template will be used on a task that refers 'phpfpm_pools' inside a 'with_items' loop. So
# the variables into the template are all 'item.XXX'
#
phpfpm_service_enabled: True
phpfpm_remove_php_module: True
php_from_ppa: False
php_ppa: ppa:ondrej/php
php_version: 7.2
php_run_dir: '/run/php'
phpfpm_root_dir: '/etc/php/{{ php_version }}'
phpfpm_base_dir: '{{ phpfpm_root_dir }}/fpm'
phpfpm_cli_dir: '{{ phpfpm_root_dir }}/cli'
php_fpm_packages:
- 'php{{ php_version }}-fpm'
- 'php{{ php_version }}-cli'
#php_global_settings:
# - { option: '', value: '', state: '' }
#php_cli_global_settings:
# - { option: '', value: '', state: '' }
# Main confign file settings
# It can be 'syslog'
phpfpm_logdir: /var/log/php-fpm
phpfpm_error_logfile: '/var/log/php{{ php_version }}-fpm.log'
phpfpm_syslog_facility: daemon
phpfpm_syslog_ident: php-fpm
phpfpm_log_level: notice
phpfpm_emergency_restart_threshold: 5
phpfpm_emergency_restart_interval: 2m
phpfpm_process_control_timeout: 10s
phpfpm_set_process_max: False
phpfpm_process_max: 256
phpfpm_set_event_mechanism: False
phpfpm_event_mechanism: epoll
# Pools settings
phpfpm_default_pool_name: "php-fpm"
phpfpm_pool_name: "{{ phpfpm_default_pool_name }}"
phpfpm_remove_default_pool: True
phpfpm_use_default_template: True
phpfpm_create_users: True
phpfpm_default_user: php-fpm
phpfpm_default_group: '{{ phpfpm_default_user }}'
phpfpm_listen_on_socket: False
phpfpm_default_listen: "{{ php_run_dir }}/{{ phpfpm_pool_name }}.sock"
#phpfpm_default_listen: "127.0.0.1:9000"
phpfpm_default_allowed_clients: "127.0.0.1"
phpfpm_default_pm: "dynamic"
phpfpm_default_pm_max_children: "50"
phpfpm_default_pm_start_servers: "8"
phpfpm_default_pm_min_spare_servers: "5"
phpfpm_default_pm_max_spare_servers: "12"
phpfpm_default_pm_max_requests: "10000"
phpfpm_default_pm_status_enabled: False
phpfpm_default_pm_status_path: "/status"
phpfpm_default_ping_enabled: False
phpfpm_default_ping_path: "/ping"
phpfpm_default_ping_response: '{{ phpfpm_default_pool_name }}'
phpfpm_default_display_errors: "off"
phpfpm_default_log_errors: "on"
phpfpm_default_memory_limit: "64M"
phpfpm_default_request_terminate_timeout: "240s"
phpfpm_default_slowlog_timeout: "20s"
phpfpm_default_rlimit_files: "4096"
phpfpm_default_extensions: ".php"
phpfpm_default_context: '/'
phpfpm_default_session_handler: 'files'
phpfpm_default_session_prefix: '/var/lib/php'
phpfpm_default_session_dir: '{{ phpfpm_default_session_prefix }}/sessions'
phpfpm_default_define_custom_variables: False
phpfpm_use_memcache_redundancy_sessions: False
phpfpm_use_memcached_redundancy_sessions: False
memcache_session:
- { prop: 'memcache.allow_failover', value: 1 }
- { prop: 'memcache.session_redundancy', value: 3 }
- { prop: 'memcache.hash_strategy', value: 'standard' }
- { prop: 'memcache.max_failover_attempts', value: '20' }
phpfpm_php_variables:
- { prop: 'session.gc_maxlifetime', value: 1440 }
- { prop: 'session.cache_expire', value: 180 }
phpfpm_pools:
- { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}' }


