Update to 2021-12-01 19:13

roles/dolibarr/defaults/main.yml

@@ -0,0 +1,36 @@
+---
+
+dolibarr_id: 1
+dolibarr_manage_upgrade: True
+dolibarr_version: 14.0.2
+dolibarr_archive_url: https://downloads.sourceforge.net/project/dolibarr/Dolibarr%20ERP-CRM/{{ dolibarr_version }}/dolibarr-{{ dolibarr_version }}.tgz
+dolibarr_archive_sha1: 41267d06482937680bfb45982e43208b2669e723
+
+dolibarr_root_dir: /opt/dolibarr_{{ dolibarr_id }}
+dolibarr_php_user: php-dolibarr_{{ dolibarr_id }}
+dolibarr_php_version: 74
+
+# If you prefer using a custom PHP FPM pool, set it's name.
+# You might need to adjust dolibarr_php_user
+# dolibarr_php_fpm_pool: php56
+
+dolibarr_db_server: "{{ mysql_server | default('localhost') }}"
+# dolibarr_db_port: 3306
+dolibarr_db_name: dolibarr_{{ dolibarr_id }}
+dolibarr_db_user: dolibarr_{{ dolibarr_id }}
+# If not defined, a random pass will be generated and stored in the meta directory
+# dolibarr_db_pass: dolibarr
+
+# dolibarr_alias: dolibarr
+# dolibarr_src_ip:
+#   - 192.168.7.0/24
+#   - 10.2.0.0/24
+
+# Must be set to the public URL of Dolibarr
+# dolibarr_public_url: https://dolibarr.domain.net
+
+# Can be dolibarr, http, ldap, openid
+dolibarr_auth: dolibarr
+# Should a cron job be added to sync users from LDAP to Dolibarr
+# LDAP module must be configured
+dolibarr_sync_from_ldap: False

roles/dolibarr/files/dolibarr_token.patch

@@ -0,0 +1,10 @@
+--- /opt/dolibarr_1/web/htdocs/main.inc.php.orig	2021-08-27 11:40:42.177502730 +0200
++++ /opt/dolibarr_1/web/htdocs/main.inc.php	2021-08-27 11:41:02.821219393 +0200
+@@ -507,6 +507,7 @@
+ 	}
+ 
+ 	$sessiontokenforthisurl = (empty($_SESSION['token']) ? '' : $_SESSION['token']);
++	$_GET['token'] = $_SESSION['token']; // Tmp workaround for https://github.com/Dolibarr/dolibarr/issues/16096
+ 	// TODO Get the sessiontokenforthisurl into the array of session token
+ 	if (GETPOSTISSET('token') && GETPOST('token') != 'notrequired' && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
+ 		dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"])?'':$_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused due to invalid token, so we disable POST and some GET parameters - referer=".$_SERVER['HTTP_REFERER'].", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha').", _SESSION['token']=".$_SESSION['token'], LOG_WARNING);

roles/dolibarr/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- include: ../httpd_common/handlers/main.yml
+- include: ../httpd_php/handlers/main.yml
+...

roles/dolibarr/meta/main.yml

@@ -0,0 +1,6 @@
+---
+
+dependencies:
+  - role: httpd_php
+  - role: mysql_server
+    when: dolibarr_db_server in [ 'localhost', '127.0.0.1' ]

roles/dolibarr/tasks/archive_post.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Lock installation process
+  copy: content='' dest={{ dolibarr_root_dir }}/data/install.lock
+  tags: dolibarr
+
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ dolibarr_root_dir }}"
+    - version: "{{ dolibarr_current_version }}"
+  when: dolibarr_install_mode == 'upgrade'
+  tags: dolibarr
+

roles/dolibarr/tasks/archive_pre.yml

@@ -0,0 +1,15 @@
+---
+
+- import_tasks: ../includes/webapps_archive.yml
+  vars:
+    - root_dir: "{{ dolibarr_root_dir }}"
+    - version: "{{ dolibarr_current_version }}"
+    - db_name: "{{ dolibarr_db_name }}"
+    - db_server: "{{ dolibarr_db_server }}"
+  tags: dolibarr
+
+- name: Unlock installation process
+  file: path={{ dolibarr_root_dir }}/data/install.lock state=absent
+  when: dolibarr_install_mode == 'upgrade'
+  tags: dolibarr
+

