mise au point

README.md

@@ -11,35 +11,31 @@ Obviously an apache server, you'll probably want php and some certificates too.
 Role Variables
 --------------
 
-apache_server_name
-apache_server_ip
-apache_ssl_root_email: email to use for certificate
-apache_server_alias (list)
-apache_user_password: default undefined
-apache_base_dir: /srv/{{ apache_server_name }}
-apache_document_root: {{ apache_base_dir }}/www
 apache_access_log: {{ apache_base_dir}}/logs/access_log
+apache_allowoverride: all
+apache_base_dir: /srv/{{ apache_server_name }}
+apache_db_login_password: from my.cnf
+apache_db_login_user: from root/.my.cnf
+apache_db_name: no default
+apache_db_password: no default
+apache_db_user: no default
+apache_document_root: {{ apache_base_dir }}/www
 apache_php_socket: {{ apache_base_dir }}/php-fpm.sock
-apache_use_php: true
-apache_use_ssl: true
-apache_use_dns: true - wether we setup up dns A and CNAME records
-apache_use_zabbix: true - wether we install script to monitor certificate expiry date
-apache_use_certbot: true
-apache_use_stats: true
+apache_server_alias (list)
+apache_server_ip
+apache_server_name
 apache_ssl_certificate: /etc/letsencrypt/live/{{ apache_server_name }}/cert.pem
 apache_ssl_chain: /etc/letsencrypt/live/{{ apache_server_name }}/fullchain.pem
 apache_ssl_key: /etc/letsencrypt/live/{{ apache_server_name }}/privkey.pem
-apache_user: {{ apache_server_name | regex_search( '([^.]+)' ) }} }}
-apache_allowoverride: all
-apache_update_conf: true - wether we override existing config file
+apache_ssl_root_email: email to use for certificate
 apache_ssl_root_email: email used for letsencrypt certificate
 apache_use_database: false
-apache_db_name: no default
-apache_db_user: no default
-apache_db_password: no default
-apache_db_login_user: from root/.my.cnf
-apache_db_login_password: from my.cnf
-
+apache_use_dns: true - wether we setup up dns A and CNAME records
+apache_use_php: true
+apache_use_ssl: true
+apache_use_stats: true
+apache_user: {{ apache_server_name | regex_search( '([^.]+)' ) }} }}
+apache_user_password: default undefined
 Example Playbook
 ----------------
 

defaults/main.yml

@@ -9,12 +9,9 @@ apache_restart: false
 apache_ssl_certificate: "/etc/letsencrypt/live/{{ apache_server_name }}/cert.pem"
 apache_ssl_chain: "/etc/letsencrypt/live/{{ apache_server_name }}/fullchain.pem"
 apache_ssl_key: "/etc/letsencrypt/live/{{ apache_server_name }}/privkey.pem "
-apache_use_certbot: true
 apache_use_dns: true
 apache_use_php: true
 apache_use_ssl: true
 apache_use_stats: true
-apache_use_zabbix: true
 apache_user: "{{ apache_server_name | regex_search( '([^.]+)' ) }}"
-apache_update_conf: true
 apache_use_database: false

files/lld_certlist.py

@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 import json
 import os
 import re

handlers/main.yml

@@ -6,12 +6,6 @@
     state: restarted
   when: apache_restart
 
-- name: restart php-fpm
-  service:
-    name: php73-php-fpm
-    state: restarted
-  when: apache_restart
-
 - name: restart zabbix_agentd
   service:
     name: zabbix-agent

tasks/certbot.yml

@@ -1,6 +1,6 @@
 ---
 - name: install certbot
-  yum:
+  package:
     name: certbot
     state: present
 
@@ -43,4 +43,4 @@
     hour: "01"
     minute: "00"
     weekday: "6"
-    job: "/usr/bin/certbot renew && /sbin/apachectl graceful"
+    job: "/usr/bin/certbot renew"

tasks/db.yml

@@ -1,15 +0,0 @@
----
-
-- name: create database
-  community.mysql.mysql_db:
-    login_user: root
-    name: "{{ apache_db_name }}"
-    state: present
-
-- name: create db user
-  community.mysql.mysql_user:
-    name: "{{ apache_db_user }}"
-    password: "{{ apache_db_password }}"
-    update_password: on_create
-    priv: "{{ apache_db_name }}.*:ALL"
-    state: present

tasks/main.yml

@@ -23,13 +23,6 @@
     shell: /bin/bash
   when: apache_user_password is defined
 
-- name: php-fpm config file
-  template:
-    src: pool.conf.jj
-    dest: /etc/opt/remi/php73/php-fpm.d/{{ apache_server_name }}.conf
-  notify: restart php-fpm
-  when: apache_use_php
-
 - name: create directories
   file:
     path: "{{ item }}"
@@ -48,36 +41,20 @@
   include_tasks: dns.yml
   when: apache_use_dns
 
-- name: generate cert
-  import_tasks: certbot.yml
-  when: apache_use_certbot
-  tags: certbot,ssl
-
 - name: vhost config file
   template:
     src: vhost.conf.jj
     dest: /etc/httpd/conf.d/{{ apache_server_name }}.conf
     mode: 0644
   notify: restart apache
-  when: apache_update_conf
 
 - name: logrotate config file
   template:
     src: logrotate.conf.jj
-    dest: "/etc/logrotate.d/vhost.conf"
+    dest: "/etc/logrotate.d/vhost_{{ apache_server_name }}.conf"
     mode: 0644
 
 - name: goaccess
   import_tasks: goaccess.yml
   when: apache_use_stats
-  tags: stats
-
-- name: zabbix setup
-  import_tasks: zabbix.yml
-  when: apache_use_zabbix|bool
-  tags: zabbix, ssl
-
-- name: db setup
-  import_tasks: db.yml
-  when: apache_use_database
-  tags: db
+  tags: stats

tasks/zabbix.yml

@@ -1,13 +0,0 @@
----
-- name: deploy zabbix lld script
-  copy:
-    src: lld_certlist.py
-    dest: /etc/zabbix/scripts
-    group: zabbix
-    mode: 0750
-
-- name: deploy zabbix userparameter
-  copy:
-    dest: /etc/zabbix/zabbix_agentd.d/user_parameter_certificate_discovery.conf
-    content: "UserParameter=certificate.discovery,/etc/zabbix/scripts/lld_certlist.py"
-  notify: restart zabbix_agentd

templates/logrotate.conf.jj

@@ -10,14 +10,3 @@
    endscript
 }
 
-{{ apache_base_dir }}/logs/php*log {
-   daily
-   rotate 15
-   missingok
-   notifempty
-   sharedscripts
-   postrotate
-   /bin/kill -SIGUSR1 `cat /var/opt/remi/php73/run/php-fpm/php-fpm.pid 2>/dev/null` 2>/dev/null || true
-   endscript
-                                 }
-