Cleaner roles/httpd & roles/nginx

roles/3-base-server/tasks/main.yml

@@ -3,24 +3,29 @@
 - name: ...IS BEGINNING =====================================
   command: echo
 
-- name: HTTPD
-  include_role:
-    name: httpd
-
 - name: MYSQL
   include_role:
     name: mysql
   when: mysql_install | bool
 
-- name: Install APACHE (configured LATER, in Stage 9)
-  include_tasks: roles/httpd/tasks/install.yml
+- name: WEB_SUPPORT
+  include_role:
+    name: web_support
+  #when: web_support_install | bool
+  when: apache_install or nginx_install
+
+- name: APACHE (install now, configure LATER in Stage 9)
+  include_role:
+    name: httpd
   when: apache_install | bool
 
-- name: Install NGINX (configured LATER, in Stage 9)
-  include_tasks: roles/nginx/tasks/install.yml
+- name: NGINX (install now, configure LATER in Stage 9)
+  include_role:
+    name: nginx
+  #include_tasks: roles/nginx/tasks/install.yml
   when: nginx_install | bool
 
-- name: Install dnsmasq (configured LATER, in network)
+- name: dnsmasq (install now, configure LATER in 'network')
   include_tasks: roles/network/tasks/dnsmasq.yml
   when: dnsmasq_install | bool
 

roles/4-server-options/tasks/main.yml

@@ -20,7 +20,7 @@
 - name: Install Bluetooth - only on Raspberry Pi
   include_role:
     name: bluetooth
-  when: is_rpi and bluetooth_install    # or bluetooth_installed is defined
+  when: is_rpi and bluetooth_install
 
 - name: USB_LIB
   include_role:
@@ -37,12 +37,27 @@
 - name: CUPS
   include_role:
     name: cups
-  when: cups_install    # or cups_installed is defined
+  when: cups_install | bool
 
 - name: SAMBA
   include_role:
     name: samba
-  when: samba_install    # or samba_installed is defined
+  when: samba_install | bool
+
+# DOES THE FLAG BELOW (apache_allow_sudo) WORK WITH NGINX TOO ?
+
+- name: Give {{ apache_user }} (per variable apache_user) permission to poweroff, installing /etc/sudoers.d/020_apache_poweroff from template
+  template:
+    src: 020_apache_poweroff.j2
+    dest: /etc/sudoers.d/020_apache_poweroff
+    mode: '0755'
+  when: apache_allow_sudo | bool
+
+- name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff
+  file:
+    path: /etc/sudoers.d/020_apache_poweroff
+    state: absent
+  when: not apache_allow_sudo
 
 - name: Run /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation.  (This script was installed at the beginning of Stage 3 = roles/3-base-server/tasks/main.yml, which ran Apache playbook = roles/httpd/tasks/main.yml)
   command: /usr/bin/iiab-refresh-wiki-docs

roles/9-local-addons/tasks/main.yml

@@ -30,24 +30,34 @@
     name: calibre-web
   when: calibreweb_install | bool
 
-# Could split these two below to Stage 10?
+# Could split these two below to Stage 10?  2020-02-11: Experimentally moving
+# stuff below to roles/web_support, 4-server-options, roles/httpd, roles/nginx.
 
-- name: Fully Enable / Configure NGINX (already installed in Stage 3-BASE-SERVER) if 'nginx_enabled' is True
-  include_role:
-    name: nginx
-  when: nginx_enabled | bool    # WAS: nginx_install
-# If just CONFIGURING (etc) shouldn't we use one of the following instead ??
-# include_tasks: roles/nginx/tasks/setup.yml
-# include_tasks: roles/nginx/tasks/enable.yml
+# - name: "Set 'nginx_enabled: True'"
+#   set_fact:
+#     nginx_enabled: True
+#
+# - name: Fully Enable / Configure NGINX (already installed in Stage 3-BASE-SERVER) if 'nginx_enabled' is True
+#   include_role:
+#     name: nginx
+#   when: nginx_enabled | bool    # WAS: nginx_install
+# # If just CONFIGURING (etc) shouldn't we use one of the following instead ??
+# # include_tasks: roles/nginx/tasks/setup.yml
+# # include_tasks: roles/nginx/tasks/enable.yml
 
