diff --git a/hosts.yml b/hosts.yml
index bb2cc6e..708d173 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -10,3 +10,13 @@
 nginx_cluster:
 vars:
 ansible_user: ansible
+ nginx_cluster_access_ip:
+ - 10.10.10.254
+ nginx_cluster_open_ports:
+ - 80
+ - 443
+ - 8443
+ nginx_cluster_sebool:
+ - httpd_can_network_connect
+ - httpd_can_network_relay
+ - httpd_unified
diff --git a/roles/nginx_cluster/defaults/main.yml b/roles/nginx_cluster/defaults/main.yml
index 273ca29..f62de18 100644
--- a/roles/nginx_cluster/defaults/main.yml
+++ b/roles/nginx_cluster/defaults/main.yml
@@ -10,6 +10,21 @@
 nginx_cluser_sync_site_dir: "/var/www/html"
 nginx_cluser_sync_config_dir: "/etc/nginx"
 nginx_cluser_sync_php_config_dir: "/etc/php.d"
+nginx_cluster_php_version: 8.3
+nginx_cluster_access_ip: ""
+nginx_cluster_open_ports:
+ - 80
+ - 443
+nginx_cluster_sebool: ""
+
+nginx_cluster_aditional_packages:
+ - php-ldap
+ - php-bcmath
+ - php-gd
+ - php-zip
+ - php-intl
+ - php-imagick
+
 nginx_cluser_lsyncd_mode: "rsyncssh"
 nginx_cluser_lsyncd_delay: "0"
 nginx_cluser_lsyncd_rsync_times: "true"
diff --git a/roles/nginx_cluster/handlers/main.yml b/roles/nginx_cluster/handlers/main.yml
index 8e04ee0..0925288 100644
--- a/roles/nginx_cluster/handlers/main.yml
+++ b/roles/nginx_cluster/handlers/main.yml
@@ -10,6 +10,11 @@
 name: lsyncd
 state: restarted
+- name: Reload firewalld
+ service:
+ name: firewalld
+ state: reloaded
+
 - name: Restart SSH
 service:
 name: sshd
diff --git a/roles/nginx_cluster/tasks/firewall.yml b/roles/nginx_cluster/tasks/firewall.yml
new file mode 100644
index 0000000..2aa8007
--- /dev/null
+++ b/roles/nginx_cluster/tasks/firewall.yml
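Review bot: `httpd_unified` in the new `nginx_cluster_sebool` list removes SELinux's separation between read-only, read/write and executable httpd content types, so a compromised php-fpm worker could write to and execute from any httpd-labelled directory — a far wider grant than the two network booleans next to it, and nothing in the inventory says why it is needed. Prefer labelling only the directories that must be writable as `httpd_sys_rw_content_t` and dropping `httpd_unified`; if it has to stay, add `# httpd_unified: php-fpm may write+execute under any httpd_*_content_t — revisit` above it. `httpd_can_network_connect` likewise allows outbound connections to every port; if the sites only need a database or LDAP, `httpd_can_network_connect_db` / `httpd_can_connect_ldap` are the narrower booleans.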
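Review bot: `nginx_cluster_access_ip: ""` and `nginx_cluster_sebool: ""` are strings, yet tasks/main.yml passes both straight to `loop:`, and as far as I recall Ansible rejects a non-list loop value before it evaluates the task's `when`, so any host that does not override them in inventory fails the play instead of skipping the task. Default them to empty lists, `nginx_cluster_access_ip: []` and `nginx_cluster_sebool: []`, and make the guards `| length > 0` / `| length == 0`. `nginx_cluster_php_version: 8.3` should be quoted as `"8.3"`: a value such as `8.10` would be parsed as the float `8.1` before it reaches the dnf module string.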
@@ -0,0 +1,11 @@
+---
+# file: roles/nginx_cluster/tasks/firewall.yml
+
+- name: "Enable firewall rule to Access IP"
+ firewalld:
+ rich_rule: 'rule family="ipv4" source address="{{ access_ip }}" port port="{{ item }}" protocol="tcp" accept'
+ permanent: yes
+ state: enabled
+ immediate: yes
+ notify: Reload firewalld
+ loop: "{{ nginx_cluster_open_ports }}"
diff --git a/roles/nginx_cluster/tasks/main.yml b/roles/nginx_cluster/tasks/main.yml
index 5071aca..ce12f08 100644
--- a/roles/nginx_cluster/tasks/main.yml
+++ b/roles/nginx_cluster/tasks/main.yml
@@ -7,6 +7,19 @@
 state: present
 disable_gpg_check: True
 when: ansible_distribution == 'RedHat' or ansible_distribution == 'AlmaLinux' or ansible_distribution == 'Rocky'
+ tags: packages
+
+- name: Install remi RPM
+ package:
+ name: https://rpms.remirepo.net/enterprise/remi-release-9.rpm
+ state: present
+ disable_gpg_check: True
+ tags: packages
+
+- name: Enable DNF module for php
+ shell: "dnf module enable -y php:remi-{{ nginx_cluster_php_version }}"
+ register: dnf_module_enable
+ changed_when: "'Nothing to do' not in dnf_module_enable.stdout"
 - name: Install prereq packages
 package:
@@ -16,6 +29,20 @@
 - php-mysqlnd
 - lsyncd
 state: latest
+ tags: packages
+
+- name: Install additional packages
+ package:
+ name: "{{ item }}"
+ state: latest
+ loop: "{{ nginx_cluster_aditional_packages }}"
+ tags: packages
+
+- name: Create a symbolic link for host cert
+ file:
+ src: "/etc/ssl/{{ ansible_hostname }}"
+ dest: "/etc/ssl/host"
+ state: link
 - name: Create temp directory
 file:
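Review bot: The rich rule hard-codes `family="ipv4"`, so an IPv6 management address in `nginx_cluster_access_ip` produces a rule firewalld rejects or that never matches, and `access_ip` is interpolated into the rule with no validation, so a typo silently becomes an allow rule for the wrong source. Derive the family from the value, `rich_rule: 'rule family="{{ "ipv6" if ":" in access_ip else "ipv4" }}" source address="{{ access_ip }}" port port="{{ item }}" protocol="tcp" accept'`, and put `# only the listed management sources may reach the web ports; an address or CIDR is accepted here` above the task. `notify: Reload firewalld` looks redundant next to `permanent: yes` + `immediate: yes`, and the reload will presumably discard any runtime-only rules other tooling added — worth confirming that is acceptable.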
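Review bot: `disable_gpg_check: True` on the remi-release download installs an RPM fetched from the internet without signature verification, so TLS to that mirror is the only integrity control on what then becomes a trusted repository for every PHP package on the cluster; import Remi's published signing key with `rpm_key` first and drop the override. The URL also hard-codes `remi-release-9` while the EPEL task just above gates on `ansible_distribution`, so the release should come from `ansible_distribution_major_version` and carry the same `when:`. `shell:` is not needed for `dnf module enable`; `command:` avoids a shell and keeps the templated version from being re-split.

```yaml
- name: Import remi GPG key
  rpm_key:
    key: "{{ nginx_cluster_remi_gpg_key }}"  # URL or role file holding Remi's published signing key
    state: present
  tags: packages

- name: Install remi RPM
  package:
    name: "https://rpms.remirepo.net/enterprise/remi-release-{{ ansible_distribution_major_version }}.rpm"
    state: present
  when: ansible_distribution == 'RedHat' or ansible_distribution == 'AlmaLinux' or ansible_distribution == 'Rocky'
  tags: packages

- name: Enable DNF module for php
  command: "dnf module enable -y php:remi-{{ nginx_cluster_php_version }}"
  # … unchanged: register / changed_when …
```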
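Review bot: `Create a symbolic link for host cert` assumes `/etc/ssl/{{ ansible_hostname }}` already exists; with `state: link` and no `force`, the file module fails when the source is missing, which is the safe outcome, but nothing in the role provisions it, so document the contract: `# expects the per-host certificate material under /etc/ssl/<hostname> to be provisioned out of band`. `Install additional packages` runs one dnf transaction per item and `state: latest` upgrades on every run; pass the list directly, `name: "{{ nginx_cluster_aditional_packages }}"`, without `loop`, and consider `state: present` so runs are reproducible. The variable name is misspelled (`aditional`); fixing it now, before other inventories depend on it, is cheaper than later.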
@@ -67,6 +94,22 @@
 dest: "/etc/lsyncd.conf"
 notify: Restart lsyncd
+- name: Allow web server to listen on tcp port
+ seport:
+ ports: "{{ item }}"
+ proto: tcp
+ setype: http_port_t
+ state: present
+ loop: "{{ nginx_cluster_open_ports }}"
+
+- name: Set selinux flags
+ seboolean:
+ name: "{{ item }}"
+ state: true
+ persistent: true
+ loop: "{{ nginx_cluster_sebool }}"
+ when: nginx_cluster_sebool != ""
+
 - name: Start and enable lsyncd
 service:
 name: lsyncd
@@ -84,3 +127,20 @@
 name: php-fpm
 state: started
 enabled: yes
+
+- name: Enable firewall for access IPs
+ include_tasks: firewall.yml
+ loop: "{{ nginx_cluster_access_ip }}"
+ loop_control:
+ loop_var: access_ip
+ when: nginx_cluster_access_ip != ""
+
+- name: Enable firewall rules
+ firewalld:
+ port: "{{ item }}/tcp"
+ permanent: yes
+ immediate: yes
+ state: enabled
+ notify: Reload firewalld
+ loop: "{{ nginx_cluster_open_ports }}"
+ when: nginx_cluster_access_ip == ""
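Review bot: `Set selinux flags` hands `nginx_cluster_sebool` to `loop:` while the role default for it is `""`; as far as I recall Ansible checks that a loop value is a list before evaluating `when`, so the `when: nginx_cluster_sebool != ""` guard never runs and the play fails on hosts that do not override the variable. Use `loop: "{{ nginx_cluster_sebool | default([], true) }}"` with `when: nginx_cluster_sebool | length > 0` (and a list default). `seport` is a no-op for 80/443/8443, which the stock policy already labels `http_port_t`, but any other entry in `nginx_cluster_open_ports` now changes SELinux port policy as well as the firewall, so note that on the task: `# every port in nginx_cluster_open_ports is both opened and labelled http_port_t`.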
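Review bot: When `nginx_cluster_access_ip` is unset, the `Enable firewall rules` fallback opens every port in `nginx_cluster_open_ports` to all sources, so the role's default posture is world-reachable on 80/443 (and 8443 wherever inventory adds it); that is probably intended for public web nodes, but the branch should say so: `# no access list configured: expose the web ports to any source`. `Enable firewall for access IPs` has the same loop-before-when problem as the SELinux task above — with the `""` default the loop receives a string, which Ansible rejects as far as I recall — so switch the two guards to `when: nginx_cluster_access_ip | length > 0` and `when: nginx_cluster_access_ip | length == 0` with a list default. The function-level structure of tasks/main.yml continues outside these hunks.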