From f70a97010635d9ae134cf113f89e5d7cbb5e5c95 Mon Sep 17 00:00:00 2001 From: Someone Date: Fri, 4 Oct 2024 13:42:36 +0200 Subject: [PATCH] [roles/server/nginx/vhost-unified] create nginx vhost --- .../nginx/vhost-unified/defaults/main.yml | 55 ++ .../files/default/php-fpm-www.conf | 498 ++++++++++++++++++ .../files/default/php-fpm.service | 24 + .../nginx/vhost-unified/handlers/main.yml | 15 + .../server/nginx/vhost-unified/tasks/main.yml | 195 +++++++ .../templates/default/awstats.j2 | 20 + .../vhost-unified/templates/default/vhost.j2 | 423 +++++++++++++++ .../vars/default/vars_vhost_custom.yml | 10 + 8 files changed, 1240 insertions(+) create mode 100644 roles/server/nginx/vhost-unified/defaults/main.yml create mode 100644 roles/server/nginx/vhost-unified/files/default/php-fpm-www.conf create mode 100644 roles/server/nginx/vhost-unified/files/default/php-fpm.service create mode 100644 roles/server/nginx/vhost-unified/handlers/main.yml create mode 100644 roles/server/nginx/vhost-unified/tasks/main.yml create mode 100644 roles/server/nginx/vhost-unified/templates/default/awstats.j2 create mode 100644 roles/server/nginx/vhost-unified/templates/default/vhost.j2 create mode 100644 roles/server/nginx/vhost-unified/vars/default/vars_vhost_custom.yml diff --git a/roles/server/nginx/vhost-unified/defaults/main.yml b/roles/server/nginx/vhost-unified/defaults/main.yml new file mode 100644 index 0000000..bc12e68 --- /dev/null +++ b/roles/server/nginx/vhost-unified/defaults/main.yml @@ -0,0 +1,55 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +# If not overridden in inventory or as a parameter, this is the value that will be used +# +--- +# if note defined elsewhere -> fail +#vhost_name: "" +vhost_aliases: "" +vhost_aliases_nocert: "" +vhost_https_on: True +vhost_https_force_letsencrypt: False +vhost_http_on: False +vhost_cache_on: True +vhost_gzip_on: True + +# The multilayer is a var include hack. +vhost_custom: + vhost_custom_pre_server: "" + vhost_custom: "" + +# leave unchanged to only use vhost_custom +vhost_type: "" + +# vhost_type: redirect +# if note defined elsewhere -> fail +#vhost_redirect_target_without_protocol: "" +vhost_redirect_code: "301" + +# vhost_type: proxypass +# if note defined elsewhere -> fail +#vhost_proxypass_target: "" + +# vhost_type: php || static +vhost_git_repo: "" +vhost_git_version: "master" + +# vhost_type: php +vhost_php_custom: [] + +# IPs that ignore $maintenance +vhost_maintenance_ips: [] + +# config dotfile protection. +vhost_dotfile_protection: True + +# fix permissions recursively. Can cause some issues with overlayfs duplicating files for no good reason. Therefore allow it to be disabled. +vhost_fix_perms: True + +# awstats. +vhost_awstats_ignore_monitoring_ips: "" +vhost_awstats_valid_http_codes: "200 304" diff --git a/roles/server/nginx/vhost-unified/files/default/php-fpm-www.conf b/roles/server/nginx/vhost-unified/files/default/php-fpm-www.conf new file mode 100644 index 0000000..af85e9b --- /dev/null +++ b/roles/server/nginx/vhost-unified/files/default/php-fpm-www.conf @@ -0,0 +1,498 @@ +;# +;################################################ +;### Managed by someone's ansible provisioner ### +;################################################ +;# Part of: https://git.somenet.org/root/pub/somesible.git +;# 2017-2024 by someone +;# +; Start a new pool named 'www'. +; the variable $pool can be used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'access.log' +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +;prefix = /path/to/pools/$pool + +; Unix user/group of the child processes. This can be used only if the master +; process running user is root. It is set after the child process is created. +; The user and group can be specified either by their name or by their numeric +; IDs. +; Note: If the user is root, the executable needs to be started with +; --allow-to-run-as-root option to work. +; Default Values: The user is set to master process running user by default. +; If the group is not set, the user's group is used. +user = www-data +group = www-data + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /run/php/php-fpm.sock + +; Set listen(2) backlog. +; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD) +;listen.backlog = 511 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. The owner +; and group can be specified either by name or by their