Merge pull request 'Refactor ANSIBLE Folder' (#1 ) from hbaxter into master

Reviewed-on: #1
2025-07-04 10:35:28 +00:00
37 changed files with 279 additions and 554 deletions
--- a/.ansible-lint.yml
+++ b/.ansible-lint.yml
@ -1,2 +0,0 @@
 skip_list:
  - yaml[line-length]
--- a/ANSIBLE/group_vars/all/all.yml
+++ b/ANSIBLE/group_vars/all/all.yml
@ -1,6 +1,5 @@
 svc_acct_name: "ubuntu"
 svc_acct_keys: 
  - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMvM9FL5V14ciT6qOSMx4zk3+K7F1aXQh6YjO+KDu94q hbaxter@telos_digital"
-  - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAtUHnAtmjQd62/4edYxOCCSviJW7Wjn7TD/6eSYrXtRY87v9bAKYrPbUgWTQL+jMLFGCPzRoQCsEt/BZKoVASYzj9EQAatXFczYiXQQaBHlCEcRwtxYV5A2vjkAAmElwYtYAE8aKxDhFWPIlceB4DZ6x5pzlsztnaZKsLEs6PavEZ6UH/ubou6wSoBOWvFU1TZB1qwBfqD6QlkXJmjz7+Ci1MJSJ8kSAo9lFSPtE98pMfLG/NFAlYJSh4g7+qj8ghIGPFJxmmaHdvw/8+H1nY6kV38q4UoSjv9wnNeG+eOm/Uk8sUC/K9F777APRA4L7MjUrWY0m2fX8rMH+bTU/B1mdW/6o+/ooNXDPIjb6eKNpVC1cS/bP1z8Ki72pg7nbf8GRe3vN9kDj53HsDDzQ2WssOy6kt4Pq6qzUrco//VYQozNrSTfdV98mz1OzEhrq8qONvKz6rvurkne7hbfAcf0SyHM6bi1whzuuNw0gaGu0IoDNpH7HQsIxksRgwvdC9DWKA9V23piafL40OLQhAW1uqpCgO942zCGzCMiEB5OdjY/MakNU9LoQ9VQ2bJGrwLWDvudpzvYeaT70LQpnU9AEiO9fewBfVeFHX/02dFAffShp1hWso76A7Y9v5UaPmPKp/kJlhpQfDvgd6UY1w/MhkAiou9K/wm7bu0fwwZFE= peter.edmond@telos.digital"
+  - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAtUHnAtmjQd62/4edYxOCCSviJW7Wjn7TD/6eSYrXtRY87v9bAKYrPbUgWTQL+jMLFGCPzRoQCsEt/BZKoVASYzj9EQAatXFczYiXQQaBHlCEcRwtxYV5A2vjkAAmElwYtYAE8aKxDhFWPIlceB4DZ6x5pzlsztnaZKsLEs6PavEZ6UH/ubou6wSoBOWvFU1TZB1qwBfqD6QlkXJmjz7+Ci1MJSJ8kSAo9lFSPtE98pMfLG/NFAlYJSh4g7+qj8ghIGPFJxmmaHdvw/8+H1nY6kV38q4UoSjv9wnNeG+eOm/Uk8sUC/K9F777APRA4L7MjUrWY0m2fX8rMH+bTU/B1mdW/6o+/ooNXDPIjb6eKNpVC1cS/bP1z8Ki72pg7nbf8GRe3vN9kDj53HsDDzQ2WssOy6kt4Pq6qzUrco//VYQozNrSTfdV98mz1OzEhrq8qONvKz6rvurkne7hbfAcf0SyHM6bi1whzuuNw0gaGu0IoDNpH7HQsIxksRgwvdC9DWKA9V23piafL40OLQhAW1uqpCgO942zCGzCMiEB5OdjY/MakNU9LoQ9VQ2bJGrwLWDvudpzvYeaT70LQpnU9AEiO9fewBfVeFHX/02dFAffShp1hWso76A7Y9v5UaPmPKp/kJlhpQfDvgd6UY1w/MhkAiou9K/wm7bu0fwwZFE= telos@anothermouse.com"
  - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOnTW/kBQfw/ET5luVvHeWl/tFo1BAJk86UWOGxLbNi30sr4uo+xkNTUvKK2wL+6sRs1MVXH2qxTXa8wG4BfdEZBBOej3I8ci3Yl1fqQV8PB0c/GifP5W1Gj6oZSGvKDAOweV2nr6QUx1BhA9nqg0LZaLt1vaa2d+fgW3R5qT0QKKx5fKEBT95fsjUI99Gi4EAT/VYcmDo/aDyl6crKI+/YRn+0cuq0vLoRpF3rYtBMnqXCobchoooA1W+vZauVh/l5IzgQaN2tTaM9WU8qUUt8j8YaPGMFszX2iZoI1gylF/mSXqP7htxH4KCy0g2AOnnK+8QN6GwHIkOfG6lGu1t nataliia.bobrova.s@gmail.com "
 admin_email: "digital@telospartners.com"
--- a/ANSIBLE/group_vars/dev_roundcube/main.yml
