Update to 2021-12-01 19:13

roles/framadate/defaults/main.yml

@@ -0,0 +1,48 @@
+---
+
+# A unique ID for this instance. You can deploy several framadate instances on the same machine
+framadate_id: 1
+
+# Root dir where the app will be installed. Each instance must have a different install path
+framadate_root_dir: /opt/framadate_{{ framadate_id }}
+
+# The version to deploy
+framadate_version: '1.1.17'
+
+# Should ansible manage upgrades, or only initial installation
+framadate_manage_upgrade: True
+
+# The URL to download framadate archive
+framadate_zip_url: https://framagit.org/framasoft/framadate/framadate/-/archive/{{ framadate_version }}/framadate-{{ framadate_version }}.zip
+
+# The sha1 checksum of the archive
+framadate_zip_sha1: 5c0782f1db6a797df70047c3715003178956ca3d
+
+# The user account under which PHP is executed
+framadate_php_user: php-framadate_{{ framadate_id }}
+
+# The version of PHP to use
+framadate_php_version: 74
+
+# Alternatively, use a custom php pool, which must be defined manually
+#framadate_php_fpm_pool: php70
+
+# Database parameters, framadate_mysql_pass must be set
+framadate_mysql_server: "{{ mysql_server | default('localhost') }}"
+framadate_mysql_port: 3306
+framadate_mysql_db: framadate_{{ framadate_id }}
+framadate_mysql_user: framadate_{{ framadate_id }}
+# If not set, a default one will be generated
+# framadate_mysql_pass: framadate
+
+# The email of the admin
+#framadate_admin_email: admin@domain.net
+
+# Logo URL. Can be relative the framadate_root_dir or an absolute URL
+# in which case the logo will be downloaded during the installation
+framadate_logo_url: images/logo-framadate.png
+
+# Should framadate trust the webserver authentication
+framadate_proxy_auth: False
+
+...

roles/framadate/files/framadate.sql

@@ -0,0 +1,67 @@
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE IF NOT EXISTS `fd_comment` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `poll_id` varchar(64) NOT NULL,
+  `name` varchar(64) DEFAULT NULL,
+  `comment` text NOT NULL,
+  `date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  PRIMARY KEY (`id`),
+  KEY `poll_id` (`poll_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE IF NOT EXISTS `fd_framadate_migration` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `name` text NOT NULL,
+  `execute_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  PRIMARY KEY (`id`)
+) ENGINE=MyISAM AUTO_INCREMENT=12 DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE IF NOT EXISTS `fd_poll` (
+  `id` varchar(64) NOT NULL,
+  `admin_id` char(24) NOT NULL,
+  `title` text NOT NULL,
+  `description` text,
+  `admin_name` varchar(64) DEFAULT NULL,
+  `admin_mail` varchar(128) DEFAULT NULL,
+  `creation_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  `end_date` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
+  `format` varchar(1) DEFAULT NULL,
+  `editable` tinyint(1) DEFAULT '0',
+  `receiveNewVotes` tinyint(1) DEFAULT '0',
+  `receiveNewComments` tinyint(1) DEFAULT '0',
+  `active` tinyint(1) DEFAULT '1',
+  `hidden` tinyint(1) NOT NULL DEFAULT '0',
+  `password_hash` varchar(255) DEFAULT NULL,
+  `results_publicly_visible` tinyint(1) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE IF NOT EXISTS `fd_slot` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `poll_id` varchar(64) NOT NULL,
+  `title` text,
+  `moments` text,
+  PRIMARY KEY (`id`),
+  KEY `poll_id` (`poll_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE IF NOT EXISTS `fd_vote` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `uniqId` char(16) NOT NULL,
+  `poll_id` varchar(64) NOT NULL,
+  `name` varchar(64) NOT NULL,
+  `choices` text NOT NULL,
+  PRIMARY KEY (`id`),
+  KEY `poll_id` (`poll_id`),
+  KEY `uniqId` (`uniqId`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+/*!40101 SET character_set_client = @saved_cs_client */;

roles/framadate/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- include: ../httpd_common/handlers/main.yml
+...

