Create roles for symfony app and ssl certificate

ansible/roles/symfony-app/defaults/main.yml

@@ -0,0 +1,44 @@
+---
+app_name: ''
+
+
+# ПОЛЬЗОАВТЕЛЬ
+
+app_user: '{{ app_name }}'
+app_group: '{{ app_user }}'
+app_user_ssh_keys: []
+
+
+# ОКРУЖЕНИЕ
+
+# Переменные окружения приложения.
+# Необходимо указывать в виде пар ключ-значение,
+# где ключ - имя переменной (обычно в верхнем регистре).
+app_envs: {}
+
+
+# ВЕБ-СЕРВЕР
+
+app_directory: '/var/www/{{ app_name }}'
+app_domains: ['{{ app_name }}.loc']
+app_web_root: '/var/www/{{ app_name }}/current/web'
+app_web_listen: 'unix:/var/run/php-fpm-{{ app_name }}.sock'
+
+
+# СЕРТИФИКАТ
+
+app_cert: no
+app_cert_type: 'self-signed'
+app_cert_email: ''
+app_cert_directory: '/opt/ssl-certificates/{{ app_name }}'
+app_cert_certificate: '/opt/ssl-certificates/{{ app_name }}/ssl.crt'
+app_cert_key: '/opt/ssl-certificates/{{ app_name }}/ssl.key'
+app_dhparam_file: '/opt/ssl-certificates/{{ app_name }}/dhparam.pem'
+
+
+# PHP-FPM
+
+app_php_version: '{{ php_version | default("7.0") }}'
+app_fpool_name: '{{ app_name }}'
+app_fpool_listen: '/var/run/php-fpm-{{ app_name }}.sock'
+app_fpool_slowlog: '/var/www/{{ app_name }}/shared/logs/'

ansible/roles/symfony-app/tasks/main.yml

@@ -0,0 +1,67 @@
+---
+- name: 'Check app requirements for {{ app_name }}.'
+  fail:
+    msg: You must set app name.
+  when: not app_name
+
+- name: 'Create group "{{ app_group }}" for {{ app_name }}.'
+  group:
+    name: '{{ app_group }}'
+    state: present
+
+- name: 'Create user "{{ app_user }}" for {{ app_name }}.'
+  user:
+    name: '{{ app_user }}'
+    comment: '{{ app_name }} application owner'
+    group: '{{ app_group }}'
+    shell: /bin/bash
+
+- name: 'Set up user ssh keys for {{ app_name }}.'
+  authorized_key:
+    user: '{{ app_user }}'
+    key: '{{ item }}'
+    state: present
+  with_items: '{{ app_user_ssh_keys }}'
+
+- name: 'Set up system environment variables for {{ app_name }}.'
+  lineinfile:
+    dest: /etc/environment
+    regexp: '^{{ item.key }}='
+    line: '{{ item.key }}="{{ item.value }}"'
+  with_dict: '{{ app_envs }}'
+
+- name: 'Create ssl certificate for {{ app_name }}.'
+  include_role:
+    name: ssl-certificate
+    private: yes
+  vars:
+    cert_type: '{{ app_cert_type }}'
+    cert_name: '{{ app_name }}'
+    cert_email: '{{ app_cert_email }}'
+    cert_domains: '{{ app_domains }}'
+    cert_directory: '{{ app_cert_directory }}'
+    cert_key: '{{ app_cert_key }}'
+    cert_certificate: '{{ app_cert_certificate }}'
+    cert_dhparam: '{{ app_dhparam_file }}'
+  when: app_cert
+
+- name: 'Create web directory for {{ app_name }}.'
+  file:
+    state: directory
+    path: '{{ app_directory }}'
+    owner: '{{ app_user }}'
+    group: '{{ app_group }}'
+    recurse: yes
+  notify: restart nginx
+
+- name: 'Create nginx config for {{ app_name }}.'
+  template:
+    src: app.conf.j2
+    dest: '/etc/nginx/sites-enabled/{{ app_name }}.conf'
+  notify: restart nginx
+
+- name: 'Creates php-fpm pool config for {{ app_name }}.'
+  template:
+    src: fpm-pool.conf.j2
+    dest: '/etc/php/{{ app_php_version }}/fpm/pool.d/{{ app_name }}.conf'
+  notify: restart php-fpm

ansible/roles/symfony-app/templates/app.conf.j2

@@ -0,0 +1,50 @@
+server {
+    server_name {{ app_domains | join(" ") }};
+
+    {% if app_cert %}
+        listen 443 ssl http2 deferred;
+    {% else %}
+        listen 80;
+    {% endif %}
+
+    {% if app_cert %}
+        {% include './ssl.j2' %}
+    {% endif %}
+
+    root {{ app_web_root }};
+
+    location / {
+        # try to serve file directly, fallback to app.php
+        try_files $uri /app.php$is_args$args;
+    }
+
+    location ~ ^/app\.php(/|$) {
+        fastcgi_pass {{ app_web_listen }};
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+
+        # When you are using symlinks to link the document root to the
+        # current version of your application, you should pass the real
+        # application path instead of the path to the symlink to PHP
+        # FPM.
+        # Otherwise, PHP's OPcache may not properly detect changes to
+        # your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
+        # for more information).
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/app.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    # return 404 for all other php files not matching the front controller
+    # this prevents access to other php files you don't want to be accessible.
+    location ~ \.php$ {
+        return 404;
+    }
+
+    error_log /var/log/nginx/{{ app_name }}_error.log;
+    access_log /var/log/nginx/{{ app_name }}_access.log;
+}

ansible/roles/symfony-app/templates/fpm-pool.conf.j2

@@ -0,0 +1,28 @@
+[{{ app_fpool_name }}]
+
+listen = {{ app_fpool_listen }}
+listen.allowed_clients = 127.0.0.1
+listen.backlog = -1
+
+user = {{ app_user }}
+group = {{ app_group }}
+
+; request_slowlog_timeout = 5s
+; slowlog = /var/log/php-fpm/slowlog-blog.log
+
+pm = dynamic
+pm.max_children = 4
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 200
+pm.status_path = /status
+
+request_terminate_timeout = 120s
+rlimit_files = 131072
+rlimit_core = unlimited
+catch_workers_output = yes
+
+{% for name, value in app_envs.iteritems() %}
+env[{{ name }}]={{ value }}
+{% endfor %}

ansible/roles/symfony-app/templates/ssl.j2

@@ -0,0 +1,15 @@
+ssl on;
+ssl_certificate         {{ app_cert_certificate }};
+ssl_certificate_key     {{ app_cert_key }};
+ssl_trusted_certificate {{ app_cert_certificate }};
+
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 5m;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ssl_dhparam {{ app_dhparam_file }};
+ssl_prefer_server_ciphers on;