From 6bcdb51419a2b9fe11b4fba9658d8c32bb2311e6 Mon Sep 17 00:00:00 2001
From: William
Date: Fri, 17 Jun 2022 23:07:30 +0200
Subject: [PATCH] Installation de Nginx, Letsencrypt, PHP & Mariadb.

---
 README.md | 17 ++++----
 hosts.example.ini | 11 +++---
 playbook.yml | 5 ++-
 roles/docker/tasks/main.yml | 45 ---------------------
 roles/mariadb/tasks/main.yml | 26 +++++++++++++
 roles/nginx/tasks/main.yml | 18 +++++++++
 roles/php/defaults/main.yml | 17 ++++++++
 roles/php/tasks/main.yml | 53 +++++++++++++++++++++++++
 roles/traefik/tasks/main.yml | 54 --------------------------
 roles/traefik/templates/traefik.yml.j2 | 24 ------------
 roles/wwwuser/tasks/main.yml | 11 +++++-
 11 files changed, 142 insertions(+), 139 deletions(-)
 delete mode 100644 roles/docker/tasks/main.yml
 create mode 100644 roles/mariadb/tasks/main.yml
 create mode 100644 roles/nginx/tasks/main.yml
 create mode 100644 roles/php/defaults/main.yml
 create mode 100644 roles/php/tasks/main.yml
 delete mode 100644 roles/traefik/tasks/main.yml
 delete mode 100644 roles/traefik/templates/traefik.yml.j2

diff --git a/README.md b/README.md
index aed382a..5afc8d2 100644
--- a/README.md
+++ b/README.md
@@ -1,13 +1,16 @@
 # Playbook webserver
-This playbook installs webserver (Nginx, Mariadb, PHP)
+This playbook installs webserver (Nginx, Letsencrypt, Mariadb & PHP)
 ## Usage
-```shell
-# copy config file then change values
-cp hosts.example.ini hosts.ini
-
-# run playbook
-ansible-playbook -i hosts.ini playbook.yml --extra-vars "ssh_key=id.pub"
+Config
+```bash
+cp hosts.example.ini hosts.ini # copy config file then change values
+touch deploy.pub # paste your ssh pub key for www_user
+```
+
+Then run playbook
+```bash
+ansible-playbook -i hosts.ini playbook.yml
 ```
diff --git a/hosts.example.ini b/hosts.example.ini
index 2b20623..7f063f1 100644
--- a/hosts.example.ini
+++ b/hosts.example.ini
@@ -1,13 +1,14 @@
 [web]
-127.0.0.1
+example.com
 [web:vars]
 ansible_ssh_user=ubuntu
 ansible_python_interpreter=/usr/bin/python3
+
 www_user=user
 www_group=group
 www_home=/home/user
-traefik_dashboard=false
-traefik_dashboard_host=traefik.example.com
-traefik_log_level=ERROR
-traefik_letsencrypt_email=admin@example.com
+
+mysql_root_password='password'
+
+php_version='8.1'
diff --git a/playbook.yml b/playbook.yml
index 735625b..032bb41 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -11,6 +11,7 @@
 update_cache: yes
 roles:
+ - nginx
 - wwwuser
- - docker
- - traefik
+ - php
+ - mariadb
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
deleted file mode 100644
index 0dc5efe..0000000
--- a/roles/docker/tasks/main.yml
+++ /dev/null
@@ -1,45 +0,0 @@
----
-- name: install
- apt:
- name:
- - apt-transport-https
- - ca-certificates
- - software-properties-common
- state: present
- update_cache: yes
-
-- name: add Docker GPG apt Key
- apt_key:
- url: https://download.docker.com/linux/ubuntu/gpg
- state: present
-
-- name: add Docker Repository
- apt_repository:
- repo: "deb [arch=amd64] https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
- state: present
-
-- name: update apt and install docker-ce
- apt:
- name:
- - docker-ce
- - docker-ce-cli
- - containerd.io
- state: latest
- update_cache: yes
-
-- name: add the Python client for Docker
- pip:
- name: docker-py
-
-- name: install docker-compose
- get_url:
- url : https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
- dest: /usr/local/bin/docker-compose
- mode: 'u+x,g+x'
- group: docker
-
-- name: add admin to docker group
- user:
- name: "{{ www_user }}"
- groups: docker
- append: yes
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
new file mode 100644
index 0000000..297720e
--- /dev/null
+++ b/roles/mariadb/tasks/main.yml
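Review bot: `mysql_root_password='password'` puts the database root credential into the inventory file that the README tells users to copy to hosts.ini, so the real value ends up as plaintext on disk next to the playbook. Keep the placeholder in the example, but have the playbook take the real value from an `ansible-vault` encrypted vars file or from the environment, e.g. `mysql_root_password: "{{ lookup('env', 'MYSQL_ROOT_PASSWORD') }}"`, and make sure hosts.ini is ignored by git if it is not already. The quotes on `'8.1'` are needed and correct, since INI inventory values that look like numbers are otherwise converted; `ansible_ssh_user` is the pre-2.0 name and `ansible_user=ubuntu` is the current spelling.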
@@ -0,0 +1,26 @@
+- name: install
+ apt:
+ name:
+ - mariadb-server
+ - libmysqlclient-dev
+ state: present
+ update_cache: yes
+
+- name: install python client
+ pip:
+ name: mysqlclient
+ state: present
+
+- name: ensure service is start
+ service:
+ name: mysql
+ state: started
+ enabled: yes
+
+- name: change root password
+ mysql_user:
+ name: root
+ password: '{{ mysql_root_password }}'
+ host: 'localhost'
+ login_user: root
+ login_password: ''
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..67b91f7
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: install
+ apt:
+ name:
+ - nginx
+ - letsencrypt
+ - python3-certbot-nginx
+ state: present
+ update_cache: yes
+
+- name: create letsencrypt's challenge directory
+ file:
+ name: /var/www/letsencrypt
+ state: directory
+
+- name: generate letsencrypt's dhparams
+ shell: openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
+ args:
+ creates: /etc/letsencrypt/ssl-dhparams.pem
diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml
new file mode 100644
index 0000000..47c5530
--- /dev/null
+++ b/roles/php/defaults/main.yml
@@ -0,0 +1,17 @@
+php_version: 8.1
+
+php_packages:
+ - php{{ php_version }}-common
+ - php{{ php_version }}-zip
+ - php{{ php_version }}-pdo
+ - php{{ php_version }}-mbstring
+ - php{{ php_version }}-tokenizer
+ - php{{ php_version }}-xml
+ - php{{ php_version }}-opcache
+ - php{{ php_version }}-mysql
+ - php{{ php_version }}-imap
+ - php{{ php_version }}-curl
+ - php{{ php_version }}-memcached
+ - php{{ php_version }}-intl
+ - php{{ php_version }}-gd
+ - php{{ php_version }}-bcmath
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
new file mode 100644
index 0000000..952191d
--- /dev/null
+++ b/roles/php/tasks/main.yml
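Review bot: The `change root password` task is not idempotent: it authenticates with `login_password: ''`, which only succeeds before the password has been set, so the second run of the playbook fails here, and on Debian/Ubuntu builds where root is bound to unix_socket authentication it may not succeed even on the first run. Authenticate over the socket and let the module detect the no-password case instead, `login_unix_socket: /run/mysqld/mysqld.sock` (the usual Debian path; confirm on the target) together with `check_implicit_admin: yes`, and drop `login_password`. The `install python client` task also assumes `pip` already exists on the host; nothing in this commit installs it, so a `python3-pip` entry in the apt list above (or `executable: pip3`) is needed for a fresh machine.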
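Review bot: `generate letsencrypt's dhparams` runs through `shell:` although the command uses no shell features, so `command: openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048` with the same `creates:` is the safer equivalent. The challenge directory is created with no `owner`, `group` or `mode`, so its permissions depend on root's umask at run time; set them explicitly to the account nginx serves files as, so the webroot challenge can actually be read. Nothing in the role starts or enables nginx or adds a server block that serves `/var/www/letsencrypt`, so certificate issuance still relies on manual steps; if that is intended, a comment at the top of the file saying so would spare the next reader a search.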
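Review bot: `php_version: 8.1` is an unquoted YAML float, so a value such as `8.10` would load as `8.1` and every `php{{ php_version }}-*` package name below would be built from the wrong string; write it as a string, `php_version: "8.1"`, which is also what the inventory in this commit does. The `php{{ php_version }}-…` list entries parse correctly as plain scalars only because `{{` is not at the start of the value; quoting them too keeps yamllint and editors from treating the braces as a flow mapping.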
@@ -0,0 +1,53 @@
+- name: add gpg key (debian)
+ apt_key:
+ url: "https://packages.sury.org/php/apt.gpg"
+ state: present
+ when: ansible_distribution == 'Debian'
+
+- name: add repository (debian)
+ apt_repository:
+ repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
+ state: present
+ update_cache: yes
+ when: ansible_distribution == 'Debian'
+
+- name: add repository (ubuntu)
+ apt_repository:
+ repo: ppa:ondrej/php
+ state: present
+ update_cache: yes
+ when: ansible_distribution == 'Ubuntu'
+
+- name: install
+ apt:
+ name: "php{{ php_version }}-fpm"
+ state: present
+ update_cache: yes
+ install_recommends: no
+
+- name: install packages
+ apt:
+ name: "{{ php_packages | list }}"
+ state: present
+ install_recommends: no
+
+- name: change default version
+ alternatives:
+ name: php
+ path: /usr/bin/php{{ php_version }}
+
+- name: define wwwuser as php-fpm's user
+ replace:
+ path: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf"
+ regexp: '{{ item.from }}'
+ replace: "{{ item.to }}"
+ with_items:
+ - {from: '^user = (.+)$', to: 'user = {{ www_user }}'}
+ - {from: '^group = (.+)$', to: 'group = {{ www_group }}'}
+ - {from: '^listen.owner = (.+)$', to: 'listen.owner = {{ www_user }}'}
+ - {from: '^listen.group = (.+)$', to: 'listen.group = {{ www_group }}'}
+
+- name: restart php-fpm
+ service:
+ name: php{{ php_version }}-fpm
+ state: restarted
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
deleted file mode 100644
index 3dbc8f0..0000000
--- a/roles/traefik/tasks/main.yml
+++ /dev/null
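Review bot: `restart php-fpm` restarts the service on every run, even when `define wwwuser as php-fpm's user` changed nothing, so the play is never idempotent and a production pool is bounced needlessly; move the restart into the role's handlers file (conventionally `handlers/main.yml` beside `tasks/main.yml`) and `notify` it from the `replace` task. `apt_key` is deprecated because apt-key itself is being removed from Debian/Ubuntu; fetching the Sury key with `get_url` into `/etc/apt/keyrings/` and pointing the `repo:` line at it with `signed-by=` is the current form. `{{ php_packages | list }}` is a no-op filter since the default is already a list, and the `replace:` task silently does nothing if the pool file uses a different spacing than `user = …`, which is worth a comment.
```yaml
- name: define wwwuser as php-fpm's user
  replace:
    # … unchanged: path, regexp, replace, with_items …
  notify: restart php-fpm

# handler, moved out of the task list into the role's handlers file
- name: restart php-fpm
  service:
    name: "php{{ php_version }}-fpm"
    state: restarted
```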
@@ -1,54 +0,0 @@
----
-- name: create directory
- file:
- path: "{{ www_home }}/traefik"
- state: directory
- owner: "{{ www_user }}"
- group: "{{ www_group }}"
-
-- name: check if acme file exists
- stat:
- path: "{{ www_home }}/traefik/acme.json"
- register: acme_file
-
-- name: create acme file if does not exists
- file:
- path: "{{ www_home }}/traefik/acme.json"
- state: touch
- mode: 0600
- owner: "{{ www_user }}"
- group: "{{ www_group }}"
- when: acme_file.stat.exists == False
-
-- name: add config file
- template:
- src: traefik.yml.j2
- dest: "{{ www_home }}/traefik/traefik.yml"
- mode: 0600
- owner: "{{ www_user }}"
- group: "{{ www_group }}"
-
-- name: create network
- docker_network:
- name: web
-
-- name: create container
- docker_container:
- name: traefik
- image: traefik:2.4
- restart_policy: unless-stopped
- recreate: true
- networks:
- - name: web
- ports:
- - "80:80"
- - "443:443"
- volumes:
- - "{{ www_home }}/traefik/traefik.yml:/etc/traefik/traefik.yml"
- - "{{ www_home }}/traefik/acme.json:/acme.json"
- - /var/run/docker.sock:/var/run/docker.sock
- labels:
- traefik.enable: "true"
- traefik.http.routers.dashboard.rule: Host(`{{ traefik_dashboard_host }}`)
- traefik.http.routers.dashboard.entryPoints: http
- traefik.http.routers.dashboard.service: api@internal
diff --git a/roles/traefik/templates/traefik.yml.j2 b/roles/traefik/templates/traefik.yml.j2
deleted file mode 100644
index cb1face..0000000
--- a/roles/traefik/templates/traefik.yml.j2
+++ /dev/null
@@ -1,24 +0,0 @@
-entryPoints:
- http:
- address: :80
- https:
- address: :443
-
-log:
- level: {{ traefik_log_level | default('ERROR') }}
-
-api:
- dashboard: {{ traefik_dashboard | default(false) }}
-
-providers:
- docker:
- network: web
- exposedByDefault: false
-
-certificatesResolvers:
- letsencrypt:
- acme:
- email: "{{ traefik_letsencrypt_email }}"
- storage: "acme.json"
- httpChallenge:
- entryPoint: http
diff --git a/roles/wwwuser/tasks/main.yml b/roles/wwwuser/tasks/main.yml
index 8c30735..522e427 100644
--- a/roles/wwwuser/tasks/main.yml
+++ b/roles/wwwuser/tasks/main.yml
@@ -1,4 +1,3 @@
----
 - name: create wwwuser group
 group:
 name: "{{ www_group }}"
@@ -19,7 +18,7 @@
 authorized_key:
 user: "{{ www_user }}"
 state: present
- key: "{{ lookup('file', ssh_key) }}"
+ key: "{{ lookup('file', deploy.pub) }}"
 when: ssh_key is defined
 - name: create app's directory
@@ -28,3 +27,11 @@
 state: directory
 owner: "{{ www_user }}"
 group: "{{ www_group }}"
+
+- name: add permission to wwwuser to reload php-fpm
+ lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: '^{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload$'
+ line: '{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload'
+ validate: 'visudo -cf %s'
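Review bot: `key: "{{ lookup('file', deploy.pub) }}"` passes `deploy.pub` as a Jinja expression, i.e. attribute `pub` of an undefined variable `deploy`, not as a filename; it has to be a quoted string, `key: "{{ lookup('file', 'deploy.pub') }}"`. The guard on the next line, `when: ssh_key is defined`, still refers to the extra-var that the README in this commit stops passing, so as written the task is skipped on every run and the key is never installed; either drop the condition or guard on the file's presence (a `stat` of deploy.pub registered before this task), since `lookup('file', …)` errors out when the file is missing. The task's `- name:` line and the `authorized_key` task header lie outside the hunk.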
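Review bot: `add permission to wwwuser to reload php-fpm` edits `/etc/sudoers` in place with `lineinfile`; the `validate: 'visudo -cf %s'` check is the right safeguard, but a drop-in under `/etc/sudoers.d/` (which the default Debian/Ubuntu sudoers includes) written with `copy`, `mode: '0440'` and the same `validate` is easier to remove with the user and does not need the `regexp` to track the exact line text. The `php_version` interpolated into the `regexp` is unescaped, so the `.` in `8.1` matches any character; `{{ php_version | regex_escape }}` is the precise form if the lineinfile approach is kept. The rule itself is well scoped, one fixed command with `reload` only, which is the right shape for this kind of delegation; keep `dest:` in mind as the older alias of `path:` on lineinfile. Note that sudoers.d ignores file names containing `.` or `~`, so the drop-in name must not be derived from a dotted username.
```yaml
- name: add permission to wwwuser to reload php-fpm
  copy:
    dest: "/etc/sudoers.d/{{ www_user }}-php-fpm"
    content: "{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload\n"
    owner: root
    group: root
    mode: '0440'
    validate: 'visudo -cf %s'
```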