move apache_allow_sudo into 4-server-options, move dnsmasq install to 3-base-server

move dnsmasq to 3-base split httpd make 'osm' files optional
2025-03-09 15:40:17 +00:00 · 2019-08-24 13:52:25 -05:00 · 2019-08-24 13:52:25 -05:00 · c8dab06ea6
commit c8dab06ea6
parent 0cd7f15376
6 changed files with 226 additions and 230 deletions
--- a/roles/3-base-server/tasks/main.yml
+++ b/roles/3-base-server/tasks/main.yml
@ -15,11 +15,10 @@
  # has no "when: XXXXX_install" flag
  tags: base, mysql
- name: Restart Apache systemd service ({{ apache_service }})
+- name: Install dnsmasq
-  systemd:
+  include_tasks: roles/network/tasks/dnsmasq.yml
-    name: "{{ apache_service }}"
+  when: dnsmasq_install | bool
-    state: restarted
+  tags: base, domain, dnsmasq, network
  when: not installing
 - name: Recording STAGE 3 HAS COMPLETED =====================
  lineinfile:
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -5,11 +5,6 @@
    path: "{{ iiab_state_file }}"
    state: touch
 - name: Install dnsmasq
  include_tasks: roles/network/tasks/dnsmasq.yml
  when: dnsmasq_install | bool
  tags: base, domain, dnsmasq, network
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
  when: named_install | bool
@ -75,6 +70,11 @@
  command: /usr/bin/iiab-refresh-wiki-docs
  when: internet_available and not nodocs
 - name: Configure Apache systemd service ({{ apache_service }})
  include_role:
    name: httpd-enable
  tags: base, httpd
 - name: Recording STAGE 4 HAS COMPLETED ==================
  lineinfile:
    dest: "{{ iiab_env_file }}"
--- a/roles/httpd-enable/tasks/main.yml
+++ b/roles/httpd-enable/tasks/main.yml
@ -0,0 +1 @@
 - include_tasks: roles/httpd/tasks/enable.yml
--- a/roles/httpd/tasks/enable.yml
+++ b/roles/httpd/tasks/enable.yml
@ -0,0 +1,69 @@
 # For schools that use WordPress/Nextcloud/Moodle intensively.  iiab/iiab#1147
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
 - name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively
  lineinfile:
    path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  when: apache_high_php_limits | bool
  with_items:
    - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M    ; default is 2M' }
    - { regexp: '^post_max_size', line: 'post_max_size = 500M    ; default is 8M' }
    - { regexp: '^memory_limit', line: 'memory_limit = 256M    ; default is 128M / Nextcloud requests 512M' }
    - { regexp: '^max_execution_time', line: 'max_execution_time = 300    ; default is 30' }
    - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }
 - name: Install Apache's 010-iiab.conf & proxy_ajp.conf into /etc/apache2/sites-available, from templates
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: 0644
  with_items:
    - { src: 'roles/httpd/templates/010-iiab.conf.j2', dest: '/etc/{{ apache_config_dir }}/010-iiab.conf' }
    - { src: 'roles/httpd/templates/proxy_ajp.conf.j2', dest: '/etc/{{ apache_config_dir }}/proxy_ajp.conf' }
 - name: Enable our site, creating 010-iiab.conf symlink from sites-enabled to sites-available (debuntu)
  file:
    src: "/etc/{{ apache_config_dir }}/010-iiab.conf"
    path: /etc/apache2/sites-enabled/010-iiab.conf
    state: link
  when: is_debuntu | bool
 # SEE https://github.com/iiab/iiab/issues/1143 as the old roles/osm playbook is rarely used as of late 2018 (if anybody still uses roles/osm, they can overwrite osm.conf using the original osm playbook, or in other ways)
 - name: Install /etc/{{ apache_config_dir }}/osm.conf for http://box/maps (all OS's)
  copy:
    src: roles/httpd/files/osm.conf
    dest: "/etc/{{ apache_config_dir }}"
    owner: root
    group: root
    mode: 0644
  when: osm_vector_maps_install | bool
 - name: Symlink /etc/apache2/sites-enabled/osm.conf to /etc/{{ apache_config_dir }}/osm.conf (debuntu)
  file:
    src: "/etc/{{ apache_config_dir }}/osm.conf"
    path: /etc/apache2/sites-enabled/osm.conf
    state: link
  when: is_debuntu | bool and osm_vector_maps_enabled | bool
 - name: Give {{ apache_user }} (per variable apache_user) permission to poweroff, installing /etc/sudoers.d/020_apache_poweroff from template
  template:
    src: roles/httpd/templates/020_apache_poweroff.j2
    dest: /etc/sudoers.d/020_apache_poweroff
    mode: 0755
  when: apache_allow_sudo | bool
 - name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff
  file:
    path: /etc/sudoers.d/020_apache_poweroff
    state: absent
  when: not apache_allow_sudo
 - name: Restart Apache systemd service ({{ apache_service }})
  systemd:
    name: "{{ apache_service }}"
    state: restarted
    enabled: yes
    daemon_reload: yes
--- a/roles/httpd/tasks/install.yml
+++ b/roles/httpd/tasks/install.yml
@ -0,0 +1,145 @@
 - name: 'Install 3 packages: apache2, php{{ php_version }}, php{{ php_version }}-curl (debian)'
  package:
    #name: [u'apache2', u'php{{ php_version }}', u'php{{ php_version }}-curl']    # FAILS ('u' for Unicode strings)
    #name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl']       # WORKS?
    name:
      - apache2
      - "php{{ php_version }}"
      - "php{{ php_version }}-curl"
    state: present
  when: is_debian | bool
  tags:
    - download
 - name: 'Install 2 packages: apache2, php (ubuntu)'
  package:
    #name: [u'apache2', u'php']    # FAILS ('u' for Unicode strings)
    #name: ['apache2', 'php']      # WORKS
    name:
      - apache2
      - php
    state: present
  when: is_ubuntu | bool
  tags:
    - download
 # 2019-05-30: It's interesting that http://box.lan/admin and everything seems
 # to work even without php{{ php_version }}-sqlite3 as confirmed on Ubuntu
 # 16.04 (SEE PR #1697).  And likely all others?  @tim-moody writes "I think
 # we decided that because sqlite3 and php are part of the base install the
 # connector should be too."
 #
 # We might *try* deprecating this here as we transition beyond {raspbian-9,
 # debian-9, ubuntu-18} in coming months to verify that roles/osm-vector-maps
 # is the only role that needs it?
 #
 # Legacy Comment: SQLite3 no longer included in another package
 - name: Install php{{ php_version }}-sqlite3 (raspbian-9+ or debian-9+ or ubuntu-18+)
  package:
    name: "php{{ php_version }}-sqlite3"
  #when: is_raspbian_9 or is_debian_9 or is_ubuntu_18
  when: is_debuntu and (not is_debian_8) and (not is_ubuntu_16)
  #when: (is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18
 - name: 'Install 4 packages: httpd, mod_authnz_external, php, php-curl (redhat)'
  package:
    #name: [u'httpd', u'php', u'php-curl', u'mod_authnz_external']    # FAILS ('u' for Unicode strings)
    #name: ['httpd', 'php', 'php-curl', 'mod_authnz_external']        # WORKS
    name:
      - httpd
      - mod_authnz_external
      - php
      - php-curl
    state: present
  when: is_redhat | bool
  tags:
    - download
 # remove symlinks for mpm-event, replace with mpm-prefork
 - name: Remove both mpm_event symlinks from /etc/apache2/mods-enabled (debuntu)
  file:
    path: "/etc/apache2/mods-enabled/{{ item }}"
    state: absent
  with_items:
    - mpm_event.conf
    - mpm_event.load
  when: is_debuntu | bool
 - name: Create both mpm_prefork symlinks from /etc/apache2/mods-enabled to /etc/apache2/mods-available (debuntu)
  file:
    src: "/etc/apache2/mods-available/{{ item }}"
    path: "/etc/apache2/mods-enabled/{{ item }}"
    state: link
  with_items:
    - mpm_prefork.conf
    - mpm_prefork.load
  when: is_debuntu | bool
 #- name: 'Turn on mod_proxy using a2enmod with: proxy, proxy_html, headers, rewrite (debuntu)'
 #  command: a2enmod {{ item }}
 #  with_items:
 #    - proxy
 #    - proxy_html
 #    - headers
 #    - rewrite
 #  when: is_debuntu | bool
 - name: 'Enable 5 Apache modules, as with "a2enmod" command: headers, proxy, proxy_html, proxy_http, rewrite (for http://box/kiwix, http://box/kolibri, http://box/nodered, etc--if debuntu)'
  apache2_module:
    name: "{{ item }}"
    - headers
    - proxy
    - proxy_html
    - proxy_http
    - rewrite
  when: is_debuntu | bool
 - name: Remove 000-default.conf from /etc/apache2 and /etc/apache2/sites-enabled (debuntu)
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/apache2/000-default.conf    # Not nec on Raspbian.  Is this really still needed elsewhere?