roles/framadate/meta/main.yml

@@ -0,0 +1,5 @@
+---
+allow_duplicates: true
+dependencies:
+  - role: composer
+...

roles/framadate/tasks/main.yml

@@ -0,0 +1,256 @@
+---
+
+- name: Set install mode
+  set_fact: framadate_install_mode='none'
+  tags: framadate
+
+- name: Install needed tools
+  yum:
+    name:
+      - unzip
+      - acl
+      - tar
+  tags: framadate
+
+- name: Create user account for PHP
+  user:
+    name: "{{ framadate_php_user }}"
+    comment: "PHP FPM {{ framadate_php_user }}"
+    system: True
+    shell: /sbin/nologin
+  tags: framadate
+
+- name: Check if framadate is already installed
+  stat: path={{ framadate_root_dir }}/meta/ansible_version
+  register: framadate_version_file
+  tags: framadate
+
+- name: Check framadate version
+  command:  cat {{ framadate_root_dir }}/meta/ansible_version
+  register: framadate_current_version
+  changed_when: False
+  when: framadate_version_file.stat.exists
+  tags: framadate
+
+- name: Set installation process to install
+  set_fact: framadate_install_mode='install'
+  when: not framadate_version_file.stat.exists
+  tags: framadate
+
+- name: Set installation process to upgrade
+  set_fact: framadate_install_mode='upgrade'
+  when:
+    - framadate_version_file.stat.exists
+    - framadate_current_version.stdout != framadate_version
+    - framadate_manage_upgrade
+  tags: framadate
+
+- name: Create archive dir
+  file: path={{ framadate_root_dir }}/archives/{{ framadate_current_version.stdout }} state=directory mode=700
+  when: framadate_install_mode == 'upgrade'
+  tags: framadate
+
+- name: Archive current version
+  synchronize:
+    src: "{{ framadate_root_dir }}/web"
+    dest: "{{ framadate_root_dir }}/archives/{{ framadate_current_version.stdout }}/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  when: framadate_install_mode == 'upgrade'
+  tags: framadate
+
+- name: Dump database
+  mysql_db:
+    state: dump
+    name: "{{ framadate_mysql_db }}"
+    target: "{{ framadate_root_dir }}/archives/{{ framadate_current_version.stdout }}/{{ framadate_mysql_db }}.sql"
+    login_host: "{{ framadate_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    quick: True
+    single_transaction: True
+  when: framadate_install_mode == 'upgrade'
+  tags: framadate
+
+- name: Create directory structure
+  file: path={{ item }} state=directory
+  with_items:
+    - "{{ framadate_root_dir }}"
+    - "{{ framadate_root_dir }}/web"
+    - "{{ framadate_root_dir }}/web/tpl_c"
+    - "{{ framadate_root_dir }}/tmp"
+    - "{{ framadate_root_dir }}/sessions"
+    - "{{ framadate_root_dir }}/logs"
+    - "{{ framadate_root_dir }}/meta"
+  tags: framadate
+
+- name: Download Framadate
+  get_url:
+    url: "{{ framadate_zip_url }}"
+    dest: "{{ framadate_root_dir }}/tmp/"
+    checksum: "sha1:{{ framadate_zip_sha1 }}"
+  when: framadate_install_mode != 'none'
+  tags: framadate
+
+- name: Extract framadate archive
+  unarchive:
+    src: "{{ framadate_root_dir }}/tmp/framadate-{{ framadate_version }}.zip"
+    dest: "{{ framadate_root_dir }}/tmp/"
+    remote_src: yes
+  when: framadate_install_mode != 'none'
+  tags: framadate
+
+- name: Move the content of framadate to the correct top directory
+  synchronize:
+    src: "{{ framadate_root_dir }}/tmp/framadate-{{ framadate_version }}/"
+    dest: "{{ framadate_root_dir }}/web/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  when: framadate_install_mode != 'none'
+  tags: framadate
+
+- name: Install libs using composer
+  composer: command=install working_dir={{ framadate_root_dir }}/web executable=/bin/php{{ framadate_php_version }}
+  environment:
+    php: /bin/php{{ framadate_php_version }}
+  tags: framadate
+
+- name: Download custom logo
+  get_url:
+    url: "{{ framadate_logo_url }}"
+    dest: "{{ framadate_root_dir }}/web/images"
+  when: framadate_logo_url is search('https?://')
+  tags: framadate
+
+- name: Generate a random pass for the database
+  shell: openssl rand -base64 45 > {{ framadate_root_dir }}/meta/ansible_dbpass
+  args:
+    creates: "{{ framadate_root_dir }}/meta/ansible_dbpass"
+  when: framadate_mysql_pass is not defined
+  tags: framadate
+
