Merge pull request 'Remove the roles that now have their repository.' (#196) from adellam/ansible-roles:master into master
commit
b2de615795
@ -1,57 +0,0 @@
|
|||
---
|
||||
mysql_enabled: True
|
||||
mysql_pkg_state: present
|
||||
mysql_conf_dir: /etc/mysql/conf.d
|
||||
mysql_service_conf_dir: /etc/mysql/mysql.conf.d
|
||||
mysql_socket: /run/mysqld/mysqld.sock
|
||||
mysql_data_dir: /var/lib/mysql
|
||||
mysql_log_dir: /var/log/mysql
|
||||
|
||||
mysql_use_ssl: True
|
||||
mysql_letsencrypt_certificates: True
|
||||
|
||||
# python-mysqldb is needed by ansible to manage users and databases
|
||||
mysql_packages_list:
|
||||
- mysql-server
|
||||
- mysql-client
|
||||
- mytop
|
||||
- python-mysqldb
|
||||
- python-pymysql
|
||||
- python-mysql.connector
|
||||
|
||||
mysql_db_name: db_name
|
||||
mysql_db_user: db_user
|
||||
mysql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
|
||||
|
||||
mysql_binary_logging: True
|
||||
mysql_server_id: 1
|
||||
# Alternatives: utf8
|
||||
mysql_default_encoding: utf8mb4
|
||||
# Alternatives: utf8_unicode_ci utf8_bin
|
||||
mysql_default_collation: utf8mb4_unicode_ci
|
||||
mysql_db_host: localhost
|
||||
mysql_db_port: 3306
|
||||
mysql_db_max_connections: 100
|
||||
mysqld_db_read_buffer_size: 128K
|
||||
mysql_db_read_rnd_buffer_size: 256K
|
||||
mysql_db_innodb_data_file_path: 'ibdata1:10M:autoextend'
|
||||
mysql_db_innodb_buffer_pool_size: 256M
|
||||
mysql_db_innodb_additional_mem_pool_size: 5M
|
||||
# Set .._log_file_size to 25 % of buffer pool size
|
||||
mysql_db_innodb_log_file_size: 64M
|
||||
mysql_db_innodb_log_buffer_size: 9M
|
||||
mysql_safe_open_files_limit: 1024
|
||||
mysql_max_allowed_packet: 16M
|
||||
mysql_skip_name_resolve: True
|
||||
|
||||
mysql_listen_on_ext_int: False
|
||||
#mysql_db_data:
|
||||
# - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL', allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32', 'yyy.yyy.yyy.yyy' ] }
|
||||
|
||||
mysql_backup_use_nagios: False
|
||||
mysql_backup_logdir: '{{ mysql_log_dir }}'
|
||||
mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log'
|
||||
mysql_backup_retain_copies: 3
|
||||
mysql_backup_destdir: /var/lib/mysql-backup
|
||||
mysql_backup_exclude_list: "performance_schema"
|
||||
|
|
@ -1,44 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
H_NAME=$( hostname -f )
|
||||
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
LE_LOG_FILE="${LE_LOG_DIR}/mysql.log"
|
||||
MYSQL_CERTDIR=/var/lib/mysql
|
||||
|
||||
DATE=$( date )
|
||||
|
||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||
echo "$DATE" >> $LE_LOG_FILE
|
||||
|
||||
if [ -f "/etc/default/acme_sh_request_env" ] ; then
|
||||
# shellcheck source=/etc/default/acme_sh_request_env
|
||||
source "/etc/default/acme_sh_request_env"
|
||||
else
|
||||
echo "No letsencrypt default file" >> $LE_LOG_FILE
|
||||
fi
|
||||
|
||||
echo "Copying the cert files" >> $LE_LOG_FILE
|
||||
if [ ! -f ${MYSQL_CERTDIR}/ca.pem ] ; then
|
||||
/bin/cp -f "${LE_CERTS_DIR}/fullchain" ${MYSQL_CERTDIR}/ca.pem
|
||||
chown mysql:mysql ${MYSQL_CERTDIR}/ca.pem
|
||||
fi
|
||||
|
||||
/bin/cp -f "${LE_CERTS_DIR}/privkey" ${MYSQL_CERTDIR}/client-key.pem
|
||||
chmod 400 ${MYSQL_CERTDIR}/client-key.pem
|
||||
chown mysql:mysql ${MYSQL_CERTDIR}/client-key.pem
|
||||
|
||||
/bin/cp -f "${LE_CERTS_DIR}/cert" ${MYSQL_CERTDIR}/client-cert.pem
|
||||
chmod 440 ${MYSQL_CERTDIR}/client-cert.pem
|
||||
chown mysql:mysql ${MYSQL_CERTDIR}/client-cert.pem
|
||||
|
||||
echo "Reload the mysql service" >> $LE_LOG_FILE
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
systemctl reload mysql >> $LE_LOG_FILE 2>&1
|
||||
else
|
||||
service mysql reload >> $LE_LOG_FILE 2>&1
|
||||
fi
|
||||
|
||||
echo "Done." >> $LE_LOG_FILE
|
||||
|
||||
exit 0
|
|
@ -1,85 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
#echo "`date` mysql DUMP temporarly excluded (by Tom)"
|
||||
#exit 1
|
||||
|
||||
RETVAL=0
|
||||
|
||||
MY_BACKUP_USE_NAGIOS="False"
|
||||
MY_BACKUP_DIR=/var/lib/mysql-backup
|
||||
MY_DATA_DIR=/var/lib/mysql
|
||||
N_DAYS_TO_SPARE=7
|
||||
# Exclude list
|
||||
EXCLUDE_LIST='performance_schema'
|
||||
|
||||
if [ -f /etc/default/mysql_backup ] ; then
|
||||
. /etc/default/mysql_backup
|
||||
fi
|
||||
|
||||
if [ ! -f /root/.my.cnf ] ; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
umask 0077
|
||||
# Year month day - hour minute second
|
||||
SAVE_TIME=$( date +%Y%m%d-%H%M%S )
|
||||
TIMESTAMP=
|
||||
TIMESTAMP_LOG=$MY_BACKUP_DIR/.timestamp
|
||||
|
||||
if [ ! -d $MY_BACKUP_DIR ] ; then
|
||||
mkdir -p $MY_BACKUP_DIR
|
||||
fi
|
||||
if [ ! -d $MY_BACKUP_LOG_DIR ] ; then
|
||||
mkdir -p $MY_BACKUP_LOG_DIR
|
||||
fi
|
||||
if [ ! -d $MY_BACKUP_DIR/history ] ; then
|
||||
mkdir -p $MY_BACKUP_DIR/history
|
||||
fi
|
||||
chmod 700 $MY_BACKUP_DIR
|
||||
LOCKFILE=$MY_DATA_DIR/.mysqldump.lock
|
||||
NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status
|
||||
|
||||
if [ ! -f $LOCKFILE ] ; then
|
||||
touch $LOCKFILE
|
||||
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
|
||||
> $NAGIOS_LOG
|
||||
fi
|
||||
for db in $( mysql -Bse "show databases;" | egrep -v $EXCLUDE_LIST ) ; do
|
||||
if [ "$db" == "information_schema" ]; then
|
||||
mysqldump --single-transaction -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
|
||||
DUMP_RESULT=$?
|
||||
else
|
||||
mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log
|
||||
DUMP_RESULT=$?
|
||||
fi
|
||||
chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME}
|
||||
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
|
||||
if [ $DUMP_RESULT -ne 0 ] ; then
|
||||
echo "$db:FAILED" >> $NAGIOS_LOG
|
||||
RETVAL=$DUMP_RESULT
|
||||
else
|
||||
echo "$db:OK" >> $NAGIOS_LOG
|
||||
fi
|
||||
fi
|
||||
pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1
|
||||
rm -f $db.sql
|
||||
ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql
|
||||
popd >/dev/null 2>&1
|
||||
done
|
||||
# Do a "flush-hosts" after the backup
|
||||
mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log
|
||||
TIMESTAMP=$( date +%s )
|
||||
echo "$TIMESTAMP" > $TIMESTAMP_LOG
|
||||
rm -f $LOCKFILE
|
||||
else
|
||||
echo "Old backup still running" > /var/log/mysql-backup.log
|
||||
RETVAL=2
|
||||
if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then
|
||||
echo "old backup still running:WARNING" >> $NAGIOS_LOG
|
||||
fi
|
||||
fi
|
||||
|
||||
# Remove the old backups
|
||||
find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \;
|
||||
|
||||
exit $RETVAL
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
- name: Restart mysql
|
||||
service: name=mysql state=restarted
|
||||
|
||||
- name: Reload mysql
|
||||
service: name=mysql state=reloaded
|
|
@ -1,40 +0,0 @@
|
|||
---
|
||||
# 'localhost' needs to be the last item for idempotency, the mysql_user docs
|
||||
- name: Secure the mysql root user with a password
|
||||
mysql_user: name=root host={{ item }} password={{ mysql_root_password }} login_unix_socket={{ mysql_socket }}
|
||||
when: mysql_root_password is defined
|
||||
with_items:
|
||||
- '{{ ansible_hostname }}'
|
||||
- 127.0.0.1
|
||||
- ::1
|
||||
- localhost
|
||||
ignore_errors: True
|
||||
tags: [ 'mysql', 'mysql_root' ]
|
||||
|
||||
- name: Secure the mysql root user when no password has been defined
|
||||
mysql_user: name=root host={{ item }} password="" login_unix_socket={{ mysql_socket }}
|
||||
when: mysql_root_password is not defined
|
||||
with_items:
|
||||
- '{{ ansible_hostname }}'
|
||||
- 127.0.0.1
|
||||
- ::1
|
||||
- localhost
|
||||
ignore_errors: True
|
||||
tags: [ 'mysql', 'mysql_root' ]
|
||||
|
||||
- name: Install the .my.cnf file with root password credentials
|
||||
template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
|
||||
when: mysql_root_password is defined
|
||||
tags: [ 'mysql', 'mysql_root' ]
|
||||
|
||||
- name: delete anonymous MySQL server user for the server hostname
|
||||
mysql_user: user="" host="{{ ansible_hostname }}" state="absent" login_unix_socket={{ mysql_socket }}
|
||||
tags: [ 'mysql', 'mysql_root' ]
|
||||
|
||||
- name: delete anonymous MySQL server user for localhost
|
||||
mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }}
|
||||
tags: mysql
|
||||
|
||||
- name: remove the MySQL test database
|
||||
mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }}
|
||||
tags: mysql
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
- name: Stop and disable the mysql server if we do not want it running
|
||||
service: name=mysql state=stopped enabled=no
|
||||
when: not mysql_enabled
|
||||
tags:
|
||||
- mysql
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
- import_tasks: packages.yml
|
||||
- import_tasks: mysql-conf.yml
|
||||
when: mysql_enabled | bool
|
||||
- import_tasks: manage-mysql-service.yml
|
||||
- import_tasks: configure_root_access.yml
|
||||
when: mysql_enabled | bool
|
||||
- import_tasks: manage_my_db.yml
|
||||
when: mysql_enabled | bool
|
||||
- import_tasks: mysql-backup.yml
|
||||
when: mysql_enabled | bool
|
||||
- import_tasks: mysql-letsencrypt.yml
|
||||
when: mysql_letsencrypt_certificates | bool
|
||||
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- name: Ensure that the mysql server is enabled and running
|
||||
service: name=mysql state=started enabled=yes
|
||||
when: mysql_enabled
|
||||
tags: [ 'mysql', 'mariadb' ]
|
||||
|
||||
- name: Stop and disable the mysql server if we do not want it running
|
||||
service: name=mysql state=stopped enabled=no
|
||||
when: not mysql_enabled
|
||||
tags: [ 'mysql', 'mariadb' ]
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
- name: Add databases to mysql, if any
|
||||
mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present login_unix_socket={{ mysql_socket }}
|
||||
with_items: '{{ mysql_db_data | default([]) }}'
|
||||
when: item.name is defined
|
||||
tags: [ 'mysql', 'mysql_db' ]
|
||||
|
||||
- name: Add a user for the databases
|
||||
mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv="{{ item.0.name }}.*:{{ item.0.user_grant }}" state=present login_unix_socket={{ mysql_socket }}
|
||||
with_subelements:
|
||||
- '{{ mysql_db_data | default([]) }}'
|
||||
- allowed_hosts
|
||||
when: item.0.name is defined
|
||||
tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
|
||||
|
||||
- name: Additional user privileges, if defined
|
||||
mysql_user: name={{ item.0.user }} append_privs=yes priv="{{ item.0.name }}.*:{{ item.0.additional_privs }}" state=present login_unix_socket={{ mysql_socket }}
|
||||
with_subelements:
|
||||
- '{{ mysql_db_data | default([]) }}'
|
||||
- allowed_hosts
|
||||
when:
|
||||
- item.0.name is defined
|
||||
- item.0.additional_privs is defined
|
||||
tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
|
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
- name: Install a script that performs mysql dumps
|
||||
copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750
|
||||
tags: [ 'mysql', 'mysql_backup' ]
|
||||
|
||||
- name: Install the mysql backup defaults
|
||||
template: src=mysql_backup-default.j2 dest=/etc/default/mysql_backup owner=root group=root mode=0440
|
||||
tags: [ 'mysql', 'mysql_backup' ]
|
||||
|
||||
- name: Cron job that executes mysql nightly backups
|
||||
template: src=mysql-backup.cron.j2 dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755
|
||||
tags: [ 'mysql', 'mysql_backup' ]
|
|
@ -1,24 +0,0 @@
|
|||
---
|
||||
- name: Manage the MySQL configuration files
|
||||
block:
|
||||
- name: Create the data directory
|
||||
file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700
|
||||
|
||||
- name: Create the log directory
|
||||
file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750
|
||||
|
||||
- name: Install the main configuration files.
|
||||
template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
|
||||
with_items:
|
||||
- client
|
||||
- mysql-clients
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Install the main configuration files.
|
||||
template: src={{ item }}.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644
|
||||
with_items:
|
||||
- server
|
||||
notify: Restart mysql
|
||||
|
||||
when: mysql_enabled | bool
|
||||
tags: [ 'mysql', 'mariadb', 'mysql_conf' ]
|
|
@ -1,30 +0,0 @@
|
|||
---
|
||||
- name: Manage the letsencrypt configuration
|
||||
block:
|
||||
- name: Check if the letsencrypt certificates are in place
|
||||
stat: path={{ letsencrypt_acme_certs_dir }}/privkey
|
||||
register: letsencrypt_keyfile
|
||||
|
||||
- name: Copy the letsencrypt certificate key into the right place
|
||||
copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/var/lib/mysql/client-key.pem owner=mysql group=mysql mode=0400 remote_src=yes force=yes
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Copy the letsencrypt public certificate into the right place
|
||||
copy: src={{ letsencrypt_acme_certs_dir }}/cert dest=/var/lib/mysql/client-cert.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Copy the letsencrypt CA certificate into the right place
|
||||
copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/var/lib/mysql/ca.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
|
||||
when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
|
||||
notify: Restart mysql
|
||||
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for mysql and then reload the service
|
||||
copy: src=letsencrypt-mysql-hook.sh dest={{ letsencrypt_acme_sh_services_scripts_dir }}/mysql owner=root group=root mode=4555
|
||||
|
||||
when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install | bool
|
||||
tags: [ 'mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt' ]
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
- name: install the mysql packages
|
||||
apt: pkg={{ item }} state={{ mysql_pkg_state }}
|
||||
with_items: '{{ mysql_packages_list }}'
|
||||
tags: mysql
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
# The following options will be passed to all MariaDB clients
|
||||
[client]
|
||||
#password = your_password
|
||||
port = 3306
|
||||
socket = {{ mysql_socket }}
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
[client]
|
||||
user=root
|
||||
password={{ mysql_root_password }}
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
LOG_FILE=/var/log/mysql-backup.log
|
||||
if [ -x /etc/cron.daily/duplicity_backup ] ; then
|
||||
echo "duplicity backups active. Exiting" > $LOG_FILE
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Remote backup performed by BackupPC. If it is active, do not run via cron
|
||||
if [ -f /var/log/backuppc.log ] ; then
|
||||
TMSTMP=$( date +%s )
|
||||
. /var/log/backuppc.log
|
||||
LAST_BACKUP_TIME=$( expr $TMSTMP - $BACKUP_TIMESTAMP )
|
||||
if [ $LAST_BACKUP_TIME -lt 86400 -a $BACKUP_RESULT == 'OK' ] ; then
|
||||
echo "BackupPC is active, doing nothing" > $LOG_FILE
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
/usr/local/sbin/mysql-backup > $LOG_FILE 2>&1
|
||||
|
||||
exit 0
|
|
@ -1,20 +0,0 @@
|
|||
|
||||
[mysql]
|
||||
|
||||
[mysql_upgrade]
|
||||
|
||||
[mysqladmin]
|
||||
|
||||
[mysqlbinlog]
|
||||
|
||||
[mysqlcheck]
|
||||
|
||||
[mysqldump]
|
||||
quick
|
||||
max_allowed_packet = 16M
|
||||
|
||||
[mysqlimport]
|
||||
|
||||
[mysqlshow]
|
||||
|
||||
[mysqlslap]
|
|
@ -1,8 +0,0 @@
|
|||
MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'
|
||||
MY_BACKUP_LOG_DIR='{{ mysql_backup_logdir }}'
|
||||
MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}'
|
||||
N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}'
|
||||
MY_BACKUP_DIR='{{ mysql_backup_destdir }}'
|
||||
MY_DATA_DIR='{{ mysql_data_dir }}'
|
||||
# Exclude list
|
||||
EXCLUDE_LIST='{{ mysql_backup_exclude_list }}'
|
|
@ -1,89 +0,0 @@
|
|||
# Here follows entries for some specific programs
|
||||
|
||||
# The MariaDB server
|
||||
[mysqld]
|
||||
user = mysql
|
||||
{% if mysql_listen_on_ext_int %}
|
||||
bind-address = 0.0.0.0
|
||||
{% else %}
|
||||
bind-address = 127.0.0.1
|
||||
{% endif %}
|
||||
port = {{ mysql_db_port }}
|
||||
socket = {{ mysql_socket }}
|
||||
basedir = /usr
|
||||
datadir = {{ mysql_data_dir }}
|
||||
log_error = {{ mysql_log_dir }}/error.log
|
||||
skip-external-locking
|
||||
# Point the following paths to different dedicated disks
|
||||
tmpdir = /tmp
|
||||
lc-messages-dir = /usr/share/mysql
|
||||
|
||||
#
|
||||
# * Fine Tuning
|
||||
#
|
||||
max_connections = {{ mysql_db_max_connections }}
|
||||
key_buffer_size = 16M
|
||||
max_allowed_packet = {{ mysql_max_allowed_packet }}
|
||||
table_open_cache = 512
|
||||
sort_buffer_size = 8M
|
||||
net_buffer_length = 8K
|
||||
thread_stack = 192K
|
||||
thread_cache_size = 8
|
||||
read_buffer_size = {{ mysqld_db_read_buffer_size }}
|
||||
read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }}
|
||||
myisam_sort_buffer_size = 16M
|
||||
{% if mysql_skip_name_resolve %}
|
||||
skip-name-resolve
|
||||
{% endif %}
|
||||
|
||||
{% if mysqld_sql_mode is defined %}
|
||||
sql_mode = {{ mysqld_sql_mode }}
|
||||
{% endif %}
|
||||
{% if mysqld_ft_stopword_file is defined %}
|
||||
ft_stopword_file = {{ mysqld_ft_stopword_file }}
|
||||
{% endif %}
|
||||
{% if mysqld_ft_min_word_lenght is defined %}
|
||||
ft_min_word_len = {{ mysqld_ft_min_word_lenght }}
|
||||
{% endif %}
|
||||
ft_boolean_syntax = '{{ mysql_ft_boolean_syntax | default('+ -><()~*:\"\"&|') }}'
|
||||
|
||||
#
|
||||
# * Query Cache Configuration
|
||||
#
|
||||
query_cache_limit = 1M
|
||||
query_cache_size = 16M
|
||||
|
||||
|
||||
{% if mysql_binary_logging %}
|
||||
server-id={{ mysql_server_id }}
|
||||
# Enable binary logging. This is required for acting as a MASTER in a
|
||||
# replication configuration. You also need the binary log if you need
|
||||
# the ability to do point in time recovery from your latest backup.
|
||||
log-bin={{ mysql_log_dir }}/mysql-bin.log
|
||||
expire_logs_days = 10
|
||||
max_binlog_size = 100M
|
||||
# binary logging format - mixed recommended
|
||||
binlog_format=mixed
|
||||
{% endif %}
|
||||
|
||||
# Uncomment the following if you are using InnoDB tables
|
||||
innodb_data_home_dir = {{ mysql_data_dir }}
|
||||
innodb_data_file_path = {{ mysql_db_innodb_data_file_path }}
|
||||
innodb_log_group_home_dir = {{ mysql_data_dir }}
|
||||
# You can set .._buffer_pool_size up to 50 - 80 %
|
||||
# of RAM but beware of setting memory usage too high
|
||||
innodb_buffer_pool_size = {{ mysql_db_innodb_buffer_pool_size }}
|
||||
# Set .._log_file_size to 25 % of buffer pool size
|
||||
innodb_log_file_size = {{ mysql_db_innodb_log_file_size }}
|
||||
innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }}
|
||||
innodb_flush_log_at_trx_commit = 1
|
||||
innodb_lock_wait_timeout = 50
|
||||
|
||||
{% if mysql_use_ssl %}
|
||||
ssl-ca=/var/lib/mysql/ca.pem
|
||||
ssl-cert=/var/lib/mysql/client-cert.pem
|
||||
ssl-key=/var/lib/mysql/client-key.pem
|
||||
{% endif %}
|
||||
|
||||
[mysqld_safe]
|
||||
open-files-limit = {{ mysql_safe_open_files_limit }}
|
|
@ -1,111 +0,0 @@
|
|||
---
|
||||
openvpn_enabled: True
|
||||
openvpn_enable_system_forward: True
|
||||
openvpn_management_enabled: False
|
||||
openvpn_management_ip: 127.0.0.1
|
||||
openvpn_management_port: 1195
|
||||
openvpn_management_file: '{{ openvpn_conf_dir }}/auth/management.txt'
|
||||
# openvpn_management_password: 'set into a vault file'
|
||||
openvpn_pkg_state: latest
|
||||
openvpn_pkgs:
|
||||
- openvpn
|
||||
|
||||
# Authentication choices
|
||||
openvpn_cert_auth_enabled: True
|
||||
openvpn_username_pam_auth: False
|
||||
|
||||
openvpn_radius_auth: False
|
||||
openvpn_radius_pkg:
|
||||
- openvpn-auth-radius
|
||||
|
||||
# With openvpn-auth-ldap. Broken on Ubuntu trusty
|
||||
openvpn_ldap_auth: False
|
||||
openvpn_ldap_pkg:
|
||||
- openvpn-auth-ldap
|
||||
|
||||
openvpn_ldap_perl_auth: False
|
||||
openvpn_perl_pkg:
|
||||
- libnet-ldap-perl
|
||||
|
||||
# Server conf parameters
|
||||
openvpn_conf_dir: /etc/openvpn
|
||||
openvpn_conf_name: openvpn.conf
|
||||
|
||||
openvpn_mode: server
|
||||
openvpn_dev: tun
|
||||
openvpn_port: 1194
|
||||
openvpn_protocol: udp
|
||||
openvpn_server_net: '192.168.254.0 255.255.255.0'
|
||||
#openvpn_push_routes: []
|
||||
# - '192.168.253.0 255.255.255.0'
|
||||
|
||||
#openvpn_push_settings:
|
||||
# - "dhcp-option DNS 10.66.0.4"
|
||||
|
||||
#openvpn_remote_servers: []
|
||||
|
||||
openvpn_force_ccd: False
|
||||
# openvpn_users_customizations:
|
||||
# - { cn: 'Joe Bar', ip: '<Client IP>', netmask: '<openvpn_server_net netmask>', routes: [ '192.168.253.0 255.255.255.0' ] }
|
||||
|
||||
openvpn_tls_server: True
|
||||
openvpn_dh: /etc/openvpn/dh2048.pem
|
||||
openvpn_tls_auth: '/etc/openvpn/ta.key'
|
||||
openvpn_install_alternative_ca: False
|
||||
openvpn_alternative_ca_name: ca.pem
|
||||
openvpn_ca_dir: False
|
||||
openvpn_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
|
||||
openvpn_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
|
||||
openvpn_key: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
|
||||
|
||||
openvpn_ha: False
|
||||
# Not a real master. It is only the host where the dh.pem and ta.key are generated
|
||||
openvpn_master_host: 'localhost'
|
||||
openvpn_is_master_host: False
|
||||
|
||||
openvpn_compression_enabled: False
|
||||
openvpn_keepalive: '10 120'
|
||||
|
||||
openvpn_max_clients: 100
|
||||
openvpn_run_unprivileged: True
|
||||
openvpn_unprivileged_user: nobody
|
||||
openvpn_unprivileged_group: nogroup
|
||||
# Not recommended. Use a private CA if possible
|
||||
openvpn_letsencrypt_managed: False
|
||||
|
||||
openvpn_verbosity_log: 3
|
||||
openvpn_mute_after: 20
|
||||
|
||||
# LDAP conf
|
||||
openvpn_ldap_uri: 'ldap:'
|
||||
openvpn_ldap_host: ldap.example.org
|
||||
openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
|
||||
openvpn_ldap_anon_bind: True
|
||||
openvpn_ldap_binddn: uid=admin
|
||||
openvpn_ldap_bindpwd: test
|
||||
openvpn_ldap_ca: '{{ openvpn_ca }}'
|
||||
openvpn_ldap_use_ca_dir: False
|
||||
openvpn_ldap_ca_dir: /etc/ssl/certs
|
||||
openvpn_ldap_starttls: False
|
||||
openvpn_ldap_tls_auth: False
|
||||
openvpn_ldap_tls_cert: '{{ openvpn_cert }}'
|
||||
openvpn_ldap_tls_key: '{{ openvpn_key }}'
|
||||
openvpn_ldap_tls_ciphersuite: 'ALL:!ADH:@STRENGTH'
|
||||
# LDAP auth
|
||||
openvpn_ldap_base_dn: 'ou=People,dc=example,dc=org'
|
||||
openvpn_ldap_user_search: '(&(uid=%u))'
|
||||
openvpn_ldap_require_group: False
|
||||
# See https://github.com/threerings/openvpn-auth-ldap/issues/7
|
||||
openvpn_ldap_without_posix_groups: True
|
||||
openvpn_ldap_group_base: 'ou=Groups,dc=example,dc=org'
|
||||
openvpn_ldap_group_filter: '(|(cn=developers)(cn=artists))'
|
||||
openvpn_ldap_group_member_attr: uniqueMember
|
||||
|
||||
# Perl LDAP conf
|
||||
openvpn_ldap_perl_auth_ssl: True
|
||||
openvpn_ldap_perl_auth_sslport: 636
|
||||
openvpn_ldap_perl_auth_group: vpn_ldap_posix_group
|
||||
|
||||
openvpn_nagios_checks: False
|
||||
openvpn_nagios_deb_deps:
|
||||
- libnet-telnet-perl
|
|
@ -1,28 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
H_NAME=$( hostname -f )
|
||||
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||
LE_CERTS_DIR=/var/lib/acme/live/$H_NAME
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
DATE=$( date )
|
||||
|
||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||
echo "$DATE" >> $LE_LOG_DIR/openvpn.log
|
||||
|
||||
if [ -f /etc/default/letsencrypt ] ; then
|
||||
. /etc/default/letsencrypt
|
||||
else
|
||||
echo "No letsencrypt default file" >> $LE_LOG_DIR/openvpn.log
|
||||
fi
|
||||
|
||||
echo "Reload the openvpn service" >> $LE_LOG_DIR/openvpn.log
|
||||
if [ -x /bin/systemctl ] ; then
|
||||
systemctl restart openvpn >> $LE_LOG_DIR/openvpn.log 2>&1
|
||||
else
|
||||
service openvpn restart >> $LE_LOG_DIR/openvpn.log 2>&1
|
||||
fi
|
||||
|
||||
echo "Done." >> $LE_LOG_DIR/openvpn.log
|
||||
|
||||
exit 0
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
# OpenVPN does not support a service reload
|
||||
- name: Reload OpenVPN
|
||||
service: name=openvpn state=restarted
|
||||
when: openvpn_enabled
|
||||
|
||||
- name: Restart OpenVPN
|
||||
service: name=openvpn state=restarted
|
||||
when: openvpn_enabled
|
||||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
when: ansible_service_mgr == 'systemd'
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
|
||||
when:
|
||||
- openvpn_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'openvpn', 'letsencrypt' ]
|
||||
|
||||
- name: Install a script that fix the letsencrypt certificate for openvpn and then reload the service
|
||||
copy: src=openvpn-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/openvpn owner=root group=root mode=4555
|
||||
when:
|
||||
- openvpn_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'openvpn', 'letsencrypt' ]
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
- import_tasks: openvpn.yml
|
||||
- import_tasks: letsencrypt-openvpn.yml
|
||||
when: openvpn_letsencrypt_managed | bool
|
||||
- import_tasks: openvpn-nagios.yml
|
||||
when:
|
||||
- nagios_enabled is defined and nagios_enabled | bool
|
||||
- openvpn_nagios_checks | bool
|
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
- name: Nagios check configuration for openvpn (NRPE required)
|
||||
block:
|
||||
- name: Install the nagios check deb deps
|
||||
apt: pkg={{ openvpn_nagios_deb_deps }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
|
||||
- name: Install the nagios check script
|
||||
template: src=check_openvpn.pl.j2 dest={{ nagios_plugins_dir }}/check_openvpn owner=root group=root mode=0755
|
||||
|
||||
- name: Install the nagios nrpe configuration
|
||||
template: src=openvpn-nrpe.cfg.j2 dest={{ nrpe_include_dir }}/openvpn.cfg owner=root group=nagios mode=0440
|
||||
notify: Reload NRPE server
|
||||
|
||||
when:
|
||||
- openvpn_enabled | bool
|
||||
- ansible_distribution_file_variety == "Debian"
|
||||
tags: [ 'openvpn', 'openvpn_nagios', 'nagios' ]
|
||||
|
|
@ -1,209 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install the OpenVPN main packages
|
||||
apt: pkg={{ openvpn_pkgs }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
|
||||
- name: Create the auth, ipp, ccd and status subdirs
|
||||
file: dest={{ openvpn_conf_dir }}/{{ item }} state=directory owner={{ openvpn_unprivileged_user }} group=root mode=0770
|
||||
with_items:
|
||||
- ipp
|
||||
- status
|
||||
- auth
|
||||
- ccd
|
||||
|
||||
when: openvpn_enabled | bool
|
||||
tags: openvpn
|
||||
|
||||
- block:
|
||||
- name: Install the OpenVPN radius auth plugin package
|
||||
apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
|
||||
when: openvpn_radius_auth | bool
|
||||
tags: [ 'openvpn', 'openvpn_radius' ]
|
||||
|
||||
- block:
|
||||
- name: Install the OpenVPN radius auth plugin package
|
||||
template: src=management.txt.j2 dest={{ openvpn_management_file }} owner=root group=root mode=0400
|
||||
|
||||
when: openvpn_management_enabled | bool
|
||||
tags: [ 'openvpn', 'openvpn_management' ]
|
||||
|
||||
- block:
|
||||
- name: Install the OpenVPN ldap auth plugin package
|
||||
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
|
||||
- name: Install the LDAP auth configuration file
|
||||
template: src=auth-ldap.conf.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf owner=root group={{ openvpn_unprivileged_group }} mode=0440
|
||||
notify: Reload OpenVPN
|
||||
|
||||
when: openvpn_ldap_auth
|
||||
tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ]
|
||||
|
||||
- block:
|
||||
- name: Remove the LDAP auth configuration file if LDAP is not used
|
||||
file: dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf state=absent
|
||||
notify: Reload OpenVPN
|
||||
|
||||
when: not openvpn_ldap_auth
|
||||
tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ]
|
||||
|
||||
- block:
|
||||
- name: Install the perl libraries needed by the LDAP client authentication script
|
||||
apt: pkg={{ openvpn_perl_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
|
||||
- name: Install the perl LDAP auth script
|
||||
template: src=auth-ldap.pl.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap owner=root group={{ openvpn_unprivileged_group }} mode=0550
|
||||
|
||||
when: openvpn_ldap_perl_auth
|
||||
tags: [ 'openvpn', 'openvpn_ldap' ]
|
||||
|
||||
- block:
|
||||
- name: Install the main OpenVPN configuration file on the servers
|
||||
template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
|
||||
notify: Restart OpenVPN
|
||||
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf' ]
|
||||
|
||||
- name: Install the custom configuration for specific OpenVPN users in the servers
|
||||
template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
|
||||
with_items: '{{ openvpn_users_customizations | default([]) }}'
|
||||
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ]
|
||||
|
||||
- name: Install the easy-rsa package on servers when we use the certificate authentication
|
||||
apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
when:
|
||||
- openvpn_cert_auth_enabled | bool
|
||||
- openvpn_is_master_host | bool
|
||||
|
||||
when: openvpn_mode == 'server'
|
||||
tags: [ 'openvpn', 'openvpn_conf' ]
|
||||
|
||||
- block:
|
||||
- name: Install the main OpenVPN configuration file on the clients
|
||||
template: src=client.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
|
||||
notify: Restart OpenVPN
|
||||
|
||||
when: openvpn_mode != 'server'
|
||||
tags: [ 'openvpn', 'openvpn_conf' ]
|
||||
|
||||
- block:
|
||||
- name: Install the OpenVPN init defaults
|
||||
template: src=openvpn-defaults.j2 dest=/etc/default/openvpn owner=root group=root mode=0444
|
||||
notify:
|
||||
- Restart OpenVPN
|
||||
- Reload systemd
|
||||
|
||||
tags: [ 'openvpn', 'openvpn_conf' ]
|
||||
|
||||
- block:
|
||||
- name: Create the dh file
|
||||
shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
|
||||
args:
|
||||
creates: '{{ openvpn_conf_dir }}/dh2048.pem'
|
||||
|
||||
- name: Fix the dh file permissions
|
||||
file: dest={{ openvpn_conf_dir }}/dh2048.pem owner=root group=root mode=0444
|
||||
|
||||
- name: Create the ta key
|
||||
shell: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key
|
||||
args:
|
||||
creates: '{{ openvpn_conf_dir }}/ta.key'
|
||||
|
||||
- name: Fix the ta.key file permissions
|
||||
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
|
||||
|
||||
when: openvpn_is_master_host | bool or not openvpn_ha | bool
|
||||
tags: [ 'openvpn', 'openvpn_conf' ]
|
||||
|
||||
- block:
|
||||
- name: Get the dh file from the master host
|
||||
synchronize:
|
||||
src: '{{ openvpn_conf_dir }}/dh2048.pem'
|
||||
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Relax the ta.key file permissions so that it can be copied around
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Get the ta key from the master host
synchronize:
src: '{{ openvpn_conf_dir }}/ta.key'
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
dest: '/{{ openvpn_conf_dir }}/ta.key'
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Fix the ta.key file permissions
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
- name: Fix the ta.key file permissions on the master host
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
when:
- openvpn_ha | bool
- not openvpn_is_master_host | bool
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
- block:
- name: Get the dh file from the master host
synchronize:
src: '{{ openvpn_conf_dir }}/dh2048.pem'
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
delegate_to: '{{ openvpn_master_host }}'
- name: Relax the ta.key file permissions so that it can be copied around
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
delegate_to: '{{ openvpn_master_host }}'
- name: Get the ta key from the master host
synchronize:
src: '{{ openvpn_conf_dir }}/ta.key'
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
dest: '/{{ openvpn_conf_dir }}/ta.key'
delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Fix the ta.key file permissions
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
- name: Fix the ta.key file permissions on the master host
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
delegate_to: '{{ openvpn_master_host }}'
when: openvpn_mode != 'server'
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
- block:
- name: Enable kernel forwarding
sysctl: name={{ item }} value=1 reload=yes state=present
with_items:
- net.ipv4.ip_forward
# - net.ipv6.conf.all.forwarding
when:
- openvpn_enable_system_forward | bool
- openvpn_enabled | bool
- name: Disable kernel forwarding
sysctl: name={{ item }} value=0 reload=yes state=present
with_items:
- net.ipv4.ip_forward
# - net.ipv6.conf.all.forwarding
when: not openvpn_enable_system_forward
- name: Ensure that the OpenVPN service is enabled and running
service: name=openvpn state=started enabled=yes
when: openvpn_enabled | bool
- name: Ensure that the OpenVPN service is stopped and disabled
service: name=openvpn state=stopped enabled=no
when: not openvpn_enabled | bool
tags: openvpn
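--- a/PLACEHOLDER_PATH_2
+++ /dev/null
@@ -1,72 +0,0 @@
-<LDAP>
-# LDAP server URL
-URL {{ openvpn_ldap_url }}
-
-{% if not openvpn_ldap_anon_bind %}
-# Bind DN (If your LDAP server doesn't support anonymous binds)
-BindDN "{{ openvpn_ldap_binddn }}"
-# Bind Password
-Password "{{ openvpn_ldap_bindpwd }}"
-{% endif %}
-
-# Network timeout (in seconds)
-Timeout 15
-
-{% if openvpn_ldap_starttls %}
-# Enable Start TLS
-TLSEnable yes
-{% else %}
-TLSEnable no
-{% endif %}
-
-{% if not openvpn_ldap_anon_bind %}
-# Follow LDAP Referrals (anonymously)
-FollowReferrals no
-{% else %}
-FollowReferrals yes
-{% endif %}
-
-# TLS CA Certificate File
-TLSCACertFile {{ openvpn_ldap_ca }}
-
-{% if openvpn_ldap_use_ca_dir %}
-# TLS CA Certificate Directory
-# TLSCACertDir {{ openvpn_ldap_ca_dir }}
-{% endif %}
-
-{% if openvpn_ldap_tls_auth %}
-# Client Certificate and key
-# If TLS client authentication is required
-TLSCertFile {{ openvpn_ldap_tls_cert }}
-TLSKeyFile {{ openvpn_ldap_tls_key }}
-{% endif %}
-
-# Cipher Suite
-# The defaults are usually fine here
-#TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
-</LDAP>
-
-<Authorization>
-# Base DN
-BaseDN "{{ openvpn_ldap_base_dn }}"
-
-# User Search Filter
-SearchFilter "{{ openvpn_ldap_user_search }}"
-
-# Require Group Membership
-RequireGroup {{ openvpn_ldap_require_group }}
-
-{% if openvpn_ldap_require_group %}
-# Add non-group members to a PF table (disabled)
-#PFTable ips_vpn_users
-
-<Group>
-BaseDN "{{ openvpn_ldap_group_base }}"
-SearchFilter "{{ openvpn_ldap_group_filter }}"
-RFC2307bis {{ openvpn_ldap_without_posix_groups }}
-MemberAttribute {{ openvpn_ldap_group_member_attr }}
-# Add group members to a PF table (disabled)
-# #PFTable ips_vpn_eng
-</Group>
-{% endif %}
-</Authorization>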
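--- a/PLACEHOLDER_PATH_3
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/perl -w
-
-{% if openvpn_ldap_perl_auth_ssl %}
-use Net::LDAPS;
-{% else %}
-use Net::LDAP;
-{% endif %}
-use strict;
-
-my $ldap;
-my $result;
-
-my $opt_uri = "{{ openvpn_ldap_host }}";
-my $opt_user = $ENV{'username'};
-my $opt_passwd = $ENV{'password'};
-my $opt_group = "cn={{ openvpn_ldap_perl_auth_group }},{{ openvpn_ldap_group_base }}";
-my $opt_binddn = "uid=".$opt_user.",{{ openvpn_ldap_base_dn }}";
-
-{% if openvpn_ldap_perl_auth_ssl %}
-$ldap = Net::LDAPS->new($opt_uri, version => 3,
-port => '{{ openvpn_ldap_perl_auth_sslport }}',
-verify => 'require',
-{% if openvpn_ca_dir %}
-capath => '{{ openvpn_ldap_ca }}'
-{% else %}
-cafile => '{{ openvpn_ldap_ca }}'
-{% endif %}
-) or die("LDAPS connect to $opt_uri failed!");
-{% else %}
-$ldap = Net::LDAP->new($opt_uri) or die("LDAP connect to $opt_uri failed!");
-{% endif %}
-
-{% if openvpn_ldap_nonanon_bind %}
-$result = $ldap->bind('{{ openvpn_ldap_binddn }}', password => '{{ openvpn_ldap_bindpwd | default('') }}');
-{% else %}
-$result = $ldap->bind($opt_binddn, password => $opt_passwd);
-{% endif %}
-$result->code and die($result->error);
-$result = $ldap->search(base=>$opt_group, filter => "(&({{ openvpn_ldap_group_member_attr }}=$opt_user))");
-$result->code();
-if ($result->count == 1) { exit 0; }
-unless($result->count){ exit 1; }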
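--- a/PLACEHOLDER_PATH_4
+++ /dev/null
@@ -1,219 +0,0 @@
-#!/usr/bin/perl -w
-
-#######################################################################
-#
-# Copyright (c) 2007 Jaime Gascon Romero <jgascon@gmail.com>
-#
-# License Information:
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-# $Id: check_openvpn.pl,v 1.0 2007/07/15 16:07:20 jgr Exp jgr $
-# $Revision: 1.0 $
-# Home Site: http://emergeworld.blogspot.com/
-# #####################################################################
-
-use diagnostics;
-use strict;
-use Net::Telnet ();
-use Getopt::Long qw(:config no_ignore_case);
-use vars qw($PROGNAME $VERSION);
-{% if ansible_distribution_file_variety == "Debian" %}
-use lib "/usr/lib/nagios/plugins";
-{% elif ansible_distribution_file_variety == "Debian" %}
-use lib "/usr/lib64/nagios/plugins";
-{% endif %}
-use utils qw(%ERRORS);
-
-$PROGNAME = "check_openvpn";
-$VERSION = '$Revision: 1.0 $';
-
-$ENV{'PATH'}='';
-$ENV{'BASH_ENV'}='';
-$ENV{'ENV'}='';
-
-my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r);
-
-sub print_help ();
-sub print_usage ();
-
-GetOptions
-("h" => \$opt_h, "help" => \$opt_h,
-"H=s" => \$opt_H, "host=s" => \$opt_H,
-"p=i" => \$opt_p, "port=i" => \$opt_p,
-"P=s" => \$opt_P, "password=s" => \$opt_P,
-"t=i" => \$opt_t, "timeout=i" => \$opt_t,
-"i" => \$opt_i, "ip" => \$opt_i,
-"n" => \$opt_n, "numeric" => \$opt_n,
-"c" => \$opt_c, "critical" => \$opt_c,
-"w" => \$opt_w, "warning" => \$opt_w,
-"C=s" => \$opt_C, "common_name=s" => \$opt_C,
-"r=s" => \$opt_r, "remote_ip=s" => \$opt_r,
-) or exit $ERRORS{'UNKNOWN'};
-
-# default values
-unless ( defined $opt_t ) {
-$opt_t = 10;
-}
-
-if ($opt_h) {print_help(); exit $ERRORS{'OK'};}
-
-if ( ! defined($opt_H) || ! defined($opt_p) ) {
-print_usage();
-exit $ERRORS{'UNKNOWN'}
-}
-
-my @lines;
-my @clients;
-my @clients_ip;
-my $t;
-
-eval {
-$t = new Net::Telnet (Timeout => $opt_t,
-Port => $opt_p,
-Prompt => '/END$/'
-);
-$t->open($opt_H);
-if ( defined $opt_P ) {
-$t->waitfor('/ENTER PASSWORD:$/');
-$t->print($opt_P);
-}
-$t->waitfor('/^$/');
-@lines = $t->cmd("status 2");
-$t->close;
-};
-
-if ($@) {
-print "OpenVPN Critical: Can't connect to server\n";
-exit $ERRORS{'CRITICAL'};
-}
-
-
-if (defined $opt_i || defined $opt_r) {
-foreach (@lines) {
-if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) {
-push @clients_ip, $1;
-}
-}
-if (defined $opt_i) {
-print "OpenVPN OK: "."@clients_ip ";
-exit $ERRORS{'OK'};
-} elsif (defined $opt_r) {
-if ( ! grep /\b$opt_r\b/, @clients_ip) {
-if (defined $opt_c) {
-print "OpenVPN CRITICAL: $opt_r don't found";
-exit $ERRORS{'CRITICAL'};
-} else {
-print "OpenVPN WARNING: $opt_r don't found";
-exit $ERRORS{'WARNING'};
-}
-}
-print "OpenVPN OK: "."@clients_ip ";
-exit $ERRORS{'OK'};
-}
-}
-
-foreach (@lines) {
-if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) {
-push @clients, $1;
-}
-}
-
-if (defined $opt_C) {
-if ( ! grep /\b$opt_C\b/, @clients) {
-if (defined $opt_c) {
-print "OpenVPN CRITICAL: $opt_C don't found";
-exit $ERRORS{'CRITICAL'};
-} else {
-print "OpenVPN WARNING: $opt_C don't found";
-exit $ERRORS{'WARNING'};
-}
-}
-}
-
-
-if (defined $opt_n) {
-print "OpenVPN OK: ".@clients." connected clients.";
-exit $ERRORS{'OK'};
-}
-
-print "OpenVPN OK: "."@clients ";
-exit $ERRORS{'OK'};
-
-#######################################################################
-###### Subroutines ####################################################
-
-sub print_usage() {
-print "Usage: $PROGNAME -H | --host <IP or hostname> -p | --port <port number> [-P | --password] <password> [-t | --timeout] <timeout in seconds>
-[-i | --ip] [-n | --numeric] [-C | --common_name] <common_name> [-r | --remote_ip] <remote_ip> [-c | --critical] [-w | --warning]\n\n";
-print " $PROGNAME [-h | --help]\n";
-}
-
-sub print_help() {
-print "$PROGNAME $VERSION\n\n";
-print "Copyright (c) 2007 Jaime Gascon Romero
-
-Nagios plugin to check the clients connected to a openvpn server.
-
-";
-print_usage();
-print "
--H | --host
-IP address or hostname of the openvpn server.
-
--p | --port
-Management port interface of the openvpn server.
-
--P | --password
-Password for the management interface of the openvpn server.
-
--t | --timeout
-Timeout for the connection attempt. Optional, default 10 seconds.
-
-
-Optional parameters
-===================
-
--i | --ip
-Prints the IP address of the remote client instead of the common name.
-
--n | --numeric
-Prints the number of clients connected to the openvpn server.
-
-
-Matching Parameters
-===================
-
--C | --common_name
-The common name, as it is specified in the client certificate, who is wanted to check.
-
--r | --remote_ip
-The client remote ip address who is wanted to check.
-
--c | --critical
-Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected.
-
--w | --warning
-Exits with WARNING status if the client specified by the common name or the remote ip address is not connected.
-
-
-Other Parameters
-================
-
--h | --help
-Show this help.
-";
-
-}
-
-# vim:sts=2:sw=2:ts=2:et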
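--- a/PLACEHOLDER_PATH_5
+++ /dev/null
@@ -1,32 +0,0 @@
-client
-dev {{ openvpn_dev }}
-proto {{ openvpn_protocol }}
-{% for srv in openvpn_remote_servers %}
-remote {{ srv.host }} {{ srv.port }}
-{% endfor %}
-remote-random
-resolv-retry infinite
-nobind
-{% if openvpn_run_unprivileged %}
-# Downgrade privileges after initialization (non-Windows only)
-user {{ openvpn_unprivileged_user }}
-group {{ openvpn_unprivileged_group }}
-{% endif %}
-# Try to preserve some state across restarts.
-persist-key
-persist-tun
-ca {{ openvpn_ca }}
-cert {{ openvpn_cert }}
-key {{ openvpn_key }}
-{% if openvpn_cert_auth_enabled %}
-tls-client
-remote-cert-tls server
-{% endif %}
-tls-auth {{ openvpn_tls_auth }} 1
-key-direction 1
-cipher AES-256-CBC
-keepalive {{ openvpn_keepalive }}
-# Set log file verbosity.
-verb {{ openvpn_verbosity_log }}
-# Silence repeating messages
-mute {{ openvpn_mute_after }}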
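--- a/PLACEHOLDER_PATH_6
+++ /dev/null
@@ -1 +0,0 @@
-{{ openvpn_management_password }}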
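--- a/PLACEHOLDER_PATH_7
+++ /dev/null
@@ -1,36 +0,0 @@
-# This is the configuration file for /etc/init.d/openvpn
-
-#
-# Start only these VPNs automatically via init script.
-# Allowed values are "all", "none" or space separated list of
-# names of the VPNs. If empty, "all" is assumed.
-# The VPN name refers to the VPN configutation file name.
-# i.e. "home" would be /etc/openvpn/home.conf
-#
-# If you're running systemd, changing this variable will
-# require running "systemctl daemon-reload" followed by
-# a restart of the openvpn service (if you removed entries
-# you may have to stop those manually)
-#
-AUTOSTART="all"
-#AUTOSTART="none"
-#AUTOSTART="home office"
-#
-# WARNING: If you're running systemd the rest of the
-# options in this file are ignored.
-#
-# Refresh interval (in seconds) of default status files
-# located in /var/run/openvpn.$NAME.status
-# Defaults to 10, 0 disables status file generation
-#
-#STATUSREFRESH=10
-#STATUSREFRESH=0
-# Optional arguments to openvpn's command line
-OPTARGS=""
-#
-# If you need openvpn running after sendsigs, i.e.
-# to let umountnfs work over the vpn, set OMIT_SENDSIGS
-# to 1 and include umountnfs as Required-Stop: in openvpn's
-# init.d script (remember to run insserv after that)
-#
-OMIT_SENDSIGS=0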
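--- a/PLACEHOLDER_PATH_8
+++ /dev/null
@@ -1,2 +0,0 @@
-# OpenVPN connected users
-command[openvpn_users]={{ nagios_plugins_dir }}/check_openvpn -H {{ openvpn_management_ip }} -p {{ openvpn_management_port }} -P {{ openvpn_management_password }}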
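--- a/PLACEHOLDER_PATH_9
+++ /dev/null
@@ -1,126 +0,0 @@
-mode {{ openvpn_mode }}
-dev {{ openvpn_dev }}
-
-port {{ openvpn_port }}
-proto {{ openvpn_protocol }}
-
-{% if openvpn_tls_server %}
-tls-server
-{% endif %}
-
-dh {{ openvpn_dh }}
-ca {{ openvpn_ca }}
-cert {{ openvpn_cert }}
-key {{ openvpn_key }}
-
-topology subnet
-
-server {{ openvpn_server_net }}
-
-ifconfig-pool-persist ipp/ipp.txt
-
-client-config-dir ccd
-# EXAMPLE: Suppose the client
-# having the certificate common name "Thelonious"
-# also has a small subnet behind his connecting
-# machine, such as 192.168.40.128/255.255.255.248.
-# First, uncomment out these lines:
-;client-config-dir ccd
-;route 192.168.40.128 255.255.255.248
-# Then create a file ccd/Thelonious with this line:
-# iroute 192.168.40.128 255.255.255.248
-# This will allow Thelonious' private subnet to
-# access the VPN. This example will only work
-# if you are routing, not bridging, i.e. you are
-# using "dev tun" and "server" directives.
-
-# EXAMPLE: Suppose you want to give
-# Thelonious a fixed VPN IP address of 10.9.0.1.
-# First uncomment out these lines:
-;client-config-dir ccd
-;route 10.9.0.0 255.255.255.252
-# Then add this line to ccd/Thelonious:
-# ifconfig-push 10.9.0.1 10.9.0.2
-
-# Suppose that you want to enable different
-# firewall access policies for different groups
-# of clients. There are two methods:
-# (1) Run multiple OpenVPN daemons, one for each
-# group, and firewall the TUN/TAP interface
-# for each group/daemon appropriately.
-# (2) (Advanced) Create a script to dynamically
-# modify the firewall in response to access
-# from different clients. See man
-# page for more info on learn-address script.
-;learn-address ./script
-
-{% for route in openvpn_push_routes %}
-push "route {{ route }}"
-{% endfor %}
-
-{% for route in openvpn_push_routes %}
-push "route {{ route }}"
-{% endfor %}
-
-{% if openvpn_push_settings is defined %}
-{% for dhcp_opt in openvpn_push_settings %}
-push "{{ dhcp_opt }}"
-{% endfor %}
-{% endif %}
-
-tls-auth {{ openvpn_tls_auth }}
-
-# Select a cryptographic cipher.
-# This config item must be copied to
-# the client config file as well.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
-cipher AES-256-CBC
-
-
-{% if openvpn_compression_enabled %}
-compress lz4-v2
-push "compress lz4-v2"
-{% endif %}
-
-keepalive {{ openvpn_keepalive }}
-
-{% if not openvpn_cert_auth_enabled %}
-# Disable cert-auth
-client-cert-not-required
-{% endif %}
-
-{% if openvpn_username_pam_auth %}
-username-as-common-name
-# PAM login
-plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
-{% endif %}
-
-{% if openvpn_ldap_auth %}
-plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
-{% endif %}
-
-{% if openvpn_ldap_perl_auth %}
-auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
-#script-security 3 execve
-{% endif %}
-
-max-clients {{ openvpn_max_clients }}
-
-persist-tun
-persist-key
-
-status status/openvpn-status.log
-
-{% if openvpn_run_unprivileged %}
-user {{ openvpn_unprivileged_user }}
-group {{ openvpn_unprivileged_group }}
-{% endif %}
-
-verb {{ openvpn_verbosity_log }}
-mute {{ openvpn_mute_after }}
-
-# Notify the client that when the server restarts so it
-# can automatically reconnect.
-explicit-exit-notify 1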
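--- a/PLACEHOLDER_PATH_10
+++ /dev/null
@@ -1,79 +0,0 @@
-mode {{ openvpn_mode }}
-{% if openvpn_management_enabled %}
-management {{ openvpn_management_ip }} {{ openvpn_management_port }} {{ openvpn_management_file }}
-{% endif %}
-dev {{ openvpn_dev }}
-port {{ openvpn_port }}
-proto {{ openvpn_protocol }}
-topology subnet
-server {{ openvpn_server_net }}
-{% if openvpn_ifconfig_pool is defined %}
-# Works in bridge mode only
-#ifconfig-pool {{ openvpn_ifconfig_pool }}
-{% endif %}
-ifconfig-pool-persist ipp/ipp.txt
-client-config-dir ccd
-{% if openvpn_force_ccd %}
-ccd-exclusive
-{% endif %}
-{% if openvpn_client_routes is defined %}
-{% for route in openvpn_client_routes %}
-route {{ route }}
-{% endfor %}
-{% endif %}
-{% if openvpn_push_routes is defined %}
-{% for route in openvpn_push_routes %}
-push "route {{ route }}"
-{% endfor %}
-{% endif %}
-{% if openvpn_push_settings is defined %}
-{% for dhcp_opt in openvpn_push_settings %}
-push "{{ dhcp_opt }}"
-{% endfor %}
-{% endif %}
-cipher AES-256-CBC
-{% if openvpn_compression_enabled %}
-compress lz4-v2
-push "compress lz4-v2"
-{% endif %}
-keepalive {{ openvpn_keepalive }}
-{% if openvpn_cert_auth_enabled %}
-tls-server
-{% endif %}
-tls-auth {{ openvpn_tls_auth }} 0
-key-direction 0
-dh {{ openvpn_dh }}
-ca {{ openvpn_ca }}
-cert {{ openvpn_cert }}
-key {{ openvpn_key }}
-{% if not openvpn_cert_auth_enabled %}
-# Disable cert-auth
-client-cert-not-required
-{% endif %}
-{% if openvpn_username_pam_auth %}
-username-as-common-name
-# PAM login
-plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
-{% endif %}
-{% if openvpn_ldap_auth %}
-plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
-{% endif %}
-{% if openvpn_ldap_perl_auth %}
-auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
-script-security 3 execve
-{% endif %}
-max-clients {{ openvpn_max_clients }}
-persist-tun
-persist-key
-status status/openvpn-status.log
-{% if openvpn_run_unprivileged %}
-user {{ openvpn_unprivileged_user }}
-group {{ openvpn_unprivileged_group }}
-{% endif %}
-verb {{ openvpn_verbosity_log }}
-mute {{ openvpn_mute_after }}
-{% if openvpn_protocol == 'udp' %}
-# Notify the client that when the server restarts so it
-# can automatically reconnect.
-explicit-exit-notify 1
-{% endif %}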
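--- a/PLACEHOLDER_PATH_11
+++ /dev/null
@@ -1,4 +0,0 @@
-ifconfig-push {{ item.ip }} {{ item.netmask }}
-{% for net in item.routes %}
-push "route {{ net }}"
-{% endfor %}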
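--- a/PLACEHOLDER_PATH_12
+++ /dev/null
@@ -1,92 +0,0 @@
----
-#
-# IMPORTANT: the template will be used on a task that refers 'phpfpm_pools' inside a 'with_items' loop. So
-# the variables into the template are all 'item.XXX'
-#
-phpfpm_service_enabled: True
-phpfpm_remove_php_module: True
-php_from_ppa: False
-php_ppa: ppa:ondrej/php
-php_version: 7.2
-php_run_dir: '/run/php'
-
-phpfpm_root_dir: '/etc/php/{{ php_version }}'
-phpfpm_base_dir: '{{ phpfpm_root_dir }}/fpm'
-phpfpm_cli_dir: '{{ phpfpm_root_dir }}/cli'
-
-php_fpm_packages:
-- 'php{{ php_version }}-fpm'
-- 'php{{ php_version }}-cli'
-
-#php_global_settings:
-# - { option: '', value: '', state: '' }
-#php_cli_global_settings:
-# - { option: '', value: '', state: '' }
-
-# Main confign file settings
-# It can be 'syslog'
-phpfpm_logdir: /var/log/php-fpm
-phpfpm_error_logfile: '/var/log/php{{ php_version }}-fpm.log'
-phpfpm_syslog_facility: daemon
-phpfpm_syslog_ident: php-fpm
-phpfpm_log_level: notice
-phpfpm_emergency_restart_threshold: 5
-phpfpm_emergency_restart_interval: 2m
-phpfpm_process_control_timeout: 10s
-phpfpm_set_process_max: False
-phpfpm_process_max: 256
-phpfpm_set_event_mechanism: False
-phpfpm_event_mechanism: epoll
-
-
-# Pools settings
-phpfpm_default_pool_name: "php-fpm"
-phpfpm_pool_name: "{{ phpfpm_default_pool_name }}"
-phpfpm_remove_default_pool: True
-phpfpm_use_default_template: True
-phpfpm_create_users: True
-phpfpm_default_user: php-fpm
-phpfpm_default_group: '{{ phpfpm_default_user }}'
-phpfpm_listen_on_socket: False
-phpfpm_default_listen: "{{ php_run_dir }}/{{ phpfpm_pool_name }}.sock"
-#phpfpm_default_listen: "127.0.0.1:9000"
-phpfpm_default_allowed_clients: "127.0.0.1"
-phpfpm_default_pm: "dynamic"
-phpfpm_default_pm_max_children: "50"
-phpfpm_default_pm_start_servers: "8"
-phpfpm_default_pm_min_spare_servers: "5"
-phpfpm_default_pm_max_spare_servers: "12"
-phpfpm_default_pm_max_requests: "10000"
-phpfpm_default_pm_status_enabled: False
-phpfpm_default_pm_status_path: "/status"
-phpfpm_default_ping_enabled: False
-phpfpm_default_ping_path: "/ping"
-phpfpm_default_ping_response: '{{ phpfpm_default_pool_name }}'
-phpfpm_default_display_errors: "off"
-phpfpm_default_log_errors: "on"
-phpfpm_default_memory_limit: "64M"
-phpfpm_default_request_terminate_timeout: "240s"
-phpfpm_default_slowlog_timeout: "20s"
-phpfpm_default_rlimit_files: "4096"
-phpfpm_default_extensions: ".php"
-phpfpm_default_context: '/'
-phpfpm_default_session_handler: 'files'
-phpfpm_default_session_prefix: '/var/lib/php'
-phpfpm_default_session_dir: '{{ phpfpm_default_session_prefix }}/sessions'
-phpfpm_default_define_custom_variables: False
-
-phpfpm_use_memcache_redundancy_sessions: False
-phpfpm_use_memcached_redundancy_sessions: False
-
-memcache_session:
-- { prop: 'memcache.allow_failover', value: 1 }
-- { prop: 'memcache.session_redundancy', value: 3 }
-- { prop: 'memcache.hash_strategy', value: 'standard' }
-- { prop: 'memcache.max_failover_attempts', value: '20' }
-
-phpfpm_php_variables:
-- { prop: 'session.gc_maxlifetime', value: 1440 }
-- { prop: 'session.cache_expire', value: 180 }
-
-phpfpm_pools:
-- { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}' }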
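--- a/PLACEHOLDER_PATH_13
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Reload php-fpm
-service: name=php{{ php_version }}-fpm state=reloaded
-when: phpfpm_service_enabled
-
-- name: Restart php-fpm
-service: name=php{{ php_version }}-fpm state=restarted
-when: phpfpm_service_enabled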
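--- a/PLACEHOLDER_PATH_14
+++ /dev/null
@@ -1,95 +0,0 @@
----
-# php as a standalone service
-- name: Install the Ubuntu PHP PPA
-apt_repository: repo={{ php_ppa }} state=present update_cache=yes
-when: php_from_ppa | bool
-tags: [ 'php', 'php_ppa' ]
-
-- name: Remove the Ubuntu PHP PPA
-apt_repository: repo={{ php_ppa }} state=absent update_cache=yes
-when: not php_from_ppa
-tags: [ 'php', 'php_ppa' ]
-
-- name: Install the php-fpm package
-apt: pkg={{ php_fpm_packages }} state=present update_cache=yes cache_valid_time=3600
-tags: php
-
-- name: Install additional php packages
-apt: pkg={{ php_additional_packages | default([]) }} state=present update_cache=yes cache_valid_time=3600
-tags: php
-
-- name: Set the timezone if we have one
-ini_file: dest={{ phpfpm_base_dir }}/php.ini section=Date option=date.timezone value={{ timezone }} backup=yes
-when: timezone is defined
-notify: Reload php-fpm
-tags: [ 'php', 'php_ini' ]
-
-- name: Modify the global php settings
-ini_file: dest={{ phpfpm_base_dir }}/php.ini section={{ item.section | default('PHP') }} option={{ item.option }} value={{ item.value }} backup=yes state={{ item.state | default('present') }}
-with_items: '{{ php_global_settings | default([]) }}'
-notify: Reload php-fpm
-tags: [ 'php', 'php_ini' ]
-
-- name: Modify the global php cli settings
-ini_file: dest={{ phpfpm_cli_dir }}/php.ini section={{ item.section | default('PHP') }} option={{ item.option }} value={{ item.value }} backup=yes state={{ item.state | default('present') }}
-with_items: '{{ php_cli_global_settings | default([]) }}'
-tags: [ 'php', 'php_ini' ]
-
-- name: Activate the memcache sessions support and redundancy if needed
-action: configfile path={{ phpfpm_base_dir }}/conf.d/20-memcache.ini key={{ item.prop }} value='{{ item.value }}'
-when: phpfpm_use_memcache_redundancy_sessions | bool
-with_items: '{{ memcache_session }}'
-notify: Reload php-fpm
-tags: [ 'php', 'php_ini' ]
-
-- name: remove php-fpm default pool
-file: dest={{ phpfpm_base_dir }}/pool.d/www.conf state=absent
-when: phpfpm_remove_default_pool | bool
-notify: Restart php-fpm
-tags: php
-
-- name: Create the users under the php-fpm processes will run
-user: name={{ item.user }} comment="{{ item.user }}" home=/dev/null createhome=no shell=/sbin/nologin
-with_items: '{{ phpfpm_pools }}'
-when: phpfpm_create_users | bool
-notify: Restart php-fpm
-tags: [ 'php', 'fpm_pool' ]
-
-- name: Create the directories where to store the sessions files. One for each pool
-file: dest={{ phpfpm_session_prefix }}/{{ item.pool_name }} owner={{ item.user }} group=root mode=0750 state=directory
-with_items: '{{ phpfpm_pools }}'
-when:
-- phpfpm_session_prefix is defined
-- phpfpm_use_default_template | bool
-tags: [ 'php', 'fpm_pool' ]
-
-- name: Create the directories where to store the log files
-file: dest={{ phpfpm_logdir }} owner=root group=root mode=0750 state=directory
-tags: [ 'php', 'fpm_pool' ]
-
-- name: Install the php-fpm logrotate file
-template: src=php-fpm.logrotate.j2 dest=/etc/logrotate.d/php-fpm owner=root group=root mode=0444
-tags: [ 'php', 'fpm_conf' ]
-
-- name: Install the php-fpm main config file
-template: src=php-fpm.conf.j2 dest={{ phpfpm_base_dir }}/php-fpm.conf owner=root group=root mode=0444
-notify: Restart php-fpm
-tags: [ 'php', 'fpm_conf', 'fpm_pool' ]
-
-- name: Install the php-fpm pools
-template: src=php-fpm-pool.conf.j2 dest={{ phpfpm_base_dir }}/pool.d/{{ item.pool_name }}.conf owner=root group=root mode=0444
-with_items: '{{ phpfpm_pools }}'
-when: phpfpm_use_default_template | bool
-notify: Restart php-fpm
-tags: [ 'php', 'fpm_conf', 'fpm_pool', 'fpm_pool_conf' ]
-
-- name: Ensure that the php-fpm service is started and enabled
-service: name=php{{ php_version }}-fpm state=started enabled=yes
-when: phpfpm_service_enabled | bool
-tags: php
-
-- name: Ensure that the php-fpm service is stopped and disabled
-service: name=php{{ php_version }}-fpm state=stopped enabled=no
-when: not phpfpm_service_enabled
-tags: php
-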
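--- a/<path not shown>
+++ /dev/null
@@ -1,296 +0,0 @@
-; Start a new pool named 'www'.
-[{{ item.pool_name | default('www') }}]
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
-; a specific port;
-; 'port' - to listen on a TCP socket to all addresses on a
-; specific port;
-; '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = {{ item.listen | default ('127.0.0.1:9000') }}
-
-; Set listen(2) backlog. A value of '-1' means unlimited.
-; Default Value: -1
-;listen.backlog = -1
-
-; List of ipv4 addresses of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-listen.allowed_clients = {{ item.allowed_clients | default ('127.0.0.1') }}
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-; mode is set to 0666
-{% if phpfpm_listen_on_socket %}
-listen.owner = {{ item.user }}
-listen.group = www-data
-listen.mode = 0660
-{% endif %}
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-; will be used.
-; RPM: apache Choosed to be able to access some dir as httpd
-user = {{ item.user | default('php-fpm') }}
-; RPM: Keep a group allowed to write in log dir.
-group = {{ item.group | default('php-fpm') }}
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-; static - a fixed number (pm.max_children) of child processes;
-; dynamic - the number of child processes are set dynamically based on the
-; following directives:
-; pm.max_children - the maximum number of children that can
-; be alive at the same time.
-; pm.start_servers - the number of children created on startup.
-; pm.min_spare_servers - the minimum number of children in 'idle'
-; state (waiting to process). If the number
-; of 'idle' processes is less than this
-; number then some children will be created.
-; pm.max_spare_servers - the maximum number of children in 'idle'
-; state (waiting to process). If the number
-; of 'idle' processes is greater than this
-; number then some children will be killed.
-; Note: This value is mandatory.
-pm = {{ item.pm | default('dynamic') }}
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes to be created when pm is set to 'dynamic'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI.
-; Note: Used when pm is set to either 'static' or 'dynamic'
-; Note: This value is mandatory.
-pm.max_children = {{ item.pm_max_children | default('50') }}
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = {{ item.pm_start_servers | default('3') }}
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = {{ item.pm_min_spare | default('1') }}
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = {{ item.pm_max_spare | default('10') }}
-
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-pm.max_requests = {{ item.pm_max_requests | default('10000') }}
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. By default, the status page shows the following
-; information:
-; accepted conn - the number of request accepted by the pool;
-; pool - the name of the pool;
-; process manager - static or dynamic;
-; idle processes - the number of idle processes;
-; active processes - the number of active processes;
-; total processes - the number of idle + active processes.
-; The values of 'idle processes', 'active processes' and 'total processes' are
-; updated each second. The value of 'accepted conn' is updated in real time.
-; Example output:
-; accepted conn: 12073
-; pool: www
-; process manager: static
-; idle processes: 35
-; active processes: 65
-; total processes: 100
-; By default the status page output is formatted as text/plain. Passing either
-; 'html' or 'json' as a query string will return the corresponding output
-; syntax. Example:
-; http://www.foo.bar/status
-; http://www.foo.bar/status?json
-; http://www.foo.bar/status?html
-; Note: The value must start with a leading slash (/). The value can be
-; anything, but it may not be a good idea to use the .php extension or it
-; may conflict with a real PHP file.
-; Default Value: not set
-pm.status_path = {{ item.pm_status_path | default('/status') }}
-
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-; anything, but it may not be a good idea to use the .php extension or it
-; may conflict with a real PHP file.
-; Default Value: not set
-ping.path = {{ item.ping_path | default('/ping') }}
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-ping.response = {{ item.ping_response | default('www') }}
-
-access.log = /var/log/php-fpm/$pool-access.log
-
-; The access log format.
-; The following syntax is allowed
-; %%: the '%' character
-; %C: %CPU used by the request
-; it can accept the following format:
-; - %{user}C for user CPU only
-; - %{system}C for system CPU only
-; - %{total}C for user + system CPU (default)
-; %d: time taken to serve the request
-; it can accept the following format:
-; - %{seconds}d (default)
-; - %{miliseconds}d
-; - %{mili}d
-; - %{microseconds}d
-; - %{micro}d
-; %e: an environment variable (same as $_ENV or $_SERVER)
-; it must be associated with embraces to specify the name of the env
-; variable. Some exemples:
-; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-; %f: script filename
-; %l: content-length of the request (for POST request only)
-; %m: request method
-; %M: peak of memory allocated by PHP
-; it can accept the following format:
-; - %{bytes}M (default)
-; - %{kilobytes}M
-; - %{kilo}M
-; - %{megabytes}M
-; - %{mega}M
-; %n: pool name
-; %o: ouput header
-; it must be associated with embraces to specify the name of the header:
-; - %{Content-Type}o
-; - %{X-Powered-By}o
-; - %{Transfert-Encoding}o
-; - ....
-; %p: PID of the child that serviced the request
-; %P: PID of the parent of the child that serviced the request
-; %q: the query string
-; %Q: the '?' character if query string exists
-; %r: the request URI (without the query string, see %q and %Q)
-; %R: remote IP address
-; %s: status (response code)
-; %t: server time the request was received
-; it can accept a strftime(3) format:
-; %d/%b/%Y:%H:%M:%S %z (default)
-; %T: time the log has been written (the request has finished)
-; it can accept a strftime(3) format:
-; %d/%b/%Y:%H:%M:%S %z (default)
-; %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-access.format = "%{REMOTE_ADDR}e - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-request_terminate_timeout = {{ item.req_term_timeout | default('240s') }}
-
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-request_slowlog_timeout = {{ item.slowlog_timeout | default('20s') }}
-
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-slowlog = /var/log/php-fpm/$pool-slow.log
-
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-rlimit_files = {{ item.rlimit_files | default('4096') }}
-
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: chrooting is a great security feature and should be used whenever
-; possible. However, all PHP paths will be relative to the chroot
-; (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot =
-
-; Chdir to this directory at the start. This value must be an absolute path.
-; Default Value: current directory or / when chroot
-;chdir = /var/www
-
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Default Value: no
-catch_workers_output = yes
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; exectute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-security.limit_extensions = {{ item.php_extensions | default('.php') }}
-
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-env[HOSTNAME] = $HOSTNAME
-env[PATH] = /usr/bin:/bin
-env[TMP] = /tmp
-env[TMPDIR] = /tmp
-env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-; php_value/php_flag - you can set classic ini defines which can
-; be overwritten from PHP call 'ini_set'.
-; php_admin_value/php_admin_flag - these directives won't be overwritten by
-; PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Default Value: nothing is defined by default except the values in php.ini and
-; specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-php_flag[display_errors] = {{ item.display_errors | default('off') }}
-php_admin_value[error_log] = {{ phpfpm_logdir }}/$pool-error.log
-php_admin_flag[log_errors] = {{ item.log_errors | default('on') }}
-php_admin_value[memory_limit] = {{ item.memory_limit | default('64M') }}
-php_admin_value[upload_max_filesize] = {{ item.upload_max_filesize | default('20M') }}
-php_admin_value[post_max_size] = {{ item.upload_max_filesize | default('20M') }}
-php_admin_value[upload_tmp_dir] = {{ item.upload_tmp_dir | default('/var/tmp') }}
-; Set session path to a directory owned by process user
-php_value[session.save_handler] = '{{ item.session_save_handler | default('files') }}'
-{% if phpfpm_session_prefix is defined %}
-php_value[session.save_path] = '{{ phpfpm_session_prefix }}/{{ item.pool_name }}'
-{% else %}
-php_value[session.save_path] = '{{ phpfpm_default_session_dir }}'
-{% endif %}
-{% if item.define_custom_variables is defined and item.define_custom_variables %}
-{% for php_var in phpfpm_php_variables %}
-php_value[{{ php_var.prop }}] = {{ php_var.value }}
-{% endfor %}
-{% endif %}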
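--- a/<path not shown>
+++ /dev/null
@@ -1,115 +0,0 @@
-;;;;;;;;;;;;;;;;;;;;;
-; FPM Configuration ;
-;;;;;;;;;;;;;;;;;;;;;
-
-; All relative paths in this configuration file are relative to PHP's install
-; prefix.
-
-; Include one or more files. If glob(3) exists, it is used to include a bunch of
-; files from a glob(3) pattern. This directive can be used everywhere in the
-; file.
-;include={{ phpfpm_base_dir }}/*.conf
-
-;;;;;;;;;;;;;;;;;;
-; Global Options ;
-;;;;;;;;;;;;;;;;;;
-
-[global]
-; Pid file
-; Default Value: none
-pid = /run/php/php{{ php_version }}-fpm.pid
-
-; Error log file
-; If it's set to "syslog", log is sent to syslogd instead of being written
-; in a local file.
-; Default Value: /var/log/php-fpm.log
-error_log = {{ phpfpm_error_logfile }}
-
-{% if phpfpm_error_logfile == 'syslog' %}
-; syslog_facility is used to specify what type of program is logging the
-; message. This lets syslogd specify that messages from different facilities
-; will be handled differently.
-; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
-; Default Value: daemon
-syslog.facility = {{ phpfpm_syslog_facility }}
-
-; syslog_ident is prepended to every message. If you have multiple FPM
-; instances running on the same server, you can change the default value
-; which must suit common needs.
-; Default Value: php-fpm
-syslog.ident = {{ phpfpm_syslog_ident }}
-{% endif %}
-
-; Log level
-; Possible Values: alert, error, warning, notice, debug
-; Default Value: notice
-log_level = {{ phpfpm_log_level }}
-
-; If this number of child processes exit with SIGSEGV or SIGBUS within the time
-; interval set by emergency_restart_interval then FPM will restart. A value
-; of '0' means 'Off'.
-; Default Value: 0
-emergency_restart_threshold = {{ phpfpm_emergency_restart_threshold }}
-
-; Interval of time used by emergency_restart_interval to determine when
-; a graceful restart will be initiated. This can be useful to work around
-; accidental corruptions in an accelerator's shared memory.
-; Available Units: s(econds), m(inutes), h(ours), or d(ays)
-; Default Unit: seconds
-; Default Value: 0
-emergency_restart_interval = {{ phpfpm_emergency_restart_interval }}
-
-; Time limit for child processes to wait for a reaction on signals from master.
-; Available units: s(econds), m(inutes), h(ours), or d(ays)
-; Default Unit: seconds
-; Default Value: 0
-process_control_timeout = {{ phpfpm_process_control_timeout }}
-
-; The maximum number of processes FPM will fork. This has been design to control
-; the global number of processes when using dynamic PM within a lot of pools.
-; Use it with caution.
-; Note: A value of 0 indicates no limit
-; Default Value: 0
-{% if phpfpm_set_process_max %}
-process.max = {{ phpfpm_process_max }}
-{% endif %}
-
-; Specify the nice(2) priority to apply to the master process (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-; - The pool process will inherit the master process priority
-; unless it specified otherwise
-; Default Value: no set
-;process.priority = -19
-
-; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
-; Default Value: yes
-daemonize = yes
-
-; Set open file descriptor rlimit for the master process.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit for the master process.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-{% if phpfpm_set_event_mechanism %}
-; Specify the event mechanism FPM will use. The following is available:
-; - select (any POSIX os)
-; - poll (any POSIX os)
-; - epoll (linux >= 2.5.44)
-; Default Value: not set (auto detection)
-events.mechanism = {{ phpfpm_event_mechanism }}
-{% endif %}
-
-;;;;;;;;;;;;;;;;;;;;
-; Pool Definitions ;
-;;;;;;;;;;;;;;;;;;;;
-
-; See /etc/php-fpm.d/*.conf
-
-; To configure the pools it is recommended to have one .conf file per
-; pool in the following directory:
-include={{ phpfpm_base_dir }}/pool.d/*.conf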
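--- a/<path not shown>
+++ /dev/null
@@ -1,10 +0,0 @@
-{{ phpfpm_logdir}}/*log {
-missingok
-notifempty
-sharedscripts
-delaycompress
-postrotate
-/usr/lib/php5/php5-fpm-reopenlogs
-endscript
-}
-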
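--- a/<path not shown>
+++ /dev/null
@@ -1,36 +0,0 @@
-Role Name
-=========
-
-Role that installs phpMyAdmin. Optionally depends on apache/nginx and php-fpm. I do not force the dependency because it could be installed together with other PHP applications.
-
-Requirements
-------------
-
-Some PHP package dependencies are listed in the documentation at <https://docs.phpmyadmin.net/en/latest/require.html#php>.
-
-Role Variables
---------------
-
-A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
-
-Dependencies
-------------
-
-No Galaxy dependecies right now
-
-Example Playbook
-----------------
-
-- hosts: servers
-roles:
-- { role: phpMyAdmin }
-
-License
--------
-
-EUPL 1.2
-
-Author Information
-------------------
-
-Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>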
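--- a/<path not shown>
+++ /dev/null
@@ -1,45 +0,0 @@
----
-phpmyadmin_shared_installation: True
-phpmyadmin_behind_nginx: True
-phpmyadmin_behind_apache: False
-phpmyadmin_version: 5.0.2
-phpmyadmin_app: 'phpMyAdmin-{{ phpmyadmin_version }}-all-languages'
-phpmyadmin_download_link: 'https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/{{ phpmyadmin_app }}.zip'
-
-phpmyadmin_install_dir: /srv/phpmyadmin
-phpmyadmin_phpfpm_pool_name: phpmyadmin
-phpmyadmin_phpfpm_pool_user: phpmyadmin
-phpmyadmin_phpfpm_doc_root: '{{ phpmyadmin_install_dir }}/phpmyadmin'
-phpmyadmin_phpfpm_app_context: '/phpmyadmin'
-phpmyadmin_phpfpm_listen_port: 9000
-phpmyadmin_phpfpm_pm_max_children: "6"
-phpmyadmin_phpfpm_pm_start_servers: 2
-phpmyadmin_phpfpm_pm_min_spare_servers: 2
-phpmyadmin_phpfpm_pm_max_spare_servers: 3
-phpmyadmin_phpfpm_virthost: '{{ ansible_fqdn }}'
-phpmyadmin_default_lang: 'en'
-#phpmyadmin_blowfish_secret: 'generate it'
-
-phpmyadmin_target_servers:
-- { description: 'local mysql server', host: 'localhost', port: 3306, socket: '', ssl: 'true', auth_type: 'cookie', user: '', password: '', only_db: "'db1', 'db2'", allowroot: 'false' }
-
-phpmyadmin_php_packages:
-- 'php{{ php_version }}-fpm'
-- 'php{{ php_version }}-json'
-- 'php{{ php_version }}-intl'
-- 'php{{ php_version }}-cli'
-- 'php{{ php_version }}-mysqlnd'
-- 'php{{ php_version }}-gd'
-- 'php{{ php_version }}-json'
-- 'php{{ php_version }}-curl'
-- 'php{{ php_version }}-mbstring'
-- 'php{{ php_version }}-readline'
-- 'php{{ php_version }}-bz2'
-- 'php{{ php_version }}-zip'
-- php-php-gettext
-- php-phpseclib
-- php-tcpdf
-- imagemagick
-
-phpmyadmin_phpfpm_pool:
-- { pool_name: '{{ phpmyadmin_phpfpm_pool_name }}', app_context: '{{ phpmyadmin_phpfpm_app_context }}', doc_root: '{{ phpmyadmin_install_dir }}', user: '{{ phpmyadmin_phpfpm_pool_user }}', group: '{{ phpfpm_co_guard_user }}', listen: '{{ phpfpm_listen_host }}:{{ phpmyadmin_phpfpm_listen_port }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpmyadmin_phpfpm_pm_max_children }}', pm_start_servers: '{{ phpmyadmin_phpfpm_pm_start_servers }}', pm_min_spare: '{{ phpmyadmin_phpfpm_pm_min_spare_servers }}', pm_max_spare: '{{ phpmyadmin_phpfpm_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', req_term_timeout: '240s', admin_write: True, virthost: '{{ phpmyadmin_phpfpm_virthost }}' }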
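--- a/<path not shown>
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for phpMyAdmin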
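--- a/<path not shown>
+++ /dev/null
@@ -1,46 +0,0 @@
-galaxy_info:
-author: Andrea Dell'Amico
-description: IT architect
-company: ISTI-CNR
-
-# If the issue tracker for your role is not on github, uncomment the
-# next line and provide a value
-# issue_tracker_url: http://example.com/issue/tracker
-
-# Some suggested licenses:
-# - BSD (default)
-# - MIT
-# - GPLv2
-# - GPLv3
-# - Apache
-# - CC-BY
-license: EUPL 1.2
-
-min_ansible_version: 2.7
-
-#
-# Provide a list of supported platforms, and for each platform a list of versions.
-# If you don't wish to enumerate all versions for a particular platform, use 'all'.
-# To view available platforms and versions (or releases), visit:
-# https://galaxy.ansible.com/api/v1/platforms/
-#
-platforms:
-- name: EL
-versions:
-- 7
-- name: Ubuntu
-versions:
-- bionic
-
-galaxy_tags: []
-# List tags for your role here, one per line. A tag is a keyword that describes
-# and categorizes the role. Users find roles by searching for tags. Be sure to
-# remove the '[]' above, if you add tags to this list.
-#
-# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-# Maximum 20 tags per role.
-
-dependencies:
-- { role: '../../library/roles/php-fpm', when: not phpmyadmin_shared_installation | bool }
-- { role: '../../library/roles/nginx', when: not phpmyadmin_shared_installation | bool and phpmyadmin_behind_nginx | bool }
-- { role: '../../library/roles/apache', when: not phpmyadmin_shared_installation | bool and phpmyadmin_behind_apache | bool }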
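--- a/<path not shown>
+++ /dev/null
@@ -1,31 +0,0 @@
----
-- name: Install and configure phpMyAdmin
-block:
-- name: Create the phpmyadmin download directory
-file: dest={{ phpmyadmin_install_dir }} state=directory
-
-- name: Create the phpmyadmin download, upload and tmp directories
-file: dest={{ item }} state=directory owner={{ phpmyadmin_phpfpm_pool_user }} mode=0700
-with_items:
-- '{{ phpmyadmin_install_dir }}/upload'
-- '{{ phpmyadmin_install_dir }}/download'
-- '{{ phpmyadmin_install_dir }}/tmp'
-
-- name: Download and unarchive the phpMyAdmin distribution
-unarchive: remote_src=yes src={{ phpmyadmin_download_link }} dest={{ phpmyadmin_install_dir }}
-args:
-creates: '{{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }}/index.php'
-
-- name: Remove the test and setup directories
-file: dest={{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }}/{{ item }} state=absent
-with_items:
-- 'test'
-- setup
-
-- name: Set the path to the phpMyAdmin installation
-file: src={{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }} dest={{ phpmyadmin_phpfpm_doc_root }} state=link
-
-- name: Install the phpMyAdmin config file
-template: src=phpmyadmin-config.inc.php.j2 dest={{ phpmyadmin_phpfpm_doc_root }}/config.inc.php owner={{ phpmyadmin_phpfpm_pool_user }} group={{ phpmyadmin_phpfpm_pool_user }} mode=0440
-
-tags: [ 'phpMyadmin', 'phpmyadmin' ]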
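--- a/<path not shown>
+++ /dev/null
@@ -1,25 +0,0 @@
-<?php
-/* Servers configuration */
-{% for server in phpmyadmin_target_servers %}
-/* Server: {{ server.description }} [{{ server.id }}] */
-$cfg['Servers'][{{ server.id }}]['verbose'] = '{{ server.description }}';
-$cfg['Servers'][{{ server.id }}]['host'] = '{{ server.host }}';
-$cfg['Servers'][{{ server.id }}]['port'] = {{ server.port }};
-$cfg['Servers'][{{ server.id }}]['socket'] = '{{ server.socket }}';
-$cfg['Servers'][{{ server.id }}]['ssl'] = {{ server.ssl }};
-$cfg['Servers'][{{ server.id }}]['auth_type'] = '{{ server.auth_type }}';
-$cfg['Servers'][{{ server.id }}]['user'] = '{{ server.user }}';
-$cfg['Servers'][{{ server.id }}]['password'] = '{{ server.password }}';
-$cfg['Servers'][{{ server.id }}]['only_db'] = array({{ server.only_db }});
-$cfg['Servers'][{{ server.id }}]['AllowRoot'] = {{ server.allowroot }};
-
-{% endfor %}
-/* End of servers configuration */
-
-$cfg['blowfish_secret'] = "{{ phpmyadmin_blowfish_secret }}";
-$cfg['DefaultLang'] = '{{ phpmyadmin_default_lang }}';
-$cfg['ServerDefault'] = 1;
-$cfg['UploadDir'] = '{{ phpmyadmin_install_dir }}/upload';
-$cfg['SaveDir'] = '{{ phpmyadmin_install_dir}}/download';
-$cfg['TempDir'] = '{{ phpmyadmin_install_dir}}/tmp';
-?>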
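--- a/<path not shown>
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-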
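--- a/<path not shown>
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
-remote_user: root
-roles:
-- phpMyAdmin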
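--- a/<path not shown>
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# vars file for phpMyAdmin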