diff --git a/library/roles/mysql/defaults/main.yml b/library/roles/mysql/defaults/main.yml deleted file mode 100644 index 5a80fadf..00000000 --- a/library/roles/mysql/defaults/main.yml +++ /dev/null 
@@ -1,57 +0,0 @@
----
-mysql_enabled: True
-mysql_pkg_state: present
-mysql_conf_dir: /etc/mysql/conf.d
-mysql_service_conf_dir: /etc/mysql/mysql.conf.d
-mysql_socket: /run/mysqld/mysqld.sock
-mysql_data_dir: /var/lib/mysql
-mysql_log_dir: /var/log/mysql
-
-mysql_use_ssl: True
-mysql_letsencrypt_certificates: True
-
-# python-mysqldb is needed by ansible to manage users and databases
-mysql_packages_list:
- - mysql-server
- - mysql-client
- - mytop
- - python-mysqldb
- - python-pymysql
- - python-mysql.connector
-
-mysql_db_name: db_name
-mysql_db_user: db_user
-mysql_db_pwd: "We cannot save the password into the repository. Use another variable and change pgpass.j2 accordingly. Encrypt the file that contains the variable with ansible-vault"
-
-mysql_binary_logging: True
-mysql_server_id: 1
-# Alternatives: utf8
-mysql_default_encoding: utf8mb4
-# Alternatives: utf8_unicode_ci utf8_bin
-mysql_default_collation: utf8mb4_unicode_ci
-mysql_db_host: localhost
-mysql_db_port: 3306
-mysql_db_max_connections: 100
-mysqld_db_read_buffer_size: 128K
-mysql_db_read_rnd_buffer_size: 256K
-mysql_db_innodb_data_file_path: 'ibdata1:10M:autoextend'
-mysql_db_innodb_buffer_pool_size: 256M
-mysql_db_innodb_additional_mem_pool_size: 5M
-# Set .._log_file_size to 25 % of buffer pool size
-mysql_db_innodb_log_file_size: 64M
-mysql_db_innodb_log_buffer_size: 9M
-mysql_safe_open_files_limit: 1024
-mysql_max_allowed_packet: 16M
-mysql_skip_name_resolve: True
-
-mysql_listen_on_ext_int: False
-#mysql_db_data:
-# - { name: '{{ mysql_db_name }}', collation: '{{ mysql_default_collation }}', encoding: '{{ mysql_default_encoding }}', user: '{{ mysql_db_user }}', pwd: '{{ mysql_db_pwd }}', user_grant: 'ALL', allowed_hosts: [ 'localhost', 'yyy.yyy.yyy.yyy/32', 'yyy.yyy.yyy.yyy' ] }
-
-mysql_backup_use_nagios: False
-mysql_backup_logdir: '{{ mysql_log_dir }}'
-mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log'
-mysql_backup_retain_copies: 3
-mysql_backup_destdir: /var/lib/mysql-backup
-mysql_backup_exclude_list: "performance_schema" - diff --git a/library/roles/mysql/files/letsencrypt-mysql-hook.sh b/library/roles/mysql/files/letsencrypt-mysql-hook.sh deleted file mode 100644 index aaa74c55..00000000 --- a/library/roles/mysql/files/letsencrypt-mysql-hook.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash - -H_NAME=$( hostname -f ) -LE_CERTS_DIR=/var/lib/acme/live/$H_NAME -LE_LOG_DIR=/var/log/letsencrypt -LE_LOG_FILE="${LE_LOG_DIR}/mysql.log" -MYSQL_CERTDIR=/var/lib/mysql - -DATE=$( date ) - -[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR -echo "$DATE" >> $LE_LOG_FILE - -if [ -f "/etc/default/acme_sh_request_env" ] ; then - # shellcheck source=/etc/default/acme_sh_request_env - source "/etc/default/acme_sh_request_env" -else - echo "No letsencrypt default file" >> $LE_LOG_FILE -fi - -echo "Copying the cert files" >> $LE_LOG_FILE -if [ ! -f ${MYSQL_CERTDIR}/ca.pem ] ; then - /bin/cp -f "${LE_CERTS_DIR}/fullchain" ${MYSQL_CERTDIR}/ca.pem - chown mysql:mysql ${MYSQL_CERTDIR}/ca.pem -fi - -/bin/cp -f "${LE_CERTS_DIR}/privkey" ${MYSQL_CERTDIR}/client-key.pem -chmod 400 ${MYSQL_CERTDIR}/client-key.pem -chown mysql:mysql ${MYSQL_CERTDIR}/client-key.pem - -/bin/cp -f "${LE_CERTS_DIR}/cert" ${MYSQL_CERTDIR}/client-cert.pem -chmod 440 ${MYSQL_CERTDIR}/client-cert.pem -chown mysql:mysql ${MYSQL_CERTDIR}/client-cert.pem - -echo "Reload the mysql service" >> $LE_LOG_FILE -if [ -x /bin/systemctl ] ; then - systemctl reload mysql >> $LE_LOG_FILE 2>&1 -else - service mysql reload >> $LE_LOG_FILE 2>&1 -fi - -echo "Done." >> $LE_LOG_FILE - -exit 0 diff --git a/library/roles/mysql/files/mysql-backup.sh b/library/roles/mysql/files/mysql-backup.sh deleted file mode 100755 index 0cdce8c5..00000000 --- a/library/roles/mysql/files/mysql-backup.sh +++ /dev/null 
@@ -1,85 +0,0 @@ -#!/bin/bash - -#echo "`date` mysql DUMP temporarly excluded (by Tom)" -#exit 1 - -RETVAL=0 - -MY_BACKUP_USE_NAGIOS="False" -MY_BACKUP_DIR=/var/lib/mysql-backup -MY_DATA_DIR=/var/lib/mysql -N_DAYS_TO_SPARE=7 -# Exclude list -EXCLUDE_LIST='performance_schema' - -if [ -f /etc/default/mysql_backup ] ; then - . /etc/default/mysql_backup -fi - -if [ ! -f /root/.my.cnf ] ; then - exit 1 -fi - -umask 0077 -# Year month day - hour minute second -SAVE_TIME=$( date +%Y%m%d-%H%M%S ) -TIMESTAMP= -TIMESTAMP_LOG=$MY_BACKUP_DIR/.timestamp - -if [ ! -d $MY_BACKUP_DIR ] ; then - mkdir -p $MY_BACKUP_DIR -fi -if [ ! -d $MY_BACKUP_LOG_DIR ] ; then - mkdir -p $MY_BACKUP_LOG_DIR -fi -if [ ! -d $MY_BACKUP_DIR/history ] ; then - mkdir -p $MY_BACKUP_DIR/history -fi -chmod 700 $MY_BACKUP_DIR -LOCKFILE=$MY_DATA_DIR/.mysqldump.lock -NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status - -if [ ! -f $LOCKFILE ] ; then - touch $LOCKFILE - if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then - > $NAGIOS_LOG - fi - for db in $( mysql -Bse "show databases;" | egrep -v $EXCLUDE_LIST ) ; do - if [ "$db" == "information_schema" ]; then - mysqldump --single-transaction -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log - DUMP_RESULT=$? - else - mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log - DUMP_RESULT=$? 
- fi - chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} - if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then - if [ $DUMP_RESULT -ne 0 ] ; then - echo "$db:FAILED" >> $NAGIOS_LOG - RETVAL=$DUMP_RESULT - else - echo "$db:OK" >> $NAGIOS_LOG - fi - fi - pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1 - rm -f $db.sql - ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql - popd >/dev/null 2>&1 - done - # Do a "flush-hosts" after the backup - mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log - TIMESTAMP=$( date +%s ) - echo "$TIMESTAMP" > $TIMESTAMP_LOG - rm -f $LOCKFILE -else - echo "Old backup still running" > /var/log/mysql-backup.log - RETVAL=2 - if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then - echo "old backup still running:WARNING" >> $NAGIOS_LOG - fi -fi - -# Remove the old backups -find ${MY_BACKUP_DIR}/history -ctime +$N_DAYS_TO_SPARE -exec rm -f {} \; - -exit $RETVAL diff --git a/library/roles/mysql/handlers/main.yml b/library/roles/mysql/handlers/main.yml deleted file mode 100644 index 88318ef0..00000000 --- a/library/roles/mysql/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: Restart mysql - service: name=mysql state=restarted - -- name: Reload mysql - service: name=mysql state=reloaded diff --git a/library/roles/mysql/tasks/configure_root_access.yml b/library/roles/mysql/tasks/configure_root_access.yml deleted file mode 100644 index 360c50c3..00000000 --- a/library/roles/mysql/tasks/configure_root_access.yml +++ /dev/null 
@@ -1,40 +0,0 @@
----
-# 'localhost' needs to be the last item for idempotency, the mysql_user docs
-- name: Secure the mysql root user with a password
- mysql_user: name=root host={{ item }} password={{ mysql_root_password }} login_unix_socket={{ mysql_socket }}
- when: mysql_root_password is defined
- with_items:
- - '{{ ansible_hostname }}'
- - 127.0.0.1
- - ::1
- - localhost
- ignore_errors: True
- tags: [ 'mysql', 'mysql_root' ]
-
-- name: Secure the mysql root user when no password has been defined
- mysql_user: name=root host={{ item }} password="" login_unix_socket={{ mysql_socket }}
- when: mysql_root_password is not defined
- with_items:
- - '{{ ansible_hostname }}'
- - 127.0.0.1
- - ::1
- - localhost
- ignore_errors: True
- tags: [ 'mysql', 'mysql_root' ]
-
-- name: Install the .my.cnf file with root password credentials
- template: src=dot_my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0400
- when: mysql_root_password is defined
- tags: [ 'mysql', 'mysql_root' ]
-
-- name: delete anonymous MySQL server user for the server hostname
- mysql_user: user="" host="{{ ansible_hostname }}" state="absent" login_unix_socket={{ mysql_socket }}
- tags: [ 'mysql', 'mysql_root' ]
-
-- name: delete anonymous MySQL server user for localhost
- mysql_user: user="" state="absent" login_unix_socket={{ mysql_socket }}
- tags: mysql
-
-- name: remove the MySQL test database
- mysql_db: db=test state=absent login_unix_socket={{ mysql_socket }}
- tags: mysql
diff --git a/library/roles/mysql/tasks/disable-mariadb-service.yml b/library/roles/mysql/tasks/disable-mariadb-service.yml
deleted file mode 100644
index 1e878be0..00000000
--- a/library/roles/mysql/tasks/disable-mariadb-service.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: Stop and disable the mysql server if we do not want it running
- service: name=mysql state=stopped enabled=no
- when: not mysql_enabled
- tags:
- - mysql
-
diff --git a/library/roles/mysql/tasks/main.yml b/library/roles/mysql/tasks/main.yml
deleted file mode 100644
index be17d3af..00000000
--- a/library/roles/mysql/tasks/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-- import_tasks: packages.yml
-- import_tasks: mysql-conf.yml
- when: mysql_enabled | bool
-- import_tasks: manage-mysql-service.yml
-- import_tasks: configure_root_access.yml
- when: mysql_enabled | bool
-- import_tasks: manage_my_db.yml
- when: mysql_enabled | bool
-- import_tasks: mysql-backup.yml
- when: mysql_enabled | bool
-- import_tasks: mysql-letsencrypt.yml
- when: mysql_letsencrypt_certificates | bool
-
-
diff --git a/library/roles/mysql/tasks/manage-mysql-service.yml b/library/roles/mysql/tasks/manage-mysql-service.yml
deleted file mode 100644
index 730d3997..00000000
--- a/library/roles/mysql/tasks/manage-mysql-service.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- name: Ensure that the mysql server is enabled and running
- service: name=mysql state=started enabled=yes
- when: mysql_enabled
- tags: [ 'mysql', 'mariadb' ]
-
-- name: Stop and disable the mysql server if we do not want it running
