Update to 2021-12-01 19:13

roles/freepbx/templates/amportal.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+scl enable php{{ fpbx_php_version }} -- /var/lib/asterisk/bin/amportal "$@"

roles/freepbx/templates/asterisk/manager.conf.j2

@@ -0,0 +1,28 @@
+;
+; AMI - Asterisk Manager interface
+;
+; FreePBX needs this to be enabled. Note that if you enable it on a different IP, you need
+; to assure that this can't be reached from un-authorized hosts with the ACL settings (permit/deny).
+; Also, remember to configure non-default port or IP-addresses in amportal.conf.
+;
+; The AMI connection is used both by the portal and the operator's panel in FreePBX.
+;
+; FreePBX assumes an AMI connection to localhost:5038 by default.
+;
+[general]
+enabled = yes
+port = 5038
+bindaddr = 0.0.0.0
+displayconnects=no ;only effects 1.6+
+
+[admin]
+secret = {{ fpbx_manager_pass }}
+deny=0.0.0.0/0.0.0.0
+permit=127.0.0.1/255.255.255.0
+read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
+write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
+writetimeout = 5000
+
+#include manager_additional.conf
+#include manager_custom.conf
+

roles/freepbx/templates/filebeat.yml.j2

@@ -0,0 +1,9 @@
+- type: log
+  enabled: True
+  paths:
+    - /var/log/asterisk/full
+    - /var/log/asterisk/*.log
+    - /var/lib/asterisk/.pm2/pm2.log
+  exclude_files:
+    - '\.[xg]z$'
+    - '\.\d+$'

roles/freepbx/templates/freepbx.conf.j2

@@ -0,0 +1,13 @@
+<?php
+
+// {{ ansible_managed }}
+
+$amp_conf['AMPDBUSER'] = '{{ fpbx_db_user }}';
+$amp_conf['AMPDBPASS'] = '{{ fpbx_db_pass }}';
+$amp_conf['AMPDBHOST'] = 'localhost';
+$amp_conf['AMPDBNAME'] = '{{ fpbx_db_name }}';
+$amp_conf['AMPDBENGINE'] = 'mysql';
+$amp_conf['datasource'] = '';
+
+require_once('/opt/freepbx/web/admin/bootstrap.php');
+?>

roles/freepbx/templates/freepbx.service.j2

@@ -0,0 +1,19 @@
+
+[Unit]
+Description=FreePBX VoIP Server
+{% if fpbx_db_server == 'localhost' or fpbx_db_server == '127.0.0.1' %}
+Requires=mariadb.service
+{% endif %}
+
+[Service]
+Type=forking
+ExecStart=/usr/local/bin/fwconsole start -q
+ExecStop=/usr/local/bin/fwconsole stop -q
+ExecReload=/usr/local/bin/fwconsole reload -q
+SyslogIdentifier=FreePBX
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+ 
+[Install]
+WantedBy=multi-user.target

roles/freepbx/templates/fwconsole.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+scl enable php{{ fpbx_php_version }} -- /var/lib/asterisk/bin/fwconsole "$@"

roles/freepbx/templates/httpd.conf.j2

@@ -0,0 +1,20 @@
+{% if fpbx_alias is defined %}
+Alias /{{ fpbx_alias }} {{ fpbx_root_dir }}/web/
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+ProxyTimeout 900
+RewriteEngine On
+<Directory {{ fpbx_root_dir }}/web/>
+  AllowOverride All
+  Options FollowSymLinks
+{% if fpbx_src_ip is defined %}
+  Require ip {{ fpbx_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ fpbx_php_fpm_pool  | default('freepbx') }}.sock|fcgi://localhost"
+  </FilesMatch>
+</Directory>

roles/freepbx/templates/logrotate.conf.j2

@@ -0,0 +1,27 @@
+/var/log/asterisk/messages
+/var/log/asterisk/event_log
+/var/log/asterisk/queue_log
+/var/log/asterisk/full
+/var/log/asterisk/security
+/var/log/asterisk/freepbx.log
+/var/log/asterisk/freepbx_security.log
+/var/log/asterisk/ucp_err.log
+/var/log/asterisk/ucp_out.log
+/var/log/asterisk/cdr-csv/Master.csv
+{
+    missingok
+    notifempty
+    su asterisk asterisk
+    create 0640 asterisk asterisk
+    sharedscripts
+    daily
+    rotate 365
+    compress
+    compressoptions -T0
+    compresscmd /usr/bin/xz
+    compressext .xz
+    uncompresscmd /usr/bin/unxz
+    postrotate
+        /usr/sbin/asterisk -rx 'logger reload' >/dev/null 2>/dev/null || true
+    endscript
+}

