From 5e35c4a48dbcb01b0e18c5ace0e4977b4a86482d Mon Sep 17 00:00:00 2001
From: Hamatoma
Date: Wed, 2 Apr 2025 23:20:32 +0200
Subject: [PATCH] first working version
---
 inventory | 3 +-
 playbooks/{i_1_basic.yaml => i_10_basic.yaml} | 0
 playbooks/i_20_nginx.yaml | 61 +++++++++++++++
 playbooks/i_2_nginx.yaml | 39 ----------
 .../{i_3_mariadb.yaml => i_30_mariadb.yaml} | 0
 playbooks/i_40_php8.2.yaml | 50 ++++++++++++
 playbooks/i_4_php8.3.yaml | 76 -------------------
 playbooks/i_99_test.yaml | 15 ++++
 playbooks/var/php.yaml | 44 +++++++++++
 playbooks/var/ssl-certificate.yaml | 7 ++
 templates/nginx/index.html | 5 ++
 templates/nginx/index.php | 2 +
 templates/nginx/test.site | 57 ++++++++++++++
 13 files changed, 243 insertions(+), 116 deletions(-)
 rename playbooks/{i_1_basic.yaml => i_10_basic.yaml} (100%)
 create mode 100644 playbooks/i_20_nginx.yaml
 delete mode 100644 playbooks/i_2_nginx.yaml
 rename playbooks/{i_3_mariadb.yaml => i_30_mariadb.yaml} (100%)
 create mode 100644 playbooks/i_40_php8.2.yaml
 delete mode 100644 playbooks/i_4_php8.3.yaml
 create mode 100644 playbooks/i_99_test.yaml
 create mode 100644 playbooks/var/php.yaml
 create mode 100644 playbooks/var/ssl-certificate.yaml
 create mode 100644 templates/nginx/index.html
 create mode 100644 templates/nginx/index.php
 create mode 100644 templates/nginx/test.site
diff --git a/inventory b/inventory
index ddaa9ed..bcda6c4 100644
--- a/inventory
+++ b/inventory
@@ -1,5 +1,6 @@
 [hosts]
-nest
+nest1.gemeinwohl-gesellschaft.de
+#nest
 [hosts:vars]
 ansible_python_interpreter=/usr/bin/python3
 ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
diff --git a/playbooks/i_1_basic.yaml b/playbooks/i_10_basic.yaml
similarity index 100%
rename from playbooks/i_1_basic.yaml
rename to playbooks/i_10_basic.yaml
diff --git a/playbooks/i_20_nginx.yaml b/playbooks/i_20_nginx.yaml
new file mode 100644
index 0000000..99e2f67
--- /dev/null
+++ b/playbooks/i_20_nginx.yaml
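Review bot: Host-key verification stays disabled for the new target: in the `inventory` hunk `nest1.gemeinwohl-gesellschaft.de` is added under the unchanged context line `ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, so Ansible accepts any SSH host key and records none. For the short name `nest` that was presumably a local alias; for a public DNS name it means whoever can redirect the connection is accepted as the server, and the nginx play in this patch runs with `become: yes` over that session. I would drop both options and ship a project `known_hosts` entry for the host, or at minimum use `ansible_ssh_common_args=-o StrictHostKeyChecking=accept-new` without the `UserKnownHostsFile=/dev/null` override so that a changed key is rejected on later runs.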
@@ -0,0 +1,61 @@
+---
+- name: Install and configure with letsencrypt
+ hosts: all
+ become: yes
+
+ vars:
+ user: www-data
+ hostname: "{{ inventory_hostname }}"
+ log_name: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+') }}"
+ vars_files:
+ - var/ssl-certificate.yaml
+ tasks:
+ - name: Install nginx
+ apt:
+ name: nginx
+ state: latest
+ update_cache: yes
+ - name: Prepare letsencrypt home directory
+ file: path=/home/www/letsencrypt/.well-known/acme-challenge state=directory
+ - name: Add test file1
+ copy: src=../templates/nginx/hi1.txt dest=/home/www/letsencrypt/.well-known/
+ - name: Add test file2
+ copy: src=../templates/nginx/hi2.txt dest=/home/www/letsencrypt/.well-known/acme-challenge/hi2.txt
+ - name: Prepare letsencrypt
+ copy:
+ src: ../templates/nginx/letsencrypt.conf
+ dest: /etc/nginx/snippets
+ - name: add HTTP-variables
+ copy:
+ src: ../templates/nginx/http.conf
+ dest: /etc/nginx/snippets
+ - name: create a www directory
+ file: path=/home/www state=directory owner=root group=www-data
+
+ - name: create the /srv/www link
+ file: src=/home/www dest=/srv/www state=link
+ - name: Ensure nginx is running
+ systemd:
+ name: nginx
+ state: started
+ enabled: yes
+ - name: create a test virtual hosts
+ template:
+ src: ../templates/nginx/test.site
+ dest: /etc/nginx/sites-available/{{hostname}}
+ - name: activate by link in sites-enabled
+ file:
+ src: /etc/nginx/sites-available/{{hostname}}
+ dest: /etc/nginx/sites-enabled/{{hostname}}
+ state: link
+ - name: create a ssh-certificate
+ command: openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/{{hostname}}.key -out /etc/ssl/certs/{{hostname}}.pem -subj "/C={{SSL_COUNTRY}}/ST={{SSL_STATE}}/L={{SSL_LOCALITY}}/O={{SSL_ORGANIZATION}}/CN={{hostname}}"
+ args:
+ creates: /etc/ssl/private/{{hostname}}.key
+ - name: create a document root
+ file: dest=/srv/www/{{hostname}} state=directory owner=www-data group=www-data
+ - name: create a test index.html
+ template: 
src=../templates/nginx/index.html dest=/srv/www/{{hostname}}/index.html
+ - name: create a test index.php
+ copy: src=../templates/nginx/index.php dest=/srv/www/{{hostname}}/index.php
+
diff --git a/playbooks/i_2_nginx.yaml b/playbooks/i_2_nginx.yaml
deleted file mode 100644
index 1e1067c..0000000
--- a/playbooks/i_2_nginx.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-- name: Install and configure with letsencrypt
- hosts: all
- become: yes
-
- vars:
- user: www-data
-
- tasks:
- - name: Install nginx
- apt:
- name: nginx
- state: latest
- update_cache: yes
- - name: Prepare letsencrypt home directory
- file: path=/home/www/letsencrypt/.well-known/acme-challenge state=directory
- - name: Add test file1
- copy: src=../templates/nginx/hi1.txt dest=/home/www/letsencrypt/.well-known/
- - name: Add test file2
- copy: src=../templates/nginx/hi2.txt dest=/home/www/letsencrypt/.well-known/acme-challenge/hi2.txt
- - name: Prepare letsencrypt
- copy:
- src: ../templates/nginx/letsencrypt.conf
- dest: /etc/nginx/snippets
- - name: add HTTP-variables
- copy:
- src: ../templates/nginx/http.conf
- dest: /etc/nginx/snippets
- - name: create a www directory
- file: path=/home/www state=directory owner=root group=www-data
-
- - name: create the /srv/www link
- file: src=/home/www dest=/srv/www state=link
- - name: Ensure nginx is running
- systemd:
- name: nginx
- state: started
- enabled: yes
-
diff --git a/playbooks/i_3_mariadb.yaml b/playbooks/i_30_mariadb.yaml
similarity index 100%
rename from playbooks/i_3_mariadb.yaml
rename to playbooks/i_30_mariadb.yaml
diff --git a/playbooks/i_40_php8.2.yaml b/playbooks/i_40_php8.2.yaml
new file mode 100644
index 0000000..d2a6d17
--- /dev/null
+++ b/playbooks/i_40_php8.2.yaml
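Review bot: In `playbooks/i_20_nginx.yaml` the task "create a document root" makes `/srv/www/{{hostname}}` `owner=www-data group=www-data`, so the account the web server (and presumably the PHP-FPM pool from the PHP playbook) runs as can write into the tree it serves, and any file-write flaw in a hosted application then persists as served content. The same play already creates `/home/www` as `owner=root group=www-data`; the document root can follow that with `file: dest=/srv/www/{{hostname}} state=directory owner=root group=www-data mode=0750`, plus explicit `owner`/`mode` on the two `index.*` files. The task named "create a ssh-certificate" actually generates a self-signed TLS key pair; renaming it and adding a `file` task that pins `/etc/ssl/private/{{hostname}}.key` to `owner=root mode=0600` would make the key's permissions explicit rather than dependent on openssl's defaults. No task in the file reloads nginx after the `sites-enabled` link is created, so a handler with `state: reloaded` is probably wanted as well.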
@@ -0,0 +1,50 @@
+- hosts: all
+ vars:
+ - PHP_VERS: "8.2"
+ vars_files:
+ - var/php.yaml
+ pre_tasks:
+ - name:
+ apt:
+ name: gpg
+ state: present
+ update_cache: true
+ - name: add packages.sury.org (Debian case)
+ block:
+ - name: add gpg repo key
+ apt_key:
+ url: 'https://packages.sury.org/php/apt.gpg'
+ state: present
+
+ - name: add apt repo
+ apt_repository:
+ repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main'
+ state: present
+ filename: php
+ when: ansible_distribution == 'Debian'
+ tasks:
+ - name: Install PHP {{PHP_VERS}} and common modules
+ ansible.builtin.apt:
+ name: "{{ item }}"
+ state: present
+ update_cache: true
+ cache_valid_time: 3600
+ with_items: "{{ php_packages + php_additional_packages }}"
+ - name: Define PHP variables in php.ini
+ ansible.builtin.ini_file:
+ dest: /etc/php/{{PHP_VERS}}/fpm/php.ini
+ section: "{{ item.section }}"
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ with_items:
+ "{{ php_ini_settings }}"
+ - name: Ensure PHP-FPM is running
+ ansible.builtin.systemd:
+ name: php{{PHP_VERS}}-fpm
+ state: started
+ enabled: yes
+ - name: Ensure Redis is running
+ ansible.builtin.systemd:
+ name: redis-server
+ state: started
+ enabled: yes
\ No newline at end of file
diff --git a/playbooks/i_4_php8.3.yaml b/playbooks/i_4_php8.3.yaml
deleted file mode 100644
index d418d7a..0000000
--- a/playbooks/i_4_php8.3.yaml
+++ /dev/null
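Review bot: In `playbooks/i_40_php8.2.yaml` the `apt_key` task downloads `https://packages.sury.org/php/apt.gpg` and adds it to apt's global trusted keyring, so that key is trusted to sign packages for every configured repository rather than only the sury.org one, and the download is not pinned to a known checksum. The module also wraps the deprecated `apt-key` tool. I would store the key in its own keyring file and bind the repository to it with `signed-by`, as sketched below; the keyring path and the checksum are placeholders to fill in. The play also lacks the `become: yes` that the nginx play has, and its first pre-task has an empty `name:`.

```yaml
    - name: add packages.sury.org (Debian case)
      block:
        - name: fetch the sury.org repo key into a dedicated keyring
          ansible.builtin.get_url:
            url: 'https://packages.sury.org/php/apt.gpg'
            dest: /etc/apt/keyrings/sury-php.gpg  # placeholder path; directory must exist
            mode: '0644'
            checksum: 'sha256:<PINNED_SHA256_OF_APT_GPG>'  # placeholder

        - name: add apt repo
          apt_repository:
            repo: 'deb [signed-by=/etc/apt/keyrings/sury-php.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main'
            # … unchanged: state, filename …
      # … unchanged: when: ansible_distribution == 'Debian' …
```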
@@ -1,76 +0,0 @@
-- hosts: all
- vars:
- - PHP_VERS: "8.3"
-
- pre_tasks:
- - name: add packages.sury.org (Debian case)
- block:
- - name: add gpg repo key
- apt_key:
- url: 'https://packages.sury.org/php/apt.gpg'
- state: present
-
- - name: add apt repo
- apt_repository:
- repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release|lower }} main'
- state: present
- filename: php
- when: ansible_distribution == 'Debian'
- tasks:
- - name: Install PHP 8.3 and common modules
- ansible.builtin.apt:
- name:
- - php{{PHP_VERS}}
- - php{{PHP_VERS}}-cli
- - php{{PHP_VERS}}-common
- - php{{PHP_VERS}}-curl
- - php{{PHP_VERS}}-fpm
- - php{{PHP_VERS}}-gd
- - php{{PHP_VERS}}-igbinary
- - php{{PHP_VERS}}-imagick
- - php{{PHP_VERS}}-imap
- - php{{PHP_VERS}}-intl
- - php{{PHP_VERS}}-mbstring
- - php{{PHP_VERS}}-memcached
- - php{{PHP_VERS}}-msgpack
- - php{{PHP_VERS}}-mysql
- - php{{PHP_VERS}}-opcache
- - php{{PHP_VERS}}-phpdbg
- - php{{PHP_VERS}}-readline
- - php{{PHP_VERS}}-redis
- - php{{PHP_VERS}}-xdebug
- - php{{PHP_VERS}}-xml
- - php{{PHP_VERS}}-zip
- - redis-server
- - imagemagick
- state: present
- update_cache: yes
- - name: Define PHP variables in php.ini
- ansible.builtin.ini_file:
- dest: /etc/php/{{PHP_VERS}}/fpm/php.ini
- section: "{{ item.section }}"
- option: "{{ item.option }}"
- value: "{{ item.value }}"
- with_items:
- - { section: "DEFAULT", option: "memory_limit", value: 512M }
- - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" }
- - { section: "DEFAULT", option: "max_file_uploads", value: 100 }
- - { section: "DEFAULT", option: "post_max_size", value: "512M" }
- - { section: "DEFAULT", option: "max_execution_time", value: 600 }
- - { section: "DEFAULT", option: "max_input_time", value: 600 }
- - { section: "DEFAULT", option: "default_socket_timeout", value: 600 }
- - { section: "Session", option: "session.save_handler", value: "redis" }
- - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" }
- 
- { section: "opcache", option: "opcache.enable", value: 1 }
- - { section: "opcache", option: "opcache.memory_consumption", value: 1024 }
- - { section: "opcache", option: "opcache.interned_strings_buffer", value: 512 }
- - name: Ensure PHP-FPM is running
- ansible.builtin.systemd:
- name: php{{PHP_VERS}}-fpm
- state: started
- enabled: yes
- - name: Ensure Redis is running
- ansible.builtin.systemd:
- name: redis-server
- state: started
- enabled: yes
\ No newline at end of file
diff --git a/playbooks/i_99_test.yaml b/playbooks/i_99_test.yaml
new file mode 100644
index 0000000..e21156f
--- /dev/null
+++ b/playbooks/i_99_test.yaml
@@ -0,0 +1,15 @@
+---
+- name: Install and configure with letsencrypt
+ hosts: all
+ become: yes
+
+ vars:
+ user: www-data
+ hostname: "{{ inventory_hostname }}"
+ log_name: "{{ inventory_hostname | regex_search('[0-9a-zA-Z_]+') }}"
+ vars_files:
+ - var/ssl-certificate.yaml
+ tasks:
+ - name: Install nginx
+ debug:
+ msg: "hostname: {{hostname}} log_name: {{log_name}}"
\ No newline at end of file
diff --git a/playbooks/var/php.yaml b/playbooks/var/php.yaml
new file mode 100644
index 0000000..5bc552c
--- /dev/null
+++ b/playbooks/var/php.yaml
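Review bot: The play and task names in `playbooks/i_99_test.yaml` are copied from the nginx playbook ("Install and configure with letsencrypt", "Install nginx") although the only task is a `debug` print of `hostname` and `log_name`, so the run output will misreport what happened. The play also keeps `become: yes`, `user` and the `var/ssl-certificate.yaml` vars file, none of which the debug task uses, and a variable dump does not need root. Suggested: `- name: Show derived hostname and log_name` for the play, `- name: Print variables` for the task, and drop `become: yes`.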
@@ -0,0 +1,44 @@
+---
+# php.yaml:
+# Defines variables for the PHP role.
+# This file is used to set up the PHP environment and configuration.
+# needed variables: PHP_VERS
+
+php_packages:
+ - php{{PHP_VERS}}-common
+ - php{{PHP_VERS}}-curl
+ - php{{PHP_VERS}}-fpm
+ - php{{PHP_VERS}}-gd
+ - php{{PHP_VERS}}-igbinary
+ - php{{PHP_VERS}}-imagick
+ - php{{PHP_VERS}}-imap
+ - php{{PHP_VERS}}-intl
+ - php{{PHP_VERS}}-mbstring
+ - php{{PHP_VERS}}-memcached
+ - php{{PHP_VERS}}-msgpack
+ - php{{PHP_VERS}}-mysql
+ - php{{PHP_VERS}}-opcache
+ - php{{PHP_VERS}}-phpdbg
+ - php{{PHP_VERS}}-readline
+ - php{{PHP_VERS}}-redis
+ - php{{PHP_VERS}}-xdebug
+ - php{{PHP_VERS}}-xml
+ - php{{PHP_VERS}}-zip
+php_additional_packages:
+ - redis-server
+ - imagemagick
+
+php_ini_settings:
+ - { section: "DEFAULT", option: "memory_limit", value: "512M" }
+ - { section: "DEFAULT", option: "upload_max_filesize", value: "512M" }
+ - { section: "DEFAULT", option: "max_file_uploads", value: 100 }
+ - { section: "DEFAULT", option: "post_max_size", value: "512M" }
+ - { section: "DEFAULT", option: "max_execution_time", value: 600 }
+ - { section: "DEFAULT", option: "max_input_time", value: 600 }
+ - { section: "DEFAULT", option: "default_socket_timeout", value: 600 }
+ - { section: "Session", option: "session.save_handler", value: "redis" }
+ - { section: "Session", option: "session.save_path", value: "tcp://127.0.0.1:6379" }
+ - { section: "opcache", option: "opcache.enable", value: 1 }
+ - { section: "opcache", option: "opcache.memory_consumption", value: 512 }
+ - { section: "opcache", option: "opcache.interned_strings_buffer", value: 256 }
+
diff --git a/playbooks/var/ssl-certificate.yaml b/playbooks/var/ssl-certificate.yaml
new file mode 100644
index 0000000..07bc809
--- /dev/null
+++ b/playbooks/var/ssl-certificate.yaml
@@ -0,0 +1,7 @@
+---
+# "/C=DE/ST=NRW/L=Bochum/O=IT/CN={{hostname}}"
+SSL_COUNTRY: DE
+SSL_STATE: Bavaria
+SSL_LOCALITY: Kempten
+SSL_ORGANIZATION: IT
+
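Review bot: `php_packages` in `playbooks/var/php.yaml` installs `php{{PHP_VERS}}-xdebug` and `php{{PHP_VERS}}-phpdbg` together with the runtime extensions, so every host the PHP playbook targets gets debugger tooling next to PHP-FPM, and the inventory in this patch points at what looks like an Internet-facing name. Xdebug adds overhead and, depending on its mode settings, diagnostic output and a debug channel that do not belong on a served site. I would move both into a separate list, for example `php_dev_packages`, that the play appends only when a flag such as `php_install_dev_tools` is true (both names are suggestions, not existing variables). The ini values otherwise match the old playbook except the two opcache sizes, which this file lowers to 512 and 256; a comment saying why would help.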
diff --git a/templates/nginx/index.html b/templates/nginx/index.html new file mode 100644 index 0000000..0e0cbca --- /dev/null +++ b/templates/nginx/index.html @@ -0,0 +1,5 @@ + + +

Welcome to {{hostname}}!

+ \ No newline at end of file diff --git a/templates/nginx/index.php b/templates/nginx/index.php new file mode 100644 index 0000000..bfd863b --- /dev/null +++ b/templates/nginx/index.php @@ -0,0 +1,2 @@ +