Update to 2021-12-01 19:13

2025-07-27 08:15:54 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/httpd_php/defaults/main.yml
+++ b/roles/httpd_php/defaults/main.yml
@@ -0,0 +1,44 @@
+---
+
+httpd_php_common_modules:
+  - cli
+  - ldap
+  - imap
+  - gd
+  - xml
+  - xmlrpc
+  - soap
+  - opcache
+  - fpm
+  - mbstring
+  - mysqlnd
+  - pgsql
+  - json
+  - bcmath
+  - intl
+  - pear
+  - process
+  - snmp
+  - pecl-memcached
+  - pecl-zip
+  - pecl-apcu
+  - pecl-imagick
+
+httpd_php_versions:
+  - 56
+  - 70
+  - 71
+  - 72
+  - 73
+  - 74
+  - 80
+
+httpd_php_default_version: 73
+
+#httpd_php_ansible_pools:
+#  name: glpi
+#  version: 71
+#  conf:
+#    allow_url_fopen: True
+#
+...
--- a/roles/httpd_php/files/tmpfiles.conf
+++ b/roles/httpd_php/files/tmpfiles.conf
@@ -0,0 +1 @@
+d /run/php-fpm 755 root root
--- a/roles/httpd_php/handlers/main.yml
+++ b/roles/httpd_php/handlers/main.yml
@@ -0,0 +1,18 @@
+---
+
+- include: ../httpd_common/handlers/main.yml
+
+# We need to stop all the pools and then start them again
+# because if we move one pool config from one version to another
+# the socket might not be removed at the correct time, depending on the
+# order of execution
+- name: restart php-fpm
+  service: name=php{{ item }}-php-fpm state=stopped enabled=True
+  with_items: "{{ httpd_php_versions }}"
+  notify: start php-fpm
+
+- name: start php-fpm
+  service: name=php{{ item }}-php-fpm state=started enabled=True
+  with_items: "{{ httpd_php_versions }}"
+
+...
--- a/roles/httpd_php/meta/main.yml
+++ b/roles/httpd_php/meta/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+  - role: httpd_common
+  - role: repo_remi
+...
--- a/roles/httpd_php/tasks/main.yml
+++ b/roles/httpd_php/tasks/main.yml
@@ -0,0 +1,96 @@
+---
+
+- name: Build the list of packages
+  set_fact:
+     httpd_php_packages: "{{ httpd_php_packages | default([]) }} + [ 'php{{ item.0 }}-php-{{ item.1 }}' ]"
+  with_nested:
+    - "{{ httpd_php_versions }}"
+    - "{{ httpd_php_common_modules }}"
+  tags: web
+
+- name: Install PHP packages
+  yum: name={{ httpd_php_packages }}
+  notify: restart php-fpm
+  register: httpd_php_installed
+  tags: web
+
+- name: Install scl utils
+  yum:
+    name:
+      - scl-utils
+  tags: web
+
+- name: Create tmpfiles.d fragment
+  copy: src=tmpfiles.conf dest=/etc/tmpfiles.d/php-fpm-scl.conf
+  notify: systemd-tmpfiles
+  register: httpd_php_tmpfiles
+  tags: web
+
+- name: Create tmpfiles
+  command: systemd-tmpfiles --create
+  when: httpd_php_installed.changed or httpd_php_tmpfiles.changed
+  tags: web
+
+- name: Disable default FPM pools
+  template: src=default_fpm_pool.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/www.conf
+  loop: "{{ httpd_php_versions }}"
+  notify: restart php-fpm
+  tags: web
+
+- name: Deploy main php.ini configuration
+  template: src=php.ini.j2 dest=/etc/opt/remi/php{{ item }}/php.ini
+  loop: "{{ httpd_php_versions }}"
+  notify: restart php-fpm
+  tags: web
+
+- name: Deploy PHP FPM master's configuration
+  template: src=php-fpm.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.conf
+  loop: "{{ httpd_php_versions }}"
+  notify: restart php-fpm
+  tags: web
+
+- name: Deploy default PHP FPM pools configurations