- service: name=mysql state=stopped enabled=no
- when: not mysql_enabled
- tags: [ 'mysql', 'mariadb' ]
-
@@ -1,24 +0,0 @@
----
-- name: Add databases to mysql, if any
- mysql_db: name={{ item.name }} collation={{ item.collation }} encoding={{ item.encoding }} state=present login_unix_socket={{ mysql_socket }}
- with_items: '{{ mysql_db_data | default([]) }}'
- when: item.name is defined
- tags: [ 'mysql', 'mysql_db' ]
-
-- name: Add a user for the databases
- mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv="{{ item.0.name }}.*:{{ item.0.user_grant }}" state=present login_unix_socket={{ mysql_socket }}
- with_subelements:
- - '{{ mysql_db_data | default([]) }}'
- - allowed_hosts
- when: item.0.name is defined
- tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
-
-- name: Additional user privileges, if defined
- mysql_user: name={{ item.0.user }} append_privs=yes priv="{{ item.0.name }}.*:{{ item.0.additional_privs }}" state=present login_unix_socket={{ mysql_socket }}
- with_subelements:
- - '{{ mysql_db_data | default([]) }}'
- - allowed_hosts
- when:
- - item.0.name is defined
- - item.0.additional_privs is defined
- tags: [ 'mysql', 'mysql_db', 'mysql_user' ]
diff --git a/library/roles/mysql/tasks/mysql-backup.yml b/library/roles/mysql/tasks/mysql-backup.yml
deleted file mode 100644
index 036891be..00000000
--- a/library/roles/mysql/tasks/mysql-backup.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: Install a script that performs mysql dumps
- copy: src=mysql-backup.sh dest=/usr/local/sbin/mysql-backup owner=root group=root mode=0750
- tags: [ 'mysql', 'mysql_backup' ]
-
-- name: Install the mysql backup defaults
- template: src=mysql_backup-default.j2 dest=/etc/default/mysql_backup owner=root group=root mode=0440
- tags: [ 'mysql', 'mysql_backup' ]
-
-- name: Cron job that executes mysql nightly backups
- template: src=mysql-backup.cron.j2 dest=/etc/cron.daily/mysql-backup owner=root group=root mode=0755
- tags: [ 'mysql', 'mysql_backup' ]
diff --git a/library/roles/mysql/tasks/mysql-conf.yml b/library/roles/mysql/tasks/mysql-conf.yml
deleted file mode 100644
index da9cb005..00000000
--- a/library/roles/mysql/tasks/mysql-conf.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-- name: Manage the MySQL configuration files
- block:
- - name: Create the data directory
- file: dest={{ mysql_data_dir }} state=directory owner=mysql group=mysql mode=0700
-
- - name: Create the log directory
- file: dest={{ mysql_log_dir }} state=directory owner=mysql group=adm mode=1750
-
- - name: Install the main configuration files.
- template: src={{ item }}.cnf.j2 dest={{ mysql_conf_dir }}/{{ item }}.cnf owner=root group=root mode=0644
- with_items:
- - client
- - mysql-clients
- notify: Restart mysql
-
- - name: Install the main configuration files.
- template: src={{ item }}.cnf.j2 dest={{ mysql_service_conf_dir }}/mysqld.cnf owner=root group=root mode=0644
- with_items:
- - server
- notify: Restart mysql
-
- when: mysql_enabled | bool
- tags: [ 'mysql', 'mariadb', 'mysql_conf' ]
diff --git a/library/roles/mysql/tasks/mysql-letsencrypt.yml b/library/roles/mysql/tasks/mysql-letsencrypt.yml
deleted file mode 100644
index 00e75d74..00000000
--- a/library/roles/mysql/tasks/mysql-letsencrypt.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-- name: Manage the letsencrypt configuration
- block:
- - name: Check if the letsencrypt certificates are in place
- stat: path={{ letsencrypt_acme_certs_dir }}/privkey
- register: letsencrypt_keyfile
-
- - name: Copy the letsencrypt certificate key into the right place
- copy: src={{ letsencrypt_acme_certs_dir }}/privkey dest=/var/lib/mysql/client-key.pem owner=mysql group=mysql mode=0400 remote_src=yes force=yes
- when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
- notify: Restart mysql
-
- - name: Copy the letsencrypt public certificate into the right place
- copy: src={{ letsencrypt_acme_certs_dir }}/cert dest=/var/lib/mysql/client-cert.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
- when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
- notify: Restart mysql
-
- - name: Copy the letsencrypt CA certificate into the right place
- copy: src={{ letsencrypt_acme_certs_dir }}/fullchain dest=/var/lib/mysql/ca.pem owner=mysql group=mysql mode=0444 remote_src=yes force=yes
- when: letsencrypt_keyfile.stat.exists is defined and letsencrypt_keyfile.stat.exists | bool
- notify: Restart mysql
-
- - name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_sh_services_scripts_dir }} state=directory owner=root group=root
-
- - name: Install a script that fix the letsencrypt certificate for mysql and then reload the service
- copy: src=letsencrypt-mysql-hook.sh dest={{ letsencrypt_acme_sh_services_scripts_dir }}/mysql owner=root group=root mode=4555
-
- when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install | bool
- tags: [ 'mysql', 'mariadb', 'letsencrypt', 'mysql_letsencrypt' ]
\ No newline at end of file
diff --git a/library/roles/mysql/tasks/packages.yml b/library/roles/mysql/tasks/packages.yml
deleted file mode 100644
index c11164b6..00000000
--- a/library/roles/mysql/tasks/packages.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: install the mysql packages - apt: pkg={{ item }} state={{ mysql_pkg_state }} - with_items: '{{ mysql_packages_list }}' - tags: mysql - diff --git a/library/roles/mysql/templates/client.cnf.j2 b/library/roles/mysql/templates/client.cnf.j2 deleted file mode 100644 index a0bfa0c8..00000000 --- a/library/roles/mysql/templates/client.cnf.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# The following options will be passed to all MariaDB clients -[client] -#password = your_password -port = 3306 -socket = {{ mysql_socket }} - diff --git a/library/roles/mysql/templates/dot_my.cnf.j2 b/library/roles/mysql/templates/dot_my.cnf.j2 deleted file mode 100644 index 74c129fe..00000000 --- a/library/roles/mysql/templates/dot_my.cnf.j2 +++ /dev/null @@ -1,4 +0,0 @@ -[client] -user=root -password={{ mysql_root_password }} - diff --git a/library/roles/mysql/templates/mysql-backup.cron.j2 b/library/roles/mysql/templates/mysql-backup.cron.j2 deleted file mode 100755 index eed3f439..00000000 --- a/library/roles/mysql/templates/mysql-backup.cron.j2 +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -LOG_FILE=/var/log/mysql-backup.log -if [ -x /etc/cron.daily/duplicity_backup ] ; then - echo "duplicity backups active. Exiting" > $LOG_FILE - exit 0 -fi - -# Remote backup performed by BackupPC. If it is active, do not run via cron -if [ -f /var/log/backuppc.log ] ; then - TMSTMP=$( date +%s ) - . /var/log/backuppc.log - LAST_BACKUP_TIME=$( expr $TMSTMP - $BACKUP_TIMESTAMP ) - if [ $LAST_BACKUP_TIME -lt 86400 -a $BACKUP_RESULT == 'OK' ] ; then - echo "BackupPC is active, doing nothing" > $LOG_FILE - exit 0 - fi -fi - -/usr/local/sbin/mysql-backup > $LOG_FILE 2>&1 - -exit 0 diff --git a/library/roles/mysql/templates/mysql-clients.cnf.j2 b/library/roles/mysql/templates/mysql-clients.cnf.j2 deleted file mode 100644 index 0febb179..00000000 --- a/library/roles/mysql/templates/mysql-clients.cnf.j2 +++ /dev/null 
@@ -1,20 +0,0 @@
-
-[mysql]
-
-[mysql_upgrade]
-
-[mysqladmin]
-
-[mysqlbinlog]
-
-[mysqlcheck]
-
-[mysqldump]
-quick
-max_allowed_packet = 16M
-
-[mysqlimport]
-
-[mysqlshow]
-
-[mysqlslap]
diff --git a/library/roles/mysql/templates/mysql_backup-default.j2 b/library/roles/mysql/templates/mysql_backup-default.j2
deleted file mode 100644
index b189f3d6..00000000
--- a/library/roles/mysql/templates/mysql_backup-default.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-MY_BACKUP_USE_NAGIOS='{{ mysql_backup_use_nagios }}'
-MY_BACKUP_LOG_DIR='{{ mysql_backup_logdir }}'
-MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}'
-N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}'
-MY_BACKUP_DIR='{{ mysql_backup_destdir }}'
-MY_DATA_DIR='{{ mysql_data_dir }}'
-# Exclude list
-EXCLUDE_LIST='{{ mysql_backup_exclude_list }}'
diff --git a/library/roles/mysql/templates/server.cnf.j2 b/library/roles/mysql/templates/server.cnf.j2
deleted file mode 100644
index b2d006ab..00000000
--- a/library/roles/mysql/templates/server.cnf.j2
+++ /dev/null
@@ -1,89 +0,0 @@ -# Here follows entries for some specific programs - -# The MariaDB server -[mysqld] -user = mysql -{% if mysql_listen_on_ext_int %} -bind-address = 0.0.0.0 -{% else %} -bind-address = 127.0.0.1 -{% endif %} -port = {{ mysql_db_port }} -socket = {{ mysql_socket }} -basedir = /usr -datadir = {{ mysql_data_dir }} -log_error = {{ mysql_log_dir }}/error.log -skip-external-locking -# Point the following paths to different dedicated disks -tmpdir = /tmp -lc-messages-dir = /usr/share/mysql - -# -# * Fine Tuning -# -max_connections = {{ mysql_db_max_connections }} -key_buffer_size = 16M -max_allowed_packet = {{ mysql_max_allowed_packet }} -table_open_cache = 512 -sort_buffer_size = 8M -net_buffer_length = 8K -thread_stack = 192K -thread_cache_size = 8 -read_buffer_size = {{ mysqld_db_read_buffer_size }} -read_rnd_buffer_size = {{ mysql_db_read_rnd_buffer_size }} -myisam_sort_buffer_size = 16M -{% if mysql_skip_name_resolve %} -skip-name-resolve -{% endif %} - -{% if mysqld_sql_mode is defined %} -sql_mode = {{ mysqld_sql_mode }} -{% endif %} -{% if mysqld_ft_stopword_file is defined %} -ft_stopword_file = {{ mysqld_ft_stopword_file }} -{% endif %} -{% if mysqld_ft_min_word_lenght is defined %} -ft_min_word_len = {{ mysqld_ft_min_word_lenght }} -{% endif %} -ft_boolean_syntax = '{{ mysql_ft_boolean_syntax | default('+ -><()~*:\"\"&|') }}' - -# -# * Query Cache Configuration -# -query_cache_limit = 1M -query_cache_size = 16M - - -{% if mysql_binary_logging %} -server-id={{ mysql_server_id }} -# Enable binary logging. This is required for acting as a MASTER in a -# replication configuration. You also need the binary log if you need -# the ability to do point in time recovery from your latest backup. 
