diff --git a/roles/adm_instance/scripts/install_composer.sh b/roles/adm_instance/scripts/install_composer.sh index 6f01e38fa8d49ddced5029e5b53d3c9e017b1a00..ed3c0fbfb5de7de2c95471c9bae53c295deee93c 100644 --- a/roles/adm_instance/scripts/install_composer.sh +++ b/roles/adm_instance/scripts/install_composer.sh @@ -11,7 +11,8 @@ then exit 1 fi -php composer-setup.php --quiet +# La dernière version de composer qui supporte PHP 5.6 est 2.2.12 +php composer-setup.php --quiet --version=2.2.12 RESULT=$? rm composer-setup.php exit $RESULT diff --git a/roles/humhub/.travis.yml b/roles/humhub/.travis.yml new file mode 100644 index 0000000000000000000000000000000000000000..36bbf6208cfd42ac91bfbe7f9126bc9044e186c6 --- /dev/null +++ b/roles/humhub/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/humhub/README.md b/roles/humhub/README.md new file mode 100644 index 0000000000000000000000000000000000000000..5aee64c4130161c01f30623b98212fc46746f6d6 --- /dev/null +++ b/roles/humhub/README.md 
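Review bot: In install_composer.sh the installer is now frozen at the exact patch release `--version=2.2.12`, so later maintenance releases of the 2.2 line, including any security fixes, are never picked up until someone edits this script. The Composer installer also accepts `--2.2` to select the latest release of the 2.2 LTS channel; if that still suits the PHP 5.6 hosts, `php composer-setup.php --quiet --2.2` keeps the compatibility constraint without freezing the patch level. If an exact pin is wanted for reproducibility, move the version into a role variable and write the explanatory comment in English so the reason is visible to every maintainer. The script's earlier lines (everything before `exit 1` / `fi`) are outside the hunk, so whether the installer's checksum is verified there cannot be confirmed from this view.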
@@ -0,0 +1,24 @@
+# HUMHUB
+
+Humhub is a company internal social network
+
+## Requirements
+- PHP >=7.4
+
+## Example Playbook
+
+```yaml
+- role: humhub
+ description: test humhub
+ app_domain: humhub.example.com
+ app_instance_id: humhub
+ app_user: www-humhub
+ clear_app_user_password: ZdPreELr4b2XZazsFKjhXeD3FCxNhofZ
+ app_user_password: $6$$du/QXTiclJ1/Ns0RXJCXy6WBx7aN2gTMqJOzrWvzgYp3dQO.1j.pHngnbb8lBHZwIMu6JVuVRxCtrBnP1ts6D1
+ php_version: 7.4
+ restic_password: "1582369652dezs5z2d4"
+ database_password: ZdPreELr4b2XZazsFKjhXeD3FCxNhofZ
+```
+### License
+
+GPLV3
diff --git a/roles/humhub/defaults/main.yml b/roles/humhub/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..111add29fbcffc89f3cdfbeb341c401fe7c9ae23
--- /dev/null
+++ b/roles/humhub/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+app_version: 1.10.3
+
+app_user_chrooted: "yes"
+
+php_composer: "no"
+python3: "no"
+app_wsgi: "no"
+
+#
+# smtp default parameters
+#
+
+smtp_security: STARTTLS
+smtp_host: false
+smtp_user: null
+smtp_pass: null
+smtp_port: 587
diff --git a/roles/humhub/handlers/main.yml b/roles/humhub/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d2cb7173ec31de7e8a4642d812ff99cd5bb7802c
--- /dev/null
+++ b/roles/humhub/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+# handlers file for humhub
+- name: php-fpm reload humhub
+ service: name=php{{ php_version }}-fpm state=reloaded
+- name: nginx reload humhub
+ service: name=nginx state=reloaded
diff --git a/roles/humhub/meta/main.yml b/roles/humhub/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c572acc9f8b466bea50f2799b0ca1956418b862c
--- /dev/null
+++ b/roles/humhub/meta/main.yml
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/humhub/tasks/install.yml b/roles/humhub/tasks/install.yml new file mode 100644 index 0000000000000000000000000000000000000000..4022146f4cbc3b5c14cfef92ded87de886383d36 --- /dev/null +++ b/roles/humhub/tasks/install.yml 
@@ -0,0 +1,57 @@
+---
+
+- import_role:
+ name: _web_app
+
+- name: "template {{ rev_proxy }}_app.j2 {{ app_instance_id }}"
+ template:
+ src: "{{ rev_proxy }}_app.j2"
+ dest: "/etc/{{ rev_proxy }}/sites-available/{{ app_instance_id }}.conf"
+ when: app_wsgi == "no"
+ notify: "nginx reload humhub"
+ tags:
+ - garradin_rev_proxy
+
+- name: "Configuration of Humhub (common)"
+ template:
+ src: "common_php.j2"
+ dest: "{{ app_instance_root }}/protected/config/common.php"
+ tags:
+ - humhub_common
+ - humhub_conf
+
+- name: Check if app folder exists
+ stat:
+ path: "{{ app_instance_root }}"
+ register: app_folder
+
+- name: Check if data folder exists
+ stat:
+ path: "{{ app_data }}"
+ register: data_folder
+ tags: "data_setup"
+
+- name: "dir {{ app_data }}"
+ file:
+ path: "{{ app_data }}"
+ state: directory
+ mode: 0700
+ group: "www-data"
+ owner: "{{ app_user }}"
+ when: data_folder.stat.exists == false and app_folder.stat.exists
+ tags: "data_setup"
+ notify: "php-fpm reload humhub"
+
+- name: Import Backup Role
+ import_role:
+ name: _app_backup
+
+- name: "Cron Humhub - queue"
+ cron:
+ name: "Cron Humhub - queue"
+ job: "/usr/bin/php{{ php_version }} {{ app_instance_root }}/protected/yii queue/run >/dev/null 2>&1"
+
+- name: "Cron Humhub - cron"
+ cron:
+ name: "Cron Humhub - cron"
+ job: "/usr/bin/php{{ php_version }} {{ app_instance_root }}/protected/yii cron/run >/dev/null 2>&1"
diff --git a/roles/humhub/tasks/main.yml b/roles/humhub/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e68deade829252ac3702e36a446c97c3b18ec6c7
--- /dev/null
+++ b/roles/humhub/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- import_tasks: install.yml
+ when: app_run in ['install', 'reinstall']
+
+#- import_tasks: upgrade.yml
+# when: app_run == 'upgrade'
+
+- import_tasks: uninstall.yml
+ when: app_run == 'uninstall'
\ No newline at end of file
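Review bot: In tasks/install.yml the two `cron` tasks set neither `user:` nor any schedule field, so both jobs land in the crontab of whatever account Ansible runs as (tests/test.yml uses `remote_user: root`) and fire every minute. Running `protected/yii` from that account means code under the application tree executes with the deployer's privileges; adding `user: "{{ app_user }}"` to both tasks keeps the queue and cron workers at the web application's privilege level. Separately, the "Configuration of Humhub (common)" task writes a file that contains `database_password` without `owner`, `group` or `mode`, so its permissions depend on the umask of the run; `owner: "{{ app_user }}"`, `group: "{{ app_group }}"` and `mode: "0640"` would make them explicit. The tag `garradin_rev_proxy` on the reverse-proxy task looks copied from another role and probably should be a humhub tag.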
diff --git a/roles/humhub/tasks/uninstall.yml b/roles/humhub/tasks/uninstall.yml new file mode 100644 index 0000000000000000000000000000000000000000..36960b821726cf5e4f908457a440631d67ff649d --- /dev/null +++ b/roles/humhub/tasks/uninstall.yml @@ -0,0 +1,3 @@ +--- +- import_role: + name: _web_app \ No newline at end of file diff --git a/roles/humhub/templates/common_php.j2 b/roles/humhub/templates/common_php.j2 new file mode 100644 index 0000000000000000000000000000000000000000..3d9bf502e62c6c3c518b72c50b2bac04da1b8965 --- /dev/null +++ b/roles/humhub/templates/common_php.j2 @@ -0,0 +1,42 @@ + [ + 'cache' => [ + 'class' => 'yii\redis\Cache', + 'redis' => [ + 'hostname' => 'localhost', + 'port' => 6379, + 'database' => 0, + ] + ], + 'db' => [ + 'dsn' => 'mysql:host=localhost;dbname={{ database_name }}', + 'username' => '{{ database_user }}', + 'password' => '{{ database_password }}', + ], + ], + + 'modules' => [ + 'file' => [ + 'imageMaxResolution' => '1920x1080', + 'imageJpegQuality' => 75, + 'imagePngCompressionLevel' => 9, + 'imageWebpQuality' => 75, + ], + 'user' => [ + 'minimumUsernameLength' => 1 + ] + ], + + 'aliases' => [ + '@filestore' => '{{ app_data }}' + ] + +]; \ No newline at end of file diff --git a/roles/humhub/templates/nginx_app.j2 b/roles/humhub/templates/nginx_app.j2 new file mode 100644 index 0000000000000000000000000000000000000000..73658f341948d160b125d114177ee46580cfe4d8 --- /dev/null +++ b/roles/humhub/templates/nginx_app.j2 
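Review bot: In templates/common_php.j2 the values `{{ database_name }}`, `{{ database_user }}`, `{{ database_password }}` and `{{ app_data }}` are pasted unescaped into single-quoted PHP strings, so a password that contains `'` or `\` renders a config file that is broken or means something other than intended. Escape both characters in the template before rendering (backslash first, then the quote), or constrain the allowed alphabet where the password is generated and document that constraint next to the variable. The Redis cache is fixed to `localhost`, port `6379`, database `0` with no per-instance setting; if several instances are deployed on one host they would presumably share that cache database, which should be confirmed. The opening lines of the template appear truncated in this view, so the comment applies to the visible array entries only.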
@@ -0,0 +1,101 @@ +upstream php-handler{{ app_instance_id }} { + server unix:/var/run/php/php{{ php_version }}-fpm-{{ app_user }}.sock; +} + + +map $http_user_agent $log_ua { + ~Monit 0; + default 1; +} + +server { + listen 80; + listen [::]:80; + server_name {{ app_domain | mandatory }}; + # enforce https + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ app_domain }}; + + ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag all; # https://developers.google.com/search/docs/advanced/robots/robots_meta_tag + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Strict-Transport-Security "max-age=15768000"; + + access_log {{ www_log }}/{{ app_instance_id }}/access.log combined if=$log_ua; + error_log {{ www_log }}/{{ app_instance_id }}/error.log; + + include {{ app_instance_www_root }}/nginx/*.conf; + + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + location / { + + # Path to source + alias {{ app_instance_www_root }}/; + + if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? 
permanent; + } + + index index.php index.html ; + try_files $uri $uri/ /index.php?$args; + + location ~ \.php$ { + if (!-e $request_filename) { + rewrite ^/?(.*)$ /_route.php?/$1 last; + break; + } + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm-{{ app_user }}.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param REMOTE_USER $remote_user; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + + location ~ ^/(protected|framework|themes/\w+/views|\.|uploads/file) { + deny all; + } + + location ~ ^/(assets|static|themes|uploads) { + expires 10d; + add_header Cache-Control "public, no-transform"; + } + + # Increase size limit + client_max_body_size 2M; + } + +} diff --git a/roles/humhub/tests/inventory b/roles/humhub/tests/inventory new file mode 100644 index 0000000000000000000000000000000000000000..878877b0776c44f55fc4e458f70840f31da5bb01 --- /dev/null +++ b/roles/humhub/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/humhub/tests/test.yml b/roles/humhub/tests/test.yml new file mode 100644 index 0000000000000000000000000000000000000000..a4e4c94510c91c642468cc241dfd193fc240bb7a --- /dev/null +++ b/roles/humhub/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - humhub diff --git a/roles/humhub/vars/main.yml b/roles/humhub/vars/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..b4e3b431b0d609b6a8d587d0631fb1f967aaa4af --- /dev/null +++ b/roles/humhub/vars/main.yml 
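Review bot: In templates/nginx_app.j2 the `deny all` block for `^/(protected|framework|themes/\w+/views|\.|uploads/file)` is declared after `location ~ \.php$`, and nginx takes the first regex location that matches, so a `.php` path under one of those directories is passed to PHP-FPM instead of being refused. Move the deny block above the `\.php$` block so it is evaluated first. The `add_header Cache-Control` in the assets location also stops the server-level headers (`X-Content-Type-Options`, `Strict-Transport-Security` and the others) from being inherited for those responses, so they need to be repeated there or pulled in from a shared include. The closing `client_max_body_size 2M;` is commented "Increase size limit" but actually lowers the `512M` set at server level for everything under `location /`; one of the two values should go.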
@@ -0,0 +1,17 @@
+---
+app_program: "Humub"
+
+app_src_root_name: "humhub-{{ app_version }}"
+packages_list: [ "redis", "php{{ php_version }}-bz2", "php{{ php_version }}-redis", "php{{ php_version }}-fpm", "php{{ php_version }}-cli", "php{{ php_version }}-imagick", "php{{ php_version }}-curl", "php{{ php_version }}-bz2", "php{{ php_version }}-gd", "php{{ php_version }}-intl", "php{{ php_version }}-mysql", "php{{ php_version }}-zip", "php{{ php_version }}-apcu-bc", "php{{ php_version }}-apcu", "php{{ php_version }}-xml", "php{{ php_version }}-ldap" ]
+
+app_src: "https://www.humhub.com/download/package/humhub-{{ app_version }}.tar.gz"
+php_version: "7.4"
+
+app_data: "{{ app_instance_root }}/../{{ app_instance_id }}.data"
+
+app_group: "{{ app_user }}"
+
+database_type: "mysql"
+#database_name: "{{ app_instance_id }}_db"
+#database_user: "{{ app_instance_id }}_usr"
+#database_password: "{{ app_instance_id }}_pwd"
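Review bot: `app_src` in vars/main.yml points at a release tarball but no checksum is defined next to it, so nothing in this role pins what gets unpacked into the web root; whether `_web_app` verifies the download is not visible in this diff. If that role fetches with `get_url`, its `checksum` parameter could be fed from a variable declared here, for example `app_src_checksum: "sha256:<digest of humhub-1.10.3.tar.gz>"` (the variable name and digest are placeholders). Also `app_program: "Humub"` looks like a typo for Humhub, and `php{{ php_version }}-bz2` is listed twice in `packages_list`.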