Installation de Nginx, Letsencrypt, PHP & Mariadb.

README.md

@@ -1,13 +1,16 @@
 # Playbook webserver
 
-This playbook installs webserver (Nginx, Mariadb, PHP)
+This playbook installs webserver (Nginx, Letsencrypt, Mariadb & PHP)
 
 ## Usage
 
-```shell
-# copy config file then change values
-cp hosts.example.ini hosts.ini 
-
-# run playbook
-ansible-playbook -i hosts.ini playbook.yml --extra-vars "ssh_key=id.pub"
+Config
+```bash
+cp hosts.example.ini hosts.ini # copy config file then change values
+touch deploy.pub # paste your ssh pub key for www_user
+```
+
+Then run playbook
+```bash
+ansible-playbook -i hosts.ini playbook.yml
 ```

hosts.example.ini

@@ -1,13 +1,14 @@
 [web]
-127.0.0.1
+example.com
 
 [web:vars]
 ansible_ssh_user=ubuntu
 ansible_python_interpreter=/usr/bin/python3
+
 www_user=user
 www_group=group
 www_home=/home/user
-traefik_dashboard=false
-traefik_dashboard_host=traefik.example.com
-traefik_log_level=ERROR
-traefik_letsencrypt_email=admin@example.com
+
+mysql_root_password='password'
+
+php_version='8.1'

playbook.yml

@@ -11,6 +11,7 @@
         update_cache: yes
 
   roles:
+    - nginx
     - wwwuser
-    - docker
-    - traefik
+    - php
+    - mariadb

roles/docker/tasks/main.yml

@@ -1,45 +0,0 @@
----
-- name: install
-  apt:
-    name:
-      - apt-transport-https
-      - ca-certificates
-      - software-properties-common
-    state: present
-    update_cache: yes
-
-- name: add Docker GPG apt Key
-  apt_key:
-    url: https://download.docker.com/linux/ubuntu/gpg
-    state: present
-
-- name: add Docker Repository
-  apt_repository:
-    repo: "deb [arch=amd64] https://download.docker.com/{{ ansible_system | lower }}/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
-    state: present
-
-- name: update apt and install docker-ce
-  apt:
-    name:
-      - docker-ce
-      - docker-ce-cli
-      - containerd.io
-    state: latest
-    update_cache: yes
-
-- name: add the Python client for Docker
-  pip:
-    name: docker-py
-
-- name: install docker-compose
-  get_url:
-    url : https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
-    dest: /usr/local/bin/docker-compose
-    mode: 'u+x,g+x'
-    group: docker
-
-- name: add admin to docker group
-  user:
-    name: "{{ www_user }}"
-    groups: docker
-    append: yes

roles/mariadb/tasks/main.yml

@@ -0,0 +1,26 @@
+- name: install
+  apt:
+    name:
+      - mariadb-server
+      - libmysqlclient-dev
+    state: present
+    update_cache: yes
+
+- name: install python client
+  pip:
+    name: mysqlclient
+    state: present
+
+- name: ensure service is start
+  service:
+    name: mysql
+    state: started
+    enabled: yes
+
+- name: change root password
+  mysql_user:
+    name: root
+    password: '{{ mysql_root_password }}'
+    host: 'localhost'
+    login_user: root
+    login_password: ''

roles/nginx/tasks/main.yml

@@ -0,0 +1,18 @@
+- name: install
+  apt:
+    name:
+      - nginx
+      - letsencrypt
+      - python3-certbot-nginx
+    state: present
+    update_cache: yes
+
+- name: create letsencrypt's challenge directory
+  file:
+    name: /var/www/letsencrypt
+    state: directory
+
+- name: generate letsencrypt's dhparams
+  shell: openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048
+  args:
+    creates: /etc/letsencrypt/ssl-dhparams.pem

roles/php/defaults/main.yml

@@ -0,0 +1,17 @@
+php_version: 8.1
+
+php_packages:
+  - php{{ php_version }}-common
+  - php{{ php_version }}-zip
+  - php{{ php_version }}-pdo
+  - php{{ php_version }}-mbstring
+  - php{{ php_version }}-tokenizer
+  - php{{ php_version }}-xml
+  - php{{ php_version }}-opcache
+  - php{{ php_version }}-mysql
+  - php{{ php_version }}-imap
+  - php{{ php_version }}-curl
+  - php{{ php_version }}-memcached
+  - php{{ php_version }}-intl
+  - php{{ php_version }}-gd
+  - php{{ php_version }}-bcmath

roles/php/tasks/main.yml

@@ -0,0 +1,53 @@
+- name: add gpg key (debian)
+  apt_key:
+    url: "https://packages.sury.org/php/apt.gpg"
