codeenigma · tymofiisobchenko · Apr 4, 2024 · Apr 3, 2024 · Apr 3, 2024 · Apr 3, 2024
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md
@@ -64,7 +64,10 @@
        - [OpenVPN](/roles/debian/openvpn)
        - [OSSEC](/roles/debian/ossec)
        - [Packer](/roles/debian/packer)
+       - [PHP terminal client](/roles/debian/php-cli)
+       - [PHP common components](/roles/debian/php-common)
        - [PHP Composer](/roles/debian/php_composer)
+       - [PHP-FPM](/roles/debian/php-fpm)
        - [phpMyAdmin](/roles/debian/phpmyadmin)
        - [PHP XDebug](/roles/debian/php_xdebug)
        - [Postfix](/roles/debian/postfix)

diff --git a/docs/roles/debian/nginx.md b/docs/roles/debian/nginx.md
@@ -1,6 +1,6 @@
 # NGINX
 
-Install and configure the nginx webserver.
+Install and configure the NGINX webserver.
 
 Note, the directives are mostly DENY FIRST so if you're expecting to find config that blocks a certain file extension or pattern you should consider it the other way and ensure that pattern is not *allowed* anywhere.
 
@@ -29,6 +29,29 @@ nginx:
     access_log: /var/log/nginx-access.log
     error_log: /var/log/nginx-error.log
     ssl_protocols: "TLSv1.2 TLSv1.3"
+    sendfile: "on"
+    keepalive_timeout: 65
+    gzip_vary: "on"
+    gzip_types:
+      - text/plain
+      - text/css
+      - text/xml
+      - text/javascript
+      - application/javascript
+      - application/x-javascript
+      - application/json
+      - application/xml
+      - application/xml+rss
+      - application/xhtml+xml
+      - application/x-font-ttf
+      - application/x-font-opentype
+      - image/svg+xml
+      - image/x-icon
+    proxy_buffer_size: 512k
+    proxy_buffers: "8 256k"
+    client_body_buffer_size: 512k
+    fastcgi_buffer_size: 512k
+    fastcgi_buffers: "8 256k"
     # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings.
     #custom_directives: []
   # Group prefix. Useful for grouping by environments.