+- name: Read database password
+  command: cat {{ framadate_root_dir }}/meta/ansible_dbpass
+  register: framadate_rand_pass
+  when: framadate_mysql_pass is not defined
+  changed_when: False
+  tags: framadate
+
+- name: Set database pass
+  set_fact: framadate_mysql_pass={{ framadate_rand_pass.stdout }}
+  when: framadate_mysql_pass is not defined
+  tags: framadate
+
+- name: Create MySQL database
+  mysql_db:
+    name: "{{ framadate_mysql_db }}"
+    login_host: "{{ framadate_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    state: present
+  register: framadate_mysql_created
+  tags: framadate
+
+- name: Create MySQL User
+  mysql_user:
+    name: "{{ framadate_mysql_user }}"
+    password: "{{ framadate_mysql_pass }}"
+    priv: "{{ framadate_mysql_db }}.*:ALL"
+    host: "{{ (framadate_mysql_server == 'localhost') | ternary('localhost', item) }}"
+    login_host: "{{ framadate_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+    state: present
+  with_items: "{{ ansible_all_ipv4_addresses }}"
+  tags: framadate
+
+- name: Copy SQL structure
+  copy: src=framadate.sql dest={{ framadate_root_dir }}/tmp/framadate.sql
+  when: framadate_install_mode != 'none'
+  tags: framadate
+
+- name: Inject MySQL schema
+  mysql_db:
+    name: "{{ framadate_mysql_db }}"
+    state: import
+    target: "{{ framadate_root_dir }}/tmp/framadate.sql"
+    login_host: "{{ framadate_mysql_server }}"
+    login_user: sqladmin
+    login_password: "{{ mysql_admin_pass }}"
+  when: framadate_install_mode == 'install'
+  tags: framadate
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  with_items:
+    - "{{ framadate_root_dir }}/tmp/framadate-{{ framadate_version }}"
+    - "{{ framadate_root_dir }}/tmp/framadate-{{ framadate_version }}.zip"
+    - "{{ framadate_root_dir }}/tmp/framadate.sql"
+  tags: framadate
+
+- name: Deploy permission script
+  template: src=perms.sh.j2 dest={{ framadate_root_dir}}/perms.sh mode=755
+  tags: framadate
+
+- name: Deploy httpd configuration
+  template: src=httpd.conf.j2 dest=/etc/httpd/ansible_conf.d/10-framadate_{{ framadate_id }}.conf
+  notify: reload httpd
+  tags: framadate
+
+- name: Deploy PHP configuration
+  template: src=php.conf.j2 dest=/etc/opt/remi/php{{ framadate_php_version }}/php-fpm.d/framadate_{{ framadate_id }}.conf
+  notify: restart php-fpm
+  tags: framadate
+
+- name: Remove PHP configuration from other versions
+  file: path=/etc/opt/remi/php{{ item }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
+  with_items: "{{ httpd_php_versions | difference([ framadate_php_version ]) }}"
+  notify: restart php-fpm
+  tags: framadate
+
+- name: Remove PHP configuration (using a custom pool)
+  file: path=/etc/opt/remi/php{{ framadate_php_version }}/php-fpm.d/framadate_{{ framadate_id }}.conf state=absent
+  when: framadate_php_fpm_pool is defined
+  notify: restart php-fpm
+  tags: framadate
+
+- name: Deploy framadate configuration
+  template: src=config.php.j2 dest={{ framadate_root_dir }}/web/app/inc/config.php owner=root group={{ framadate_php_user }} mode=640
+  tags: framadate
+
+- name: Set correct SELinux context
+  sefcontext:
+    target: "{{ framadate_root_dir }}(/.*)?"
+    setype: httpd_sys_content_t
+    state: present
+  when: ansible_selinux.status == 'enabled'
+  tags: framadate
+
+- name: Restrict permissions
+  command: "{{ framadate_root_dir }}/perms.sh"
+  changed_when: False
+  tags: framadate
+
+- name: Compress previous version
+  command: tar cJf {{ framadate_root_dir }}/archives/{{ framadate_current_version.stdout }}.txz ./
+  environment:
+    XZ_OPT: -T0
+  args:
+    chdir: "{{ framadate_root_dir }}/archives/{{ framadate_current_version.stdout }}"
+    warn: False
+  when: framadate_install_mode == 'upgrade'
+  tags: framadate
+
+- name: Remove archive directory
+  file: path={{ framadate_root_dir }}/archives/{{ framadate_current_version.stdout }} state=absent
+  when: framadate_install_mode == 'upgrade'
+  tags: framadate
+
+- name: Write version number
+  copy: content={{ framadate_version }} dest={{ framadate_root_dir }}/meta/ansible_version
+  when: framadate_install_mode != 'none'
+  tags: framadate
+
+...

