initial upload

2025-10-10 11:07:34 +00:00
commit 6224cd01c6
161 changed files with 8964 additions and 0 deletions
--- a/roles/apache_php/defaults/main.yml
+++ b/roles/apache_php/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+
+apache_phpfpm_php: "{{ 'php7.4' if ansible_distribution_release == 'focal' else 'php7.4' }}"
+
+apache_phpfpm_etc_dir: "{{ '/etc/php/7.4/fpm' if ansible_distribution_release == 'focal' else '/etc/php/7.4/fpm' }}"
+
+apache_phpfpm_max_workers: 30
+apache_phpfpm_timeout: 120
+
+apache_phpfpm_php_settings:
+  short_open_tag: on
+  display_errors: off
+
+apache_phpfpm_php_admin_settings:
+  log_errors: on
+  error_log: /var/log/php-fpm.$pool.log
+  memory_limit: 512M
+  open_basedir: /srv/www:/var/www:/opt:/usr/share:/var/lib/{{ apache_phpfpm_php }}:/var/lib/php:/dev:/tmp:/var/log/kc:/var/spool/asterisk
+
+apache_phpfpm_xcache_size: 128M
+
--- a/roles/apache_php/handlers/main.yml
+++ b/roles/apache_php/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Reload PHP-FPM
+  service: name={{ apache_phpfpm_php }}-fpm state=reloaded
+
--- a/roles/apache_php/meta/main.yml
+++ b/roles/apache_php/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - apache
--- a/roles/apache_php/tasks/main.yml
+++ b/roles/apache_php/tasks/main.yml
@@ -0,0 +1,65 @@
+---
+
+- name: Install PHP packages
+  apt:
+    pkg:
+      - "{{ apache_phpfpm_php }}-fpm"
+      - php-apcu
+      # check_php-fpm nagios plugin dependencies:
+      - libany-moose-perl
+      - libjson-perl
+      - libjson-xs-perl
+    state: present
+  tags: packages
+
+- name: Disable Apache modules
+  apache2_module: name="{{ item }}" state=absent force=yes
+  with_items:
+    - "{{ apache_phpfpm_php }}"
+  notify: Restart Apache
+  tags: configs
+
+- name: Enable Apache modules
+  apache2_module: name="{{ item }}" state=present force=yes
+  with_items:
+    - proxy_fcgi
+  notify: Restart Apache
+  tags: configs
+
+- name: Ensure mod-php is not installed
+  apt:
+    pkg:
+      - libapache2-mod-{{ apache_phpfpm_php }}
+      - "{{ apache_phpfpm_php }}-cgi"
+    state: absent
+    purge: yes
+  notify: Restart Apache
+  tags: packages
+
+- name: Install Apache other configs
+  template: src="etc_apache2_conf-available_php-fpm.conf.j2" dest="/etc/apache2/conf-available/{{ apache_phpfpm_php }}-fpm.conf"
+  notify: Reload Apache
+  tags: configs
+
+- name: Install PHP-FPM pool config
+  template: src=etc_php_fpm_pool.d_www.conf.j2 dest={{ apache_phpfpm_etc_dir }}/pool.d/www.conf
+  notify: Reload PHP-FPM
+  tags: configs
+
+- name: Install the FGCI client script
+  template: src=usr_local_bin_fcgi-client dest=/usr/local/bin/fcgi-client mode=0755
+
+- name: Enable PHP-FPM
+  file: dest=/etc/apache2/conf-enabled/{{ apache_phpfpm_php }}-fpm.conf src=../conf-available/{{ apache_phpfpm_php }}-fpm.conf state=link
+  notify: Reload Apache
+  tags: configs
+
+- name: Ensure PHP-FPM is running
+  service: name={{ apache_phpfpm_php }}-fpm state=started enabled=yes
+  tags: configs
+
+- name: Register the php-fpm service in Consul
+  template: dest=/etc/consul.d/service-php-fpm.hcl src=etc_consul.d_service-php-fpm.hcl.j2
+  when: apache_consul_service
+  notify: Reload consul
+  tags: configs
--- a/roles/apache_php/templates/etc_apache2_conf-available_php-fpm.conf.j2
+++ b/roles/apache_php/templates/etc_apache2_conf-available_php-fpm.conf.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+<Proxy "unix:/run/php/{{ apache_phpfpm_php }}-fpm.sock|fcgi://{{ apache_phpfpm_php }}-fpm">
+        ProxySet max={{ apache_phpfpm_max_workers // 2 - 1 }}
+        ProxySet timeout={{ apache_phpfpm_timeout }}
+        ProxySet retry=0
+</Proxy>
