rename nginx_owner to nginx_user and some work on wordpress

alphanodes · Jan 17, 2024 · 36b861f · 36b861f
1 parent 8a6a74f
commit 36b861f
Show file tree

Hide file tree

Showing 54 changed files with 711 additions and 40 deletions.
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
@@ -8,3 +8,6 @@ software_dir: /srv/software
 # software_dir_owner:
 # software_dir_group: "{{ software_dir_owner | omit }}"
 # software_dir_mode:
+
+nginx_user: www-data
+nginx_group: www-data
diff --git a/roles/drupal/README.md b/roles/drupal/README.md
@@ -11,6 +11,13 @@ Available variables can be found in [defaults/main.yml](defaults/main.yml)
 ```yaml
     - hosts: all
 
+    - vars:
+      drupal_major_version: 8
+      drupal_instances:
+        - name: drupal8
+          dir: /srv/drupal8
+          server_name: www.mydrupal8.com
+
       roles:
         - alphanodes.setup.drupal
 ```
diff --git a/roles/drupal/tasks/instance.yml b/roles/drupal/tasks/instance.yml
@@ -46,15 +46,15 @@
 - name: Set drupal permissions - {{ instance.name }}
   ansible.builtin.file:
     path: '{{ instance.dir }}{{ item }}'
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     recurse: true
   loop: '{{ instance.write_permissions | default([]) }}'
 
 - name: Make sure tmp directory exists and permissions are correct - {{ instance.name }}
   ansible.builtin.file:
     path: '{{ instance.dir }}{{ instance.tmp_dir }}'
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     state: directory
     recurse: true

diff --git a/roles/drupal/tasks/instance_drupal7.yml b/roles/drupal/tasks/instance_drupal7.yml
@@ -4,7 +4,7 @@
   ansible.builtin.copy:
     src: .htaccess
     dest: "{{ instance.dir }}{{ instance.vhost_dir | default(drupal_vhost_dir) }}/sites/all/translations/.htaccess"
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     mode: 0644
 
@@ -18,7 +18,7 @@
 - name: Set private files permissions - {{ instance.name }}
   ansible.builtin.file:
     path: '{{ instance.file_private_path }}'
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     recurse: true
   when: instance.file_private_path is defined
@@ -33,4 +33,3 @@
     mode: 0640
   when:
     - instance.write_settings_file is not defined or instance.write_settings_file
-    - drupal_instances | length
diff --git a/roles/drupal/tasks/instance_drupal8.yml b/roles/drupal/tasks/instance_drupal8.yml
@@ -14,14 +14,14 @@
 - name: Set private files permissions - {{ instance.name }}
   ansible.builtin.file:
     path: '{{ file_private_path }}'
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     recurse: true
 
 - name: Set configuration sync permissions - {{ instance.name }}
   ansible.builtin.file:
     path: '{{ config_sync_directory }}'
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     recurse: true
 
@@ -35,4 +35,3 @@
     mode: 0640
   when:
     - instance.write_settings_file is not defined or instance.write_settings_file
-    - drupal_instances | length
diff --git a/roles/drupal/tasks/instance_mysql.yml b/roles/drupal/tasks/instance_mysql.yml
@@ -14,5 +14,6 @@
     password: '{{ instance.db_password | default(drupal_db_password) }}'
     host: '{{ instance.db_host | default(drupal_db_host) }}'
     priv: '{{ instance.db_name | default(instance.name) | replace("-", "_") }}.*:ALL'
+    column_case_sensitive: true
     state: present
   when: instance.db_skip_user_setup is undefined or not instance.db_skip_user_setup
diff --git a/roles/drupal/templates/default.settings7.php.j2 b/roles/drupal/templates/default.settings7.php.j2
@@ -14,7 +14,7 @@ $databases = array (
       'database' => '{{ instance.db_name | default(instance.name) | replace('-', '_') }}',
       'username' => '{{ instance.db_user | default(instance.name) | replace('-', '_') }}',
       'password' => '{{ instance.db_password | default(drupal_db_password) }}',
-      'host' => '{{ instance.db_host | default(drupal_db_host)}}',
+      'host' => '{{ instance.db_host | default(drupal_db_host) }}',
       'port' => '{{ instance.db_port | default(drupal_db_port) }}',
       'driver' => '{{ instance.db_driver | default(drupal_db_driver) }}',
       'prefix' => '{{ instance.db_prefix | default(drupal_db_prefix) }}',