numeric IDs. +; Default Values: Owner is set to the master process running user. If the group +; is not set, the owner's group is used. Mode is set to 0660. +listen.owner = www-data +listen.group = www-data +;listen.mode = 0660 +; When POSIX Access Control Lists are supported you can set them using +; these options, value is a comma separated list of user/group names. +; When set, listen.owner and listen.group are ignored +;listen.acl_users = +;listen.acl_groups = + +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +;listen.allowed_clients = 127.0.0.1 + +; Set the associated the route table (FIB). FreeBSD only +; Default Value: -1 +;listen.setfib = 1 + +; Specify the nice(2) priority to apply to the pool processes (only if set) +; The value can vary from -19 (highest priority) to 20 (lower priority) +; Note: - It will only work if the FPM master process is launched as root +; - The pool processes will inherit the master process priority +; unless it specified otherwise +; Default Value: no set +; process.priority = -19 + +; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or +; PROC_TRACE_CTL procctl for FreeBSD) even if the process user +; or group is different than the master process user. It allows to create process +; core dump and ptrace the process for the pool user. +; Default Value: no +; process.dumpable = yes + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives. With this process management, there will be +; always at least 1 children. +; pm.max_children - the maximum number of children that can +; be alive at the same time. +; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; pm.max_spawn_rate - the maximum number of rate to spawn child +; processes at once. +; ondemand - no children are created at startup. Children will be forked when +; new requests will connect. The following parameter are used: +; pm.max_children - the maximum number of children that +; can be alive at the same time. +; pm.process_idle_timeout - The number of seconds after which +; an idle process will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. The below defaults are based on a server without much resources. Don't +; forget to tweak pm.* to fit your needs. +; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' +; Note: This value is mandatory. +pm.max_children = 64 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: (min_spare_servers + max_spare_servers) / 2 +pm.start_servers = 1 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 1 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 2 + +; The number of rate to spawn child processes at once. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +; Default Value: 32 +;pm.max_spawn_rate = 32 + +; The number of seconds after which an idle process will be killed. +; Note: Used only when pm is set to 'ondemand' +; Default Value: 10s +;pm.process_idle_timeout = 10s; + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +pm.max_requests = 100 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. It shows the following information: +; pool - the name of the pool; +; process manager - static, dynamic or ondemand; +; start time - the date and time FPM has started; +; start since - number of seconds since FPM has started; +; accepted conn - the number of request accepted by the pool; +; listen queue - the number of request in the queue of pending +; connections (see backlog in listen(2)); +; max listen queue - the maximum number of requests in the queue +; of pending connections since FPM has started; +; listen queue len - the size of the socket queue of pending connections; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes; +; max active processes - the maximum number of active processes since FPM +; has started; +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic' and 'ondemand'); +; Value are updated in real time. +; Example output: +; pool: www +; process manager: static +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 62636 +; accepted conn: 190460 +; listen queue: 0 +; max listen queue: 1 +; listen queue len: 42 +; idle processes: 4 +; active processes: 11 +; total processes: 15 +; max active processes: 12 +; max children reached: 0 +; +; By default the status page output is formatted as text/plain. Passing either +; 'html', 'xml' or 'json' in the query string will return the corresponding +; output syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; http://www.foo.bar/status?xml +; +; By default the status page only outputs short status. Passing 'full' in the +; query string will also return status for each pool process. +; Example: +; http://www.foo.bar/status?full +; http://www.foo.bar/status?json&full +; http://www.foo.bar/status?html&full +; http://www.foo.bar/status?xml&full +; The Full status returns for each process: +; pid - the PID of the process; +; state - the state of the process (Idle, Running, ...); +; start time - the date and time the process has started; +; start since - the number of seconds since the process has started; +; requests - the number of requests the process has served; +; request duration - the duration in µs of the requests; +; request method - the request method (GET, POST, ...); +; request URI - the request URI with the query string; +; content length - the content length of the request (only with POST); +; user - the user (PHP_AUTH_USER) (or '-' if not set); +; script - the main script called (or '-' if not set); +; last request cpu - the %cpu the last request consumed +; it's always 0 if the process is not in Idle state +; because CPU calculation is done when the request +; processing has terminated; +; last request memory - the max amount of memory the last request consumed +; it's always 0 if the process is not in Idle state +; because memory calculation is done when the request +; processing has terminated; +; If the process is in Idle state, then informations are related to the +; last request the process has served. Otherwise informations are related to +; the current request being served. +; Example output: +; ************************ +; pid: 31330 +; state: Running +; start time: 01/Jul/2011:17:53:49 +0200 +; start since: 63087 +; requests: 12808 +; request duration: 1250261 +; request method: GET +; request URI: /test_mem.php?N=10000 +; content length: 0 +; user: - +; script: /home/fat/web/docs/php/test_mem.php +; last request cpu: 0.00 +; last request memory: 0 +; +; Note: There is a real-time FPM status monitoring sample web page available +; It's available in: /usr/share/php/7.4/fpm/status.html +; +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The address on which to accept FastCGI status request. This creates a new +; invisible pool that can handle requests independently. This is useful +; if the main pool is busy with long running requests because it is still possible +; to get the status before finishing the long running requests. +; +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on +; a specific port; +; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses +; (IPv6 and IPv4-mapped) on a specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Default Value: value of the listen option +;pm.status_listen = 127.0.0.1:9001 + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +;ping.response = pong + +; The access log file +; Default: not set +;access.log = log/$pool.access.log + +; The access log format. +; The following syntax is allowed +; %%: the '%' character +; %C: %CPU used by the request +; it can accept the following format: +; - %{user}C for user CPU only +; - %{system}C for system CPU only +; - %{total}C for user + system CPU (default) +; %d: time taken to serve the request +; it can accept the following format: +; - %{seconds}d (default) +; - %{milliseconds}d +; - %{milli}d +; - %{microseconds}d +; - %{micro}d +; %e: an environment variable (same as $_ENV or $_SERVER) +; it must be associated with embraces to specify the name of the env +; variable. Some examples: +; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e +; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e +; %f: script filename +; %l: content-length of the request (for POST request only) +; %m: request method +; %M: peak of memory allocated by PHP +; it can accept the following format: +; - %{bytes}M (default) +; - %{kilobytes}M +; - %{kilo}M +; - %{megabytes}M +; - %{mega}M +; %n: pool name +; %o: output header +; it must be associated with embraces to specify the name of the header: +; - %{Content-Type}o +; - %{X-Powered-By}o +; - %{Transfert-Encoding}o +; - .... +; %p: PID of the child that serviced the request +; %P: PID of the parent of the child that serviced the request +; %q: the query string +; %Q: the '?' character if query string exists +; %r: the request