-log-bin={{ mysql_log_dir }}/mysql-bin.log -expire_logs_days = 10 -max_binlog_size = 100M -# binary logging format - mixed recommended -binlog_format=mixed -{% endif %} - -# Uncomment the following if you are using InnoDB tables -innodb_data_home_dir = {{ mysql_data_dir }} -innodb_data_file_path = {{ mysql_db_innodb_data_file_path }} -innodb_log_group_home_dir = {{ mysql_data_dir }} -# You can set .._buffer_pool_size up to 50 - 80 % -# of RAM but beware of setting memory usage too high -innodb_buffer_pool_size = {{ mysql_db_innodb_buffer_pool_size }} -# Set .._log_file_size to 25 % of buffer pool size -innodb_log_file_size = {{ mysql_db_innodb_log_file_size }} -innodb_log_buffer_size = {{ mysql_db_innodb_log_buffer_size }} -innodb_flush_log_at_trx_commit = 1 -innodb_lock_wait_timeout = 50 - -{% if mysql_use_ssl %} -ssl-ca=/var/lib/mysql/ca.pem -ssl-cert=/var/lib/mysql/client-cert.pem -ssl-key=/var/lib/mysql/client-key.pem -{% endif %} - -[mysqld_safe] -open-files-limit = {{ mysql_safe_open_files_limit }} diff --git a/library/roles/openvpn/defaults/main.yml b/library/roles/openvpn/defaults/main.yml deleted file mode 100644 index b3649632..00000000 --- a/library/roles/openvpn/defaults/main.yml +++ /dev/null 
@@ -1,111 +0,0 @@
----
-openvpn_enabled: True
-openvpn_enable_system_forward: True
-openvpn_management_enabled: False
-openvpn_management_ip: 127.0.0.1
-openvpn_management_port: 1195
-openvpn_management_file: '{{ openvpn_conf_dir }}/auth/management.txt'
-# openvpn_management_password: 'set into a vault file'
-openvpn_pkg_state: latest
-openvpn_pkgs:
- - openvpn
-
-# Authentication choices
-openvpn_cert_auth_enabled: True
-openvpn_username_pam_auth: False
-
-openvpn_radius_auth: False
-openvpn_radius_pkg:
- - openvpn-auth-radius
-
-# With openvpn-auth-ldap. Broken on Ubuntu trusty
-openvpn_ldap_auth: False
-openvpn_ldap_pkg:
- - openvpn-auth-ldap
-
-openvpn_ldap_perl_auth: False
-openvpn_perl_pkg:
- - libnet-ldap-perl
-
-# Server conf parameters
-openvpn_conf_dir: /etc/openvpn
-openvpn_conf_name: openvpn.conf
-
-openvpn_mode: server
-openvpn_dev: tun
-openvpn_port: 1194
-openvpn_protocol: udp
-openvpn_server_net: '192.168.254.0 255.255.255.0'
-#openvpn_push_routes: []
-# - '192.168.253.0 255.255.255.0'
-
-#openvpn_push_settings:
-# - "dhcp-option DNS 10.66.0.4"
-
-#openvpn_remote_servers: []
-
-openvpn_force_ccd: False
-# openvpn_users_customizations:
-# - { cn: 'Joe Bar', ip: '', netmask: '', routes: [ '192.168.253.0 255.255.255.0' ] }
-
-openvpn_tls_server: True
-openvpn_dh: /etc/openvpn/dh2048.pem
-openvpn_tls_auth: '/etc/openvpn/ta.key'
-openvpn_install_alternative_ca: False
-openvpn_alternative_ca_name: ca.pem
-openvpn_ca_dir: False
-openvpn_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
-openvpn_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
-openvpn_key: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
-
-openvpn_ha: False
-# Not a real master. It is only the host where the dh.pem and ta.key are generated
-openvpn_master_host: 'localhost'
-openvpn_is_master_host: False
-
-openvpn_compression_enabled: False
-openvpn_keepalive: '10 120'
-
-openvpn_max_clients: 100
-openvpn_run_unprivileged: True
-openvpn_unprivileged_user: nobody
-openvpn_unprivileged_group: nogroup
-# Not recommended. Use a private CA if possible
-openvpn_letsencrypt_managed: False
-
-openvpn_verbosity_log: 3
-openvpn_mute_after: 20
-
-# LDAP conf
-openvpn_ldap_uri: 'ldap:'
-openvpn_ldap_host: ldap.example.org
-openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
-openvpn_ldap_anon_bind: True
-openvpn_ldap_binddn: uid=admin
-openvpn_ldap_bindpwd: test
-openvpn_ldap_ca: '{{ openvpn_ca }}'
-openvpn_ldap_use_ca_dir: False
-openvpn_ldap_ca_dir: /etc/ssl/certs
-openvpn_ldap_starttls: False
-openvpn_ldap_tls_auth: False
-openvpn_ldap_tls_cert: '{{ openvpn_cert }}'
-openvpn_ldap_tls_key: '{{ openvpn_key }}'
-openvpn_ldap_tls_ciphersuite: 'ALL:!ADH:@STRENGTH'
-# LDAP auth
-openvpn_ldap_base_dn: 'ou=People,dc=example,dc=org'
-openvpn_ldap_user_search: '(&(uid=%u))'
-openvpn_ldap_require_group: False
-# See https://github.com/threerings/openvpn-auth-ldap/issues/7
-openvpn_ldap_without_posix_groups: True
-openvpn_ldap_group_base: 'ou=Groups,dc=example,dc=org'
-openvpn_ldap_group_filter: '(|(cn=developers)(cn=artists))'
-openvpn_ldap_group_member_attr: uniqueMember
-
-# Perl LDAP conf
-openvpn_ldap_perl_auth_ssl: True
-openvpn_ldap_perl_auth_sslport: 636
-openvpn_ldap_perl_auth_group: vpn_ldap_posix_group
-
-openvpn_nagios_checks: False
-openvpn_nagios_deb_deps:
- - libnet-telnet-perl
diff --git a/library/roles/openvpn/files/openvpn-letsencrypt-acme.sh b/library/roles/openvpn/files/openvpn-letsencrypt-acme.sh
deleted file mode 100644
index aec4da33..00000000
--- a/library/roles/openvpn/files/openvpn-letsencrypt-acme.sh
+++ /dev/null
@@ -1,28 +0,0 @@ -#!/bin/bash - -H_NAME=$( hostname -f ) -LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks -LE_CERTS_DIR=/var/lib/acme/live/$H_NAME -LE_LOG_DIR=/var/log/letsencrypt -DATE=$( date ) - -[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR -echo "$DATE" >> $LE_LOG_DIR/openvpn.log - -if [ -f /etc/default/letsencrypt ] ; then - . /etc/default/letsencrypt -else - echo "No letsencrypt default file" >> $LE_LOG_DIR/openvpn.log -fi - -echo "Reload the openvpn service" >> $LE_LOG_DIR/openvpn.log -if [ -x /bin/systemctl ] ; then - systemctl restart openvpn >> $LE_LOG_DIR/openvpn.log 2>&1 -else - service openvpn restart >> $LE_LOG_DIR/openvpn.log 2>&1 -fi - -echo "Done." >> $LE_LOG_DIR/openvpn.log - -exit 0 - diff --git a/library/roles/openvpn/handlers/main.yml b/library/roles/openvpn/handlers/main.yml deleted file mode 100644 index df32d5c0..00000000 --- a/library/roles/openvpn/handlers/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -# OpenVPN does not support a service reload -- name: Reload OpenVPN - service: name=openvpn state=restarted - when: openvpn_enabled - -- name: Restart OpenVPN - service: name=openvpn state=restarted - when: openvpn_enabled - -- name: Reload systemd - systemd: daemon_reload=yes - when: ansible_service_mgr == 'systemd' diff --git a/library/roles/openvpn/tasks/letsencrypt-openvpn.yml b/library/roles/openvpn/tasks/letsencrypt-openvpn.yml deleted file mode 100644 index fd6ddc17..00000000 --- a/library/roles/openvpn/tasks/letsencrypt-openvpn.yml +++ /dev/null 
@@ -1,14 +0,0 @@
----
-- name: Create the acme hooks directory if it does not yet exist
- file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
- when:
- - openvpn_letsencrypt_managed
- - letsencrypt_acme_install
- tags: [ 'openvpn', 'letsencrypt' ]
-
-- name: Install a script that fix the letsencrypt certificate for openvpn and then reload the service
- copy: src=openvpn-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/openvpn owner=root group=root mode=4555
- when:
- - openvpn_letsencrypt_managed
- - letsencrypt_acme_install
- tags: [ 'openvpn', 'letsencrypt' ]
diff --git a/library/roles/openvpn/tasks/main.yml b/library/roles/openvpn/tasks/main.yml
deleted file mode 100644
index 994407f1..00000000
--- a/library/roles/openvpn/tasks/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- import_tasks: openvpn.yml
-- import_tasks: letsencrypt-openvpn.yml
- when: openvpn_letsencrypt_managed | bool
-- import_tasks: openvpn-nagios.yml
- when:
- - nagios_enabled is defined and nagios_enabled | bool
- - openvpn_nagios_checks | bool
diff --git a/library/roles/openvpn/tasks/openvpn-nagios.yml b/library/roles/openvpn/tasks/openvpn-nagios.yml
deleted file mode 100644
index f3f92947..00000000
--- a/library/roles/openvpn/tasks/openvpn-nagios.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- name: Nagios check configuration for openvpn (NRPE required)
- block:
- - name: Install the nagios check deb deps
- apt: pkg={{ openvpn_nagios_deb_deps }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
-
- - name: Install the nagios check script
- template: src=check_openvpn.pl.j2 dest={{ nagios_plugins_dir }}/check_openvpn owner=root group=root mode=0755
-
- - name: Install the nagios nrpe configuration
- template: src=openvpn-nrpe.cfg.j2 dest={{ nrpe_include_dir }}/openvpn.cfg owner=root group=nagios mode=0440
- notify: Reload NRPE server
-
- when:
- - openvpn_enabled | bool
- - ansible_distribution_file_variety == "Debian"
- tags: [ 'openvpn', 'openvpn_nagios', 'nagios' ]
-
diff --git a/library/roles/openvpn/tasks/openvpn.yml b/library/roles/openvpn/tasks/openvpn.yml
deleted file mode 100644
index 0f17e557..00000000
--- a/library/roles/openvpn/tasks/openvpn.yml
+++ /dev/null
@@ -1,209 +0,0 @@
----
-- block:
- - name: Install the OpenVPN main packages
- apt: pkg={{ openvpn_pkgs }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
-
- - name: Create the auth, ipp, ccd and status subdirs
- file: dest={{ openvpn_conf_dir }}/{{ item }} state=directory owner={{ openvpn_unprivileged_user }} group=root mode=0770
- with_items:
- - ipp
- - status
- - auth
- - ccd
-
- when: openvpn_enabled | bool
- tags: openvpn
-
-- block:
- - name: Install the OpenVPN radius auth plugin package
- apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
-
- when: openvpn_radius_auth | bool
- tags: [ 'openvpn', 'openvpn_radius' ]
-
-- block:
- - name: Install the OpenVPN radius auth plugin package
- template: src=management.txt.j2 dest={{ openvpn_management_file }} owner=root group=root mode=0400
-
- when: openvpn_management_enabled | bool
- tags: [ 'openvpn', 'openvpn_management' ]
-
-- block:
- - name: Install the OpenVPN ldap auth plugin package
- apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
-
- - name: Install the LDAP auth configuration file