diff --git a/roles/drupal/templates/default.settings8.php.j2 b/roles/drupal/templates/default.settings8.php.j2
@@ -14,7 +14,7 @@
        'database' => '{{ instance.db_name | default(instance.name) | replace('-', '_') }}',
        'username' => '{{ instance.db_user | default(instance.name) | replace('-', '_') }}',
        'password' => '{{ instance.db_password | default(drupal_db_password) }}',
-       'host' => '{{ instance.db_host | default(drupal_db_host)}}',
+       'host' => '{{ instance.db_host | default(drupal_db_host) }}',
        'port' => '{{ instance.db_port | default(drupal_db_port) }}',
        'namespace' => 'Drupal\\Core\\Database\\Driver\\{{ instance.db_driver | default(drupal_db_driver) }}',
        'driver' => '{{ instance.db_driver | default(drupal_db_driver) }}',

diff --git a/roles/gitlab/meta/main.yml b/roles/gitlab/meta/main.yml
@@ -1,6 +1,7 @@
 ---
 dependencies:
   - role: alphanodes.setup.common
+    public: true
 
 galaxy_info:
   description: Setup gitlab

diff --git a/roles/gitlab/tasks/setup.yml b/roles/gitlab/tasks/setup.yml
@@ -98,17 +98,17 @@
     - gitlab_rvm_ruby_apt
 
 # @see https://gitlab.com/gitlab-org/gitlab-workhorse/-/issues/129
-- name: Add redis and www-data to gitlab group
+- name: Add redis and nginx to gitlab group
   ansible.builtin.user:
     name: '{{ gitlab_group }}'
     groups:
       - redis
-      - www-data
+      - '{{ nginx_group }}'
     append: true
 
-- name: Add git to www-data group
+- name: Add nginx user to gitlab group
   ansible.builtin.user:
-    name: www-data
+    name: '{{ nginx_user }}'
     groups:
       - '{{ gitlab_user }}'
     append: true

diff --git a/roles/goaccess/tasks/nginx.yml b/roles/goaccess/tasks/nginx.yml
@@ -12,7 +12,7 @@
     name: '{{ goaccess_user }}'
     password: '{{ goaccess_password }}'
     owner: root
-    group: "{{ nginx_group | default('www-data') }}"
+    group: "{{ nginx_group }}"
     mode: 0640
 
 - name: Provide goaccess nginx configuration

diff --git a/roles/goaccess/tasks/setup.yml b/roles/goaccess/tasks/setup.yml
@@ -12,7 +12,7 @@
     src: goaccess.conf.j2
     dest: /etc/goaccess/goaccess.conf
     owner: root
-    group: www-data
+    group: "{{ nginx_group }}"
     mode: 0640
 
 - name: Include nginx tasks

diff --git a/roles/matomo/defaults/main.yml b/roles/matomo/defaults/main.yml
@@ -9,8 +9,8 @@ matomo_dir: /srv/matomo
 # if matomo_vhost is no, subdirectory is used
 matomo_vhost: true
 
-matomo_user: "{{ nginx_owner | default('www-data') }}"
-matomo_group: "{{ nginx_group | default('www-data') }}"
+matomo_user: "{{ nginx_user | default(nginx_user) | default('www-data') }}"
+matomo_group: "{{ nginx_group | default(nginx_group) | default('www-data') }}"
 
 matomo_config_file: "{{ matomo_dir }}/config/config.ini.php"
 matomo_config_file_mode: "0660"

diff --git a/roles/matomo/tasks/mysql.yml b/roles/matomo/tasks/mysql.yml
@@ -15,6 +15,7 @@
     password: '{{ matomo_db_password }}'
     host: '{{ matomo_db_host }}'
     priv: '{{ matomo_db_name }}.*:ALL/*.*:FILE'
+    column_case_sensitive: true
     state: present
 
 - name: Allow mysql to write to {{ matomo_dir }}

diff --git a/roles/matomo/tasks/setup_plugin.yml b/roles/matomo/tasks/setup_plugin.yml
@@ -73,7 +73,7 @@
           ansible.builtin.unarchive:
             src: '{{ software_dir }}/{{ archive_filename }}'
             dest: '{{ matomo_plugin_path }}'
-            owner: '{{ nginx_owner }}'
+            owner: '{{ nginx_user }}'
             group: '{{ nginx_group }}'
             remote_src: true
 

diff --git a/roles/mysql/tasks/configure.yml b/roles/mysql/tasks/configure.yml
@@ -162,6 +162,7 @@
     password: "{{ mysql_server_debian_sys_maint_password }}"
     host: localhost
     priv: '*.*:ALL,GRANT'
+    column_case_sensitive: true
     state: present
   no_log: true
 