roles/dolibarr/tasks/cleanup.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Remove temp and obsolete files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ dolibarr_root_dir }}/tmp/dolibarr-{{ dolibarr_version }}.tgz"
+    - "{{ dolibarr_root_dir }}/tmp/dolibarr-{{ dolibarr_version }}"
+    - /etc/backup/pre.d/dolibarr_{{ dolibarr_id }}_dump_db
+    - /etc/backup/post.d/dolibarr_{{ dolibarr_id }}_rm_dump
+  tags: dolibarr
+

roles/dolibarr/tasks/conf.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Deploy Dolibarr config
+  template: src=dolibarr.conf.j2 dest={{ dolibarr_root_dir }}/web/htdocs/conf/conf.php
+  tags: dolibarr
+
+- name: Initialize Dolibarr installation (first step)
+  command: php{{ dolibarr_php_version }}-cgi step2.php action=set
+  args:
+    chdir: "{{ dolibarr_root_dir }}/web/htdocs/install/"
+    #become_user: "{{ dolibarr_php_user }}"
+  when: dolibarr_install_mode == 'install'
+  tags: dolibarr
+
+- name: Create default admin user
+  command: php{{ dolibarr_php_version }}-cgi step5.php action=set login=admin pass=admin pass_verif=admin
+  args:
+    chdir: "{{ dolibarr_root_dir }}/web/htdocs/install/"
+    #become_user: "{{ dolibarr_php_user }}"
+  when: dolibarr_install_mode == 'install'
+  tags: dolibarr
+
+- name: Upgrade Dolibarr
+  command: php{{ dolibarr_php_version }} {{ item }} {{ dolibarr_current_version }} {{ dolibarr_version }}
+  args:
+    chdir: "{{ dolibarr_root_dir }}/web/htdocs/install/"
+  become_user: "{{ dolibarr_php_user }}"
+  when: dolibarr_install_mode == 'upgrade'
+  with_items:
+    - upgrade.php
+    - upgrade2.php
+    - step5.php
+  tags: dolibarr
+
+- import_tasks: ../includes/webapps_webconf.yml
+  vars:
+    - app_id: dolibarr_{{ dolibarr_id }}
+    - php_version: "{{ dolibarr_php_version }}"
+    - php_fpm_pool: "{{ dolibarr_php_fpm_pool | default('') }}"
+  tags: dolibarr
+

roles/dolibarr/tasks/directories.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Create directory structure
+  file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
+  with_items:
+    - dir: "{{ dolibarr_root_dir }}"
+    - dir: "{{ dolibarr_root_dir }}/archives"
+    - dir: "{{ dolibarr_root_dir }}/tmp"
+    - dir: "{{ dolibarr_root_dir }}/sessions"
+    - dir: "{{ dolibarr_root_dir }}/meta"
+    - dir: "{{ dolibarr_root_dir }}/db_dumps"
+    - dir: "{{ dolibarr_root_dir }}/data"
+  tags: dolibarr

roles/dolibarr/tasks/facts.yml

@@ -0,0 +1,28 @@
+---
+
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ dolibarr_root_dir }}"
+    - version: "{{ dolibarr_version }}"
+  tags: dolibarr
+- set_fact: dolibarr_install_mode={{ (install_mode == 'upgrade' and not dolibarr_manage_upgrade) | ternary('none',install_mode) }}
+  tags: dolibarr
+- set_fact: dolibarr_current_version={{ current_version | default('') }}
+  tags: dolibarr
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ dolibarr_root_dir }}/meta/ansible_cookie_key"
+  tags: dolibarr
+- set_fact: dolibarr_cookie_key={{ rand_pass }}
+  tags: dolibarr
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ dolibarr_root_dir }}/meta/ansible_dbpass"
+  when: dolibarr_db_pass is not defined
+  tags: dolibarr
+- set_fact: dolibarr_db_pass={{ rand_pass }}
+  when: dolibarr_db_pass is not defined
+  tags: dolibarr
+

