strichliste: deploy on tschunk

Signed-off-by: Thomas Schmid <tom@lfence.de>

group_vars/all/vars.yml

@@ -163,6 +163,11 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 
+strichliste_domain: tschunk.binary.kitchen
+strichliste_dbname: strichliste
+strichliste_dbuser: strichliste
+strichliste_dbpass: "{{ vault_strichliste_dbpass }}"
+
 vaultwarden_domain: vault.binary-kitchen.de
 vaultwarden_dbname: vaultwarden
 vaultwarden_dbuser: vaultwarden

roles/strichliste/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+strichliste_checksum: sha256:4615e4faef8c9839c2ce4bb068bb52fc0dfa036329b5dc500e4b6d57160f235d
+strichliste_version: 1.8.2
+strichliste_url: https://github.com/strichliste/strichliste/releases/download/v{{ strichliste_version }}/strichliste-v{{ strichliste_version }}.tar.gz

roles/strichliste/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart nginx
+  service: name=nginx state=restarted

roles/strichliste/meta/main.yml

@@ -2,3 +2,4 @@
 
 dependencies:
 - { role: acertmgr }
+- { role: nginx, nginx_ssl: True }

roles/strichliste/tasks/main.yml

@@ -2,3 +2,80 @@
 
 - name: Request nsupdate key for certificate
   include_role: name=acme-dnskey-generate
+
+- name: Enable sury php apt-key
+  apt_key: url="https://packages.sury.org/php/apt.gpg"
+
+- name: Enable sury php repository
+  apt_repository: repo="deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
+
+- name: Install packages
+  apt:
+    name:
+    - php8.1
+    - php8.1-common
+    - php8.1-curl
+    - php8.1-mysql
+    - php8.1-mbstring
+    - php8.1-cli
+    - php8.1-opcache
+    - php8.1-xml
+    - php8.1-fpm
+    - php8.1-readline
+    - mariadb-server
+    - python3-mysqldb
+    - python3-psycopg2
+
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ strichliste_domain }}.key -out /etc/nginx/ssl/{{ strichliste_domain }}.crt -days 730 -subj "/CN={{ strichliste_domain }}" creates=/etc/nginx/ssl/{{ strichliste_domain }}.crt
+  notify: Restart nginx
+
+- name: Configure certificate manager for strichliste
+  template: src=certs.j2 dest=/etc/acertmgr/{{ strichliste_domain }}.conf
+  notify: Run acertmgr
+
+- name: Create vhost directory
+  file: path=/var/www/strichliste state=directory owner=www-data group=www-data
+
+- name: Install Mariadb
+  apt:
+    name:
+    - mariadb-server
+    - python3-mysqldb
+
+- name: Configure Mariadb database
+  community.mysql.mysql_db: name={{ strichliste_dbname }}
+  become: true
+
+- name: Configure Mariadb user
+  community.mysql.mysql_user: name={{ strichliste_dbuser }} password={{ strichliste_dbpass }} priv='{{ strichliste_dbname }}.*:ALL' state=present
+  become: true
+
+- name: Download strichliste
+  get_url: url={{ strichliste_url }} dest=/tmp/ checksum={{ strichliste_checksum }} mode=0755
+
+- name: Unpack strichliste
+  unarchive:
+    remote_src: true
+    src: /tmp/strichliste-v{{ strichliste_version }}.tar.gz
+    dest: /var/www/strichliste
+    owner: www-data
+    group: www-data
+  notify: Restart nginx
+
+- name: Configure strichliste database
+  lineinfile:
+    path: /var/www/strichliste/.env
+    regexp: '^DATABASE_URL='
+    line: DATABASE_URL="mysql://strichliste:{{ strichliste_dbpass }}@localhost/strichliste"
+
+- name: Configure vhost
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/strichliste
+  notify: Restart nginx
+
+- name: Enable vhost
+  file: src=/etc/nginx/sites-available/strichliste dest=/etc/nginx/sites-enabled/strichliste state=link
+  notify: Restart nginx
+
+- name: Start php8.1-fpm
+  service: name=php8.1-fpm state=started enabled=yes

roles/strichliste/templates/certs.j2

@@ -0,0 +1,18 @@
+---
+
+{{ strichliste_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ strichliste_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ strichliste_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'

roles/strichliste/templates/vhost.j2

@@ -0,0 +1,57 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name {{ strichliste_domain }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ strichliste_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ strichliste_domain }}.crt;
+
+    root /var/www/strichliste/public;
+
+    location / {
+        # try to serve file directly, fallback to index.php
+        try_files $uri /index.php$is_args$args;
+    }
+
+    location ~ ^/index\.php(/|$) {
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+
+        #Avoid sending the security headers twice
+        fastcgi_param modHeadersAvailable true;
+        fastcgi_param front_controller_active true;
+        fastcgi_pass unix:/run/php/php-fpm.sock;
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/index.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    # return 404 for all other php files not matching the front controller
+    # this prevents access to other php files you don't want to be accessible.
+    location ~ \.php$ {
+        return 404;
+    }
+
+
+}
+
+server {
+    listen [::]:80;
+    listen 80;
+
+    server_name {{ strichliste_domain }};
+
+    if ($host = {{ strichliste_domain }}) {
+        return 301 https://$host$request_uri;
+    }
+
+    return 404;
+}