diff --git a/roles/mysql/tasks/replication.yml b/roles/mysql/tasks/replication.yml
@@ -5,6 +5,7 @@
     host: "{{ mysql_replication_user.host | default('%') }}"
     password: "{{ mysql_replication_user.password }}"
     priv: "{{ mysql_replication_user.priv | default('*.*:REPLICATION SLAVE,REPLICATION CLIENT') }}"
+    column_case_sensitive: true
     state: present
   when:
     - mysql_replication_role == 'master'

diff --git a/roles/mysql/tasks/secure-installation.yml b/roles/mysql/tasks/secure-installation.yml
@@ -5,6 +5,7 @@
     host: 'localhost'
     password: "{{ mysql_user_password }}"
     priv: '*.*:ALL,GRANT'
+    column_case_sensitive: true
     state: present
   when: mysql_user_name != mysql_root_username
 

diff --git a/roles/mysql/tasks/zabbix.yml b/roles/mysql/tasks/zabbix.yml
@@ -21,6 +21,7 @@
             # USAGE,REPLICATION CLIENT,PROCESS,SHOW DATABASES,SHOW VIEW
             priv: '*.*:SUPER,PROCESS,RELOAD,SELECT'
             update_password: always
+            column_case_sensitive: true
             state: present
           no_log: true
 

diff --git a/roles/nextcloud/tasks/mysql.yml b/roles/nextcloud/tasks/mysql.yml
@@ -15,4 +15,5 @@
     password: '{{ nextcloud_db_password }}'
     host: '{{ nextcloud_db_host }}'
     priv: '{{ nextcloud_db_name }}.*:ALL'
+    column_case_sensitive: true
     state: present
diff --git a/roles/nextcloud/tasks/setup.yml b/roles/nextcloud/tasks/setup.yml
@@ -76,7 +76,7 @@
     path: '{{ nextcloud_data }}'
     state: directory
     recurse: true
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
   when: nextcloud_with_data_permission
 
@@ -126,7 +126,7 @@
   ansible.builtin.unarchive:
     src: '{{ nextcloud_source_file_path }}'
     dest: '{{ nextcloud_dir }}'
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     remote_src: true
   # workaround for ansible 2.1.0.0 bug
@@ -153,14 +153,14 @@
 
     - name: _update step4_ Run nextcloud update
       become: true
-      become_user: '{{ nginx_owner }}'
+      become_user: '{{ nginx_user }}'
       ansible.builtin.command: php occ upgrade
       args:
         chdir: '{{ nextcloud_htdocs }}'
 
     - name: _update step5_ Enable plugins
       become: true
-      become_user: '{{ nginx_owner }}'
+      become_user: '{{ nginx_user }}'
       ansible.builtin.command: php occ app:install {{ item.name }}
       register: plugin_rc
       failed_when: plugin_rc.rc > 1
@@ -170,7 +170,7 @@
 
 - name: _update step6_ Disable maintenance mode
   become: true
-  become_user: '{{ nginx_owner }}'
+  become_user: '{{ nginx_user }}'
   ansible.builtin.command: php occ maintenance:mode --off
   args:
     chdir: '{{ nextcloud_htdocs }}'
@@ -183,7 +183,7 @@
     src: custom.config.php.j2
     dest: '{{ nextcloud_htdocs }}/config/custom.config.php'
     validate: 'php -l %s'
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     mode: 0640
   when: nextcloud_config_exists.stat.exists
@@ -193,7 +193,7 @@
     src: autoconfig.php.j2
     dest: '{{ nextcloud_htdocs }}/config/autoconfig.php'
     validate: 'php -l %s'
-    owner: '{{ nginx_owner }}'
+    owner: '{{ nginx_user }}'
     group: '{{ nginx_group }}'
     mode: 0660
   when:

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
@@ -9,7 +9,7 @@ nginx_worker_connections: 1024
 # leave empty, ansible_processor_nproc is used  with lxc containers)
 nginx_worker_processes: ''
 
-nginx_owner: www-data
+nginx_user: www-data
 nginx_group: www-data
 
 # use it, if e.g. www-data needs access to ssl certs

diff --git a/roles/nginx/tasks/microcache.yml b/roles/nginx/tasks/microcache.yml
@@ -6,7 +6,7 @@
   vars:
     timers:
       microcache_directory:
-        exec_start: /usr/bin/install -g {{ nginx_group }} -o {{ nginx_owner }} -d {{ nginx_fastcgi_microcache_base_dir }}/{{ nginx_fastcgi_microcache_zone }}
+        exec_start: /usr/bin/install -g {{ nginx_group }} -o {{ nginx_user }} -d {{ nginx_fastcgi_microcache_base_dir }}/{{ nginx_fastcgi_microcache_zone }}
         on_boot_sec: 5s
         before_service: nginx.service
 

diff --git a/roles/nginx/templates/nginx.j2 b/roles/nginx/templates/nginx.j2
@@ -1,7 +1,7 @@
 {{ ansible_managed | comment }}
 # nginx configuration
 
