Adding configuration options

hosts.yml

@@ -10,3 +10,13 @@ nginx_cluster:
 
   vars:
     ansible_user: ansible
+    nginx_cluster_access_ip: 
+      - 10.10.10.254
+    nginx_cluster_open_ports: 
+      - 80
+      - 443
+      - 8443
+    nginx_cluster_sebool:
+      - httpd_can_network_connect
+      - httpd_can_network_relay
+      - httpd_unified

roles/nginx_cluster/defaults/main.yml

@@ -10,6 +10,21 @@ nginx_cluser_sync_site_dir: "/var/www/html"
 nginx_cluser_sync_config_dir: "/etc/nginx"
 nginx_cluser_sync_php_config_dir: "/etc/php.d"
 
+nginx_cluster_php_version: 8.3
+nginx_cluster_access_ip: ""
+nginx_cluster_open_ports: 
+  - 80
+  - 443
+nginx_cluster_sebool: ""
+
+nginx_cluster_aditional_packages:
+  - php-ldap
+  - php-bcmath
+  - php-gd
+  - php-zip
+  - php-intl
+  - php-imagick
+
 nginx_cluser_lsyncd_mode: "rsyncssh"
 nginx_cluser_lsyncd_delay: "0"
 nginx_cluser_lsyncd_rsync_times: "true"

roles/nginx_cluster/handlers/main.yml

@@ -10,6 +10,11 @@
     name: lsyncd
     state: restarted
 
+- name: Reload firewalld
+  service: 
+    name: firewalld
+    state: reloaded
+
 - name: Restart SSH
   service: 
     name: sshd

roles/nginx_cluster/tasks/firewall.yml

@@ -0,0 +1,11 @@
+---
+# file: roles/nginx_cluster/tasks/firewall.yml 
+
+- name: "Enable firewall rule to Access IP"
+  firewalld:
+    rich_rule: 'rule family="ipv4" source address="{{ access_ip }}" port port="{{ item }}" protocol="tcp" accept'
+    permanent: yes
+    state: enabled
+    immediate: yes
+  notify: Reload firewalld
+  loop: "{{ nginx_cluster_open_ports }}"

roles/nginx_cluster/tasks/main.yml

@@ -7,6 +7,19 @@
     state: present
     disable_gpg_check: True
   when: ansible_distribution == 'RedHat' or ansible_distribution == 'AlmaLinux' or ansible_distribution == 'Rocky'
+  tags: packages
+
+- name: Install remi RPM
+  package:
+    name: https://rpms.remirepo.net/enterprise/remi-release-9.rpm
+    state: present
+    disable_gpg_check: True
+  tags: packages
+
+- name: Enable DNF module for php
+  shell: "dnf module enable -y php:remi-{{ nginx_cluster_php_version }}"
+  register: dnf_module_enable
+  changed_when: "'Nothing to do' not in dnf_module_enable.stdout"
 
 - name: Install prereq packages
   package:
@@ -16,6 +29,20 @@
       - php-mysqlnd
       - lsyncd
     state: latest
+  tags: packages
+
+- name: Install additional packages
+  package:
+    name: "{{ item }}"
+    state: latest
+  loop: "{{ nginx_cluster_aditional_packages }}"
+  tags: packages
+    
+- name: Create a symbolic link for host cert
+  file:
+    src: "/etc/ssl/{{ ansible_hostname }}"
+    dest: "/etc/ssl/host"
+    state: link
 
 - name: Create temp directory
   file:
@@ -67,6 +94,22 @@
     dest: "/etc/lsyncd.conf"
   notify: Restart lsyncd
 
+- name: Allow web server to listen on tcp port
+  seport:
+    ports: "{{ item }}"
+    proto: tcp
+    setype: http_port_t
+    state: present
+  loop: "{{ nginx_cluster_open_ports }}"
+
+- name: Set selinux flags
+  seboolean:
+    name: "{{ item }}"
+    state: true
+    persistent: true
+  loop: "{{ nginx_cluster_sebool }}"
+  when: nginx_cluster_sebool != ""
+
 - name: Start and enable lsyncd
   service:
     name: lsyncd
@@ -84,3 +127,20 @@
     name: php-fpm
     state: started
     enabled: yes
+
+- name: Enable firewall for access IPs
+  include_tasks: firewall.yml
+  loop: "{{ nginx_cluster_access_ip }}"
+  loop_control:
+    loop_var: access_ip
+  when: nginx_cluster_access_ip != ""
+
+- name: Enable firewall rules
+  firewalld:
+    port: "{{ item }}/tcp"
+    permanent: yes
+    immediate: yes
+    state: enabled
+  notify: Reload firewalld
+  loop: "{{ nginx_cluster_open_ports }}"
+  when: nginx_cluster_access_ip == ""