From 6743d7cc66e5c6f1ce07deb8b62f4fc10f530169 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Wed, 17 Apr 2024 13:21:07 +0200
Subject: [PATCH] Move profile deployment to docker

---
 provision.yml | 1 +
 roles/profile/defaults/main.yml | 40 +---
 roles/profile/handlers/main.yml | 9 +-
 roles/profile/tasks/install-branch.yml | 39 ---
 roles/profile/tasks/install-release.yml | 31 ---
 roles/profile/tasks/main.yml | 215 ++++++-----------
 .../templates/global_view_parameters.yml.j2 | 26 ++
 .../{parameters.yaml.j2 => parameters.yml.j2} | 7 +-
 .../profile/templates/profile-pool-72.conf.j2 | 225 ------------------
 roles/profile/templates/profile.conf.j2 | 53 -----
 roles/profile/vars/main.yml | 11 +-
 11 files changed, 131 insertions(+), 526 deletions(-)
 delete mode 100644 roles/profile/tasks/install-branch.yml
 delete mode 100644 roles/profile/tasks/install-release.yml
 create mode 100644 roles/profile/templates/global_view_parameters.yml.j2
 rename roles/profile/templates/{parameters.yaml.j2 => parameters.yml.j2} (94%)
 delete mode 100644 roles/profile/templates/profile-pool-72.conf.j2
 delete mode 100644 roles/profile/templates/profile.conf.j2

diff --git a/provision.yml b/provision.yml
index 248c4f380..870b66a50 100644
--- a/provision.yml
+++ b/provision.yml
@@ -181,6 +181,7 @@
     - { role: mujina-idp, tags: ["mujina-idp"] }
     - { role: oidc-playground, tags: ["oidc-playground"] }
     - { role: stats, tags: ["stats"] }
+    - { role: profile, tags: ["profile"] }
 
 - import_playbook: "{{ environment_dir }}/playbook.yml"
 
diff --git a/roles/profile/defaults/main.yml b/roles/profile/defaults/main.yml
index 208687a05..ad0c115d0 100644
--- a/roles/profile/defaults/main.yml
+++ b/roles/profile/defaults/main.yml
@@ -1,42 +1,21 @@
 # Default variables used to configure Profile
 # These can be overwritten via group or extra vars
 
-# Version of Profile that is installable by this role
-# E.g. profile_version: x.y.z
-profile_version: ''
-
-# Profile installer specific variables
-profile_version_dir: "{{ profile_version | replace('/', '-') }}"
-profile_branch_dir: "{{ openconext_builds_dir }}/OpenConext-profile-{{ profile_branch | replace('/', '-') }}"
-profile_release_dir: "{{ openconext_releases_dir }}/OpenConext-profile-{{ profile_version_dir }}"
-profile_build_path: "{{ openconext_builds_dir }}/OpenConext-profile-{{ profile_version_dir }}.tar.gz"
-profile_download_url: "https://github.com/OpenConext/OpenConext-profile/releases/download/{{ profile_version }}/OpenConext-profile-{{ profile_version_dir }}.tar.gz"
-profile_current_release_symlink: "{{ openconext_releases_dir }}/OpenConext-profile"
-
-# Domain under which profile can be found
-profile_domain: profile.{{ base_domain }}
-
-# Cache and log paths
-profile_symfony_cache_path: "/tmp/profile/symfony-cache/"
-profile_symfony_log_path: "/var/log/profile"
-
 # Secret used by application for adding entropy to security related operations
 profile_secret: secret
-
+engine_api_verify_ssl: true
+profile_vhost_name: "profile.{{ base_domain }}"
 # Language code for user locale to be set by default
 # E.g. profile_default_locale: en
 profile_default_locale: en
 
-# IP-address and domain of Engine API to enable Profile to send API calls
-engine_api_verify_ssl: true
-
 # Paths of public and private key used for sending SAML AuthnRequests
-profile_saml_sp_publickey: ../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer
-profile_saml_sp_privatekey: ../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem
+profile_saml_sp_publickey: /var/www/html/vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer
+profile_saml_sp_privatekey: /var/www/html/vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem
 
 # Paths of public and private key used for signing metadata
-profile_saml_metadata_publickey: ../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer
-profile_saml_metadata_privatekey: ../vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem
+profile_saml_metadata_publickey: /var/www/html/vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_publickey.cer
+profile_saml_metadata_privatekey: /var/www/html/vendor/surfnet/stepup-saml-bundle/src/Resources/keys/development_privatekey.pem
 
 # Domain under which EngineBlock can be found
 engine_domain: engine.{{ base_domain }}
@@ -46,10 +25,8 @@ engine_profile_idp_entityid: https://{{ engine_domain }}/authentication/idp/meta
 
 # URL for remote identity provider's single sign on
 engine_profile_idp_sso_url: https://{{ engine_domain }}/authentication/idp/single-sign-on
-
-profile_fpm_user: profile
-profile_fpm_port: 802
-
+# Certificate containting the public SAML signing key of the reomote IDP
+engine_profile_idp_certificate: "/var/www/html/config/openconext/certs/{{ profile_eb_saml_public_key }}"
 
 profile_info_request_email: "{{ support_email }}"
 profile_lifecycle_enabled: false
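Review bot: The new-side defaults for `profile_saml_sp_privatekey` and `profile_saml_metadata_privatekey` point at `development_privatekey.pem` inside the vendored stepup-saml-bundle, so any deployment that does not override these variables signs its AuthnRequests and SP metadata with a private key that is public in the upstream repository. The commit only relocates the path into the container filesystem, so the comment above the key paths should make the override expectation explicit, e.g. `# Development keys bundled with stepup-saml-bundle; override with environment-specific keys (mounted under /var/www/html/config/openconext) for anything but a local dev setup`. The same applies to the unchanged `profile_secret: secret` context line a few lines above, which nothing in the role detects being left at its placeholder value.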
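Review bot: The comment added above `engine_profile_idp_certificate` has two typos ("containting", "reomote"); since this is the trust anchor Profile uses to verify EngineBlock's SAML signatures, it deserves accurate wording, e.g. `# Certificate containing the public SAML signing key of the remote IdP (EngineBlock); copied into config/openconext/certs by tasks/main.yml`. The value hard-codes the container-side path `/var/www/html/config/openconext/certs/`, while the task that installs the file builds the host path from `current_release_config_dir_name` and the container bind-mounts that directory to `/var/www/html/config/openconext`; a short note that these three must stay in lockstep would save the next maintainer from a silent verification failure when one of them moves.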
@@ -63,4 +40,3 @@ profile_manage_provision_samlsp_metadata_url: "https://profile.{{ base_domain }}
 profile_manage_provision_samlsp_sp_cert: ""
 profile_manage_provision_samlsp_trusted_proxy: false
 profile_manage_provision_samlsp_sign: false
-
diff --git a/roles/profile/handlers/main.yml b/roles/profile/handlers/main.yml
index 8a2235003..0e6bf345f 100644
--- a/roles/profile/handlers/main.yml
+++ b/roles/profile/handlers/main.yml
@@ -1,5 +1,6 @@
 ---
-- name: restart php72-fpm
-  service:
-    name: php72-php-fpm
-    state: restarted
+- name: restart profile
+  community.docker.docker_container:
+    name: profile
+    state: started
+    restart: true
diff --git a/roles/profile/tasks/install-branch.yml b/roles/profile/tasks/install-branch.yml
deleted file mode 100644
index ab28a4c84..000000000
--- a/roles/profile/tasks/install-branch.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-- name: Check if target dir exists
-  stat:
-    path: "{{ profile_release_dir }}"
-  register: profile_dir
-
-- name: Checkout profile branch
-  git:
-    repo: https://github.com/OpenConext/OpenConext-profile.git
-    dest: "{{ profile_branch_dir }}"
-    version: "{{ profile_branch }}"
-    force: yes
-  register: profile_gitclone
-
-- name: Make release
-  command: "./makeRelease.sh {{ profile_branch }}"
-  environment:
-    HOME: "{{ openconext_builds_dir }}"
-  args:
-    chdir: "{{ profile_branch_dir }}"
-  when:
-    - profile_gitclone.changed or not profile_dir.stat.exists
-
-- name: Unpack current version
-  unarchive:
-    src: "{{ openconext_builds_dir }}/Releases/OpenConext-profile-{{ profile_branch | replace('/', '_') }}.tar.gz"
-    dest: "{{ openconext_releases_dir }}"
-    copy: no
-  when:
-    - profile_gitclone.changed or not profile_dir.stat.exists
-
-- name: Activate new Profile branch
-  file:
-    src: "{{ openconext_releases_dir }}/OpenConext-profile-{{ profile_branch | replace('/', '_') }}"
-    dest: "{{ profile_current_release_symlink }}"
-    state: link
-  notify:
-    - "restart httpd"
-    - "restart php72-fpm"
diff --git a/roles/profile/tasks/install-release.yml b/roles/profile/tasks/install-release.yml
deleted file mode 100644
index 9aa5a7f5a..000000000
--- a/roles/profile/tasks/install-release.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-- name: Check if target dir exists
-  stat:
-    path: "{{ profile_current_release_symlink }}"
-    follow: no
-  register: profile_dir
-
-- name: Download current version
-  get_url:
-    url: "{{ profile_download_url }}"
-    dest: "{{ profile_build_path }}"
-  register: profile_download
-
-- name: Unpack current version
-  unarchive:
-    src: "{{ profile_build_path }}"
-    dest: "{{ openconext_releases_dir }}"
-    copy: no
-  when:
-    - profile_download.changed or profile_dir.stat.lnk_source != profile_release_dir
-
-- name: Activate new Profile release
-  file:
-    src: "{{ profile_release_dir }}"
-    dest: "{{ profile_current_release_symlink }}"
-    state: link
-  notify:
-    - "restart httpd"
-    - "restart php72-fpm"
-  when:
-    - profile_download.changed or profile_dir.stat.lnk_source != profile_release_dir
diff --git a/roles/profile/tasks/main.yml b/roles/profile/tasks/main.yml
index 5401b873b..df91dce0e 100644
--- a/roles/profile/tasks/main.yml
+++ b/roles/profile/tasks/main.yml
@@ -1,170 +1,113 @@
 ---
-- name: Add group {{ profile_fpm_user }}
-  group:
-    name: "{{ profile_fpm_user }}"
+- name: Add group {{ appname }}
+  ansible.builtin.group:
+    name: "{{ appname }}"
     state: present
+  register: profile_guid
 
-- name: Add user {{ profile_fpm_user }}
-  user:
-    name: "{{ profile_fpm_user }}"
-    group: "{{ profile_fpm_user }}"
-    createhome: no
+- name: Add user {{ appname }}
+  ansible.builtin.user:
+    name: "{{ appname }}"
+    group: "{{ appname }}"
+    createhome: false
     state: present
+  register: profile_uid
 
-- name: Create directory for vhosts to store PHP sessions
-  file:
-    path: "{{ php_session_dir}}/profile"
+- name: Create some dirs
+  ansible.builtin.file:
     state: directory
-    owner: "{{ profile_fpm_user }}"
+    dest: "{{ item }}"
+    owner: root
     group: root
-    mode: 0770
-
-- name: Include install-release.yml
-  include_tasks: install-release.yml
-  when: profile_branch is not defined or profile_branch == ''
-
-- name: Include install-branch.yml
-  include_tasks: install-branch.yml
-  when: profile_branch is defined and profile_branch != ''
-
-- name: Create the cache dir for Symfony
-  file:
-    path: "{{ profile_symfony_cache_path }}"
-    state: directory
-    owner: "{{ profile_fpm_user }}"
-    group: "{{ profile_fpm_user }}"
-    recurse: yes
-
-- name: Create the log dir for Symfony
-  file:
-    path: "{{ profile_symfony_log_path }}"
-    state: directory
-    owner: "{{ profile_fpm_user }}"
-    group: '{{ profile_fpm_user }}'
-    recurse: yes
-
-- name: Place parameters.yaml
-  template:
-    src: "{{ item }}.j2"
-    dest: "{{ profile_current_release_symlink }}/config/legacy/{{ item }}"
-    mode: 0644
+    mode: "0755"
   with_items:
-    - parameters.yaml
+    - "{{ current_release_config_dir_name }}"
+    - "{{ current_release_config_dir_name }}/certs"
+    - "{{ current_release_config_dir_name }}/translations/overrides"
+
+- name: Put parameters YAML config
+  ansible.builtin.template:
+    src: "{{ item }}.yml.j2"
+    dest: "{{ current_release_config_dir_name }}/{{ item }}.yaml"
+    mode: "0640"
+    group: "{{ appname }}"
+  with_items:
+    - parameters
+    - global_view_parameters
   notify:
-    - "restart php72-fpm"
-
-- name: Instantiate global_view_parameters.yml.dist
-  command: mv global_view_parameters.yaml.dist global_view_parameters.yaml
-  args:
-    chdir: "{{ profile_current_release_symlink }}/config/legacy/"
-  creates: "{{ profile_current_release_symlink }}/config/legacy/global_view_parameters.yaml"
+    - restart {{ appname }}
+
+- name: Install the engineblock certificate
+  ansible.builtin.copy:
+    src: "{{ inventory_dir }}/files/certs/{{ profile_eb_saml_public_key }}"
+    dest: "{{ current_release_config_dir_name }}/certs/{{ profile_eb_saml_public_key }}"
+    mode: "0644"
+    owner: root
+    group: root
 
 - name: Check presence of language specific overrides
-  local_action: stat path="{{ inventory_dir }}/files/profile/overrides/"
+  ansible.builtin.stat:
+    path: "{{ inventory_dir }}/files/profile/overrides/"
+  delegate_to: localhost
   register: overrides_present
   become: false
 
-# Can be removed after 2022-01-01
-- name: Check for wrongly created overrides file (not dir)
-  stat:
-    path: "{{ profile_current_release_symlink }}/translations/overrides"
-  register: overridesisfile
-
-# Can be removed after 2022-01-01
-- name: Clean up wrongly created overrides file (not dir)
-  file:
-    path: "{{ profile_current_release_symlink }}/translations/overrides"
-    state: absent
-  when: overrides_present.stat.exists and overridesisfile.stat.exists and overridesisfile.stat.isdir == False
 
 - name: Copy language specific overrides
-  template:
+  ansible.builtin.template:
     src: "{{ item }}"
-    dest: "{{ profile_current_release_symlink }}/translations/overrides/"
+    dest: "{{ current_release_config_dir_name }}/translations/overrides/"
   when: overrides_present.stat.exists
   with_fileglob:
     - "{{ inventory_dir }}/files/profile/overrides/*"
   notify:
-    - "restart php72-fpm"
+    - "restart {{ appname }}"
 
 - name: Check if we have a custom favicon
-  local_action: stat path="{{ inventory_dir }}/files/favicon.ico"
+  ansible.builtin.stat:
+    path: "{{ inventory_dir }}/files/favicon.ico"
+  delegate_to: localhost
   register: customfavicon
   become: false
 
 - name: Install environment specific favicon
-  copy:
+  ansible.builtin.copy:
     src: "{{ inventory_dir }}/files/favicon.ico"
-    dest: "{{ profile_current_release_symlink }}/public/"
+    dest: "{{ current_release_config_dir_name }}/images/"
+    owner: root
+    group: root
+    mode: "0644"
   when: customfavicon.stat.exists
 
-- name: Create the symfony cache
-  command: php72 bin/console cache:clear --env={{ profile_apache_symfony_environment }} --no-debug
-  args:
-    chdir: "{{ profile_current_release_symlink }}/"
-  when:
-    - not develop
-  changed_when: false
-
-- name: Make sure cache dir has correct permissions
-  file:
-    path: "{{ profile_current_release_symlink }}/var/cache"
-    owner: "{{ profile_fpm_user }}"
-    group: "{{ profile_fpm_user }}"
-    recurse: yes
-  changed_when: false
-
-- name: Make sure log dir has correct permissions
-  file:
-    path: "{{ profile_current_release_symlink }}/var/log"
-    owner: "{{ profile_fpm_user }}"
-    group: "{{ profile_fpm_user }}"
-    recurse: yes
-  changed_when: false
-
-- name: Install Apache vhost
-  template:
-    src: "{{ item }}.j2"
-    dest: "/etc/httpd/conf.d/{{ item }}"
-  with_items:
-    - profile.conf
-  notify:
-    - "restart httpd"
-
-- name: clean up old php-fpm 5.6 config
-  file:
-    path: "/etc/php-fpm.d/profile-pool.conf"
-    state: absent
-
-- name: php-fpm 72 config
-  template:
-    src: "{{ item }}.j2"
-    dest: "/etc/opt/remi/php72/php-fpm.d/{{ item }}"
-  with_items:
-    - profile-pool-72.conf
-  notify:
-    - "restart php72-fpm"
-
-- name: clean up profile <3.0 config
-  file:
-    path: "/etc/openconext/profile.yml"
-    state: absent
+- name: Create the container
+  community.docker.docker_container:
+    name: "{{ appname }}"
+    image: ghcr.io/openconext/openconext-profile/profile:{{ profile_version }}
+    etc_hosts:
+      host.docker.internal: host-gateway
+    pull: true
+    restart_policy: "always"
+    networks:
+      - name: "loadbalancer"
+    labels:
+      traefik.http.routers.profile.rule: "Host(`{{ profile_vhost_name }}`)"
+      traefik.http.routers.profile.tls: "true"
+      traefik.enable: "true"
+    env:
+      APACHE_UID: "#{{ profile_uid.uid }}"
+      APACHE_GUID: "#{{ profile_guid.gid }}"
+      APP_ENV: prod
+      HTTPD_CSP: "{{ httpd_csp.strict_with_static_img }}"
+    mounts:
+      - source: /opt/openconext/profile
+        target: /var/www/html/config/openconext
+        type: bind
+      - source: /opt/openconext/profile/images/favicon.ico
+        target: /var/www/html/public/favicon.ico
+        type: bind
 
 - name: Include the role manage_provision_entities to provision profile to Manage
-  include_role:
+  ansible.builtin.include_role:
     name: manage_provision_entities
-  vars:
+  vars:
     entity_type: saml20_sp
-
-# Remove all dirs, but keep the current version and from the rest the most recent one.
-- name: Clean up old releases
-  shell: ls -td {{ openconext_releases_dir }}/OpenConext-profile-* | grep -v $(readlink {{ profile_current_release_symlink }}) | tail -n +2 | xargs --no-run-if-empty rm -rv
-  register: clean_releases
-  changed_when: '"removed" in clean_releases.stdout'
-
-# Remove all tarballs, but keep the current version and from the rest the most recent one.
-- name: Clean up old builds
-  shell: ls -td {{ openconext_builds_dir }}/OpenConext-profile-* {{ openconext_builds_dir }}/Releases/ | grep -v {{ profile_build_path }} | tail -n +2 | xargs --no-run-if-empty rm -rv
-  register: clean_builds
-  changed_when: '"removed" in clean_builds.stdout'
diff --git a/roles/profile/templates/global_view_parameters.yml.j2 b/roles/profile/templates/global_view_parameters.yml.j2
new file mode 100644
index 000000000..f39839b42
--- /dev/null
+++ b/roles/profile/templates/global_view_parameters.yml.j2
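Review bot: The second bind mount in "Create the container" uses `/opt/openconext/profile/images/favicon.ico` as its source unconditionally, but the only task that creates that file ("Install environment specific favicon") runs only `when: customfavicon.stat.exists`; Docker rejects a `type: bind` mount whose source path does not exist, so an inventory without `files/favicon.ico` will fail at container creation. Either guard the mount with the same condition (build `mounts` from a base list and append the favicon entry only when `customfavicon.stat.exists`) or always place a default favicon into `{{ current_release_config_dir_name }}/images/` before this task. Separately, the image is pulled by the mutable tag `profile:{{ profile_version }}` with `pull: true` and `restart_policy: "always"`, and this commit drops the `profile_version: ''` default from the role, so an inventory that does not set it fails on an undefined variable while one that does gets whatever that tag currently points at; pinning to a digest (`image@sha256:…`) or documenting `profile_version` as a required immutable release tag would close that gap. The deleted Apache vhost also set `Header always set Referrer-Policy "strict-origin-when-cross-origin"`, which has no counterpart in the container's `env` alongside `HTTPD_CSP`; unless the image sets that header itself, it is lost in the move.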
@@ -0,0 +1,26 @@
+# This file is auto-generated during the composer install
+parameters:
+  help_url:
+    en: 'https://support.surfconext.nl/help-profile-en'
+    nl: 'https://support.surfconext.nl/help-profile-nl'
+    pt: 'https://support.surfconext.nl/help-profile-en'
+  privacy_url:
+    en: 'https://support.surfconext.nl/privacy-en'
+    nl: 'https://support.surfconext.nl/privacy-nl'
+    pt: 'https://support.surfconext.nl/privacy-en'
+  terms_of_service_url:
+    en: 'https://support.surfconext.nl/terms-en'
+    nl: 'https://support.surfconext.nl/terms-nl'
+    pt: 'https://support.surfconext.nl/terms-en'
+  platform_url:
+    en: 'https://www.surfconext.nl/en'
+    nl: 'https://www.surfconext.nl'
+    pt: 'https://www.surfconext.nl/en'
+  profile_explanation_image_path:
+    en: build/images/profile_home_en.png
+    nl: build/images/profile_home_nl.png
+    pt: build/images/profile_home_pt.png
+  attribute_information_url:
+    en: 'https://support.surfconext.nl/attributes-en'
+    nl: 'https://support.surfconext.nl/attributes-nl'
+    pt: 'https://support.surfconext.nl/attributes-en'
diff --git a/roles/profile/templates/parameters.yaml.j2 b/roles/profile/templates/parameters.yml.j2
similarity index 94%
rename from roles/profile/templates/parameters.yaml.j2
rename to roles/profile/templates/parameters.yml.j2
index 8459f9e2c..6f427dd1d 100644
--- a/roles/profile/templates/parameters.yaml.j2
+++ b/roles/profile/templates/parameters.yml.j2
@@ -1,5 +1,8 @@
 parameters:
-  secret: '{{ profile_secret }}'
+  app_env: prod
+  app_debug: false
+  app_secret: {{ profile_secret }}
+  secret: {{ profile_secret }}
   locales: [en, nl]
   default_locale: {{ profile_default_locale }}
   open_conext_locale_cookie_key: lang
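Review bot: The header comment `# This file is auto-generated during the composer install` is no longer true for this copy — it is now rendered by Ansible from `roles/profile/templates/global_view_parameters.yml.j2` and written with mode 0640 into the config directory, and a maintainer who trusts the comment will edit the wrong file; change it to `# Managed by Ansible (roles/profile/templates/global_view_parameters.yml.j2); local edits are overwritten on the next run`. The template also hard-codes SURFconext help, privacy and terms-of-service URLs for every environment that uses this role, whereas the rest of the role derives hostnames from `base_domain`; exposing them as role defaults (e.g. `profile_help_url`, `profile_privacy_url`) would let other operators avoid shipping another organisation's legal documents by accident.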
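Review bot: `app_secret: {{ profile_secret }}` and `secret: {{ profile_secret }}` drop the single quotes that the removed line had around `'{{ profile_secret }}'`, so the rendered value is parsed as a plain YAML scalar: a secret containing `: `, ` #`, a leading `*`, `&`, `{`, `[` or `%`, or one that happens to look like a number or boolean, will be truncated, retyped or rejected by the application's YAML loader. Keep the quoting on both lines — `app_secret: '{{ profile_secret }}'` and `secret: '{{ profile_secret }}'` — since a randomly generated secret is exactly the kind of value that hits those cases, and the failure would surface as a session or CSRF-token problem rather than a clear parse error.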
@@ -38,7 +41,7 @@ parameters:
   attribute_aggregation_orcid_logo_path: 'build/images/orcid.png'
   attribute_aggregation_orcid_connect_url: 'https://link.{{ base_domain }}/orcid?redirectUrl=https://profile.{{ base_domain }}/my-connections'
 
-  mailer_url: 'smtp://localhost:25'
+  mailer_url: 'smtp://{{ smtp_host }}:25'
   attribute_support_email_from: '{{ noreply_email }}'
   attribute_support_email_to: '{{ engine_idp_debugging_email_address }}'
 
diff --git a/roles/profile/templates/profile-pool-72.conf.j2 b/roles/profile/templates/profile-pool-72.conf.j2
deleted file mode 100644
index f8d7690a9..000000000
--- a/roles/profile/templates/profile-pool-72.conf.j2
+++ /dev/null
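Review bot: `mailer_url: 'smtp://{{ smtp_host }}:25'` replaces the loopback relay with a configurable host but keeps plain SMTP on port 25, so now that the application runs in a container the attribute-support mails (which carry the `attribute_support_email_*` addresses and whatever the user types into the request) presumably leave the container over the Docker network without guaranteed transport protection. If `smtp_host` is anything other than the Docker host's own relay, an explicit `smtps://` or `?encryption=tls` URL would be appropriate; at minimum add a comment stating the assumption, e.g. `# Plain SMTP: smtp_host must be a trusted relay reachable without crossing untrusted network segments`.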
@@ -1,225 +0,0 @@ -; Create a new pool named profile. -[profile] - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses on a -; specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. - -; Use unix socket -listen = /var/run/php-fpm/profile-pool-72.sock -; Set listen(2) backlog. A value of '-1' means unlimited. -; Default Value: -1 -;listen.backlog = -1 - -; List of ipv4 addresses of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -listen.allowed_clients = 127.0.0.1 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. -; Default Values: user and group are set as the running user -; mode is set to 0666 -listen.owner = apache -listen.group = apache -listen.mode = 0640 - -; Unix user/group of processes -; Note: The user is mandatory. If the group is not set, the default user's group -; will be used. -user = {{ profile_fpm_user }} -group = {{ profile_fpm_user }} - -; Choose how the process manager will control the number of child processes. -; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives: -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. 
-; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; Note: This value is mandatory. -pm = ondemand - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes to be created when pm is set to 'dynamic'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. -; Note: Used when pm is set to either 'static' or 'dynamic' -; Note: This value is mandatory. -pm.max_children = 20 - -; The number of child processes created on startup. -; Note: Used only when pm is set to 'dynamic' -; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 -;pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -;pm.max_spare_servers = 5 - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -pm.max_requests = 300 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
By default, the status page shows the following -; information: -; accepted conn - the number of request accepted by the pool; -; pool - the name of the pool; -; process manager - static or dynamic; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes. -; The values of 'idle processes', 'active processes' and 'total processes' are -; updated each second. The value of 'accepted conn' is updated in real time. -; Example output: -; accepted conn: 12073 -; pool: www -; process manager: static -; idle processes: 35 -; active processes: 65 -; total processes: 100 -; By default the status page output is formatted as text/plain. Passing either -; 'html' or 'json' as a query string will return the corresponding output -; syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -pm.status_path = /status - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. 
-; Default Value: pong -;ping.response = pong - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -slowlog = /var/log/php-fpm/www-slow.log - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. This value must be an absolute path. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. -; Default Value: no -;catch_workers_output = yes - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. 
You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; exectute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. -; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -php_admin_value[error_log] = /var/log/php-fpm/profile-error.log -php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 128M - -; Set session path to a directory owned by process user -php_value[session.save_handler] = files -php_value[session.save_path] = {{ php_session_dir }}/profile -php_value[disable_functions] = {{ php_disabled_functions }} diff --git a/roles/profile/templates/profile.conf.j2 b/roles/profile/templates/profile.conf.j2 deleted file mode 100644 index dece65bc8..000000000 
--- a/roles/profile/templates/profile.conf.j2 +++ /dev/null @@ -1,53 +0,0 @@ -{% if apache_app_listen_address.profile is defined %} -Listen {{ apache_app_listen_address.profile }}:{{ loadbalancing.profile.port }} - -{% else %} - -{% endif %} - ServerName {{ profile_domain }} - ServerAdmin {{ admin_email }} - - DocumentRoot {{ profile_current_release_symlink }}/public - - SetEnv APP_ENV {{ profile_apache_symfony_environment }} - SetEnv HTTPS on - - - Require all granted - - Options -MultiViews - RewriteEngine On - RewriteCond %{REQUEST_FILENAME} !-f - RewriteRule ^(.*)$ index.php [QSA,L] - - - Header always set Referrer-Policy "strict-origin-when-cross-origin" - Header always set Content-Security-Policy "{{ httpd_csp.strict_with_static_img }}" - - # Proxy the requests to FPM - ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php-fpm/profile-pool-72.sock|fcgi://localhost/{{ profile_current_release_symlink }}/public/$1 - - ErrorLog "|/usr/bin/logger -S 32k -p local3.err -t 'Apache-PROFILE'" - CustomLog "|/usr/bin/logger -S 32k -p local3.info -t 'Apache-PROFILE'" combined - {% if haproxy_backend_tls %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/backend.{{ base_domain }}.pem - SSLCertificateKeyFile {{ tls.cert_private_path }}/backend.{{ base_domain }}.key - Include ssl_backend.conf - {% endif %} - - {% if apache_app_listen_address.all is defined %} - SSLEngine on - SSLCertificateFile {{ tls.cert_path }}/{{ tls_star_cert }} - SSLCertificateKeyFile {{ tls.cert_private_path }}/{{ tls_star_cert_key }} - SSLCertificateChainFile {{ tls.cert_path_ca }}/{{ tls_ca }} - Include ssl_backend.conf - {% endif %} - - ExpiresActive on - ExpiresByType font/* "access plus 1 year" - ExpiresByType image/* "access plus 6 months" - ExpiresByType text/css "access plus 1 year" - ExpiresByType text/js "access plus 1 year" - - diff --git a/roles/profile/vars/main.yml b/roles/profile/vars/main.yml index fcd768a4f..96e501593 100644 --- a/roles/profile/vars/main.yml 
+++ b/roles/profile/vars/main.yml
@@ -1,8 +1,11 @@
+appname: "profile"
+current_release_config_dir_name: "/opt/openconext/{{ appname }}"
+
 manage_provision_samlsp_client_id: "{{ profile_manage_provision_samlsp_client_id }}"
-manage_provision_samlsp_name_en: "{{ profile_manage_provision_samlsp_name_en }}"
-manage_provision_samlsp_description_en: "{{ profile_manage_provision_samlsp_description_en }}"
-manage_provision_samlsp_acs_location: "{{ profile_manage_provision_samlsp_acs_location }}"
-manage_provision_samlsp_metadata_url: "{{ profile_manage_provision_samlsp_metadata_url }}"
+manage_provision_samlsp_name_en: "{{ profile_manage_provision_samlsp_name_en }}"
+manage_provision_samlsp_description_en: "{{ profile_manage_provision_samlsp_description_en }}"
+manage_provision_samlsp_acs_location: "{{ profile_manage_provision_samlsp_acs_location }}"
+manage_provision_samlsp_metadata_url: "{{ profile_manage_provision_samlsp_metadata_url }}"
 manage_provision_samlsp_sp_cert: "{{ profile_manage_provision_samlsp_sp_cert }}"
 manage_provision_samlsp_trusted_proxy: "{{ profile_manage_provision_samlsp_trusted_proxy }}"
 manage_provision_samlsp_sign: "{{ profile_manage_provision_samlsp_sign }}"