From 90522fe409f5b2976dcf850fc7dca63947b7c285 Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Tue, 15 Feb 2022 16:00:13 +0100 Subject: [PATCH] Update to 2022-02-15 16:00 --- roles/kimai/defaults/main.yml | 87 +++++++++++++++++++++++++ roles/kimai/handlers/main.yml | 5 ++ roles/kimai/meta/main.yml | 9 +++ roles/kimai/tasks/archive_post.yml | 10 +++ roles/kimai/tasks/archive_pre.yml | 34 ++++++++++ roles/kimai/tasks/cleanup.yml | 9 +++ roles/kimai/tasks/conf.yml | 56 ++++++++++++++++ roles/kimai/tasks/directories.yml | 21 ++++++ roles/kimai/tasks/facts.yml | 47 +++++++++++++ roles/kimai/tasks/install.yml | 84 ++++++++++++++++++++++++ roles/kimai/tasks/main.yml | 13 ++++ roles/kimai/tasks/user.yml | 10 +++ roles/kimai/tasks/write_version.yml | 5 ++ roles/kimai/templates/env.j2 | 10 +++ roles/kimai/templates/httpd.conf.j2 | 31 +++++++++ roles/kimai/templates/local.yaml.j2 | 1 + roles/kimai/templates/logrotate.conf.j2 | 7 ++ roles/kimai/templates/perms.sh.j2 | 18 +++++ roles/kimai/templates/php.conf.j2 | 35 ++++++++++ roles/kimai/templates/post-backup.j2 | 4 ++ roles/kimai/templates/pre-backup.j2 | 13 ++++ roles/kimai/vars/RedHat-8.yml | 9 +++ 22 files changed, 518 insertions(+) create mode 100644 roles/kimai/defaults/main.yml create mode 100644 roles/kimai/handlers/main.yml create mode 100644 roles/kimai/meta/main.yml create mode 100644 roles/kimai/tasks/archive_post.yml create mode 100644 roles/kimai/tasks/archive_pre.yml create mode 100644 roles/kimai/tasks/cleanup.yml create mode 100644 roles/kimai/tasks/conf.yml create mode 100644 roles/kimai/tasks/directories.yml create mode 100644 roles/kimai/tasks/facts.yml create mode 100644 roles/kimai/tasks/install.yml create mode 100644 roles/kimai/tasks/main.yml create mode 100644 roles/kimai/tasks/user.yml create mode 100644 roles/kimai/tasks/write_version.yml create mode 100644 roles/kimai/templates/env.j2 create mode 100644 roles/kimai/templates/httpd.conf.j2 create mode 100644 roles/kimai/templates/local.yaml.j2 create mode 100644 roles/kimai/templates/logrotate.conf.j2 create mode 100644 roles/kimai/templates/perms.sh.j2 create mode 100644 roles/kimai/templates/php.conf.j2 create mode 100644 roles/kimai/templates/post-backup.j2 create mode 100644 roles/kimai/templates/pre-backup.j2 create mode 100644 roles/kimai/vars/RedHat-8.yml diff --git a/roles/kimai/defaults/main.yml b/roles/kimai/defaults/main.yml new file mode 100644 index 0000000..01667e8 --- /dev/null +++ b/roles/kimai/defaults/main.yml @@ -0,0 +1,87 @@ +--- + +# You can install several kimai instances on the same host +# just make sure to set a different instance id for each +# You can set it to a number or a simple string (no special chars) +kimai_id: 1 +# Kimai version to deploy +kimai_version: 1.17.1 + +# URL of the archive +kimai_archive_url: https://github.com/kevinpapst/kimai2/archive/refs/tags/{{ kimai_version }}.tar.gz +# Expected sha256 of the archive +kimai_archive_sha256: ceff0573591d2e5c70a679301caabe626d8545af5e987443c8155f633babcd0e + +# Directory where kimai will be installed +kimai_root_dir: /opt/kimai_{{ kimai_id }} +# Should ansible handle upgrades or only initial install +kimai_manage_upgrade: True + +# User under which PHP will run +# Will be created +kimai_php_user: php-kimai_{{ kimai_id }} +# PHP version under which kimai will run +kimai_php_version: 81 +# Or you can specify here the name of a custom PHP FPM pool. See the httpd_php role +# bookstack_php_fpm_pool: custom_kimai + +# If you want to configure the access to kimai on your main vhost +# kimai_web_alias: /kimai +# If not set, you'll need to create a dedicated vhost (see httpd_common role) +kimai_web_alias: False +kimai_public_url: http://{{ inventory_hostname }} +# If you set kimai_src_ip, it'll be considered a list of trusted proxies +kimai_src_ip: [] + +# An app specific secret. If not defined, a random one will be created and stored under {{ kimai_root_dir }}/meta/ansible_secret_key +# kimai_secret_key: S3cr3t. + +# Database settings +kimai_db_server: "{{ mysql_server | default('localhost') }}" +kimai_db_port: 3306 +kimai_db_name: kimai_{{ kimai_id }} +kimai_db_user: kimai_{{ kimai_id }} +# If the pass is not set, a random one will be created and store in {{ kimai_root_dir }}/meta/ansible_dbpass +# kimai_db_pass: S3cr3t. + +# A default admin user will be created during installation +# If its password isn't set, a random one will be configured and stored in {{ kimai_root_dir }}/meta/ansible_admin_pass +# Note that this user is only created on first installed, and will not be checked or created again on next runs +kimai_admin_user: admin@{{ ansible_domain }} +# kimai_admin_pass÷ S3cr3t. + +# Custom configuration. Will be loaded in {{ kimai_root_dir }}/app/config/packages/local.yaml +kimai_base_settings: + kimai: +# Better to override kimai_extra_settings so future defaults will be merged with your custom settings. +# For example, to set SAML auth (example working with Lemonldap::NG as SAML idp +# kimai_extra_settings: +# kimai: +# saml: +# activate: true +# title: 'SSO' +# mapping: +# - { saml: $mail, kimai: email } +# - { saml: $principal, kimai: username } +# - { saml: $cn, kimai: alias } +# roles: +# attribute: groups +# mapping: +# - { saml: Role_Infra_Admin, kimai: ROLE_ADMIN } +# - { saml: Projet, kimai: ROLE_TEAMLEAD } +# connection: +# idp: +# entityId: 'https://sso.example.org/saml/metadata' +# singleSignOnService: +# url: 'https://sso.example.org/saml/singleSignOn' +# x509cert: 'MIICsDCCAZigAwIBAgIEAE11GTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQBDA9zc28ubGFwaW9sZS5vcmcwHhcNMjEwMzE1MTExMzMyWhcNNDEwMzEwMTExMzMyWjAaMRgwFgYDVQQDDA9zc28ubGFwaW9sZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+sPo4pned1vg9IoHVhHoPVeWEKOsYet1NL9eZu5mBI1gg6J+ffiv0Exy+FuISdaRoqPijeUX32TZlgk8cIleANH/Q+FFdsVdqBtpo4Oh5kozT+Ztr6UFcc6rRVOlmFnp4J3A3xUnumBABAeCKu6htA6oxe1NUh+wEs38BakMHlrSThJRODtZPo7jTcI9ZXHRnTpo2CQU5KxIXw2aHo6mmVH6/BGkU8m0OoRAfqJe9zLDnUYOP6cJckEwED6IcaXF1eXdXIRhhBn7Awmob/xoOYh+TzrY3OCLRQ/LZ3zvv0sTi8k4RU2ne3Bi54aVOEXYo4X45vEDt8akzDYjhyrNVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAG5G/Zp4g+0znft8mB42XYRxHqT1DCCdgkWL8j6JgVixQO8IP+yDFcHi+DUwhC1YfMqtlfD1V/kr9t/QA38v7PsZz7N6mCmwQv2LIbHMsfq7bF7NGQl//50cPmKRfuJgMc7Qh479XKJKUkdo4q5xLMlJGI+hnou3Wi2dcMLgp042Ws+ZOTUaRVOZJ2NGeNJ/18z6kME0MNNL/ytp0bP+2lbAPUNyDmVDDxDa7/Xz87onfQpzs8rNyO2QpCHjVNyRFpdzb2K4j9IUCqKWl8NTVnCx0hAgspOKAIXKsy8UUR4FOyypmIHU4Z1gU7US2KRrCnnmC1U0ogUZC4FXzNfLetA=' +# sp: +# entityId: 'https://temps.example.org/auth/saml/metadata' +# assertionConsumerService: +# url: 'https://temps.example.org/auth/saml/acs' +# baseurl: https://temps.example.org/auth/saml +# strict: true +# debug: true + +kimai_extra_settings: {} +kimai_settings: "{{ kimai_base_settings | combine(kimai_extra_settings, recursive=True) }}" diff --git a/roles/kimai/handlers/main.yml b/roles/kimai/handlers/main.yml new file mode 100644 index 0000000..b5a2f8e --- /dev/null +++ b/roles/kimai/handlers/main.yml @@ -0,0 +1,5 @@ +--- + +- name: clear kimai cache + command: /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:reload --env=prod + become_user: "{{ kimai_php_user }}" diff --git a/roles/kimai/meta/main.yml b/roles/kimai/meta/main.yml new file mode 100644 index 0000000..c58735b --- /dev/null +++ b/roles/kimai/meta/main.yml @@ -0,0 +1,9 @@ +--- + +allow_duplicates: True +dependencies: + - role: mkdir + - role: httpd_php + - role: mysql_server + when: kimai_db_server in ['localhost', '127.0.0.1'] + - role: composer diff --git a/roles/kimai/tasks/archive_post.yml b/roles/kimai/tasks/archive_post.yml new file mode 100644 index 0000000..02ca509 --- /dev/null +++ b/roles/kimai/tasks/archive_post.yml @@ -0,0 +1,10 @@ +--- + +- name: Compress previous version + command: tar cf {{ kimai_root_dir }}/archives/{{ kimai_current_version }}.tar.zst ./ --use-compress-program=zstd + args: + chdir: "{{ kimai_root_dir }}/archives/{{ kimai_current_version }}" + warn: False + environment: + ZSTD_CLEVEL: 10 + tags: kimai diff --git a/roles/kimai/tasks/archive_pre.yml b/roles/kimai/tasks/archive_pre.yml new file mode 100644 index 0000000..a593a12 --- /dev/null +++ b/roles/kimai/tasks/archive_pre.yml @@ -0,0 +1,34 @@ +--- + +- name: Create the archive dir + file: path={{ kimai_root_dir }}/archives/{{ kimai_current_version }} state=directory + tags: kimai + +- name: Archive current version + synchronize: + src: "{{ kimai_root_dir }}/app" + dest: "{{ kimai_root_dir }}/archives/{{ kimai_current_version }}/" + compress: False + delete: True + delegate_to: "{{ inventory_hostname }}" + tags: kimai + +- name: Install mariadb client + package: + name: + - mariadb + tags: kimai + +- name: Dump the database + mysql_db: + state: dump + name: "{{ kimai_db_name }}" + target: "{{ kimai_root_dir }}/archives/{{ kimai_current_version }}/{{ kimai_db_name }}.sql.xz" + login_host: "{{ kimai_db_server }}" + login_user: "{{ kimai_db_user }}" + login_password: "{{ kimai_db_pass }}" + quick: True + single_transaction: True + environment: + XZ_OPT: -T0 + tags: kimai diff --git a/roles/kimai/tasks/cleanup.yml b/roles/kimai/tasks/cleanup.yml new file mode 100644 index 0000000..cbff514 --- /dev/null +++ b/roles/kimai/tasks/cleanup.yml @@ -0,0 +1,9 @@ +--- + +- name: Remove tmp and obsolete files + file: path={{ item }} state=absent + loop: + - "{{ kimai_root_dir }}/archives/{{ kimai_current_version }}" + - "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}" + - "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}.tar.gz" + tags: kimai diff --git a/roles/kimai/tasks/conf.yml b/roles/kimai/tasks/conf.yml new file mode 100644 index 0000000..3f05e39 --- /dev/null +++ b/roles/kimai/tasks/conf.yml @@ -0,0 +1,56 @@ +--- + +- import_tasks: ../includes/webapps_webconf.yml + vars: + - app_id: kimai_{{ kimai_id }} + - php_version: "{{ kimai_php_version }}" + - php_fpm_pool: "{{ kimai_php_fpm_pool | default('') }}" + tags: kimai + +- name: Deploy kimai configuration + template: src={{ item.src }} dest={{ item.dest }} group={{ kimai_php_user }} mode=640 + loop: + - src: env.j2 + dest: "{{ kimai_root_dir }}/app/.env" + - src: local.yaml.j2 + dest: "{{ kimai_root_dir }}/app/config/packages/local.yaml" + notify: clear kimai cache + tags: kimai + +- name: Deploy permission script + template: src=perms.sh.j2 dest={{ kimai_root_dir }}/perms.sh mode=755 + register: kimai_perm_script + tags: kimai + +- name: Apply permissions + command: "{{ kimai_root_dir }}/perms.sh" + when: kimai_perm_script.changed or kimai_install_mode != 'none' + tags: kimai + +- when: kimai_install_mode == 'install' + block: + + - name: Init the database + command: /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:install -n + + - name: Create initial admin user + shell: echo {{ kimai_admin_pass | quote }} | /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:user:create username {{ kimai_admin_user | quote }} ROLE_SUPER_ADMIN + + become_user: "{{ kimai_php_user }}" + tags: kimai + +- when: kimai_install_mode == 'upgrade' + block: + + - name: Update the database + command: /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:update -n + + - name: Clear kimai cache + command: /bin/php{{ kimai_php_version }} {{ kimai_root_dir }}/app/bin/console kimai:reload --env=prod + + become_user: "{{ kimai_php_user }}" + tags: kimai + +- name: Setup logrotate + template: src=logrotate.conf.j2 dest=/etc/logrotate.d/kimai_{{ kimai_id | string }} + tags: kimai diff --git a/roles/kimai/tasks/directories.yml b/roles/kimai/tasks/directories.yml new file mode 100644 index 0000000..1d779d4 --- /dev/null +++ b/roles/kimai/tasks/directories.yml @@ -0,0 +1,21 @@ +--- + +- name: Create directories + file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} + loop: + - dir: "{{ kimai_root_dir }}" + - dir: "{{ kimai_root_dir }}/app" + - dir: "{{ kimai_root_dir }}/tmp" + owner: "{{ kimai_php_user }}" + mode: 700 + - dir: "{{ kimai_root_dir }}/sessions" + owner: "{{ kimai_php_user }}" + mode: 700 + - dir: "{{ kimai_root_dir }}/meta" + mode: 700 + - dir: "{{ kimai_root_dir }}/backup" + mode: 700 + - dir: "{{ kimai_root_dir }}/data" + owner: "{{ kimai_php_user }}" + mode: 700 + tags: kimai diff --git a/roles/kimai/tasks/facts.yml b/roles/kimai/tasks/facts.yml new file mode 100644 index 0000000..51c703e --- /dev/null +++ b/roles/kimai/tasks/facts.yml @@ -0,0 +1,47 @@ +--- + +# Load distribution specific variables +- include_vars: "{{ item }}" + with_first_found: + - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ role_path }}/vars/{{ ansible_distribution }}.yml" + - "{{ role_path }}/vars/{{ ansible_os_family }}.yml" + tags: kimai + +# Detect installed version (if any) +- block: + - import_tasks: ../includes/webapps_set_install_mode.yml + vars: + - root_dir: "{{ kimai_root_dir }}" + - version: "{{ kimai_version }}" + - set_fact: kimai_install_mode={{ (install_mode == 'upgrade' and not kimai_manage_upgrade) | ternary('none',install_mode) }} + - set_fact: kimai_current_version={{ current_version | default('') }} + tags: kimai + +# Create a random pass for the DB if needed +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ kimai_root_dir }}/meta/ansible_dbpass" + - set_fact: kimai_db_pass={{ rand_pass }} + when: kimai_db_pass is not defined + tags: kimai + +# Create a random app secret if needed +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ kimai_root_dir }}/meta/ansible_secret_key" + - set_fact: kimai_secret_key={{ rand_pass }} + when: kimai_secret_key is not defined + tags: kimai + +# Create a random admin pass if needed +- block: + - import_tasks: ../includes/get_rand_pass.yml + vars: + - pass_file: "{{ kimai_root_dir }}/meta/ansible_admin_pass" + - set_fact: kimai_admin_pass={{ rand_pass }} + when: kimai_admin_pass is not defined + tags: kimai diff --git a/roles/kimai/tasks/install.yml b/roles/kimai/tasks/install.yml new file mode 100644 index 0000000..fdb3e61 --- /dev/null +++ b/roles/kimai/tasks/install.yml @@ -0,0 +1,84 @@ +--- + +- name: Install dependencies + package: name={{ kimai_packages }} + tags: kimai + +- when: kimai_install_mode != 'none' + block: + - name: Download kimai + get_url: + url: "{{ kimai_archive_url }}" + dest: "{{ kimai_root_dir }}/tmp" + checksum: sha256:{{ kimai_archive_sha256 }} + register: kimai_dl_archive + retries: 3 + delay: 5 + until: kimai_dl_archive is not failed + + - name: Extract the archive + unarchive: + src: "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}.tar.gz" + dest: "{{ kimai_root_dir }}/tmp" + remote_src: True + + - name: Move kimai to its final dir + synchronize: + src: "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}/" + dest: "{{ kimai_root_dir }}/app/" + delete: True + compress: False + rsync_opts: + - '--exclude=/var' + delegate_to: "{{ inventory_hostname }}" + + - name: Populate data directories + synchronize: + src: "{{ kimai_root_dir }}/tmp/kimai2-{{ kimai_version }}/var/" + dest: "{{ kimai_root_dir }}/data/" + compress: False + delegate_to: "{{ inventory_hostname }}" + + - name: Link data directories + file: src={{ kimai_root_dir }}/data dest={{ kimai_root_dir }}/app/var state=link + + - name: Install PHP libs with composer + composer: + command: install + working_dir: "{{ kimai_root_dir }}/app" + executable: /bin/php{{ kimai_php_version }} + + - name: Install LDAP auth support + composer: + command: require + arguments: laminas/laminas-ldap + working_dir: "{{ kimai_root_dir }}/app" + + environment: + php: /bin/php{{ kimai_php_version }} + tags: kimai + +- import_tasks: ../includes/webapps_create_mysql_db.yml + vars: + - db_name: "{{ kimai_db_name }}" + - db_user: "{{ kimai_db_user }}" + - db_server: "{{ kimai_db_server }}" + - db_port: "{{ kimai_db_port }}" + - db_pass: "{{ kimai_db_pass }}" + tags: kimai + +- name: Set correct SELinux context + sefcontext: + target: "{{ kimai_root_dir }}(/.*)?" + setype: httpd_sys_content_t + state: present + when: ansible_selinux.status == 'enabled' + tags: kimai + +- name: Install pre/post backup hooks + template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/kimai_{{ kimai_id }} mode=700 + loop: + - pre + - post + tags: kimai + diff --git a/roles/kimai/tasks/main.yml b/roles/kimai/tasks/main.yml new file mode 100644 index 0000000..c87b01b --- /dev/null +++ b/roles/kimai/tasks/main.yml @@ -0,0 +1,13 @@ +--- + +- include: user.yml +- include: directories.yml +- include: facts.yml +- include: archive_pre.yml + when: kimai_install_mode == 'upgrade' +- include: install.yml +- include: conf.yml +- include: write_version.yml +- include: archive_post.yml + when: kimai_install_mode == 'upgrade' +- include: cleanup.yml diff --git a/roles/kimai/tasks/user.yml b/roles/kimai/tasks/user.yml new file mode 100644 index 0000000..63da7cc --- /dev/null +++ b/roles/kimai/tasks/user.yml @@ -0,0 +1,10 @@ +--- + +- name: Create system user account + user: + name: "{{ kimai_php_user }}" + comment: "PHP FPM for kimai {{ kimai_id }}" + system: True + shell: /sbin/nologin + home: "{{ kimai_root_dir }}" + tags: kimai diff --git a/roles/kimai/tasks/write_version.yml b/roles/kimai/tasks/write_version.yml new file mode 100644 index 0000000..ccfc3cc --- /dev/null +++ b/roles/kimai/tasks/write_version.yml @@ -0,0 +1,5 @@ +--- + +- name: Write current version + copy: content={{ kimai_version }} dest={{ kimai_root_dir }}/meta/ansible_version + tags: kimai diff --git a/roles/kimai/templates/env.j2 b/roles/kimai/templates/env.j2 new file mode 100644 index 0000000..28f057e --- /dev/null +++ b/roles/kimai/templates/env.j2 @@ -0,0 +1,10 @@ +# for MySQL "serverVersion=5.7" and for MariaDB "serverVersion=mariadb-10.5.8" +DATABASE_URL=mysql://{{ kimai_db_user }}:{{ kimai_db_pass | urlencode | regex_replace('/','%2F') }}@{{ kimai_db_server }}:{{ kimai_db_port }}/{{ kimai_db_name }}?charset=utf8&serverVersion=mariadb-10.5.8 +MAILER_FROM=kimai-no-replay@{{ ansible_domain }} +MAILER_URL=smtp://localhost:25?encryption=&auth_mode= +APP_ENV=prod +APP_SECRET={{ kimai_secret_key }} +CORS_ALLOW_ORIGIN=^https?://localhost(:[0-9]+)?$ +{% if kimai_src_ip is defined and kimai_src_ip | length > 0 %} +TRUSTED_PROXIES={{ kimai_src_ip | join(',') }} +{% endif %} diff --git a/roles/kimai/templates/httpd.conf.j2 b/roles/kimai/templates/httpd.conf.j2 new file mode 100644 index 0000000..2a7f4d3 --- /dev/null +++ b/roles/kimai/templates/httpd.conf.j2 @@ -0,0 +1,31 @@ +{% if kimai_web_alias is defined and kimai_web_alias != False %} +Alias /{{ kimai_web_alias | regex_replace('^/','') }} {{ kimai_root_dir }}/app/public +{% else %} +# No alias defined, create a vhost to access it +{% endif %} + + + AllowOverride All + Options FollowSymLinks +{% if kimai_src_ip is defined and kimai_src_ip | length > 0 %} + Require ip {{ kimai_src_ip | join(' ') }} +{% else %} + Require all granted +{% endif %} + + SetHandler "proxy:unix:/run/php-fpm/{{ kimai_php_fpm_pool | default('kimai_' + kimai_id | string) }}.sock|fcgi://localhost" + + + RewriteEngine On + + FallbackResource /index.php + + + Require all denied + + + + + + FallbackResource disabled + diff --git a/roles/kimai/templates/local.yaml.j2 b/roles/kimai/templates/local.yaml.j2 new file mode 100644 index 0000000..6e91900 --- /dev/null +++ b/roles/kimai/templates/local.yaml.j2 @@ -0,0 +1 @@ +{{ kimai_settings | to_nice_yaml(indent=4) }} diff --git a/roles/kimai/templates/logrotate.conf.j2 b/roles/kimai/templates/logrotate.conf.j2 new file mode 100644 index 0000000..cfc6dd3 --- /dev/null +++ b/roles/kimai/templates/logrotate.conf.j2 @@ -0,0 +1,7 @@ +{{ kimai_root_dir }}/data/log/*.log { + daily + rotate 90 + compress + missingok + su {{ kimai_php_user }} {{ kimai_php_user }} +} diff --git a/roles/kimai/templates/perms.sh.j2 b/roles/kimai/templates/perms.sh.j2 new file mode 100644 index 0000000..9aef581 --- /dev/null +++ b/roles/kimai/templates/perms.sh.j2 @@ -0,0 +1,18 @@ +#!