- template: src=auth-ldap.conf.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf owner=root group={{ openvpn_unprivileged_group }} mode=0440
- notify: Reload OpenVPN
-
- when: openvpn_ldap_auth
- tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ]
-
-- block:
- - name: Remove the LDAP auth configuration file if LDAP is not used
- file: dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf state=absent
- notify: Reload OpenVPN
-
- when: not openvpn_ldap_auth
- tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ]
-
-- block:
- - name: Install the perl libraries needed by the LDAP client authentication script
- apt: pkg={{ openvpn_perl_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
-
- - name: Install the perl LDAP auth script
- template: src=auth-ldap.pl.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap owner=root group={{ openvpn_unprivileged_group }} mode=0550
-
- when: openvpn_ldap_perl_auth
- tags: [ 'openvpn', 'openvpn_ldap' ]
-
-- block:
- - name: Install the main OpenVPN configuration file on the servers
- template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
- notify: Restart OpenVPN
- tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf' ]
-
- - name: Install the custom configuration for specific OpenVPN users in the servers
- template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
- with_items: '{{ openvpn_users_customizations | default([]) }}'
- tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ]
-
- - name: Install the easy-rsa package on servers when we use the certificate authentication
- apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
- when:
- - openvpn_cert_auth_enabled | bool
- - openvpn_is_master_host | bool
-
- when: openvpn_mode == 'server'
- tags: [ 'openvpn', 'openvpn_conf' ]
-
-- block:
- - name: Install the main OpenVPN configuration file on the clients
- template: src=client.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
- notify: Restart OpenVPN
-
- when: openvpn_mode != 'server'
- tags: [ 'openvpn', 'openvpn_conf' ]
-
-- block:
- - name: Install the OpenVPN init defaults
- template: src=openvpn-defaults.j2 dest=/etc/default/openvpn owner=root group=root mode=0444
- notify:
- - Restart OpenVPN
- - Reload systemd
-
- tags: [ 'openvpn', 'openvpn_conf' ]
-
-- block:
- - name: Create the dh file
- shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
- args:
- creates: '{{ openvpn_conf_dir }}/dh2048.pem'
-
- - name: Fix the dh file permissions
- file: dest={{ openvpn_conf_dir }}/dh2048.pem owner=root group=root mode=0444
-
- - name: Create the ta key
- shell: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key
- args:
- creates: '{{ openvpn_conf_dir }}/ta.key'
-
- - name: Fix the ta.key file permissions
- file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
-
- when: openvpn_is_master_host | bool or not openvpn_ha | bool
- tags: [ 'openvpn', 'openvpn_conf' ]
-
-- block:
- - name: Get the dh file from the master host
- synchronize:
- src: '{{ openvpn_conf_dir }}/dh2048.pem'
- #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
- dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
- delegate_to: '{{ openvpn_master_host }}'
- ignore_errors: True
-
- - name: Relax the ta.key file permissions so that it can be copied around
- file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
- delegate_to: '{{ openvpn_master_host }}'
- ignore_errors: True
-
- - name: Get the ta key from the master host
- synchronize:
- src: '{{ openvpn_conf_dir }}/ta.key'
- #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
- dest: '/{{ openvpn_conf_dir }}/ta.key'
- delegate_to: '{{ openvpn_master_host }}'
- ignore_errors: True
-
- - name: Fix the ta.key file permissions
- file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
-
- - name: Fix the ta.key file permissions on the master host
- file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
- delegate_to: '{{ openvpn_master_host }}'
- ignore_errors: True
-
- when:
- - openvpn_ha | bool
- - not openvpn_is_master_host | bool
- tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
-
-- block:
- - name: Get the dh file from the master host
- synchronize:
- src: '{{ openvpn_conf_dir }}/dh2048.pem'
- #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
- dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
- delegate_to: '{{ openvpn_master_host }}'
-
- - name: Relax the ta.key file permissions so that it can be copied around
- file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
- delegate_to: '{{ openvpn_master_host }}'
-
- - name: Get the ta key from the master host
- synchronize:
- src: '{{ openvpn_conf_dir }}/ta.key'
- #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
- dest: '/{{ openvpn_conf_dir }}/ta.key'
- delegate_to: '{{ openvpn_master_host }}'
- ignore_errors: True
-
- - name: Fix the ta.key file permissions
- file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
-
- - name: Fix the ta.key file permissions on the master host
- file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
- delegate_to: '{{ openvpn_master_host }}'
-
- when: openvpn_mode != 'server'
- tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
-
-
-- block:
- - name: Enable kernel forwarding
- sysctl: name={{ item }} value=1 reload=yes state=present
- with_items:
- - net.ipv4.ip_forward
- # - net.ipv6.conf.all.forwarding
- when:
- - openvpn_enable_system_forward | bool
- - openvpn_enabled | bool
-
- - name: Disable kernel forwarding
- sysctl: name={{ item }} value=0 reload=yes state=present
- with_items:
- - net.ipv4.ip_forward
- # - net.ipv6.conf.all.forwarding
- when: not openvpn_enable_system_forward
-
- - name: Ensure that the OpenVPN service is enabled and running
- service: name=openvpn state=started enabled=yes
- when: openvpn_enabled | bool
-
- - name: Ensure that the OpenVPN service is stopped and disabled
- service: name=openvpn state=stopped enabled=no
- when: not openvpn_enabled | bool
-
- tags: openvpn
-
diff --git a/library/roles/openvpn/templates/auth-ldap.conf.j2 b/library/roles/openvpn/templates/auth-ldap.conf.j2
deleted file mode 100644
index 3c83a1fb..00000000
--- a/library/roles/openvpn/templates/auth-ldap.conf.j2
+++ /dev/null
@@ -1,72 +0,0 @@
-
- # LDAP server URL
- URL {{ openvpn_ldap_url }}
-
-{% if not openvpn_ldap_anon_bind %}
- # Bind DN (If your LDAP server doesn't support anonymous binds)
- BindDN "{{ openvpn_ldap_binddn }}"
- # Bind Password
- Password "{{ openvpn_ldap_bindpwd }}"
-{% endif %}
-
- # Network timeout (in seconds)
- Timeout 15
-
-{% if openvpn_ldap_starttls %}
- # Enable Start TLS
- TLSEnable yes
-{% else %}
- TLSEnable no
-{% endif %}
-
-{% if not openvpn_ldap_anon_bind %}
- # Follow LDAP Referrals (anonymously)
- FollowReferrals no
-{% else %}
- FollowReferrals yes
-{% endif %}
-
- # TLS CA Certificate File
- TLSCACertFile {{ openvpn_ldap_ca }}
-
-{% if openvpn_ldap_use_ca_dir %}
- # TLS CA Certificate Directory
- # TLSCACertDir {{ openvpn_ldap_ca_dir }}
-{% endif %}
-
-{% if openvpn_ldap_tls_auth %}
- # Client Certificate and key
- # If TLS client authentication is required
- TLSCertFile {{ openvpn_ldap_tls_cert }}
- TLSKeyFile {{ openvpn_ldap_tls_key }}
-{% endif %}
-
- # Cipher Suite
- # The defaults are usually fine here
- #TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
-
-
-
- # Base DN
- BaseDN "{{ openvpn_ldap_base_dn }}"
-
- # User Search Filter
- SearchFilter "{{ openvpn_ldap_user_search }}"
-
- # Require Group Membership
- RequireGroup {{ openvpn_ldap_require_group }}
-
-{% if openvpn_ldap_require_group %}
- # Add non-group members to a PF table (disabled)
- #PFTable ips_vpn_users
-
-
- BaseDN "{{ openvpn_ldap_group_base }}"
- SearchFilter "{{ openvpn_ldap_group_filter }}"
- RFC2307bis {{ openvpn_ldap_without_posix_groups }}
- MemberAttribute {{ openvpn_ldap_group_member_attr }}
- # Add group members to a PF table (disabled)
- # #PFTable ips_vpn_eng
-
-{% endif %}
-
diff --git a/library/roles/openvpn/templates/auth-ldap.pl.j2 b/library/roles/openvpn/templates/auth-ldap.pl.j2
deleted file mode 100644
index 12ec8251..00000000
--- a/library/roles/openvpn/templates/auth-ldap.pl.j2
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/perl -w
-
-{% if openvpn_ldap_perl_auth_ssl %}
-use Net::LDAPS;
-{% else %}
-use Net::LDAP;
-{% endif %}
-use strict;
-
-my $ldap;
-my $result;
-
-my $opt_uri = "{{ openvpn_ldap_host }}";
-my $opt_user = $ENV{'username'};
-my $opt_passwd = $ENV{'password'};
-my $opt_group = "cn={{ openvpn_ldap_perl_auth_group }},{{ openvpn_ldap_group_base }}";
-my $opt_binddn = "uid=".$opt_user.",{{ openvpn_ldap_base_dn }}";
-
-{% if openvpn_ldap_perl_auth_ssl %}
-$ldap = Net::LDAPS->new($opt_uri, version => 3,
- port => '{{ openvpn_ldap_perl_auth_sslport }}',
- verify => 'require',
- {% if openvpn_ca_dir %}
- capath => '{{ openvpn_ldap_ca }}'
- {% else %}
- cafile => '{{ openvpn_ldap_ca }}'
- {% endif %}
- ) or die("LDAPS connect to $opt_uri failed!");
-{% else %}
-$ldap = Net::LDAP->new($opt_uri) or die("LDAP connect to $opt_uri failed!");
-{% endif %}
-
-{% if openvpn_ldap_nonanon_bind %}
-$result = $ldap->bind('{{ openvpn_ldap_binddn }}', password => '{{ openvpn_ldap_bindpwd | default('') }}');
-{% else %}
-$result = $ldap->bind($opt_binddn, password => $opt_passwd);
-{% endif %}
-$result->code and die($result->error);
-$result = $ldap->search(base=>$opt_group, filter => "(&({{ openvpn_ldap_group_member_attr }}=$opt_user))");
-$result->code();
-if ($result->count == 1) { exit 0; }
-unless($result->count){ exit 1; }
diff --git a/library/roles/openvpn/templates/check_openvpn.pl.j2 b/library/roles/openvpn/templates/check_openvpn.pl.j2