+  template: src=php_fpm_pool.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/php{{ item }}.conf
+  loop: "{{ httpd_php_versions }}"
+  notify: restart php-fpm
+  tags: web
+
+- name: Create user accounts for ansible PHP FPM pools
+  user: name={{ item }} comment="PHP FPM {{ item }}" system=True shell=/sbin/nologin
+  loop: "{{ httpd_php_ansible_pools | default([]) | selectattr('user', 'defined') | map(attribute='user') | list }}"
+  tags: web
+
+- name: Deploy ansible PHP FPM pools configurations
+  template: src=php_fpm_ansible_pools.conf.j2 dest=/etc/opt/remi/php{{ item }}/php-fpm.d/ansible_pools.conf
+  loop: "{{ httpd_php_versions }}"
+  notify: restart php-fpm
+  tags: web
+
+- name: Create log directories
+  file: path=/var/log/php/php{{ item }} state=directory mode=770 owner=root group={{ httpd_user }}
+  loop: "{{ httpd_php_versions }}"
+  notify: restart php-fpm
+  tags: web
+
+- name: Start and enable SCL PHP FPM services
+  service: name=php{{ item }}-php-fpm state=started enabled=yes
+  loop: "{{ httpd_php_versions }}"
+  tags: web
+
+- name: Deploy httpd configuration fragments
+  template: src={{ item.src }} dest={{ item.dest }}
+  loop:
+    - { src: httpd_php.conf.j2, dest: /etc/httpd/ansible_conf.d/php.conf }
+  notify: reload httpd
+  tags: web
+
+- name: Allow network connections in SELinux
+  seboolean: name={{ item }} state=yes persistent=yes
+  loop:
+    - httpd_can_network_connect_db
+    - httpd_can_network_memcache
+    - httpd_can_network_connect
+    - httpd_can_sendmail
+  when: ansible_selinux.status == 'enabled'
+  tags: web
+...
--- a/roles/httpd_php/templates/default_fpm_pool.conf.j2
+++ b/roles/httpd_php/templates/default_fpm_pool.conf.j2
@@ -0,0 +1 @@
+; {{ ansible_managed }}
--- a/roles/httpd_php/templates/httpd_php.conf.j2
+++ b/roles/httpd_php/templates/httpd_php.conf.j2
@@ -0,0 +1,5 @@
+<FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/php{{ httpd_php_default_version | default('71') }}.sock|fcgi://localhost"
+    RewriteEngine On
+    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
+</FilesMatch>
--- a/roles/httpd_php/templates/php-fpm.conf.j2
+++ b/roles/httpd_php/templates/php-fpm.conf.j2
@@ -0,0 +1,9 @@
+
+include = /etc/opt/remi/php{{ item }}/php-fpm.d/*.conf
+
+[global]
+pid = /run/php-fpm/php{{ item }}-fpm.pid
+error_log = syslog
+syslog.facility = daemon
+syslog.ident = php{{ item }}-fpm
+
--- a/roles/httpd_php/templates/php.ini.j2
+++ b/roles/httpd_php/templates/php.ini.j2
@@ -0,0 +1,166 @@
+[php]
+engine=on
+file_uploads={{ php_conf_file_uploads | default('off') }}
+upload_max_filesize={{ php_conf_upload_max_filesize | default('2M') }}
+max_file_uploads={{ php_conf_max_file_uploads | default('20') }}
+max_execution_time={{ php_conf_max_execution_time | default('30') }}
+memory_limit={{ php_conf_memory_limit | default('128M') }}
+post_max_size={{ php_conf_post_max_size | default('8M') }}
+max_input_time=60
+
+zlib.output_compression=off
+
+expose_php=off
+
+display_error=off
+display_startup_errors=off
+log_errors=on
+error_reporting=E_ALL & ~E_DEPRECATED & ~E_STRICT
+report_memleaks=on
+auto_globals_jit=on
+output_buffering=4096
+register_argc_argv=off
+request_order=GP
+variables_order=GPCS
+short_open_tag=off
