diff --git a/roles/kimai/defaults/main.yml b/roles/kimai/defaults/main.yml
new file mode 100644
index 0000000..01667e8
--- /dev/null
+++ b/roles/kimai/defaults/main.yml
@@ -0,0 +1,87 @@
+---
+
+# You can install several kimai instances on the same host
+# just make sure to set a different instance id for each
+# You can set it to a number or a simple string (no special chars)
+kimai_id: 1
+# Kimai version to deploy
+kimai_version: 1.17.1
+
+# URL of the archive
+kimai_archive_url: https://github.com/kevinpapst/kimai2/archive/refs/tags/{{ kimai_version }}.tar.gz
+# Expected sha256 of the archive
+kimai_archive_sha256: ceff0573591d2e5c70a679301caabe626d8545af5e987443c8155f633babcd0e
+
+# Directory where kimai will be installed
+kimai_root_dir: /opt/kimai_{{ kimai_id }}
+# Should ansible handle upgrades or only initial install
+kimai_manage_upgrade: True
+
+# User under which PHP will run
+# Will be created
+kimai_php_user: php-kimai_{{ kimai_id }}
+# PHP version under which kimai will run
+kimai_php_version: 81
+# Or you can specify here the name of a custom PHP FPM pool. See the httpd_php role
+# bookstack_php_fpm_pool: custom_kimai
+
+# If you want to configure the access to kimai on your main vhost
+# kimai_web_alias: /kimai
+# If not set, you'll need to create a dedicated vhost (see httpd_common role)
+kimai_web_alias: False
+kimai_public_url: http://{{ inventory_hostname }}
+# If you set kimai_src_ip, it'll be considered a list of trusted proxies
+kimai_src_ip: []
+
+# An app specific secret. If not defined, a random one will be created and stored under {{ kimai_root_dir }}/meta/ansible_secret_key
+# kimai_secret_key: S3cr3t.
+
+# Database settings
+kimai_db_server: "{{ mysql_server | default('localhost') }}"
+kimai_db_port: 3306
+kimai_db_name: kimai_{{ kimai_id }}
+kimai_db_user: kimai_{{ kimai_id }}
+# If the pass is not set, a random one will be created and store in {{ kimai_root_dir }}/meta/ansible_dbpass
+# kimai_db_pass: S3cr3t.
+
+# A default admin user will be created during installation
+# If its password isn't set, a random one will be configured and stored in {{ kimai_root_dir }}/meta/ansible_admin_pass
+# Note that this user is only created on first installed, and will not be checked or created again on next runs
+kimai_admin_user: admin@{{ ansible_domain }}
+# kimai_admin_pass÷ S3cr3t.
+
+# Custom configuration. Will be loaded in {{ kimai_root_dir }}/app/config/packages/local.yaml
+kimai_base_settings:
+ kimai:
+# Better to override kimai_extra_settings so future defaults will be merged with your custom settings.
+# For example, to set SAML auth (example working with Lemonldap::NG as SAML idp
+# kimai_extra_settings:
+# kimai:
+# saml:
+# activate: true
+# title: 'SSO'
+# mapping:
+# - { saml: $mail, kimai: email }
+# - { saml: $principal, kimai: username }
+# - { saml: $cn, kimai: alias }
+# roles:
+# attribute: groups
+# mapping:
+# - { saml: Role_Infra_Admin, kimai: ROLE_ADMIN }
+# - { saml: Projet, kimai: ROLE_TEAMLEAD }
+# connection:
+# idp:
+# entityId: 'https://sso.example.org/saml/metadata'
+# singleSignOnService:
+# url: 'https://sso.example.org/saml/singleSignOn'