@ -1,8 +0,0 @@
---
- name: Reload php-fpm
service: name=php{{ php_version }}-fpm state=reloaded
when: phpfpm_service_enabled
- name: Restart php-fpm
service: name=php{{ php_version }}-fpm state=restarted
when: phpfpm_service_enabled


@ -1,95 +0,0 @@
---
# php as a standalone service
- name: Install the Ubuntu PHP PPA
apt_repository: repo={{ php_ppa }} state=present update_cache=yes
when: php_from_ppa | bool
tags: [ 'php', 'php_ppa' ]
- name: Remove the Ubuntu PHP PPA
apt_repository: repo={{ php_ppa }} state=absent update_cache=yes
when: not php_from_ppa
tags: [ 'php', 'php_ppa' ]
- name: Install the php-fpm package
apt: pkg={{ php_fpm_packages }} state=present update_cache=yes cache_valid_time=3600
tags: php
- name: Install additional php packages
apt: pkg={{ php_additional_packages | default([]) }} state=present update_cache=yes cache_valid_time=3600
tags: php
- name: Set the timezone if we have one
ini_file: dest={{ phpfpm_base_dir }}/php.ini section=Date option=date.timezone value={{ timezone }} backup=yes
when: timezone is defined
notify: Reload php-fpm
tags: [ 'php', 'php_ini' ]
- name: Modify the global php settings
ini_file: dest={{ phpfpm_base_dir }}/php.ini section={{ item.section | default('PHP') }} option={{ item.option }} value={{ item.value }} backup=yes state={{ item.state | default('present') }}
with_items: '{{ php_global_settings | default([]) }}'
notify: Reload php-fpm
tags: [ 'php', 'php_ini' ]
- name: Modify the global php cli settings
ini_file: dest={{ phpfpm_cli_dir }}/php.ini section={{ item.section | default('PHP') }} option={{ item.option }} value={{ item.value }} backup=yes state={{ item.state | default('present') }}
with_items: '{{ php_cli_global_settings | default([]) }}'
tags: [ 'php', 'php_ini' ]
- name: Activate the memcache sessions support and redundancy if needed
action: configfile path={{ phpfpm_base_dir }}/conf.d/20-memcache.ini key={{ item.prop }} value='{{ item.value }}'
when: phpfpm_use_memcache_redundancy_sessions | bool
with_items: '{{ memcache_session }}'
notify: Reload php-fpm
tags: [ 'php', 'php_ini' ]
- name: remove php-fpm default pool
file: dest={{ phpfpm_base_dir }}/pool.d/www.conf state=absent
when: phpfpm_remove_default_pool | bool
notify: Restart php-fpm
tags: php
- name: Create the users under the php-fpm processes will run
user: name={{ item.user }} comment="{{ item.user }}" home=/dev/null createhome=no shell=/sbin/nologin
with_items: '{{ phpfpm_pools }}'
when: phpfpm_create_users | bool
notify: Restart php-fpm
tags: [ 'php', 'fpm_pool' ]
- name: Create the directories where to store the sessions files. One for each pool
file: dest={{ phpfpm_session_prefix }}/{{ item.pool_name }} owner={{ item.user }} group=root mode=0750 state=directory
with_items: '{{ phpfpm_pools }}'
when:
- phpfpm_session_prefix is defined
- phpfpm_use_default_template | bool
tags: [ 'php', 'fpm_pool' ]
- name: Create the directories where to store the log files
file: dest={{ phpfpm_logdir }} owner=root group=root mode=0750 state=directory
tags: [ 'php', 'fpm_pool' ]
- name: Install the php-fpm logrotate file
template: src=php-fpm.logrotate.j2 dest=/etc/logrotate.d/php-fpm owner=root group=root mode=0444
tags: [ 'php', 'fpm_conf' ]
- name: Install the php-fpm main config file
template: src=php-fpm.conf.j2 dest={{ phpfpm_base_dir }}/php-fpm.conf owner=root group=root mode=0444
notify: Restart php-fpm
tags: [ 'php', 'fpm_conf', 'fpm_pool' ]
- name: Install the php-fpm pools
template: src=php-fpm-pool.conf.j2 dest={{ phpfpm_base_dir }}/pool.d/{{ item.pool_name }}.conf owner=root group=root mode=0444
with_items: '{{ phpfpm_pools }}'
when: phpfpm_use_default_template | bool
notify: Restart php-fpm
tags: [ 'php', 'fpm_conf', 'fpm_pool', 'fpm_pool_conf' ]
- name: Ensure that the php-fpm service is started and enabled
service: name=php{{ php_version }}-fpm state=started enabled=yes
when: phpfpm_service_enabled | bool
tags: php
- name: Ensure that the php-fpm service is stopped and disabled
service: name=php{{ php_version }}-fpm state=stopped enabled=no
when: not phpfpm_service_enabled
tags: php


