From 5518f672c6b9f03a8a7e857c5da36cd066ae96b1 Mon Sep 17 00:00:00 2001 From: gregharvey Date: Tue, 12 Dec 2023 16:59:31 +0100 Subject: [PATCH 1/5] Supporting a fixed PHP version with a fixed port number. --- roles/debian/nginx/defaults/main.yml | 7 +++---- roles/debian/nginx/templates/symfony4.j2 | 1 - roles/debian/php-fpm/defaults/main.yml | 5 ++++- roles/debian/php-fpm/tasks/main.yml | 10 +++++++++- .../debian/php-fpm/templates/www.conf-fixedport.j2 | 13 +++++++++++++ roles/debian/php-fpm/templates/www.conf.j2 | 4 ++-- 6 files changed, 31 insertions(+), 9 deletions(-) create mode 100755 roles/debian/php-fpm/templates/www.conf-fixedport.j2 diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml index 61f2be571..8f86c7321 100644 --- a/roles/debian/nginx/defaults/main.yml +++ b/roles/debian/nginx/defaults/main.yml @@ -22,10 +22,9 @@ nginx: # Group prefix. Useful for grouping by environments. log_group_prefix: "" # Main log stream for nginx (Cloudwatch). - log_stream_name: example - # We can only have one backend, due to the way we use "common" templates. - # Moving this per domain means instead having templates per project type. - php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" + log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type. + # See php.fpm.unix_socket, if true use a socket here: + php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock" ratelimitingcrawlers: false client_max_body_size: "700M" fastcgi_read_timeout: 60 diff --git a/roles/debian/nginx/templates/symfony4.j2 b/roles/debian/nginx/templates/symfony4.j2 index 1bab930bf..b01fb1a8e 100644 --- a/roles/debian/nginx/templates/symfony4.j2 +++ b/roles/debian/nginx/templates/symfony4.j2 
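Review bot: The `php_fastcgi_backend` default still derives its port from `php.version[-1]`, while the `php.fpm.tcp_port` option added by this same patch writes the fixed-port pool for `php.version[0]` on whatever port the user chose, so anyone setting `tcp_port` ends up with a backend that no longer matches the pool unless they also override this variable, and the new comment does not say so. I would make the default follow the fixed port, e.g. `php_fastcgi_backend: "{% if php.fpm.tcp_port | default('') | length > 0 %}127.0.0.1:{{ php.fpm.tcp_port }}{% else %}127.0.0.1:90{{ php.version[-1] | replace('.','') }}{% endif %}"`, or at minimum extend the comment with `# if php.fpm.tcp_port is set, this must be overridden to match it`. The unix-socket hint in the comment shows an unquoted `unix:/var/run/php81-fpm.sock`, whereas the pool template in this patch renders the socket path inside single quotes; the two should agree on one form. The `nginx:` mapping continues outside the hunk.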
@@ -7,7 +7,6 @@ location ~ \.php(/|$) { fastcgi_pass {{ nginx.php_fastcgi_backend }}; fastcgi_split_path_info ^(.+\.php)(/.*)$; include fastcgi_params; - fastcgi_param APP_DEBUG 1; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; } diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index 079312f3c..909b34e3a 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml @@ -1,6 +1,9 @@ --- php: + # see php-common for default version fpm: + unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do + tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1 expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}" display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}" @@ -21,7 +24,7 @@ php: max_file_uploads: 20 date_timezone: "Europe/London" pool_user: "{{ user_deploy.username }}" - pool_group: "{{ user_deploy.username }}" + pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user default_socket_timeout: 60 max_children: 5 start_servers: 2 diff --git a/roles/debian/php-fpm/tasks/main.yml b/roles/debian/php-fpm/tasks/main.yml index b485040ea..e965e8458 100644 --- a/roles/debian/php-fpm/tasks/main.yml +++ b/roles/debian/php-fpm/tasks/main.yml 
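Review bot: `tcp_port: ""` is later tested with `php.fpm.tcp_port | length > 0` in tasks/main.yml, so the value must stay a string; a user who writes the natural `tcp_port: 9000` (a YAML integer) gets a Jinja "object of type 'int' has no len()" error instead of a fixed-port pool. The comment on this line should say so — `tcp_port: ""  # must be a quoted string, e.g. "9000"; leave empty to automate port selection (port will be "90{{ version | replace('.','') }}", e.g. 9081 for PHP 8.1)` — or the tasks should coerce with `| string` before `| length`. `unix_socket` and `tcp_port` are also not mutually exclusive here: the tasks only look at `tcp_port`, so setting both silently ignores `unix_socket`, which is worth stating in the `unix_socket` comment. The `php:` mapping continues outside the hunk.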
@@ -16,12 +16,20 @@ loop_control: loop_var: version -- name: Copy default pool configuration. +- name: Copy default pool configuration for a single, fixed port PHP version. + ansible.builtin.template: + dest: "/etc/php/{{ php.version[0] }}/fpm/pool.d/www.conf" + src: "www.conf-fixedport.j2" + mode: 0555 + when: php.fpm.tcp_port | length > 0 + +- name: Copy default pool configuration for dynamic PHP versioning. ansible.builtin.template: dest: "/etc/php/{{ version }}/fpm/pool.d/www.conf" src: "www.conf.j2" mode: 0555 with_items: "{{ php.version }}" + when: php.fpm.tcp_port | length == 0 loop_control: loop_var: version diff --git a/roles/debian/php-fpm/templates/www.conf-fixedport.j2 b/roles/debian/php-fpm/templates/www.conf-fixedport.j2 new file mode 100755 index 000000000..7d986a2b5 --- /dev/null +++ b/roles/debian/php-fpm/templates/www.conf-fixedport.j2 @@ -0,0 +1,13 @@ +[www] +user = {{ php.fpm.pool_user }} +group = {{ php.fpm.pool_group }} +listen = 127.0.0.1:{{ php.fpm.tcp_port }} +listen.owner = {{ php.fpm.pool_user }} +listen.group = {{ php.fpm.pool_group }} +pm = dynamic +pm.max_children = {{ php.fpm.max_children }} +pm.start_servers = {{ php.fpm.start_servers }} +pm.min_spare_servers = {{ php.fpm.min_spare_servers }} +pm.max_spare_servers = {{ php.fpm.max_spare_servers }} +pm.process_idle_timeout = {{ php.fpm.process_idle_timeout }} +pm.max_requests = {{ php.fpm.max_requests }} diff --git a/roles/debian/php-fpm/templates/www.conf.j2 b/roles/debian/php-fpm/templates/www.conf.j2 index e960f6c53..551387d5e 100755 --- a/roles/debian/php-fpm/templates/www.conf.j2 +++ b/roles/debian/php-fpm/templates/www.conf.j2 
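Review bot: The fixed-port task templates the pool for `php.version[0]` only, while the nginx role's default backend is computed from `php.version[-1]`, so with more than one entry in `php.version` the pool and the backend land on different PHP versions, and the other installed versions are left with whatever pool file their package shipped because the dynamic task is skipped; either loop the fixed-port task like the dynamic one or document fixed-port mode as single-version only. Both tasks also write the pool file with `mode: 0555`, an unquoted octal (Ansible convention is `mode: "0644"`, and yamllint flags the bare form) that marks a config file executable for no reason; `mode: "0644"` is sufficient since php-fpm reads pool configs as root. The `when: php.fpm.tcp_port | length > 0` guard raises on an integer value — `when: php.fpm.tcp_port | string | length > 0` accepts both forms. The play continues outside the hunk.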
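Review bot: The new pool sets no `listen.allowed_clients`, so the only thing stopping other hosts from speaking FastCGI to it is the hard-coded `127.0.0.1` in `listen`; the patch-3 defaults hunk later in this series shows a `server_ip` variable that presumably feeds this address, so I would add `listen.allowed_clients = 127.0.0.1` now as a second guard — a FastCGI port reachable from the network lets a client set `SCRIPT_FILENAME` and run arbitrary PHP on the host. The `listen.owner` and `listen.group` lines apply, per the php-fpm documentation, only to unix sockets and have no effect on a TCP listener, so they are dead weight in this template. `{{ php.fpm.tcp_port }}` is also rendered unvalidated; an `ansible.builtin.assert` in the tasks that it is an integer in 1–65535 would turn a typo into a clear failure rather than a pool that fails to start.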
@@ -1,7 +1,7 @@ [www] user = {{ php.fpm.pool_user }} group = {{ php.fpm.pool_group }} -listen = 127.0.0.1:90{{ version | replace('.','') }} +listen = {% if php.fpm.unix_socket %}'/var/run/php{{ version | replace('.','') }}-fpm.sock'{% else %}127.0.0.1:90{{ version | replace('.','') }}{% endif %} listen.owner = {{ php.fpm.pool_user }} listen.group = {{ php.fpm.pool_group }} pm = dynamic @@ -10,4 +10,4 @@ pm.start_servers = {{ php.fpm.start_servers }} pm.min_spare_servers = {{ php.fpm.min_spare_servers }} pm.max_spare_servers = {{ php.fpm.max_spare_servers }} pm.process_idle_timeout = {{ php.fpm.process_idle_timeout }} -pm.max_requests = {{ php.fpm.max_requests }} \ No newline at end of file +pm.max_requests = {{ php.fpm.max_requests }} From e2defdfa312449b22119051eb76c1f1c14f257da Mon Sep 17 00:00:00 2001 From: gregharvey Date: Fri, 22 Dec 2023 13:49:36 +0100 Subject: [PATCH 2/5] Accidently re-added the old VPN role - re-deleting! --- docs/roles/debian/openvpn_config.md | 69 ------ roles/debian/openvpn_config/README.md | 69 ------ roles/debian/openvpn_config/defaults/main.yml | 54 ----- roles/debian/openvpn_config/tasks/main.yml | 155 ------------ .../templates/auth-ldap.conf.j2 | 39 --- .../openvpn_config/templates/openvpn.j2 | 3 - roles/debian/openvpn_config/templates/vars.j2 | 222 ------------------ 7 files changed, 611 deletions(-) delete mode 100644 docs/roles/debian/openvpn_config.md delete mode 100644 roles/debian/openvpn_config/README.md delete mode 100644 roles/debian/openvpn_config/defaults/main.yml delete mode 100644 roles/debian/openvpn_config/tasks/main.yml delete mode 100644 roles/debian/openvpn_config/templates/auth-ldap.conf.j2 delete mode 100644 roles/debian/openvpn_config/templates/openvpn.j2 delete mode 100644 roles/debian/openvpn_config/templates/vars.j2 diff --git a/docs/roles/debian/openvpn_config.md b/docs/roles/debian/openvpn_config.md deleted file mode 100644 index 02bbd8167..000000000 --- a/docs/roles/debian/openvpn_config.md +++ /dev/null 
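Review bot: `listen.group` is rendered from the same `php.fpm.pool_group` that sets the workers' `group`, and the defaults hunk tells users to set `pool_group` to the web server user when `unix_socket` is on; that gives every PHP worker process the web server's group membership, so any group-writable file the web server owns becomes writable from PHP. Decouple the two with a dedicated variable, e.g. `listen.group = {{ php.fpm.listen_group | default(php.fpm.pool_group) }}`, so the socket can be reachable by nginx while the pool keeps the deploy user's own group; `listen.mode` is left at its 0660 default, which is fine once the group is right. The single quotes around `'/var/run/php{{ ... }}-fpm.sock'` are unusual for a pool file — Debian's shipped pool uses an unquoted `listen = /run/php/php8.1-fpm.sock` — so confirm the ini parser strips them rather than creating a socket whose name contains quotes, and line the form up with the unquoted `unix:/var/run/php81-fpm.sock` hint in the nginx defaults. The `[www]` section continues outside the hunk.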
@@ -1,69 +0,0 @@ -# OpenVPN Config -This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: - -* https://galaxy.ansible.com/robertdebock/openvpn - - - - - -## Default variables -```yaml ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - 
auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so - -``` - - diff --git a/roles/debian/openvpn_config/README.md b/roles/debian/openvpn_config/README.md deleted file mode 100644 index 02bbd8167..000000000 --- a/roles/debian/openvpn_config/README.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# OpenVPN Config -This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: - -* https://galaxy.ansible.com/robertdebock/openvpn - - - - - -## Default variables -```yaml ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - 
auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so - -``` - - diff --git a/roles/debian/openvpn_config/defaults/main.yml b/roles/debian/openvpn_config/defaults/main.yml deleted file mode 100644 index 6c711fe99..000000000 --- a/roles/debian/openvpn_config/defaults/main.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so 
diff --git a/roles/debian/openvpn_config/tasks/main.yml b/roles/debian/openvpn_config/tasks/main.yml deleted file mode 100644 index b07353521..000000000 --- a/roles/debian/openvpn_config/tasks/main.yml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -- name: "Ensure {{ openvpn_config.easyrsa_path }} exists." - ansible.builtin.file: - path: "{{ openvpn_config.easyrsa_path }}" - state: directory - owner: root - group: root - mode: "0755" - -# The Galaxy role creates the certs every time it runs using easy-rsa so we set a vars file: -# https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example -- name: Place easy-rsa vars file for SSL cert generation. - ansible.builtin.template: - src: vars.j2 - dest: "{{ openvpn_config.easyrsa_path }}/vars" - owner: root - group: root - mode: "0644" - when: - - openvpn_config.install - -- name: Install OpenVPN server. - ansible.builtin.include_role: - name: robertdebock.openvpn - when: - - openvpn_config.install - -# Loop files from https://github.com/robertdebock/ansible-role-openvpn/blob/master/tasks/server.yml#L58 -- name: Ensure keys permission are correct. - ansible.builtin.file: - path: /etc/openvpn/server/{{ item | basename }} - mode: "0600" - loop: - - ca.crt - - dh.pem - - ta.key - - issued/client.crt - - issued/server.crt - - private/ca.key - - private/client.key - - private/server.key - -# Manipulate the server.conf file set by the OpenVPN role in Galaxy -- name: Prevent pushing DNS servers. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "dhcp-option DNS" - state: absent - -- name: Remove remote-cert-eku assumption. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "remote-cert-eku" - state: absent - -- name: Make forced redirect optional. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "redirect-gateway def1 bypass-dhcp" - state: absent - when: not openvpn_config.force_redirect_gateway - -- name: Enable VPN compression. 
- ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: comp-lzo - create: true - when: openvpn_config.compress - -- name: Set no client cert required. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: verify-client-cert none - create: true - when: openvpn_config.no_client_cert - -- name: Alter VPN IP range. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "server " - line: "{{ openvpn_config.server_ip_range }}" - -# Handle LDAP configuration -- name: Place LDAP CA cert. - ansible.builtin.copy: - src: "{{ openvpn_config.ldap.tls_cert_local }}" - dest: "{{ openvpn_config.ldap.tls_cert }}" - owner: root - group: root - mode: "0644" - when: - - openvpn_config.ldap.tls_cert_local - - openvpn_config.ldap.install - -- name: Install OpenVPN LDAP auth package. - ansible.builtin.package: - name: openvpn-auth-ldap - state: present - when: openvpn_config.ldap.install - -- name: Ensure LDAP config directory exists. - ansible.builtin.file: - path: "{{ openvpn_config.configuration_directory }}/auth" - state: directory - mode: "0755" - when: openvpn_config.ldap.install - -- name: Place auth-ldap.conf file. - ansible.builtin.template: - src: auth-ldap.conf.j2 - dest: "{{ openvpn_config.configuration_directory }}/auth/auth-ldap.conf" - owner: root - group: root - mode: "0644" - when: openvpn_config.ldap.install - -- name: Enable LDAP config. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "plugin /usr/lib/openvpn/openvpn-auth-ldap.so {{ openvpn_config.configuration_directory }}/auth/auth-ldap.conf" - create: true - when: openvpn_config.ldap.install - -# Handle PAM config -- name: Place openvpn PAM config. 
- ansible.builtin.template: - src: openvpn.j2 - dest: /etc/pam.d/openvpn - owner: root - group: root - mode: "0644" - when: openvpn_config.pam.install - -- name: Enable PAM config. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" - create: true - when: openvpn_config.pam.install - -# Handle extra directives -- name: Create custom directives. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "{{ item }}" - create: true - loop: "{{ openvpn_config.custom_directives }}" - when: openvpn_config.custom_directives - -# @TODO this should be a handler if we change the LDAP config rather than a task -- name: Restart OpenVPN. - ansible.builtin.systemd: - name: "{{ openvpn_config.service }}" - state: restarted - daemon_reload: true diff --git a/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 b/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 deleted file mode 100644 index bb3614af3..000000000 --- a/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -{{ ansible_managed | comment }} - - - # LDAP server URL - URL {{ openvpn_config.ldap.url }} - -{% if openvpn_config.ldap.tls %} - # Enable Start TLS - TLSEnable yes - # TLS CA Certificate File - TLSCACertFile {{ openvpn_config.ldap.tls_cert }} -{% else %} - # Enable Start TLS - TLSEnable no -{% endif %} - - # Network timeout (in seconds) - Timeout {{ openvpn_config.ldap.timeout }} - - - - # Base DN - BaseDN "{{ openvpn_config.ldap.basedn }}" - - # User Search Filter - SearchFilter "{{ openvpn_config.ldap.search_filter }}" - - # Require Group Membership - RequireGroup {{ openvpn_config.ldap.require_group }} - - - #RFC2307bis false - BaseDN "{{ openvpn_config.ldap.group_basedn }}" - SearchFilter "{{ openvpn_config.ldap.group_filter }}" - MemberAttribute memberUid - # Add group members to a PF table (disabled) - #PFTable ips_vpn_eng - - diff --git a/roles/debian/openvpn_config/templates/openvpn.j2 b/roles/debian/openvpn_config/templates/openvpn.j2 deleted file mode 100644 index 97a46ddd3..000000000 --- a/roles/debian/openvpn_config/templates/openvpn.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{{ ansible_managed | comment }} - -{{ openvpn_config.pam.pam_config }} diff --git a/roles/debian/openvpn_config/templates/vars.j2 b/roles/debian/openvpn_config/templates/vars.j2 deleted file mode 100644 index d19baead5..000000000 --- a/roles/debian/openvpn_config/templates/vars.j2 +++ /dev/null 
@@ -1,222 +0,0 @@ -{{ ansible_managed | comment }} - -# Easy-RSA 3 parameter settings - -# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit -# this file in place -- instead, you should copy the entire easy-rsa directory -# to another location so future upgrades don't wipe out your changes. - -# HOW TO USE THIS FILE -# -# vars.example contains built-in examples to Easy-RSA settings. You MUST name -# this file 'vars' if you want it to be used as a configuration file. If you do -# not, it WILL NOT be automatically read when you call easyrsa commands. -# -# It is not necessary to use this config file unless you wish to change -# operational defaults. These defaults should be fine for many uses without the -# need to copy and edit the 'vars' file. -# -# All of the editable settings are shown commented and start with the command -# 'set_var' -- this means any set_var command that is uncommented has been -# modified by the user. If you're happy with a default, there is no need to -# define the value to its default. - -# NOTES FOR WINDOWS USERS -# -# Paths for Windows *MUST* use forward slashes, or optionally double-escaped -# backslashes (single forward slashes are recommended.) This means your path to -# the openssl binary might look like this: -# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" - -# A little housekeeping: DON'T EDIT THIS SECTION -# -# Easy-RSA 3.x doesn't source into the environment directly. -# Complain if a user tries to do this: -if [ -z "$EASYRSA_CALLER" ]; then - echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2 - echo "This is no longer necessary and is disallowed. See the section called" >&2 - echo "'How to use this file' near the top comments for more details." >&2 - return 1 -fi - -# DO YOUR EDITS BELOW THIS POINT - -# This variable is used as the base location of configuration files needed by -# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) -# may override this default. 
-# -# The default value of this variable is the location of the easyrsa script -# itself, which is also where the configuration files are located in the -# easy-rsa tree. - -#set_var EASYRSA "${0%/*}" - -# If your OpenSSL command is not in the system PATH, you will need to define the -# path to it here. Normally this means a full path to the executable, otherwise -# you could have left it undefined here and the shown default would be used. -# -# Windows users, remember to use paths with forward-slashes (or escaped -# back-slashes.) Windows users should declare the full path to the openssl -# binary here if it is not in their system PATH. - -#set_var EASYRSA_OPENSSL "openssl" -# -# This sample is in Windows syntax -- edit it for your path if not using PATH: -#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" - -# Edit this variable to point to your soon-to-be-created key directory. By -# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the -# directory you are currently in). -# -# WARNING: init-pki will do a rm -rf on this directory so make sure you define -# it correctly! (Interactive mode will prompt before acting.) - -#set_var EASYRSA_PKI "$PWD/pki" - -# Define directory for temporary subdirectories. - -#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" - -# Define X509 DN mode. -# This is used to adjust what elements are included in the Subject field as the DN -# (this is the "Distinguished Name.") -# Note that in cn_only mode the Organizational fields further below aren't used. -# -# Choices are: -# cn_only - use just a CN value -# org - use the "traditional" Country/Province/City/Org/OU/email/CN format - -set_var EASYRSA_DN "{{ openvpn_config.certs.dn_mode }}" - -# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.) -# These are the default values for fields which will be placed in the -# certificate. 
Don't leave any of these fields blank, although interactively -# you may omit any specific field by typing the "." symbol (not valid for -# email.) - -set_var EASYRSA_REQ_COUNTRY "{{ openvpn_config.certs.country }}" -set_var EASYRSA_REQ_PROVINCE "{{ openvpn_config.certs.province }}" -set_var EASYRSA_REQ_CITY "{{ openvpn_config.certs.city }}" -set_var EASYRSA_REQ_ORG "{{ openvpn_config.certs.org }}" -set_var EASYRSA_REQ_EMAIL "{{ openvpn_config.certs.email }}" -set_var EASYRSA_REQ_OU "{{ openvpn_config.certs.org_unit }}" - -# Choose a size in bits for your keypairs. The recommended value is 2048. Using -# 2048-bit keys is considered more than sufficient for many years into the -# future. Larger keysizes will slow down TLS negotiation and make key/DH param -# generation take much longer. Values up to 4096 should be accepted by most -# software. Only used when the crypto alg is rsa (see below.) - -#set_var EASYRSA_KEY_SIZE 2048 - -# The default crypto mode is rsa; ec can enable elliptic curve support. -# Note that not all software supports ECC, so use care when enabling it. -# Choices for crypto alg are: (each in lower-case) -# * rsa -# * ec -# * ed - -#set_var EASYRSA_ALGO rsa - -# Define the named curve, used in ec & ed modes: - -#set_var EASYRSA_CURVE secp384r1 - -# In how many days should the root CA key expire? - -#set_var EASYRSA_CA_EXPIRE 3650 - -# In how many days should certificates expire? - -#set_var EASYRSA_CERT_EXPIRE 825 - -# How many days until the next CRL publish date? Note that the CRL can still be -# parsed after this timeframe passes. It is only used for an expected next -# publication date. -#set_var EASYRSA_CRL_DAYS 180 - -# How many days before its expiration date a certificate is allowed to be -# renewed? -#set_var EASYRSA_CERT_RENEW 30 - -# Random serial numbers by default, set to no for the old incremental serial numbers -# -#set_var EASYRSA_RAND_SN "yes" - -# Support deprecated "Netscape" extensions? (choices "yes" or "no".) 
The default -# is "no" to discourage use of deprecated extensions. If you require this -# feature to use with --ns-cert-type, set this to "yes" here. This support -# should be replaced with the more modern --remote-cert-tls feature. If you do -# not use --ns-cert-type in your configs, it is safe (and recommended) to leave -# this defined to "no". When set to "yes", server-signed certs get the -# nsCertType=server attribute, and also get any NS_COMMENT defined below in the -# nsComment field. - -#set_var EASYRSA_NS_SUPPORT "no" - -# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. -# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. - -#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" - -# A temp file used to stage cert extensions during signing. The default should -# be fine for most users; however, some users might want an alternative under a -# RAM-based FS, such as /dev/shm or /tmp on some systems. - -#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" - -# !! -# NOTE: ADVANCED OPTIONS BELOW THIS POINT -# PLAY WITH THEM AT YOUR OWN RISK -# !! - -# Broken shell command aliases: If you have a largely broken shell that is -# missing any of these POSIX-required commands used by Easy-RSA, you will need -# to define an alias to the proper path for the command. The symptom will be -# some form of a 'command not found' error from your shell. This means your -# shell is BROKEN, but you can hack around it here if you really need. These -# shown values are not defaults: it is up to you to know what you're doing if -# you touch these. -# -#alias awk="/alt/bin/awk" -#alias cat="/alt/bin/cat" - -# X509 extensions directory: -# If you want to customize the X509 extensions used, set the directory to look -# for extensions here. Each cert type you sign must have a matching filename, -# and an optional file named 'COMMON' is included first when present. 
Note that -# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then -# fallback to $EASYRSA for the 'x509-types' dir. You may override this -# detection with an explicit dir here. -# -#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" - -# If you want to generate KDC certificates, you need to set the realm here. -#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" - -# OpenSSL config file: -# If you need to use a specific openssl config file, you can reference it here. -# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the -# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA -# specific and you cannot just use a standard config file, so this is an -# advanced feature. - -#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" - -# Default CN: -# This is best left alone. Interactively you will set this manually, and BATCH -# callers are expected to set this themselves. - -set_var EASYRSA_REQ_CN "{{ openvpn_config.certs.cn }}" - -# Cryptographic digest to use. -# Do not change this default unless you understand the security implications. -# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 - -#set_var EASYRSA_DIGEST "sha256" - -# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly -# in batch mode without any user input, confirmation on dangerous operations, -# or most output. Setting this to any non-blank string enables batch mode. - -#set_var EASYRSA_BATCH "" From 0e8a08a583ec16388755d72252f6ec9b1f97aff9 Mon Sep 17 00:00:00 2001 From: Greg Harvey Date: Wed, 16 Jul 2025 17:21:58 +0200 Subject: [PATCH 3/5] Fixing PHP defaults. --- roles/debian/php-fpm/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml index 7aec91483..588c041ee 100644 --- a/roles/debian/php-fpm/defaults/main.yml +++ b/roles/debian/php-fpm/defaults/main.yml 
@@ -3,17 +3,17 @@ php: # see php-common for default version fpm: # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php - unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do + unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do server_ip: "127.0.0.1" - tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1 + tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1 pool_user: "{{ user_deploy.username }}" - pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user + pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning default_socket_timeout: 60 # It is important to scale up processes on bigger servers, so that more # requests can be handled. Double the number of vCPUs is a good default. # Can be between 5 and 64. - max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks + max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks start_servers: 2 min_spare_servers: 1 max_spare_servers: 3 From 92ef036adf4e6b0c96e61136bd7437d64886dece Mon Sep 17 00:00:00 2001 
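Review bot: `ansible_facts.ansible_processor_nproc` does not look like a valid key — inside the `ansible_facts` dictionary the fact is `processor_nproc`, the `ansible_` prefix only exists on the top-level injected variable — so unless something in this collection sets that key the lookup always falls through to `default(1)` and `max_children` is pinned at the new floor of 10 regardless of vCPU count. Change it to `max_children: "{{ [10, [(ansible_facts.processor_nproc | default(1)) * 2, 64] | min] | max }}"` (and the identical expression repeated in the README hunk of patch 4). The floor is raised from 5 to 10 in this hunk but the context line above still reads `# Can be between 5 and 64.`; update it to `# Can be between 10 and 64.`. The `php:` mapping continues outside the hunk.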
From: Greg Harvey Date: Fri, 18 Jul 2025 16:23:07 +0200 Subject: [PATCH 4/5] Minor docs improvements. --- roles/_meta/webserver/meta/main.yml | 1 + roles/debian/nginx/templates/vhost_letsencrypt.j2 | 8 ++++---- roles/debian/php-fpm/README.md | 4 +++- roles/debian/php-fpm/defaults/main.yml | 4 ++-- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/roles/_meta/webserver/meta/main.yml b/roles/_meta/webserver/meta/main.yml index ea92145d0..20e081f58 100644 --- a/roles/_meta/webserver/meta/main.yml +++ b/roles/_meta/webserver/meta/main.yml @@ -8,4 +8,5 @@ dependencies: - role: debian/nodejs - role: debian/php-cli - role: debian/php-fpm + - role: debian/php_composer - role: debian/nginx diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2 index b66b35b02..4130ad503 100644 --- a/roles/debian/nginx/templates/vhost_letsencrypt.j2 +++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2 @@ -9,10 +9,10 @@ server { server_name {{ domain.server_name }}; error_log {{ domain.error_log }} {{ domain.error_log_level }}; access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }}; - # Proxy for certbot (LetsEncrypt) {% if domain.ssl.web_server | default('standalone') == 'standalone' %} - location /.well-known/acme-challenge/ { - proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; - } + # Proxy for certbot (LetsEncrypt) + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; + } {% endif %} } diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md index f32ff94b2..cb4e7fc97 100644 --- a/roles/debian/php-fpm/README.md +++ b/roles/debian/php-fpm/README.md 
@@ -2,6 +2,8 @@ Installs and configures the PHP-FPM flavour of FastCGI.
+Note, for legacy reasons this role sets up PHP-FPM to use TCP/IP instead of a Unix socket by default. However, we *recommend* you change this by setting `unix_socket: true` unless you really need to run PHP-FPM over TCP/IP, as a Unix socket is much faster. If you do, be sure to set the `pool_group` variable to match your web server user, or the web server will be unable to interact with PHP.
+
@@ -23,7 +25,7 @@ php:
 # It is important to scale up processes on bigger servers, so that more
 # requests can be handled. Double the number of vCPUs is a good default.
 # Can be between 5 and 64.
- max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
+ max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
 start_servers: 2
 min_spare_servers: 1
 max_spare_servers: 3
diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml
index 588c041ee..e09869d9a 100644
--- a/roles/debian/php-fpm/defaults/main.yml
+++ b/roles/debian/php-fpm/defaults/main.yml
@@ -6,8 +6,8 @@ php:
 unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
 server_ip: "127.0.0.1"
 tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
- pool_user: "{{ user_deploy.username }}"
- pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+ pool_user: "{{ user_deploy.username }}" # this should always be the deploy user, usually deploy
+ pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user, often www-data
 pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
 default_socket_timeout: 60
 # It is important to scale up processes on bigger servers, so that more
From d061fe381d26185043365cd328dd62e179d59965 Mon Sep 17 00:00:00 2001
From: Greg Harvey
Date: Fri, 18 Jul 2025 16:24:05 +0200
Subject: [PATCH 5/5] Updating documentation.
---
 docs/_Sidebar.md | 1 +
 docs/roles/aws/aws_ec2_with_eip.md | 3 +-
 docs/roles/aws/aws_vpc.md | 7 ++
 docs/roles/debian/apt_unattended_upgrades.md | 1 +
 docs/roles/debian/fluent-bit.md | 64 +++++++++++++++++++
 docs/roles/debian/gitlab.md | 1 +
 docs/roles/debian/nginx.md | 4 +-
 docs/roles/debian/php-fpm.md | 12 ++--
 docs/roles/debian/user_ansible.md | 5 +-
 roles/aws/aws_ec2_with_eip/README.md | 3 +-
 roles/aws/aws_vpc/README.md | 7 ++
 .../debian/apt_unattended_upgrades/README.md | 1 +
 roles/debian/fluent-bit/README.md | 6 +-
 roles/debian/gitlab/README.md | 1 +
 roles/debian/nginx/README.md | 4 +-
 roles/debian/php-fpm/README.md | 10 +--
 roles/debian/user_ansible/README.md | 5 +-
 17 files changed, 111 insertions(+), 24 deletions(-)
 create mode 100644 docs/roles/debian/fluent-bit.md
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
index f22944d94..0453d8178 100644
--- a/docs/_Sidebar.md
+++ b/docs/_Sidebar.md
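Review bot: The new `pool_group` comment steers users to set the group to the web server user for the Unix-socket case, but if the template maps `pool_group` to FPM's `group` pool directive that changes the group every PHP worker runs as, which is wider than what the socket needs. Access to a Unix socket is governed by FPM's `listen.owner`/`listen.group`/`listen.mode` directives, so the least-privilege layout keeps the workers in the deploy user's group and grants the web server the socket through those; `www.conf.j2` is not in this chunk, so please confirm which directive `pool_group` actually feeds. Whichever it is, the comment should say what the value controls, e.g. `pool_group: "{{ user_deploy.username }}" # group the pool processes run as; with unix_socket: true the web server group (often www-data) must be able to open the socket`.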
@@ -56,6 +56,7 @@
 - [Docker Registry](/roles/debian/docker_registry)
 - [Duplicity](/roles/debian/duplicity)
 - [Firewall Config](/roles/debian/firewall_config)
+ - [Fluent-bit](/roles/debian/fluent-bit)
 - [Frontail](/roles/debian/frontail)
 - [Gitlab](/roles/debian/gitlab)
 - [Gitlab Runner](/roles/debian/gitlab_runner)
diff --git a/docs/roles/aws/aws_ec2_with_eip.md b/docs/roles/aws/aws_ec2_with_eip.md
index 88fee112e..378720926 100644
--- a/docs/roles/aws/aws_ec2_with_eip.md
+++ b/docs/roles/aws/aws_ec2_with_eip.md
@@ -12,7 +12,7 @@ Creates a new EC2 instance at AWS with a static IP address.
 aws_ec2_with_eip:
 aws_profile: "{{ _aws_profile }}"
 region: "{{ _aws_region }}"
- hostname: "{{ _domain_name }}" # The hostname is used to check if the machine exists already.
+ hostname: "{{ _aws_resource_name }}" # The hostname is used to check if the machine exists already.
 force: false # Force a new EC2 machine to be created if a new AMI is packed.
 instance_type: t3.micro
 key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
@@ -37,6 +37,7 @@ aws_ec2_with_eip:
 root_volume_delete_on_termination: true
 ebs_optimized: true
 security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
+ public_ip: true # usually this needs to be true for cloud-init to work
 tags:
 Name: "{{ _domain_name }}"
 # Add an A record tied to the EIP.
diff --git a/docs/roles/aws/aws_vpc.md b/docs/roles/aws/aws_vpc.md
index 57ef8041c..d9005630f 100644
--- a/docs/roles/aws/aws_vpc.md
+++ b/docs/roles/aws/aws_vpc.md
@@ -78,6 +78,7 @@ _common_security_groups:
 - 22
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on port 22.
+ rules_egress: []
 web_open:
 name: web_open
 description: Allow all incoming web traffic on ports 80 and 443.
@@ -88,6 +89,7 @@ _common_security_groups:
 - 443
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 80 and 443.
+ rules_egress: []
 mailpit_open:
 name: mailpit_open
 description: Allow all incoming traffic on port 8025 for Mailpit.
@@ -97,6 +99,7 @@ _common_security_groups:
 - 8025
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on port 8025.
+ rules_egress: []
 ftp_open:
 name: ftp_open
 description: Allow all incoming traffic on ports 20 and 21 for FTP.
@@ -107,6 +110,7 @@ _common_security_groups:
 - 21
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 20 and 21.
+ rules_egress: []
 sftp_open:
 name: sftp_open
 description: Allow all incoming traffic on ports 989 and 990 for sFTP.
@@ -117,6 +121,7 @@ _common_security_groups:
 - 990
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 989 and 990.
+ rules_egress: []
 ossec:
 name: ossec
 description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC.
@@ -127,6 +132,7 @@ _common_security_groups:
 - 1515
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming udp traffic on ports 1514 and 1515.
+ rules_egress: []
 openvpn:
 name: openvpn
 description: Allow all incoming traffic on port 1194 for OpenVPN.
@@ -136,6 +142,7 @@ _common_security_groups:
 - 1194
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming udp traffic on port 1194.
+ rules_egress: []
 ```
diff --git a/docs/roles/debian/apt_unattended_upgrades.md b/docs/roles/debian/apt_unattended_upgrades.md
index 3b6f93df0..da7390658 100644
--- a/docs/roles/debian/apt_unattended_upgrades.md
+++ b/docs/roles/debian/apt_unattended_upgrades.md
@@ -52,6 +52,7 @@ _apt_unattended_upgrades_default_origins:
 - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
 apt_unattended_upgrades:
 enable: true
+ linotp: "false"
 # unattended-upgrades template vars.
 # booleans must be strings to avoid Jinja2 interpretting.
 origins: "{{ _apt_unattended_upgrades_default_origins }}"
diff --git a/docs/roles/debian/fluent-bit.md b/docs/roles/debian/fluent-bit.md
new file mode 100644
index 000000000..6a0ee2d3e
--- /dev/null
+++ b/docs/roles/debian/fluent-bit.md
@@ -0,0 +1,64 @@
+# Fluent-bit
+
+## Description
+
+Deploy [Fluent-bit](https://github.com/fluent/fluent-bit) using ansible.
+
+### Requirements
+
+Role expects to be provided with the following information:
+* `fluentbit_main_config` - the main Fluent-bit configuration
+
+### Example
+Minimum Fluent-bit config that will send a test log, filter it, and output to stdout.
+
+```yaml
+fluentbit_main_config:
+ service:
+ flush: 5
+ log_level: info
+
+parsers:
+ - name: json
+ format: json
+ time_key: time
+ time_format: '%d/%b/%Y:%H:%M:%S %z'
+
+ pipeline:
+ inputs:
+ - name: dummy
+ dummy: '{"endpoint":"localhost", "value":"something"}'
+ tag: dummy
+ filters:
+ - name: grep
+ match: '*'
+ logical_op: or
+ regex:
+ - value something
+ - value error
+ outputs:
+ - name: stdout
+
+```
+
+For more details on setting up the Fluent-bit config, refer to official documentation:
+https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bitexporter
+
+
+
+
+
+## Default variables
+```yaml
+---
+# Default variables for Fluent-bit role
+fluent_bit_repo_key_url: https://packages.fluentbit.io/fluentbit.key
+fluent_bit_key_location: /usr/share/keyrings/fluentbit-keyring.asc
+fluent_bit_apt_source: "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.asc] https://packages.fluentbit.io/debian/{{ ansible_distribution_release }} {{ ansible_distribution_release }} main"
+fluent_bit_startup_command: /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yml
+
+fluent_bit_configuration: ""
+
+```
+
+
diff --git a/docs/roles/debian/gitlab.md b/docs/roles/debian/gitlab.md
index 3bc52c4ff..15ccbe900 100644
--- a/docs/roles/debian/gitlab.md
+++ b/docs/roles/debian/gitlab.md
@@ -109,6 +109,7 @@ gitlab:
 redirect_http_to_https: "true" # must be enabled if you're using LetsEncrypt above
 redirect_http_to_https_port: 80 # must be 80 if you're using LetsEncrypt above
 custom_nginx_config: "" # include extra config, for example "include /etc/nginx/conf.d/example.conf;"
+ block_removed_ldap_users_on_calendar: "*-*-* 02:30:00"
 ```
diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md
index 1eb74e189..4828099e1 100644
--- a/docs/roles/debian/nginx.md
+++ b/docs/roles/debian/nginx.md
@@ -26,8 +26,8 @@ nginx:
 worker_connections: 768
 http:
 server_names_hash_bucket_size: 256
- access_log: /var/log/nginx-access.log
- error_log: /var/log/nginx-error.log
+ access_log: /var/log/nginx/nginx-access.log
+ error_log: /var/log/nginx/nginx-error.log
 ssl_protocols: "TLSv1.2 TLSv1.3"
 sendfile: "on"
 keepalive_timeout: 65
diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md
index f32ff94b2..a2f458c19 100644
--- a/docs/roles/debian/php-fpm.md
+++ b/docs/roles/debian/php-fpm.md
@@ -2,6 +2,8 @@ Installs and configures the PHP-FPM flavour of FastCGI.
+Note, for legacy reasons this role sets up PHP-FPM to use TCP/IP instead of a Unix socket by default. However, we *recommend* you change this by setting `unix_socket: true` unless you really need to run PHP-FPM over TCP/IP, as a Unix socket is much faster. If you do, be sure to set the `pool_group` variable to match your web server user, or the web server will be unable to interact with PHP.
+
@@ -13,17 +15,17 @@ php:
 # see php-common for default version
 fpm:
 # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php
- unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+ unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
 server_ip: "127.0.0.1"
- tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
- pool_user: "{{ user_deploy.username }}"
- pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+ tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
+ pool_user: "{{ user_deploy.username }}" # this should always be the deploy user, usually deploy
+ pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user, often www-data
 pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
 default_socket_timeout: 60
 # It is important to scale up processes on bigger servers, so that more
 # requests can be handled. Double the number of vCPUs is a good default.
 # Can be between 5 and 64.
- max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
+ max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
 start_servers: 2
 min_spare_servers: 1
 max_spare_servers: 3
diff --git a/docs/roles/debian/user_ansible.md b/docs/roles/debian/user_ansible.md
index cccc424d5..692d53290 100644
--- a/docs/roles/debian/user_ansible.md
+++ b/docs/roles/debian/user_ansible.md
@@ -13,14 +13,15 @@ user_ansible:
 # This sets both username and main group.
 username: "{{ _user_ansible_username }}"
 home: "/home/{{ _user_ansible_username }}"
- create: true # if you know the user already exists, set this to false to not create the user.
+ create: true # if you know the user already exists, set this to false to not create the user.
 create_home: true
 update_password: "always"
+ system_user: true # creates a system user - see useradd --system docs
 # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet
 # This is shown for documentation, you should do this in your config repo
 # uid: 999
 # gid: 999
- sudo_config: {} # an empty dictionary will skip creating a sudo config
+ sudo_config: {} # an empty dictionary will skip creating a sudo config
 # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details.
 # entity_name: "{{ _user_ansible_username }}"
 # hosts: "ALL"
diff --git a/roles/aws/aws_ec2_with_eip/README.md b/roles/aws/aws_ec2_with_eip/README.md
index 88fee112e..378720926 100644
--- a/roles/aws/aws_ec2_with_eip/README.md
+++ b/roles/aws/aws_ec2_with_eip/README.md
@@ -12,7 +12,7 @@ Creates a new EC2 instance at AWS with a static IP address.
 aws_ec2_with_eip:
 aws_profile: "{{ _aws_profile }}"
 region: "{{ _aws_region }}"
- hostname: "{{ _domain_name }}" # The hostname is used to check if the machine exists already.
+ hostname: "{{ _aws_resource_name }}" # The hostname is used to check if the machine exists already.
 force: false # Force a new EC2 machine to be created if a new AMI is packed.
 instance_type: t3.micro
 key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
@@ -37,6 +37,7 @@ aws_ec2_with_eip:
 root_volume_delete_on_termination: true
 ebs_optimized: true
 security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
+ public_ip: true # usually this needs to be true for cloud-init to work
 tags:
 Name: "{{ _domain_name }}"
 # Add an A record tied to the EIP.
diff --git a/roles/aws/aws_vpc/README.md b/roles/aws/aws_vpc/README.md
index 57ef8041c..d9005630f 100644
--- a/roles/aws/aws_vpc/README.md
+++ b/roles/aws/aws_vpc/README.md
@@ -78,6 +78,7 @@ _common_security_groups:
 - 22
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on port 22.
+ rules_egress: []
 web_open:
 name: web_open
 description: Allow all incoming web traffic on ports 80 and 443.
@@ -88,6 +89,7 @@ _common_security_groups:
 - 443
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 80 and 443.
+ rules_egress: []
 mailpit_open:
 name: mailpit_open
 description: Allow all incoming traffic on port 8025 for Mailpit.
@@ -97,6 +99,7 @@ _common_security_groups:
 - 8025
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on port 8025.
+ rules_egress: []
 ftp_open:
 name: ftp_open
 description: Allow all incoming traffic on ports 20 and 21 for FTP.
@@ -107,6 +110,7 @@ _common_security_groups:
 - 21
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 20 and 21.
+ rules_egress: []
 sftp_open:
 name: sftp_open
 description: Allow all incoming traffic on ports 989 and 990 for sFTP.
@@ -117,6 +121,7 @@ _common_security_groups:
 - 990
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming tcp traffic on ports 989 and 990.
+ rules_egress: []
 ossec:
 name: ossec
 description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC.
@@ -127,6 +132,7 @@ _common_security_groups:
 - 1515
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming udp traffic on ports 1514 and 1515.
+ rules_egress: []
 openvpn:
 name: openvpn
 description: Allow all incoming traffic on port 1194 for OpenVPN.
@@ -136,6 +142,7 @@ _common_security_groups:
 - 1194
 cidr_ip: 0.0.0.0/0
 rule_desc: Allow all incoming udp traffic on port 1194.
+ rules_egress: []
 ```
diff --git a/roles/debian/apt_unattended_upgrades/README.md b/roles/debian/apt_unattended_upgrades/README.md
index 3b6f93df0..da7390658 100644
--- a/roles/debian/apt_unattended_upgrades/README.md
+++ b/roles/debian/apt_unattended_upgrades/README.md
@@ -52,6 +52,7 @@ _apt_unattended_upgrades_default_origins:
 - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
 apt_unattended_upgrades:
 enable: true
+ linotp: "false"
 # unattended-upgrades template vars.
 # booleans must be strings to avoid Jinja2 interpretting.
 origins: "{{ _apt_unattended_upgrades_default_origins }}"
diff --git a/roles/debian/fluent-bit/README.md b/roles/debian/fluent-bit/README.md
index 92e1f1846..6a0ee2d3e 100644
--- a/roles/debian/fluent-bit/README.md
+++ b/roles/debian/fluent-bit/README.md
@@ -52,15 +52,13 @@ https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bitexp
 ```yaml
 ---
 # Default variables for Fluent-bit role
-# Construct the download URL using the version variable.
 fluent_bit_repo_key_url: https://packages.fluentbit.io/fluentbit.key
 fluent_bit_key_location: /usr/share/keyrings/fluentbit-keyring.asc
 fluent_bit_apt_source: "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.asc] https://packages.fluentbit.io/debian/{{ ansible_distribution_release }} {{ ansible_distribution_release }} main"
 fluent_bit_startup_command: /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yml
-# fluent-bit configuration
-fluentbit_main_config: {}
-# Example config
+fluent_bit_configuration: ""
+
 ```
diff --git a/roles/debian/gitlab/README.md b/roles/debian/gitlab/README.md
index 3bc52c4ff..15ccbe900 100644
--- a/roles/debian/gitlab/README.md
+++ b/roles/debian/gitlab/README.md
@@ -109,6 +109,7 @@ gitlab:
 redirect_http_to_https: "true" # must be enabled if you're using LetsEncrypt above
 redirect_http_to_https_port: 80 # must be 80 if you're using LetsEncrypt above
 custom_nginx_config: "" # include extra config, for example "include /etc/nginx/conf.d/example.conf;"
+ block_removed_ldap_users_on_calendar: "*-*-* 02:30:00"
 ```
diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md
index 1eb74e189..4828099e1 100644
--- a/roles/debian/nginx/README.md
+++ b/roles/debian/nginx/README.md
@@ -26,8 +26,8 @@ nginx:
 worker_connections: 768
 http:
 server_names_hash_bucket_size: 256
- access_log: /var/log/nginx-access.log
- error_log: /var/log/nginx-error.log
+ access_log: /var/log/nginx/nginx-access.log
+ error_log: /var/log/nginx/nginx-error.log
 ssl_protocols: "TLSv1.2 TLSv1.3"
 sendfile: "on"
 keepalive_timeout: 65
diff --git a/roles/debian/php-fpm/README.md b/roles/debian/php-fpm/README.md
index cb4e7fc97..a2f458c19 100644
--- a/roles/debian/php-fpm/README.md
+++ b/roles/debian/php-fpm/README.md
@@ -15,17 +15,17 @@ php:
 # see php-common for default version
 fpm:
 # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php
- unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+ unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
 server_ip: "127.0.0.1"
- tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
- pool_user: "{{ user_deploy.username }}"
- pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+ tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
+ pool_user: "{{ user_deploy.username }}" # this should always be the deploy user, usually deploy
+ pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user, often www-data
 pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
 default_socket_timeout: 60
 # It is important to scale up processes on bigger servers, so that more
 # requests can be handled. Double the number of vCPUs is a good default.
 # Can be between 5 and 64.
- max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
+ max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
 start_servers: 2
 min_spare_servers: 1
 max_spare_servers: 3
diff --git a/roles/debian/user_ansible/README.md b/roles/debian/user_ansible/README.md
index cccc424d5..692d53290 100644
--- a/roles/debian/user_ansible/README.md
+++ b/roles/debian/user_ansible/README.md
@@ -13,14 +13,15 @@ user_ansible:
 # This sets both username and main group.
 username: "{{ _user_ansible_username }}"
 home: "/home/{{ _user_ansible_username }}"
- create: true # if you know the user already exists, set this to false to not create the user.
+ create: true # if you know the user already exists, set this to false to not create the user.
 create_home: true
 update_password: "always"
+ system_user: true # creates a system user - see useradd --system docs
 # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet
 # This is shown for documentation, you should do this in your config repo
 # uid: 999
 # gid: 999
- sudo_config: {} # an empty dictionary will skip creating a sudo config
+ sudo_config: {} # an empty dictionary will skip creating a sudo config
 # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details.
 # entity_name: "{{ _user_ansible_username }}"
 # hosts: "ALL"