diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b441558..6ceb572 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -8,24 +8,62 @@ on: workflow_dispatch: branches: [master] +env: + PY_COLORS: '1' + ANSIBLE_FORCE_COLOR: '1' + jobs: - test: + molecule: + name: Molecule Test runs-on: ubuntu-latest strategy: + fail-fast: false matrix: - image: - - "centos:7" - - "centos:8" - - "debian:10" - - "debian:11" - - "ubuntu:18.04" - - "ubuntu:20.04" + include: + - image: geerlingguy/docker-debian10-ansible:latest + command: /lib/systemd/systemd + - image: geerlingguy/docker-debian11-ansible:latest + command: /lib/systemd/systemd + - image: geerlingguy/docker-ubuntu2004-ansible:latest + - image: geerlingguy/docker-ubuntu2204-ansible:latest + - image: ghcr.io/artis3n/docker-almalinux8-ansible:latest + - image: geerlingguy/docker-rockylinux8-ansible:latest + - image: geerlingguy/docker-rockylinux9-ansible:latest steps: - uses: actions/checkout@v2 - uses: actions/setup-python@v2 with: python-version: "3.x" - - run: pip install -r requirements.txt - - run: molecule test + + - name: Install test dependencies + run: pip3 install ansible molecule molecule-docker + + - name: Run Molecule Test + run: molecule test + env: + MOLECULE_IMAGE: ${{ matrix.image }} + MOLECULE_COMMAND: ${{ matrix.command }} + + molecule-legacy: + name: Molecule Test Legacy OS + runs-on: ubuntu-20.04 + strategy: + fail-fast: false + matrix: + include: + - image: geerlingguy/docker-centos7-ansible:latest + command: /usr/lib/systemd/systemd + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-python@v2 + with: + python-version: "3.x" + + - name: Install test dependencies + run: pip3 install ansible molecule molecule-docker + + - name: Run Molecule Test + run: molecule test env: MOLECULE_IMAGE: ${{ matrix.image }} + MOLECULE_COMMAND: ${{ matrix.command }} 
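Review bot: The `Run Molecule Test` step exports the container command as `MOLECULE_COMMAND`, but molecule/default/molecule.yml in this same diff reads `${MOLECULE_DOCKER_COMMAND:-""}`, so `matrix.command` never reaches Molecule and every platform silently falls back to the image's default CMD; rename one side, e.g. `MOLECULE_DOCKER_COMMAND: ${{ matrix.command }}` in both jobs. Separately, `pip3 install ansible molecule molecule-docker` replaces the exact versions requirements.txt used to pin with floating ones, and the new `molecule-legacy` job references `actions/checkout@v2` and `actions/setup-python@v2` by mutable tag; for a reproducible, attestable pipeline pin the pip packages and reference the actions by commit SHA. The two jobs duplicate their steps verbatim, so a single job whose matrix carries an `os` entry used as `runs-on: ${{ matrix.os }}` would keep them from drifting apart.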
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..a5de656 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,19 @@ +repos: + - repo: https://github.com/ansible/ansible-lint.git + rev: v6.17.2 + hooks: + - id: ansible-lint + name: Ansible-lint + description: This hook runs ansible-lint. + entry: python3 -m ansiblelint -v --force-color + language: python + # do not pass files to ansible-lint, see: + # https://github.com/ansible/ansible-lint/issues/611 + pass_filenames: false + always_run: true + additional_dependencies: + # https://github.com/pre-commit/pre-commit/issues/1526 + # If you want to use specific version of ansible-core or ansible, feel + # free to override `additional_dependencies` in your own hook config + # file. + - ansible-core>=2.13.11 diff --git a/README.md b/README.md index f4fd4ac..704780e 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Build Status](https://travis-ci.org/inmotionhosting/ansible-role-php_fpm.png?branch=master)](https://travis-ci.org/inmotionhosting/ansible-role-php_fpm) [![GPL-3.0 License](https://img.shields.io/github/license/inmotionhosting/ansible-role-php_fpm.svg?color=blue)](https://github.com/inmotionhosting/ansible-role-php_fpm/blob/master/LICENSE) [![GitHub stars](https://img.shields.io/github/stars/inmotionhosting/ansible-role-php_fpm.svg)](https://github.com/inmotionhosting/ansible-role-php_fpm/stargazers) +![Ansible Molecule Pipeline](https://github.com/inmotionhosting/ansible-role-php_fpm/actions/workflows/main.yml/badge.svg) [![GPL-3.0 License](https://img.shields.io/github/license/inmotionhosting/ansible-role-php_fpm.svg?color=blue)](https://github.com/inmotionhosting/ansible-role-php_fpm/blob/master/LICENSE) [![GitHub stars](https://img.shields.io/github/stars/inmotionhosting/ansible-role-php_fpm.svg)](https://github.com/inmotionhosting/ansible-role-php_fpm/stargazers) # Ansible Role: PHP-FPM 
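Review bot: The hook pins ansible-lint to `rev: v6.17.2` but its `additional_dependencies` only sets a floor, `ansible-core>=2.13.11`, so the lint result still depends on whichever ansible-core is newest when the hook environment is built; pin it (e.g. `ansible-core==<chosen version>`) for a reproducible run, or document in the comment why a floor is deliberate. requirements.txt in the same diff lists `ansible-lint` and `pre-commit` without versions, so a developer invoking ansible-lint outside pre-commit may get a different major version than the hook and see different findings.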
@@ -10,9 +10,11 @@ server-focused Linux distributions and aims to follow their deprecation policies. Additionally we will focus on supporting the latest two stable releases of each, which at the time of writing are as follows: -* CentOS 7, 8 -* Debian 10, 11 -* Ubuntu 18.04, 20.04 +* CentOS 7.x or later +* Debian 10 or later +* Ubuntu 20.04 LTS or later +* AlmaLinux 8.x or later +* RockyLinux 8.x or later ## Dependencies None. @@ -26,7 +28,6 @@ Available variables are listed below with their default values (you can also see | php_fpm_config_pool_path | Default: `/etc/php-fpm.d` | php_fpm_daemon | Default: `php-fpm` | php_request_slowlog_timeout | Default: `0` -| php_fpm_site_errorlog | Default: `/home/{{ system_user }}/logs/{{ site_domain | replace (".", "_") }}.php.error.log` | php_fpm_slowlog | Default: `/var/log/php-fpm/{{ system_user }}-slow.log` | php_fpm_socket_path | Default: `/var/run/php-fpm/{{ system_user }}.sock` | php_packages | The list of PHP packages to install. diff --git a/defaults/main.yml b/defaults/main.yml index 0ea159a..5de8af9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,7 +6,6 @@ php_config_ini_path: /etc/php.ini php_fpm_config_path: /etc/php-fpm.conf php_fpm_config_pool_path: /etc/php-fpm.d php_fpm_daemon: php-fpm -php_fpm_site_errorlog: /home/{{ system_user }}/logs/{{ site_domain | replace(".", "_") }}.php.error.log php_fpm_slowlog: /var/log/php-fpm/{{ system_user }}-slow.log php_fpm_socket_path: /var/run/php-fpm/{{ system_user }}.sock php_systemd_restart: false diff --git a/handlers/main.yml b/handlers/main.yml index 8bf1dfe..b2d25da 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,6 +1,6 @@ --- -- name: restart php-fpm - systemd: - daemon_reload: yes +- name: Restart php-fpm + ansible.builtin.systemd: + daemon_reload: true name: "{{ php_fpm_daemon }}" state: restarted diff --git a/meta/main.yml b/meta/main.yml index c169ce5..e3a4758 100644 --- a/meta/main.yml +++ b/meta/main.yml 
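Review bot: `php_fpm_site_errorlog` is removed from defaults/main.yml here and from vars/debian.yml, the required-strings check in tasks/facts.yml and the README later in the diff, but no change under templates/ is part of this change; if etc/php.ini.j2 or a pool template still renders `{{ php_fpm_site_errorlog }}`, the role now fails with an undefined-variable error at template time. Please confirm the templates were checked for the name, or say so in the commit message. The handler rename to `Restart php-fpm` is applied consistently at every notify site visible in tasks/main.yml and tasks/systemd.yml.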
@@ -5,21 +5,22 @@ galaxy_info: description: Modular Ansible Role for deploying and configuring PHP-FPM company: InMotion Hosting license: GPLv3 - min_ansible_version: 2.8 + min_ansible_version: "2.9" platforms: - name: EL versions: - - 7 - - 8 + - "7" + - "8" + - "9" - name: Debian versions: - - stretch - buster + - bullseye - name: Ubuntu versions: - - bionic - focal + - jammy galaxy_tags: - web diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2 deleted file mode 100644 index 189a2dc..0000000 --- a/molecule/default/Dockerfile.j2 +++ /dev/null @@ -1,36 +0,0 @@ -{% if item.registry is defined %} -FROM {{ item.registry.url }}/{{ item.image }} -{% else %} -FROM {{ item.image }} -{% endif %} - -RUN if [ "$(command -v apt)" ]; then \ - apt update && \ - apt install -y --no-install-recommends --no-install-suggests \ - ca-certificates openssh-client openssh-server openssl python3 \ - sudo systemd && \ - apt autoremove -y && \ - apt clean -y; \ - elif [ "$(command -v dnf)" ]; then \ - dnf install -y ca-certificates hostname openssh openssh-server \ - openssl python3 sudo systemd which && \ - dnf autoremove -y && \ - dnf clean all; \ - elif [ "$(command -v yum)" ]; then \ - yum install -y ca-certificates hostname openssh openssh-server \ - openssl python3 sudo systemd which && \ - yum autoremove -y && \ - yum clean all; \ - fi - -RUN rm -rf /lib/systemd/system/{*getty*,systemd*udev*} && \ - cp /bin/true /sbin/agetty && \ - echo "Defaults !requiretty" >> /etc/sudoers - -VOLUME ["/sys/fs/cgroup"] - -{% if "centos" in item.image %} -CMD ["/usr/lib/systemd/systemd"] -{% else %} -CMD ["/lib/systemd/systemd"] -{% endif %} diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 8c93b57..5cd5178 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml 
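Review bot: `min_ansible_version: "2.9"` looks too low for the rest of this change: every task now uses `ansible.builtin.*` FQCNs, which as far as I recall only resolve on ansible-core 2.10 and later, and the new pre-commit hook requires `ansible-core>=2.13.11`. Raise the minimum to the version the role is actually tested against, e.g. `min_ansible_version: "2.13"`, and since the workflow installs whatever `pip3 install ansible` resolves to, pinning that install and mirroring it here keeps the two from disagreeing.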
@@ -1,6 +1,14 @@ --- - name: Converge hosts: all + + pre_tasks: + - name: Update apt cache (on Debian). + ansible.builtin.apt: + update_cache: true + cache_valid_time: 3600 + when: ansible_os_family == 'Debian' + vars: system_user: example roles: diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index bc237ac..cb77be4 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -6,24 +6,24 @@ driver: name: docker platforms: - - name: "molecule-ansible-role-php_fpm" - image: "${MOLECULE_IMAGE:-centos:8}" - command: "" - privileged: true + - name: "molecule-ansible-role-mysql" + image: ${MOLECULE_IMAGE:-geerlingguy/docker-ubuntu2204-ansible:latest} + command: ${MOLECULE_DOCKER_COMMAND:-""} volumes: - - /sys/fs/cgroup:/sys/fs/cgroup:ro + - /sys/fs/cgroup:/sys/fs/cgroup:rw + cgroupns_mode: host + privileged: true + pre_build_image: true provisioner: - name: ansible + name: "ansible" config_options: defaults: - callback_enabled: timer - internal_poll_interval: "0.01" + callbacks_enabled: "profile_tasks, timer" + internal_poll_interval: 0.01 nocows: 1 + stdout_callback: "yaml" var_compression_level: 9 - diff: - always: true - log: true verifier: name: ansible diff --git a/requirements.txt b/requirements.txt index 45097fe..17f4026 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,4 @@ # requirements.txt -ansible==4.5.0 -molecule==3.4.0 -molecule-docker==1.0.2 +ansible-lint +pre-commit diff --git a/tasks/facts.yml b/tasks/facts.yml index ab0daaa..d93294a 100644 --- a/tasks/facts.yml +++ b/tasks/facts.yml 
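Review bot: The platform in molecule/default/molecule.yml is renamed to `molecule-ansible-role-mysql`, which looks like a copy-paste from another role; this is the php_fpm role, so keep `name: "molecule-ansible-role-php_fpm"`. The container now mounts `/sys/fs/cgroup` read-write with `cgroupns_mode: host` and `privileged: true`, which is the usual recipe for systemd-in-Docker but does give the test container full control of the runner; a one-line comment saying that is why would stop a future reader from "hardening" it and breaking the matrix. In requirements.txt the pinned `ansible`, `molecule` and `molecule-docker` lines are gone and the workflow no longer reads the file, so a comment such as `# local dev tooling only; CI installs its own deps` would clarify what the remaining two entries are for.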
@@ -8,18 +8,18 @@ - name: Set installed PHP version vars: package: php-fpm - set_fact: + ansible.builtin.set_fact: php_version_installed: "{{ ansible_facts.packages[package][0].version.split('.')[0:2] | join('.') }}" php_version_installed_flat: "{{ ansible_facts.packages[package][0].version.split('.')[0:2] | join('.') | replace('.', '') }}" when: - package in ansible_facts.packages.keys() - name: Include Debian vars - include_vars: "debian.yml" + ansible.builtin.include_vars: "debian.yml" when: ansible_os_family|lower == "debian" - name: Set lists of required variables - set_fact: + ansible.builtin.set_fact: php_required_strings: - php_version - php_version_flat @@ -35,7 +35,6 @@ - php_conf_soap_wsdl_cache_dir - php_fpm_config_pool_path - php_fpm_socket_path - - php_fpm_site_errorlog - php_fpm_slowlog php_required_ints: - php_ini_rlimit_files @@ -51,7 +50,7 @@ - php_ini_zlib_output_compression_level - name: Check required PHP variables (strings) - fail: + ansible.builtin.fail: msg: | Invalid value for variable for '{{ item }}': {{ lookup('vars', item) }} @@ -63,7 +62,7 @@ with_items: "{{ php_required_strings }}" - name: Check required PHP variables (integers) - fail: + ansible.builtin.fail: msg: | Invalid value for variable for '{{ item }}': {{ lookup('vars', item) }} @@ -75,7 +74,7 @@ with_items: "{{ php_required_ints }}" - name: Check required PHP variables (php_packages) - fail: + ansible.builtin.fail: msg: | Invalid value for variable for 'php_packages': {{ php_packages }} 
@@ -86,21 +85,21 @@ or php_packages == 0 - name: Set and sanitize dependent RedHat vars - set_fact: + ansible.builtin.set_fact: apache_config_path: /etc/httpd/conf.d when: - ansible_os_family|lower == "redhat" - apache_config_path is undefined - name: Set and sanitize dependent Debian vars - set_fact: + ansible.builtin.set_fact: apache_config_path: /etc/apache2/conf-enabled when: - ansible_os_family|lower == "debian" - apache_config_path is undefined - name: Check variable 'systemd_restart_setting' - fail: + ansible.builtin.fail: msg: | Invalid value for variable 'systemd_restart_setting': '{{ systemd_restart_setting }}' @@ -120,13 +119,13 @@ and systemd_restart) - name: Set PHP switcher - set_fact: + ansible.builtin.set_fact: php_version_switch: true when: - php_version_installed is defined - php_version != php_version_installed - name: Remove php-sodium when PHP 5.6 - set_fact: + ansible.builtin.set_fact: php_packages: "{{ php_packages | reject('search', 'php-sodium') | list }}" when: php_version == '5.6' diff --git a/tasks/main.yml b/tasks/main.yml index efebded..6d76e5c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,12 +1,12 @@ --- - name: Set and sanitize facts - include_tasks: facts.yml + ansible.builtin.include_tasks: facts.yml - name: Setup package repositories - include_tasks: "packages/{{ ansible_os_family|lower }}.yml" + ansible.builtin.include_tasks: "packages/{{ ansible_os_family | lower }}.yml" - name: Remove PHP packages (if version changing) - package: + ansible.builtin.package: name: "{{ php_packages }}" state: absent when: 
@@ -14,17 +14,20 @@ - php_version_switch - name: Install PHP packages - package: + ansible.builtin.package: name: "{{ php_packages }}" state: present - name: Ensure directories exist - file: + ansible.builtin.file: path: /var/run/php state: directory + owner: root + group: root + mode: "0750" - name: Ensure PHP session directory permissions - file: + ansible.builtin.file: path: /var/lib/php/session state: directory owner: root @@ -32,45 +35,45 @@ mode: "1733" - name: Configure php.ini - template: + ansible.builtin.template: src: etc/php.ini.j2 dest: "{{ php_config_ini_path }}" owner: root group: root mode: "0644" - notify: restart php-fpm + notify: Restart php-fpm - name: Configure rlimit_files in php-fpm.conf - lineinfile: + ansible.builtin.lineinfile: path: "{{ php_fpm_config_path }}" regexp: "^;rlimit_files.*" line: rlimit_files = {{ php_ini_rlimit_files }} - notify: restart php-fpm + notify: Restart php-fpm - name: Check if Apache dirs are present - stat: + ansible.builtin.stat: path: "{{ apache_config_path }}" register: apache - name: Configure Apache PHP settings - template: + ansible.builtin.template: src: etc/httpd/conf.d/php.conf.j2 dest: "{{ apache_config_path }}/php.conf" owner: root group: root mode: "0644" - notify: restart php-fpm + notify: Restart php-fpm when: apache.stat.exists - name: Include systemd restart configuration - include: systemd.yml + ansible.builtin.include_tasks: systemd.yml when: >- ( php_systemd_restart|default(False) or systemd_restart|default(False) ) and systemd_restart_setting is defined - name: Start and enable php-fpm service - service: + ansible.builtin.service: name: "{{ php_fpm_daemon }}" state: started enabled: true diff --git a/tasks/packages/debian.yml b/tasks/packages/debian.yml index a7952cc..05696ea 100644 --- a/tasks/packages/debian.yml +++ b/tasks/packages/debian.yml 
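Review bot: Setting `/var/run/php` to `mode: "0750"` with `owner: root` and `group: root` in `Ensure directories exist` will break socket access on Debian-family hosts: vars/debian.yml sets `php_fpm_socket_path: /var/run/php/{{ system_user }}.sock`, and the web server process (www-data or whichever user the pool's listen settings grant) needs execute permission on that directory to connect to the socket. I believe the Debian packages create `/run/php` world-traversable (0755) for exactly this reason, so use `mode: "0755"` here or drop the owner/group/mode keys and leave the package default. Note also that `/var/run` is normally tmpfs, so this directory is recreated at boot by the package's tmpfiles entry rather than by this task; presumably that is acceptable, but worth a comment.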
@@ -1,38 +1,39 @@ --- - name: (Debian) Install required repo management packages - apt: + ansible.builtin.apt: name: - apt-transport-https - ca-certificates - gpg - python3-apt - software-properties-common + - gpg-agent cache_valid_time: "3600" force_apt_get: true state: present update_cache: true - name: (Debian) Add sury.org repo signing key - apt_key: + ansible.builtin.apt_key: url: https://packages.sury.org/php/apt.gpg state: present - name: (Debian) Add sury.org PHP repo - apt_repository: + ansible.builtin.apt_repository: repo: >- deb https://packages.sury.org/php/ - {{ ansible_distribution_release.split(" ")[0]|lower }} main + {{ ansible_distribution_release.split(" ")[0] | lower }} main state: present - when: ansible_distribution|lower == "debian" + when: ansible_distribution | lower == "debian" - name: (Ubuntu) Add sury.org PHP repo - apt_repository: + ansible.builtin.apt_repository: repo: ppa:ondrej/php state: present - when: ansible_distribution|lower == "ubuntu" + when: ansible_distribution | lower == "ubuntu" - name: (Debian) Update APT cache - apt: + ansible.builtin.apt: force_apt_get: true cache_valid_time: "3600" state: present diff --git a/tasks/packages/redhat.yml b/tasks/packages/redhat.yml index 7fecbc0..71409ce 100644 --- a/tasks/packages/redhat.yml +++ b/tasks/packages/redhat.yml 
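Review bot: `ansible.builtin.apt_key` in `(Debian) Add sury.org repo signing key` imports the key into the global trusted keyring, which `apt-key` has deprecated on Debian 11 and Ubuntu 22.04 — both newly added to the supported platforms in this diff — and a key in the global keyring is trusted for every configured repository, not just sury's. Prefer fetching `https://packages.sury.org/php/apt.gpg` with `ansible.builtin.get_url` into `/etc/apt/keyrings/` (with a `checksum:` so the key is verified rather than trusted on first fetch) and referencing it from the repo line as `[signed-by=/etc/apt/keyrings/<keyfile>]`. The `gpg-agent` package added to the first task is presumably there for `apt_key`; it becomes unnecessary with the keyring approach.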
@@ -1,57 +1,64 @@ --- - name: (RedHat) Install repository management packages - package: + ansible.builtin.package: name: - epel-release - yum-utils state: present - name: (RedHat) Add Remi repository GPG key - rpm_key: + ansible.builtin.rpm_key: state: present key: "https://rpms.remirepo.net/RPM-GPG-KEY-{{ target }}" vars: target: >- - {{ "remi" if version|int == 7 - else "remi2018" }} + {{ "remi2021" if version | int == 9 + else ("remi2018" if version | int == 8 + else ("remi" if version | int == 7 + else "remi2023")) }} version: "{{ ansible_distribution_major_version }}" - name: (RedHat) Add Remi repository - package: - name: >- - https://rpms.remirepo.net/enterprise/remi-release- - {{- ansible_distribution_major_version }}.rpm - state: present + ansible.builtin.package: + name: https://rpms.remirepo.net/enterprise/remi-release-{{- ansible_distribution_major_version }}.rpm + +# FIXME: Find a better way to enable a repo prior to installing packages +# FIXME: Idempotence is broken on this task. Anything we can hook onto? +- name: (RedHat 9) Enable CRB repository + ansible.builtin.raw: dnf config-manager --set-enabled crb + when: ansible_distribution_major_version == "9" and ansible_os_family == "RedHat" + changed_when: result.rc > 0 + register: result # FIXME: Find a better way to enable a repo prior to installing packages # FIXME: Idempotence is broken on this task. Anything we can hook onto? 
- name: (RedHat) Disable current Remi PHP repository (if version changing) - raw: "{{ command }}{{ target }}" + ansible.builtin.raw: "{{ command }}{{ target }}" changed_when: result.rc > 0 register: result vars: command: >- - {{ "yum-config-manager --disable remi-php" if version|int == 7 + {{ "yum-config-manager --disable remi-php" if version | int == 7 else "dnf module enable -y php:remi-" }} target: >- - {{ php_version_installed_flat if version|int == 7 + {{ php_version_installed_flat if version | int == 7 else php_version_installed }} version: "{{ ansible_distribution_major_version }}" when: - - php_version_switch|default(false) + - php_version_switch | default(false) - php_version_switch is defined # FIXME: Find a better way to enable a repo prior to installing packages # FIXME: Idempotence is broken on this task. Anything we can hook onto? - name: (RedHat) Enable Remi PHP repository - raw: "{{ command }}{{ target }}" + ansible.builtin.raw: "{{ command }}{{ target }}" changed_when: result.rc > 0 register: result vars: command: >- - {{ "yum-config-manager --enable remi-php" if version|int == 7 + {{ "yum-config-manager --enable remi-php" if version | int == 7 else "dnf module enable -y php:remi-" }} target: >- - {{ php_version_flat if version|int == 7 + {{ php_version_flat if version | int == 7 else php_version }} version: "{{ ansible_distribution_major_version }}" diff --git a/tasks/systemd.yml b/tasks/systemd.yml index d5ab53b..e9c6c0d 100644 --- a/tasks/systemd.yml +++ b/tasks/systemd.yml 
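Review bot: The new `(RedHat 9) Enable CRB repository` task copies the `raw` pattern whose own FIXME says idempotence is broken, and `changed_when: result.rc > 0` marks the task changed only when `dnf config-manager` exits non-zero — which, as far as I can tell, `raw` already treats as a failure — so a successful enable is never surfaced as a change. Since EL 9 is the only target here, `ansible.builtin.command` guarded by a prior `dnf repolist --enabled` check, or `community.general.dnf_config_manager` if that collection is acceptable, would give an honest changed status. In `(RedHat) Add Remi repository` the `state: present` line was dropped; `package` defaults to present so behaviour is unchanged, but an explicit state reads better. The GPG-key mapping now falls through to `"remi2023"` for any major version other than 7, 8 or 9 — confirm that is the intended key name for newer releases, since a wrong name makes `rpm_key` fail before the release RPM is fetched and leaves the signature check for everything after it unverified.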
@@ -1,23 +1,26 @@ --- - name: Gather package facts - package_facts: + ansible.builtin.package_facts: manager: auto - name: Set and sanitize systemd version facts - set_fact: + ansible.builtin.set_fact: systemd_version: >- {{ ansible_facts.packages['systemd'][0].version }} - name: Creates service directory - file: + ansible.builtin.file: path: /etc/systemd/system/{{ php_fpm_daemon }}.service.d state: directory + owner: root + group: root + mode: "0750" - name: Create service file - template: + ansible.builtin.template: src: etc/systemd/restart.conf.j2 dest: /etc/systemd/system/{{ php_fpm_daemon }}.service.d/restart.conf owner: root group: root mode: "0600" - notify: restart php-fpm + notify: Restart php-fpm diff --git a/vars/debian.yml b/vars/debian.yml index 4c2b147..680fd09 100644 --- a/vars/debian.yml +++ b/vars/debian.yml @@ -3,7 +3,6 @@ php_config_ini_path: /etc/php/{{ php_version }}/fpm/php.ini php_fpm_config_path: /etc/php/{{ php_version }}/fpm/php-fpm.conf php_fpm_config_pool_path: /etc/php/{{ php_version }}/fpm/pool.d php_fpm_daemon: php{{ php_version }}-fpm -php_fpm_site_errorlog: /var/log/php{{ php_version }}-fpm-{{ system_user }}-error.log php_fpm_slowlog: /var/log/php{{ php_version }}-fpm-slow.log php_fpm_socket_path: /var/run/php/{{ system_user }}.sock