+# x509cert: 'MIICsDCCAZigAwIBAgIEAE11GTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQBDA9zc28ubGFwaW9sZS5vcmcwHhcNMjEwMzE1MTExMzMyWhcNNDEwMzEwMTExMzMyWjAaMRgwFgYDVQQDDA9zc28ubGFwaW9sZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+sPo4pned1vg9IoHVhHoPVeWEKOsYet1NL9eZu5mBI1gg6J+ffiv0Exy+FuISdaRoqPijeUX32TZlgk8cIleANH/Q+FFdsVdqBtpo4Oh5kozT+Ztr6UFcc6rRVOlmFnp4J3A3xUnumBABAeCKu6htA6oxe1NUh+wEs38BakMHlrSThJRODtZPo7jTcI9ZXHRnTpo2CQU5KxIXw2aHo6mmVH6/BGkU8m0OoRAfqJe9zLDnUYOP6cJckEwED6IcaXF1eXdXIRhhBn7Awmob/xoOYh+TzrY3OCLRQ/LZ3zvv0sTi8k4RU2ne3Bi54aVOEXYo4X45vEDt8akzDYjhyrNVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAG5G/Zp4g+0znft8mB42XYRxHqT1DCCdgkWL8j6JgVixQO8IP+yDFcHi+DUwhC1YfMqtlfD1V/kr9t/QA38v7PsZz7N6mCmwQv2LIbHMsfq7bF7NGQl//50cPmKRfuJgMc7Qh479XKJKUkdo4q5xLMlJGI+hnou3Wi2dcMLgp042Ws+ZOTUaRVOZJ2NGeNJ/18z6kME0MNNL/ytp0bP+2lbAPUNyDmVDDxDa7/Xz87onfQpzs8rNyO2QpCHjVNyRFpdzb2K4j9IUCqKWl8NTVnCx0hAgspOKAIXKsy8UUR4FOyypmIHU4Z1gU7US2KRrCnnmC1U0ogUZC4FXzNfLetA='
+# sp:
+# entityId: 'https://temps.example.org/auth/saml/metadata'
+# assertionConsumerService:
+# url: 'https://temps.example.org/auth/saml/acs'
+# baseurl: https://temps.example.org/auth/saml
+# strict: true
+# debug: true
+
+kimai_extra_settings: {}
+kimai_settings: "{{ kimai_base_settings | combine(kimai_extra_settings, recursive=True) }}"
diff --git a/roles/kimai/handlers/main.yml b/roles/kimai/handlers/main.yml
new file mode 100644
index 0000000..b5a2f8e
--- /dev/null
+++ b/roles/kimai/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: clear kimai cache
+ command: /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:reload --env=prod
+ become_user: "{{ kimai_php_user }}"
diff --git a/roles/kimai/meta/main.yml b/roles/kimai/meta/main.yml
new file mode 100644
index 0000000..c58735b
--- /dev/null
+++ b/roles/kimai/meta/main.yml
@@ -0,0 +1,9 @@
+---
+
+allow_duplicates: True
+dependencies:
+ - role: mkdir
+ - role: httpd_php
+ - role: mysql_server
+ when: kimai_db_server in ['localhost', '127.0.0.1']
+ - role: composer
diff --git a/roles/kimai/tasks/archive_post.yml b/roles/kimai/tasks/archive_post.yml
new file mode 100644
index 0000000..02ca509
--- /dev/null
+++ b/roles/kimai/tasks/archive_post.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Compress previous version
+ command: tar cf {{ kimai_root_dir }}/archives/{{ kimai_current_version }}.tar.zst ./ --use-compress-program=zstd
+ args:
+ chdir: "{{ kimai_root_dir }}/archives/{{ kimai_current_version }}"
+ warn: False
+ environment:
+ ZSTD_CLEVEL: 10
+ tags: kimai
diff --git a/roles/kimai/tasks/archive_pre.yml b/roles/kimai/tasks/archive_pre.yml
new file mode 100644
index 0000000..a593a12
--- /dev/null
+++ b/roles/kimai/tasks/archive_pre.yml
@@ -0,0 +1,34 @@
+---
+
+- name: Create the archive dir
+ file: path={{ kimai_root_dir }}/archives/{{ kimai_current_version }} state=directory
+ tags: kimai
+
+- name: Archive current version
+ synchronize:
+ src: "{{ kimai_root_dir }}/app"
+ dest: "{{ kimai_root_dir }}/archives/{{ kimai_current_version }}/"
+ compress: False
+ delete: True
+ delegate_to: "{{ inventory_hostname }}"
+ tags: kimai
+
+- name: Install mariadb client
+ package:
+ name:
+ - mariadb
+ tags: kimai
+
+- name: Dump the database
+ mysql_db:
+ state: dump
+ name: "{{ kimai_db_name }}"
+ target: "{{ kimai_root_dir }}/archives/{{ kimai_current_version }}/{{ kimai_db_name }}.sql.xz"
+ login_host: "{{ kimai_db_server }}"
+ login_user: "{{ kimai_db_user }}"
+ login_password: "{{ kimai_db_pass }}"
+ quick: True
+ single_transaction: True