+++ b/ANSIBLE/group_vars/dev_roundcube/main.yml
@ -1,85 +0,0 @@
 ---
 httpd_php: true
 httpd_tls_site_root: /srv/roundcube/roundcubemail-{{ roundcube_version }}/public_html
 httpd_optional_enabled_modules:
  - deflate
  - expires
  - headers
 httpd_tls_vhost_raw: |
  <IfModule mod_rewrite.c>
        Options +SymLinksIfOwnerMatch
        RewriteEngine On
        RewriteRule ^favicon\.ico$ skins/elastic/images/favicon.ico
        # security rules:
        # - deny access to files not containing a dot or starting with a dot
        #   in all locations except installer directory
        RewriteRule ^(?!installer|\.well-known\/|[a-zA-Z0-9]{16})(\.?[^\.]+)$ - [F]
        # - deny access to some locations
        RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|vendor|program\/(include|lib|localization|steps)) - [F]
        # - deny access to some documentation files
        RewriteRule /?(README.*|CHANGELOG.*|SECURITY.*|meta\.json|composer\..*|jsdeps.json)$ - [F]
        </IfModule>
        <IfModule mod_deflate.c>
        SetOutputFilter DEFLATE
        </IfModule>
        # prefer to brotli over gzip if brotli is available
        <IfModule mod_brotli.c>
        SetOutputFilter BROTLI_COMPRESS
        # some assets have been compressed, so no need to do it again
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|web[pm]|woff2?)$ no-brotli
        </IfModule>
        <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault "access plus 1 month"
        </IfModule>
        FileETag MTime Size
        <IfModule mod_autoindex.c>
        Options -Indexes
        </IfModule>
        <IfModule mod_headers.c>
        # Disable page indexing
        Header set X-Robots-Tag "noindex, nofollow"
        # replace 'merge' with 'append' for Apache < 2.2.9
        #Header merge Cache-Control public env=!NO_CACHE
        # Optional security headers
        # Only provides increased security if the browser supports those features
        # Be careful! Testing is required! They should be adjusted to your installation / user environment
        # HSTS - HTTP Strict Transport Security
        #Header always set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
        # HPKP - HTTP Public Key Pinning
        # Only template - fill with your values
        #Header always set Public-Key-Pins "max-age=3600; report-uri=\"\"; pin-sha256=\"\"; pin-sha256=\"\"" env=HTTPS
        # X-Xss-Protection
        # This header is used to configure the built in reflective XSS protection found in Internet Explorer, Chrome and Safari (Webkit). 
        #Header set X-XSS-Protection "1; mode=block"