/bin/bash + +set -eo pipefail + +restorecon -R {{ kimai_root_dir }} +chown root:root {{ kimai_root_dir }} +chown -R root:root {{ kimai_root_dir }}/app/ +chmod 755 {{ kimai_root_dir }} +setfacl -R -k -b {{ kimai_root_dir }} +setfacl -m u:{{ kimai_php_user | default('apache') }}:rx,u:{{ httpd_user | default('apache') }}:x {{ kimai_root_dir }} +find {{ kimai_root_dir }}/app -type f -exec chmod 644 "{}" \; -type d -exec chmod 755 "{}" \; +chown root:{{ kimai_php_user }} {{ kimai_root_dir }}/app/.env {{ kimai_root_dir }}/app/config/packages/local.yaml +chmod 640 {{ kimai_root_dir }}/app/.env {{ kimai_root_dir }}/app/config/packages/local.yaml +chown -R {{ kimai_php_user }} {{ kimai_root_dir }}/data +chmod 700 {{ kimai_root_dir }}/data +setfacl -R -m u:{{ httpd_user | default('apache') }}:rX {{ kimai_root_dir }}/app/public +find {{ kimai_root_dir }} -name .htaccess -exec chmod 644 "{}" \; + diff --git a/roles/kimai/templates/php.conf.j2 b/roles/kimai/templates/php.conf.j2 new file mode 100644 index 0000000..f47944e --- /dev/null +++ b/roles/kimai/templates/php.conf.j2 @@ -0,0 +1,35 @@ +[kimai_{{ kimai_id }}] + +listen.owner = root +listen.group = apache +listen.mode = 0660 +listen = /run/php-fpm/kimai_{{ kimai_id }}.sock +user = {{ kimai_php_user }} +group = {{ kimai_php_user }} +catch_workers_output = yes + +pm = dynamic +pm.max_children = 15 +pm.start_servers = 3 +pm.min_spare_servers = 3 +pm.max_spare_servers = 6 +pm.max_requests = 5000 +request_terminate_timeout = 5m + +php_flag[display_errors] = off +php_admin_flag[log_errors] = on +php_admin_value[error_log] = syslog +php_admin_value[memory_limit] = 256M +php_admin_value[session.save_path] = {{ kimai_root_dir }}/sessions +php_admin_value[upload_tmp_dir] = {{ kimai_root_dir }}/tmp +php_admin_value[sys_temp_dir] = {{ kimai_root_dir }}/tmp +php_admin_value[post_max_size] = 100M +php_admin_value[upload_max_filesize] = 100M +php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, escapeshellarg, escapeshellcmd +php_admin_value[open_basedir] = {{ kimai_root_dir }}:/usr/share/pear/:/usr/share/php/ +php_admin_value[max_execution_time] = 60 +php_admin_value[max_input_time] = 60 +php_admin_flag[allow_url_include] = off +php_admin_flag[allow_url_fopen] = off +php_admin_flag[file_uploads] = on +php_admin_flag[session.cookie_httponly] = on diff --git a/roles/kimai/templates/post-backup.j2 b/roles/kimai/templates/post-backup.j2 new file mode 100644 index 0000000..62cfeb2 --- /dev/null +++ b/roles/kimai/templates/post-backup.j2 @@ -0,0 +1,4 @@ +#!/bin/bash -e + +rm -f {{ kimai_root_dir }}/backup/*.sql.zst + diff --git a/roles/kimai/templates/pre-backup.j2 b/roles/kimai/templates/pre-backup.j2 new file mode 100644 index 0000000..4d270be --- /dev/null +++ b/roles/kimai/templates/pre-backup.j2 @@ -0,0 +1,13 @@ +#!/bin/sh +set -eo pipefail + +/usr/bin/mysqldump \ +{% if kimai_db_server not in ['localhost','127.0.0.1'] %} + --user={{ kimai_db_user | quote }} \ + --password={{ kimai_db_pass | quote }} \ + --host={{ kimai_db_server | quote }} \ + --port={{ kimai_db_port | quote }} \ +{% endif %} + --quick --single-transaction \ + --add-drop-table {{ kimai_db_name | quote }} | zstd -c > {{ kimai_root_dir }}/backup/{{ kimai_db_name }}.sql.zst + diff --git a/roles/kimai/vars/RedHat-8.yml b/roles/kimai/vars/RedHat-8.yml new file mode 100644 index 0000000..70e647e --- /dev/null +++ b/roles/kimai/vars/RedHat-8.yml @@ -0,0 +1,9 @@ +--- + +kimai_packages: + - mariadb + - tar + - rsync + - acl + - zstd + - git