Opcache vars v2 pr devel 2.x

docs/_Sidebar.md

@@ -62,6 +62,7 @@
        - [Docker Registry](/roles/debian/docker_registry)
        - [Duplicity](/roles/debian/duplicity)
        - [Firewall Config](/roles/debian/firewall_config)
+       - [Fluent-bit](/roles/debian/fluent-bit)
        - [Frontail](/roles/debian/frontail)
        - [Gitlab](/roles/debian/gitlab)
        - [Gitlab Runner](/roles/debian/gitlab_runner)

docs/roles/aws/aws_ec2_with_eip.md

@@ -12,7 +12,7 @@ Creates a new EC2 instance at AWS with a static IP address.
 aws_ec2_with_eip:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
-  hostname: "{{ _domain_name }}" # The hostname is used to check if the machine exists already.
+  hostname: "{{ _aws_resource_name }}" # The hostname is used to check if the machine exists already.
   force: false # Force a new EC2 machine to be created if a new AMI is packed.
   instance_type: t3.micro
   key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
@@ -37,6 +37,7 @@ aws_ec2_with_eip:
   root_volume_delete_on_termination: true
   ebs_optimized: true
   security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
+  public_ip: true  # usually this needs to be true for cloud-init to work
   tags:
     Name: "{{ _domain_name }}"
   # Add an A record tied to the EIP.

docs/roles/aws/aws_vpc.md

@@ -78,6 +78,7 @@ _common_security_groups:
           - 22
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on port 22.
+    rules_egress: []
   web_open:
     name: web_open
     description: Allow all incoming web traffic on ports 80 and 443.
@@ -88,6 +89,7 @@ _common_security_groups:
           - 443
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on ports 80 and 443.
+    rules_egress: []
   mailpit_open:
     name: mailpit_open
     description: Allow all incoming traffic on port 8025 for Mailpit.
@@ -97,6 +99,7 @@ _common_security_groups:
           - 8025
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on port 8025.
+    rules_egress: []
   ftp_open:
     name: ftp_open
     description: Allow all incoming traffic on ports 20 and 21 for FTP.
@@ -107,6 +110,7 @@ _common_security_groups:
           - 21
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on ports 20 and 21.
+    rules_egress: []
   sftp_open:
     name: sftp_open
     description: Allow all incoming traffic on ports 989 and 990 for sFTP.
@@ -117,6 +121,7 @@ _common_security_groups:
           - 990
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on ports 989 and 990.
+    rules_egress: []
   ossec:
     name: ossec
     description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC.
@@ -127,6 +132,7 @@ _common_security_groups:
           - 1515
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming udp traffic on ports 1514 and 1515.
+    rules_egress: []
   openvpn:
     name: openvpn
     description: Allow all incoming traffic on port 1194 for OpenVPN.
@@ -136,6 +142,7 @@ _common_security_groups:
           - 1194
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming udp traffic on port 1194.
+    rules_egress: []
 
 ```
 

docs/roles/debian/apt_unattended_upgrades.md

@@ -52,6 +52,7 @@ _apt_unattended_upgrades_default_origins:
     - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
 apt_unattended_upgrades:
   enable: true
+  linotp: "false"
   # unattended-upgrades template vars.
   # booleans must be strings to avoid Jinja2 interpretting.
   origins: "{{ _apt_unattended_upgrades_default_origins }}"

docs/roles/debian/fluent-bit.md

@@ -0,0 +1,64 @@
+# Fluent-bit
+
+## Description
+
+Deploy [Fluent-bit](https://github.com/fluent/fluent-bit) using ansible.
+
+### Requirements
+
+Role expects to be provided with the following information:
+* `fluentbit_main_config` - the main Fluent-bit configuration
+
+### Example
+Minimum Fluent-bit config that will send a test log, filter it, and output to stdout.
+
+```yaml
+fluentbit_main_config:
+  service:
+    flush: 5
+    log_level: info
+
+parsers:
+    - name: json
+      format: json
+      time_key: time
+      time_format: '%d/%b/%Y:%H:%M:%S %z'
+
+  pipeline:
+    inputs:
+        - name: dummy
+          dummy: '{"endpoint":"localhost", "value":"something"}'
+          tag: dummy
+    filters:
+        - name: grep
+          match: '*'
+          logical_op: or
+          regex:
+            - value something
+            - value error
+    outputs:
+        - name: stdout
+
+```
+
+For more details on setting up the Fluent-bit config, refer to official documentation:
+https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bitexporter
+
+<!--TOC-->
+<!--ENDTOC-->
+
+<!--ROLEVARS-->
+## Default variables
+```yaml
+---
+# Default variables for Fluent-bit role
+fluent_bit_repo_key_url: https://packages.fluentbit.io/fluentbit.key
+fluent_bit_key_location: /usr/share/keyrings/fluentbit-keyring.asc
+fluent_bit_apt_source: "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.asc] https://packages.fluentbit.io/debian/{{ ansible_distribution_release }} {{ ansible_distribution_release }} main"
+fluent_bit_startup_command: /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yml
+
+fluent_bit_configuration: ""
+
+```
+
+<!--ENDROLEVARS-->

docs/roles/debian/gitlab.md

@@ -109,6 +109,7 @@ gitlab:
     redirect_http_to_https: "true" # must be enabled if you're using LetsEncrypt above
     redirect_http_to_https_port: 80 # must be 80 if you're using LetsEncrypt above
     custom_nginx_config: "" # include extra config, for example "include /etc/nginx/conf.d/example.conf;"
+  block_removed_ldap_users_on_calendar: "*-*-* 02:30:00"
 