diff --git a/docs/roles/debian/php-cli.md b/docs/roles/debian/php-cli.md
@@ -0,0 +1,45 @@
+# PHP terminal client
+
+Installs and configures terminal client for PHP.
+
+<!--TOC-->
+<!--ENDTOC-->
+
+<!--ROLEVARS-->
+## Default variables
+```yaml
+---
+php:
+  cli:
+    expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
+    error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}"
+    display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
+    display_startup_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
+    html_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
+    engine: "On"
+    short_open_tag: "Off"
+    max_execution_time: 120
+    max_input_time: 60
+    max_input_nesting_level: 64
+    max_input_vars: 1000
+    memory_limit: -1
+    log_errors_max_len: 1024
+    ignore_repeated_errors: "Off"
+    ignore_repeated_source: "Off"
+    post_max_size: 200M
+    upload_max_filesize: 200M
+    max_file_uploads: 20
+    date_timezone: "Europe/London"
+    gc_maxlifetime: 1440
+    zend_assertions: -1
+    overrides: {}
+    opcache:
+      enable: 1
+      enable_cli: 0
+      memory_consumption: 128
+      max_accelerated_files: 2000
+      validate_timestamps: 1
+
+```
+
+<!--ENDROLEVARS-->
diff --git a/docs/roles/debian/php-common.md b/docs/roles/debian/php-common.md
@@ -0,0 +1,19 @@
+# PHP common components
+
+Installs and configures PHP core and required components.
+
+<!--TOC-->
+<!--ENDTOC-->
+
+<!--ROLEVARS-->
+## Default variables
+```yaml
+---
+php:
+  version:
+    - 8.1 # see https://www.php.net/supported-versions.php
+  apt_origin: "origin=deb.sury.org,codename=${distro_codename}" # used by apt_unattended_upgrades
+
+```
+
+<!--ENDROLEVARS-->
diff --git a/docs/roles/debian/php-fpm.md b/docs/roles/debian/php-fpm.md
@@ -0,0 +1,67 @@
+# PHP-FPM
+
+Installs and configures the PHP-FPM flavour of FastCGI.
+
+<!--TOC-->
+<!--ENDTOC-->
+
+<!--ROLEVARS-->
+## Default variables
+```yaml
+---
+php:
+  # see php-common for default version
+  fpm:
+    # FPM settings - official documentation is here: https://www.php.net/manual/en/install.fpm.configuration.php
+    unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+    server_ip: "127.0.0.1"
+    tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
+    pool_user: "{{ user_deploy.username }}"
+    pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
+    pm: dynamic # can also be static, see https://tideways.com/profiler/blog/an-introduction-to-php-fpm-tuning
+    default_socket_timeout: 60
+    max_children: 5
+    start_servers: 2
+    min_spare_servers: 1
+    max_spare_servers: 3
+    process_idle_timeout: 10s
+    max_requests: 500
+    request_terminate_timeout: 0
+    rlimit_core: 0 # Possible Values: 'unlimited' or an integer greater or equal to 0; Default Value: 0
+    slow_log: true
+    request_slowlog_timeout: 0
+    slowlog_file_directory: "/home/{{ user_deploy.username }}"
+    # PHP ini file settings
+    expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
+    error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}"
+    display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
+    display_startup_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
+    html_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
+    engine: "On"
+    short_open_tag: "Off"
+    max_execution_time: 120
+    max_input_time: 60
+    max_input_nesting_level: 64
+    max_input_vars: 1000
+    memory_limit: 256M
+    log_errors_max_len: 1024
+    ignore_repeated_errors: "Off"
+    ignore_repeated_source: "Off"
+    post_max_size: 200M
+    upload_max_filesize: 200M
+    max_file_uploads: 20
+    date_timezone: "Europe/London"
+    gc_maxlifetime: 1440
+    cookie_lifetime: 0
+    zend_assertions: -1
+    session_cookie_secure: "Off"
+    opcache:
+      enable: 1
+      enable_cli: 0
+      memory_consumption: 128
+      max_accelerated_files: 2000
+      validate_timestamps: 1
+
+```
+
+<!--ENDROLEVARS-->
diff --git a/docs/roles/debian/php_xdebug.md b/docs/roles/debian/php_xdebug.md
@@ -1,6 +1,6 @@
 # PHP XDebug
 
-Installs and configure XDebug extension for PHP
+Installs and configures XDebug extension for PHP.
 
 <!--TOC-->
 <!--ENDTOC-->

diff --git a/roles/debian/nginx/README.md b/roles/debian/nginx/README.md
@@ -1,6 +1,6 @@
 # NGINX
 
-Install and configure the nginx webserver.
+Install and configure the NGINX webserver.
 
 Note, the directives are mostly DENY FIRST so if you're expecting to find config that blocks a certain file extension or pattern you should consider it the other way and ensure that pattern is not *allowed* anywhere.
 
@@ -29,6 +29,29 @@ nginx:
     access_log: /var/log/nginx-access.log
     error_log: /var/log/nginx-error.log
     ssl_protocols: "TLSv1.2 TLSv1.3"
+    sendfile: "on"
+    keepalive_timeout: 65
+    gzip_vary: "on"
+    gzip_types:
+      - text/plain
+      - text/css
+      - text/xml
+      - text/javascript
+      - application/javascript
+      - application/x-javascript
+      - application/json
+      - application/xml
+      - application/xml+rss
+      - application/xhtml+xml
+      - application/x-font-ttf
+      - application/x-font-opentype
+      - image/svg+xml
+      - image/x-icon
+    proxy_buffer_size: 512k
+    proxy_buffers: "8 256k"
+    client_body_buffer_size: 512k
+    fastcgi_buffer_size: 512k
+    fastcgi_buffers: "8 256k"
     # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings.
     #custom_directives: []
   # Group prefix. Useful for grouping by environments.

diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml
@@ -17,6 +17,29 @@ nginx:
     access_log: /var/log/nginx-access.log
     error_log: /var/log/nginx-error.log
     ssl_protocols: "TLSv1.2 TLSv1.3"
+    sendfile: "on"
+    keepalive_timeout: 65
+    gzip_vary: "on"
+    gzip_types:
+      - text/plain
+      - text/css
+      - text/xml
+      - text/javascript
+      - application/javascript
+      - application/x-javascript
+      - application/json
+      - application/xml
+      - application/xml+rss
+      - application/xhtml+xml
+      - application/x-font-ttf
+      - application/x-font-opentype
+      - image/svg+xml
+      - image/x-icon
+    proxy_buffer_size: 512k
+    proxy_buffers: "8 256k"
+    client_body_buffer_size: 512k
+    fastcgi_buffer_size: 512k
+    fastcgi_buffers: "8 256k"
     # You can inject custom directives into the main nginx.conf file here by providing them as a list of strings.
     #custom_directives: []
   # Group prefix. Useful for grouping by environments.

diff --git a/roles/debian/nginx/tasks/domain.yml b/roles/debian/nginx/tasks/domain.yml
@@ -1,61 +1,4 @@
 ---
-- name: Temporarily place a vhost for LetsEncrypt to work.
-  ansible.builtin.template:
-    src: vhost_letsencrypt.j2
-    dest: "/etc/nginx/sites-available/{{ domain.server_name }}.conf"
-    owner: root
-    group: root
-    mode: 0644
-  when:
-    - domain.ssl is defined
-    - domain.ssl.handling == 'letsencrypt'
-    - domain.ssl.services | length > 0 # if services[] is defined we can assume we are running certbot on port 80 or 443
-
-- name: Enable vhost.
-  ansible.builtin.file:
-    src: "/etc/nginx/sites-available/{{ domain.server_name }}.conf"
-    dest: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf"
-    state: link
-  when:
-    - domain.ssl is defined
-    - domain.ssl.handling == 'letsencrypt'
-    - domain.ssl.services | length > 0
-
-- name: Reload the nginx service.
-  ansible.builtin.service:
-    name: nginx
-    state: reloaded
-  when:
-    - domain.ssl is defined
-    - domain.ssl.handling == 'letsencrypt'
-    - domain.ssl.services | length > 0
-
-- name: Generates SSL keys.
-  ansible.builtin.include_role:
-    name: debian/ssl
-    public: true
-  when: domain.ssl is defined
-  vars:
-    ssl: "{{ domain.ssl }}"
-
-- name: Delete the link to the vhost for LetsEncrypt.
-  ansible.builtin.file:
-    path: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf"
-    state: absent
-  when:
-    - domain.ssl is defined
-    - domain.ssl.handling == 'letsencrypt'
-    - domain.ssl.services | length > 0
-
-- name: Delete the temporary vhost for LetsEncrypt.
-  ansible.builtin.file:
-    path: "/etc/nginx/sites-available/{{ domain.server_name }}.conf"
-    state: absent
-  when:
-    - domain.ssl is defined
-    - domain.ssl.handling == 'letsencrypt'
-    - domain.ssl.services | length > 0
-
 # If auth_enabled is defined and yes, and auth_pass is not defined or is defined but empty, generate a random password.
 - name: Generate random htauth password.
   ansible.builtin.set_fact:
@@ -119,12 +62,14 @@
     owner: root
     group: root
     mode: 0644
+    force: true
 
 - name: Enable vhost.
   ansible.builtin.file:
     src: "/etc/nginx/sites-available/{{ domain.server_name }}.conf"
     dest: "/etc/nginx/sites-enabled/{{ domain.server_name }}.conf"
     state: link
+    force: true
 
 - name: Generates AWS Cloudwatch vhost config.
   ansible.builtin.template: