diff --git a/roles/lemonldap_ng/defaults/main.yml b/roles/lemonldap_ng/defaults/main.yml index c135287..3e570f4 100644 --- a/roles/lemonldap_ng/defaults/main.yml +++ b/roles/lemonldap_ng/defaults/main.yml @@ -7,6 +7,11 @@ llng_manager: False # Either httpd or nginx llng_server: httpd +# When using nginx, you can choose between fastcgi or uwsgi +# uwsgi is faster but doesn't handle UTF-8 in the portal +# so default is fastcgi. This setting has not effet when llng_server == 'httpd' +llng_engine: fastcgi + llng_portal_vhost: auth.{{ ansible_domain }} llng_api_vhost: sso-api.{{ ansible_domain }} llng_manager_vhost: sso-manager.{{ ansible_domain }} @@ -62,5 +67,5 @@ llng_handler_db_user: lemonldapnghandler # llng_db_pass: s3cr3t. # llng_handler_db_pass -# Number of llng-fastcgi-server workers. The upstream default is 7 which is often too much -llng_fcgi_workers: 6 +# Number of llng-fastcgi-server or uwsgi workers. The upstream default is 7 but you might need to adjust to your load +llng_workers: 6 diff --git a/roles/lemonldap_ng/files/logos/element.png b/roles/lemonldap_ng/files/logos/element.png new file mode 100644 index 0000000..1580cc4 Binary files /dev/null and b/roles/lemonldap_ng/files/logos/element.png differ diff --git a/roles/lemonldap_ng/handlers/main.yml b/roles/lemonldap_ng/handlers/main.yml index 7c607bb..dd1d661 100644 --- a/roles/lemonldap_ng/handlers/main.yml +++ b/roles/lemonldap_ng/handlers/main.yml 
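Review bot: Renaming `llng_fcgi_workers` to `llng_workers` in the second hunk silently drops any inventory or group_vars override of the old name, so those hosts fall back to 6 workers without any warning. A compatible default keeps old overrides working: `llng_workers: "{{ llng_fcgi_workers | default(6) }}"`. The new comment above `llng_engine` also has a typo: `This setting has not effet when` should read `This setting has no effect when`.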
@@ -3,5 +3,8 @@ - include: ../httpd_common/handlers/main.yml - include: ../nginx/handlers/main.yml -- name: restart llng-fastcgi-server - service: name=llng-fastcgi-server state=restarted +- name: restart llng + service: name={{ (llng_server == 'nginx') | ternary((llng_engine == 'uwsgi') | ternary('llng-uwsgi', 'llng-fastcgi-server'), 'httpd') }} state=restarted + +- name: reload llng + service: name={{ (llng_server == 'nginx') | ternary((llng_engine == 'uwsgi') | ternary('llng-uwsgi', 'llng-fastcgi-server'), 'httpd') }} state={{ (llng_server == 'nginx' and llng_engine == 'uwsgi') | ternary('reloaded', 'restarted') }} diff --git a/roles/lemonldap_ng/tasks/main.yml b/roles/lemonldap_ng/tasks/main.yml index 423f9a7..b7d8388 100644 --- a/roles/lemonldap_ng/tasks/main.yml +++ b/roles/lemonldap_ng/tasks/main.yml @@ -45,7 +45,7 @@ - name: Deploy Lemonldap::NG main configuration template: src=lemonldap-ng.ini.j2 dest=/etc/lemonldap-ng/lemonldap-ng.ini group=apache mode=640 - notify: restart {{ (llng_server == 'nginx') | ternary('llng-fastcgi-server','httpd') }} + notify: "{{ (llng_server == 'nginx' and llng_engine == 'uwsgi') | ternary('reload', 'restart') }} {{ (llng_server == 'nginx') | ternary('llng', 'httpd') }}" tags: web - name: Deploy Lemonldap::NG migration configuration 
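Review bot: The service-selection expression `(llng_server == 'nginx') | ternary((llng_engine == 'uwsgi') | ternary('llng-uwsgi', 'llng-fastcgi-server'), 'httpd')` is written out in both handlers, and the engine test appears a third time in the `notify` of tasks/main.yml; one role variable such as `llng_service: "{{ (llng_server == 'nginx') | ternary((llng_engine == 'uwsgi') | ternary('llng-uwsgi', 'llng-fastcgi-server'), 'httpd') }}"` would reduce both handlers to `service: name={{ llng_service }} ...` and leave one place to keep the two unit names in sync. `reload llng` only reloads for nginx with uwsgi and restarts in the other two combinations, which the name does not convey; a comment above it would save the next reader a surprise, e.g. `# Only llng-uwsgi has ExecReload; fastcgi and httpd are restarted instead`.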
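Review bot: The new `notify` re-derives the reload-versus-restart choice that the `reload llng` handler already makes from `llng_engine`, so the two ternaries can collapse to `notify: "{{ (llng_server == 'nginx') | ternary('reload llng', 'restart httpd') }}"` with the same outcome in all three cases (for nginx with fastcgi, `reload llng` resolves to `state=restarted` in handlers/main.yml). This assumes the handlers from the same commit are in place; the task itself is shown in full in the hunk.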
@@ -120,26 +120,40 @@ when: llng_portal == True tags: web -- when: llng_server == 'nginx' - block: - - name: Deploy custom llng-fastcgi-server unit - template: src=llng-fastcgi-server.service.j2 dest=/etc/systemd/system/llng-fastcgi-server.service - notify: restart llng-fastcgi-server - register: llng_fastcgi_unit +- name: Deploy custom llng-fastcgi-server unit + template: src=llng-fastcgi-server.service.j2 dest=/etc/systemd/system/llng-fastcgi-server.service + notify: restart llng + register: llng_fastcgi_unit + tags: web - - name: Reload systemd - systemd: daemon_reload=True +- name: Deploy llng-fastcgi-server config + template: src=llng-fastcgi-server.j2 dest=/etc/default/llng-fastcgi-server + notify: restart llng + tags: web - - name: Deploy llng-fastcgi-server config - template: src=llng-fastcgi-server.j2 dest=/etc/default/llng-fastcgi-server - notify: restart llng-fastcgi-server +- name: Deploy llng-uwsgi unit + template: src=llng-uwsgi.service.j2 dest=/etc/systemd/system/llng-uwsgi.service + notify: restart llng + register: llng_uwsgi_unit + tags: web + +- name: Reload systemd + systemd: daemon_reload=True + when: llng_fastcgi_unit.changed or llng_uwsgi_unit.changed tags: web - name: Handle Fast CGI server service: name: llng-fastcgi-server - state: "{{ (llng_server == 'nginx') | ternary('started','stopped') }}" - enabled: "{{ (llng_server == 'nginx') | ternary(True,False) }}" + state: "{{ (llng_server == 'nginx' and llng_engine == 'fastcgi') | ternary('started', 'stopped') }}" + enabled: "{{ (llng_server == 'nginx' and llng_engine == 'fastcgi') | ternary(True, False) }}" + tags: web + +- name: Handle uWSGI server + service: + name: llng-uwsgi + state: "{{ (llng_server == 'nginx' and llng_engine == 'uwsgi') | ternary('started', 'stopped') }}" + enabled: "{{ (llng_server == 'nginx' and llng_engine == 'uwsgi') | ternary(True, False) }}" tags: web - name: Set correct SELinux context for Lemonldap::NG files 
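Review bot: The three `Deploy ...` template tasks lost the old `when: llng_server == 'nginx'` block guard, so on an httpd host both unit files are still written and every change to them notifies `restart llng`, which the new handler resolves to a restart of httpd — a frontend restart caused by an unused uwsgi unit file. Restoring `when: llng_server == 'nginx'` on the three template tasks keeps the rest working, since a skipped task still registers `changed: false` and the `Reload systemd` condition `llng_fastcgi_unit.changed or llng_uwsgi_unit.changed` stays defined. If deploying the units on httpd hosts is intended (to make switching servers cheap), say so in a comment above the first task and drop the `notify` for that case instead.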
diff --git a/roles/lemonldap_ng/templates/llng-fastcgi-server.j2 b/roles/lemonldap_ng/templates/llng-fastcgi-server.j2 index de47cd6..831d371 100644 --- a/roles/lemonldap_ng/templates/llng-fastcgi-server.j2 +++ b/roles/lemonldap_ng/templates/llng-fastcgi-server.j2 @@ -1,6 +1,6 @@ USER=apache GROUP=apache -NPROC={{ llng_fcgi_workers }} +NPROC={{ llng_workers }} SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid PERL_LWP_ENV_PROXY={{ llng_reload_use_proxy | ternary('1','0') }} diff --git a/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2 b/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2 index d569f16..2a2fdf0 100644 --- a/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2 +++ b/roles/lemonldap_ng/templates/llng-fastcgi-server.service.j2 @@ -15,7 +15,7 @@ PrivateDevices=yes ProtectSystem=full ProtectHome=yes NoNewPrivileges=yes -MemoryLimit={{ llng_fcgi_workers * 250 }}M +MemoryLimit={{ llng_workers * 250 }}M Restart=on-failure StartLimitInterval=0 RestartSec=1 diff --git a/roles/lemonldap_ng/templates/llng-uwsgi.service.j2 b/roles/lemonldap_ng/templates/llng-uwsgi.service.j2 new file mode 100644 index 0000000..5d5151f --- /dev/null +++ b/roles/lemonldap_ng/templates/llng-uwsgi.service.j2 
@@ -0,0 +1,44 @@
+[Unit]
+Description=uWSGI server for Lemonldap::NG websso system
+After=network.target
+
+[Service]
+Type=simple
+RuntimeDirectory=llng-uwsgi
+PIDFile=/run/llng-uwsgi/llng-uwsgi.pid
+User=apache
+# So we can restrict the socket to 660
+Group=nginx
+# So we can read /etc/lemonldap-ng/lemonldap-ng.ini
+SupplementaryGroups=apache
+WorkingDirectory=/usr/share/lemonldap-ng/llng-server
+ExecStart=/usr/sbin/uwsgi \
+ --plugin psgi \
+ --psgi llng-server.psgi \
+ --plugin systemd_logger \
+ --logger systemd \
+ --socket /run/llng-uwsgi/llng-uwsgi.sock \
+ --chmod-socket=660 \
+ --master \
+ --workers {{ llng_workers }} \
+ --max-worker-lifetime 604800 \
+ --max-requests 100000 \
+ --disable-logging \
+ --harakiri 30 \
+ --buffer-size 65535 \
+ --limit-post 0 \
+ --safe-pidfile /run/llng-uwsgi/llng-uwsgi.pid \
+ --die-on-term
+ExecReload=kill -HUP $MAINPID
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+MemoryLimit={{ llng_workers * 250 }}M
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/lemonldap_ng/templates/nginx_handler.conf.j2 b/roles/lemonldap_ng/templates/nginx_handler.conf.j2
index a437b62..83c0337 100644
--- a/roles/lemonldap_ng/templates/nginx_handler.conf.j2
+++ b/roles/lemonldap_ng/templates/nginx_handler.conf.j2
@@ -3,7 +3,13 @@ location /llng-reload { allow {{ ip }}; {% endfor %} deny all; +{% if llng_engine == 'fastcgi' %} include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_param LLTYPE reload; +{% elif llng_engine == 'uwsgi' %} + include /etc/nginx/uwsgi_params; + uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock; + uwsgi_param LLTYPE reload; +{% endif %} }
diff --git a/roles/lemonldap_ng/templates/nginx_manager.conf.j2 b/roles/lemonldap_ng/templates/nginx_manager.conf.j2
index 329ae81..80c3aa3 100644
--- a/roles/lemonldap_ng/templates/nginx_manager.conf.j2
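Review bot: `--limit-post 0` in the ExecStart leaves uWSGI without a request-body cap, so the only bound on POST size reaching the portal is whatever `client_max_body_size` nginx applies in the calling vhost — confirm that is set there, or give uWSGI an explicit limit. `--disable-logging` turns off uWSGI's per-request log, which is acceptable only if the nginx access log is meant to remain the audit trail for portal requests; a comment stating that would help, e.g. `# Request logging is left to nginx; uwsgi only reports errors through the systemd logger`. The hardening block (NoNewPrivileges, ProtectSystem, 660 socket owned by apache:nginx) mirrors the fastcgi unit, and the `Group=nginx` plus `SupplementaryGroups=apache` arrangement is explained inline, which is good.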
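Review bot: The `{% if llng_engine == 'fastcgi' %} ... {% elif llng_engine == 'uwsgi' %} ... {% endif %}` chain has no `{% else %}`, so any other value of `llng_engine` renders `location /llng-reload` with an allow/deny list but no `fastcgi_pass` or `uwsgi_pass`, and nginx silently treats it as a static path instead of the deploy failing. The same open chain is repeated in nginx_manager.conf.j2, both hunks of nginx_portal.conf.j2 and 30-vhosts.conf.j2. Failing early in the role is the simplest fix: an `assert` task in tasks/main.yml with `that: llng_engine in ['fastcgi', 'uwsgi']` before any template is rendered.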
+++ b/roles/lemonldap_ng/templates/nginx_manager.conf.j2 @@ -23,12 +23,20 @@ server { } location ~ ^(?/.*\.psgi)(?:$|/) { +{% if llng_engine == 'fastcgi' %} include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; - fastcgi_param LLTYPE manager; + fastcgi_param LLTYPE psgi; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; +{% elif llng_engine == 'uwsgi' %} + include /etc/nginx/uwsgi_params; + uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock; + uwsgi_param LLTYPE psgi; + uwsgi_param SCRIPT_FILENAME $document_root$sc; + uwsgi_param SCRIPT_NAME $sc; +{% endif %} } location / { diff --git a/roles/lemonldap_ng/templates/nginx_portal.conf.j2 b/roles/lemonldap_ng/templates/nginx_portal.conf.j2 index a046ed2..690653d 100644 --- a/roles/lemonldap_ng/templates/nginx_portal.conf.j2 +++ b/roles/lemonldap_ng/templates/nginx_portal.conf.j2 @@ -23,20 +23,26 @@ server { } location ~ ^(?/.*\.psgi)(?:$|/) { +{% if llng_engine == 'fastcgi' %} include /etc/nginx/fastcgi_params; - fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_param LLTYPE psgi; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; - +{% elif llng_engine == 'uwsgi' %} + include /etc/nginx/uwsgi_params; + uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock; + uwsgi_param LLTYPE psgi; + uwsgi_param SCRIPT_FILENAME $document_root$sc; + uwsgi_param SCRIPT_NAME $sc; +{% endif %} {% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %} map $ssl_client_s_dn $ssl_client_s_dn_cn { default ""; ~/CN=(?[^/]+) $CN; } - fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; + {{ (llng_engine == 'uwsgi') | ternary('uwsgi', 'fastcgi') }}_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; {% endif %} } 
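Review bot: `fastcgi_param LLTYPE manager` becomes `fastcgi_param LLTYPE psgi` on the existing fastcgi path of the manager vhost, which is a behaviour change for current deployments and is unrelated to adding the uwsgi engine; if the manager is now meant to go through the generic psgi dispatcher, a comment above the line such as `# manager.psgi is dispatched like the other psgi scripts (LLTYPE psgi)` or a sentence in the commit message would record that. The uwsgi branch sets `SCRIPT_FILENAME` and `SCRIPT_NAME` from `$sc` but passes no `PATH_INFO`, unlike the fastcgi branch; whether the psgi server needs it for sub-paths of the manager I cannot tell from here, so it is worth a check against an actual manager session.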
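Review bot: The fastcgi branch of the `.psgi` location in nginx_portal.conf.j2 drops `fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;` and nothing re-adds it, so with the default `llng_engine: fastcgi` the portal location has `fastcgi_param` directives but no upstream and nginx will attempt to serve `*.psgi` as files. Re-add `fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;` right after `include /etc/nginx/fastcgi_params;` inside the `{% if llng_engine == 'fastcgi' %}` branch, as the manager and API hunks do. The whole location block is visible in the hunk, so this is not supplied elsewhere in that scope.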
@@ -82,12 +88,20 @@ server { {% endif %} location ~ /index.psgi/(adminSessions|sessions|config|notification) { +{% if llng_engine == 'fastcgi' %} include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; fastcgi_param LLTYPE psgi; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_split_path_info ^(.*\.psgi)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; +{% elif llng_engine == 'uwsgi' %} + include /etc/nginx/uwsgi_params; + uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock; + uwsgi_param LLTYPE psgi; + uwsgi_param SCRIPT_FILENAME $document_root$sc; + uwsgi_param SCRIPT_NAME $sc; +{% endif %} {% for ip in llng_api_src_ip %} allow {{ ip }}; {% endfor %} diff --git a/roles/lemonldap_ng/vars/RedHat-7.yml b/roles/lemonldap_ng/vars/RedHat-7.yml index 33652ff..bddc092 100644 --- a/roles/lemonldap_ng/vars/RedHat-7.yml +++ b/roles/lemonldap_ng/vars/RedHat-7.yml @@ -4,6 +4,8 @@ llng_common_packages: - lemonldap-ng-conf - perl-Cache-Cache - lemonldap-ng-fastcgi-server + - uwsgi-plugin-psgi + - uwsgi-logger-systemd llng_portal_packages: - python-passlib diff --git a/roles/lemonldap_ng/vars/RedHat-8.yml b/roles/lemonldap_ng/vars/RedHat-8.yml index 1101f8d..0e05092 100644 --- a/roles/lemonldap_ng/vars/RedHat-8.yml +++ b/roles/lemonldap_ng/vars/RedHat-8.yml @@ -5,6 +5,8 @@ llng_common_packages: - perl-Cache-Cache - lemonldap-ng-fastcgi-server - python3-mysql + - uwsgi-plugin-psgi + - uwsgi-logger-systemd llng_portal_packages: - python3-passlib diff --git a/roles/matrix_synapse/defaults/main.yml b/roles/matrix_synapse/defaults/main.yml index dbf058f..7c2d080 100644 --- a/roles/matrix_synapse/defaults/main.yml +++ b/roles/matrix_synapse/defaults/main.yml @@ -1,7 +1,7 @@ --- # Synapse version to deploy -synapse_version: 1.52.0 +synapse_version: 1.53.0 # Should ansible handle Synapse upgrades ? If false, only initial install will be done synapse_manage_upgrade: True 
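Review bot: `uwsgi-plugin-psgi` and `uwsgi-logger-systemd` are appended to `llng_common_packages` in RedHat-7.yml and RedHat-8.yml, so they and the uwsgi core they depend on are installed on every host running the role, including `llng_server: httpd` deployments that never start the service. If the role already has a package list that is only applied for the nginx case, these belong there; otherwise a comment above the two entries, e.g. `# Only used when llng_server == 'nginx' and llng_engine == 'uwsgi'`, makes the extra packages on httpd hosts a deliberate choice rather than an oversight.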
diff --git a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2 b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2 index 482a895..9a64972 100644 --- a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2 +++ b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2 @@ -78,22 +78,30 @@ server { {% if vhost.auth == 'llng' or vhost.auth == 'llng_basic' %} ## lmauth endpoint for llng authentication location = /lmauth { +{% if llng_engine | default('fastcgi') == 'fastcgi' %} internal; include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; - # Drop post datas fastcgi_pass_request_body off; fastcgi_param CONTENT_LENGTH ""; - # Keep original hostname fastcgi_param HOST $http_host; - # Keep original request (LLNG server will received /llauth) - fastcgi_param X_ORIGINAL_URI $request_uri; + fastcgi_param X_ORIGINAL_URI $request_uri; # Use bigger buffers (see GLPI #49915) fastcgi_buffers 16 32k; fastcgi_buffer_size 64k; +{% elif llng_engine | default('fastcgi') == 'uwsgi' %} + include /etc/nginx/uwsgi_params; + uwsgi_pass unix:/run/llng-uwsgi/llng-uwsgi.sock; + uwsgi_pass_request_body off; + uwsgi_param CONTENT_LENGTH ""; + uwsgi_param HOST $http_host; + uwsgi_param X_ORIGINAL_URI $request_uri; + uwsgi_buffers 16 32k; + uwsgi_buffer_size 64k; +{% endif %} {% if vhost.auth == 'llng_basic' %} # Use basic auth on this vhost - fastcgi_param VHOSTTYPE AuthBasic; + {{ (llng_engine == 'uwsgi') | ternary('uwsgi', 'fastcgi') }}_param VHOSTTYPE AuthBasic; {% endif %} } {% endif %}
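Review bot: `internal;` is now inside the `{% if llng_engine | default('fastcgi') == 'fastcgi' %}` branch, so when the uwsgi engine is selected `location = /lmauth` becomes reachable directly by clients instead of only through the `auth_request` subrequest; move `internal;` back above the `{% if %}` so both branches keep it. The `VHOSTTYPE AuthBasic` line uses `llng_engine` bare while the two conditions above it use `llng_engine | default('fastcgi')`, so on a host where the nginx role runs without the lemonldap_ng defaults a `llng_basic` vhost fails to template on an undefined variable — use `{{ (llng_engine | default('fastcgi') == 'uwsgi') | ternary('uwsgi', 'fastcgi') }}_param VHOSTTYPE AuthBasic;`. The removed `# Drop post datas`, `# Keep original hostname` and `# Keep original request` comments explained why the body is discarded and the host and URI forwarded; they apply to both branches and deserve to stay above the `{% if %}` or be repeated in each branch.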