diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..d83295a
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,129 @@ +--- +# .ansible-lint + +profile: production # min, basic, moderate,safety, shared, production + +# Allows dumping of results in SARIF format +# sarif_file: result.sarif + +# exclude_paths included in this file are parsed relative to this file's location +# and not relative to the CWD of execution. CLI arguments passed to the --exclude +# option are parsed relative to the CWD of execution. +exclude_paths: + - .github/ + - .ansible-lint +# parseable: true +# quiet: true +# strict: true +# verbosity: 1 + +# Mock modules or roles in order to pass ansible-playbook --syntax-check +#mock_modules: +# - zuul_return +# note the foo.bar is invalid as being neither a module or a collection +# - fake_namespace.fake_collection.fake_module +# - fake_namespace.fake_collection.fake_module.fake_submodule +#mock_roles: +# - mocked_role +# - author.role_name # old standalone galaxy role +# - fake_namespace.fake_collection.fake_role # role within a collection + +# Enable checking of loop variable prefixes in roles +loop_var_prefix: "^(__|{role}_)" + +# Enforce variable names to follow pattern below, in addition to Ansible own +# requirements, like avoiding python identifiers. To disable add `var-naming` +# to skip_list. +var_naming_pattern: "^[a-z_][a-z0-9_]*$" + +use_default_rules: true +# Load custom rules from this specific folder +# rulesdir: +# - ./rule/directory/ + +# Ansible-lint is able to recognize and load skip rules stored inside +# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files. +# To skip a rule just enter filename and tag, like "playbook.yml package-latest" +# on a new line. +# Optionally you can add comments after the tag, prefixed by "#". We discourage +# the use of skip_list below because that will hide violations from the output. +# When putting ignores inside the ignore file, they are marked as ignored, but +# still visible, making it easier to address later. 
+skip_list: + - risky-shell-pipe +# - skip_this_tag + +# Ansible-lint does not automatically load rules that have the 'opt-in' tag. +# You must enable opt-in rules by listing each rule 'id' below. +enable_list: + - args + - empty-string-compare # opt-in + - no-log-password # opt-in + - no-same-owner # opt-in + - name[prefix] # opt-in + - galaxy-version-incorrect # opt-in + # add yaml here if you want to avoid ignoring yaml checks when yamllint + # library is missing. Normally its absence just skips using that rule. + - yaml +# Report only a subset of tags and fully ignore any others +# tags: +# - jinja[spacing] + +# Ansible-lint does not fail on warnings from the rules or tags listed below +#warn_list: +# - skip_this_tag +# - experimental # experimental is included in the implicit list +# - role-name +# - yaml[document-start] # you can also use sub-rule matches + +# Some rules can transform files to fix (or make it easier to fix) identified +# errors. `ansible-lint --fix` will reformat YAML files and run these transforms. +# By default it will run all transforms (effectively `write_list: ["all"]`). +# You can disable running transforms by setting `write_list: ["none"]`. +# Or only enable a subset of rule transforms by listing rules/tags here. +# write_list: +# - all + +# Offline mode disables installation of requirements.yml and schema refreshing +offline: true + + # Define required Ansible's variables to satisfy syntax check + #extra_vars: + # foo: bar + # multiline_string_variable: | + # line1 + # line2 + # complex_variable: ":{;\t$()" + + # Uncomment to enforce action validation with tasks, usually is not + # needed as Ansible syntax check also covers it. + # skip_action_validation: false + + # List of additional kind:pattern to be added at the top of the default + # match list, first match determines the file kind. 
+ #kinds: + # - playbook: "**/examples/*.{yml,yaml}" + # - galaxy: "**/folder/galaxy.yml" + # - tasks: "**/tasks/*.yml" + # - vars: "**/vars/*.yml" +# - meta: "**/meta/main.yml" +# - yaml: "**/*.yaml-too" + +# List of additional collections to allow in only-builtins rule. +# only_builtins_allow_collections: +# - example_ns.example_collection + +# List of additions modules to allow in only-builtins rule. +# only_builtins_allow_modules: +# - example_module + +# Allow setting custom prefix for name[prefix] rule +#task_name_prefix: "{stem} | " +# Complexity related settings + +# Limit the depth of the nested blocks: +# max_block_depth: 20 + +# Also recognize these versions of Ansible as supported: +# supported_ansible_also: +# - "2.14" diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml new file mode 100644 index 0000000..4505a53 --- /dev/null +++ b/.github/workflows/pull-request.yml @@ -0,0 +1,12 @@ +--- +name: Pull request + +on: pull_request + +jobs: + ansible-lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Run ansible-lint + uses: ansible/ansible-lint@main diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..723ef36 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea \ No newline at end of file diff --git a/README.md b/README.md index a274928..a996889 100644 --- a/README.md +++ b/README.md @@ -157,6 +157,22 @@ Example Playbook roles: - { role: f500.php8, php8_version: 8.0, php8_enable_fpm: yes } +Linting +------- +Github actions will check this role with ansible-lint. To run this locally, you will need to follow the following steps: + +```bash +brew install ansible-lint +brew install yamllint +ansible-lint +``` + +to fix the linting errors, run: + +```bash +ansible-lint --fix +``` + License ------- diff --git a/defaults/main.yml b/defaults/main.yml index 962433b..bcff0a0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
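Review bot: `skip_list: - risky-shell-pipe` silences that rule for the whole repository, so a future `ansible.builtin.shell` task that pipes without `set -o pipefail` will pass CI without any trace in the report; the comment block directly above the entry explains why the project prefers `.ansible-lint-ignore` lines that stay visible in the output. No shell task appears in this diff, so if nothing currently triggers the rule the entry can simply be dropped; otherwise move it to `warn_list:` or to a per-file ignore entry so the specific task remains on the report. The `profile: production` and `offline: true` settings look intentional for a Galaxy role, and with `offline: true` the `requirements.yml` install is skipped, which is worth a one-line comment so nobody re-enables it by accident.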
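Review bot: `uses: ansible/ansible-lint@main` pins the lint step to a moving branch, so whatever that branch contains on the day a pull request opens runs against the checked-out repository with this job's token; `actions/checkout@v4` is a mutable tag as well. Pin both to a release tag or, better, to a full commit SHA with the version in a trailing comment, so an upstream change to the action is an explicit, reviewed bump here. The job only reads the repository, so the workflow should also declare a top-level `permissions:` block with `  contents: read` to drop the default write scopes from the token.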
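Review bot: The new `.gitignore` covers only `.idea`, while this same commit adds the compiled `filter_plugins/__pycache__/prefix.cpython-313.pyc` to the tree; committed bytecode is not reviewable source and will drift from the plugin it was compiled from (presumably the `prefix` filter used in `tasks/main.yml`). Remove the `.pyc` from the commit and add `__pycache__/` and `*.pyc` here so it cannot come back. The file also ends without a trailing newline, per the `\ No newline at end of file` marker, which is worth fixing while the file is new.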
@@ -2,50 +2,48 @@ php8_version: 8.0 -php8_enable_apache: no -php8_enable_cgi: no -php8_enable_fpm: no +php8_enable_apache: false +php8_enable_cgi: false +php8_enable_fpm: false -php8_enable_dev: no +php8_enable_dev: false php8_ini_directives_default: - allow_url_fopen: no + allow_url_fopen: false disable_functions: "exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec" - expose_php: no - session.cookie_httponly: yes - session.cookie_secure: yes + expose_php: false + session.cookie_httponly: true + session.cookie_secure: true session.hash_bits_per_character: 4 session.hash_function: sha256 session.sid_bits_per_character: 4 session.sid_length: 64 - session.use_strict_mode: yes + session.use_strict_mode: true php8_ini_directives_global: {} php8_ini_directives_cli: {} php8_ini_directives_apache: {} php8_ini_directives_cgi: {} php8_ini_directives_fpm: {} - php8_extensions: [] php8_versioned_extensions: [] - php8_fpm_pid: "/run/php/php{{ php8_version }}-fpm.pid" php8_fpm_error_log: "/var/log/php{{ php8_version }}-fpm.log" php8_fpm_log_level: warning -php8_fpm_syslog_facility: ~ -php8_fpm_syslog_ident: ~ +php8_fpm_syslog_facility: +php8_fpm_syslog_ident: php8_fpm_emergency_restart_threshold: 0 php8_fpm_emergency_restart_interval: 0 php8_fpm_process_control_timeout: 0 php8_fpm_process_max: 0 -php8_fpm_process_priority: ~ -php8_fpm_daemonize: yes -php8_fpm_rlimit_files: ~ -php8_fpm_rlimit_core: ~ +php8_fpm_process_priority: +php8_fpm_daemonize: true +php8_fpm_rlimit_files: +php8_fpm_rlimit_core: php8_fpm_events_mechanism: epoll php8_fpm_systemd_interval: 10 -php8_fpm_pool_enabled: yes +php8_fpm_pool_enabled: true php8_fpm_pool_name: www php8_fpm_pool_user: www-data php8_fpm_pool_group: www-data 
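Review bot: The `~` defaults replaced in this hunk (`php8_fpm_syslog_facility:` through `php8_fpm_rlimit_core:`) are now bare empty values, and the same pattern repeats in the two hunks below at `php8_fpm_pool_listen_acl_users:` and `php8_fpm_pool_access_log:`. Both forms load as null, so no behaviour change is expected, but a bare key reads as a forgotten value and is exactly what yamllint's `empty-values` rule flags; spelling the intent out as `php8_fpm_syslog_facility: null` keeps the file unambiguous. The templates that consume these (`php-fpm.conf.j2`, `php-fpm-pool.conf.j2`) are outside this diff, so I cannot confirm they test for none rather than an empty string; worth a quick check that the directives are still omitted as they were with `~`.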
@@ -54,9 +52,9 @@ php8_fpm_pool_listen_backlog: 512 php8_fpm_pool_listen_owner: "{{ php8_fpm_pool_user }}" php8_fpm_pool_listen_group: "{{ php8_fpm_pool_group }}" php8_fpm_pool_listen_mode: "0660" -php8_fpm_pool_listen_acl_users: ~ -php8_fpm_pool_listen_acl_groups: ~ -php8_fpm_pool_listen_allowed_clients: ~ +php8_fpm_pool_listen_acl_users: +php8_fpm_pool_listen_acl_groups: +php8_fpm_pool_listen_allowed_clients: php8_fpm_pool_pm: dynamic php8_fpm_pool_pm_max_children: 5 php8_fpm_pool_pm_start_servers: 2 @@ -67,17 +65,17 @@ php8_fpm_pool_pm_max_requests: 512 php8_fpm_pool_status_path: /status php8_fpm_pool_ping_path: /ping php8_fpm_pool_ping_response: pong -php8_fpm_pool_access_log: ~ -php8_fpm_pool_access_format: ~ -php8_fpm_pool_slowlog: ~ +php8_fpm_pool_access_log: +php8_fpm_pool_access_format: +php8_fpm_pool_slowlog: php8_fpm_pool_request_slowlog_timeout: 0 php8_fpm_pool_request_terminate_timeout: 0 -php8_fpm_pool_rlimit_files: ~ -php8_fpm_pool_rlimit_core: ~ -php8_fpm_pool_chroot: ~ +php8_fpm_pool_rlimit_files: +php8_fpm_pool_rlimit_core: +php8_fpm_pool_chroot: php8_fpm_pool_chdir: /var/www -php8_fpm_pool_catch_workers_output: yes -php8_fpm_pool_clear_env: yes +php8_fpm_pool_catch_workers_output: true +php8_fpm_pool_clear_env: true php8_fpm_pool_security_limit_extensions: .php php8_fpm_pool_env: {} php8_fpm_pool_php_admin_value: {} diff --git a/filter_plugins/__pycache__/prefix.cpython-313.pyc b/filter_plugins/__pycache__/prefix.cpython-313.pyc new file mode 100644 index 0000000..828f145 Binary files /dev/null and b/filter_plugins/__pycache__/prefix.cpython-313.pyc differ diff --git a/handlers/main.yml b/handlers/main.yml index 7c3df43..369f401 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -1,13 +1,12 @@ --- - - name: Restart Apache - service: + ansible.builtin.service: name: apache2 state: restarted when: php8_enable_apache | bool - name: Restart PHP FPM - service: + ansible.builtin.service: name: "php{{ php8_version }}-fpm" state: restarted when: php8_enable_fpm | bool diff --git a/meta/main.yml b/meta/main.yml index 440c02b..63b8876 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -2,15 +2,16 @@ galaxy_info: role_name: php8 + namespace: f500 author: "Jasper N. Brouwer, Ramon de la Fuente" description: Install PHP version 8.X from deb.sury.org company: Future500 license: LGPL-3.0 min_ansible_version: "2.0" platforms: - - name: Debian - versions: - - bullseye - - bookworm + - name: Debian + versions: + - bullseye + - bookworm galaxy_tags: - web diff --git a/tasks/main.yml b/tasks/main.yml index a5304dc..258a122 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,119 +1,125 @@ --- - - name: Validate version value - fail: + ansible.builtin.fail: msg: "The value of php8_version must >= 8.0 and < 9.0" when: not (php8_version >= 8.0 and php8_version < 9.0) - name: Install packages needed to use the deb.sury.org repository - apt: - name: ['apt-transport-https', 'ca-certificates'] + ansible.builtin.apt: + name: ["apt-transport-https", "ca-certificates"] state: present - name: Add the deb.sury.org trusted key ansible.builtin.get_url: dest: /etc/apt/trusted.gpg.d/php.gpg - mode: 0644 - force: yes + mode: "0644" + force: true url: https://packages.sury.org/php/apt.gpg - name: Add the deb.sury.org repository - apt_repository: + ansible.builtin.apt_repository: repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main" - update_cache: yes + update_cache: true - name: Install PHP CLI - apt: + ansible.builtin.apt: name: "php{{ php8_version }}-cli" - name: Configure PHP for CLI - template: + ansible.builtin.template: src: php.ini.j2 dest: "/etc/php/{{ php8_version }}/cli/conf.d/99-customization.ini" + mode: "0644" vars: php8_ini_directives: "{{ php8_ini_directives_default | combine(php8_ini_directives_global) | combine(php8_ini_directives_cli) }}" - name: Install PHP module development files - apt: + ansible.builtin.apt: name: "php{{ php8_version }}-dev" when: php8_enable_dev | bool - name: Install PHP Apache2 module - apt: + ansible.builtin.apt: name: "libapache2-mod-php{{ php8_version }}" when: php8_enable_apache | bool - name: Configure PHP for Apache2 - template: + ansible.builtin.template: src: php.ini.j2 dest: "/etc/php/{{ php8_version }}/apache2/conf.d/99-customization.ini" + mode: "0644" vars: php8_ini_directives: "{{ php8_ini_directives_default | combine(php8_ini_directives_global) | combine(php8_ini_directives_apache) }}" notify: Restart Apache when: php8_enable_apache | bool - name: Install PHP CGI binary - apt: + ansible.builtin.apt: name: "php{{ php8_version }}-cgi" when: php8_enable_cgi | bool - 
name: Configure PHP for CGI - template: + ansible.builtin.template: src: php.ini.j2 dest: "/etc/php/{{ php8_version }}/cgi/conf.d/99-customization.ini" + mode: "0644" vars: php8_ini_directives: "{{ php8_ini_directives_default | combine(php8_ini_directives_global) | combine(php8_ini_directives_cgi) }}" when: php8_enable_cgi | bool - name: Install PHP FPM binary - apt: + ansible.builtin.apt: name: "php{{ php8_version }}-fpm" when: php8_enable_fpm | bool - name: Configure PHP for FPM - template: + ansible.builtin.template: src: php.ini.j2 dest: "/etc/php/{{ php8_version }}/fpm/conf.d/99-customization.ini" + mode: "0644" vars: php8_ini_directives: "{{ php8_ini_directives_default | combine(php8_ini_directives_global) | combine(php8_ini_directives_fpm) }}" notify: Restart PHP FPM when: php8_enable_fpm | bool - name: Configure FPM - template: + ansible.builtin.template: src: php-fpm.conf.j2 dest: "/etc/php/{{ php8_version }}/fpm/php-fpm.conf" + mode: "0644" notify: Restart PHP FPM when: php8_enable_fpm | bool - name: Ensure "chdir" in the standard pool exists - file: + ansible.builtin.file: path: "{{ php8_fpm_pool_chdir }}" state: directory + mode: "0755" when: php8_enable_fpm | bool and php8_fpm_pool_enabled | bool - name: Configure the standard pool for FPM - template: + ansible.builtin.template: src: php-fpm-pool.conf.j2 dest: "/etc/php/{{ php8_version }}/fpm/pool.d/{{ php8_fpm_pool_name }}.conf" + mode: "0644" notify: Restart PHP FPM when: php8_enable_fpm | bool and php8_fpm_pool_enabled | bool - name: Remove the standard pool for FPM - file: + ansible.builtin.file: path: "/etc/php/{{ php8_version }}/fpm/pool.d/{{ php8_fpm_pool_name }}.conf" state: absent notify: Restart PHP FPM when: php8_enable_fpm | bool and not php8_fpm_pool_enabled | bool - name: Enable the FPM service - service: + ansible.builtin.service: name: "php{{ php8_version }}-fpm" - enabled: yes + enabled: true when: php8_enable_fpm | bool - name: Install PHP extensions - apt: + ansible.builtin.apt: 
name: "{{ php8_extensions | map('prefix', 'php-') | list }}" state: present notify: @@ -121,7 +127,7 @@ - Restart PHP FPM - name: Install versioned PHP extensions - apt: + ansible.builtin.apt: name: "{{ php8_versioned_extensions | map('prefix', 'php' ~ php8_version ~ '-') | list }}" notify: - Restart Apache
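Review bot: The new `mode: "0755"` on the `Ensure "chdir" in the standard pool exists` task is enforced on every run, not only when the directory is created, so an operator who tightened `php8_fpm_pool_chdir` (default `/var/www`) to something stricter gets it reset to 0755 each time the role runs. Consider exposing it as a default such as `php8_fpm_pool_chdir_mode: "0755"` and using `mode: "{{ php8_fpm_pool_chdir_mode }}"`, or at least documenting the enforcement next to the variable. While the `Add the deb.sury.org trusted key` task is being touched, it still fetches the apt signing key with `force: true` and no `checksum:`, so a changed file at that URL is installed into `/etc/apt/trusted.gpg.d/` unverified on the next run; if the key is expected to be stable, a pinned `checksum:` would make any replacement an explicit change.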