deleted file mode 100644
index ea871605..00000000
--- a/library/roles/openvpn/templates/check_openvpn.pl.j2
+++ /dev/null
@@ -1,219 +0,0 @@
-#!/usr/bin/perl -w
-
-#######################################################################
-#
-# Copyright (c) 2007 Jaime Gascon Romero
-#
-# License Information:
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-#
-# $Id: check_openvpn.pl,v 1.0 2007/07/15 16:07:20 jgr Exp jgr $
-# $Revision: 1.0 $
-# Home Site: http://emergeworld.blogspot.com/
-# #####################################################################
-
-use diagnostics;
-use strict;
-use Net::Telnet ();
-use Getopt::Long qw(:config no_ignore_case);
-use vars qw($PROGNAME $VERSION);
-{% if ansible_distribution_file_variety == "Debian" %}
-use lib "/usr/lib/nagios/plugins";
-{% elif ansible_distribution_file_variety == "Debian" %}
-use lib "/usr/lib64/nagios/plugins";
-{% endif %}
-use utils qw(%ERRORS);
-
-$PROGNAME = "check_openvpn";
-$VERSION = '$Revision: 1.0 $';
-
-$ENV{'PATH'}='';
-$ENV{'BASH_ENV'}='';
-$ENV{'ENV'}='';
-
-my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r);
-
-sub print_help ();
-sub print_usage ();
-
-GetOptions
- ("h" => \$opt_h, "help" => \$opt_h,
- "H=s" => \$opt_H, "host=s" => \$opt_H,
- "p=i" => \$opt_p, "port=i" => \$opt_p,
- "P=s" => \$opt_P, "password=s" => \$opt_P,
- "t=i" => \$opt_t, "timeout=i" => \$opt_t,
- "i" => \$opt_i, "ip" => \$opt_i,
- "n" => \$opt_n, "numeric" => \$opt_n,
- "c" => \$opt_c, "critical" => \$opt_c,
- "w" => \$opt_w, "warning" => \$opt_w,
- "C=s" => \$opt_C, "common_name=s" => \$opt_C,
- "r=s" => \$opt_r, "remote_ip=s" => \$opt_r,
- ) or exit $ERRORS{'UNKNOWN'};
-
-# default values
-unless ( defined $opt_t ) {
- $opt_t = 10;
-}
-
-if ($opt_h) {print_help(); exit $ERRORS{'OK'};}
-
-if ( ! defined($opt_H) || ! defined($opt_p) ) {
- print_usage();
- exit $ERRORS{'UNKNOWN'}
-}
-
-my @lines;
-my @clients;
-my @clients_ip;
-my $t;
-
-eval {
-$t = new Net::Telnet (Timeout => $opt_t,
- Port => $opt_p,
- Prompt => '/END$/'
- );
-$t->open($opt_H);
-if ( defined $opt_P ) {
- $t->waitfor('/ENTER PASSWORD:$/');
- $t->print($opt_P);
-}
-$t->waitfor('/^$/');
-@lines = $t->cmd("status 2");
-$t->close;
-};
-
-if ($@) {
- print "OpenVPN Critical: Can't connect to server\n";
- exit $ERRORS{'CRITICAL'};
-}
-
-
-if (defined $opt_i || defined $opt_r) {
- foreach (@lines) {
- if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) {
- push @clients_ip, $1;
- }
-}
- if (defined $opt_i) {
- print "OpenVPN OK: "."@clients_ip ";
- exit $ERRORS{'OK'};
- } elsif (defined $opt_r) {
- if ( ! grep /\b$opt_r\b/, @clients_ip) {
- if (defined $opt_c) {
- print "OpenVPN CRITICAL: $opt_r don't found";
- exit $ERRORS{'CRITICAL'};
- } else {
- print "OpenVPN WARNING: $opt_r don't found";
- exit $ERRORS{'WARNING'};
- }
- }
- print "OpenVPN OK: "."@clients_ip ";
- exit $ERRORS{'OK'};
- }
-}
-
-foreach (@lines) {
- if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) {
- push @clients, $1;
- }
-}
-
-if (defined $opt_C) {
- if ( ! grep /\b$opt_C\b/, @clients) {
- if (defined $opt_c) {
- print "OpenVPN CRITICAL: $opt_C don't found";
- exit $ERRORS{'CRITICAL'};
- } else {
- print "OpenVPN WARNING: $opt_C don't found";
- exit $ERRORS{'WARNING'};
- }
- }
-}
-
-
-if (defined $opt_n) {
-print "OpenVPN OK: ".@clients." 
connected clients."; -exit $ERRORS{'OK'}; -} - -print "OpenVPN OK: "."@clients "; -exit $ERRORS{'OK'}; - -####################################################################### -###### Subroutines #################################################### - -sub print_usage() { - print "Usage: $PROGNAME -H | --host -p | --port [-P | --password] [-t | --timeout] - [-i | --ip] [-n | --numeric] [-C | --common_name] [-r | --remote_ip] [-c | --critical] [-w | --warning]\n\n"; - print " $PROGNAME [-h | --help]\n"; -} - -sub print_help() { - print "$PROGNAME $VERSION\n\n"; - print "Copyright (c) 2007 Jaime Gascon Romero - -Nagios plugin to check the clients connected to a openvpn server. - -"; - print_usage(); - print " --H | --host - IP address or hostname of the openvpn server. - --p | --port - Management port interface of the openvpn server. - --P | --password - Password for the management interface of the openvpn server. - --t | --timeout - Timeout for the connection attempt. Optional, default 10 seconds. - - - Optional parameters - =================== - --i | --ip - Prints the IP address of the remote client instead of the common name. - --n | --numeric - Prints the number of clients connected to the openvpn server. - - - Matching Parameters - =================== - --C | --common_name - The common name, as it is specified in the client certificate, who is wanted to check. - --r | --remote_ip - The client remote ip address who is wanted to check. - --c | --critical - Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected. - --w | --warning - Exits with WARNING status if the client specified by the common name or the remote ip address is not connected. - - - Other Parameters - ================ - --h | --help - Show this help. -"; - -} - -# vim:sts=2:sw=2:ts=2:et diff --git a/library/roles/openvpn/templates/client.conf.j2 b/library/roles/openvpn/templates/client.conf.j2 deleted file mode 100644 index efc12890..00000000 
--- a/library/roles/openvpn/templates/client.conf.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-client
-dev {{ openvpn_dev }}
-proto {{ openvpn_protocol }}
-{% for srv in openvpn_remote_servers %}
-remote {{ srv.host }} {{ srv.port }}
-{% endfor %}
-remote-random
-resolv-retry infinite
-nobind
-{% if openvpn_run_unprivileged %}
-# Downgrade privileges after initialization (non-Windows only)
-user {{ openvpn_unprivileged_user }}
-group {{ openvpn_unprivileged_group }}
-{% endif %}
-# Try to preserve some state across restarts.
-persist-key
-persist-tun
-ca {{ openvpn_ca }}
-cert {{ openvpn_cert }}
-key {{ openvpn_key }}
-{% if openvpn_cert_auth_enabled %}
-tls-client
-remote-cert-tls server
-{% endif %}
-tls-auth {{ openvpn_tls_auth }} 1
-key-direction 1
-cipher AES-256-CBC
-keepalive {{ openvpn_keepalive }}
-# Set log file verbosity.
-verb {{ openvpn_verbosity_log }}
-# Silence repeating messages
-mute {{ openvpn_mute_after }}
diff --git a/library/roles/openvpn/templates/management.txt.j2 b/library/roles/openvpn/templates/management.txt.j2
deleted file mode 100644
index de14389c..00000000
--- a/library/roles/openvpn/templates/management.txt.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ openvpn_management_password }}
diff --git a/library/roles/openvpn/templates/openvpn-defaults.j2 b/library/roles/openvpn/templates/openvpn-defaults.j2
deleted file mode 100644
index cff032db..00000000
--- a/library/roles/openvpn/templates/openvpn-defaults.j2
+++ /dev/null
@@ -1,36 +0,0 @@
-# This is the configuration file for /etc/init.d/openvpn
-
-#
-# Start only these VPNs automatically via init script.
-# Allowed values are "all", "none" or space separated list of
-# names of the VPNs. If empty, "all" is assumed.
-# The VPN name refers to the VPN configutation file name.
-# i.e. "home" would be /etc/openvpn/home.conf
-#
-# If you're running systemd, changing this variable will
-# require running "systemctl daemon-reload" followed by
-# a restart of the openvpn service (if you removed entries
-# you may have to stop those manually)
-#
-AUTOSTART="all"
-#AUTOSTART="none"
-#AUTOSTART="home office"
-#
-# WARNING: If you're running systemd the rest of the
-# options in this file are ignored.
-#
-# Refresh interval (in seconds) of default status files
-# located in /var/run/openvpn.$NAME.status
-# Defaults to 10, 0 disables status file generation
-#
-#STATUSREFRESH=10
-#STATUSREFRESH=0
-# Optional arguments to openvpn's command line
-OPTARGS=""
-#
-# If you need openvpn running after sendsigs, i.e.
-# to let umountnfs work over the vpn, set OMIT_SENDSIGS
-# to 1 and include umountnfs as Required-Stop: in openvpn's
-# init.d script (remember to run insserv after that)
-#
-OMIT_SENDSIGS=0
diff --git a/library/roles/openvpn/templates/openvpn-nrpe.cfg.j2 b/library/roles/openvpn/templates/openvpn-nrpe.cfg.j2
deleted file mode 100644
index a623b90c..00000000
--- a/library/roles/openvpn/templates/openvpn-nrpe.cfg.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-# OpenVPN connected users
-command[openvpn_users]={{ nagios_plugins_dir }}/check_openvpn -H {{ openvpn_management_ip }} -p {{ openvpn_management_port }} -P {{ openvpn_management_password }}
diff --git a/library/roles/openvpn/templates/openvpn.conf.j2 b/library/roles/openvpn/templates/openvpn.conf.j2
deleted file mode 100644
index f2bf690f..00000000
--- a/library/roles/openvpn/templates/openvpn.conf.j2
+++ /dev/null
@@ -1,126 +0,0 @@
-mode {{ openvpn_mode }}
-dev {{ openvpn_dev }}
-
-port {{ openvpn_port }}
-proto {{ openvpn_protocol }}
-
-{% if openvpn_tls_server %}
-tls-server
-{% endif %}
-
-dh {{ openvpn_dh }}
-ca {{ openvpn_ca }}
-cert {{ openvpn_cert }}
-key {{ openvpn_key }}
-
-topology subnet
-
-server {{ openvpn_server_net }}
-
-ifconfig-pool-persist ipp/ipp.txt
-
-client-config-dir ccd
-# EXAMPLE: Suppose the client
-# having the certificate common name "Thelonious"
-# also has a small subnet behind his connecting
-# machine, such as 192.168.40.128/255.255.255.248.
-# First, uncomment out these lines:
-;client-config-dir ccd
-;route 192.168.40.128 255.255.255.248
-# Then create a file ccd/Thelonious with this line:
-# iroute 192.168.40.128 255.255.255.248
-# This will allow Thelonious' private subnet to
-# access the VPN. This example will only work
-# if you are routing, not bridging, i.e. you are
-# using "dev tun" and "server" directives.
