Create roles for symfony app and ssl certificate

ansible/roles/ssl-certificate/defaults/main.yml

@@ -0,0 +1,24 @@
+---
+# Required, allowed: self-signed, letsencrypt
+cert_type: 'self-signed'
+
+# Required, name for ssl-certificate configuration
+cert_name: ''
+
+# Required: domain owner email
+cert_email: ''
+
+# Required: domains for lets encrypt certificate creation
+cert_domains: []
+
+# Parameters to store generated keys
+cert_directory: '/opt/ssl-certificates/{{ cert_name }}'
+cert_key: '{{ cert_directory }}/ssl.key'
+cert_request: '{{ cert_directory }}/ssl.csr'
+cert_certificate: '{{ cert_directory }}/ssl.crt'
+
+# DH parameters
+cert_dhparam: '/etc/nginx/dhparam.pem'
+cert_dhparam_n: 2048
+
+cert_le_webroot_path: /var/www/letsencrypt

ansible/roles/ssl-certificate/tasks/letsencrypt.yml

@@ -0,0 +1,33 @@
+---
+- name: Check required parameters.
+  fail:
+    msg: You must set up domain and email.
+  when: not cert_domains or not cert_email
+
+- name: Create letsencrypt web root directory.
+  file:
+    name: '{{ cert_le_webroot_path }}'
+    state: directory
+
+- name: Copy notes acme server config.
+  template:
+    src: vhost.conf.j2
+    dest: "/etc/nginx/sites-enabled/{{ cert_name }}_letsencrypt.conf"
+
+- name: Restart nginx.
+  service:
+    name: nginx
+    state: restarted
+
+- name: Configure Lest Encrypt certificate.
+  include_role:
+    name: thefinn93.ansible-letsencrypt
+    private: yes
+  vars:
+    letsencrypt_webroot_path: '{{ cert_le_webroot_path }}'
+    letsencrypt_email: '{{ cert_email }}'
+    letsencrypt_cert_domains: '{{ cert_domains }}'
+    letsencrypt_renewal_command_args: '--renew-hook "systemctl restart nginx"'
+    ssl_certificate: '{{ cert_certificate }}'
+    ssl_certificate_key: '{{ cert_key }}'
+  when: False

ansible/roles/ssl-certificate/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+- name: Ensure certificate storage exists.
+  file:
+    path: '{{ cert_directory }}'
+    state: directory
+
+- include: self-signed.yml
+  when: cert_type == 'self-signed'
+
+- include: letsencrypt.yml
+  when: cert_type == 'letsencrypt'
+
+- name: Generate dhparams.
+  shell: 'openssl dhparam -out {{ cert_dhparam }} {{ cert_dhparam_n }}'
+  args:
+    creates: '{{ cert_dhparam }}'

ansible/roles/ssl-certificate/tasks/self-signed.yml

@@ -0,0 +1,33 @@
+---
+- name: Check certificate params.
+  fail:
+    msg: You must setup certificate file params.
+  when: not cert_certificate or not cert_key
+
+- name: Generate self signed ssl key.
+  shell: |
+    openssl genrsa \
+      -aes256 \
+      -passout pass:client11 \
+      -out {{ cert_directory }}/ssl.pass.key \
+      1024
+
+    openssl rsa \
+      -passin pass:client11 \
+      -in {{ cert_directory }}/ssl.pass.key \
+      -out {{ cert_key }}
+
+    openssl req \
+      -new \
+      -key {{ cert_key }} \
+      -out {{ cert_request }} \
+      -subj "/CN=localhost"
+
+    openssl x509 \
+      -req \
+      -days 365 \
+      -in {{ cert_request }} \
+      -signkey {{ cert_key }} \
+      -out {{ cert_certificate }}
+  args:
+    creates: '{{ cert_certificate }}'

ansible/roles/ssl-certificate/templates/vhost.conf.j2

@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    server_name {{ cert_domains|join(' ') }};
+
+    location /.well-known {
+        root {{ cert_le_webroot_path }};
+        try_files $uri $uri/ =404;
+    }
+
+    location / {
+        rewrite ^ https://$host$request_uri? permanent;
+    }
+}

ansible/roles/symfony-app/defaults/main.yml

@@ -0,0 +1,44 @@
+---
+app_name: ''
+
+
+# ПОЛЬЗОАВТЕЛЬ
+
+app_user: '{{ app_name }}'
+app_group: '{{ app_user }}'
+app_user_ssh_keys: []
+
+
+# ОКРУЖЕНИЕ
+
+# Переменные окружения приложения.
+# Необходимо указывать в виде пар ключ-значение,
+# где ключ - имя переменной (обычно в верхнем регистре).
+app_envs: {}
+
+
+# ВЕБ-СЕРВЕР
+
+app_directory: '/var/www/{{ app_name }}'
+app_domains: ['{{ app_name }}.loc']
+app_web_root: '/var/www/{{ app_name }}/current/web'
+app_web_listen: 'unix:/var/run/php-fpm-{{ app_name }}.sock'
+
+
+# СЕРТИФИКАТ
+
+app_cert: no
+app_cert_type: 'self-signed'
+app_cert_email: ''
+app_cert_directory: '/opt/ssl-certificates/{{ app_name }}'
+app_cert_certificate: '/opt/ssl-certificates/{{ app_name }}/ssl.crt'
+app_cert_key: '/opt/ssl-certificates/{{ app_name }}/ssl.key'
+app_dhparam_file: '/opt/ssl-certificates/{{ app_name }}/dhparam.pem'
+
+
+# PHP-FPM
+
+app_php_version: '{{ php_version | default("7.0") }}'
+app_fpool_name: '{{ app_name }}'
+app_fpool_listen: '/var/run/php-fpm-{{ app_name }}.sock'
+app_fpool_slowlog: '/var/www/{{ app_name }}/shared/logs/'