-- name: Fully Enable / Configure Apache systemd service ({{ apache_service }}) if 'apache_enabled' is True
-  include_role:
-    name: httpd-enable
-  when: apache_enabled | bool    # WAS: apache_install
-# WARNING THAT APACHE IS AUTO-ENABLED BY THESE ~6 APPS ALONE!
-# https://github.com/holta/iiab/blob/scaff2/roles/0-init/tasks/main.yml#L40-L44
-# Summarized @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
-# 2020-01-23: APACHE FUTURE SUMMARY QUESTIONS @ roles/httpd/tasks/main.yml
+# - name: "Set 'apache_enabled: True'"
+#   set_fact:
+#     apache_enabled: True
+#
+# - name: Fully Enable / Configure Apache systemd service ({{ apache_service }}) if 'apache_enabled' is True
+#   include_role:
+#     name: httpd
+#     #name: httpd-enable
+#   when: apache_enabled | bool    # WAS: apache_install
+# # WARNING THAT APACHE IS AUTO-ENABLED BY THESE ~6 APPS ALONE!
+# # https://github.com/holta/iiab/blob/scaff2/roles/0-init/tasks/main.yml#L40-L44
+# # Summarized @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
+# # 2020-01-23: APACHE FUTURE SUMMARY QUESTIONS @ roles/httpd/tasks/main.yml
 
 - name: Recording STAGE 9 HAS COMPLETED ====================
   lineinfile:

roles/httpd/tasks/enable.yml

@@ -1,69 +0,0 @@
-# For schools that use WordPress/Nextcloud/Moodle intensively.  iiab/iiab#1147
-# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively
-  lineinfile:
-    path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
-    regexp: "{{ item.regexp }}"
-    line: "{{ item.line }}"
-  when: apache_high_php_limits | bool
-  with_items:
-    - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M    ; default is 2M' }
-    - { regexp: '^post_max_size', line: 'post_max_size = 500M    ; default is 8M' }
-    - { regexp: '^memory_limit', line: 'memory_limit = 256M    ; default is 128M / Nextcloud requests 512M' }
-    - { regexp: '^max_execution_time', line: 'max_execution_time = 300    ; default is 30' }
-    - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }
-
-- name: Install Apache's 010-iiab.conf & proxy_ajp.conf into /etc/apache2/sites-available, from templates
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
-    # owner: root
-    # group: root
-    # mode: 0644
-  with_items:
-    - { src: 'roles/httpd/templates/010-iiab.conf.j2', dest: '/etc/{{ apache_conf_dir }}/010-iiab.conf' }
-    - { src: 'roles/httpd/templates/proxy_ajp.conf.j2', dest: '/etc/{{ apache_conf_dir }}/proxy_ajp.conf' }
-
-- name: Enable our site, creating 010-iiab.conf symlink from sites-enabled to sites-available (debuntu)
-  file:
-    src: "/etc/{{ apache_conf_dir }}/010-iiab.conf"
-    path: /etc/apache2/sites-enabled/010-iiab.conf
-    state: link
-  when: is_debuntu | bool
-
-# SEE https://github.com/iiab/iiab/issues/1143 as the old roles/osm playbook is rarely used as of late 2018 (if anybody still uses roles/osm, they can overwrite osm.conf using the original osm playbook, or in other ways)
-- name: Install /etc/{{ apache_conf_dir }}/osm.conf for http://box/maps (all OS's)
-  copy:
-    src: roles/httpd/files/osm.conf
-    dest: "/etc/{{ apache_conf_dir }}"
-    # owner: root
-    # group: root
-    # mode: 0644
-  when: osm_vector_maps_install | bool
-
-- name: Symlink /etc/apache2/sites-enabled/osm.conf -> /etc/{{ apache_conf_dir }}/osm.conf (debuntu)
-  file:
-    src: "/etc/{{ apache_conf_dir }}/osm.conf"
-    path: /etc/apache2/sites-enabled/osm.conf
-    state: link
-  when: is_debuntu and osm_vector_maps_enabled
-
-- name: Give {{ apache_user }} (per variable apache_user) permission to poweroff, installing /etc/sudoers.d/020_apache_poweroff from template
-  template:
-    src: roles/httpd/templates/020_apache_poweroff.j2
-    dest: /etc/sudoers.d/020_apache_poweroff
-    mode: 0755
-  when: apache_allow_sudo | bool
-
-- name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff
-  file:
-    path: /etc/sudoers.d/020_apache_poweroff
-    state: absent
-  when: not apache_allow_sudo
-
-- name: Restart Apache systemd service ({{ apache_service }})
-  systemd:
-    name: "{{ apache_service }}"
-    state: restarted
-    enabled: yes
-    daemon_reload: yes