    - /etc/apache2/sites-enabled/000-default.conf
  when: is_debuntu | bool
 - name: Create Apache's pid dir /var/run/{{ apache_user }}
  file:
    path: "/var/run/{{ apache_user }}"
    mode: 0755
    owner: root
    group: root
    state: directory
 - name: 'Create group: admin'
  group:
    name: admin
    state: present
 - name: Add user {{ apache_user }} (from variable apache_user) to group admin
  user:
    name: "{{ apache_user }}"
    groups: admin
    state: present
    createhome: no
 - name: Create Apache dir /var/log/{{ apache_service }}
  file:
    path: "/var/log/{{ apache_service }}"
    mode: 0755
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
    state: directory
 - name: Enable Apache systemd service ({{ apache_service }})
  service:
    name: "{{ apache_service }}"
    enabled: yes
 - name: Create /library/www/html/info directory for http://box/info offline docs
  file:
    path: "{{ doc_root }}/info"
    mode: 0755
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
    state: directory
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@ -1,206 +1,6 @@
- name: 'Install 3 packages: apache2, php{{ php_version }}, php{{ php_version }}-curl (debian)'
+- include_tasks: install.yml
  package:
    #name: [u'apache2', u'php{{ php_version }}', u'php{{ php_version }}-curl']    # FAILS ('u' for Unicode strings)
    #name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl']       # WORKS?
    name:
      - apache2
      - "php{{ php_version }}"
      - "php{{ php_version }}-curl"
    state: present
  when: is_debian | bool
  tags:
-    - download
+    - base
 - name: 'Install 2 packages: apache2, php (ubuntu)'
  package:
    #name: [u'apache2', u'php']    # FAILS ('u' for Unicode strings)
    #name: ['apache2', 'php']      # WORKS
    name:
      - apache2
      - php
    state: present
  when: is_ubuntu | bool
  tags:
    - download
 # 2019-05-30: It's interesting that http://box.lan/admin and everything seems
 # to work even without php{{ php_version }}-sqlite3 as confirmed on Ubuntu
 # 16.04 (SEE PR #1697).  And likely all others?  @tim-moody writes "I think
 # we decided that because sqlite3 and php are part of the base install the
 # connector should be too."
 #
 # We might *try* deprecating this here as we transition beyond {raspbian-9,
 # debian-9, ubuntu-18} in coming months to verify that roles/osm-vector-maps
 # is the only role that needs it?
 #
 # Legacy Comment: SQLite3 no longer included in another package
 - name: Install php{{ php_version }}-sqlite3 (raspbian-9+ or debian-9+ or ubuntu-18+)
  package:
    name: "php{{ php_version }}-sqlite3"
  #when: is_raspbian_9 or is_debian_9 or is_ubuntu_18
  when: is_debuntu and (not is_debian_8) and (not is_ubuntu_16)
  #when: (is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18
 - name: 'Install 4 packages: httpd, mod_authnz_external, php, php-curl (redhat)'
  package:
    #name: [u'httpd', u'php', u'php-curl', u'mod_authnz_external']    # FAILS ('u' for Unicode strings)
    #name: ['httpd', 'php', 'php-curl', 'mod_authnz_external']        # WORKS
    name:
      - httpd
      - mod_authnz_external
      - php
      - php-curl
    state: present
  when: is_redhat | bool
  tags:
    - download
 - name: Install Apache's 010-iiab.conf & proxy_ajp.conf into /etc/apache2/sites-available, from templates
  template:
    backup: yes
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: 0644
  with_items:
    - { src: '010-iiab.conf.j2', dest: '/etc/{{ apache_config_dir }}/010-iiab.conf' }
    - { src: 'proxy_ajp.conf.j2', dest: '/etc/{{ apache_config_dir }}/proxy_ajp.conf' }
    #- { src: 'php.ini.j2', dest: '/etc/php.ini', mode: '0644' }    # @jvonau suggests removing this in https://github.com/iiab/iiab/issues/1147
 # For schools that use WordPress/Nextcloud/Moodle intensively.  iiab/iiab#1147
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
 - name: Enact high limits in /etc/php/{{ php_version }}/{{ apache_service }}/php.ini if using WordPress/Nextcloud/Moodle intensively
  lineinfile:
    path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  when: apache_high_php_limits | bool
  with_items:
    - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M    ; default is 2M' }
    - { regexp: '^post_max_size', line: 'post_max_size = 500M    ; default is 8M' }
    - { regexp: '^memory_limit', line: 'memory_limit = 256M    ; default is 128M / Nextcloud requests 512M' }
    - { regexp: '^max_execution_time', line: 'max_execution_time = 300    ; default is 30' }
    - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }
 # remove symlinks for mpm-event, replace with mpm-prefork
 - name: Remove both mpm_event symlinks from /etc/apache2/mods-enabled (debuntu)
  file:
    path: "/etc/apache2/mods-enabled/{{ item }}"
    state: absent
  with_items:
    - mpm_event.conf
    - mpm_event.load
  when: is_debuntu | bool
 - name: Create both mpm_prefork symlinks from /etc/apache2/mods-enabled to /etc/apache2/mods-available (debuntu)
  file:
    src: "/etc/apache2/mods-available/{{ item }}"
    path: "/etc/apache2/mods-enabled/{{ item }}"
    state: link
  with_items:
    - mpm_prefork.conf
    - mpm_prefork.load
  when: is_debuntu | bool
 #- name: 'Turn on mod_proxy using a2enmod with: proxy, proxy_html, headers, rewrite (debuntu)'