-
-# EXAMPLE: Suppose you want to give
-# Thelonious a fixed VPN IP address of 10.9.0.1.
-# First uncomment out these lines:
-;client-config-dir ccd
-;route 10.9.0.0 255.255.255.252
-# Then add this line to ccd/Thelonious:
-# ifconfig-push 10.9.0.1 10.9.0.2
-
-# Suppose that you want to enable different
-# firewall access policies for different groups
-# of clients. There are two methods:
-# (1) Run multiple OpenVPN daemons, one for each
-# group, and firewall the TUN/TAP interface
-# for each group/daemon appropriately.
-# (2) (Advanced) Create a script to dynamically
-# modify the firewall in response to access
-# from different clients. See man
-# page for more info on learn-address script.
-;learn-address ./script
-
-{% for route in openvpn_push_routes %}
-push "route {{ route }}"
-{% endfor %}
-
-{% for route in openvpn_push_routes %}
-push "route {{ route }}"
-{% endfor %}
-
-{% if openvpn_push_settings is defined %}
-{% for dhcp_opt in openvpn_push_settings %}
-push "{{ dhcp_opt }}"
-{% endfor %}
-{% endif %}
-
-tls-auth {{ openvpn_tls_auth }}
-
-# Select a cryptographic cipher.
-# This config item must be copied to
-# the client config file as well.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
-cipher AES-256-CBC
-
-
-{% if openvpn_compression_enabled %}
-compress lz4-v2
-push "compress lz4-v2"
-{% endif %}
-
-keepalive {{ openvpn_keepalive }}
-
-{% if not openvpn_cert_auth_enabled %}
-# Disable cert-auth
-client-cert-not-required
-{% endif %}
-
-{% if openvpn_username_pam_auth %}
-username-as-common-name
-# PAM login
-plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
-{% endif %}
-
-{% if openvpn_ldap_auth %}
-plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
-{% endif %}
-
-{% if openvpn_ldap_perl_auth %}
-auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
-#script-security 3 execve
-{% endif %}
-
-max-clients {{ openvpn_max_clients }}
-
-persist-tun
-persist-key
-
-status status/openvpn-status.log
-
-{% if openvpn_run_unprivileged %}
-user {{ openvpn_unprivileged_user }}
-group {{ openvpn_unprivileged_group }}
-{% endif %}
-
-verb {{ openvpn_verbosity_log }}
-mute {{ openvpn_mute_after }}
-
-# Notify the client that when the server restarts so it
-# can automatically reconnect.
-explicit-exit-notify 1
diff --git a/library/roles/openvpn/templates/server.conf.j2 b/library/roles/openvpn/templates/server.conf.j2
deleted file mode 100644
index 37a8d65a..00000000
--- a/library/roles/openvpn/templates/server.conf.j2
+++ /dev/null
@@ -1,79 +0,0 @@
-mode {{ openvpn_mode }}
-{% if openvpn_management_enabled %}
-management {{ openvpn_management_ip }} {{ openvpn_management_port }} {{ openvpn_management_file }}
-{% endif %}
-dev {{ openvpn_dev }}
-port {{ openvpn_port }}
-proto {{ openvpn_protocol }}
-topology subnet
-server {{ openvpn_server_net }}
-{% if openvpn_ifconfig_pool is defined %}
-# Works in bridge mode only
-#ifconfig-pool {{ openvpn_ifconfig_pool }}
-{% endif %}
-ifconfig-pool-persist ipp/ipp.txt
-client-config-dir ccd
-{% if openvpn_force_ccd %}
-ccd-exclusive
-{% endif %}
-{% if openvpn_client_routes is defined %}
-{% for route in openvpn_client_routes %}
-route {{ route }}
-{% endfor %}
-{% endif %}
-{% if openvpn_push_routes is defined %}
-{% for route in openvpn_push_routes %}
-push "route {{ route }}"
-{% endfor %}
-{% endif %}
-{% if openvpn_push_settings is defined %}
-{% for dhcp_opt in openvpn_push_settings %}
-push "{{ dhcp_opt }}"
-{% endfor %}
-{% endif %}
-cipher AES-256-CBC
-{% if openvpn_compression_enabled %}
-compress lz4-v2
-push "compress lz4-v2"
-{% endif %}
-keepalive {{ openvpn_keepalive }}
-{% if openvpn_cert_auth_enabled %}
-tls-server
-{% endif %}
-tls-auth {{ openvpn_tls_auth }} 0
-key-direction 0
-dh {{ openvpn_dh }}
-ca {{ openvpn_ca }}
-cert {{ openvpn_cert }}
-key {{ openvpn_key }}
-{% if not openvpn_cert_auth_enabled %}
-# Disable cert-auth
-client-cert-not-required
-{% endif %}
-{% if openvpn_username_pam_auth %}
-username-as-common-name
-# PAM login
-plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
-{% endif %}
-{% if openvpn_ldap_auth %}
-plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
-{% endif %}
-{% if openvpn_ldap_perl_auth %}
-auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
-script-security 3 execve
-{% endif %}
-max-clients {{ openvpn_max_clients }}
-persist-tun
-persist-key
-status status/openvpn-status.log
-{% if openvpn_run_unprivileged %}
-user {{ openvpn_unprivileged_user }}
-group {{ openvpn_unprivileged_group }}
-{% endif %}
-verb {{ openvpn_verbosity_log }}
-mute {{ openvpn_mute_after }}
-{% if openvpn_protocol == 'udp' %}
-# Notify the client that when the server restarts so it
-# can automatically reconnect.
-explicit-exit-notify 1
-{% endif %}
diff --git a/library/roles/openvpn/templates/user-ccd.conf.j2 b/library/roles/openvpn/templates/user-ccd.conf.j2
deleted file mode 100644
index 0ca993a7..00000000
--- a/library/roles/openvpn/templates/user-ccd.conf.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-ifconfig-push {{ item.ip }} {{ item.netmask }}
-{% for net in item.routes %}
-push "route {{ net }}"
-{% endfor %}
diff --git a/library/roles/php-fpm/defaults/main.yml b/library/roles/php-fpm/defaults/main.yml
deleted file mode 100644
index 377f4fdf..00000000
--- a/library/roles/php-fpm/defaults/main.yml
+++ /dev/null
@@ -1,92 +0,0 @@
----
-#
-# IMPORTANT: the template will be used on a task that refers 'phpfpm_pools' inside a 'with_items' loop. So
-# the variables into the template are all 'item.XXX'
-#
-phpfpm_service_enabled: True
-phpfpm_remove_php_module: True
-php_from_ppa: False
-php_ppa: ppa:ondrej/php
-php_version: 7.2
-php_run_dir: '/run/php'
-
-phpfpm_root_dir: '/etc/php/{{ php_version }}'
-phpfpm_base_dir: '{{ phpfpm_root_dir }}/fpm'
-phpfpm_cli_dir: '{{ phpfpm_root_dir }}/cli'
-
-php_fpm_packages:
- - 'php{{ php_version }}-fpm'
- - 'php{{ php_version }}-cli'
-
-#php_global_settings:
-# - { option: '', value: '', state: '' }
-#php_cli_global_settings:
-# - { option: '', value: '', state: '' }
-
-# Main confign file settings
-# It can be 'syslog'
-phpfpm_logdir: /var/log/php-fpm
-phpfpm_error_logfile: '/var/log/php{{ php_version }}-fpm.log'
-phpfpm_syslog_facility: daemon
-phpfpm_syslog_ident: php-fpm
-phpfpm_log_level: notice
-phpfpm_emergency_restart_threshold: 5
-phpfpm_emergency_restart_interval: 2m
-phpfpm_process_control_timeout: 10s
-phpfpm_set_process_max: False
-phpfpm_process_max: 256
-phpfpm_set_event_mechanism: False
-phpfpm_event_mechanism: epoll
-
-
-# Pools settings
-phpfpm_default_pool_name: "php-fpm"
-phpfpm_pool_name: "{{ phpfpm_default_pool_name }}"
-phpfpm_remove_default_pool: True
-phpfpm_use_default_template: True
-phpfpm_create_users: True
-phpfpm_default_user: php-fpm
-phpfpm_default_group: '{{ phpfpm_default_user }}'
-phpfpm_listen_on_socket: False
-phpfpm_default_listen: "{{ php_run_dir }}/{{ phpfpm_pool_name }}.sock"
-#phpfpm_default_listen: "127.0.0.1:9000"
-phpfpm_default_allowed_clients: "127.0.0.1"
-phpfpm_default_pm: "dynamic"
-phpfpm_default_pm_max_children: "50"
-phpfpm_default_pm_start_servers: "8"
-phpfpm_default_pm_min_spare_servers: "5"
-phpfpm_default_pm_max_spare_servers: "12"
-phpfpm_default_pm_max_requests: "10000"
-phpfpm_default_pm_status_enabled: False
-phpfpm_default_pm_status_path: "/status"
-phpfpm_default_ping_enabled: False
-phpfpm_default_ping_path: "/ping"
-phpfpm_default_ping_response: '{{ phpfpm_default_pool_name }}'
-phpfpm_default_display_errors: "off"
-phpfpm_default_log_errors: "on"
-phpfpm_default_memory_limit: "64M"
-phpfpm_default_request_terminate_timeout: "240s"
-phpfpm_default_slowlog_timeout: "20s"
-phpfpm_default_rlimit_files: "4096"
-phpfpm_default_extensions: ".php"
-phpfpm_default_context: '/'
-phpfpm_default_session_handler: 'files'
-phpfpm_default_session_prefix: '/var/lib/php'
-phpfpm_default_session_dir: '{{ phpfpm_default_session_prefix }}/sessions'
-phpfpm_default_define_custom_variables: False
-
-phpfpm_use_memcache_redundancy_sessions: False
-phpfpm_use_memcached_redundancy_sessions: False
-
-memcache_session:
- - { prop: 'memcache.allow_failover', value: 1 }
- - { prop: 'memcache.session_redundancy', value: 3 }
- - { prop: 'memcache.hash_strategy', value: 'standard' }
- - { prop: 'memcache.max_failover_attempts', value: '20' }
-
-phpfpm_php_variables:
- - { prop: 'session.gc_maxlifetime', value: 1440 }
- - { prop: 'session.cache_expire', value: 180 }
-
-phpfpm_pools:
- - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}' }
diff --git a/library/roles/php-fpm/handlers/main.yml b/library/roles/php-fpm/handlers/main.yml
deleted file mode 100644
index dc9b0beb..00000000
--- a/library/roles/php-fpm/handlers/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Reload php-fpm
- service: name=php{{ php_version }}-fpm state=reloaded
- when: phpfpm_service_enabled
-
-- name: Restart php-fpm
- service: name=php{{ php_version }}-fpm state=restarted
- when: phpfpm_service_enabled
diff --git a/library/roles/php-fpm/tasks/main.yml b/library/roles/php-fpm/tasks/main.yml
deleted file mode 100644
index 09435172..00000000
--- a/library/roles/php-fpm/tasks/main.yml
+++ /dev/null