roles/httpd/tasks/install.yml

@@ -49,7 +49,7 @@
     state: present
   when: is_redhat | bool
 
-# remove symlinks for mpm-event, replace with mpm-prefork
+# Remove symlinks for mpm_event, replace with mpm_prefork
 - name: Remove both mpm_event symlinks from /etc/apache2/mods-enabled (debuntu)
   file:
     path: "/etc/apache2/mods-enabled/{{ item }}"
@@ -69,6 +69,19 @@
     - mpm_prefork.load
   when: is_debuntu | bool
 
+# - name: Remove mpm_event.conf & mpm_event.load symlinks, using a2dissite
+#   command: "a2dissite {{ item }}"
+#   with_items:
+#     - mpm_event.conf
+#     - mpm_event.load
+#   ignore_errors: yes
+#
+# - name: Symlink mpm_prefork.conf & mpm_prefork.load, using a2ensite
+#   command: "a2ensite {{ item }}"
+#   with_items:
+#     - mpm_prefork.conf
+#     - mpm_prefork.load
+
 #- name: 'Turn on mod_proxy using a2enmod with: proxy, proxy_html, headers, rewrite (debuntu)'
 #  command: a2enmod {{ item }}
 #  with_items:
@@ -100,11 +113,11 @@
 
 - name: Create Apache's pid dir /var/run/{{ apache_user }}
   file:
+    state: directory
     path: "/var/run/{{ apache_user }}"
     owner: root
     group: root
     mode: '0755'
-    state: directory
 
 - name: 'Create group: admin'
   group:
@@ -120,25 +133,25 @@
 
 - name: Create Apache dir /var/log/{{ apache_service }}
   file:
+    state: directory
     path: "/var/log/{{ apache_service }}"
     owner: "{{ apache_user }}"
     group: "{{ apache_user }}"
     mode: '0755'
-    state: directory
 
-- name: Enable Apache systemd service ({{ apache_service }})
-  service:
-    name: "{{ apache_service }}"
-    enabled: yes
-    state: stopped
+- name: Install Apache's 010-iiab.conf & proxy_ajp.conf into /etc/apache2/sites-available, from templates
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  with_items:
+    - { src: 'roles/httpd/templates/010-iiab.conf.j2', dest: '/etc/{{ apache_conf_dir }}/010-iiab.conf' }
+    - { src: 'roles/httpd/templates/proxy_ajp.conf.j2', dest: '/etc/{{ apache_conf_dir }}/proxy_ajp.conf' }
 
-- name: Create /library/www/html/info directory for http://box/info offline docs
-  file:
-    path: "{{ doc_root }}/info"
-    owner: "{{ apache_user }}"
-    group: "{{ apache_user }}"
-    mode: '0755'
-    state: directory
+# - name: Enable & Stop '{{ apache_service }}' systemd service
+#   systemd:
+#     name: "{{ apache_service }}"
+#     enabled: yes
+#     state: stopped
 