-user {{ nginx_owner }};
+user {{ nginx_user }};
 
 error_log {{ nginx_error_log }};
 pid /run/nginx.pid;

diff --git a/roles/nodejs/tasks/setup.yml b/roles/nodejs/tasks/setup.yml
@@ -62,6 +62,7 @@
 - name: Ensure Node.js and npm are installed.
   ansible.builtin.apt:
     name: nodejs
+    allow_downgrades: yes
     state: present
 
 - name: Set prefix for npm (root)

diff --git a/roles/php_fpm/defaults/main.yml b/roles/php_fpm/defaults/main.yml
@@ -22,12 +22,12 @@ php_max_file_uploads: 10
 php_max_input_time: 60
 php_max_input_vars: 1000
 php_memory_limit: 192M
-php_post_max_size: 72M
+php_post_max_size: 128M
 php_realpath_cache_size: 32K
 php_realpath_cache_ttl: 100
 php_serialize_precision: 17
 php_short_open_tag: "Off"
-php_upload_max_filesize: 64M
+php_upload_max_filesize: 128M
 
 php_session_save_handler: files
 php_session_save_path: "{{ __php_session_save_path | default('/var/lib/php/sessions') }}"

diff --git a/roles/php_fpm/meta/main.yml b/roles/php_fpm/meta/main.yml
@@ -1,5 +1,7 @@
 ---
 dependencies:
+  - role: alphanodes.setup.common
+    public: true
   - role: alphanodes.setup.php_cli
 
 galaxy_info:

diff --git a/roles/php_fpm/tasks/pools.yml b/roles/php_fpm/tasks/pools.yml
@@ -13,7 +13,7 @@
   ansible.builtin.user:
     name: '{{ item.user | default(item.name) }}'
     home: '{{ item.home | default(omit) }}'
-    groups: www-data
+    groups: '{{ nginx_group }}'
     append: true
     system: true
   loop: '{{ php_fpm_extra_pools | default([]) }}'

diff --git a/roles/php_fpm/templates/pool.j2 b/roles/php_fpm/templates/pool.j2
@@ -21,7 +21,7 @@
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
-user = {{ item.user | default(item.name) if item is defined else nginx_owner }}
+user = {{ item.user | default(item.name) if item is defined else nginx_user }}
 group = {{ item.user | default(item.name) if item is defined else nginx_group }}
 
 ; The address on which to accept FastCGI requests.
@@ -45,7 +45,7 @@ listen = {{ php_fpm_listen_base + '-' + item.name + '.sock' if item is defined e
 ; BSD-derived systems allow connections regardless of permissions.
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0660
-listen.owner = {{ nginx_owner }}
+listen.owner = {{ nginx_user }}
 listen.group = {{ nginx_group }}
 ;listen.mode = 0660
 ; When POSIX Access Control Lists are supported you can set them using

diff --git a/roles/phpmyadmin/defaults/main.yml b/roles/phpmyadmin/defaults/main.yml
@@ -13,8 +13,8 @@ phpmyadmin_db_ssl_key: /etc/ssl/private/mysql_client.key
 phpmyadmin_db_ssl_cert: /etc/ssl/certs/mysql_client.crt
 phpmyadmin_db_ssl_ca: /etc/ssl/certs/mysql_ca.crt
 
-phpmyadmin_owner: "{{ nginx_owner | default('www-data') }}"
-phpmyadmin_group: "{{ nginx_group | default('www-data') }}"
+phpmyadmin_owner: "{{ nginx_user }}"
+phpmyadmin_group: "{{ nginx_group }}"
 
 phpmyadmin_ssl_only: true
 

diff --git a/roles/phpmyadmin/meta/main.yml b/roles/phpmyadmin/meta/main.yml
@@ -1,5 +1,7 @@
 ---
 dependencies:
+  - role: alphanodes.setup.common
+    public: true
   - role: alphanodes.setup.mysql_client
   - role: alphanodes.setup.php_fpm
   - role: geerlingguy.composer

diff --git a/roles/phpmyadmin/tasks/setup.yml b/roles/phpmyadmin/tasks/setup.yml
@@ -44,6 +44,7 @@
     login_user: "{{ phpmyadmin_db_user if phpmyadmin_db_host != 'localhost' else omit }}"
     login_password: "{{ phpmyadmin_db_password if phpmyadmin_db_host != 'localhost' else omit }}"
     priv: 'mysql.*:SELECT/{{ phpmyadmin_db_name }}.*:ALL'
+    column_case_sensitive: true
     state: present
   when: not phpmyadmin_no_dbserver