+ environment:
+ XZ_OPT: -T0
+ tags: kimai
diff --git a/roles/kimai/tasks/cleanup.yml b/roles/kimai/tasks/cleanup.yml
new file mode 100644
index 0000000..cbff514
--- /dev/null
+++ b/roles/kimai/tasks/cleanup.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Remove tmp and obsolete files
+ file: path={{ item }} state=absent
+ loop:
+ - "{{ kimai_root_dir }}/archives/{{ kimai_current_version }}"
+ - "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}"
+ - "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}.tar.gz"
+ tags: kimai
diff --git a/roles/kimai/tasks/conf.yml b/roles/kimai/tasks/conf.yml
new file mode 100644
index 0000000..3f05e39
--- /dev/null
+++ b/roles/kimai/tasks/conf.yml
@@ -0,0 +1,56 @@
+---
+
+- import_tasks: ../includes/webapps_webconf.yml
+ vars:
+ - app_id: kimai_{{ kimai_id }}
+ - php_version: "{{ kimai_php_version }}"
+ - php_fpm_pool: "{{ kimai_php_fpm_pool | default('') }}"
+ tags: kimai
+
+- name: Deploy kimai configuration
+ template: src={{ item.src }} dest={{ item.dest }} group={{ kimai_php_user }} mode=640
+ loop:
+ - src: env.j2
+ dest: "{{ kimai_root_dir }}/app/.env"
+ - src: local.yaml.j2
+ dest: "{{ kimai_root_dir }}/app/config/packages/local.yaml"
+ notify: clear kimai cache
+ tags: kimai
+
+- name: Deploy permission script
+ template: src=perms.sh.j2 dest={{ kimai_root_dir }}/perms.sh mode=755
+ register: kimai_perm_script
+ tags: kimai
+
+- name: Apply permissions
+ command: "{{ kimai_root_dir }}/perms.sh"
+ when: kimai_perm_script.changed or kimai_install_mode != 'none'
+ tags: kimai
+
+- when: kimai_install_mode == 'install'
+ block:
+
+ - name: Init the database
+ command: /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:install -n
+
+ - name: Create initial admin user
+ shell: echo {{ kimai_admin_pass | quote }} | /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:user:create username {{ kimai_admin_user | quote }} ROLE_SUPER_ADMIN
+
+ become_user: "{{ kimai_php_user }}"
+ tags: kimai
+
+- when: kimai_install_mode == 'upgrade'
+ block:
+
+ - name: Update the database
+ command: /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:update -n
+
+ - name: Clear kimai cache
+ command: /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:reload --env=prod
+
+ become_user: "{{ kimai_php_user }}"
+ tags: kimai
+
+- name: Setup logrotate
+ template: src=logrotate.conf.j2 dest=/etc/logrotate.d/kimai_{{ kimai_id | string }}
+ tags: kimai
diff --git a/roles/kimai/tasks/directories.yml b/roles/kimai/tasks/directories.yml
new file mode 100644
index 0000000..1d779d4
--- /dev/null
+++ b/roles/kimai/tasks/directories.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Create directories
+ file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+ loop:
+ - dir: "{{ kimai_root_dir }}"
+ - dir: "{{ kimai_root_dir }}/app"
+ - dir: "{{ kimai_root_dir }}/tmp"
+ owner: "{{ kimai_php_user }}"
+ mode: 700
+ - dir: "{{ kimai_root_dir }}/sessions"
+ owner: "{{ kimai_php_user }}"
+ mode: 700
+ - dir: "{{ kimai_root_dir }}/meta"
+ mode: 700
+ - dir: "{{ kimai_root_dir }}/backup"
+ mode: 700
+ - dir: "{{ kimai_root_dir }}/data"
+ owner: "{{ kimai_php_user }}"
+ mode: 700
+ tags: kimai
diff --git a/roles/kimai/tasks/facts.yml b/roles/kimai/tasks/facts.yml
new file mode 100644
index 0000000..51c703e
--- /dev/null
+++ b/roles/kimai/tasks/facts.yml