roles/freepbx/templates/perms.sh.j2

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+restorecon -R {{ fpbx_root_dir }}
+chmod 755 {{ fpbx_root_dir }}
+chown root:root {{ fpbx_root_dir }}/{meta,db_dumps}
+chmod 700 {{ fpbx_root_dir }}/{meta,db_dumps}
+setfacl -k -b {{ fpbx_root_dir }}
+setfacl -m u:asterisk:rx,u:{{ httpd_user | default('apache') }}:rx {{ fpbx_root_dir }}
+chown -R root:root {{ fpbx_root_dir }}/web
+chown -R asterisk:asterisk {{ fpbx_root_dir }}/{tmp,sessions,web}
+chmod 755 {{ fpbx_root_dir }}/provisioning
+chown -R asterisk:asterisk {{ fpbx_root_dir }}/provisioning
+setfacl -m u:phone:rX {{ fpbx_root_dir }}/provisioning/*
+setfacl -R -m u:phone:rwX {{ fpbx_root_dir }}/provisioning/{contacts,logs,overrides,licenses,bmp}
+chmod 700 {{ fpbx_root_dir }}/{tmp,sessions}
+find {{ fpbx_root_dir }}/web -type f -exec chmod 644 "{}" \;
+find {{ fpbx_root_dir }}/web -type d -exec chmod 755 "{}" \;
+scl enable php{{ fpbx_php_version }} -- /usr/local/bin/fwconsole chown

roles/freepbx/templates/php.conf.j2

@@ -0,0 +1,45 @@
+; {{ ansible_managed }}
+
+[freepbx]
+
+listen.owner = root
+listen.group = {{ httpd_user | default('apache') }}
+listen.mode = 0660
+listen = /run/php-fpm/freepbx.sock
+user = asterisk
+group = asterisk
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 60m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 512M
+php_admin_value[session.save_path] = {{ fpbx_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ fpbx_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ fpbx_root_dir }}/tmp
+php_admin_value[post_max_size] = 50M
+php_admin_value[upload_max_filesize] = 50M
+php_admin_value[max_execution_time] = 900
+php_admin_value[max_input_time] = 900
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = on
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on
+
+; Needed so that the #!/usr/bin/env php shebang will point to the correct PHP version
+env[PATH] = /opt/remi/php{{ fpbx_php_version }}/root/usr/bin:/opt/remi/php{{ fpbx_php_version }}/root/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
+{% if system_proxy is defined and system_proxy != '' %}
+env[http_proxy] = {{ system_proxy }}
+env[https_proxy] = {{ system_proxy }}
+{% if system_proxy_no_proxy is defined and system_proxy_no_proxy | length > 0 %}
+env[no_proxy] = {{ system_proxy_no_proxy | join(',') }}
+{% endif %}
+{% endif %}

roles/freepbx/templates/post_backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ fpbx_root_dir }}/backup/*

roles/freepbx/templates/pre_backup.sh.j2

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -eo pipefail
+
+/usr/bin/mysqldump \
+  --quick --single-transaction \
+{% if fpbx_db_server not in ['127.0.0.1', 'localhost'] %}
+  --user={{ fpbx_db_user }} \
+  --password={{ fpbx_db_pass | quote }} \
+  --host={{ fpbx_db_server }} \
+{% endif %}
+  --add-drop-table {{ fpbx_db_name }} | zstd -T0 -c > {{ fpbx_root_dir }}/backup/{{ fpbx_db_name }}.sql.zst
+/usr/bin/mysqldump \
+  --quick --single-transaction \
+{% if fpbx_db_server not in ['127.0.0.1', 'localhost'] %}
+  --user={{ fpbx_db_user }} \
+  --password={{ fpbx_db_pass | quote }} \
+  --host={{ fpbx_db_server }} \
+{% endif %}
+  --add-drop-table {{ fpbx_cdr_db_name }} | zstd -T0 -c > {{ fpbx_root_dir }}/backup/{{ fpbx_cdr_db_name }}.sql.zst

roles/freepbx/templates/vsftpd/chroot_list.j2

@@ -0,0 +1 @@
+phone

roles/freepbx/templates/vsftpd/pam.j2

@@ -0,0 +1,7 @@
+#%PAM-1.0
+session    optional     pam_keyinit.so    force revoke
+auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
+auth       include      password-auth
+account    include      password-auth
+session    required     pam_loginuid.so
+session    include      password-auth

roles/freepbx/templates/vsftpd/user_list.j2

@@ -0,0 +1 @@
+phone

roles/freepbx/templates/vsftpd/vsftpd.conf.j2

@@ -0,0 +1,15 @@
+anonymous_enable=NO
+local_enable=YES
+write_enable=YES
+local_umask=007
+xferlog_enable=YES
+xferlog_std_format=YES
+chroot_list_enable=YES
+listen=YES
+pam_service_name=vsftpd
+userlist_enable=YES
+tcp_wrappers=YES
+userlist_deny=NO
+pasv_enable=YES
+pasv_min_port=40000
+pasv_max_port=40100