roles/dolibarr/tasks/install.yml

@@ -0,0 +1,142 @@
+---
+
+- name: Install needed tools
+  yum:
+    name:
+      - tar
+      - mariadb
+      - acl
+      - patch
+  tags: dolibarr
+
+- name: Download Dolibarr
+  get_url:
+    url: "{{ dolibarr_archive_url }}"
+    dest: "{{ dolibarr_root_dir }}/tmp/"
+    checksum: "sha1:{{ dolibarr_archive_sha1 }}"
+  when: dolibarr_install_mode != 'none'
+  tags: dolibarr
+
+- name: Extract dolibarr archive
+  unarchive:
+    src: "{{ dolibarr_root_dir }}/tmp/dolibarr-{{ dolibarr_version }}.tgz"
+    dest: "{{ dolibarr_root_dir }}/tmp"
+    remote_src: yes
+  when: dolibarr_install_mode != 'none'
+  tags: dolibarr
+
+- name: Move files to the correct directory
+  synchronize:
+    src: "{{ dolibarr_root_dir }}/tmp/dolibarr-{{ dolibarr_version }}/"
+    dest: "{{ dolibarr_root_dir }}/web/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  when: dolibarr_install_mode != 'none'
+  tags: dolibarr
+
+- name: Apply local patches
+  patch:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    backup: True
+  loop:
+    - src: dolibarr_token.patch
+      dest: "{{ dolibarr_root_dir }}/web/htdocs/main.inc.php"
+  tags: dolibarr
+
+  # Custom dir is where custom modules are installed.
+  # This dir was in data previously, but this is not working with
+  # some modules which use relative path for their includes
+- name: Check if custom dir is linked to the data dir
+  stat: path={{ dolibarr_root_dir }}/web/htdocs/custom
+  register: dolibarr_custom_link
+  tags: dolibarr
+- stat: path={{ dolibarr_root_dir }}/data/custom
+  register: dolibarr_custom_data
+  tags: dolibarr
+
+- name: Remove custom symlink
+  file: path={{ dolibarr_root_dir }}/web/htdocs/custom state=absent
+  when:
+    - dolibarr_custom_link.stat.islnk is defined
+    - dolibarr_custom_link.stat.islnk == True
+  tags: dolibarr
+
+- name: Make sure the custom dir exists
+  file: path={{ dolibarr_root_dir }}/web/htdocs/custom state=directory
+  tags: dolibarr
+
+- name: Move custom content to the htdocs/custom dir
+  synchronize:
+    src: "{{ dolibarr_root_dir }}/data/custom/"
+    dest: "{{ dolibarr_root_dir }}/web/htdocs/custom/"
+    recursive: True
+  delegate_to: "{{ inventory_hostname }}"
+  when:
+    - dolibarr_custom_link.stat.islnk is defined
+    - dolibarr_custom_link.stat.islnk == True
+    - dolibarr_custom_data.stat.isdir is defined
+    - dolibarr_custom_data.stat.isdir == True
+  tags: dolibarr
+
+- name: Remove custom dir from the data dir
+  file: path={{ dolibarr_root_dir }}/data/custom/ state=absent
+  when:
+    - dolibarr_custom_data.stat.isdir is defined
+    - dolibarr_custom_data.stat.isdir == True
+  tags: dolibarr
+
+- name: Restore custom dir after an upgrade
+  synchronize:
+    src: "{{ dolibarr_root_dir }}/archives/{{ dolibarr_current_version }}/web/htdocs/custom/"
+    dest: "{{ dolibarr_root_dir }}/web/htdocs/custom/"
+    recursive: True
+  delegate_to: "{{ inventory_hostname }}"
+  when: dolibarr_install_mode == 'upgrade'
+  tags: dolibarr
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ dolibarr_db_name }}"
+    - db_user: "{{ dolibarr_db_user }}"
+    - db_server: "{{ dolibarr_db_server }}"
+    - db_pass: "{{ dolibarr_db_pass }}"
+  tags: dolibarr
+
+- name: Add a script to sync from LDAP
+  copy:
+    content: |
+      #!/bin/sh
+      /bin/php{{ dolibarr_php_version }} {{ dolibarr_root_dir }}/web/scripts/user/sync_users_ldap2dolibarr.php now -y
+      /bin/php{{ dolibarr_php_version }} {{ dolibarr_root_dir }}/web/scripts/user/sync_groups_ldap2dolibarr.php now -y
+    dest: "{{ dolibarr_root_dir }}/web/scripts/user/sync_ldap2dolibarr.sh"
+  tags: dolibarr
+
+- name: Deploy backup scripts
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/dolibarr_{{ dolibarr_id }} mode=750
+  loop:
+    - pre
+    - post
+  tags: dolibarr
+
+- name: Setup cron job to sync users and groups from LDAP
+  cron:
+    name: dolibarr_{{ dolibarr_id }}_ldap
+    minute: '*/15'
+    user: "{{ dolibarr_php_user }}"
+    job: "sleep $[ ( $RANDOM \\% 30 ) ] && {{ dolibarr_root_dir }}/web/scripts/user/sync_ldap2dolibarr.sh | /bin/systemd-cat -t dolibarr_{{ dolibarr_id }}"
+    cron_file: dolibarr_{{ dolibarr_id }}_ldap
+    state: "{{ (dolibarr_sync_from_ldap is defined and dolibarr_sync_from_ldap) | ternary('present','absent') }}"
+  tags: dolibarr
+
+- name: Set var_log_t context for log files
+  sefcontext:
+    target: '{{ dolibarr_root_dir }}/data/.*\.log'
+    setype: httpd_log_t
+  when: ansible_selinux.status == 'enabled'
+  tags: dolibarr
+
+- name: Install logrotate configuration
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/dolibarr_{{ dolibarr_id }}
+  tags: dolibarr