URI (without the query string, see %q and %Q) +; %R: remote IP address +; %s: status (response code) +; %t: server time the request was received +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %T: time the log has been written (the request has finished) +; it can accept a strftime(3) format: +; %d/%b/%Y:%H:%M:%S %z (default) +; The strftime(3) format must be encapsulated in a %{}t tag +; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t +; %u: remote user +; +; Default: "%R - %u %t \"%m %r\" %s" +;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%" + +; A list of request_uri values which should be filtered from the access log. +; +; As a security precuation, this setting will be ignored if: +; - the request method is not GET or HEAD; or +; - there is a request body; or +; - there are query parameters; or +; - the response code is outwith the successful range of 200 to 299 +; +; Note: The paths are matched against the output of the access.format tag "%r". +; On common configurations, this may look more like SCRIPT_NAME than the +; expected pre-rewrite URI. +; +; Default Value: not set +;access.suppress_path[] = /ping +;access.suppress_path[] = /health_check.php + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = log/$pool.log.slow + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; Depth of slow log stack trace. +; Default Value: 20 +;request_slowlog_trace_depth = 20 + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout set by 'request_terminate_timeout' ini option is not engaged after +; application calls 'fastcgi_finish_request' or when application has finished and +; shutdown functions are being called (registered via register_shutdown_function). +; This option will enable timeout limit to be applied unconditionally +; even in such cases. +; Default Value: no +;request_terminate_timeout_track_finished = no + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environment, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Decorate worker output with prefix and suffix containing information about +; the child that writes to the log and if stdout or stderr is used as well as +; log level and time. This options is used only if catch_workers_output is yes. +; Settings to "no" will output data as written to the stdout or stderr. +; Default value: yes +;decorate_workers_output = no + +; Clear environment in FPM workers +; Prevents arbitrary environment variables from reaching FPM worker processes +; by clearing the environment in workers before env vars specified in this +; pool configuration are added. +; Setting to "no" will make all environment variables available to PHP code +; via getenv(), $_ENV and $_SERVER. +; Default Value: yes +;clear_env = no + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; execute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 .php7 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +php_admin_value[memory_limit] = 1025M +php_admin_value[upload_max_filesize] = 1025M +php_admin_value[post_max_size] = 1025M diff --git a/roles/server/nginx/vhost-unified/files/default/php-fpm.service b/roles/server/nginx/vhost-unified/files/default/php-fpm.service new file mode 100644 index 0000000..7d4cae6 --- /dev/null +++ b/roles/server/nginx/vhost-unified/files/default/php-fpm.service @@ -0,0 +1,24 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# + +[Unit] +Description=The PHP FastCGI Process Manager +After=network.target +OnFailure=unit-status-mail@%n.service + +[Service] +Type=notify +ExecStart=/usr/sbin/php-fpm8.2 --nodaemonize --fpm-config /etc/php/8.2/fpm/php-fpm.conf +ExecStartPost=-/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/8.2/fpm/pool.d/www.conf 74 +ExecStopPost=-/usr/lib/php/php-fpm-socket-helper remove /run/php/php-fpm.sock /etc/php/8.2/fpm/pool.d/www.conf 74 +ExecReload=/bin/kill -USR2 $MAINPID +Restart=always +RestartSec=10 + +[Install] +WantedBy=multi-user.target diff --git a/roles/server/nginx/vhost-unified/handlers/main.yml b/roles/server/nginx/vhost-unified/handlers/main.yml new file mode 100644 index 0000000..a81138d --- /dev/null +++ b/roles/server/nginx/vhost-unified/handlers/main.yml @@ -0,0 +1,15 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +- name: restart nginx.service + systemd: name=nginx.service state=restarted + ignore_errors: yes + + +- name: restart php-fpm.service + systemd: name=php-fpm.service