 ```
 

docs/roles/debian/nginx.md

@@ -26,8 +26,8 @@ nginx:
     worker_connections: 768
   http:
     server_names_hash_bucket_size: 256
-    access_log: /var/log/nginx-access.log
-    error_log: /var/log/nginx-error.log
+    access_log: /var/log/nginx/nginx-access.log
+    error_log: /var/log/nginx/nginx-error.log
     ssl_protocols: "TLSv1.2 TLSv1.3"
     sendfile: "on"
     keepalive_timeout: 65

docs/roles/debian/php-fpm.md

@@ -2,6 +2,8 @@
 
 Installs and configures the PHP-FPM flavour of FastCGI.
 
+Note, for legacy reasons this role sets up PHP-FPM to use TCP/IP instead of a Unix socket by default. However, we *recommend* you change this by setting `unix_socket: true` unless you really need to run PHP-FPM over TCP/IP, as a Unix socket is much faster. If you do, be sure to set the `pool_group` variable to match your web server user, or the web server will be unable to interact with PHP.
+
 <!--TOC-->
 <!--ENDTOC-->
 
@@ -13,17 +15,17 @@ php:
   # see php-common for default version
   fpm:
     # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php
-    unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+    unix_socket: false  # set to true to use a unix socket, you must also update nginx and cachetool if you do
     server_ip: "127.0.0.1"
-    tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
-    pool_user: "{{ user_deploy.username }}"
-    pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+    tcp_port: ""  # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
+    pool_user: "{{ user_deploy.username }}"   # this should always be the deploy user, usually deploy
+    pool_group: "{{ user_deploy.username }}"  # if using unix socket this should be the web server user, often www-data
     pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
     default_socket_timeout: 60
     # It is important to scale up processes on bigger servers, so that more
     # requests can be handled. Double the number of vCPUs is a good default.
     # Can be between 5 and 64.
-    max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
+    max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}"  # Fallback in case ansible_processor_nproc is not gathered before tasks
     start_servers: 2
     min_spare_servers: 1
     max_spare_servers: 3

docs/roles/debian/user_ansible.md

@@ -13,14 +13,15 @@ user_ansible:
   # This sets both username and main group.
   username: "{{ _user_ansible_username }}"
   home: "/home/{{ _user_ansible_username }}"
-  create: true # if you know the user already exists, set this to false to not create the user.
+  create: true  # if you know the user already exists, set this to false to not create the user.
   create_home: true
   update_password: "always"
+  system_user: true  # creates a system user - see useradd --system docs
   # It is often desirable to fix POSIX IDs for system users so they are consistent across your fleet
   # This is shown for documentation, you should do this in your config repo
   # uid: 999
   # gid: 999
-  sudo_config: {} # an empty dictionary will skip creating a sudo config
+  sudo_config: {}  # an empty dictionary will skip creating a sudo config
   # Example sudo config allowing full sudo permissions - see the debian/sudo_config role for more details.
   #  entity_name: "{{ _user_ansible_username }}"
   #  hosts: "ALL"

roles/_meta/webserver/meta/main.yml

@@ -8,4 +8,5 @@ dependencies:
   - role: debian/nodejs
   - role: debian/php-cli
   - role: debian/php-fpm
+  - role: debian/php_composer
   - role: debian/nginx

roles/aws/aws_ec2_with_eip/README.md

@@ -12,7 +12,7 @@ Creates a new EC2 instance at AWS with a static IP address.
 aws_ec2_with_eip:
   aws_profile: "{{ _aws_profile }}"
   region: "{{ _aws_region }}"
-  hostname: "{{ _domain_name }}" # The hostname is used to check if the machine exists already.
+  hostname: "{{ _aws_resource_name }}" # The hostname is used to check if the machine exists already.
   force: false # Force a new EC2 machine to be created if a new AMI is packed.
   instance_type: t3.micro
   key_name: "{{ ce_provision.username }}@{{ ansible_hostname }}" # This needs to match your "provision" user SSH key.
@@ -37,6 +37,7 @@ aws_ec2_with_eip:
   root_volume_delete_on_termination: true
   ebs_optimized: true
   security_groups: [] # list of security group names, converted to IDs by aws_security_groups role
+  public_ip: true  # usually this needs to be true for cloud-init to work
   tags:
     Name: "{{ _domain_name }}"
   # Add an A record tied to the EIP.

roles/aws/aws_vpc/README.md

@@ -78,6 +78,7 @@ _common_security_groups:
           - 22
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on port 22.
+    rules_egress: []
   web_open:
     name: web_open
     description: Allow all incoming web traffic on ports 80 and 443.
@@ -88,6 +89,7 @@ _common_security_groups:
           - 443
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on ports 80 and 443.
+    rules_egress: []
   mailpit_open:
     name: mailpit_open
     description: Allow all incoming traffic on port 8025 for Mailpit.
@@ -97,6 +99,7 @@ _common_security_groups:
           - 8025
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on port 8025.
+    rules_egress: []
   ftp_open:
     name: ftp_open
     description: Allow all incoming traffic on ports 20 and 21 for FTP.
@@ -107,6 +110,7 @@ _common_security_groups:
           - 21
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on ports 20 and 21.
+    rules_egress: []
   sftp_open:
     name: sftp_open
     description: Allow all incoming traffic on ports 989 and 990 for sFTP.
@@ -117,6 +121,7 @@ _common_security_groups:
           - 990
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming tcp traffic on ports 989 and 990.
+    rules_egress: []
   ossec:
     name: ossec
     description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC.
@@ -127,6 +132,7 @@ _common_security_groups:
           - 1515
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming udp traffic on ports 1514 and 1515.
+    rules_egress: []
   openvpn:
     name: openvpn
     description: Allow all incoming traffic on port 1194 for OpenVPN.
@@ -136,6 +142,7 @@ _common_security_groups:
           - 1194
         cidr_ip: 0.0.0.0/0
         rule_desc: Allow all incoming udp traffic on port 1194.
+    rules_egress: []
 
 ```
 

roles/debian/apt_unattended_upgrades/README.md

@@ -52,6 +52,7 @@ _apt_unattended_upgrades_default_origins:
     - "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"
 apt_unattended_upgrades:
   enable: true
+  linotp: "false"
   # unattended-upgrades template vars.
   # booleans must be strings to avoid Jinja2 interpretting.
   origins: "{{ _apt_unattended_upgrades_default_origins }}"

roles/debian/fluent-bit/README.md

@@ -52,15 +52,13 @@ https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bitexp
 ```yaml
 ---
 # Default variables for Fluent-bit role
-# Construct the download URL using the version variable.
 fluent_bit_repo_key_url: https://packages.fluentbit.io/fluentbit.key
 fluent_bit_key_location: /usr/share/keyrings/fluentbit-keyring.asc
 fluent_bit_apt_source: "deb [signed-by=/usr/share/keyrings/fluentbit-keyring.asc] https://packages.fluentbit.io/debian/{{ ansible_distribution_release }} {{ ansible_distribution_release }} main"
 fluent_bit_startup_command: /opt/fluent-bit/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yml
 