@@ -0,0 +1,47 @@
+---
+
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+ - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+ tags: kimai
+
+# Detect installed version (if any)
+- block:
+ - import_tasks: ../includes/webapps_set_install_mode.yml
+ vars:
+ - root_dir: "{{ kimai_root_dir }}"
+ - version: "{{ kimai_version }}"
+ - set_fact: kimai_install_mode={{ (install_mode == 'upgrade' and not kimai_manage_upgrade) | ternary('none',install_mode) }}
+ - set_fact: kimai_current_version={{ current_version | default('') }}
+ tags: kimai
+
+# Create a random pass for the DB if needed
+- block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ kimai_root_dir }}/meta/ansible_dbpass"
+ - set_fact: kimai_db_pass={{ rand_pass }}
+ when: kimai_db_pass is not defined
+ tags: kimai
+
+# Create a random app secret if needed
+- block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ kimai_root_dir }}/meta/ansible_secret_key"
+ - set_fact: kimai_secret_key={{ rand_pass }}
+ when: kimai_secret_key is not defined
+ tags: kimai
+
+# Create a random admin pass if needed
+- block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ kimai_root_dir }}/meta/ansible_admin_pass"
+ - set_fact: kimai_admin_pass={{ rand_pass }}
+ when: kimai_admin_pass is not defined
+ tags: kimai
diff --git a/roles/kimai/tasks/install.yml b/roles/kimai/tasks/install.yml
new file mode 100644
index 0000000..fdb3e61
--- /dev/null
+++ b/roles/kimai/tasks/install.yml
@@ -0,0 +1,84 @@
+---
+
+- name: Install dependencies
+ package: name={{ kimai_packages }}
+ tags: kimai
+
+- when: kimai_install_mode != 'none'
+ block:
+ - name: Download kimai
+ get_url:
+ url: "{{ kimai_archive_url }}"
+ dest: "{{ kimai_root_dir }}/tmp"
+ checksum: sha256:{{ kimai_archive_sha256 }}
+ register: kimai_dl_archive
+ retries: 3
+ delay: 5
+ until: kimai_dl_archive is not failed
+
+ - name: Extract the archive
+ unarchive:
+ src: "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}.tar.gz"
+ dest: "{{ kimai_root_dir }}/tmp"
+ remote_src: True
+
+ - name: Move kimai to its final dir
+ synchronize:
+ src: "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}/"
+ dest: "{{ kimai_root_dir }}/app/"
+ delete: True
+ compress: False
+ rsync_opts:
+ - '--exclude=/var'
+ delegate_to: "{{ inventory_hostname }}"
+
+ - name: Populate data directories
+ synchronize:
+ src: "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}/var/"
+ dest: "{{ kimai_root_dir }}/data/"
+ compress: False
+ delegate_to: "{{ inventory_hostname }}"
+
+ - name: Link data directories
+ file: src={{ kimai_root_dir }}/data dest={{ kimai_root_dir }}/app/var state=link
+
+ - name: Install PHP libs with composer
+ composer:
+ command: install
+ working_dir: "{{ kimai_root_dir }}/app"
+ executable: /bin/php{{ kimai_php_version }}
+
+ - name: Install LDAP auth support
+ composer:
+ command: require
+ arguments: laminas/laminas-ldap
+ working_dir: "{{ kimai_root_dir }}/app"
+
+ environment:
+ php: /bin/php{{ kimai_php_version }}
+ tags: kimai
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+ vars:
+ - db_name: "{{ kimai_db_name }}"
+ - db_user: "{{ kimai_db_user }}"
+ - db_server: "{{ kimai_db_server }}"
+ - db_port: "{{ kimai_db_port }}"
+ - db_pass: "{{ kimai_db_pass }}"
+ tags: kimai
+
+- name: Set correct SELinux context
+ sefcontext:
+ target: "{{ kimai_root_dir }}(/.*)?"