state=restarted + ignore_errors: yes diff --git a/roles/server/nginx/vhost-unified/tasks/main.yml b/roles/server/nginx/vhost-unified/tasks/main.yml new file mode 100644 index 0000000..71ec327 --- /dev/null +++ b/roles/server/nginx/vhost-unified/tasks/main.yml @@ -0,0 +1,195 @@ +##################################### +### someone's ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +- name: install php + apt: + pkg: + - bzip2 + - php8.2 + - php8.2-cli + - php8.2-fpm + state: present + policy_rc_d: 101 + when: vhost_type|lower() in ["php", "custom+php"] + tags: "online" + ignore_errors: "{{ignore_online_errors | bool}}" + + +- name: install custom php modules + apt: + pkg: "{{vhost_php_custom}}" + state: present + policy_rc_d: 101 + when: vhost_type|lower() in ["php", "custom+php"] and vhost_php_custom != [] + tags: "online" + ignore_errors: "{{ignore_online_errors | bool}}" + + +- name: copy php-fpm-www.conf + copy: + src: "{{item}}" + dest: "/etc/php/8.2/fpm/pool.d/www.conf" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/php-fpm-www.conf" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/php-fpm-www.conf" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/php-fpm-www.conf" + - "default/php-fpm-www.conf" + when: vhost_type|lower() in ["php", "custom+php"] + notify: restart php-fpm.service + + +- name: copy php-fpm.service to /etc/systemd/system/ + copy: + src: "{{item}}" + dest: "/etc/systemd/system/php-fpm.service" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/php-fpm.service" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/php-fpm.service" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/php-fpm.service" + - "default/php-fpm.service" + when: vhost_type|lower() in ["php", "custom+php"] + + +- name: enable and start phpsessionclean.timer + include_role: name="base/systemd/enable-and-start" + vars: + service_name: phpsessionclean.timer + when: vhost_type|lower() in ["php", "custom+php"] + + +- name: enable and start php-fpm.service + include_role: name="base/systemd/enable-and-start" + vars: + service_name: php-fpm.service + when: vhost_type|lower() in ["php", "custom+php"] + + +- name: request letsencrypt cert for "{{vhost_name}}" + include_role: + name: util/letsencrypt-cert + vars: + letsencrypt_cert_domain: "{{vhost_name}}" + letsencrypt_cert_domain_alias: "{{vhost_aliases}}" + when: vhost_https_on|bool or vhost_https_force_letsencrypt|bool + + +- name: set up webroot-dir for "{{vhost_name}}" + file: + path: "/var/www/{{vhost_name}}" + state: directory + mode: 0750 + owner: "www-data" + group: "www-data" + + +- name: get or update content via git for "{{vhost_name}}" + git: + repo: "{{vhost_git_repo}}" + dest: "/var/www/{{vhost_name}}/" + accept_hostkey: "yes" + clone: "yes" + force: "yes" + recursive: "yes" + track_submodules: "yes" + update: "yes" + version: "{{vhost_git_version}}" + when: vhost_git_repo != "" + tags: "nginx-vhost-content-update" + + +- name: deploy some custom files + copy: + src: "{{item.src}}" + dest: "/var/www/{{vhost_name}}/" + mode: 0640 + owner: "www-data" + group: "www-data" + with_filetree: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{vhost_name}}-deploy-files/" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{vhost_name}}-deploy-files/" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{vhost_name}}-deploy-files/" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/deploy-files/" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/deploy-files/" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/deploy-files/" + - "default/deploy-files/" + when: item.state == "file" + tags: "nginx-vhost-content-update" + + +- name: "fix webroot-dir permissions for {{vhost_name}}" + file: + path: "/var/www/{{vhost_name}}" + state: directory + recurse: yes + mode: "u=rwX,g=rX,o-rwx" + owner: "www-data" + group: "www-data" + when: vhost_fix_perms|bool + tags: "nginx-vhost-content-update" + + +- name: "include vhost_custom and vhost_custom_pre_server for {{vhost_name}}" + include_vars: + file: "{{item}}" + name: vhost_custom + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{vhost_name}}-vars_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{vhost_name}}-vars_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{vhost_name}}-vars_vhost_custom.yml" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vars_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vars_vhost_custom.yml" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vars_vhost_custom.yml" + - "default/vars_vhost_custom.yml" + when: vhost_custom.vhost_custom == "" and vhost_custom.vhost_custom_pre_server == "" + + +- name: generate vhost config for "{{vhost_name}}" + template: + src: "{{item}}" + dest: "/etc/nginx/sites-enabled/{{vhost_name}}.vhost" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{vhost_name}}-vhost.j2" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{vhost_name}}-vhost.j2" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{vhost_name}}-vhost.j2" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/vhost.j2" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/vhost.j2" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/vhost.j2" + - "default/vhost.j2" + notify: restart nginx.service + + +- name: generate awstats config for "{{vhost_name}}" + template: + src: "{{item}}" + dest: "/etc/awstats/awstats.{{vhost_name}}.conf" + mode: 0644 + owner: "root" + group: "root" + with_first_found: + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/{{vhost_name}}-awstats.j2" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/{{vhost_name}}-awstats.j2" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/{{vhost_name}}-awstats.j2" + - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/awstats.j2" + - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/awstats.j2" + - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/awstats.j2" + - "default/awstats.j2" + + +- name: reset vhost_custom and vhost_custom_pre_server + include_vars: + file: "default/vars_vhost_custom.yml" + name: vhost_custom + when: vhost_custom.vhost_custom != "" or vhost_custom.vhost_custom_pre_server != "" diff --git a/roles/server/nginx/vhost-unified/templates/default/awstats.j2 b/roles/server/nginx/vhost-unified/templates/default/awstats.j2 new file mode 100644 index 0000000..5bfd136 --- /dev/null +++ b/roles/server/nginx/vhost-unified/templates/default/awstats.j2 @@ -0,0 +1,20 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# + +Include "/etc/awstats/awstats.conf" + +LogFile="/var/log/nginx/{{vhost_name}}-access.log" +SiteDomain="{{vhost_name}}" +{% if vhost_aliases != "" or vhost_aliases_nocert != "" %} +HostAliases="{{vhost_aliases}} {{vhost_aliases_nocert}}" +{% endif %} +{% if vhost_awstats_ignore_monitoring_ips != "" %} +SkipHosts="{{vhost_awstats_ignore_monitoring_ips}}" +{% endif %} + +ValidHTTPCodes="{{vhost_awstats_valid_http_codes}}" diff --git a/roles/server/nginx/vhost-unified/templates/default/vhost.j2 b/roles/server/nginx/vhost-unified/templates/default/vhost.j2 new file mode 100644 index 0000000..90b803d --- /dev/null +++ b/roles/server/nginx/vhost-unified/templates/default/vhost.j2 @@ -0,0 +1,423 @@ +# +################################################ +### Managed by someone's ansible provisioner ### +################################################ +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# + +{% if vhost_custom.vhost_custom_pre_server != "" %} + +############################### +### vhost_custom_pre_server ### +############################### +{{ vhost_custom.vhost_custom_pre_server }} + +{% endif %} + +{% if vhost_cache_on %} +proxy_cache_path /tmp/nginx_cachep_{{vhost_name}} levels=1:2 keys_zone=cachep_{{vhost_name}}:16m max_size=1g inactive=1440m use_temp_path=off; +fastcgi_cache_path /tmp/nginx_cachef_{{vhost_name}} levels=1:2 keys_zone=cachef_{{vhost_name}}:16m max_size=1g inactive=1440m use_temp_path=off; +{% endif %} + +{% if vhost_https_on %} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{vhost_name}} {{vhost_aliases}} {{vhost_aliases_nocert}}; + + ssl_certificate /etc/ssl/letsencrypt/{{vhost_name}}/fullchain.pem; + ssl_certificate_key /etc/ssl/letsencrypt/{{vhost_name}}/privkey.pem; + ssl_certificate /etc/ssl/letsencrypt-rsa/{{vhost_name}}/fullchain.pem; + ssl_certificate_key /etc/ssl/letsencrypt-rsa/{{vhost_name}}/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384; + ssl_prefer_server_ciphers on; +# ssl_dhparam /etc/nginx/dhparams.pem; + ssl_session_cache shared:SSL:10m; + ssl_stapling on; + ssl_stapling_verify on; + add_header Strict-Transport-Security "max-age=31536000" always; + + access_log /var/log/nginx/{{vhost_name}}-access.log; + error_log /var/log/nginx/{{vhost_name}}-error.log; + + client_max_body_size 1025M; + fastcgi_buffers 64 4K; + # fix 414 Request-URI Too Large. + large_client_header_buffers 4 64k; + +{% if vhost_gzip_on %} + ### + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + ### +{%- else %} + ### gzip DISABLED! +{%- endif %} + +{% if vhost_cache_on %} + ### + proxy_cache cachep_{{vhost_name}}; + proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; + proxy_cache_background_update on; + proxy_cache_revalidate on; +# proxy_cache_key $scheme$proxy_host$request_uri; +# proxy_cache_valid 200 302 60m; +# proxy_cache_valid 301 90m; +# proxy_cache_valid any 10m; + + fastcgi_cache cachef_{{vhost_name}}; + fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503; + fastcgi_cache_background_update on; + fastcgi_cache_revalidate on; + fastcgi_cache_key $request_uri; +# fastcgi_cache_valid 200 302 60m; +# fastcgi_cache_valid 301 90m; +# fastcgi_cache_valid any 10m; + + add_header X-Cache-Status $upstream_cache_status always; + ### +{%- else %} + ### cache DISABLED! +{%- endif %} + + ### + location ^~ /.well-known/acme-challenge { + alias /var/www/html/dehydrated; + } + ### +{%- if vhost_dotfile_protection %} + + ### + location ~ /\.(?!well-known\/).* { + return 404; + } + ### +{%- else %} + + ### dotfile protection DISABLED! (not vhost_dotfile_protection) +{%- endif %} + + ### + location = /robots.txt { + root /var/www/; + try_files /{{vhost_name}}/$uri /html/$uri =404; + } + ### + ### + location ^~ /awstats-icon { + alias /usr/share/awstats/icon/; + auth_pam "awstats"; + auth_pam_service_name "nginx-awstats"; + access_log off; + } + location = /awstats.pl { + root /usr/lib/cgi-bin/; + auth_pam "awstats"; + auth_pam_service_name "nginx-awstats"; + access_log off; + + gzip off; + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl; + } + ### + ### + error_page 503 @maintenance; + location @maintenance { + default_type text/html; + root /var/www; + try_files /maintenance.html.{{vhost_name}} /maintenance.html /maintenance.html.dis =404; + } + set $maintenance "0"; + if (-f "/var/www/maintenance.html") { + set $maintenance "1"; + } + if (-f "/var/www/maintenance.html.{{vhost_name}}") { + set $maintenance "1"; + } +{% for ip in vhost_maintenance_ips %} + if ($remote_addr = "{{ip}}") { + set $maintenance "0"; + } +{% endfor %} + ### + + ############################### + ### real config starts here ### + ############################### +{%- if vhost_type|lower() in ["php", "static"] %} + + root /var/www/{{vhost_name}}; + location / { + try_files $uri $uri/index.html $uri/ =404; + } + + {%- if vhost_type|lower() == "static" %} + + # remove /index.html from path + location ~ ^(.*/)index.html$ { + rewrite ^(.*/)index.html$ $1 permanent; + } + + # remote trailing slashes from path + location ~ ^/(.*)/$ { + rewrite ^/(.*)/$ /$1 permanent; + } + + {%- elif vhost_type|lower() == "php" %} + + index index.php; + + location ~ \.php($|/.*) { + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + include fastcgi_params; + fastcgi_pass unix:/var/run/php/php-fpm.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + + fastcgi_split_path_info ^(.+\.php)($|/.*); + fastcgi_param PATH_INFO $fastcgi_path_info; + } + + {% endif %} +{%- elif vhost_type|lower() == "proxypass" %} + + root /var/www/{{vhost_name}}; + location / { + try_files $uri @proxy; + } + location @proxy { + proxy_pass {{vhost_proxypass_target}}; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_set_header Accept-Encoding ""; + } + +{%- elif vhost_type|lower() == "redirect" %} + + return {{vhost_redirect_code}} $scheme://{{vhost_redirect_target_without_protocol}}$request_uri; + +{%- endif %} +{%- if vhost_custom.vhost_custom != "" %} + + #################### + ### vhost_custom ### + #################### + {{ vhost_custom.vhost_custom | indent(width=4) }} + +{%- endif %} + + ############################# + ### real config ends here ### + ############################# + ### + if ($maintenance = "1") { + return 503; + } + ### +} + +{% endif %} +{% if vhost_http_on %} +server { + listen 80; + listen [::]:80; + server_name {{vhost_name}} {{vhost_aliases}} {{vhost_aliases_nocert}}; + + access_log /var/log/nginx/{{vhost_name}}-access.log; + error_log /var/log/nginx/{{vhost_name}}-error.log; + + client_max_body_size 1025M; + fastcgi_buffers 64 4K; + # fix 414 Request-URI Too Large. + large_client_header_buffers 4 64k; + +{% if vhost_cache_on %} + ### + proxy_cache