 
 # RECORD Apache AS INSTALLED

roles/httpd/tasks/main.yml

@@ -1,20 +1,83 @@
 # 2020-01-23 TO DO / Questions:
-# - Validate input vars apache_install & apache_enabled here.
+# - [DONE] Validate input vars apache_install & apache_enabled here.
 #   - Use as nec, with 'when: apache_installed is undefined'
-# - Encapsulate all 3 tasks below into httpd/roles/install.yml ?
+# - [DONE: moved them to roles/web_support] Encapsulate all 3 tasks below into httpd/roles/install.yml ?
 # - Similarly sanity-check httpd/roles/enable.yml or httpd/roles/enable-or-disable.yml...
 #   - Verify that 9-local-addons/tasks/main.yml's invocation of
 #     roles/httpd/tasks/enable.yml (via roles/httpd-enable/tasks/main.yml, if
 #     apache_enabled is True) does the right thing!
 #   - And that we really don't want to invoke it hereunder?
-# - Save relevant apache_* vars to /etc/iiab/iiab.ini
+# - [DONE] Save relevant apache_* vars to /etc/iiab/iiab.ini
 
-#- include_tasks: install.yml
-- include_tasks: html.yml
-- include_tasks: php-stem.yml
+# "How do i fail a task in Ansible if the variable contains a boolean value?
+# I want to perform input validation for Ansible playbooks"
+# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
 
-- name: Install /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation.  (Script can be run manually and/or at the end of Stage 4 = roles/4-server-options/tasks/main.yml)
-  template:
-    src: refresh-wiki-docs.sh
-    dest: /usr/bin/iiab-refresh-wiki-docs
-    mode: '0755'
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
+# to re-check whether vars are defined here.  As Ansible vars cannot be unset:
+# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
+
+- name: Assert that "apache_install is sameas true" (boolean not string etc)
+  assert:
+    that: apache_install is sameas true
+    fail_msg: "PLEASE SET 'apache_install: True' e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
+
+- name: Assert that "apache_enabled | type_debug == 'bool'" (boolean not string etc)
+  assert:
+    that: apache_enabled | type_debug == 'bool'
+    fail_msg: "PLEASE GIVE VARIABLE 'apache_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
+
+- debug:
+    var: apache_install
+- debug:
+    var: apache_enabled
+- debug:
+    var: apache_installed
+
+
+- name: Install Apache if 'apache_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+  include_tasks: install.yml
+  when: apache_installed is undefined
+
+
+- name: "IN CASE NGINX IS DISABLED: Enable IIAB pages via Apache (e.g. on port 80) by running 'a2ensite 010-iiab.conf', if apache_enabled"
+  command: a2ensite 010-iiab.conf
+  when: apache_enabled | bool
+
+- name: Disable IIAB pages via Apache (e.g. on port 80) by running 'a2dissite 010-iiab.conf', if not apache_enabled"
+  command: a2dissite 010-iiab.conf
+  when: not apache_enabled
+
+- name: Enable & (Re)Start {{ apache_service }} systemd service, if apache_enabled
+  systemd:
+    name: "{{ apache_service }}"
+    daemon_reload: yes
+    enabled: yes
+    state: restarted
+  when: apache_enabled | bool
+
+- name: Disable & Stop {{ apache_service }} systemd service, if not apache_enabled
+  systemd:
+    name: "{{ apache_service }}"
+    enabled: no
+    state: stopped
+  when: not apache_enabled
+
+
+- name: Add 'apache' variable values to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: wordpress
+    option: "{{ item.option }}"
+    value: "{{ item.value | string }}"
+  with_items:
+    - option: name
+      value: Apache
+    - option: description
+      value: '"The Apache HTTP Server (''httpd'')."'
+    - option: apache_install
+      value: "{{ apache_install }}"
+    - option: apache_enabled
+      value: "{{ apache_enabled }}"