 #  command: a2enmod {{ item }}
 #  with_items:
 #    - proxy
 #    - proxy_html
 #    - headers
 #    - rewrite
 #  when: is_debuntu | bool
 #
 # NOTE: activity-server/tasks/main.yml runs "a2enmod expires"
 # NOTE: awstats/tasks/install.yml      runs "a2enmod cgi"
 # NOTE: nodered/tasks/main.yml uses apache2_module to install "proxy_wstunnel"
 # 2019-10-07: proxy_http is definitely essential!  (ARE THE OTHER 4 BELOW REALLY NEEDED ?)
 - name: 'Enable 5 Apache modules, as with "a2enmod" command: headers, proxy, proxy_html, proxy_http, rewrite (for http://box/kiwix, http://box/kolibri, http://box/nodered, etc--if debuntu)'
  apache2_module:
    name: "{{ item }}"
  with_items:
    - headers
    - proxy
    - proxy_html
    - proxy_http
    - rewrite
  when: is_debuntu | bool
 - name: Enable our site, creating 010-iiab.conf symlink from sites-enabled to sites-available (debuntu)
  file:
    src: "/etc/{{ apache_config_dir }}/010-iiab.conf"
    path: /etc/apache2/sites-enabled/010-iiab.conf
    state: link
  when: is_debuntu | bool
 - name: Remove 000-default.conf from /etc/apache2 and /etc/apache2/sites-enabled (debuntu)
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/apache2/000-default.conf    # Not nec on Raspbian.  Is this really still needed elsewhere?
    - /etc/apache2/sites-enabled/000-default.conf
  when: is_debuntu | bool
 - name: Create Apache's pid dir /var/run/{{ apache_user }}
  file:
    path: "/var/run/{{ apache_user }}"
    mode: 0755
    owner: root
    group: root
    state: directory
 - name: 'Create group: admin'
  group:
    name: admin
    state: present
 - name: Add user {{ apache_user }} (from variable apache_user) to group admin
  user:
    name: "{{ apache_user }}"
    groups: admin
    state: present
    createhome: no
 - name: Create Apache dir /var/log/{{ apache_service }}
  file:
    path: "/var/log/{{ apache_service }}"
    mode: 0755
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
    state: directory
 - name: Enable Apache systemd service ({{ apache_service }})
  service:
    name: "{{ apache_service }}"
    enabled: yes
 - name: Create /library/www/html/info directory for http://box/info offline docs
  file:
    path: "{{ doc_root }}/info"
    mode: 0755
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
    state: directory
 # SEE https://github.com/iiab/iiab/issues/1143 as the old roles/osm playbook is rarely used as of late 2018 (if anybody still uses roles/osm, they can overwrite osm.conf using the original osm playbook, or in other ways)
 - name: Install /etc/{{ apache_config_dir }}/osm.conf for http://box/maps (all OS's)
  copy:
    src: osm.conf
    dest: "/etc/{{ apache_config_dir }}"
    owner: root
    group: root
    mode: 0644
    backup: yes
 - name: Symlink /etc/apache2/sites-enabled/osm.conf to /etc/{{ apache_config_dir }}/osm.conf (debuntu)
  file:
    src: "/etc/{{ apache_config_dir }}/osm.conf"
    path: /etc/apache2/sites-enabled/osm.conf
    #path: "/etc/{{ apache_service }}/sites-enabled/osm.conf"
    state: link
  when: is_debuntu | bool
 - include_tasks: html.yml
  tags:
@ -216,21 +16,3 @@
    src: refresh-wiki-docs.sh
    dest: /usr/bin/iiab-refresh-wiki-docs
    mode: 0755
 - name: Give {{ apache_user }} (per variable apache_user) permission to poweroff, installing /etc/sudoers.d/020_apache_poweroff from template
  template:
    src: 020_apache_poweroff.j2
    dest: /etc/sudoers.d/020_apache_poweroff
    mode: 0755
  when: apache_allow_sudo | bool
 - name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff
  file:
    path: /etc/sudoers.d/020_apache_poweroff
    state: absent
  when: not apache_allow_sudo
 - name: Restart Apache systemd service ({{ apache_service }})
  systemd:
    name: "{{ apache_service }}"
    state: restarted
		`@ -0,0 +1 @@`
							`- include_tasks: roles/httpd/tasks/enable.yml`