        # X-Frame-Options
        # The X-Frame-Options header (RFC), or XFO header, protects your visitors against clickjacking attacks
        # Already set by php code! Do not activate both options
        #Header set X-Frame-Options SAMEORIGIN
        # X-Content-Type-Options
        # It prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.
        #Header set X-Content-Type-Options "nosniff"
      </IfModule>
 mariadb_manage: true
 mariadb_users:
  - user: roundcube
    password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31383138383839383861303464383230363265323536636336306530316337333266373730643835
          6130356163343631616663666132346633346336333538650a303932343831386132326261313433
          61306462623666353831626136633633623331666338663239373236376464303338633364656364
          3333653363653838300a326662626333666135366130366466633466353366666235316633383135
          39323532623037656635356266666434333831363834646232373031336134626166666664653662
          6266313336656565303663353436626334313865313330303538
    priv: "'roundcubedb.*'': 'ALL,GRANT'"
 mariadb_databases: 
  - roundcubedb
 roundcube_db_dsnw: "mysql://roundcube:{{ mariadb_users[0].password }}@localhost/roundcubedb"
 # roundcube_db_dsnw: 'mysql://roundcube:pass@localhost/roundcubemail'
--- a/ANSIBLE/group_vars/ubuntu/all.yaml
+++ b/ANSIBLE/group_vars/ubuntu/all.yaml
@ -1 +0,0 @@
 php_user: ''
--- a/ANSIBLE/inventory/telos_digital.yml
+++ b/ANSIBLE/inventory/telos_digital.yml
@ -10,15 +10,3 @@ eoq:
 monitor:
  hosts:
    monitor.telos.digital:
 dev_roundcube:
  hosts:
    test-webmail.telos.digital:
      httpd_site_name: 'test-webmail.telos.digital'
      mariadb_root_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          63353366356333386164316433646431393932623666353235656666363833653339616162633765
          3738313666653431383936643035326338313935303065360a643135666638373235313532326135
          63376637646130373863383366313538623938656531376234616234336534356539306536356363
          3364323038316565300a646239646636386363373664323530623130663130653337363861313434
          61643933643263633363643436366261623934346339333032663935386135313264646637306464
          3438303435373562363163363939386565336535363165303639
--- a/ANSIBLE/roles/httpd/defaults/main.yml
+++ b/ANSIBLE/roles/httpd/defaults/main.yml
@ -1,36 +0,0 @@
 httpd_pkgs:
  - apache2
 httpd_pkgs_plugins: []
 httpd_site_name: 'default'
 httpd_site_root: '/var/www/html'
 httpd_default_enabled_modules:
  - ssl
 httpd_optional_enabled_modules: []
 httpd_tls_certbot: true
 httpd_tls_auto_redirect: true
 httpd_tls_certbot_additonal_args: ''
 httpd_tls_site_root:
 httpd_tls_vhost_default: true
 httpd_tls_vhost_raw: ''
 httpd_php: false
 httpd_php_version: 8.3
 httpd_php_socket: '/run/php/php{{ httpd_php_version }}-fpm.sock'
 httpd_php_pkgs:
  - php
  - php-fpm
  - php-cli
  - php-mysql
  - php-curl
  - php-gd
  - php-mbstring
  - php-xml
  - php-zip
 httpd_php_enabled_modules:
  - proxy_fcgi
  - setenvif
  - php{{ httpd_php_version }}
--- a/ANSIBLE/roles/httpd/handlers/main.yml
+++ b/ANSIBLE/roles/httpd/handlers/main.yml
@ -9,7 +9,3 @@
    name: apache2
    state: restarted
 - name: Restart PHP-FPM
  service:
    name: php{{ httpd_php_version }}-fpm
    state: restarted
--- a/ANSIBLE/roles/httpd/tasks/httpd_certbot_tls.yml
+++ b/ANSIBLE/roles/httpd/tasks/httpd_certbot_tls.yml
@ -1,20 +0,0 @@
 ---
 - name: Install Certbot and Apache plugin
  ansible.builtin.apt:
    name:
      - certbot
      - python3-certbot-apache
    state: present
 - name: Ensure Apache is running and enabled
  ansible.builtin.service:
    name: apache2
    state: started
    enabled: true
 - name: Obtain Let's Encrypt certificate using certbot
  ansible.builtin.command: >
    certbot --apache -n --agree-tos --redirect
    -d {{ httpd_site_name }}
    --email {{ admin_email }} {{ httpd_tls_certbot_additonal_args }}
  args:
    creates: "/etc/letsencrypt/live/{{ httpd_site_name }}/fullchain.pem"
--- a/ANSIBLE/roles/httpd/tasks/httpd_default_config.yml
+++ b/ANSIBLE/roles/httpd/tasks/httpd_default_config.yml
@ -1,31 +0,0 @@
 ---
 - name: Create index.html
  ansible.builtin.template:
    src: httpd/index.html.j2
    dest: "{{ httpd_site_root }}/index.html"
    owner: www-data
    group: www-data
    mode: '0644'