roles/internetarchive/tasks/main.yml

@@ -20,7 +20,7 @@
 
 
 # 2020-02-11: @mitra42 & @holta agree (#2247) that the following 2-stanza
-# "UPDATE internetarchive" block should run whenever one is isn't installing
+# "UPDATE internetarchive" block should run whenever one isn't installing
 # (or reinstalling) internetarchive, for now.  We're aware this means slowness
 # during "./runrole internetarchive" but that's very intentional for now -- as
 # it leads to more testing of more recent versions of internetarchive, which

roles/nginx/tasks/enable-or-disable.yml

@@ -0,0 +1,40 @@
+- name: Ensure that Apache (({{ apache_service }})) is not running -- we may need port swap
+  systemd:
+    name: "{{ apache_service }}"
+    state: stopped
+
+- name: Install /etc/{{ apache_service }}/ports.conf from template 1 of 2 (ports.conf.j2) if nginx_enabled, to enable Apache port {{ apache_port }} localhost only
+  template:
+    src: ports.conf.j2
+    dest: "/etc/{{ apache_service }}/ports.conf"
+  when: nginx_enabled | bool
+
+- name: Install /etc/{{ apache_service }}/ports.conf from template 2 of 2 (stock-apache-ports.conf) if not nginx_enabled, to disable Apache port {{ apache_port }} localhost only
+  template:
+    src: stock-apache-ports.conf
+    dest: "/etc/{{ apache_service }}/ports.conf"
+  when: not nginx_enabled
+
+- name: Enable & Restart '{{ apache_service }}' if apache_enabled or not nginx_enabled, since we stopped it
+  systemd:
+    name: "{{ apache_service }}"
+    daemon_reload: yes
+    state: restarted
+    enabled: true
+  when: apache_enabled or not nginx_enabled
+
+
+- name: Enable & (Re)Start 'nginx' systemd service, if nginx_enabled
+  systemd:
+    name: nginx
+    daemon_reload: yes
+    enabled: yes
+    state: restarted
+  when: nginx_enabled | bool
+
+- name: Disable & Stop 'nginx' systemd service, if not nginx_enabled
+  systemd:
+    name: nginx
+    enabled: no
+    state: stopped
+  when: not nginx_enabled

roles/nginx/tasks/install.yml

@@ -1,4 +1,14 @@
-- name: Install NGINX required and helper packages
+# This stanza can likely be removed later in 2020:
+- name: 'Remove legacy files if present: /etc/systemd/system/uwsgi.service, {{ nginx_conf_dir }}/usb-lib.conf, {{ nginx_conf_dir }}/modules.conf'
+  file:
+    path: "{{ item.path }}"
+    state: absent
+  with_items:
+    - { path: "/etc/systemd/system/uwsgi.service" }
+    - { path: "{{ nginx_conf_dir }}/usb-lib.conf" }
+    - { path: "{{ nginx_conf_dir }}/modules.conf" }
+
+- name: Install required and helper packages for NGINX
   package:
     name: "{{ item }}"
     state: present
@@ -9,7 +19,7 @@
     - php-fpm
     - libnginx-mod-http-subs-filter
 
-- name: Add http server user to shadow group, so it can authenticate Admin Console
+- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
   user:
     name: "{{ apache_user }}"
     groups: shadow
@@ -19,29 +29,30 @@
     path: /etc/nginx/sites-enabled/default
     state: absent
 
-- name: 'Install 4 files from template: /etc/nginx/server.conf, /etc/nginx/nginx.conf, /etc/{{ apache_service }}/ports.conf, /etc/systemd/system/uwsgi.service'
+- name: 'Install 3-or-4 files from template: /etc/nginx/server.conf, /etc/nginx/nginx.conf, /etc/{{ apache_service }}/ports.conf'
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
   with_items:
-    - { src: 'roles/nginx/templates/server.conf.j2', dest: '/etc/nginx/server.conf' }
-    - { src: 'roles/nginx/templates/nginx.conf.j2', dest: '/etc/nginx/nginx.conf' }
-    - { src: 'roles/nginx/templates/ports.conf.j2', dest: '/etc/{{ apache_service }}/ports.conf' }
+    - { src: 'server.conf.j2', dest: '/etc/nginx/server.conf' }
+    - { src: 'nginx.conf.j2', dest: '/etc/nginx/nginx.conf' }
+    #- { src: 'ports.conf.j2', dest: '/etc/{{ apache_service }}/ports.conf' }    # Moved to enable-or-disable.yml
+    - { src: 'iiab.conf.j2', dest: "{{ nginx_conf_dir }}/iiab.conf" }
 
-# php stem extension is installed in role httpd
+# php-stem extension installed by roles/web_support/tasks/php-stem.yml
 # here it is linked to php-fpm
-- name: Create softlink 20-stem.ini to /etc/php/{{ php_version }}/mods-available/stem.ini
+- name: Symlink /etc/php/{{ php_version }}/fpm/conf.d/20-stem.ini -> /etc/php/{{ php_version }}/mods-available/stem.ini
   file:
     src: "/etc/php/{{ php_version }}/mods-available/stem.ini"
     path: "/etc/php/{{ php_version }}/fpm/conf.d/20-stem.ini"
     state: link
-  when: nginx_enabled
+  #when: nginx_enabled | bool
 
-- name: Restart php{{ php_version }}-fpm service
-  service:
+- name: Restart php{{ php_version }}-fpm systemd service
+  systemd:
     name: "php{{ php_version }}-fpm"
     state: restarted
-  when: nginx_enabled
+  #when: nginx_enabled | bool
 
 
 # RECORD NGINX AS INSTALLED

roles/nginx/tasks/main.yml

@@ -1,70 +1,51 @@
-- name: Remove stale files (usb-lib.conf, modules.conf) from {{ nginx_conf_dir }}
-  file:
-    path: "{{ item.path }}"
-    state: absent
+# "How do i fail a task in Ansible if the variable contains a boolean value?
+# I want to perform input validation for Ansible playbooks"
+# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
+
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
+# to re-check whether vars are defined here.  As Ansible vars cannot be unset:
+# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
+
+- name: Assert that "nginx_install is sameas true" (boolean not string etc)
+  assert:
+    that: nginx_install is sameas true
+    fail_msg: "PLEASE SET 'nginx_install: True' e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
+
+- name: Assert that "nginx_enabled | type_debug == 'bool'" (boolean not string etc)
+  assert:
+    that: nginx_enabled | type_debug == 'bool'
+    fail_msg: "PLEASE GIVE VARIABLE 'nginx_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
+    quiet: yes
+
+- debug:
+    var: nginx_install
+- debug:
+    var: nginx_enabled
+- debug:
+    var: nginx_installed
+
+
+- name: Install NGINX if 'nginx_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+  include_tasks: install.yml
+  when: nginx_installed is undefined
+
+
+- include_tasks: enable-or-disable.yml
+
+
+- name: Add 'nginx' variable values to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: wordpress
+    option: "{{ item.option }}"
+    value: "{{ item.value | string }}"
   with_items:
-    - { path: "/etc/systemd/system/uwsgi.service" }
-    - { path: "{{ nginx_conf_dir }}/usb-lib.conf" }
-    - { path: "{{ nginx_conf_dir }}/modules.conf" }
-
-- name: Ensure that Apache (({{ apache_service }})) is not running -- we may need port swap
-  systemd:
-    name: "{{ apache_service }}"
-    state: stopped
-
-- name: "Install from template: /etc/nginx/server.conf, /etc/nginx/nginx.conf, /etc/{{ apache_service }}/ports.conf, {{ nginx_conf_dir }}/iiab.conf"
-  template:
-    src: "{{ item.src}}"
-    dest: "{{ item.dest }}"
-  with_items:
-    - { src: 'server.conf.j2', dest: '/etc/nginx/server.conf' }
-    - { src: 'nginx.conf.j2', dest: '/etc/nginx/nginx.conf' }
-    - { src: 'ports.conf.j2', dest: "/etc/{{ apache_service }}/ports.conf" }
-    - { src: 'iiab.conf.j2', dest: "{{ nginx_conf_dir }}/iiab.conf" }
-  when: nginx_enabled | bool
-
-# the below slides in nginx's proxypass config files for apache on localhost
-# via the ports.conf file installed above
-#- name: Install proxpass to Apache running on localhost port {{ apache_port }}
-#  include_tasks: uses_apache.yml
-#  when: apache_enabled | bool
-
-# the below task contains the same logic contained in the playbooks to enable
-# 'runrole nginx' to do the right thing but with the 'src' path set to role's
-# templates path ie roles/<rolename>/template/
-#- name: Install proxpass to other services 'dual mode' roles
-#  include_tasks: only_nginx.yml
-#  when: nginx_enabled | bool
-
-- name: Stop & Disable 'nginx' systemd service, when not nginx_enabled
-  systemd:
-    name: nginx
-    state: stopped
-    enabled: false
-  when: not nginx_enabled
-
-- name: Disable Apache port {{ apache_port }} localhost only, when not nginx_enabled
-  template:
-    dest: /etc/{{ apache_service }}/ports.conf
-    src: stock-apache-ports.conf
-  when: not nginx_enabled
-
-# should have the logic to handle both modes in the playbook
-#- name: Enable Apache (a2ensite) for 'dual mode' for the role when NGINX is disabled
-#  include_tasks: disable.yml
-#  when: not nginx_enabled
-
-- name: Enable & Restart Apache, since we stopped it ({{ apache_service }})
-  systemd:
-    name: "{{ apache_service }}"
-    daemon_reload: yes
-    state: restarted
-    enabled: true
-  when: apache_enabled or not nginx_enabled
-
-- name: Enable & Restart NGINX, to pick up the config files installed
-  systemd:
-    name: nginx
-    state: restarted
-    enabled: true
-  when: nginx_enabled | bool
+    - option: name
+      value: NGINX
+    - option: description
+      value: '"NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache."'
+    - option: nginx_install
+      value: "{{ nginx_install }}"
+    - option: nginx_enabled
+      value: "{{ nginx_enabled }}"