+    state: present
+  when: ansible_distribution == 'Debian'
+
+- name: add repository (debian)
+  apt_repository:
+    repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
+    state: present
+    update_cache: yes
+  when: ansible_distribution == 'Debian'
+
+- name: add repository (ubuntu)
+  apt_repository:
+    repo: ppa:ondrej/php
+    state: present
+    update_cache: yes
+  when: ansible_distribution == 'Ubuntu'
+
+- name: install
+  apt:
+    name: "php{{ php_version }}-fpm"
+    state: present
+    update_cache: yes
+    install_recommends: no
+
+- name: install packages
+  apt:
+    name: "{{ php_packages | list }}"
+    state: present
+    install_recommends: no
+
+- name: change default version
+  alternatives:
+    name: php
+    path: /usr/bin/php{{ php_version }}
+
+- name: define wwwuser as php-fpm's user
+  replace:
+    path: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf"
+    regexp: '{{ item.from }}'
+    replace: "{{ item.to }}"
+  with_items:
+    - {from: '^user = (.+)$', to: 'user = {{ www_user }}'}
+    - {from: '^group = (.+)$', to: 'group = {{ www_group }}'}
+    - {from: '^listen.owner = (.+)$', to: 'listen.owner = {{ www_user }}'}
+    - {from: '^listen.group = (.+)$', to: 'listen.group = {{ www_group }}'}
+
+- name: restart php-fpm
+  service:
+    name: php{{ php_version }}-fpm
+    state: restarted

roles/traefik/tasks/main.yml

@@ -1,54 +0,0 @@
----
-- name: create directory
-  file:
-    path: "{{ www_home }}/traefik"
-    state: directory
-    owner: "{{ www_user }}"
-    group: "{{ www_group }}"
-
-- name: check if acme file exists
-  stat:
-    path: "{{ www_home }}/traefik/acme.json"
-  register: acme_file
-
-- name: create acme file if does not exists
-  file:
-    path: "{{ www_home }}/traefik/acme.json"
-    state: touch
-    mode: 0600
-    owner: "{{ www_user }}"
-    group: "{{ www_group }}"
-  when: acme_file.stat.exists == False
-
-- name: add config file
-  template:
-    src: traefik.yml.j2
-    dest: "{{ www_home }}/traefik/traefik.yml"
-    mode: 0600
-    owner: "{{ www_user }}"
-    group: "{{ www_group }}"
-
-- name: create network
-  docker_network:
-    name: web
-
-- name: create container
-  docker_container:
-    name: traefik
-    image: traefik:2.4
-    restart_policy: unless-stopped
-    recreate: true
-    networks:
-      - name: web
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "{{ www_home }}/traefik/traefik.yml:/etc/traefik/traefik.yml"
-      - "{{ www_home }}/traefik/acme.json:/acme.json"
-      - /var/run/docker.sock:/var/run/docker.sock
-    labels:
-      traefik.enable: "true"
-      traefik.http.routers.dashboard.rule: Host(`{{ traefik_dashboard_host }}`)
-      traefik.http.routers.dashboard.entryPoints: http
-      traefik.http.routers.dashboard.service: api@internal

roles/traefik/templates/traefik.yml.j2

@@ -1,24 +0,0 @@
-entryPoints:
-  http:
-    address: :80
-  https:
-    address: :443
-
-log:
-  level: {{ traefik_log_level | default('ERROR') }}
-
-api:
-  dashboard: {{ traefik_dashboard | default(false) }}
-
-providers:
-  docker:
-    network: web
-    exposedByDefault: false
-
-certificatesResolvers:
-  letsencrypt:
-    acme:
-      email: "{{ traefik_letsencrypt_email }}"
-      storage: "acme.json"
-      httpChallenge:
-        entryPoint: http

roles/wwwuser/tasks/main.yml

@@ -1,4 +1,3 @@
----
 - name: create wwwuser group
   group:
     name: "{{ www_group }}"
@@ -19,7 +18,7 @@
   authorized_key:
     user: "{{ www_user }}"
     state: present
-    key: "{{ lookup('file', ssh_key) }}"
+    key: "{{ lookup('file', deploy.pub) }}"
   when: ssh_key is defined
 
 - name: create app's directory
@@ -28,3 +27,11 @@
     state: directory
     owner: "{{ www_user }}"
     group: "{{ www_group }}"
+
+- name: add permission to wwwuser to reload php-fpm
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload$'
+    line: '{{ www_user }} ALL=NOPASSWD: /usr/sbin/service php{{ php_version }}-fpm reload'
+    validate: 'visudo -cf %s'