@@ -1,95 +0,0 @@ ---- -# php as a standalone service -- name: Install the Ubuntu PHP PPA - apt_repository: repo={{ php_ppa }} state=present update_cache=yes - when: php_from_ppa | bool - tags: [ 'php', 'php_ppa' ] - -- name: Remove the Ubuntu PHP PPA - apt_repository: repo={{ php_ppa }} state=absent update_cache=yes - when: not php_from_ppa - tags: [ 'php', 'php_ppa' ] - -- name: Install the php-fpm package - apt: pkg={{ php_fpm_packages }} state=present update_cache=yes cache_valid_time=3600 - tags: php - -- name: Install additional php packages - apt: pkg={{ php_additional_packages | default([]) }} state=present update_cache=yes cache_valid_time=3600 - tags: php - -- name: Set the timezone if we have one - ini_file: dest={{ phpfpm_base_dir }}/php.ini section=Date option=date.timezone value={{ timezone }} backup=yes - when: timezone is defined - notify: Reload php-fpm - tags: [ 'php', 'php_ini' ] - -- name: Modify the global php settings - ini_file: dest={{ phpfpm_base_dir }}/php.ini section={{ item.section | default('PHP') }} option={{ item.option }} value={{ item.value }} backup=yes state={{ item.state | default('present') }} - with_items: '{{ php_global_settings | default([]) }}' - notify: Reload php-fpm - tags: [ 'php', 'php_ini' ] - -- name: Modify the global php cli settings - ini_file: dest={{ phpfpm_cli_dir }}/php.ini section={{ item.section | default('PHP') }} option={{ item.option }} value={{ item.value }} backup=yes state={{ item.state | default('present') }} - with_items: '{{ php_cli_global_settings | default([]) }}' - tags: [ 'php', 'php_ini' ] - -- name: Activate the memcache sessions support and redundancy if needed - action: configfile path={{ phpfpm_base_dir }}/conf.d/20-memcache.ini key={{ item.prop }} value='{{ item.value }}' - when: phpfpm_use_memcache_redundancy_sessions | bool - with_items: '{{ memcache_session }}' - notify: Reload php-fpm - tags: [ 'php', 'php_ini' ] - -- name: remove php-fpm default pool - file: dest={{ phpfpm_base_dir 
}}/pool.d/www.conf state=absent - when: phpfpm_remove_default_pool | bool - notify: Restart php-fpm - tags: php - -- name: Create the users under the php-fpm processes will run - user: name={{ item.user }} comment="{{ item.user }}" home=/dev/null createhome=no shell=/sbin/nologin - with_items: '{{ phpfpm_pools }}' - when: phpfpm_create_users | bool - notify: Restart php-fpm - tags: [ 'php', 'fpm_pool' ] - -- name: Create the directories where to store the sessions files. One for each pool - file: dest={{ phpfpm_session_prefix }}/{{ item.pool_name }} owner={{ item.user }} group=root mode=0750 state=directory - with_items: '{{ phpfpm_pools }}' - when: - - phpfpm_session_prefix is defined - - phpfpm_use_default_template | bool - tags: [ 'php', 'fpm_pool' ] - -- name: Create the directories where to store the log files - file: dest={{ phpfpm_logdir }} owner=root group=root mode=0750 state=directory - tags: [ 'php', 'fpm_pool' ] - -- name: Install the php-fpm logrotate file - template: src=php-fpm.logrotate.j2 dest=/etc/logrotate.d/php-fpm owner=root group=root mode=0444 - tags: [ 'php', 'fpm_conf' ] - -- name: Install the php-fpm main config file - template: src=php-fpm.conf.j2 dest={{ phpfpm_base_dir }}/php-fpm.conf owner=root group=root mode=0444 - notify: Restart php-fpm - tags: [ 'php', 'fpm_conf', 'fpm_pool' ] - -- name: Install the php-fpm pools - template: src=php-fpm-pool.conf.j2 dest={{ phpfpm_base_dir }}/pool.d/{{ item.pool_name }}.conf owner=root group=root mode=0444 - with_items: '{{ phpfpm_pools }}' - when: phpfpm_use_default_template | bool - notify: Restart php-fpm - tags: [ 'php', 'fpm_conf', 'fpm_pool', 'fpm_pool_conf' ] - -- name: Ensure that the php-fpm service is started and enabled - service: name=php{{ php_version }}-fpm state=started enabled=yes - when: phpfpm_service_enabled | bool - tags: php - -- name: Ensure that the php-fpm service is stopped and disabled - service: name=php{{ php_version }}-fpm state=stopped enabled=no - when: not 
phpfpm_service_enabled
- tags: php
-
diff --git a/library/roles/php-fpm/templates/php-fpm-pool.conf.j2 b/library/roles/php-fpm/templates/php-fpm-pool.conf.j2
deleted file mode 100644
index 9f95184b..00000000
--- a/library/roles/php-fpm/templates/php-fpm-pool.conf.j2
+++ /dev/null
@@ -1,296 +0,0 @@ -; Start a new pool named 'www'. -[{{ item.pool_name | default('www') }}] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. -listen = {{ item.listen | default ('127.0.0.1:9000') }} - -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = {{ item.allowed_clients | default ('127.0.0.1') }} - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -{% if phpfpm_listen_on_socket %} -listen.owner = {{ item.user }} -listen.group = www-data -listen.mode = 0660 -{% endif %} - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -; RPM: apache Choosed to be able to access some dir as httpd -user = {{ item.user | default('php-fpm') }} -; RPM: Keep a group allowed to write in log dir. -group = {{ item.group | default('php-fpm') }} - -; Choose how the process manager will control the number of child processes. 
-; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. -; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = {{ item.pm | default('dynamic') }} - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = {{ item.pm_max_children | default('50') }} - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -pm.start_servers = {{ item.pm_start_servers | default('3') }} - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = {{ item.pm_min_spare | default('1') }} - -; The desired maximum number of idle server processes. 
-; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = {{ item.pm_max_spare | default('10') }} - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -pm.max_requests = {{ item.pm_max_requests | default('10000') }} - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = {{ item.pm_status_path | default('/status') }} - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. 
This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -ping.path = {{ item.ping_path | default('/ping') }} - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -ping.response = {{ item.ping_response | default('www') }} - -access.log = /var/log/php-fpm/$pool-access.log - -; The access log format. -; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{miliseconds}d -; - %{mili}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. 
Some exemples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: ouput header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; %T: time the log has been written (the request has finished) -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; %u: remote user -; -; Default: "%R - %u %t \"%m %r\" %s" -;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" -access.format = "%{REMOTE_ADDR}e - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -request_terminate_timeout = {{ item.req_term_timeout | default('240s') }} - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. 
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -request_slowlog_timeout = {{ item.slowlog_timeout | default('20s') }} - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/$pool-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -rlimit_files = {{ item.rlimit_files | default('4096') }} - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -security.limit_extensions = {{ item.php_extensions | default('.php') }} - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. 
-; Default Value: clean env -env[HOSTNAME] = $HOSTNAME -env[PATH] = /usr/bin:/bin -env[TMP] = /tmp -env[TMPDIR] = /tmp -env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -php_flag[display_errors] = {{ item.display_errors | default('off') }} -php_admin_value[error_log] = {{ phpfpm_logdir }}/$pool-error.log -php_admin_flag[log_errors] = {{ item.log_errors | default('on') }} -php_admin_value[memory_limit] = {{ item.memory_limit | default('64M') }} -php_admin_value[upload_max_filesize] = {{ item.upload_max_filesize | default('20M') }} -php_admin_value[post_max_size] = {{ item.upload_max_filesize | default('20M') }} -php_admin_value[upload_tmp_dir] = {{ item.upload_tmp_dir | default('/var/tmp') }} -; Set session path to a directory owned by process user -php_value[session.save_handler] = '{{ item.session_save_handler | default('files') }}' -{% if phpfpm_session_prefix is defined %} -php_value[session.save_path] = '{{ phpfpm_session_prefix }}/{{ item.pool_name }}' -{% else %} -php_value[session.save_path] = '{{ phpfpm_default_session_dir }}' -{% endif %} -{% if item.define_custom_variables is 
defined and item.define_custom_variables %}
-{% for php_var in phpfpm_php_variables %}
-php_value[{{ php_var.prop }}] = {{ php_var.value }}
-{% endfor %}
-{% endif %}
diff --git a/library/roles/php-fpm/templates/php-fpm.conf.j2 b/library/roles/php-fpm/templates/php-fpm.conf.j2
deleted file mode 100644
index 692d3542..00000000
--- a/library/roles/php-fpm/templates/php-fpm.conf.j2
+++ /dev/null
@@ -1,115 +0,0 @@ -;;;;;;;;;;;;;;;;;;;;; -; FPM Configuration ; -;;;;;;;;;;;;;;;;;;;;; - -; All relative paths in this configuration file are relative to PHP's install -; prefix. - -; Include one or more files. If glob(3) exists, it is used to include a bunch of -; files from a glob(3) pattern. This directive can be used everywhere in the -; file. -;include={{ phpfpm_base_dir }}/*.conf - -;;;;;;;;;;;;;;;;;; -; Global Options ; -;;;;;;;;;;;;;;;;;; - -[global] -; Pid file -; Default Value: none -pid = /run/php/php{{ php_version }}-fpm.pid - -; Error log file -; If it's set to "syslog", log is sent to syslogd instead of being written -; in a local file. -; Default Value: /var/log/php-fpm.log -error_log = {{ phpfpm_error_logfile }} - -{% if phpfpm_error_logfile == 'syslog' %} -; syslog_facility is used to specify what type of program is logging the -; message. This lets syslogd specify that messages from different facilities -; will be handled differently. -; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON) -; Default Value: daemon -syslog.facility = {{ phpfpm_syslog_facility }} - -; syslog_ident is prepended to every message. If you have multiple FPM -; instances running on the same server, you can change the default value -; which must suit common needs. -; Default Value: php-fpm -syslog.ident = {{ phpfpm_syslog_ident }} -{% endif %} - -; Log level -; Possible Values: alert, error, warning, notice, debug -; Default Value: notice -log_level = {{ phpfpm_log_level }} - -; If this number of child processes exit with SIGSEGV or SIGBUS within the time -; interval set by emergency_restart_interval then FPM will restart. A value -; of '0' means 'Off'. -; Default Value: 0 -emergency_restart_threshold = {{ phpfpm_emergency_restart_threshold }} - -; Interval of time used by emergency_restart_interval to determine when -; a graceful restart will be initiated. This can be useful to work around -; accidental corruptions in an accelerator's shared memory. 