+ setype: httpd_sys_content_t
+ state: present
+ when: ansible_selinux.status == 'enabled'
+ tags: kimai
+
+- name: Install pre/post backup hooks
+ template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/kimai_{{ kimai_id }} mode=700
+ loop:
+ - pre
+ - post
+ tags: kimai
+
diff --git a/roles/kimai/tasks/main.yml b/roles/kimai/tasks/main.yml
new file mode 100644
index 0000000..c87b01b
--- /dev/null
+++ b/roles/kimai/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+ when: kimai_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: write_version.yml
+- include: archive_post.yml
+ when: kimai_install_mode == 'upgrade'
+- include: cleanup.yml
diff --git a/roles/kimai/tasks/user.yml b/roles/kimai/tasks/user.yml
new file mode 100644
index 0000000..63da7cc
--- /dev/null
+++ b/roles/kimai/tasks/user.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Create system user account
+ user:
+ name: "{{ kimai_php_user }}"
+ comment: "PHP FPM for kimai {{ kimai_id }}"
+ system: True
+ shell: /sbin/nologin
+ home: "{{ kimai_root_dir }}"
+ tags: kimai
diff --git a/roles/kimai/tasks/write_version.yml b/roles/kimai/tasks/write_version.yml
new file mode 100644
index 0000000..ccfc3cc
--- /dev/null
+++ b/roles/kimai/tasks/write_version.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Write current version
+ copy: content={{ kimai_version }} dest={{ kimai_root_dir }}/meta/ansible_version
+ tags: kimai
diff --git a/roles/kimai/templates/env.j2 b/roles/kimai/templates/env.j2
new file mode 100644
index 0000000..28f057e
--- /dev/null
+++ b/roles/kimai/templates/env.j2
@@ -0,0 +1,10 @@
+# for MySQL "serverVersion=5.7" and for MariaDB "serverVersion=mariadb-10.5.8"
+DATABASE_URL=mysql://{{ kimai_db_user }}:{{ kimai_db_pass | urlencode | regex_replace('/','%2F') }}@{{ kimai_db_server }}:{{ kimai_db_port }}/{{ kimai_db_name }}?charset=utf8&serverVersion=mariadb-10.5.8
+MAILER_FROM=kimai-no-replay@{{ ansible_domain }}
+MAILER_URL=smtp://localhost:25?encryption=&auth_mode=
+APP_ENV=prod
+APP_SECRET={{ kimai_secret_key }}
+CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$
+{% if kimai_src_ip is defined and kimai_src_ip | length > 0 %}
+TRUSTED_PROXIES={{ kimai_src_ip | join(',') }}
+{% endif %}
diff --git a/roles/kimai/templates/httpd.conf.j2 b/roles/kimai/templates/httpd.conf.j2
new file mode 100644
index 0000000..2a7f4d3
--- /dev/null
+++ b/roles/kimai/templates/httpd.conf.j2
@@ -0,0 +1,31 @@
+{% if kimai_web_alias is defined and kimai_web_alias != False %}
+Alias /{{ kimai_web_alias | regex_replace('^/','') }} {{ kimai_root_dir }}/app/public
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+
+ AllowOverride All
+ Options FollowSymLinks
+{% if kimai_src_ip is defined and kimai_src_ip | length > 0 %}
+ Require ip {{ kimai_src_ip | join(' ') }}
+{% else %}
+ Require all granted
+{% endif %}
+
+ SetHandler "proxy:unix:/run/php-fpm/{{ kimai_php_fpm_pool | default('kimai_' + kimai_id | string) }}.sock|fcgi://localhost"
+
+
+ RewriteEngine On
+
+ FallbackResource /index.php
+
+
+ Require all denied
+
+
+
+
+
+ FallbackResource disabled
+
diff --git a/roles/kimai/templates/local.yaml.j2 b/roles/kimai/templates/local.yaml.j2
new file mode 100644
index 0000000..6e91900
--- /dev/null
+++ b/roles/kimai/templates/local.yaml.j2
@@ -0,0 +1 @@
+{{ kimai_settings | to_nice_yaml(indent=4) }}
diff --git a/roles/kimai/templates/logrotate.conf.j2 b/roles/kimai/templates/logrotate.conf.j2
new file mode 100644
index 0000000..cfc6dd3
--- /dev/null