@ -1,296 +0,0 @@
; Start a new pool named 'www'.
[{{ item.pool_name | default('www') }}]
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses on a
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = {{ item.listen | default ('127.0.0.1:9000') }}
; Set listen(2) backlog. A value of '-1' means unlimited.
; Default Value: -1
;listen.backlog = -1
; List of ipv4 addresses of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
listen.allowed_clients = {{ item.allowed_clients | default ('127.0.0.1') }}
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0666
{% if phpfpm_listen_on_socket %}
listen.owner = {{ item.user }}
listen.group = www-data
listen.mode = 0660
{% endif %}
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
; RPM: apache Choosed to be able to access some dir as httpd
user = {{ item.user | default('php-fpm') }}
; RPM: Keep a group allowed to write in log dir.
group = {{ item.group | default('php-fpm') }}
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives:
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; Note: This value is mandatory.
pm = {{ item.pm | default('dynamic') }}
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes to be created when pm is set to 'dynamic'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI.
; Note: Used when pm is set to either 'static' or 'dynamic'
; Note: This value is mandatory.
pm.max_children = {{ item.pm_max_children | default('50') }}
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = {{ item.pm_start_servers | default('3') }}
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = {{ item.pm_min_spare | default('1') }}
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = {{ item.pm_max_spare | default('10') }}
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
pm.max_requests = {{ item.pm_max_requests | default('10000') }}
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. By default, the status page shows the following
; information:
; accepted conn - the number of request accepted by the pool;
; pool - the name of the pool;
; process manager - static or dynamic;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes.
; The values of 'idle processes', 'active processes' and 'total processes' are
; updated each second. The value of 'accepted conn' is updated in real time.
; Example output:
; accepted conn: 12073
; pool: www
; process manager: static
; idle processes: 35
; active processes: 65
; total processes: 100
; By default the status page output is formatted as text/plain. Passing either
; 'html' or 'json' as a query string will return the corresponding output
; syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
pm.status_path = {{ item.pm_status_path | default('/status') }}
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
ping.path = {{ item.ping_path | default('/ping') }}
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
ping.response = {{ item.ping_response | default('www') }}
access.log = /var/log/php-fpm/$pool-access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: ouput header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
access.format = "%{REMOTE_ADDR}e - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
request_terminate_timeout = {{ item.req_term_timeout | default('240s') }}
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
request_slowlog_timeout = {{ item.slowlog_timeout | default('20s') }}
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
slowlog = /var/log/php-fpm/$pool-slow.log
; Set open file descriptor rlimit.
; Default Value: system defined value
rlimit_files = {{ item.rlimit_files | default('4096') }}
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start. This value must be an absolute path.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Default Value: no
catch_workers_output = yes
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; exectute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
security.limit_extensions = {{ item.php_extensions | default('.php') }}
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
php_flag[display_errors] = {{ item.display_errors | default('off') }}
php_admin_value[error_log] = {{ phpfpm_logdir }}/$pool-error.log
php_admin_flag[log_errors] = {{ item.log_errors | default('on') }}
php_admin_value[memory_limit] = {{ item.memory_limit | default('64M') }}
php_admin_value[upload_max_filesize] = {{ item.upload_max_filesize | default('20M') }}
php_admin_value[post_max_size] = {{ item.upload_max_filesize | default('20M') }}
php_admin_value[upload_tmp_dir] = {{ item.upload_tmp_dir | default('/var/tmp') }}
; Set session path to a directory owned by process user
php_value[session.save_handler] = '{{ item.session_save_handler | default('files') }}'
{% if phpfpm_session_prefix is defined %}
php_value[session.save_path] = '{{ phpfpm_session_prefix }}/{{ item.pool_name }}'
{% else %}
php_value[session.save_path] = '{{ phpfpm_default_session_dir }}'
{% endif %}
{% if item.define_custom_variables is defined and item.define_custom_variables %}
{% for php_var in phpfpm_php_variables %}
php_value[{{ php_var.prop }}] = {{ php_var.value }}
{% endfor %}
{% endif %}