+
+sys_temp_dir='/tmp'
+upload_tmp_dir='/tmp'
+
+allow_url_fopen={{ php_conf_allow_url_fopen | default('on') }}
+allow_url_include=off
+
+[CLI Server]
+cli_server.color=on
+
+[Date]
+date.timezone={{ php_conf_date_timezone | default('Europe/Paris') }}
+
+[filter]
+
+[iconv]
+
+[intl]
+
+[sqlite]
+
+[sqlite3]
+
+[Pcre]
+pcre.jit=0
+
+[Pdo]
+
+[Pdo_mysql]
+pdo_mysql.cache_size=2000
+pdo_mysql.default_socket=
+
+[Phar]
+
+[mail function]
+sendmail_path=/usr/sbin/sendmail -t -i
+mail.add_x_header=On
+
+[SQL]
+sql.safe_mode=off
+
+[ODBC]
+odbc.allow_persistent=on
+odbc.check_persistent=on
+odbc.max_persistent=-1
+odbc.max_links=-1
+odbc.defaultlrl=4096
+odbc.defaultbinmode=1
+
+[Interbase]
+ibase.allow_persistent=1
+ibase.max_persistent=-1
+ibase.max_links=-1
+ibase.timestampformat="%Y-%m-%d %H:%M:%S"
+ibase.dateformat="%Y-%m-%d"
+ibase.timeformat="%H:%M:%S"
+
+[MySQLi]
+mysqli.max_persistent=-1
+mysqli.allow_persistent=on
+mysqli.max_links=-1
+mysqli.cache_size=2000
+mysqli.default_port=3306
+mysqli.default_socket=
+mysqli.default_host=
+mysqli.default_user=
+mysqli.default_pw=
+mysqli.reconnect=off
+
+[mysqlnd]
+mysqlnd.collect_statistics=on
+mysqlnd.collect_memory_statistics=off
+
+[PostgreSQL]
+pgsql.allow_persistent=on
+pgsql.auto_reset_persistent=off
+pgsql.max_persistent=-1
+pgsql.max_links=-1
+pgsql.ignore_notice=0
+pgsql.log_notice=0
+
+[bcmath]
+bcmath.scale=0
+
+[browscap]
+
+[Sessions]
+session.save_handler=files
+session.save_path=/var/lib/php/sessions
+session.use_strict_mode=1
+session.use_cookies=1
+session.use_only_cookies=1
+session.name=PHPSESSID
+session.auto_start=0
+session.cookie_lifetime=0
+session.cookie_path=/
+session.cookie_httponly=1
+session.serialize_handler=php
+session.gc_divisor=1000
+session.gc_maxlifetime={{ php_conf_session_gc_maxlifetime | default('1440') }}
+session.hash_bits_per_character=5
+session.referer_check=
+session.cache_limiter=nocache
+session.cache_expire=100
+session.use_trans_sid=0
+session.hash_function=1
+
+
+url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
+
+[Assertion]
+zend.assertions=-1
+
+[mbstring]
+
+[gd]
+
+[exif]
+
+[Tidy]
+tidy.clean_output=off
+
+[soap]
+soap.wsdl_cache_enabled=1
+soap.wsdl_cache_dir=/var/lib/php/wsdlcache/
+soap.wsdl_cache_ttl=86400
+soap.wsdl_cache_limit=5
+
+[sysvshm]
+
+[ldap]
+ldap.max_links=-1
+
+[mcrypt]
+
+[dba]
+
+[curl]
+
+[openssl]
+
--- a/roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2
+++ b/roles/httpd_php/templates/php_fpm_ansible_pools.conf.j2
@@ -0,0 +1,61 @@
+; {{ ansible_managed }}
+{% for pool in httpd_php_ansible_pools | default([]) %}
+{% if pool.version | default(httpd_php_default_version) == item %}
+{% if pool.conf is not defined %}
+{% set conf = {} %}
+{% else %}
+{% set conf = pool.conf %}
+{% endif %}
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;  Begin pool {{ pool.name }}
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+[{{ pool.name }}]
+
+listen.owner = root
+listen.group = {{ httpd_group }}
+listen.mode = 0660
+listen = /run/php-fpm/{{ pool.name }}.sock
+user = {{ pool.user | default(httpd_user) }}
+group = {{ pool.user | default(httpd_group) }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = {{ conf.max_children | default('15') }}