cachep_{{vhost_name}}; + proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; + proxy_cache_background_update on; + proxy_cache_revalidate on; +# proxy_cache_key $scheme$proxy_host$request_uri; +# proxy_cache_valid 200 302 60m; +# proxy_cache_valid 301 90m; +# proxy_cache_valid any 10m; + + fastcgi_cache cachef_{{vhost_name}}; + fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503; + fastcgi_cache_background_update on; + fastcgi_cache_revalidate on; + fastcgi_cache_key $request_uri; +# fastcgi_cache_valid 200 302 60m; +# fastcgi_cache_valid 301 90m; +# fastcgi_cache_valid any 10m; + + add_header X-Cache-Status $upstream_cache_status always; + ### +{%- else %} + ### proxy_cache DISABLED! +{%- endif %} + + ### + location ^~ /.well-known/acme-challenge { + alias /var/www/html/dehydrated; + } + ### +{%- if vhost_dotfile_protection %} + + ### + location ~ /\.(?!well-known\/).* { + return 404; + } + ### +{%- else %} + + ### dotfile protection DISABLED! (not vhost_dotfile_protection) +{%- endif %} + + ### + location = /robots.txt { + root /var/www/; + try_files /{{vhost_name}}/$uri /html/$uri =404; + } + ### + ### + location ^~ /awstats-icon { + alias /usr/share/awstats/icon/; + auth_pam "awstats"; + auth_pam_service_name "nginx-awstats"; + access_log off; + } + location = /awstats.pl { + root /usr/lib/cgi-bin/; + auth_pam "awstats"; + auth_pam_service_name "nginx-awstats"; + access_log off; + + gzip off; + include fastcgi_params; + fastcgi_pass unix:/var/run/fcgiwrap.socket; + fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/awstats.pl; + } + ### + ### + error_page 503 @maintenance; + location @maintenance { + default_type text/html; + root /var/www; + try_files /maintenance.html.{{vhost_name}} /maintenance.html /maintenance.html.dis =404; + } + set $maintenance "0"; + if (-f "/var/www/maintenance.html") { + set $maintenance "1"; + } + if (-f "/var/www/maintenance.html.{{vhost_name}}") { + set $maintenance "1"; + } +{% for ip in vhost_maintenance_ips %} + if ($remote_addr = "{{ip}}") { + set $maintenance "0"; + } +{% endfor %} + ### + + ############################### + ### real config starts here ### + ############################### +{%- if vhost_type|lower() in ["php", "static"] %} + + root /var/www/{{vhost_name}}; + location / { + try_files $uri $uri/index.html $uri/ =404; + } + + {%- if vhost_type|lower() == "static" %} + + # remove /index.html from path + location ~ ^(.*/)index.html$ { + rewrite ^(.*/)index.html$ $1 permanent; + } + + # remote trailing slashes from path + location ~ ^/(.*)/$ { + rewrite ^/(.*)/$ /$1 permanent; + } + + {%- elif vhost_type|lower() == "php" %} + + index index.php; + + location ~ \.php($|/.*) { + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + include fastcgi_params; + fastcgi_pass unix:/var/run/php/php-fpm.sock; + fastcgi_param SCRIPT_FILENAME $request_filename; + + fastcgi_split_path_info ^(.+\.php)($|/.*); + fastcgi_param PATH_INFO $fastcgi_path_info; + } + + {% endif %} +{%- elif vhost_type|lower() == "proxypass" %} + + root /var/www/{{vhost_name}}; + location / { + try_files $uri @proxy; + } + location @proxy { + proxy_pass {{vhost_proxypass_target}}; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Frame-Options SAMEORIGIN; + proxy_set_header Accept-Encoding ""; + } + +{%- elif vhost_type|lower() == "redirect" %} + + return {{vhost_redirect_code}} $scheme://{{vhost_redirect_target_without_protocol}}$request_uri; + +{%- endif %} +{%- if vhost_custom.vhost_custom != "" %} + + #################### + ### vhost_custom ### + #################### + {{ vhost_custom.vhost_custom | indent(width=4) }} + +{%- endif %} + + ############################# + ### real config ends here ### + ############################# + ### + if ($maintenance = "1") { + return 503; + } + ### +} + +{% endif %} diff --git a/roles/server/nginx/vhost-unified/vars/default/vars_vhost_custom.yml b/roles/server/nginx/vhost-unified/vars/default/vars_vhost_custom.yml new file mode 100644 index 0000000..46d358f --- /dev/null +++ b/roles/server/nginx/vhost-unified/vars/default/vars_vhost_custom.yml @@ -0,0 +1,10 @@ +##################################### +### someone"s ansible provisioner ### +##################################### +# Part of: https://git.somenet.org/root/pub/somesible.git +# 2017-2024 by someone +# +--- +vhost_custom_pre_server: |- + +vhost_custom: |- -- 2.43.0