@ -1,115 +0,0 @@
;;;;;;;;;;;;;;;;;;;;;
; FPM Configuration ;
;;;;;;;;;;;;;;;;;;;;;
; All relative paths in this configuration file are relative to PHP's install
; prefix.
; Include one or more files. If glob(3) exists, it is used to include a bunch of
; files from a glob(3) pattern. This directive can be used everywhere in the
; file.
;include={{ phpfpm_base_dir }}/*.conf
;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;
[global]
; Pid file
; Default Value: none
pid = /run/php/php{{ php_version }}-fpm.pid
; Error log file
; If it's set to "syslog", log is sent to syslogd instead of being written
; in a local file.
; Default Value: /var/log/php-fpm.log
error_log = {{ phpfpm_error_logfile }}
{% if phpfpm_error_logfile == 'syslog' %}
; syslog_facility is used to specify what type of program is logging the
; message. This lets syslogd specify that messages from different facilities
; will be handled differently.
; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
; Default Value: daemon
syslog.facility = {{ phpfpm_syslog_facility }}
; syslog_ident is prepended to every message. If you have multiple FPM
; instances running on the same server, you can change the default value
; which must suit common needs.
; Default Value: php-fpm
syslog.ident = {{ phpfpm_syslog_ident }}
{% endif %}
; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
log_level = {{ phpfpm_log_level }}
; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
emergency_restart_threshold = {{ phpfpm_emergency_restart_threshold }}
; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated. This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
emergency_restart_interval = {{ phpfpm_emergency_restart_interval }}
; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
process_control_timeout = {{ phpfpm_process_control_timeout }}
; The maximum number of processes FPM will fork. This has been design to control
; the global number of processes when using dynamic PM within a lot of pools.
; Use it with caution.
; Note: A value of 0 indicates no limit
; Default Value: 0
{% if phpfpm_set_process_max %}
process.max = {{ phpfpm_process_max }}
{% endif %}
; Specify the nice(2) priority to apply to the master process (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool process will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
;process.priority = -19
; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
daemonize = yes
; Set open file descriptor rlimit for the master process.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit for the master process.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
{% if phpfpm_set_event_mechanism %}
; Specify the event mechanism FPM will use. The following is available:
; - select (any POSIX os)
; - poll (any POSIX os)
; - epoll (linux >= 2.5.44)
; Default Value: not set (auto detection)
events.mechanism = {{ phpfpm_event_mechanism }}
{% endif %}
;;;;;;;;;;;;;;;;;;;;
; Pool Definitions ;
;;;;;;;;;;;;;;;;;;;;
; See /etc/php-fpm.d/*.conf
; To configure the pools it is recommended to have one .conf file per
; pool in the following directory:
include={{ phpfpm_base_dir }}/pool.d/*.conf

View File

@ -1,10 +0,0 @@
{{ phpfpm_logdir}}/*log {
missingok
notifempty
sharedscripts
delaycompress
postrotate
/usr/lib/php5/php5-fpm-reopenlogs
endscript
}


