From 05d5901b8f919d979dac9a3de0c3a55c7df57106 Mon Sep 17 00:00:00 2001 From: frju365 Date: Wed, 17 Nov 2021 17:07:26 +0100 Subject: [PATCH 01/21] [wip] Create role backup data --- roles/_app_backup_data/README.md | 2 ++ roles/_app_backup_data/tasks/install.yml | 10 ++++++++++ roles/_app_backup_data/tasks/main.yml | 10 ++++++++++ roles/_app_backup_data/tasks/uninstall.yml | 5 +++++ roles/_app_backup_data/templates/app_backup_data.j2 | 5 +++++ 5 files changed, 32 insertions(+) create mode 100644 roles/_app_backup_data/README.md create mode 100644 roles/_app_backup_data/tasks/install.yml create mode 100644 roles/_app_backup_data/tasks/main.yml create mode 100644 roles/_app_backup_data/tasks/uninstall.yml create mode 100644 roles/_app_backup_data/templates/app_backup_data.j2 diff --git a/roles/_app_backup_data/README.md b/roles/_app_backup_data/README.md new file mode 100644 index 00000000..a151482a --- /dev/null +++ b/roles/_app_backup_data/README.md @@ -0,0 +1,2 @@ +# Backup task for Apps Data + diff --git a/roles/_app_backup_data/tasks/install.yml b/roles/_app_backup_data/tasks/install.yml new file mode 100644 index 00000000..3b6d288f --- /dev/null +++ b/roles/_app_backup_data/tasks/install.yml @@ -0,0 +1,10 @@ +--- + + - name: "template for backup - no database" + template: + src: app_backup_data.j2 + dest: "{{ backup_item_dir }}/20-{{ app_instance_id }}-data.sh" + mode: 0640 + when: app_backup_data == "yes" + + \ No newline at end of file diff --git a/roles/_app_backup_data/tasks/main.yml b/roles/_app_backup_data/tasks/main.yml new file mode 100644 index 00000000..af2267e1 --- /dev/null +++ b/roles/_app_backup_data/tasks/main.yml @@ -0,0 +1,10 @@ +--- + +- import_tasks: install.yml + when: app_run in ['install', 'reinstall'] + +#- import_tasks: upgrade.yml +# when: app_run == 'upgrade' + +- import_tasks: uninstall.yml + when: app_run == 'uninstall' 
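Review bot: `when: app_backup_data == "yes"` in the install.yml hunk compares against the literal string "yes", so an inventory that writes `app_backup_data: yes` unquoted (a YAML 1.1 boolean) makes the condition false and the backup script is silently never installed — the failure mode is a missing backup rather than an error. Compare a boolean instead, `when: app_backup_data | default(false) | bool`, which accepts both spellings, and quote the octal mode, `mode: "0640"`, as the Ansible convention requires. The task also sets no `owner`/`group` on the generated script, so it belongs to whoever runs the play; if the backup runner is a dedicated user, set them explicitly. A `*.sh` file installed without the execute bit is presumably sourced by the backup runner rather than executed — a one-line comment saying so would save the next reader a detour.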
diff --git a/roles/_app_backup_data/tasks/uninstall.yml b/roles/_app_backup_data/tasks/uninstall.yml new file mode 100644 index 00000000..c3c6c084 --- /dev/null +++ b/roles/_app_backup_data/tasks/uninstall.yml @@ -0,0 +1,5 @@ +--- + - name: "remove backup task" + file: + path: "{{ backup_item_dir }}/20-{{ app_instance_id }}-data.sh" + state: absent diff --git a/roles/_app_backup_data/templates/app_backup_data.j2 b/roles/_app_backup_data/templates/app_backup_data.j2 new file mode 100644 index 00000000..0880f7e3 --- /dev/null +++ b/roles/_app_backup_data/templates/app_backup_data.j2 @@ -0,0 +1,5 @@ +# Note: the spaces around the equal sign ('=') are optional. +when = everyday at {{ backup_app_service_conf_time | mandatory }} + +rsync -aAx --del {{ app_data }} {{ backup_prod_dir }}/{{ app_instance_id }}.data +rc=$?; if [[ $rc != 0 ]]; then error "app" ; fi -- GitLab From 296eafe3dae0da532c48a948636bbdc4461c6f2e Mon Sep 17 00:00:00 2001 From: frju365 Date: Wed, 17 Nov 2021 17:24:46 +0100 Subject: [PATCH 02/21] [wip] import role for nexcloud and _web_app --- roles/_web_app/tasks/install.yml | 7 ++++++- roles/nextcloud_instance/tasks/install.yml | 5 +++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/_web_app/tasks/install.yml b/roles/_web_app/tasks/install.yml index 97949e59..2b2dd068 100644 --- a/roles/_web_app/tasks/install.yml +++ b/roles/_web_app/tasks/install.yml @@ -22,7 +22,12 @@ - import_tasks: deploy_program.yml - import_role: - name: _app_backup + name: _app_backup + + - name: "Backup data" + import_role: + name: _app_backup_data + when: app_backup_data == "yes" ### reverse proxy configuration - block: diff --git a/roles/nextcloud_instance/tasks/install.yml b/roles/nextcloud_instance/tasks/install.yml index 7eff8f4c..0a349906 100644 --- a/roles/nextcloud_instance/tasks/install.yml +++ b/roles/nextcloud_instance/tasks/install.yml 
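Review bot: In the app_backup_data.j2 hunk the rsync source and destination are unquoted, so an `app_data` or `backup_prod_dir` containing a space or glob character splits into several arguments, and with `--del` a mis-split source can delete the wrong destination tree. Quote both operands, and add a trailing slash to the source if the intent is to mirror the directory contents rather than nest `<basename>` under `<id>.data`: `rsync -aAx --del "{{ app_data }}/" "{{ backup_prod_dir }}/{{ app_instance_id }}.data/"`. Adding `| mandatory` to `app_data` and `backup_prod_dir`, as is already done for `backup_app_service_conf_time`, stops the template from rendering an empty operand that rsync only rejects once the job has started. The `error "app"` message would be more useful as `error "{{ app_instance_id }} data"`, so a failed backup is attributable in the log.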
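Review bot: The `_web_app` hunk evaluates `app_backup_data == "yes"` for every application built on that role, but nothing in this series gives `app_backup_data` a default in `_web_app`, so any instance that does not define the variable fails with an undefined-variable error at the `import_role` (a `when` on `import_role` is copied onto each imported task and evaluated there). Either add `app_backup_data: "no"` to the role defaults or write the condition as `when: app_backup_data | default('no') == "yes"` here and in the matching nextcloud hunk. Because the condition is already propagated to every task of `_app_backup_data`, the duplicate `when` inside that role's install.yml is redundant but harmless.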
@@ -101,6 +101,11 @@ - import_role: name: _app_backup + - name: "Backup data" + import_role: + name: _app_backup_data + when: app_backup_data == "yes" + - import_role: name: _app_logrotate -- GitLab From 7841b17c75a07c6c9d3ae51b53f438c946477854 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 19 Nov 2021 19:10:11 +0100 Subject: [PATCH 03/21] [wip] garradin instance --- .idea/.gitignore | 8 + .idea/ansible-paquerette.iml | 9 + .idea/misc.xml | 6 + .idea/modules.xml | 8 + .idea/runConfigurations.xml | 10 + .idea/vcs.xml | 6 + roles/garradin_instance/.gitignore | 1 + roles/garradin_instance/README.md | 1 + roles/garradin_instance/defaults/main.yml | 25 + roles/garradin_instance/tasks/configure.yml | 24 + roles/garradin_instance/tasks/main.yml | 6 + .../template/config.local.php.j2 | 433 ++++++++++++++++++ .../template/garradin_rights.j2 | 9 + roles/garradin_instance/template/nginx_app.j2 | 144 ++++++ roles/garradin_instance/vars/main.yml | 7 + 15 files changed, 697 insertions(+) create mode 100644 .idea/.gitignore create mode 100644 .idea/ansible-paquerette.iml create mode 100644 .idea/misc.xml create mode 100644 .idea/modules.xml create mode 100644 .idea/runConfigurations.xml create mode 100644 .idea/vcs.xml create mode 100644 roles/garradin_instance/.gitignore create mode 100644 roles/garradin_instance/README.md create mode 100644 roles/garradin_instance/defaults/main.yml create mode 100644 roles/garradin_instance/tasks/configure.yml create mode 100644 roles/garradin_instance/tasks/main.yml create mode 100644 roles/garradin_instance/template/config.local.php.j2 create mode 100644 roles/garradin_instance/template/garradin_rights.j2 create mode 100644 roles/garradin_instance/template/nginx_app.j2 create mode 100644 roles/garradin_instance/vars/main.yml diff --git a/.idea/.gitignore b/.idea/.gitignore new file mode 100644 index 00000000..8b2d7151 --- /dev/null +++ b/.idea/.gitignore 
@@ -0,0 +1,8 @@ +# Default ignored files +/shelf/ +/workspace.xml +# Datasource local storage ignored files +/../../../../../../../../:\Users\ina\Documents\Dev\Pâquerette\ansible-paquerette\.idea/dataSources/ +/dataSources.local.xml +# Editor-based HTTP Client requests +/httpRequests/ diff --git a/.idea/ansible-paquerette.iml b/.idea/ansible-paquerette.iml new file mode 100644 index 00000000..d6ebd480 --- /dev/null +++ b/.idea/ansible-paquerette.iml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file diff --git a/.idea/misc.xml b/.idea/misc.xml new file mode 100644 index 00000000..639900d1 --- /dev/null +++ b/.idea/misc.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/.idea/modules.xml b/.idea/modules.xml new file mode 100644 index 00000000..6a8ae173 --- /dev/null +++ b/.idea/modules.xml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/.idea/runConfigurations.xml b/.idea/runConfigurations.xml new file mode 100644 index 00000000..797acea5 --- /dev/null +++ b/.idea/runConfigurations.xml @@ -0,0 +1,10 @@ + + + + + + \ No newline at end of file diff --git a/.idea/vcs.xml b/.idea/vcs.xml new file mode 100644 index 00000000..35eb1ddf --- /dev/null +++ b/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/roles/garradin_instance/.gitignore b/roles/garradin_instance/.gitignore new file mode 100644 index 00000000..85e7c1df --- /dev/null +++ b/roles/garradin_instance/.gitignore @@ -0,0 +1 @@ +/.idea/ diff --git a/roles/garradin_instance/README.md b/roles/garradin_instance/README.md new file mode 100644 index 00000000..3e7e62fb --- /dev/null +++ b/roles/garradin_instance/README.md @@ -0,0 +1 @@ +# Instance Garradin \ No newline at end of file diff --git a/roles/garradin_instance/defaults/main.yml b/roles/garradin_instance/defaults/main.yml new file mode 100644 index 00000000..94a74b24 --- /dev/null +++ b/roles/garradin_instance/defaults/main.yml 
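Review bot: The `.idea/` directory added in this commit is IDE-local state and should not be committed; the `.idea/.gitignore` hunk even embeds a developer's local Windows path (`C:\Users\ina\...\ansible-paquerette`), a small information leak that is meaningless on any other checkout. The same commit adds `roles/garradin_instance/.gitignore` containing `/.idea/`, which only ignores an `.idea` directory inside that role — move the rule to the repository-root `.gitignore` and drop the six `.idea/*` files from the patch. The run-configuration and datasource files are the ones most likely to pick up local credentials later, so keeping them out of the repository now avoids a rewrite of history later.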
@@ -0,0 +1,25 @@ +--- +packages_list: [ "php{{ php_version }}-sqlite3", "chromium" ] +app_version: 1.1.14 + +app_user_chrooted: "yes" +app_group: "{{ app_user }}" + +php_composer: "no" +python3: "no" +app_wsgi: "no" + +php_version: "8.0" + +app_src: "https://fossil.kd2.org/garradin/uv/garradin-{{ app_version }}.tar.bz2" + +# +# smtp default parameters +# + +smtp_security: STARTTLS +smtp_host: false +smtp_user: null +smtp_pass: null +smtp_port: 587 + diff --git a/roles/garradin_instance/tasks/configure.yml b/roles/garradin_instance/tasks/configure.yml new file mode 100644 index 00000000..f8ef8460 --- /dev/null +++ b/roles/garradin_instance/tasks/configure.yml @@ -0,0 +1,24 @@ +--- + +- name: "dir {{ app_data }}" + file: + path: "{{ app_data }}" + state: directory + mode: 0700 + group: "{{ app_user }}" + owner: "{{ app_user }}" + +- name: "Configuring Garradin" + template: + src: "config.local.php.j2" + dest: "{{ app_instance_root }}/config.local.php" + backup: yes + tags: + - configure + +- name: "cron mode for background jobs" + cron: + name: "{{ app_instance_root }}/scripts/cron.php >/dev/null 2>&1" + user: "{{ app_user }}" + day: "*/1" + job: "php -f {{ app_instance_root }}/cron.php >/dev/null 2>&1" diff --git a/roles/garradin_instance/tasks/main.yml b/roles/garradin_instance/tasks/main.yml new file mode 100644 index 00000000..96e7dc7e --- /dev/null +++ b/roles/garradin_instance/tasks/main.yml @@ -0,0 +1,6 @@ +--- + +- import_role: + name: _web_app + +- import_tasks: configure.yml diff --git a/roles/garradin_instance/template/config.local.php.j2 b/roles/garradin_instance/template/config.local.php.j2 new file mode 100644 index 00000000..bebd73cf --- /dev/null +++ b/roles/garradin_instance/template/config.local.php.j2 
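Review bot: The "Configuring Garradin" task in the configure.yml hunk writes `config.local.php` — which the template populates with `SECRET_KEY` and, judging by the `smtp_user`/`smtp_pass` defaults, the SMTP credentials — without `owner`, `group` or `mode`, so the file is created with the remote umask (typically world-readable), and `backup: yes` keeps timestamped copies of every previous version, old secrets included, in the same directory. Set `owner: "{{ app_user }}"`, `group: "{{ app_user }}"` and `mode: "0640"` on the task and drop `backup: yes` (or prune the `config.local.php.*~` copies), since Ansible already reports the change. In the cron task the `name` refers to `scripts/cron.php` while `job` runs `{{ app_instance_root }}/cron.php`, so one of the two paths is wrong, and `day: "*/1"` with `minute`/`hour` left at their `*` defaults schedules the job every minute — if a daily run is intended, set `minute` and `hour` explicitly.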
@@ -0,0 +1,433 @@ + Avancé (accessible uniquement si ENABLE_TECH_DETAILS est à true) + * + * Défaut : null + */ + +//const FILE_STORAGE_CONFIG = null; + +/** + * Forcer le quota disponible pour les fichiers + * + * Si cette constante est renseignée (en octets) alors il ne sera + * pas possible de stocker plus que cette valeur. + * Tout envoi de fichier sera refusé. + * + * Défaut : null (dans ce cas c'est le stockage qui détermine la taille disponible, donc généralement l'espace dispo sur le disque dur !) + */ + +//const FILE_STORAGE_QUOTA = 10000; // Forcer le quota alloué à 10 Mo, quel que soit le backend de stockage diff --git a/roles/garradin_instance/template/garradin_rights.j2 b/roles/garradin_instance/template/garradin_rights.j2 new file mode 100644 index 00000000..3728eaf7 --- /dev/null +++ b/roles/garradin_instance/template/garradin_rights.j2 @@ -0,0 +1,9 @@ + +cd {{ app_instance_root }} + +chmod -R o-rwx '{{ app_instance_root }}' +find '{{ app_instance_root }}' -type d -exec chmod 550 {} + +find '{{ app_instance_root }}' -type f -exec chmod 440 {} + +find '{{ app_instance_root }}/data' -type d -exec chmod 770 {} + +find '{{ app_instance_root }}/data' -type f -exec chmod 660 {} + +chmod 660 '{{ app_instance_root }}/config.local.php' \ No newline at end of file diff --git a/roles/garradin_instance/template/nginx_app.j2 b/roles/garradin_instance/template/nginx_app.j2 new file mode 100644 index 00000000..486fca67 --- /dev/null +++ b/roles/garradin_instance/template/nginx_app.j2 
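Review bot: `chmod 660 config.local.php` at the end of garradin_rights.j2 leaves the file that defines `SECRET_KEY` (and, in a later patch of this series, the shell-executed `PDF_COMMAND`) writable by the application's group; if the PHP-FPM pool runs as `app_user`, as the socket name in nginx_app.j2 suggests, a compromised web process can rewrite its own configuration and turn that into persistent command execution. The config should be readable only by the runtime user — `440`, matching the other files — and if Garradin needs to write a generated secret into it, pre-populate `SECRET_KEY` from Ansible instead. The script never asserts ownership, and the 550/440 modes only make sense if the tree is owned by the user PHP-FPM runs as, so add `chown -R '{{ app_user }}:{{ app_user }}' '{{ app_instance_root }}'` before the `find` lines. A `set -euo pipefail` at the top would stop the script from reporting success after a failed `cd` or `chmod`.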
@@ -0,0 +1,144 @@ +upstream php-handler{{ app_instance_id }} { + server unix:/var/run/php/php{{ php_version }}-fpm-{{ app_user }}.sock; +} + + +map $http_user_agent $log_ua { + ~Monit 0; + default 1; +} + +server { + listen 80; + listen [::]:80; + server_name {{ app_domain | mandatory }}; + # enforce https + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {{ app_domain }}; + + ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag all; # https://developers.google.com/search/docs/advanced/robots/robots_meta_tag + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Strict-Transport-Security "max-age=15768000"; + + # Path to the root of your installation + root {{ app_instance_www_root }}; + + access_log {{ www_log }}/{{ app_instance_id }}/access.log combined if=$log_ua; + error_log {{ www_log }}/{{ app_instance_id }}/error.log; + + include {{ app_instance_www_root }}/nginx/*.conf; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). 
+ # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) + location ~ /\. { + deny all; + } + + # Deny access to any files with a .php extension in the uploads directory + # Works in sub-directory installs and also in multisite network + # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) + location ~* /(?:uploads|files)/.*\.php$ { + deny all; + } + + # set max upload size + client_max_body_size 512M; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + + index index.php; + + location / { + # This is cool because no php is touched for static content. 
+ # include the "?$args" part so non-default permalinks doesn't break when using query string + index index.php /_route.php; + try_files $uri $uri/ /_route.php?$query_string; + + # Increase size limit + client_max_body_size 2M; + } + + location ~ \.php$ { + #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini + #include fastcgi.conf; + #fastcgi_intercept_errors on; + #fastcgi_pass php; + fastcgi_split_path_info ^(.+\.php)(/.*)$; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + #Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass php-handler{{ app_instance_id }}; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + # Adding the cache control header for js and css files + # Make sure it is BELOW the PHP block + location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff|svg)$ { + try_files $uri /index.php$uri$is_args$args; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + # add_header Strict-Transport-Security "max-age=15768000; + # includeSubDomains; preload;"; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + # add_header X-Robots-Tag all; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + # Optional: Don't log access to assets + access_log off; + } +} 
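Review bot: The `location ~ \.php$` block hands `$document_root$fastcgi_script_name` to PHP-FPM without checking that the script exists, and relies on the `#NOTE: You should have cgi.fix_pathinfo = 0` comment that nothing in the role enforces; with `fix_pathinfo=1` a request such as `/images/avatar.jpg/x.php` can get the uploaded file executed as PHP, and the `(uploads|files)` deny only covers two directory names. Add `try_files $fastcgi_script_name =404;` before `fastcgi_pass`, or restrict execution to `index.php` and `_route.php` by exact `location` match, since every request is routed through `_route.php` anyway. `client_max_body_size 512M` at server level contradicts the `2M` inside `location /`, and because the `.php` location sets nothing, the 512M limit is what applies to POSTs reaching PHP — presumably the opposite of what was intended. `X-XSS-Protection "1; mode=block"` is deprecated and has enabled attacks in some browsers; dropping it is the current recommendation.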
diff --git a/roles/garradin_instance/vars/main.yml b/roles/garradin_instance/vars/main.yml new file mode 100644 index 00000000..3c8afafe --- /dev/null +++ b/roles/garradin_instance/vars/main.yml @@ -0,0 +1,7 @@ +--- +app_program: "Garradin" + +app_src_root_name: "garradin" +app_version: "latest" +app_old_version: "automatic" +database_type: "mysql" -- GitLab From 6e28cdfbd42fcf13e80863ba34c1a2d86233a2dd Mon Sep 17 00:00:00 2001 From: Admin paquerette Date: Mon, 22 Nov 2021 16:14:26 +0100 Subject: [PATCH 04/21] [fix] garradin role --- roles/garradin_instance/tasks/configure.yml | 30 ++++++++------- roles/garradin_instance/tasks/main.yml | 16 ++++++++ .../config.local.php.j2 | 37 ++++++++++++++++++- .../garradin_rights.j2 | 0 .../{template => templates}/nginx_app.j2 | 14 +++---- roles/garradin_instance/vars/main.yml | 9 +++-- 6 files changed, 80 insertions(+), 26 deletions(-) rename roles/garradin_instance/{template => templates}/config.local.php.j2 (90%) rename roles/garradin_instance/{template => templates}/garradin_rights.j2 (100%) rename roles/garradin_instance/{template => templates}/nginx_app.j2 (95%) diff --git a/roles/garradin_instance/tasks/configure.yml b/roles/garradin_instance/tasks/configure.yml index f8ef8460..3e6979da 100644 --- a/roles/garradin_instance/tasks/configure.yml +++ b/roles/garradin_instance/tasks/configure.yml 
@@ -1,20 +1,24 @@ --- -- name: "dir {{ app_data }}" - file: - path: "{{ app_data }}" - state: directory - mode: 0700 - group: "{{ app_user }}" - owner: "{{ app_user }}" +- name: "Configuring Garradin" + template: + src: "config.local.php.j2" + dest: "{{ app_instance_root }}/config.local.php" + backup: yes + tags: + - configure - name: "Configuring Garradin" - template: - src: "config.local.php.j2" - dest: "{{ app_instance_root }}/config.local.php" - backup: yes - tags: - - configure + template: + src: "garradin_rights.j2" + dest: "{{ app_instance_root }}/rights.sh" + mode: 0700 + backup: no + tags: + - configure + +- name: "Apply rights to garradin app folder" + command: "bash {{ app_instance_root }}/rights.sh" - name: "cron mode for background jobs" cron: diff --git a/roles/garradin_instance/tasks/main.yml b/roles/garradin_instance/tasks/main.yml index 96e7dc7e..895b7ff5 100644 --- a/roles/garradin_instance/tasks/main.yml +++ b/roles/garradin_instance/tasks/main.yml @@ -3,4 +3,20 @@ - import_role: name: _web_app +- name: "template {{ rev_proxy }}_app.j2 {{ app_instance_id }}" + template: + src: "{{ rev_proxy }}_app.j2" + dest: "/etc/{{ rev_proxy }}/sites-available/{{ app_instance_id }}.conf" + when: app_wsgi == "no" + notify: reload {{ rev_proxy }} web_app + tags: + - rev_proxy + +- name: reload nginx web_app + service: name=nginx state=reloaded + - import_tasks: configure.yml + +- name: reload php-fpm web_app + service: name=php{{ php_version }}-fpm state=reloaded + diff --git a/roles/garradin_instance/template/config.local.php.j2 b/roles/garradin_instance/templates/config.local.php.j2 similarity index 90% rename from roles/garradin_instance/template/config.local.php.j2 rename to roles/garradin_instance/templates/config.local.php.j2 index bebd73cf..68ce8597 100644 --- a/roles/garradin_instance/template/config.local.php.j2 +++ b/roles/garradin_instance/templates/config.local.php.j2 
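Review bot: `command: "bash {{ app_instance_root }}/rights.sh"` is executed on every run, always reports `changed`, and leaves a `0700` script with hard-coded paths inside the application tree afterwards; since it is only a `chmod` recipe generated from role variables, the `file` module (`recurse: true`, `mode`) or the `script` module — which copies, runs and removes the script — would be idempotent and leave nothing behind. At minimum add `changed_when: false` to the command task and a follow-up `file:` task with `state: absent` for rights.sh. Both template tasks in this hunk are named "Configuring Garradin", which makes `--start-at-task` and log reading ambiguous (the next patch in the series renames one, so no action here). In the main.yml hunk the vhost is written to `sites-available` only; whether `_web_app` links it into `sites-enabled` is not visible here — worth confirming.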
@@ -26,7 +26,7 @@ namespace Garradin; * une valeur aléatoire dans le fichier config.local.php. */ -const SECRET_KEY = '{{ secret_key }}'; +//const SECRET_KEY = '{{ secret_key }}'; /** * Se connecter automatiquement avec l'ID de membre indiqué @@ -153,7 +153,7 @@ const WWW_URI = '/'; * Défaut : découverte à partir de HTTP_HOST ou SERVER_NAME + WWW_URI */ -const WWW_URL = 'https://{{ url_site }}' . WWW_URI; +const WWW_URL = 'https://{{ app_domain }}' . WWW_URI; /** * Adresse URL HTTP(S) de l'admin Garradin @@ -431,3 +431,36 @@ const SMTP_SECURITY = '{{ smtp_security | default() }}'; */ //const FILE_STORAGE_QUOTA = 10000; // Forcer le quota alloué à 10 Mo, quel que soit le backend de stockage + +/** + * Commande de création de PDF + * + * Commande qui sera exécutée pour créer un fichier PDF à partir d'un HTML. + * Si laissé non spécifié (ou NULL), Garradin essaiera de détecter une solution entre + * PrinceXML, Chromium, wkhtmltopdf ou weasyprint. + * + * %1$s sera remplacé par le chemin du fichier HTML, et %2$s par le chemin du fichier PDF. + * + * Exemple : chromium --headless --print-to-pdf=%2$s %1$s + * + * Défaut : null + */ +const PDF_COMMAND = 'chromium --headless --print-to-pdf=%2$s %1$s'; + +/** + * Clé de licence + * + * Cette clé permet de débloquer certaines fonctionnalités dans des extensions officielles. + * + * Pour l'obtenir il faut se créer un compte sur Garradin.eu + * et faire une contribution financière. + * La clé apparaîtra ensuite en dessous des informations + * de l'association dans la page "Mon abonnement Garradin.eu". + * + * Il faut recopier cette clé dans le fichier config.local.php + * dans la constante CONTRIBUTOR_LICENSE. + * + * Merci de ne pas essayer de contourner cette licence et de contribuer au + * financement de notre travail :-) + */ +//const CONTRIBUTOR_LICENSE = 'XXXXX'; 
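Review bot: Commenting out `const SECRET_KEY = '{{ secret_key }}'` delegates key generation to the application, which — per the context line just above it — writes a random value into `config.local.php` itself; that is the only reason the file has to stay writable by the PHP user, and a writable config that also defines a shell `PDF_COMMAND` is a persistence primitive for anyone who compromises the web process. Keep the constant managed by Ansible, `const SECRET_KEY = '{{ secret_key | mandatory }}';` from a vaulted variable, so the file can be read-only. `PDF_COMMAND` launches headless Chromium on HTML that members can influence, and Chromium will load `file://` and internal `http://` resources referenced from that HTML into the PDF, so if the feature is needed it should run as a user with no read access to the config and data directories, or behind a wrapper that restricts network and filesystem access. Whether Chromium even starts inside the chroot implied by `app_user_chrooted: "yes"` is not shown here and is worth testing before relying on PDF export.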
diff --git a/roles/garradin_instance/template/garradin_rights.j2 b/roles/garradin_instance/templates/garradin_rights.j2 similarity index 100% rename from roles/garradin_instance/template/garradin_rights.j2 rename to roles/garradin_instance/templates/garradin_rights.j2 diff --git a/roles/garradin_instance/template/nginx_app.j2 b/roles/garradin_instance/templates/nginx_app.j2 similarity index 95% rename from roles/garradin_instance/template/nginx_app.j2 rename to roles/garradin_instance/templates/nginx_app.j2 index 486fca67..a2a59c89 100644 --- a/roles/garradin_instance/template/nginx_app.j2 +++ b/roles/garradin_instance/templates/nginx_app.j2 @@ -43,7 +43,7 @@ server { add_header Strict-Transport-Security "max-age=15768000"; # Path to the root of your installation - root {{ app_instance_www_root }}; + root {{ app_instance_www_root }}/www; access_log {{ www_log }}/{{ app_instance_id }}/access.log combined if=$log_ua; error_log {{ www_log }}/{{ app_instance_id }}/error.log; 
@@ -86,19 +86,19 @@ server { gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; - index index.php; - location / { - # This is cool because no php is touched for static content. - # include the "?$args" part so non-default permalinks doesn't break when using query string - index index.php /_route.php; try_files $uri $uri/ /_route.php?$query_string; - + index index.php /_route.php; + # Increase size limit client_max_body_size 2M; } location ~ \.php$ { + if (!-e $request_filename) { + rewrite ^/?(.*)$ /_route.php?/$1 last; + break; + } #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini #include fastcgi.conf; #fastcgi_intercept_errors on; diff --git a/roles/garradin_instance/vars/main.yml b/roles/garradin_instance/vars/main.yml index 3c8afafe..36191fa1 100644 --- a/roles/garradin_instance/vars/main.yml +++ b/roles/garradin_instance/vars/main.yml @@ -1,7 +1,8 @@ --- app_program: "Garradin" -app_src_root_name: "garradin" -app_version: "latest" -app_old_version: "automatic" -database_type: "mysql" +app_src_root_name: "garradin-{{ app_version }}" +database_type: "sqlite" +packages_list: [ "php{{ php_version }}-sqlite3", "chromium-browser", "php{{ php_version }}-fpm", "php{{ php_version }}-intl", "php{{ php_version }}-cli", "php{{ php_version }}-imagick" ] + +app_src: "https://fossil.kd2.org/garradin/uv/garradin-{{ app_version }}.tar.bz2" -- GitLab From 9e6a69ac06bb49b3e2c9a2caee8291adfa4bbc55 Mon Sep 17 00:00:00 2001 
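Review bot: Inside `location ~ \.php$` the new `if (!-e $request_filename) { rewrite ^/?(.*)$ /_route.php?/$1 last; break; }` has an unreachable `break` (`rewrite ... last` already stops processing), and nginx documents `if` inside `location` as safe only for `return` and `rewrite ... last`, so keep just the `rewrite` line or express the fallback as `try_files $fastcgi_script_name /_route.php$is_args$args;`. The rewrite does close the non-existent-script case the earlier version left open, which is an improvement; note that the original query string is appended after `?/$1` by nginx, so `_route.php` receives both forms of arguments and should be checked to cope with that.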
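Review bot: `app_src` now points at a version-pinned tarball over HTTPS but nothing in the role carries a checksum for it, so the download (performed by `_web_app`, not visible here) trusts the TLS connection alone and a replaced archive on the mirror would be deployed unnoticed. Record the release's SHA-256 next to `app_version`, e.g. `app_src_checksum: "sha256:<digest>"`, and pass it to the downloader's `checksum` parameter, which also makes the fetch idempotent across re-runs. `packages_list` names `chromium-browser` while defaults/main.yml in the previous patch used `chromium`; the package name differs between Debian and Ubuntu releases, so this will fail on one of them — a comment naming the target distribution would make the choice deliberate.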
From: Admin paquerette Date: Mon, 22 Nov 2021 18:51:16 +0100 Subject: [PATCH 05/21] [fix] correction in nginx --- roles/garradin_instance/tasks/configure.yml | 7 +- .../templates/garradin_rights.j2 | 2 +- .../garradin_instance/templates/nginx_app.j2 | 98 +++++-------------- 3 files changed, 29 insertions(+), 78 deletions(-) diff --git a/roles/garradin_instance/tasks/configure.yml b/roles/garradin_instance/tasks/configure.yml index 3e6979da..4972bb01 100644 --- a/roles/garradin_instance/tasks/configure.yml +++ b/roles/garradin_instance/tasks/configure.yml @@ -8,17 +8,19 @@ tags: - configure -- name: "Configuring Garradin" +- name: "Move rights script" template: src: "garradin_rights.j2" dest: "{{ app_instance_root }}/rights.sh" mode: 0700 backup: no tags: - - configure + - rights - name: "Apply rights to garradin app folder" command: "bash {{ app_instance_root }}/rights.sh" + tags: + - rights - name: "cron mode for background jobs" cron: @@ -26,3 +28,4 @@ user: "{{ app_user }}" day: "*/1" job: "php -f {{ app_instance_root }}/cron.php >/dev/null 2>&1" + diff --git a/roles/garradin_instance/templates/garradin_rights.j2 b/roles/garradin_instance/templates/garradin_rights.j2 index 3728eaf7..b74e8cf7 100644 --- a/roles/garradin_instance/templates/garradin_rights.j2 +++ b/roles/garradin_instance/templates/garradin_rights.j2 @@ -6,4 +6,4 @@ find '{{ app_instance_root }}' -type d -exec chmod 550 {} + find '{{ app_instance_root }}' -type f -exec chmod 440 {} + find '{{ app_instance_root }}/data' -type d -exec chmod 770 {} + find '{{ app_instance_root }}/data' -type f -exec chmod 660 {} + -chmod 660 '{{ app_instance_root }}/config.local.php' \ No newline at end of file +#chmod 660 '{{ app_instance_root }}/config.local.php' diff --git a/roles/garradin_instance/templates/nginx_app.j2 b/roles/garradin_instance/templates/nginx_app.j2 index a2a59c89..683848a8 100644 --- a/roles/garradin_instance/templates/nginx_app.j2 +++ b/roles/garradin_instance/templates/nginx_app.j2 
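Review bot: Splitting the tags so that the `config.local.php` template carries only `configure` and the rights script only `rights` means `ansible-playbook --tags configure` re-renders the secrets file with the default umask and never runs rights.sh to bring it back to `440`. Tag the two rights tasks with both `configure` and `rights`, or better set `owner`/`group`/`mode: "0440"` on the template task itself so it does not depend on the script running afterwards. Commenting out `chmod 660 config.local.php` in garradin_rights.j2 is the right direction; since the `find` above already sets every file to 440, the commented line can simply be deleted rather than kept as dead text.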
@@ -42,37 +42,11 @@ server { add_header X-Permitted-Cross-Domain-Policies none; add_header Strict-Transport-Security "max-age=15768000"; - # Path to the root of your installation - root {{ app_instance_www_root }}/www; - access_log {{ www_log }}/{{ app_instance_id }}/access.log combined if=$log_ua; error_log {{ www_log }}/{{ app_instance_id }}/error.log; include {{ app_instance_www_root }}/nginx/*.conf; - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - - location = /favicon.ico { - log_not_found off; - access_log off; - } - - # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). - # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) - location ~ /\. { - deny all; - } - - # Deny access to any files with a .php extension in the uploads directory - # Works in sub-directory installs and also in multisite network - # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) - location ~* /(?:uploads|files)/.*\.php$ { - deny all; - } # set max upload size client_max_body_size 512M; 
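Review bot: Dropping `location ~ /\. { deny all; }` and the `(uploads|files)/.*\.php$` deny means the rewritten vhost now serves dotfiles from `www/` (`.htaccess`, editor backups such as `.config.local.php.swp`, a `.git` directory if one is ever deployed) and no longer has a second line of defence against PHP execution under upload directories. Neither rule conflicted with the switch to `alias`; re-add at least the hidden-file block inside the new `location /`: `location ~ /\. { deny all; }`. Removing `root` also leaves `$document_root` empty for `include fastcgi_params`, which sends `DOCUMENT_ROOT` to PHP-FPM; if Garradin derives paths from it, `root {{ app_instance_www_root }}/www;` may need to come back alongside the alias.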
@@ -87,58 +61,32 @@ server { gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; location / { - try_files $uri $uri/ /_route.php?$query_string; + + # Path to source + alias {{ app_instance_www_root }}/www/; + + if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? permanent; + } + index index.php /_route.php; - + try_files $uri $uri/ //_route.php?$query_string; + + location ~ \.php$ { + if (!-e $request_filename) { + rewrite ^/?(.*)$ /_route.php?/$1 last; + break; + } + fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm-{{ app_user }}.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param REMOTE_USER $remote_user; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param SCRIPT_FILENAME $request_filename; + } + # Increase size limit client_max_body_size 2M; } - location ~ \.php$ { - if (!-e $request_filename) { - rewrite ^/?(.*)$ /_route.php?/$1 last; - break; - } - #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini - #include fastcgi.conf; - #fastcgi_intercept_errors on; - #fastcgi_pass php; - fastcgi_split_path_info ^(.+\.php)(/.*)$; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - #Avoid sending the security headers twice - fastcgi_param modHeadersAvailable true; - fastcgi_param front_controller_active true; - fastcgi_pass php-handler{{ app_instance_id }}; - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - } - - # Adding the cache control header for js and css files - 
# Make sure it is BELOW the PHP block - location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff|svg)$ { - try_files $uri /index.php$uri$is_args$args; - add_header Cache-Control "public, max-age=15778463"; - # Add headers to serve security related headers (It is intended to - # have those duplicated to the ones above) - # Before enabling Strict-Transport-Security headers please read into - # this topic first. - # add_header Strict-Transport-Security "max-age=15768000; - # includeSubDomains; preload;"; - # - # WARNING: Only add the preload option once you read about - # the consequences in https://hstspreload.org/. This option - # will add the domain to a hardcoded list that is shipped - # in all major browsers and getting removed from this list - # could take several months. - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - # add_header X-Robots-Tag all; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - # Optional: Don't log access to assets - access_log off; - } } -- GitLab From 79832c12568b63341b719bf18d170c99917fa11e Mon Sep 17 00:00:00 2001 From: frju365 Date: Tue, 23 Nov 2021 09:37:35 +0100 Subject: [PATCH 06/21] [fix] pb configuration et supression de l'app_group --- roles/garradin_instance/defaults/main.yml | 7 ++----- roles/garradin_instance/templates/config.local.php.j2 | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/roles/garradin_instance/defaults/main.yml b/roles/garradin_instance/defaults/main.yml index 94a74b24..8be7c7e8 100644 --- a/roles/garradin_instance/defaults/main.yml +++ b/roles/garradin_instance/defaults/main.yml 
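Review bot: `fastcgi_param PATH_INFO $fastcgi_path_info;` in the nested `.php` location is now always empty, because the `fastcgi_split_path_info ^(.+\.php)(/.*)$;` directive that populated it was removed with the old block; either restore that line or drop the parameter so the behaviour is explicit. `try_files $uri $uri/ //_route.php?$query_string;` carries a doubled slash, presumably a typo for `/_route.php?$query_string`, and the `if ($scheme = http)` redirect inside `location /` is dead code since the `:80` server already answers every request with a 301. `fastcgi_param REMOTE_USER $remote_user;` forwards a value that only `auth_basic` sets, which this vhost does not use — harmless, but misleading to the next reader.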
@@ -1,17 +1,14 @@ --- -packages_list: [ "php{{ php_version }}-sqlite3", "chromium" ] + app_version: 1.1.14 app_user_chrooted: "yes" -app_group: "{{ app_user }}" php_composer: "no" python3: "no" app_wsgi: "no" -php_version: "8.0" - -app_src: "https://fossil.kd2.org/garradin/uv/garradin-{{ app_version }}.tar.bz2" +php_version: "7.4" # # smtp default parameters diff --git a/roles/garradin_instance/templates/config.local.php.j2 b/roles/garradin_instance/templates/config.local.php.j2 index 68ce8597..d87f92bf 100644 --- a/roles/garradin_instance/templates/config.local.php.j2 +++ b/roles/garradin_instance/templates/config.local.php.j2 @@ -285,7 +285,7 @@ const USE_CRON = true; * Défaut : false */ -const SMTP_HOST = {{ smtp_host | default() }}; +const SMTP_HOST = '{{ smtp_host | default() }}'; /** * Port du serveur SMTP -- GitLab From 5537436447e32ccb1057aacfc391b3ec51e240ca Mon Sep 17 00:00:00 2001 From: frju365 Date: Tue, 23 Nov 2021 10:02:37 +0100 Subject: [PATCH 07/21] [feat] Ajout d'un handlers + simplification des tags --- roles/garradin_instance/handlers/main.yml | 10 ++++++++++ roles/garradin_instance/tasks/configure.yml | 8 +++++--- roles/garradin_instance/tasks/main.yml | 17 ++++++++++------- 3 files changed, 25 insertions(+), 10 deletions(-) create mode 100644 roles/garradin_instance/handlers/main.yml diff --git a/roles/garradin_instance/handlers/main.yml b/roles/garradin_instance/handlers/main.yml new file mode 100644 index 00000000..bb6dd5ad --- /dev/null +++ b/roles/garradin_instance/handlers/main.yml @@ -0,0 +1,10 @@ +--- + +- name: reload apache2 web_app + service: name=apache2 state=reloaded + +- name: reload nginx web_app + service: name=nginx state=reloaded + +- name: reload php-fpm web_app + service: name=php{{ php_version }}-fpm state=reloaded \ No newline at end of file diff --git a/roles/garradin_instance/tasks/configure.yml b/roles/garradin_instance/tasks/configure.yml index 4972bb01..33961dde 100644 --- a/roles/garradin_instance/tasks/configure.yml 
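Review bot: Single-quoting the value in `const SMTP_HOST = '{{ smtp_host | default() }}';` changes the type of the documented default: the README added in patch 10 documents `smtp_host: false`, and Jinja renders a Python boolean as `False`, so the generated file now contains `const SMTP_HOST = 'False';`, a non-empty string, where the previous unquoted form produced the PHP boolean `false`. If Garradin treats a falsy SMTP_HOST as "SMTP disabled" (to be confirmed against its documented defaults), this silently enables SMTP with a bogus host name. A guard such as `const SMTP_HOST = {% if smtp_host %}'{{ smtp_host }}'{% else %}false{% endif %};` keeps both cases correct. The same quote-without-escaping pattern is reused for `SECRET_KEY` (patch 09) and `DATA_ROOT` (patch 13) later in the series, and breaks the PHP if a value contains a `'`.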
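Review bot: The three handlers in the new `handlers/main.yml` use the free-form `key=value` style (`service: name=apache2 state=reloaded`) rather than block YAML, which is the form the role's task files already use; `service:` followed by `name: apache2` and `state: reloaded` on their own lines is the lint-clean equivalent and is easier to diff. The file also ends without a trailing newline (`\ No newline at end of file`).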
+++ b/roles/garradin_instance/tasks/configure.yml @@ -6,7 +6,7 @@ dest: "{{ app_instance_root }}/config.local.php" backup: yes tags: - - configure + - garradin_local_conf - name: "Move rights script" template: @@ -15,12 +15,12 @@ mode: 0700 backup: no tags: - - rights + - garradin_rights - name: "Apply rights to garradin app folder" command: "bash {{ app_instance_root }}/rights.sh" tags: - - rights + - garradin_rights - name: "cron mode for background jobs" cron: @@ -28,4 +28,6 @@ user: "{{ app_user }}" day: "*/1" job: "php -f {{ app_instance_root }}/cron.php >/dev/null 2>&1" + tags: + - garradin_cron diff --git a/roles/garradin_instance/tasks/main.yml b/roles/garradin_instance/tasks/main.yml index 895b7ff5..fe0458f2 100644 --- a/roles/garradin_instance/tasks/main.yml +++ b/roles/garradin_instance/tasks/main.yml @@ -10,13 +10,16 @@ when: app_wsgi == "no" notify: reload {{ rev_proxy }} web_app tags: - - rev_proxy + - garradin_rev_proxy -- name: reload nginx web_app - service: name=nginx state=reloaded +- name: Check if app folder exists + stat: + path: "{{ app_instance_root }}" + register: app_folder -- import_tasks: configure.yml - -- name: reload php-fpm web_app - service: name=php{{ php_version }}-fpm state=reloaded +- name: Configuring garradin if app folder exists + import_tasks: configure.yml + when: app_folder.stat.exists + tags: + - garradin_configure -- GitLab From e065abb7451a9f90215b638f3f5dd0321746932f Mon Sep 17 00:00:00 2001 From: frju365 Date: Tue, 23 Nov 2021 10:12:09 +0100 Subject: [PATCH 08/21] On force l'App group --- roles/garradin_instance/vars/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/garradin_instance/vars/main.yml b/roles/garradin_instance/vars/main.yml index 36191fa1..d80cf69d 100644 --- a/roles/garradin_instance/vars/main.yml +++ b/roles/garradin_instance/vars/main.yml 
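Review bot: The new `Check if app folder exists` task that registers `app_folder` carries no tag, while the `import_tasks: configure.yml` that consumes `app_folder.stat.exists` is tagged `garradin_configure`; a run limited with `--tags garradin_configure` skips the stat and then fails on an undefined `app_folder`. Give the stat task `tags: [garradin_configure]` (or `tags: always`) so the register and its consumer are always selected together. The same pairing is moved unchanged by the reordering hunk in patch 13, so the fix is needed there as well.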
@@ -5,4 +5,6 @@ app_src_root_name: "garradin-{{ app_version }}" database_type: "sqlite" packages_list: [ "php{{ php_version }}-sqlite3", "chromium-browser", "php{{ php_version }}-fpm", "php{{ php_version }}-intl", "php{{ php_version }}-cli", "php{{ php_version }}-imagick" ] +app_group: www-data + app_src: "https://fossil.kd2.org/garradin/uv/garradin-{{ app_version }}.tar.bz2" -- GitLab From a821e36844494a7a01474cac14eee92185354638 Mon Sep 17 00:00:00 2001 From: frju365 Date: Tue, 23 Nov 2021 10:21:53 +0100 Subject: [PATCH 09/21] [fix] decommenter secret_key --- roles/garradin_instance/templates/config.local.php.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/garradin_instance/templates/config.local.php.j2 b/roles/garradin_instance/templates/config.local.php.j2 index d87f92bf..a27ad103 100644 --- a/roles/garradin_instance/templates/config.local.php.j2 +++ b/roles/garradin_instance/templates/config.local.php.j2 @@ -26,7 +26,7 @@ namespace Garradin; * une valeur aléatoire dans le fichier config.local.php. */ -//const SECRET_KEY = '{{ secret_key }}'; +const SECRET_KEY = '{{ secret_key }}'; /** * Se connecter automatiquement avec l'ID de membre indiqué -- GitLab From 23cebf84b842e0ac7f30d4a03171c24c0f128320 Mon Sep 17 00:00:00 2001 From: frju365 Date: Tue, 23 Nov 2021 13:19:56 +0100 Subject: [PATCH 10/21] [fix] Groupe garradin --- roles/garradin_instance/README.md | 27 ++++++++++++++++++++++- roles/garradin_instance/defaults/main.yml | 3 --- roles/garradin_instance/tasks/upgrade.yml | 0 roles/garradin_instance/vars/main.yml | 4 ++-- 4 files changed, 28 insertions(+), 6 deletions(-) create mode 100644 roles/garradin_instance/tasks/upgrade.yml diff --git a/roles/garradin_instance/README.md b/roles/garradin_instance/README.md index 3e7e62fb..441927e4 100644 --- a/roles/garradin_instance/README.md +++ b/roles/garradin_instance/README.md 
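Review bot: Uncommenting `const SECRET_KEY = '{{ secret_key }}';` makes `secret_key` a required variable, but nothing in this series defines or documents it (the README added in patch 10 lists the SMTP, chroot and version variables only), and the comment directly above says it must be a random per-installation value. Document it in the README next to the other variables and state where it is expected to come from, e.g. `secret_key: "<per-instance random value; supply from inventory or vault, not from role defaults>"`, so that no shared default can ever be committed. Because the template single-quotes the value without escaping, a `'` in the secret breaks the generated PHP; generate it from a character set without quotes or apply `| replace("'", "\\'")` in the template.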
@@ -1 +1,26 @@ -# Instance Garradin \ No newline at end of file +# Instance Garradin + +## Résumé + +Rôle permettant d'installer garradin. https://garradin.eu + +## Variables + +### Configuration du mail +```` +smtp_security: STARTTLS +smtp_host: false +smtp_user: null +smtp_pass: null +smtp_port: 587 +```` + +### Chrootage de l'environnement utilisateur +```` +app_user_chrooted: "yes" +```` + +### Version de l'application +```` +app_version: 1.1.14 +```` \ No newline at end of file diff --git a/roles/garradin_instance/defaults/main.yml b/roles/garradin_instance/defaults/main.yml index 8be7c7e8..74bf1fa6 100644 --- a/roles/garradin_instance/defaults/main.yml +++ b/roles/garradin_instance/defaults/main.yml @@ -1,5 +1,4 @@ --- - app_version: 1.1.14 app_user_chrooted: "yes" @@ -8,8 +7,6 @@ php_composer: "no" python3: "no" app_wsgi: "no" -php_version: "7.4" - # # smtp default parameters # diff --git a/roles/garradin_instance/tasks/upgrade.yml b/roles/garradin_instance/tasks/upgrade.yml new file mode 100644 index 00000000..e69de29b diff --git a/roles/garradin_instance/vars/main.yml b/roles/garradin_instance/vars/main.yml index d80cf69d..c5367ba1 100644 --- a/roles/garradin_instance/vars/main.yml +++ b/roles/garradin_instance/vars/main.yml @@ -5,6 +5,6 @@ app_src_root_name: "garradin-{{ app_version }}" database_type: "sqlite" packages_list: [ "php{{ php_version }}-sqlite3", "chromium-browser", "php{{ php_version }}-fpm", "php{{ php_version }}-intl", "php{{ php_version }}-cli", "php{{ php_version }}-imagick" ] -app_group: www-data - app_src: "https://fossil.kd2.org/garradin/uv/garradin-{{ app_version }}.tar.bz2" +php_version: "7.4" + -- GitLab From 760a322d87f8d73f9d0e8a7ccc4356eb220f5ef1 Mon Sep 17 00:00:00 2001 From: frju365 Date: Tue, 23 Nov 2021 17:44:11 +0100 Subject: [PATCH 11/21] [feat] Separate Data and app --- roles/garradin_instance/tasks/main.yml | 24 ++++++++++++++++++++++++ roles/garradin_instance/vars/main.yml | 2 ++ 2 files changed, 26 insertions(+) 
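Review bot: Moving `php_version: "7.4"` from `defaults/main.yml` into `vars/main.yml` changes its precedence: role `vars` override inventory and group_vars, so a host that needs a different PHP version can no longer override it without `-e`. If the intent is a deliberate per-role pin, a comment above the line such as `# pinned in vars on purpose: role vars override inventory` makes that explicit; otherwise the value belongs in `defaults/`. The extra blank line added at the end of the file is a whitespace artefact.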
diff --git a/roles/garradin_instance/tasks/main.yml b/roles/garradin_instance/tasks/main.yml index fe0458f2..66a9e38b 100644 --- a/roles/garradin_instance/tasks/main.yml +++ b/roles/garradin_instance/tasks/main.yml @@ -3,6 +3,30 @@ - import_role: name: _web_app +- name: Check if data folder exists + stat: + path: "{{ app_data }}" + register: data_folder + tags: "data_setup" + +- name: "dir {{ app_data }}" + file: + path: "{{ app_data }}" + state: directory + mode: 0700 + group: "www-data" + owner: "{{ app_user }}" + when: data_folder.stat.exists is false + tags: "data_setup" + +- name: "link data directory" + file: + state: link + src: "{{ app_data }}" + path: "{{ app_instance_root }}/data" + when: data_folder.stat.exists is false + tags: "data_setup" + - name: "template {{ rev_proxy }}_app.j2 {{ app_instance_id }}" template: src: "{{ rev_proxy }}_app.j2" diff --git a/roles/garradin_instance/vars/main.yml b/roles/garradin_instance/vars/main.yml index c5367ba1..43979735 100644 --- a/roles/garradin_instance/vars/main.yml +++ b/roles/garradin_instance/vars/main.yml @@ -8,3 +8,5 @@ packages_list: [ "php{{ php_version }}-sqlite3", "chromium-browser", "php{{ php_ app_src: "https://fossil.kd2.org/garradin/uv/garradin-{{ app_version }}.tar.bz2" php_version: "7.4" +app_data: "{{ app_instance_root }}/../{{ app_instance_id }}.data" + -- GitLab From c317be7defd272429900b34de594d13b22fd1b3c Mon Sep 17 00:00:00 2001 From: Admin paquerette Date: Wed, 24 Nov 2021 09:15:39 +0100 Subject: [PATCH 12/21] remove app_group --- roles/garradin_instance/vars/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/garradin_instance/vars/main.yml b/roles/garradin_instance/vars/main.yml index d80cf69d..36191fa1 100644 --- a/roles/garradin_instance/vars/main.yml +++ b/roles/garradin_instance/vars/main.yml 
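Review bot: The `dir {{ app_data }}` task sets `mode: 0700` together with `group: "www-data"`, which is contradictory: with 0700 the group bits are cleared, so the www-data group gains nothing, and if PHP-FPM runs as a pool user other than `app_user` it cannot reach the data directory at all. Decide which identity must write there and set the mode to match (`"0700"` if only the owner, `"0770"` if the group really needs it), and quote the mode (`mode: "0700"`) so the YAML loader does not turn the octal literal into an integer. `when: data_folder.stat.exists is false` relies on the Jinja `false` test, which only exists in recent Jinja2 releases; `when: not data_folder.stat.exists` works everywhere and reads the same.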
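Review bot: `app_data: "{{ app_instance_root }}/../{{ app_instance_id }}.data"` builds the data path with a `..` component, so the non-canonical form is what ends up as the symlink target and, in patch 13, inside the generated PHP config. `app_data: "{{ app_instance_root | dirname }}/{{ app_instance_id }}.data"` yields the same directory as a clean path. A one-line comment stating that the data directory deliberately lives beside, not inside, the instance root would also help the next reader.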
@@ -5,6 +5,4 @@ app_src_root_name: "garradin-{{ app_version }}" database_type: "sqlite" packages_list: [ "php{{ php_version }}-sqlite3", "chromium-browser", "php{{ php_version }}-fpm", "php{{ php_version }}-intl", "php{{ php_version }}-cli", "php{{ php_version }}-imagick" ] -app_group: www-data - app_src: "https://fossil.kd2.org/garradin/uv/garradin-{{ app_version }}.tar.bz2" -- GitLab From f679b83d2c7b16e864ab63d52c93d20917a91f29 Mon Sep 17 00:00:00 2001 From: Admin paquerette Date: Wed, 24 Nov 2021 11:19:06 +0100 Subject: [PATCH 13/21] add folder in conf, instead of linking is --- roles/garradin_instance/tasks/main.yml | 38 ++++++-------- roles/garradin_instance/tasks/main.yml.save | 50 +++++++++++++++++++ .../templates/config.local.php.j2 | 2 +- 3 files changed, 66 insertions(+), 24 deletions(-) create mode 100644 roles/garradin_instance/tasks/main.yml.save diff --git a/roles/garradin_instance/tasks/main.yml b/roles/garradin_instance/tasks/main.yml index 66a9e38b..6fdeae59 100644 --- a/roles/garradin_instance/tasks/main.yml +++ b/roles/garradin_instance/tasks/main.yml @@ -3,6 +3,20 @@ - import_role: name: _web_app +- name: "template {{ rev_proxy }}_app.j2 {{ app_instance_id }}" + template: + src: "{{ rev_proxy }}_app.j2" + dest: "/etc/{{ rev_proxy }}/sites-available/{{ app_instance_id }}.conf" + when: app_wsgi == "no" + notify: reload {{ rev_proxy }} web_app + tags: + - garradin_rev_proxy + +- name: Check if app folder exists + stat: + path: "{{ app_instance_root }}" + register: app_folder + - name: Check if data folder exists stat: path: "{{ app_data }}" 
@@ -16,31 +30,9 @@ mode: 0700 group: "www-data" owner: "{{ app_user }}" - when: data_folder.stat.exists is false + when: data_folder.stat.exists == false and app_folder.stat.exists tags: "data_setup" -- name: "link data directory" - file: - state: link - src: "{{ app_data }}" - path: "{{ app_instance_root }}/data" - when: data_folder.stat.exists is false - tags: "data_setup" - -- name: "template {{ rev_proxy }}_app.j2 {{ app_instance_id }}" - template: - src: "{{ rev_proxy }}_app.j2" - dest: "/etc/{{ rev_proxy }}/sites-available/{{ app_instance_id }}.conf" - when: app_wsgi == "no" - notify: reload {{ rev_proxy }} web_app - tags: - - garradin_rev_proxy - -- name: Check if app folder exists - stat: - path: "{{ app_instance_root }}" - register: app_folder - - name: Configuring garradin if app folder exists import_tasks: configure.yml when: app_folder.stat.exists diff --git a/roles/garradin_instance/tasks/main.yml.save b/roles/garradin_instance/tasks/main.yml.save new file mode 100644 index 00000000..3a6101ce --- /dev/null +++ b/roles/garradin_instance/tasks/main.yml.save 
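Review bot: `when: data_folder.stat.exists == false and app_folder.stat.exists` compares a boolean with `== false`; the idiomatic, lint-clean form is `when: not data_folder.stat.exists and app_folder.stat.exists`. With this condition the data directory is only created once `{{ app_instance_root }}` already exists; if that ordering is guaranteed by the `_web_app` import above (I cannot confirm that from the hunk), a comment saying so above the task would make the dependency explicit rather than leaving a silent skip on a first run.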
@@ -0,0 +1,50 @@ +--- + +- import_role: + name: _web_app + +- name: "template {{ rev_proxy }}_app.j2 {{ app_instance_id }}" + template: + src: "{{ rev_proxy }}_app.j2" + dest: "/etc/{{ rev_proxy }}/sites-available/{{ app_instance_id }}.conf" + when: app_wsgi == "no" + notify: reload {{ rev_proxy }} web_app + tags: + - garradin_rev_proxy + +- name: Check if app folder exists + stat: + path: "{{ app_instance_root }}" + register: app_folder + +- name: Check if data folder exists + stat: + path: "{{ app_data }}" + register: data_folder + tags: "data_setup" + +- name: "dir {{ app_data }}" + file: + path: "{{ app_data }}" + state: directory + mode: 0700 + group: "www-data" + owner: "{{ app_user }}" + when: data_folder.stat.exists == false + tags: "data_setup" + +- name: "link data directory" + file: + state: link + src: "{{ app_data }}" + path: "{{ app_instance_root }}/data" + when: data_folder.stat.exists == false and app_folder.stat.exists + tags: "data_setup" + + +- name: Configuring garradin if app folder exists + import_tasks: configure.yml + when: app_folder.stat.exists + tags: + - garradin_configure + diff --git a/roles/garradin_instance/templates/config.local.php.j2 b/roles/garradin_instance/templates/config.local.php.j2 index a27ad103..792d2568 100644 --- a/roles/garradin_instance/templates/config.local.php.j2 +++ b/roles/garradin_instance/templates/config.local.php.j2 @@ -87,7 +87,7 @@ const PREFER_HTTPS = true; * Défaut : sous-répertoire "data" de la racine */ -//const DATA_ROOT = ROOT . '/data'; +const DATA_ROOT = '{{ app_data | default() }}'; /** * Répertoire où est situé le cache, -- GitLab From c13466516c7df8dc1213054c36e6fcf571aa4d64 Mon Sep 17 00:00:00 2001 From: Julien Gomes Dias Date: Wed, 24 Nov 2021 10:20:52 +0000 Subject: [PATCH 14/21] Delete main.yml.save --- roles/garradin_instance/tasks/main.yml.save | 50 --------------------- 1 file changed, 50 deletions(-) delete mode 100644 roles/garradin_instance/tasks/main.yml.save 
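Review bot: `const DATA_ROOT = '{{ app_data | default() }}';` renders as `const DATA_ROOT = '';` when `app_data` is undefined, which is worse than the commented-out fallback `ROOT . '/data'` it replaces; since the role now always defines `app_data` in `vars/main.yml`, `{{ app_data | mandatory }}` makes an unset value fail the template instead of producing an empty data root. The value also embeds the `..` component from `app_data` verbatim into the PHP config, so the canonical path should be built on the Ansible side. The accompanying `tasks/main.yml.save` is an editor backup file and should not be committed (it is deleted again in patch 14).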
diff --git a/roles/garradin_instance/tasks/main.yml.save b/roles/garradin_instance/tasks/main.yml.save deleted file mode 100644 index 3a6101ce..00000000 --- a/roles/garradin_instance/tasks/main.yml.save +++ /dev/null @@ -1,50 +0,0 @@ ---- - -- import_role: - name: _web_app - -- name: "template {{ rev_proxy }}_app.j2 {{ app_instance_id }}" - template: - src: "{{ rev_proxy }}_app.j2" - dest: "/etc/{{ rev_proxy }}/sites-available/{{ app_instance_id }}.conf" - when: app_wsgi == "no" - notify: reload {{ rev_proxy }} web_app - tags: - - garradin_rev_proxy - -- name: Check if app folder exists - stat: - path: "{{ app_instance_root }}" - register: app_folder - -- name: Check if data folder exists - stat: - path: "{{ app_data }}" - register: data_folder - tags: "data_setup" - -- name: "dir {{ app_data }}" - file: - path: "{{ app_data }}" - state: directory - mode: 0700 - group: "www-data" - owner: "{{ app_user }}" - when: data_folder.stat.exists == false - tags: "data_setup" - -- name: "link data directory" - file: - state: link - src: "{{ app_data }}" - path: "{{ app_instance_root }}/data" - when: data_folder.stat.exists == false and app_folder.stat.exists - tags: "data_setup" - - -- name: Configuring garradin if app folder exists - import_tasks: configure.yml - when: app_folder.stat.exists - tags: - - garradin_configure - -- GitLab From 721310d701612868f1a37a82b78c3ee8554d0cf9 Mon Sep 17 00:00:00 2001 From: Julien Gomes Dias Date: Wed, 24 Nov 2021 10:29:45 +0000 Subject: [PATCH 15/21] Delete upgrade.yml --- roles/garradin_instance/tasks/upgrade.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 roles/garradin_instance/tasks/upgrade.yml diff --git a/roles/garradin_instance/tasks/upgrade.yml b/roles/garradin_instance/tasks/upgrade.yml deleted file mode 100644 index e69de29b..00000000 -- GitLab From 0379e3035fd62cad0cc76e73eb8134b2d75351d8 Mon Sep 17 00:00:00 2001 
From: Julien Gomes Dias Date: Wed, 24 Nov 2021 18:27:57 +0000 Subject: [PATCH 16/21] [fix] Supprimer idea --- .idea/.gitignore | 8 -------- .idea/ansible-paquerette.iml | 9 --------- .idea/misc.xml | 6 ------ .idea/modules.xml | 8 -------- .idea/runConfigurations.xml | 10 ---------- .idea/vcs.xml | 6 ------ 6 files changed, 47 deletions(-) delete mode 100644 .idea/.gitignore delete mode 100644 .idea/ansible-paquerette.iml delete mode 100644 .idea/misc.xml delete mode 100644 .idea/modules.xml delete mode 100644 .idea/runConfigurations.xml delete mode 100644 .idea/vcs.xml diff --git a/.idea/.gitignore b/.idea/.gitignore deleted file mode 100644 index 8b2d7151..00000000 --- a/.idea/.gitignore +++ /dev/null @@ -1,8 +0,0 @@ -# Default ignored files -/shelf/ -/workspace.xml -# Datasource local storage ignored files -/../../../../../../../../:\Users\ina\Documents\Dev\Pâquerette\ansible-paquerette\.idea/dataSources/ -/dataSources.local.xml -# Editor-based HTTP Client requests -/httpRequests/ diff --git a/.idea/ansible-paquerette.iml b/.idea/ansible-paquerette.iml deleted file mode 100644 index d6ebd480..00000000 --- a/.idea/ansible-paquerette.iml +++ /dev/null @@ -1,9 +0,0 @@ - - - - - - - - - \ No newline at end of file diff --git a/.idea/misc.xml b/.idea/misc.xml deleted file mode 100644 index 639900d1..00000000 --- a/.idea/misc.xml +++ /dev/null @@ -1,6 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/.idea/modules.xml b/.idea/modules.xml deleted file mode 100644 index 6a8ae173..00000000 --- a/.idea/modules.xml +++ /dev/null @@ -1,8 +0,0 @@ - - - - - - - - \ No newline at end of file diff --git a/.idea/runConfigurations.xml b/.idea/runConfigurations.xml deleted file mode 100644 index 797acea5..00000000 --- a/.idea/runConfigurations.xml +++ /dev/null @@ -1,10 +0,0 @@ - - - - - - \ No newline at end of file diff --git a/.idea/vcs.xml b/.idea/vcs.xml deleted file mode 100644 index 35eb1ddf..00000000 --- a/.idea/vcs.xml +++ /dev/null 
@@ -1,6 +0,0 @@ - - - - - - \ No newline at end of file -- GitLab From d8988bfaafaea0cb87ebd9943eff43cc0eff12e6 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 26 Nov 2021 15:31:29 +0100 Subject: [PATCH 17/21] [fix] Name in handler and remove rights --- .gitignore | 3 +++ roles/garradin_instance/handlers/main.yml | 7 ++----- roles/garradin_instance/tasks/configure.yml | 15 +-------------- .../templates/garradin_rights.j2 | 9 --------- 4 files changed, 6 insertions(+), 28 deletions(-) delete mode 100644 roles/garradin_instance/templates/garradin_rights.j2 diff --git a/.gitignore b/.gitignore index b3f910c5..eab982a8 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,6 @@ group_vars/* releases/* contract/* paquerette_utils.conf.yml + +# IDE +.idea \ No newline at end of file diff --git a/roles/garradin_instance/handlers/main.yml b/roles/garradin_instance/handlers/main.yml index bb6dd5ad..0bb9a7bd 100644 --- a/roles/garradin_instance/handlers/main.yml +++ b/roles/garradin_instance/handlers/main.yml @@ -1,10 +1,7 @@ --- -- name: reload apache2 web_app - service: name=apache2 state=reloaded - -- name: reload nginx web_app +- name: reload nginx web_app - Garradin service: name=nginx state=reloaded -- name: reload php-fpm web_app +- name: reload php-fpm web_app - Garradin service: name=php{{ php_version }}-fpm state=reloaded \ No newline at end of file diff --git a/roles/garradin_instance/tasks/configure.yml b/roles/garradin_instance/tasks/configure.yml index 33961dde..4c9c68a2 100644 --- a/roles/garradin_instance/tasks/configure.yml +++ b/roles/garradin_instance/tasks/configure.yml 
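Review bot: Renaming the handlers to `reload nginx web_app - Garradin` and `reload php-fpm web_app - Garradin` leaves them unreferenced: the only notify in this role, `notify: reload {{ rev_proxy }} web_app` in `tasks/main.yml`, still uses the old name. Either that notify is now satisfied by a same-named handler in `_web_app`, in which case these two handlers are dead code and can be dropped, or nothing reloads nginx after the vhost template changes. State the intent in a comment above the handlers and, if they are meant to be used, update the notify to `notify: reload {{ rev_proxy }} web_app - Garradin`.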
@@ -5,23 +5,10 @@ src: "config.local.php.j2" dest: "{{ app_instance_root }}/config.local.php" backup: yes + mode: 0660 tags: - garradin_local_conf -- name: "Move rights script" - template: - src: "garradin_rights.j2" - dest: "{{ app_instance_root }}/rights.sh" - mode: 0700 - backup: no - tags: - - garradin_rights - -- name: "Apply rights to garradin app folder" - command: "bash {{ app_instance_root }}/rights.sh" - tags: - - garradin_rights - - name: "cron mode for background jobs" cron: name: "{{ app_instance_root }}/scripts/cron.php >/dev/null 2>&1" diff --git a/roles/garradin_instance/templates/garradin_rights.j2 b/roles/garradin_instance/templates/garradin_rights.j2 deleted file mode 100644 index b74e8cf7..00000000 --- a/roles/garradin_instance/templates/garradin_rights.j2 +++ /dev/null @@ -1,9 +0,0 @@ - -cd {{ app_instance_root }} - -chmod -R o-rwx '{{ app_instance_root }}' -find '{{ app_instance_root }}' -type d -exec chmod 550 {} + -find '{{ app_instance_root }}' -type f -exec chmod 440 {} + -find '{{ app_instance_root }}/data' -type d -exec chmod 770 {} + -find '{{ app_instance_root }}/data' -type f -exec chmod 660 {} + -#chmod 660 '{{ app_instance_root }}/config.local.php' -- GitLab From 752963dddb0215566a8602b4f793165801eca763 Mon Sep 17 00:00:00 2001 From: frju365 Date: Fri, 26 Nov 2021 15:50:01 +0100 Subject: [PATCH 18/21] Prefer Restic --- roles/nextcloud_instance/tasks/install.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/nextcloud_instance/tasks/install.yml b/roles/nextcloud_instance/tasks/install.yml index 0a349906..7eff8f4c 100644 --- a/roles/nextcloud_instance/tasks/install.yml +++ b/roles/nextcloud_instance/tasks/install.yml @@ -101,11 +101,6 @@ - import_role: name: _app_backup - - name: "Backup data" - import_role: - name: _app_backup_data - when: app_backup_data == "yes" - - import_role: name: _app_logrotate -- GitLab From 5d4b46981b1adcb271d50f316cd34e00c9360433 Mon Sep 17 00:00:00 2001 
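Review bot: `mode: 0660` on `config.local.php` makes the file group-writable; it carries `SECRET_KEY` and the SMTP credentials, and once patch 21 sets its group to `{{ app_group }}` (which the role resolves to `www-data`), any process running in the web-server group can rewrite the application's configuration. Unless Garradin needs to write its own config, `mode: "0640"` is enough for the PHP process to read it, and quoting the mode avoids the YAML loader turning the octal literal into an integer. `backup: yes` on the same task also leaves a timestamped copy of this secret-bearing file beside it on every change; consider `backup: no` or a cleanup of the `config.local.php.*~` copies.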
From: Admin paquerette Date: Sun, 28 Nov 2021 19:25:25 +0100 Subject: [PATCH 19/21] Correction --- roles/_web_app/defaults/main.yml | 2 +- roles/_web_app/tasks/install.yml | 2 +- roles/garradin_instance/vars/main.yml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/_web_app/defaults/main.yml b/roles/_web_app/defaults/main.yml index 38e10e06..8c2afcf4 100644 --- a/roles/_web_app/defaults/main.yml +++ b/roles/_web_app/defaults/main.yml @@ -2,7 +2,7 @@ packages_list: [] app_user_chrooted: "yes" - app_group: "{{ app_user }}" + app_group: "www-data" app_git_repo: "" app_src: "" diff --git a/roles/_web_app/tasks/install.yml b/roles/_web_app/tasks/install.yml index 2b2dd068..f0284637 100644 --- a/roles/_web_app/tasks/install.yml +++ b/roles/_web_app/tasks/install.yml @@ -22,7 +22,7 @@ - import_tasks: deploy_program.yml - import_role: - name: _app_backup + name: _app_backup - name: "Backup data" import_role: diff --git a/roles/garradin_instance/vars/main.yml b/roles/garradin_instance/vars/main.yml index 43979735..d2997aa6 100644 --- a/roles/garradin_instance/vars/main.yml +++ b/roles/garradin_instance/vars/main.yml @@ -10,3 +10,4 @@ php_version: "7.4" app_data: "{{ app_instance_root }}/../{{ app_instance_id }}.data" +app_grou: www-data -- GitLab From 35e33a597ff3519c5b1c3f1b94a4446b48fbe6eb Mon Sep 17 00:00:00 2001 From: Julien Gomes Dias Date: Mon, 29 Nov 2021 09:13:20 +0000 Subject: [PATCH 20/21] [fix] app_group + add app_backup_data as "no" by default in _web_app and "yes" in garradin role --- roles/_app_backup_data/tasks/install.yml | 2 +- roles/_web_app/defaults/main.yml | 2 ++ roles/garradin_instance/defaults/main.yml | 2 ++ roles/garradin_instance/vars/main.yml | 2 +- 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/_app_backup_data/tasks/install.yml b/roles/_app_backup_data/tasks/install.yml index 3b6d288f..f1029ce0 100644 --- a/roles/_app_backup_data/tasks/install.yml +++ b/roles/_app_backup_data/tasks/install.yml 
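Review bot: `+app_grou: www-data` in `vars/main.yml` is a typo for `app_group`, so this commit does not set the group for the garradin role at all; the misspelt key is silently ignored and `app_group` keeps the `_web_app` default that this same patch changes to `"www-data"`. The key is corrected in patch 20. A lint step that rejects unknown role variables would have caught this before it was merged.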
@@ -7,4 +7,4 @@ mode: 0640 when: app_backup_data == "yes" - \ No newline at end of file + diff --git a/roles/_web_app/defaults/main.yml b/roles/_web_app/defaults/main.yml index 8c2afcf4..4f17c556 100644 --- a/roles/_web_app/defaults/main.yml +++ b/roles/_web_app/defaults/main.yml @@ -28,6 +28,8 @@ app_wsgi_entry_point: "{{ app_instance_root }}/{{ app_instance_id }}.wsgi" app_wsgi_script_reloading: "On" app_wsgi_pass_authorization: "On" + + app_backup_data: "no" diff --git a/roles/garradin_instance/defaults/main.yml b/roles/garradin_instance/defaults/main.yml index 74bf1fa6..0f47072d 100644 --- a/roles/garradin_instance/defaults/main.yml +++ b/roles/garradin_instance/defaults/main.yml @@ -17,3 +17,5 @@ smtp_user: null smtp_pass: null smtp_port: 587 + +app_backup_data: "yes" diff --git a/roles/garradin_instance/vars/main.yml b/roles/garradin_instance/vars/main.yml index d2997aa6..68704b7f 100644 --- a/roles/garradin_instance/vars/main.yml +++ b/roles/garradin_instance/vars/main.yml @@ -10,4 +10,4 @@ php_version: "7.4" app_data: "{{ app_instance_root }}/../{{ app_instance_id }}.data" -app_grou: www-data +app_group: www-data -- GitLab From e3f54f8c119815d090275f76b170f7ae763c23a1 Mon Sep 17 00:00:00 2001 From: Jean-Yves LEBLEU Date: Mon, 29 Nov 2021 12:23:35 +0100 Subject: [PATCH 21/21] Fix rights on deploy config file add owner and group for template --- roles/garradin_instance/tasks/configure.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/garradin_instance/tasks/configure.yml b/roles/garradin_instance/tasks/configure.yml index 4c9c68a2..509d6200 100644 --- a/roles/garradin_instance/tasks/configure.yml +++ b/roles/garradin_instance/tasks/configure.yml @@ -4,6 +4,8 @@ template: src: "config.local.php.j2" dest: "{{ app_instance_root }}/config.local.php" + owner: "{{ app_user }}" + group: "{{ app_group }}" backup: yes mode: 0660 tags: -- GitLab