roles/dolibarr/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: dolibarr_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: archive_post.yml
+  when: dolibarr_install_mode == 'upgrade'
+- include: write_version.yml
+- include: cleanup.yml

roles/dolibarr/tasks/user.yml

@@ -0,0 +1,8 @@
+---
+
+- import_tasks: ../includes/create_system_user.yml
+  vars:
+    - user: "{{ dolibarr_php_user }}"
+    - comment: "PHP FPM for dolibarr {{ dolibarr_id }}"
+  tags: dolibarr
+

roles/dolibarr/tasks/write_version.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: ../includes/webapps_post.yml
+  vars:
+    - root_dir: "{{ dolibarr_root_dir }}"
+    - version: "{{ dolibarr_version }}"
+  tags: dolibarr

roles/dolibarr/templates/dolibarr.conf.j2

@@ -0,0 +1,30 @@
+<?php
+
+{% if dolibarr_public_url is defined %}
+$dolibarr_main_url_root='{{ dolibarr_public_url }}';
+{% endif %}
+$dolibarr_main_document_root='{{ dolibarr_root_dir }}/web/htdocs';
+$dolibarr_main_url_root_alt='/custom';
+$dolibarr_main_document_root_alt='{{ dolibarr_root_dir }}/web/htdocs/custom';
+$dolibarr_main_data_root='{{ dolibarr_root_dir }}/data';
+$dolibarr_main_db_host='{{ dolibarr_db_server }}';
+$dolibarr_main_db_port='{{ dolibarr_db_port | default('3306') }}';
+$dolibarr_main_db_name='{{ dolibarr_db_name }}';
+$dolibarr_main_db_prefix='llx_';
+$dolibarr_main_db_user='{{ dolibarr_db_user }}';
+$dolibarr_main_db_pass='{{ dolibarr_db_pass }}';
+$dolibarr_main_db_type='mysqli';
+$dolibarr_main_db_character_set='utf8';
+$dolibarr_main_db_collation='utf8_unicode_ci';
+
+// Authentication settings
+$dolibarr_main_authentication='{{ dolibarr_auth }}';
+
+// Security settings
+$dolibarr_main_prod='1';
+$dolibarr_main_force_https='0';
+$dolibarr_main_restrict_os_commands='mysqldump, mysql';
+$dolibarr_nocsrfcheck='0';
+$dolibarr_main_cookie_cryptkey='{{ dolibarr_cookie_key }}';
+$dolibarr_mailing_limit_sendbyweb='0';
+