+pm.start_servers = {{ conf.start_servers | default('3') }}
+pm.min_spare_servers = {{ conf.min_spare_servers | default('3') }}
+pm.max_spare_servers = {{ conf.max_spare_servers | default('6') }}
+pm.max_requests = {{ conf.max_requests | default('5000') }}
+request_terminate_timeout = {{ conf.request_terminate_timeout | default('5m') }}
+
+php_flag[display_errors] = {{ conf.display_errors | default(False) | ternary('on','off') }}
+php_admin_flag[log_errors] = {{ conf.log_errors | default(True) | ternary('on','off') }}
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = {{ conf.memory_limit | default('128M') }}
+php_admin_value[session.save_path] = {{ conf.session_save_path | default('/var/lib/php/session') }}
+php_admin_value[upload_tmp_dir] = {{ conf.tmp_dir | default('/tmp') }}
+php_admin_value[sys_temp_dir] = {{ conf.tmp_dir | default('/tmp') }}
+php_admin_value[post_max_size] = {{ conf.post_max_size | default('5M') }}
+php_admin_value[upload_max_filesize] = {{ conf.upload_max_filesize | default('5M') }}
+php_admin_value[disable_functions] = {{ conf.disable_functions | default([ 'system', 'show_source', 'symlink', 'exec', 'dl', 'shell_exec', 'passthru', 'phpinfo', 'escapeshellarg', 'escapeshellcmd' ]) | difference(conf.enable_functions | default([]) ) | join(', ') }}
+{% if conf.open_basedir is defined %}
+php_admin_value[open_basedir] = {{ conf.open_basedir | join(':') }}
+{% endif %}
+php_admin_value[max_execution_time] = {{ conf.max_execution_time | default('60') }}
+php_admin_value[max_input_time] = {{ conf.max_input_time | default('60') }}
+php_admin_flag[allow_url_include] = {{ conf.allow_url_include | default(False) | ternary('on','off') }}
+php_admin_flag[allow_url_fopen] = {{ conf.allow_url_fopen | default(False) | ternary('on','off') }}
+php_admin_flag[file_uploads] = {{ conf.file_uploads | default(True) | ternary('on','off') }}
+php_admin_flag[session.cookie_httponly] = on
+
+{% if conf.custom_conf is defined %}
+{{ conf.custom_conf }}
+{% endif %}
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;  End pool {{ pool.name }}
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+
+{% endif %}
+{% endfor %}
--- a/roles/httpd_php/templates/php_fpm_pool.conf.j2
+++ b/roles/httpd_php/templates/php_fpm_pool.conf.j2
@@ -0,0 +1,30 @@
+[php{{ item }}]
+listen.owner = root
+listen.group = {{ httpd_group }}
+listen.mode = 0660
+pm = dynamic
+pm.max_children = {{ httpd_php_pool_max_children | default('15') }}
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 5m
+listen = /run/php-fpm/php{{ item }}.sock
+user = {{ httpd_user }}
+group = {{ httpd_group }}
+
+
+php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f php@{{ ansible_domain }}
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = {{ php_pool_memory_limit | default('128M') }}
+php_value[session.save_handler] = files
+{% if '7' in item|string %}
+{% set var_lib_path = "/var/opt/remi/php" ~ item ~ "/lib/php" %}
+{% else %}
+{% set var_lib_path = "/opt/remi/php" ~ item ~ "/root/var/lib" %}
+{% endif %}
+php_admin_value[session.save_path] = {{ var_lib_path }}/session
+php_value[soap.wsdl_cache_dir]  = {{ var_lib_path }}/wsdlcache
+php_value[opcache.file_cache]  = {{ var_lib_path }}/opcache