-# fluent-bit configuration
-fluentbit_main_config: {}
-# Example config
+fluent_bit_configuration: ""
+
 ```
 
 <!--ENDROLEVARS-->

roles/debian/gitlab/README.md

@@ -109,6 +109,7 @@ gitlab:
     redirect_http_to_https: "true" # must be enabled if you're using LetsEncrypt above
     redirect_http_to_https_port: 80 # must be 80 if you're using LetsEncrypt above
     custom_nginx_config: "" # include extra config, for example "include /etc/nginx/conf.d/example.conf;"
+  block_removed_ldap_users_on_calendar: "*-*-* 02:30:00"
 
 ```
 

roles/debian/nginx/README.md

@@ -26,8 +26,8 @@ nginx:
     worker_connections: 768
   http:
     server_names_hash_bucket_size: 256
-    access_log: /var/log/nginx-access.log
-    error_log: /var/log/nginx-error.log
+    access_log: /var/log/nginx/nginx-access.log
+    error_log: /var/log/nginx/nginx-error.log
     ssl_protocols: "TLSv1.2 TLSv1.3"
     sendfile: "on"
     keepalive_timeout: 65

roles/debian/nginx/templates/vhost_letsencrypt.j2

@@ -10,10 +10,10 @@ server {
     root /tmp;
     error_log {{ domain.error_log }} {{ domain.error_log_level }};
     access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }};
-    # Proxy for certbot (LetsEncrypt)
     {% if domain.ssl.web_server | default('standalone') == 'standalone' %}
-        location /.well-known/acme-challenge/ {
-            proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri;
-        }
+    # Proxy for certbot (LetsEncrypt)
+    location /.well-known/acme-challenge/ {
+        proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri;
+    }
     {% endif %}
 }

roles/debian/php-fpm/README.md

@@ -2,6 +2,8 @@
 
 Installs and configures the PHP-FPM flavour of FastCGI.
 
+Note, for legacy reasons this role sets up PHP-FPM to use TCP/IP instead of a Unix socket by default. However, we *recommend* you change this by setting `unix_socket: true` unless you really need to run PHP-FPM over TCP/IP, as a Unix socket is much faster. If you do, be sure to set the `pool_group` variable to match your web server user, or the web server will be unable to interact with PHP.
+
 <!--TOC-->
 <!--ENDTOC-->
 
@@ -13,17 +15,17 @@ php:
   # see php-common for default version
   fpm:
     # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php
-    unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+    unix_socket: false  # set to true to use a unix socket, you must also update nginx and cachetool if you do
     server_ip: "127.0.0.1"
-    tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
-    pool_user: "{{ user_deploy.username }}"
-    pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+    tcp_port: ""  # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
+    pool_user: "{{ user_deploy.username }}"   # this should always be the deploy user, usually deploy
+    pool_group: "{{ user_deploy.username }}"  # if using unix socket this should be the web server user, often www-data
     pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
     default_socket_timeout: 60
     # It is important to scale up processes on bigger servers, so that more
     # requests can be handled. Double the number of vCPUs is a good default.
     # Can be between 5 and 64.
-    max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
+    max_children: "{{ [10, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}"  # Fallback in case ansible_processor_nproc is not gathered before tasks
     start_servers: 2
     min_spare_servers: 1
     max_spare_servers: 3