roles/dolibarr/templates/httpd.conf.j2

@@ -0,0 +1,19 @@
+{% if dolibarr_alias is defined %}
+Alias /{{ dolibarr_alias }} {{ dolibarr_root_dir }}/web/htdocs
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+RewriteEngine On
+<Directory {{ dolibarr_root_dir }}/web/htdocs>
+  AllowOverride All
+  Options FollowSymLinks
+{% if dolibarr_src_ip is defined %}
+  Require ip {{ dolibarr_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ dolibarr_php_fpm_pool  | default('dolibarr_' + dolibarr_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+</Directory>

roles/dolibarr/templates/logrotate.conf.j2

@@ -0,0 +1,7 @@
+{{ dolibarr_root_dir }}/data/*.log {
+  daily
+  rotate 90
+  compress
+  missingok
+  create 640 {{ dolibarr_php_user }} {{ dolibarr_php_user }}
+}

roles/dolibarr/templates/perms.sh.j2

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+restorecon -R {{ dolibarr_root_dir }}
+chown root:root {{ dolibarr_root_dir }}
+chmod 700 {{ dolibarr_root_dir }}
+chown root:root {{ dolibarr_root_dir }}/{meta,db_dumps}
+chmod 700 {{ dolibarr_root_dir }}/{meta,db_dumps}
+setfacl -k -b {{ dolibarr_root_dir }}
+setfacl -m u:{{ dolibarr_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ dolibarr_root_dir }}
+chown -R root:root {{ dolibarr_root_dir }}/web
+chown -R {{ dolibarr_php_user }} {{ dolibarr_root_dir }}/{tmp,sessions,data}
+chmod 700 {{ dolibarr_root_dir }}/{tmp,sessions,data}
+setfacl -R -m u:{{ httpd_user | default('apache') }}:rX {{ dolibarr_root_dir }}/data
+find {{ dolibarr_root_dir }}/web -type f -exec chmod 644 "{}" \;
+find {{ dolibarr_root_dir }}/web -type d -exec chmod 755 "{}" \;
+chown -R :{{ dolibarr_php_user }} {{ dolibarr_root_dir }}/web/htdocs/{conf,custom}
+chmod 770 {{ dolibarr_root_dir }}/web/htdocs/custom
+setfacl -R -m u:{{ httpd_user | default('apache') }}:rX {{ dolibarr_root_dir }}/web/htdocs/custom
+chmod 770 {{ dolibarr_root_dir }}/web/htdocs/conf
+chmod 640 {{ dolibarr_root_dir }}/web/htdocs/conf/*
+chmod 755 {{ dolibarr_root_dir }}/web/scripts/user/sync_ldap2dolibarr.sh

roles/dolibarr/templates/php.conf.j2

@@ -0,0 +1,37 @@
+; {{ ansible_managed }}
+
+[dolibarr_{{ dolibarr_id }}]
+
+listen.owner = root
+listen.group = {{ httpd_user | default('apache') }}
+listen.mode = 0660
+listen = /run/php-fpm/dolibarr_{{ dolibarr_id }}.sock
+user = {{ dolibarr_php_user }}
+group = {{ dolibarr_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 60m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 512M
+php_admin_value[session.save_path] = {{ dolibarr_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ dolibarr_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ dolibarr_root_dir }}/tmp
+php_admin_value[post_max_size] = 20M
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[disable_functions] = system, show_source, symlink, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ dolibarr_root_dir }}
+php_admin_value[max_execution_time] = 900
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = on
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on

roles/dolibarr/templates/post-backup.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+rm -f {{ dolibarr_root_dir }}/db_dumps/*

roles/dolibarr/templates/pre-backup.j2

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -eo pipefail
+
+/usr/bin/mysqldump --user={{ dolibarr_db_user }} \
+                   --password={{ dolibarr_db_pass | quote }} \
+                   --host={{ dolibarr_db_server }} \
+                   --quick --single-transaction \
+                   --add-drop-table {{ dolibarr_db_name }} | zstd -c > {{ dolibarr_root_dir }}/db_dumps/{{ dolibarr_db_name }}.sql.zst