roles/framadate/templates/config.php.j2

@@ -0,0 +1,39 @@
+<?php
+
+// {{ ansible_managed }}
+
+const NOMAPPLICATION = 'Framadate';
+const ADRESSEMAILADMIN = '{{ framadate_admin_email | default(system_admin_email) }}';
+const ADRESSEMAILREPONSEAUTO = '<no-reply@{{ ansible_domain }}>';
+const DB_USER = '{{ framadate_mysql_user | default('framadate') }}';
+const DB_PASSWORD = '{{ framadate_mysql_pass }}';
+const DB_CONNECTION_STRING = 'mysql:host={{ framadate_mysql_server }};dbname={{ framadate_mysql_db }};port={{ framadate_mysql_port }}';
+const MIGRATION_TABLE = 'framadate_migration';
+const TABLENAME_PREFIX = 'fd_';
+const DEFAULT_LANGUAGE = 'fr';
+$ALLOWED_LANGUAGES = [
+    'fr' => 'Français',
+    'en' => 'English',
+    'oc' => 'Occitan',
+    'es' => 'Español',
+    'de' => 'Deutsch',
+    'nl' => 'Dutch',
+    'it' => 'Italiano',
+    'br' => 'Brezhoneg',
+];
+const IMAGE_TITRE = '/images/{{ framadate_logo_url | basename }}';
+const URL_PROPRE = true;
+const USE_REMOTE_USER =  {{ framadate_proxy_auth | ternary('true','false') }};
+const LOG_FILE = '../logs/stdout.log';
+const PURGE_DELAY = 60;
+const MAX_SLOTS_PER_POLL = 366;
+const TIME_EDIT_LINK_EMAIL = 60;
+$config = [
+    'use_smtp'                   => true,
+    'show_what_is_that'          => false,
+    'show_the_software'          => false,
+    'show_cultivate_your_garden' => false,
+    'default_poll_duration'      => 180,
+    'user_can_add_img_or_link'   => true,
+    'provide_fork_awesome'       => true,
+];