+++ b/roles/kimai/templates/logrotate.conf.j2
@@ -0,0 +1,7 @@
+{{ kimai_root_dir }}/data/log/*.log {
+ daily
+ rotate 90
+ compress
+ missingok
+ su {{ kimai_php_user }} {{ kimai_php_user }}
+}
diff --git a/roles/kimai/templates/perms.sh.j2 b/roles/kimai/templates/perms.sh.j2
new file mode 100644
index 0000000..9aef581
--- /dev/null
+++ b/roles/kimai/templates/perms.sh.j2
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -eo pipefail
+
+restorecon -R {{ kimai_root_dir }}
+chown root:root {{ kimai_root_dir }}
+chown -R root:root {{ kimai_root_dir }}/app/
+chmod 755 {{ kimai_root_dir }}
+setfacl -R -k -b {{ kimai_root_dir }}
+setfacl -m u:{{ kimai_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:x {{ kimai_root_dir }}
+find {{ kimai_root_dir }}/app -type f -exec chmod 644 "{}" \; -type d -exec chmod 755 "{}" \;
+chown root:{{ kimai_php_user }} {{ kimai_root_dir }}/app/.env {{ kimai_root_dir }}/app/config/packages/local.yaml
+chmod 640 {{ kimai_root_dir }}/app/.env {{ kimai_root_dir }}/app/config/packages/local.yaml
+chown -R {{ kimai_php_user }} {{ kimai_root_dir }}/data
+chmod 700 {{ kimai_root_dir }}/data
+setfacl -R -m u:{{ httpd_user | default('apache') }}:rX {{ kimai_root_dir }}/app/public
+find {{ kimai_root_dir }} -name .htaccess -exec chmod 644 "{}" \;
+
diff --git a/roles/kimai/templates/php.conf.j2 b/roles/kimai/templates/php.conf.j2
new file mode 100644
index 0000000..f47944e
--- /dev/null
+++ b/roles/kimai/templates/php.conf.j2
@@ -0,0 +1,35 @@
+[kimai_{{ kimai_id }}]
+
+listen.owner = root
+listen.group = apache
+listen.mode = 0660
+listen = /run/php-fpm/kimai_{{ kimai_id }}.sock
+user = {{ kimai_php_user }}
+group = {{ kimai_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 5m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 256M
+php_admin_value[session.save_path] = {{ kimai_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ kimai_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ kimai_root_dir }}/tmp
+php_admin_value[post_max_size] = 100M
+php_admin_value[upload_max_filesize] = 100M
+php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ kimai_root_dir }}:/usr/share/pear/:/usr/share/php/
+php_admin_value[max_execution_time] = 60
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = off
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on
diff --git a/roles/kimai/templates/post-backup.j2 b/roles/kimai/templates/post-backup.j2
new file mode 100644
index 0000000..62cfeb2
--- /dev/null
+++ b/roles/kimai/templates/post-backup.j2
@@ -0,0 +1,4 @@
+#!/bin/bash -e
+
+rm -f {{ kimai_root_dir }}/backup/*.sql.zst
+
diff --git a/roles/kimai/templates/pre-backup.j2 b/roles/kimai/templates/pre-backup.j2
new file mode 100644
index 0000000..4d270be
--- /dev/null
+++ b/roles/kimai/templates/pre-backup.j2
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -eo pipefail
+
+/usr/bin/mysqldump \
+{% if kimai_db_server not in ['localhost','127.0.0.1'] %}
+ --user={{ kimai_db_user | quote }} \
+ --password={{ kimai_db_pass | quote }} \
+ --host={{ kimai_db_server | quote }} \
+ --port={{ kimai_db_port | quote }} \
+{% endif %}
+ --quick --single-transaction \
+ --add-drop-table {{ kimai_db_name | quote }} | zstd -c > {{ kimai_root_dir }}/backup/{{ kimai_db_name }}.sql.zst
+
diff --git a/roles/kimai/vars/RedHat-8.yml b/roles/kimai/vars/RedHat-8.yml
new file mode 100644
index 0000000..70e647e
--- /dev/null
+++ b/roles/kimai/vars/RedHat-8.yml
@@ -0,0 +1,9 @@
+---
+
+kimai_packages:
+ - mariadb
+ - tar
+ - rsync
+ - acl
+ - zstd
+ - git