@ -1,36 +0,0 @@
Role Name
=========
Role that installs phpMyAdmin. Optionally depends on apache/nginx and php-fpm. I do not force the dependency because it could be installed together with other PHP applications.
Requirements
------------
Some PHP package dependencies are listed in the documentation at <https://docs.phpmyadmin.net/en/latest/require.html#php>.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
No Galaxy dependecies right now
Example Playbook
----------------
- hosts: servers
roles:
- { role: phpMyAdmin }
License
-------
EUPL 1.2
Author Information
------------------
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>


@ -1,45 +0,0 @@
---
phpmyadmin_shared_installation: True
phpmyadmin_behind_nginx: True
phpmyadmin_behind_apache: False
phpmyadmin_version: 5.0.2
phpmyadmin_app: 'phpMyAdmin-{{ phpmyadmin_version }}-all-languages'
phpmyadmin_download_link: 'https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/{{ phpmyadmin_app }}.zip'
phpmyadmin_install_dir: /srv/phpmyadmin
phpmyadmin_phpfpm_pool_name: phpmyadmin
phpmyadmin_phpfpm_pool_user: phpmyadmin
phpmyadmin_phpfpm_doc_root: '{{ phpmyadmin_install_dir }}/phpmyadmin'
phpmyadmin_phpfpm_app_context: '/phpmyadmin'
phpmyadmin_phpfpm_listen_port: 9000
phpmyadmin_phpfpm_pm_max_children: "6"
phpmyadmin_phpfpm_pm_start_servers: 2
phpmyadmin_phpfpm_pm_min_spare_servers: 2
phpmyadmin_phpfpm_pm_max_spare_servers: 3
phpmyadmin_phpfpm_virthost: '{{ ansible_fqdn }}'
phpmyadmin_default_lang: 'en'
#phpmyadmin_blowfish_secret: 'generate it'
phpmyadmin_target_servers:
- { description: 'local mysql server', host: 'localhost', port: 3306, socket: '', ssl: 'true', auth_type: 'cookie', user: '', password: '', only_db: "'db1', 'db2'", allowroot: 'false' }
phpmyadmin_php_packages:
- 'php{{ php_version }}-fpm'
- 'php{{ php_version }}-json'
- 'php{{ php_version }}-intl'
- 'php{{ php_version }}-cli'
- 'php{{ php_version }}-mysqlnd'
- 'php{{ php_version }}-gd'
- 'php{{ php_version }}-json'
- 'php{{ php_version }}-curl'
- 'php{{ php_version }}-mbstring'
- 'php{{ php_version }}-readline'
- 'php{{ php_version }}-bz2'
- 'php{{ php_version }}-zip'
- php-php-gettext
- php-phpseclib
- php-tcpdf
- imagemagick
phpmyadmin_phpfpm_pool:
- { pool_name: '{{ phpmyadmin_phpfpm_pool_name }}', app_context: '{{ phpmyadmin_phpfpm_app_context }}', doc_root: '{{ phpmyadmin_install_dir }}', user: '{{ phpmyadmin_phpfpm_pool_user }}', group: '{{ phpfpm_co_guard_user }}', listen: '{{ phpfpm_listen_host }}:{{ phpmyadmin_phpfpm_listen_port }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpmyadmin_phpfpm_pm_max_children }}', pm_start_servers: '{{ phpmyadmin_phpfpm_pm_start_servers }}', pm_min_spare: '{{ phpmyadmin_phpfpm_pm_min_spare_servers }}', pm_max_spare: '{{ phpmyadmin_phpfpm_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', req_term_timeout: '240s', admin_write: True, virthost: '{{ phpmyadmin_phpfpm_virthost }}' }


