diff --git a/ansible/group_vars/all/vars.yml b/ansible/group_vars/all/vars.yml
index 30b9bec6e..6e0969ce5 100644
--- a/ansible/group_vars/all/vars.yml
+++ b/ansible/group_vars/all/vars.yml
@@ -9,7 +9,7 @@ canonical_hostname: "{{ inventory_hostname }}"
 tmp_dir: "/tmp"
-# the upload limit for php-fpm and nginx in megabytes
+# the upload limit for nginx in megabytes
 upload_limit: 30
 slack_notifications:
diff --git a/ansible/group_vars/all/websites.yml b/ansible/group_vars/all/websites.yml
index c58ae1650..8e5f0b194 100644
--- a/ansible/group_vars/all/websites.yml
+++ b/ansible/group_vars/all/websites.yml
@@ -91,14 +91,6 @@ websites:
 state: "present"
 authenticated: true
- - name: "phpmyadmin.{{ canonical_hostname }}"
- user: "phpmyadmin"
- alternative_names:
- - "pma.{{ canonical_hostname }}"
- # You have to remove the task include of phpmyadmin.yml to remove this
- # completely
- state: "absent"
-
 - name: "pretix.{{ canonical_hostname }}"
 custom_config: true
 alternative_names:
diff --git a/ansible/main.yml b/ansible/main.yml
index 074bfc72b..4d9092ef1 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -30,8 +30,6 @@
 tags: "backups"
 - role: "nginx"
 tags: "nginx"
- - role: "php"
- tags: "php"
 - role: "node"
 tags: "node"
 - role: "certbot"
@@ -91,3 +89,4 @@
 # one can easily restore the role by reverting the following PRs:
 #
 # - execut: #475
+# - php: #474
diff --git a/ansible/roles/backups/templates/backup-to-s3.sh.j2 b/ansible/roles/backups/templates/backup-to-s3.sh.j2
index 8ddb3268f..ba02decb2 100755
--- a/ansible/roles/backups/templates/backup-to-s3.sh.j2
+++ b/ansible/roles/backups/templates/backup-to-s3.sh.j2
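Review bot: The new `# - php: #474` line tells a reader how to bring the role back, but it does not say that dropping `- role: "php"` from the play only stops Ansible from managing php-fpm: on hosts that were already provisioned, the `php-fpm` package, the `php7.4-fpm` unit with its onfailure override, `/etc/php/7.4/fpm/php.ini` and the per-site pools under `/etc/php/7.4/fpm/pool.d/` that the deleted tasks installed all remain in place and, presumably, keep running. That leaves an unmanaged service still listening on `/var/run/php/php-fpm-*.sock` after the commit is applied. I would either add a one-off cleanup play (`ansible.builtin.apt` with `state: "absent"` for `php-fpm`, `ansible.builtin.file` with `state: "absent"` for the pool and override directories) or extend this comment block with a line such as `# NOTE: removing the role does not uninstall php-fpm or its pool configs; clean them up by hand on existing hosts`. The comment block this line belongs to starts outside the hunk.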
@@ -79,12 +79,11 @@ case "${SOURCE}" in
 S3PATH="${SOURCE}"
 FILE_NAME="${FILE_TITLE}.tar.gz"
- # phpMyAdmin and SODI directories excluded because no other
+ # SODI directories excluded because no other
 # committee can write to these folders and they are deployed from \
 # git anyway.
 # Pretix's virtualenv is excluded as it only contains binaries.
 upload_backup_to_s3 < <(tar \
- --exclude='var/www/phpmyadmin.{{ canonical_hostname }}' \
 --exclude='var/www/sodi.{{ canonical_hostname }}' \
 --exclude='var/www/pretix/venv' \
 -c -f - -C / var/www \
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index a00052399..037f983d2 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -29,7 +29,6 @@
 dest: "/etc/nginx/includes/{{ item }}"
 loop:
 - "block-cert-validation-path.conf"
- - "php-parameters.conf"
 - "security-headers.conf"
 notify: "reload nginx"
diff --git a/ansible/roles/nginx/templates/includes/php-parameters.conf.j2 b/ansible/roles/nginx/templates/includes/php-parameters.conf.j2
deleted file mode 100644
index ed8956455..000000000
--- a/ansible/roles/nginx/templates/includes/php-parameters.conf.j2
+++ /dev/null
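Review bot: Removing the `--exclude='var/www/phpmyadmin.{{ canonical_hostname }}'` line means that directory is now part of the `var/www` tarball wherever it still exists, and nothing in this diff removes it from disk: the websites.yml entry that carried `state: "absent"` is deleted rather than applied, so on already-provisioned hosts a stale phpMyAdmin tree, which typically holds a `config.inc.php` with database credentials and the blowfish secret, would start flowing into S3 with every backup. I would keep the exclude until the directory is confirmed gone from every host, or make the decommissioning remove `/var/www/phpmyadmin.*` first and only then drop the exclude. The `case "${SOURCE}" in` arm that this tar call belongs to begins before and continues after the hunk.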
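Review bot: Dropping `"php-parameters.conf"` from the template loop stops rendering the include, but it does not remove the already-deployed `/etc/nginx/includes/php-parameters.conf`, so on existing hosts any site config that still has `include /etc/nginx/includes/php-parameters.conf;` keeps forwarding `*.php` requests to the now-unmanaged php-fpm sockets, while on a fresh host the same include would make `nginx -t` fail because the file was never created. The deleted pool template in this diff served the `digidecs` and `indievelopment` vhosts, so those site templates are the ones to check (they are not visible here). I would add, next to this task, `- name: "remove stale php include"` with `ansible.builtin.file: { path: "/etc/nginx/includes/php-parameters.conf", state: "absent" }` and `notify: "reload nginx"`. The task that owns this `loop:` starts before the hunk.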
@@ -1,35 +0,0 @@
-# {{ ansible_managed }}
-
-location ~ \.php$ {
- try_files $uri =404;
- fastcgi_split_path_info ^(.+\.php)(/+)$;
- fastcgi_pass unix:/var/run/php/php-fpm-$server_name.sock;
- fastcgi_index index.php;
-
- fastcgi_param QUERY_STRING $query_string;
- fastcgi_param REQUEST_METHOD $request_method;
- fastcgi_param CONTENT_TYPE $content_type;
- fastcgi_param CONTENT_LENGTH $content_length;
-
- fastcgi_param SCRIPT_FILENAME $request_filename;
- fastcgi_param SCRIPT_NAME $fastcgi_script_name;
- fastcgi_param REQUEST_URI $request_uri;
- fastcgi_param DOCUMENT_URI $document_uri;
- fastcgi_param DOCUMENT_ROOT $document_root;
- fastcgi_param SERVER_PROTOCOL $server_protocol;
-
- fastcgi_param GATEWAY_INTERFACE CGI/1.1;
- fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
- fastcgi_param REMOTE_ADDR $remote_addr;
- fastcgi_param REMOTE_PORT $remote_port;
- fastcgi_param SERVER_ADDR $server_addr;
- fastcgi_param SERVER_PORT $server_port;
- fastcgi_param SERVER_NAME $server_name;
-
- fastcgi_param HTTPS $https if_not_empty;
- fastcgi_param HTTP_PROXY "";
-
- # PHP only, required if PHP was built with --enable-force-cgi-redirect
- fastcgi_param REDIRECT_STATUS 200;
-}
diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2
index ec178dc8c..81f280644 100644
--- a/ansible/roles/nginx/templates/nginx.conf.j2
+++ b/ansible/roles/nginx/templates/nginx.conf.j2
@@ -30,7 +30,8 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- # Added this for phpMyAdmin
+ # Added this for phpMyAdmin.
+ # phpMyAdmin was removed but this line not, just to be sure
 server_names_hash_bucket_size 128;
 charset UTF-8;
diff --git a/ansible/roles/php/handlers/main.yml b/ansible/roles/php/handlers/main.yml
deleted file mode 100644
index c88dec3e5..000000000
--- a/ansible/roles/php/handlers/main.yml
+++ /dev/null
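Review bot: The added comment `# phpMyAdmin was removed but this line not, just to be sure` records history instead of the reason the directive is still needed, so the next reader cannot tell whether `server_names_hash_bucket_size 128;` may be dropped. The directive is required when a `server_name` is longer than the default bucket size (which depends on the CPU cache line size), and the long `pma.{{ canonical_hostname }}` / `phpmyadmin.{{ canonical_hostname }}` names presumably triggered it; whether the remaining `websites` entries still exceed the default is not visible in this diff. I would replace both comment lines with `# Raise the hash bucket size so long server_name values (<site>.{{ canonical_hostname }}) fit; originally added for phpMyAdmin, drop only after nginx -t passes without it.` The enclosing `http {` block continues outside the hunk.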
@@ -1,6 +0,0 @@
---
-
-- name: "reload php"
- ansible.builtin.service:
- name: "php7.4-fpm"
- state: "reloaded"
diff --git a/ansible/roles/php/tasks/main.yml b/ansible/roles/php/tasks/main.yml
deleted file mode 100644
index 6e06f552f..000000000
--- a/ansible/roles/php/tasks/main.yml
+++ /dev/null
@@ -1,39 +0,0 @@
---
-- name: "install php-fpm"
- ansible.builtin.apt:
- name: "php-fpm"
- state: "present"
-
-- name: "create directories for onfailure overrides for php-fpm"
- ansible.builtin.file:
- path: "/etc/systemd/system/php7.4-fpm.service.d"
- state: "directory"
-
-- name: "copy onfailure override for php-fpm"
- ansible.builtin.template:
- src: "onfailure.conf.j2"
- dest: "/etc/systemd/system/php7.4-fpm.service.d/onfailure.conf"
- notify: "systemctl daemon-reload"
-
-- name: "copy general configuration for php"
- ansible.builtin.template:
- src: "php.ini.j2"
- dest: "/etc/php/7.4/fpm/php.ini"
- notify: "reload php"
-
-- name: "delete default php-fpm pool"
- ansible.builtin.file:
- path: "/etc/php/7.4/fpm/pool.d/www.conf"
- state: "absent"
- notify: "reload php"
-
-- name: "template php-fpm pool configurations"
- ansible.builtin.template:
- src: "pool-template.conf.j2"
- dest: "/etc/php/7.4/fpm/pool.d/pool-{{ item.name }}.conf"
- loop:
- - name: "digidecs.{{ canonical_hostname }}"
- user: "digidecs"
- - name: "indievelopment.{{ canonical_hostname }}"
- user: "indievelopment"
- notify: "reload php"
diff --git a/ansible/roles/php/templates/php.ini.j2 b/ansible/roles/php/templates/php.ini.j2
deleted file mode 100644
index c57d72495..000000000
--- a/ansible/roles/php/templates/php.ini.j2
+++ /dev/null
@@ -1,352 +0,0 @@ -; {{ ansible_managed }} - -[PHP] - -;;;;;;;;;;;;;;;;;;;; -; Language Options ; -;;;;;;;;;;;;;;;;;;;; - -; Enable the PHP scripting language engine under Apache. -; http://php.net/engine -engine = On - -; http://php.net/short-open-tag -short_open_tag = Off - -; The number of significant digits displayed in floating point numbers. -; http://php.net/precision -precision = 14 - -; http://php.net/output-buffering -output_buffering = 4096 - -; http://php.net/zlib.output-compression -zlib.output_compression = Off - -; http://php.net/implicit-flush -implicit_flush = Off - -unserialize_callback_func = - -serialize_precision = 17 - - -; http://php.net/disable-functions -disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority, - -; http://php.net/disable-classes -disable_classes = - -; http://php.net/zend.enable-gc -zend.enable_gc = On - -;;;;;;;;;;;;;;;;; -; Miscellaneous ; -;;;;;;;;;;;;;;;;; - -; http://php.net/expose-php -expose_php = Off - -;;;;;;;;;;;;;;;;;;; -; Resource Limits ; -;;;;;;;;;;;;;;;;;;; - -; http://php.net/max-execution-time -max_execution_time = 30 - -; http://php.net/max-input-time -max_input_time = 60 - -; http://php.net/memory-limit -memory_limit = 128M - -;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -; Error handling and logging ; -;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - -; http://php.net/display-errors -display_errors = Off - -; http://php.net/display-startup-errors -display_startup_errors = Off - -; http://php.net/log-errors -log_errors = On - -; http://php.net/log-errors-max-len -log_errors_max_len = 1024 - -; http://php.net/ignore-repeated-errors -ignore_repeated_errors = Off - -; http://php.net/ignore-repeated-source -ignore_repeated_source = Off - -; 
http://php.net/report-memleaks -report_memleaks = On - -; This setting is on by default. -;report_zend_debug = 0 - -; http://php.net/track-errors -track_errors = Off - -; http://php.net/html-errors -html_errors = On - - -;;;;;;;;;;;;;;;;; -; Data Handling ; -;;;;;;;;;;;;;;;;; - -; http://php.net/variables-order -variables_order = "GPCS" - -; http://php.net/request-order -request_order = "GP" - -; http://php.net/register-argc-argv -register_argc_argv = Off - -; http://php.net/auto-globals-jit -auto_globals_jit = On - -; http://php.net/enable-post-data-reading -;enable_post_data_reading = Off - -; http://php.net/post-max-size -post_max_size = {{ upload_limit }}M - -; http://php.net/auto-prepend-file -auto_prepend_file = - -; http://php.net/auto-append-file -auto_append_file = - -; http://php.net/default-mimetype -default_mimetype = "text/html" - -; http://php.net/default-charset -default_charset = "UTF-8" - -;;;;;;;;;;;;;;;;;;;;;;;;; -; Paths and Directories ; -;;;;;;;;;;;;;;;;;;;;;;;;; - -; http://php.net/doc-root -doc_root = - -; http://php.net/user-dir -user_dir = - -; http://php.net/enable-dl -enable_dl = Off - -;;;;;;;;;;;;;;;; -; File Uploads ; -;;;;;;;;;;;;;;;; - -; http://php.net/file-uploads -file_uploads = On - -; http://php.net/upload-max-filesize -upload_max_filesize = {{ upload_limit }}M - -max_file_uploads = 20 - -;;;;;;;;;;;;;;;;;; -; Fopen wrappers ; -;;;;;;;;;;;;;;;;;; - -; http://php.net/allow-url-fopen -allow_url_fopen = On - -; http://php.net/allow-url-include -allow_url_include = Off - -; http://php.net/default-socket-timeout -default_socket_timeout = 60 - -;;;;;;;;;;;;;;;;;;;;;; -; Dynamic Extensions ; -;;;;;;;;;;;;;;;;;;;;;; - -;;;;;;;;;;;;;;;;;;; -; Module Settings ; -;;;;;;;;;;;;;;;;;;; - -[CLI Server] -cli_server.color = On - -[Date] -[filter] -[iconv] -[intl] -[sqlite3] -[Pcre] -[Pdo] - -[Phar] -[mail function] -SMTP = localhost -smtp_port = 25 -mail.add_x_header = On - -[SQL] -; http://php.net/sql.safe-mode -sql.safe_mode = Off - -[ODBC] - 
-; http://php.net/odbc.allow-persistent -odbc.allow_persistent = On - -; http://php.net/odbc.check-persistent -odbc.check_persistent = On - -; http://php.net/odbc.max-persistent -odbc.max_persistent = -1 - -; http://php.net/odbc.max-links -odbc.max_links = -1 - -; http://php.net/odbc.defaultlrl -odbc.defaultlrl = 4096 - -; http://php.net/odbc.defaultbinmode -odbc.defaultbinmode = 1 - -[Interbase] -; Allow or prevent persistent links. -ibase.allow_persistent = 1 - -; Maximum number of persistent links. -1 means no limit. -ibase.max_persistent = -1 - -; Maximum number of links (persistent + non-persistent). -1 means no limit. -ibase.max_links = -1 - -; Default timestamp format. -ibase.timestampformat = "%Y-%m-%d %H:%M:%S" - -; Default date format. -ibase.dateformat = "%Y-%m-%d" - -; Default time format. -ibase.timeformat = "%H:%M:%S" - -[OCI8] - -[PostgreSQL] -pgsql.allow_persistent = On -pgsql.auto_reset_persistent = Off -pgsql.max_persistent = -1 -pgsql.max_links = -1 -pgsql.ignore_notice = 0 -pgsql.log_notice = 0 - -[bcmath] -bcmath.scale = 0 - -[browscap] -;browscap = extra/browscap.ini - -[Session] -session.save_handler = files -; https://wiki.php.net/rfc/strict_sessions -session.use_strict_mode = 0 - -; http://php.net/session.use-cookies -session.use_cookies = 1 - -; http://php.net/session.cookie-secure -;session.cookie_secure = - -; http://php.net/session.use-only-cookies -session.use_only_cookies = 1 - -; http://php.net/session.name -session.name = PHPSESSID - -; http://php.net/session.auto-start -session.auto_start = 0 - -; http://php.net/session.cookie-lifetime -session.cookie_lifetime = 0 - -; http://php.net/session.cookie-path -session.cookie_path = / - -; http://php.net/session.cookie-domain -session.cookie_domain = - -; http://php.net/session.cookie-httponly -session.cookie_httponly = - -; http://php.net/session.serialize-handler -session.serialize_handler = php -; http://php.net/session.gc-probability -session.gc_probability = 1 - -; 
http://php.net/session.gc-divisor -session.gc_divisor = 1000 - -; http://php.net/session.gc-maxlifetime -session.gc_maxlifetime = 1440 - -; http://php.net/session.referer-check -session.referer_check = - -; http://php.net/session.entropy-length -;session.entropy_length = 32 - -; http://php.net/session.cache-limiter -session.cache_limiter = nocache - -; http://php.net/session.cache-expire -session.cache_expire = 180 - -; http://php.net/session.use-trans-sid -session.use_trans_sid = 0 - -; http://php.net/session.hash-function -session.hash_function = 0 - -; http://php.net/session.hash-bits-per-character -session.hash_bits_per_character = 5 - -; http://php.net/url-rewriter.tags -url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" - -[Assertion] -; http://php.net/zend.assertions -zend.assertions = -1 - -[COM] -[mbstring] -[gd] -[exif] -[Tidy] -; http://php.net/tidy.clean-output -tidy.clean_output = Off -[soap] -; http://php.net/soap.wsdl-cache-enabled -soap.wsdl_cache_enabled=1 -; http://php.net/soap.wsdl-cache-dir -soap.wsdl_cache_dir="{{ tmp_dir }}" -; http://php.net/soap.wsdl-cache-ttl -soap.wsdl_cache_ttl=86400 -soap.wsdl_cache_limit = 5 - -[sysvshm] -[ldap] -ldap.max_links = -1 -[mcrypt] -[dba] -[opcache] -; Prevent leaking data between php-fpm pools -; https://ma.ttias.be/mitigating-phps-long-standing-issue-opcache-leaking-sensitive-data/ -opcache.validate_permission = 1 -opcache.validate_root = 1 - -[openssl] diff --git a/ansible/roles/php/templates/pool-template.conf.j2 b/ansible/roles/php/templates/pool-template.conf.j2 deleted file mode 100644 index 9c28bea9a..000000000 --- a/ansible/roles/php/templates/pool-template.conf.j2 +++ /dev/null 
@@ -1,19 +0,0 @@
-; {{ ansible_managed }}
-
-[{{ item.name }}]
-user = {{ item.user }}
-group = {{ item.user }}
-listen = /var/run/php/php-fpm-{{ item.name }}.sock
-listen.owner = www-data
-listen.group = www-data
-php_admin_value[disable_functions] = exec,passthru,shell_exec,system
-php_admin_flag[allow_url_fopen] = off
-pm = dynamic
-pm.max_children = 5
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 3
-catch_workers_output = yes
-
-; Would be nice, but not very straightforward to implement
-; chroot = /var/www/{{ item.user }}/{{ item.name }}