Update to 2021-12-01 19:13

roles/bookstack/templates/env.j2

@@ -0,0 +1,28 @@
+APP_KEY={{ bookstack_app_key }}
+APP_URL={{ bookstack_public_url }}
+DB_HOST={{ bookstack_db_server }}
+DB_DATABASE={{ bookstack_db_name }}
+DB_USERNAME={{ bookstack_db_user }}
+DB_PASSWORD={{ bookstack_db_pass | quote }}
+MAIL_DRIVER=smtp
+MAIL_FROM_NAME="{{ bookstack_email_name }}"
+MAIL_FROM={{ bookstack_email_from }}
+MAIL_HOST={{ bookstack_email_server }}
+MAIL_PORT={{ bookstack_email_port }}
+{% if bookstack_email_user is defined and bookstack_email_pass is defined %}
+MAIL_USERNAME={{ bookstack_email_user }}
+MAIL_PASSWORD={{ bookstack_email_pass | quote }}
+{% endif %}
+MAIL_ENCRYPTION={{ bookstack_email_encryption }}
+APP_TIMEZONE={{ system_tz | default('UTC') }}
+APP_LANG={{ bookstack_default_lang }}
+SESSION_SECURE_COOKIE={{ (bookstack_public_url | urlsplit('scheme') == 'https') | ternary('true','false') }}
+SESSION_COOKIE_NAME=bookstack_{{ bookstack_id }}_session
+SESSION_LIFETIME={{ bookstack_session_lifetime }}
+CACHE_PREFIX=bookstack_{{ bookstack_id }}
+{% if bookstack_trusted_proxies | length > 0 %}
+APP_PROXIES={{ bookstack_trusted_proxies | join(',') }}
+{% endif %}
+{% for key in bookstack_settings.keys() | list %}
+{{ key }}="{{ bookstack_settings[key] }}"
+{% endfor %}

roles/bookstack/templates/httpd.conf.j2

@@ -0,0 +1,39 @@
+{% if bookstack_web_alias is defined and bookstack_web_alias != False %}
+Alias /{{ bookstack_web_alias | regex_replace('^/','') }} {{ bookstack_root_dir }}/app/public
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+<Directory {{ bookstack_root_dir }}/app/public>
+  AllowOverride All
+  Options FollowSymLinks
+{% if bookstack_src_ip is defined and bookstack_src_ip | length > 0 %}
+  Require ip {{ bookstack_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ bookstack_php_fpm_pool | default('bookstack_' + bookstack_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+
+  RewriteEngine On
+
+  # Handle Authorization Header
+  RewriteCond %{HTTP:Authorization} .
+  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+  # Redirect Trailing Slashes If Not A Folder...
+  RewriteCond %{REQUEST_FILENAME} !-d
+  RewriteCond %{REQUEST_URI} (.+)/$
+  RewriteRule ^ %1 [L,R=301]
+
+  # Send Requests To Front Controller...
+  RewriteCond %{REQUEST_FILENAME} !-d
+  RewriteCond %{REQUEST_FILENAME} !-f
+  RewriteRule ^ index.php [L]
+
+  <FilesMatch "(\.git.*)">
+    Require all denied
+  </FilesMatch>
+
+</Directory>

roles/bookstack/templates/perms.sh.j2

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+restorecon -R {{ bookstack_root_dir }}
+chown root:root {{ bookstack_root_dir }}
+chmod 700 {{ bookstack_root_dir }}
+setfacl -R -k -b {{ bookstack_root_dir }}
+setfacl -m u:{{ bookstack_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:x {{ bookstack_root_dir }}
+find {{ bookstack_root_dir }}/app -type f -exec chmod 644 "{}" \;
+find {{ bookstack_root_dir }}/app -type d -exec chmod 755 "{}" \;
+chown root:{{ bookstack_php_user }} {{ bookstack_root_dir }}/app/.env
+chmod 640 {{ bookstack_root_dir }}/app/.env
+chown -R {{ bookstack_php_user }} {{ bookstack_root_dir }}/app/bootstrap/cache
+chmod 700 {{ bookstack_root_dir }}/app/bootstrap/cache
+chown -R {{ bookstack_php_user }} {{ bookstack_root_dir }}/data
+chmod 700 {{ bookstack_root_dir }}/data
+setfacl -R -m u:{{ httpd_user | default('apache') }}:rx {{ bookstack_root_dir }}/app/public
+setfacl -m u:{{ httpd_user | default('apache') }}:x {{ bookstack_root_dir }}/data/
+setfacl -R -m u:{{ httpd_user | default('apache') }}:rx {{ bookstack_root_dir }}/data/uploads
+find {{ bookstack_root_dir }} -name .htaccess -exec chmod 644 "{}" \;

roles/bookstack/templates/php.conf.j2

@@ -0,0 +1,35 @@
+[bookstack_{{ bookstack_id }}]
+
+listen.owner = root
+listen.group = apache
+listen.mode = 0660
+listen = /run/php-fpm/bookstack_{{ bookstack_id }}.sock
+user = {{ bookstack_php_user }}
+group = {{ bookstack_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 5m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 256M
+php_admin_value[session.save_path] = {{ bookstack_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ bookstack_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ bookstack_root_dir }}/tmp
+php_admin_value[post_max_size] = 100M
+php_admin_value[upload_max_filesize] = 100M
+php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ bookstack_root_dir }}:/usr/share/pear/:/usr/share/php/
+php_admin_value[max_execution_time] = 60
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = off
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on

roles/bookstack/templates/post-backup.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ bookstack_root_dir }}/backup/*.sql.zst

roles/bookstack/templates/pre-backup.j2

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -eo pipefail
+
+/usr/bin/mysqldump \
+{% if bookstack_db_server not in ['localhost','127.0.0.1'] %}
+  --user={{ bookstack_db_user | quote }} \
+  --password={{ bookstack_db_pass | quote }} \
+  --host={{ bookstack_db_server | quote }} \
+  --port={{ bookstack_db_port | quote }} \
+{% endif %}
+  --quick --single-transaction \
+  --add-drop-table {{ bookstack_db_name | quote }} | zstd -c > {{ bookstack_root_dir }}/backup/{{ bookstack_db_name }}.sql.zst
+