roles/web_support/tasks/main.yml

@@ -0,0 +1,36 @@
+- include_tasks: html.yml
+
+
+- include_tasks: php-stem.yml
+
+# DOES THE FLAG BELOW (apache_high_php_limits) WORK WITH NGINX TOO?
+
+# For schools that use WordPress/Nextcloud/Moodle intensively.  iiab/iiab#1147
+# WARNING: Enabling this might cause excess use of RAM/disk or other resources!
+- name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively
+  lineinfile:
+    path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  when: apache_high_php_limits | bool
+  with_items:
+    - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M    ; default is 2M' }
+    - { regexp: '^post_max_size', line: 'post_max_size = 500M    ; default is 8M' }
+    - { regexp: '^memory_limit', line: 'memory_limit = 256M    ; default is 128M / Nextcloud requests 512M' }
+    - { regexp: '^max_execution_time', line: 'max_execution_time = 300    ; default is 30' }
+    - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }
+
+
+- name: Create dir {{ doc_root }}/info for http://box/info offline docs
+  file:
+    state: directory
+    path: "{{ doc_root }}/info"    # /library/www/html
+    owner: "{{ apache_user }}"
+    group: "{{ apache_user }}"
+    #mode: '0755'
+
+- name: Install /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation.  (Script can be run manually and/or at the end of Stage 4 = roles/4-server-options/tasks/main.yml)
+  template:
+    src: iiab-refresh-wiki-docs.sh
+    dest: /usr/bin/iiab-refresh-wiki-docs
+    mode: '0755'

roles/web_support/tasks/php-stem.yml

@@ -23,7 +23,7 @@
     remote_src: yes
   when: ansible_machine == "x86_64"
 
-# link to php done in nginx when php-fpm is installed
+# link to php done in roles/nginx/tasks/install.yml when php-fpm is installed
 
 # Not sure what to do for apache, so do nothing for now