+
+<FilesMatch "\.php$">
+        SetEnvIf ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
+        SetHandler "proxy:fcgi://{{ apache_phpfpm_php }}-fpm"
+</FilesMatch>
--- a/roles/apache_php/templates/etc_consul.d_service-php-fpm.hcl.j2
+++ b/roles/apache_php/templates/etc_consul.d_service-php-fpm.hcl.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+service {
+	name = "php-fpm"
+	port = 443
+}
--- a/roles/apache_php/templates/etc_default_prometheus-phpfpm-exporter.j2
+++ b/roles/apache_php/templates/etc_default_prometheus-phpfpm-exporter.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+ARGS= \
+  --phpfpm.socket-directories=/run/php \
+  --phpfpm.status-path=/_fpm/status
--- a/roles/apache_php/templates/etc_nagios_nrpe.d_check_php-fpm.cfg.j2
+++ b/roles/apache_php/templates/etc_nagios_nrpe.d_check_php-fpm.cfg.j2
@@ -0,0 +1,2 @@
+# {{ ansible_managed }}
+command[check_php-fpm]={{ nagios_nrpe_tools_dir }}/plugins/check_php-fpm -s /run/php/{{ apache_phpfpm_php }}-fpm.sock -w active_workers:{{ (apache_phpfpm_max_workers * 80 / 100)|int }} -c active_workers:{{ (apache_phpfpm_max_workers * 90 / 100)|int }}
--- a/roles/apache_php/templates/etc_php_fpm_pool.d_www.conf.j2
+++ b/roles/apache_php/templates/etc_php_fpm_pool.d_www.conf.j2
@@ -0,0 +1,85 @@
+; {{ ansible_managed }}
+
+[www]
+
+;prefix = /path/to/pools/$pool
+
+user = www-data
+group = www-data
+
+listen = /run/php/{{ apache_phpfpm_php }}-fpm.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0660
+;listen.allowed_clients = 127.0.0.1
+
+; process.priority = -19
+
+pm = dynamic
+pm.max_children = {{ apache_phpfpm_max_workers }}
+pm.start_servers = 3
+pm.min_spare_servers = 2
+pm.max_spare_servers = 7
+;pm.process_idle_timeout = 10s
+pm.max_requests = {{ apache_phpfpm_max_requests | default(50000) }}
+
+pm.status_path = /_fpm/status
+ping.path = /_fpm/ping
+ping.response = pong
+
+;access.log = /var/log/{{ apache_phpfpm_php }}-fpm.$pool.access.log
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+;slowlog = /var/log/{{ apache_phpfpm_php }}-fpm.$pool.slow.log
+;request_slowlog_timeout = 10s
+
+;request_terminate_timeout = 0
+
+;rlimit_files = 1024
+;rlimit_core = 0
+
+;chroot =
+chdir = /
+
+;catch_workers_output = yes
+;clear_env = no
+
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'.
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+{% for key, value in apache_phpfpm_php_admin_settings|dictsort %}
+{% if value in (True,False) %}
+php_admin_flag[{{ key }}] = {{ 'on' if value else 'off' }}
+{% else %}
+php_admin_value[{{ key }}] = {{ value }}
+{% endif %}
+{% endfor %}
+
+{% for key, value in apache_phpfpm_php_settings|dictsort %}
+{% if value in (True,False) %}
+php_flag[{{ key }}] = {{ 'on' if value else 'off' }}
+{% else %}
+php_value[{{ key }}] = {{ value }}
+{% endif %}
+{% endfor %}
--- a/roles/apache_php/templates/etc_php_mods-available_xcache.ini.j2
+++ b/roles/apache_php/templates/etc_php_mods-available_xcache.ini.j2
@@ -0,0 +1,88 @@
+; {{ ansible_managed }}
+; configuration for php Xcache module
+
+[xcache-common]
+;; non-Windows example:
+extension = xcache.so
+;; Windows example:
+; extension = php_xcache.dll
+
+[xcache.admin]
+xcache.admin.enable_auth = On
+; Configure this to use admin pages
+; xcache.admin.user = "mOo"
+; xcache.admin.pass = md5($your_password)
+; xcache.admin.pass = ""
+xcache.admin.user = "admin"
+xcache.admin.pass = "726be9b7e6dea1ed28c70800d68be36c"
+
+[xcache]
+; ini only settings, all the values here is default unless explained
+
+; select low level shm implemenation
+xcache.shm_scheme =        "mmap"
+; to disable: xcache.size=0
+; to enable : xcache.size=64M etc (any size > 0) and your system mmap allows