-; Available Units: s(econds), m(inutes), h(ours), or d(ays) -; Default Unit: seconds -; Default Value: 0 -emergency_restart_interval = {{ phpfpm_emergency_restart_interval }} - -; Time limit for child processes to wait for a reaction on signals from master. -; Available units: s(econds), m(inutes), h(ours), or d(ays) -; Default Unit: seconds -; Default Value: 0 -process_control_timeout = {{ phpfpm_process_control_timeout }} - -; The maximum number of processes FPM will fork. This has been design to control -; the global number of processes when using dynamic PM within a lot of pools. -; Use it with caution. -; Note: A value of 0 indicates no limit -; Default Value: 0 -{% if phpfpm_set_process_max %} -process.max = {{ phpfpm_process_max }} -{% endif %} - -; Specify the nice(2) priority to apply to the master process (only if set) -; The value can vary from -19 (highest priority) to 20 (lower priority) -; Note: - It will only work if the FPM master process is launched as root -; - The pool process will inherit the master process priority -; unless it specified otherwise -; Default Value: no set -;process.priority = -19 - -; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging. -; Default Value: yes -daemonize = yes - -; Set open file descriptor rlimit for the master process. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit for the master process. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -{% if phpfpm_set_event_mechanism %} -; Specify the event mechanism FPM will use. 
The following is available: -; - select (any POSIX os) -; - poll (any POSIX os) -; - epoll (linux >= 2.5.44) -; Default Value: not set (auto detection) -events.mechanism = {{ phpfpm_event_mechanism }} -{% endif %} - -;;;;;;;;;;;;;;;;;;;; -; Pool Definitions ; -;;;;;;;;;;;;;;;;;;;; - -; See /etc/php-fpm.d/*.conf - -; To configure the pools it is recommended to have one .conf file per -; pool in the following directory: -include={{ phpfpm_base_dir }}/pool.d/*.conf diff --git a/library/roles/php-fpm/templates/php-fpm.logrotate.j2 b/library/roles/php-fpm/templates/php-fpm.logrotate.j2 deleted file mode 100644 index 75c3b0d3..00000000 --- a/library/roles/php-fpm/templates/php-fpm.logrotate.j2 +++ /dev/null @@ -1,10 +0,0 @@ -{{ phpfpm_logdir}}/*log { - missingok - notifempty - sharedscripts - delaycompress - postrotate - /usr/lib/php5/php5-fpm-reopenlogs - endscript -} - diff --git a/library/roles/phpMyAdmin/README.md b/library/roles/phpMyAdmin/README.md deleted file mode 100644 index afc69617..00000000 --- a/library/roles/phpMyAdmin/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -Role Name -========= - -Role that installs phpMyAdmin. Optionally depends on apache/nginx and php-fpm. I do not force the dependency because it could be installed together with other PHP applications. - -Requirements ------------- - -Some PHP package dependencies are listed in the documentation at . - -Role Variables --------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies ------------- - -No Galaxy dependecies right now - -Example Playbook ----------------- - - - hosts: servers - roles: - - { role: phpMyAdmin } - -License -------- - -EUPL 1.2 - -Author Information ------------------- - -Andrea Dell'Amico, diff --git a/library/roles/phpMyAdmin/defaults/main.yml b/library/roles/phpMyAdmin/defaults/main.yml deleted file mode 100644 index 5da9a42b..00000000 --- a/library/roles/phpMyAdmin/defaults/main.yml +++ /dev/null 
@@ -1,45 +0,0 @@
----
-phpmyadmin_shared_installation: True
-phpmyadmin_behind_nginx: True
-phpmyadmin_behind_apache: False
-phpmyadmin_version: 5.0.2
-phpmyadmin_app: 'phpMyAdmin-{{ phpmyadmin_version }}-all-languages'
-phpmyadmin_download_link: 'https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/{{ phpmyadmin_app }}.zip'
-
-phpmyadmin_install_dir: /srv/phpmyadmin
-phpmyadmin_phpfpm_pool_name: phpmyadmin
-phpmyadmin_phpfpm_pool_user: phpmyadmin
-phpmyadmin_phpfpm_doc_root: '{{ phpmyadmin_install_dir }}/phpmyadmin'
-phpmyadmin_phpfpm_app_context: '/phpmyadmin'
-phpmyadmin_phpfpm_listen_port: 9000
-phpmyadmin_phpfpm_pm_max_children: "6"
-phpmyadmin_phpfpm_pm_start_servers: 2
-phpmyadmin_phpfpm_pm_min_spare_servers: 2
-phpmyadmin_phpfpm_pm_max_spare_servers: 3
-phpmyadmin_phpfpm_virthost: '{{ ansible_fqdn }}'
-phpmyadmin_default_lang: 'en'
-#phpmyadmin_blowfish_secret: 'generate it'
-
-phpmyadmin_target_servers:
- - { description: 'local mysql server', host: 'localhost', port: 3306, socket: '', ssl: 'true', auth_type: 'cookie', user: '', password: '', only_db: "'db1', 'db2'", allowroot: 'false' }
-
-phpmyadmin_php_packages:
- - 'php{{ php_version }}-fpm'
- - 'php{{ php_version }}-json'
- - 'php{{ php_version }}-intl'
- - 'php{{ php_version }}-cli'
- - 'php{{ php_version }}-mysqlnd'
- - 'php{{ php_version }}-gd'
- - 'php{{ php_version }}-json'
- - 'php{{ php_version }}-curl'
- - 'php{{ php_version }}-mbstring'
- - 'php{{ php_version }}-readline'
- - 'php{{ php_version }}-bz2'
- - 'php{{ php_version }}-zip'
- - php-php-gettext
- - php-phpseclib
- - php-tcpdf
- - imagemagick
-
-phpmyadmin_phpfpm_pool:
- - { pool_name: '{{ phpmyadmin_phpfpm_pool_name }}', app_context: '{{ phpmyadmin_phpfpm_app_context }}', doc_root: '{{ phpmyadmin_install_dir }}', user: '{{ phpmyadmin_phpfpm_pool_user }}', group: '{{ phpfpm_co_guard_user }}', listen: '{{ phpfpm_listen_host }}:{{ phpmyadmin_phpfpm_listen_port }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm:
'{{ phpfpm_default_pm }}', pm_max_children: '{{ phpmyadmin_phpfpm_pm_max_children }}', pm_start_servers: '{{ phpmyadmin_phpfpm_pm_start_servers }}', pm_min_spare: '{{ phpmyadmin_phpfpm_pm_min_spare_servers }}', pm_max_spare: '{{ phpmyadmin_phpfpm_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', req_term_timeout: '240s', admin_write: True, virthost: '{{ phpmyadmin_phpfpm_virthost }}' }
diff --git a/library/roles/phpMyAdmin/handlers/main.yml b/library/roles/phpMyAdmin/handlers/main.yml
deleted file mode 100644
index 9df1fcb4..00000000
--- a/library/roles/phpMyAdmin/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# handlers file for phpMyAdmin
\ No newline at end of file
diff --git a/library/roles/phpMyAdmin/meta/main.yml b/library/roles/phpMyAdmin/meta/main.yml
deleted file mode 100644
index 710b1a55..00000000
--- a/library/roles/phpMyAdmin/meta/main.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-galaxy_info:
- author: Andrea Dell'Amico
- description: IT architect
- company: ISTI-CNR
-
- # If the issue tracker for your role is not on github, uncomment the
- # next line and provide a value
- # issue_tracker_url: http://example.com/issue/tracker
-
- # Some suggested licenses:
- # - BSD (default)
- # - MIT
- # - GPLv2
- # - GPLv3
- # - Apache
- # - CC-BY
- license: EUPL 1.2
-
- min_ansible_version: 2.7
-
- #
- # Provide a list of supported platforms, and for each platform a list of versions.
- # If you don't wish to enumerate all versions for a particular platform, use 'all'.
- # To view available platforms and versions (or releases), visit:
- # https://galaxy.ansible.com/api/v1/platforms/
- #
- platforms:
- - name: EL
- versions:
- - 7
- - name: Ubuntu
- versions:
- - bionic
-
- galaxy_tags: []
- # List tags for your role here, one per line. A tag is a keyword that describes
- # and categorizes the role. Users find roles by searching for tags. Be sure to
- # remove the '[]' above, if you add tags to this list.
- #
- # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
- # Maximum 20 tags per role.
-
-dependencies:
- - { role: '../../library/roles/php-fpm', when: not phpmyadmin_shared_installation | bool }
- - { role: '../../library/roles/nginx', when: not phpmyadmin_shared_installation | bool and phpmyadmin_behind_nginx | bool }
- - { role: '../../library/roles/apache', when: not phpmyadmin_shared_installation | bool and phpmyadmin_behind_apache | bool }
diff --git a/library/roles/phpMyAdmin/tasks/main.yml b/library/roles/phpMyAdmin/tasks/main.yml
deleted file mode 100644
index a5ea7b3b..00000000
--- a/library/roles/phpMyAdmin/tasks/main.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-- name: Install and configure phpMyAdmin
- block:
- - name: Create the phpmyadmin download directory
- file: dest={{ phpmyadmin_install_dir }} state=directory
-
- - name: Create the phpmyadmin download, upload and tmp directories
- file: dest={{ item }} state=directory owner={{ phpmyadmin_phpfpm_pool_user }} mode=0700
- with_items:
- - '{{ phpmyadmin_install_dir }}/upload'
- - '{{ phpmyadmin_install_dir }}/download'
- - '{{ phpmyadmin_install_dir }}/tmp'
-
- - name: Download and unarchive the phpMyAdmin distribution
- unarchive: remote_src=yes src={{ phpmyadmin_download_link }} dest={{ phpmyadmin_install_dir }}
- args:
- creates: '{{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }}/index.php'
-
- - name: Remove the test and setup directories
- file: dest={{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }}/{{ item }} state=absent
- with_items:
- - 'test'
- - setup
-
- - name: Set the path to the phpMyAdmin installation
- file: src={{ phpmyadmin_install_dir }}/{{ phpmyadmin_app }} dest={{ phpmyadmin_phpfpm_doc_root }} state=link
-
- - name: Install the phpMyAdmin config file
- template: src=phpmyadmin-config.inc.php.j2 dest={{ phpmyadmin_phpfpm_doc_root }}/config.inc.php owner={{ phpmyadmin_phpfpm_pool_user }} group={{ phpmyadmin_phpfpm_pool_user }} mode=0440
-
- tags: [ 'phpMyadmin', 'phpmyadmin' ]
diff --git a/library/roles/phpMyAdmin/templates/phpmyadmin-config.inc.php.j2 b/library/roles/phpMyAdmin/templates/phpmyadmin-config.inc.php.j2
deleted file mode 100644
index ef1c6595..00000000
--- a/library/roles/phpMyAdmin/templates/phpmyadmin-config.inc.php.j2
+++ /dev/null
@@ -1,25 +0,0 @@
-
\ No newline at end of file
diff --git a/library/roles/phpMyAdmin/tests/inventory b/library/roles/phpMyAdmin/tests/inventory
deleted file mode 100644
index 878877b0..00000000
--- a/library/roles/phpMyAdmin/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
diff --git a/library/roles/phpMyAdmin/tests/test.yml b/library/roles/phpMyAdmin/tests/test.yml
deleted file mode 100644
index 17ba05e0..00000000
--- a/library/roles/phpMyAdmin/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- roles:
- - phpMyAdmin
\ No newline at end of file
diff --git a/library/roles/phpMyAdmin/vars/main.yml b/library/roles/phpMyAdmin/vars/main.yml
deleted file mode 100644
index 9cf9e6e6..00000000
--- a/library/roles/phpMyAdmin/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# vars file for phpMyAdmin
\ No newline at end of file