@ -1,2 +0,0 @@
---
# handlers file for phpMyAdmin


@ -1,46 +0,0 @@
galaxy_info:
author: Andrea Dell'Amico
description: IT architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL 1.2
min_ansible_version: 2.7
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
platforms:
- name: EL
versions:
- 7
- name: Ubuntu
versions:
- bionic
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies:
- { role: '../../library/roles/php-fpm', when: not phpmyadmin_shared_installation | bool }
- { role: '../../library/roles/nginx', when: not phpmyadmin_shared_installation | bool and phpmyadmin_behind_nginx | bool }
- { role: '../../library/roles/apache', when: not phpmyadmin_shared_installation | bool and phpmyadmin_behind_apache | bool }


@ -1,31 +0,0 @@
---
- name: Install and configure phpMyAdmin
block:
- name: Create the phpmyadmin download directory
file: dest={{ phpmyadmin_install_dir }} state=directory
- name: Create the phpmyadmin download, upload and tmp directories
file: dest={{ item }} state=directory owner={{ phpmyadmin_phpfpm_pool_user }} mode=0700
with_items:
- '{{ phpmyadmin_install_dir }}/upload'
- '{{ phpmyadmin_install_dir }}/download'
- '{{ phpmyadmin_install_dir }}/tmp'
- name: Download and unarchive the phpMyAdmin distribution
unarchive: remote_src=yes src={{ phpmyadmin_download_link }} dest={{ phpmyadmin_install_dir }}
args:
creates: '{{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }}/index.php'
- name: Remove the test and setup directories
file: dest={{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }}/{{ item }} state=absent
with_items:
- 'test'
- setup
- name: Set the path to the phpMyAdmin installation
file: src={{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }} dest={{ phpmyadmin_phpfpm_doc_root }} state=link
- name: Install the phpMyAdmin config file
template: src=phpmyadmin-config.inc.php.j2 dest={{ phpmyadmin_phpfpm_doc_root }}/config.inc.php owner={{ phpmyadmin_phpfpm_pool_user }} group={{ phpmyadmin_phpfpm_pool_user }} mode=0440
tags: [ 'phpMyadmin', 'phpmyadmin' ]


@ -1,25 +0,0 @@
<?php
/* Servers configuration */
{% for server in phpmyadmin_target_servers %}
/* Server: {{ server.description }} [{{ server.id }}] */
$cfg['Servers'][{{ server.id }}]['verbose'] = '{{ server.description }}';
$cfg['Servers'][{{ server.id }}]['host'] = '{{ server.host }}';
$cfg['Servers'][{{ server.id }}]['port'] = {{ server.port }};
$cfg['Servers'][{{ server.id }}]['socket'] = '{{ server.socket }}';
$cfg['Servers'][{{ server.id }}]['ssl'] = {{ server.ssl }};
$cfg['Servers'][{{ server.id }}]['auth_type'] = '{{ server.auth_type }}';
$cfg['Servers'][{{ server.id }}]['user'] = '{{ server.user }}';
$cfg['Servers'][{{ server.id }}]['password'] = '{{ server.password }}';
$cfg['Servers'][{{ server.id }}]['only_db'] = array({{ server.only_db }});
$cfg['Servers'][{{ server.id }}]['AllowRoot'] = {{ server.allowroot }};
{% endfor %}
/* End of servers configuration */
$cfg['blowfish_secret'] = "{{ phpmyadmin_blowfish_secret }}";
$cfg['DefaultLang'] = '{{ phpmyadmin_default_lang }}';
$cfg['ServerDefault'] = 1;
$cfg['UploadDir'] = '{{ phpmyadmin_install_dir }}/upload';
$cfg['SaveDir'] = '{{ phpmyadmin_install_dir}}/download';
$cfg['TempDir'] = '{{ phpmyadmin_install_dir}}/tmp';
?>


@ -1,2 +0,0 @@
localhost


@ -1,5 +0,0 @@
---
- hosts: localhost
remote_user: root
roles:
- phpMyAdmin


@ -1,2 +0,0 @@
---
# vars file for phpMyAdmin