+xcache.size  =               {{ apache_phpfpm_xcache_size }}
+; set to cpu count (cat /proc/cpuinfo |grep -c processor)
+xcache.count =                 2
+; just a hash hints, you can always store count(items) > slots
+xcache.slots =                8K
+; ttl of the cache item, 0=forever
+xcache.ttl   =                 0
+; interval of gc scanning expired items, 0=no scan, other values is in seconds
+xcache.gc_interval =           0
+
+; same as aboves but for variable cache
+xcache.var_size  =            64M
+xcache.var_count =             1
+xcache.var_slots =            8K
+; default value for $ttl parameter of xcache_*() functions
+xcache.var_ttl   =             0
+; hard limit ttl that cannot be exceed by xcache_*() functions. 0=unlimited
+xcache.var_maxttl   =          0
+xcache.var_gc_interval =     300
+
+; mode:0, const string specified by xcache.var_namespace
+; mode:1, $_SERVER[xcache.var_namespace]
+; mode:2, uid or gid (specified by xcache.var_namespace)
+xcache.var_namespace_mode =    0
+xcache.var_namespace =        ""
+
+; N/A for /dev/zero
+xcache.readonly_protection = Off
+; for *nix, xcache.mmap_path is a file path, not directory. (auto create/overwrite)
+; Use something like "/tmp/xcache" instead of "/dev/*" if you want to turn on ReadonlyProtection
+; different process group of php won't share the same /tmp/xcache
+; for win32, xcache.mmap_path=anonymous map name, not file path
+xcache.mmap_path =    "/dev/zero"
+
+
+; Useful when XCache crash. leave it blank(disabled) or "/tmp/phpcore/" (writable by php)
+xcache.coredump_directory =   ""
+; Windows only. leave it as 0 (default) until you're told by XCache dev
+xcache.coredump_type =         0
+
+; disable cache after crash
+xcache.disable_on_crash =    Off
+
+; enable experimental documented features for each release if available
+xcache.experimental =        Off
+
+; per request settings. can ini_set, .htaccess etc
+xcache.cacher =               On
+xcache.stat   =               On
+xcache.optimizer =           Off
+
+[xcache.coverager]
+; enabling this feature will impact performance
+; enabled only if xcache.coverager == On && xcache.coveragedump_directory == "non-empty-value"
+
+; per request settings. can ini_set, .htaccess etc
+; enable coverage data collecting and xcache_coverager_start/stop/get/clean() functions
+xcache.coverager =          Off
+xcache.coverager_autostart =  On
+
+; set in php ini file only
+; make sure it's readable (open_basedir is checked) by coverage viewer script
+xcache.coveragedump_directory = ""
--- a/roles/apache_php/templates/usr_local_bin_fcgi-client
+++ b/roles/apache_php/templates/usr_local_bin_fcgi-client
@@ -0,0 +1,46 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use Pod::Usage;
+use Getopt::Long;
+use IO::Socket;
+use IO::Socket::UNIX;
+use lib '/usr/local/lib/nagios/plugins';
+use FCGI::Client;
+
+GetOptions(
+    'h|help' => \my $help,
+) or pod2usage();
+pod2usage() if $help;
+pod2usage() if @ARGV < 2;
+my ($fcgi_file, $uri, $query_string) = @ARGV;
+
+my $sock = IO::Socket::UNIX->new(
+    Type => SOCK_STREAM(),
+    Peer => $fcgi_file
+) or die $!;
+
+my $client = FCGI::Client::Connection->new( sock => $sock );
+my ( $stdout, $stderr ) = $client->request(
+    +{
+        REQUEST_METHOD  => 'GET',
+        REQUEST_URI     => $uri,
+        SCRIPT_FILENAME => "/a/b/c$uri",
+        SCRIPT_NAME     => $uri,
+        QUERY_STRING   => $query_string || '',
+    },
+    ''
+);
+print STDERR $stderr if $stderr;
+print $stdout;
+
+__END__
+
+=head1 NAME
+
+fcgi-client -
+
+=head1 SYNOPSIS
+
+    $ fcgi-client foo.fcgi URI [foo=bar&hoge=fuga]