roles/framadate/templates/httpd.conf.j2

@@ -0,0 +1,45 @@
+{% if framadate_alias is defined %}
+Alias /{{ framadate_alias }} {{ framadate_root_dir }}/web
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+<Directory {{ framadate_root_dir }}/web>
+  AllowOverride None
+  Options FollowSymLinks
+{% if framadate_allowed_ip is defined %}
+  Require ip {{ framadate_allowed_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ framadate_php_fpm_pool | default('framadate_' + framadate_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+{% if framadate_proxy_auth %}
+  SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
+{% endif %}
+
+  RewriteEngine On
+  RewriteCond %{REQUEST_FILENAME} -f [OR]
+  RewriteCond %{REQUEST_FILENAME} -d
+  RewriteRule . - [L]
+
+  RewriteRule ^([a-zA-Z0-9-]+)$ studs.php?poll=$1 [L]
+  RewriteRule ^([a-zA-Z0-9-]+)/action/([a-zA-Z_-]+)/(.+)$ studs.php?poll=$1&$2=$3
+  RewriteRule ^([a-zA-Z0-9-]+)/vote/([a-zA-Z0-9]{16})$ studs.php?poll=$1&vote=$2
+  RewriteRule ^(action/)?([a-zA-Z0-9-]{24})/admin$ adminstuds.php?poll=$2
+  RewriteRule ^([a-zA-Z0-9-]{24})/admin/vote/([a-zA-Z0-9]{16})$ adminstuds.php?poll=$1&vote=$2
+  RewriteRule ^([a-zA-Z0-9-]{24})/admin/action/([a-zA-Z_-]+)(/(.+))?$ adminstuds.php?poll=$1&$2=$4
+
+  <FilesMatch "(composer\..*|\.gitignore|\.editorconfig|.*\.(md|bat|sh|ini)|LICEN[SC]E\..*|htaccess\.txt|\.ansible_version)">
+    <IfModule mod_authz_core.c>
+        Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        Order allow,deny
+        Deny from all
+    </IfModule>
+  </FilesMatch>
+
+</Directory>
+

roles/framadate/templates/perms.sh.j2

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+restorecon -R {{ framadate_root_dir }}
+chown root:root {{ framadate_root_dir }}
+chmod 700 {{ framadate_root_dir }}
+setfacl -k -b {{ framadate_root_dir }}
+setfacl -m u:{{ framadate_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:rx {{ framadate_root_dir }}
+chown -R root:root {{ framadate_root_dir }}/web
+chown -R {{ framadate_php_user }} {{ framadate_root_dir }}/{tmp,sessions,logs}
+chmod 700 {{ framadate_root_dir }}/{tmp,sessions,logs}
+find {{ framadate_root_dir }}/web -type f -exec chmod 644 "{}" \;
+find {{ framadate_root_dir }}/web -type d -exec chmod 755 "{}" \;
+chown :{{ framadate_php_user }} {{ framadate_root_dir }}/web/app/inc/config.php
+chmod 640 {{ framadate_root_dir }}/web/app/inc/config.php
+[ -d {{ framadate_root_dir }}/web/tpl_c ] || mkdir -p {{ framadate_root_dir }}/web/tpl_c
+chown :{{ framadate_php_user }} {{ framadate_root_dir }}/web/tpl_c
+chmod 775 {{ framadate_root_dir }}/web/tpl_c

roles/framadate/templates/php.conf.j2

@@ -0,0 +1,36 @@
+[framadate_{{ framadate_id }}]
+
+listen.owner = root
+listen.group = apache
+listen.mode = 0660
+listen = /run/php-fpm/framadate_{{ framadate_id }}.sock
+user = {{ framadate_php_user }}
+group = {{ framadate_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 5m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 64M
+php_admin_value[session.save_path] = {{ framadate_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ framadate_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ framadate_root_dir }}/tmp
+php_admin_value[post_max_size] = 2M
+php_admin_value[upload_max_filesize] = 2M
+php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ framadate_root_dir }}
+php_admin_value[max_execution_time] = 60
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = off
+php_admin_flag[file_uploads] = off
+php_admin_flag[session.cookie_httponly] = on
+