ansible/roles/symfony-app/tasks/main.yml

@@ -0,0 +1,67 @@
+---
+- name: 'Check app requirements for {{ app_name }}.'
+  fail:
+    msg: You must set app name.
+  when: not app_name
+
+- name: 'Create group "{{ app_group }}" for {{ app_name }}.'
+  group:
+    name: '{{ app_group }}'
+    state: present
+
+- name: 'Create user "{{ app_user }}" for {{ app_name }}.'
+  user:
+    name: '{{ app_user }}'
+    comment: '{{ app_name }} application owner'
+    group: '{{ app_group }}'
+    shell: /bin/bash
+
+- name: 'Set up user ssh keys for {{ app_name }}.'
+  authorized_key:
+    user: '{{ app_user }}'
+    key: '{{ item }}'
+    state: present
+  with_items: '{{ app_user_ssh_keys }}'
+
+- name: 'Set up system environment variables for {{ app_name }}.'
+  lineinfile:
+    dest: /etc/environment
+    regexp: '^{{ item.key }}='
+    line: '{{ item.key }}="{{ item.value }}"'
+  with_dict: '{{ app_envs }}'
+
+- name: 'Create ssl certificate for {{ app_name }}.'
+  include_role:
+    name: ssl-certificate
+    private: yes
+  vars:
+    cert_type: '{{ app_cert_type }}'
+    cert_name: '{{ app_name }}'
+    cert_email: '{{ app_cert_email }}'
+    cert_domains: '{{ app_domains }}'
+    cert_directory: '{{ app_cert_directory }}'
+    cert_key: '{{ app_cert_key }}'
+    cert_certificate: '{{ app_cert_certificate }}'
+    cert_dhparam: '{{ app_dhparam_file }}'
+  when: app_cert
+
+- name: 'Create web directory for {{ app_name }}.'
+  file:
+    state: directory
+    path: '{{ app_directory }}'
+    owner: '{{ app_user }}'
+    group: '{{ app_group }}'
+    recurse: yes
+  notify: restart nginx
+
+- name: 'Create nginx config for {{ app_name }}.'
+  template:
+    src: app.conf.j2
+    dest: '/etc/nginx/sites-enabled/{{ app_name }}.conf'
+  notify: restart nginx
+
+- name: 'Creates php-fpm pool config for {{ app_name }}.'
+  template:
+    src: fpm-pool.conf.j2
+    dest: '/etc/php/{{ app_php_version }}/fpm/pool.d/{{ app_name }}.conf'
+  notify: restart php-fpm

ansible/roles/symfony-app/templates/app.conf.j2

@@ -0,0 +1,50 @@
+server {
+    server_name {{ app_domains | join(" ") }};
+
+    {% if app_cert %}
+        listen 443 ssl http2 deferred;
+    {% else %}
+        listen 80;
+    {% endif %}
+
+    {% if app_cert %}
+        {% include './ssl.j2' %}
+    {% endif %}
+
+    root {{ app_web_root }};
+
+    location / {
+        # try to serve file directly, fallback to app.php
+        try_files $uri /app.php$is_args$args;
+    }
+
+    location ~ ^/app\.php(/|$) {
+        fastcgi_pass {{ app_web_listen }};
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+
+        # When you are using symlinks to link the document root to the
+        # current version of your application, you should pass the real
+        # application path instead of the path to the symlink to PHP
+        # FPM.
+        # Otherwise, PHP's OPcache may not properly detect changes to
+        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
+        # for more information).
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/app.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    # return 404 for all other php files not matching the front controller
+    # this prevents access to other php files you don't want to be accessible.
+    location ~ \.php$ {
+        return 404;
+    }
+
+    error_log /var/log/nginx/{{ app_name }}_error.log;
+    access_log /var/log/nginx/{{ app_name }}_access.log;
+}

ansible/roles/symfony-app/templates/fpm-pool.conf.j2

@@ -0,0 +1,28 @@
+[{{ app_fpool_name }}]
+
+listen = {{ app_fpool_listen }}
+listen.allowed_clients = 127.0.0.1
+listen.backlog = -1
+
+user = {{ app_user }}
+group = {{ app_group }}
+
+; request_slowlog_timeout = 5s
+; slowlog = /var/log/php-fpm/slowlog-blog.log
+
+pm = dynamic
+pm.max_children = 4
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 200
+pm.status_path = /status
+
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+{% for name, value in app_envs.iteritems() %}
+env[{{ name }}]={{ value }}
+{% endfor %}

ansible/roles/symfony-app/templates/ssl.j2

@@ -0,0 +1,15 @@
+ssl on;
+ssl_certificate         {{ app_cert_certificate }};
+ssl_certificate_key     {{ app_cert_key }};
+ssl_trusted_certificate {{ app_cert_certificate }};
+
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ssl_dhparam {{ app_dhparam_file }};
+ssl_prefer_server_ciphers on;