 - name: Create Apache virtual host config
  ansible.builtin.template:
    src: httpd/vhost.conf.j2
    dest: "/etc/apache2/sites-available/{{ httpd_site_name }}.conf"
    owner: www-data
    group: www-data
    mode: '0644'
  notify: Reload Apache
 - name: "Enable http site {{ httpd_site_name }}"
  ansible.builtin.command: "a2ensite {{ httpd_site_name }}"
  args:
    creates: "/etc/apache2/sites-enabled/{{ httpd_site_name }}.conf"
  notify: Reload Apache
 - name: Enable modules
  ansible.builtin.command: " a2enmod {{ item }}"
  args:
    creates: "/etc/apache2/mods-enabled/{{ item }}*"
  loop: "{{ httpd_default_enabled_modules + httpd_optional_enabled_modules }}"
  notify: Reload Apache
--- a/ANSIBLE/roles/httpd/tasks/httpd_install.yml
+++ b/ANSIBLE/roles/httpd/tasks/httpd_install.yml
@ -1,21 +0,0 @@
 ---
 - name: Install Apache2 and plugins
  ansible.builtin.apt:
    name: "{{ httpd_pkgs + httpd_pkgs_plugins }}"
    state: present
    update_cache: true
 - name: Ensure site root exists
  ansible.builtin.file:
    path: "{{ httpd_site_root }}"
    state: directory
    owner: www-data
    group: www-data
    mode: '0755'
 - name: Ensure Apache is running and enabled
  ansible.builtin.service:
    name: apache2
    state: started
    enabled: true
--- a/ANSIBLE/roles/httpd/tasks/httpd_vhost_tls.yml
+++ b/ANSIBLE/roles/httpd/tasks/httpd_vhost_tls.yml
@ -1,19 +0,0 @@
 ---
 - name: "Disable Certbot autocreated {{ httpd_site_name }}-le-ssl"
  ansible.builtin.command: "a2dissite {{ httpd_site_name }}-le-ssl"
  args:
    removes: "/etc/apache2/sites-enabled/{{ httpd_site_name }}-le-ssl.conf"
  notify: Reload Apache
 - name: Create Apache TLS virtual host config
  ansible.builtin.template:
    src: httpd/tls_vhost.conf.j2
    dest: "/etc/apache2/sites-available/{{ httpd_site_name }}_tls.conf"
    owner: www-data
    group: www-data
    mode: '0644'
  notify: Reload Apache
 - name: "Enable http site {{ httpd_site_name }}_tls"
  ansible.builtin.command: "a2ensite {{ httpd_site_name }}_tls"
  args:
    creates: "/etc/apache2/sites-enabled/{{ httpd_site_name }}_tls.conf"
  notify: Reload Apache
--- a/ANSIBLE/roles/httpd/tasks/main.yml
+++ b/ANSIBLE/roles/httpd/tasks/main.yml
@ -1,14 +1,59 @@
 ---
 - name: Install Apache2
  apt:
    name: apache2
    state: present
    update_cache: yes
 - name: Install Certbot and Apache plugin
  apt:
    name:
      - certbot
      - python3-certbot-apache
    state: present
 - name: Ensure site root exists
  file:
    path: "{{ site_root }}"
    state: directory
    owner: www-data
    group: www-data
    mode: '0755'
 - name: Create index.html
  template:
    src: index.html.j2
    dest: "{{ site_root }}/index.html"
    owner: www-data
    group: www-data
    mode: '0644'
 - name: Create Apache virtual host config
  template:
    src: vhost.conf.j2
    dest: /etc/apache2/sites-available/{{ site_name }}.conf
  notify: Reload Apache
 - name: Enable site
  command: a2ensite {{ site_name }}
  notify: Reload Apache
 - name: Enable SSL module
  command: a2enmod ssl
  notify: Reload Apache
 - name: Ensure Apache is running and enabled
  service:
    name: apache2
    state: started
    enabled: yes
 - name: Obtain Let's Encrypt certificate using certbot
  command: >
    certbot --apache -n --agree-tos --redirect
    -d {{ site_name }}
    --email {{ admin_email }}
  args:
    creates: /etc/letsencrypt/live/{{ site_name }}/fullchain.pem
 - name: Apache2 Install
  ansible.builtin.include_tasks: httpd_install.yml
 - name: Apache2 Default Config
  ansible.builtin.include_tasks: httpd_default_config.yml
 - name: Certbot TLS
  when: httpd_tls_certbot
  ansible.builtin.include_tasks: httpd_certbot_tls.yml
 - name: PHP Application
  when: httpd_php
  ansible.builtin.include_tasks: php.yml
 - name: TLS Enabled Site
  ansible.builtin.include_tasks: httpd_vhost_tls.yml
--- a/ANSIBLE/roles/httpd/tasks/php.yml
+++ b/ANSIBLE/roles/httpd/tasks/php.yml
@ -1,31 +0,0 @@
 ---
 - name: Install PHP, PHP-FPM, and common extensions
  ansible.builtin.apt:
    name: "{{ httpd_php_pkgs }}"
    state: present
    update_cache: true
 - name: Enable Apache modules for PHP-FPM
  ansible.builtin.command: a2enmod {{ item }}
  args:
    creates: "/etc/apache2/mods-enabled/{{ item }}*"
  loop: "{{ httpd_php_enabled_modules }}"
  notify: Reload Apache
  ignore_errors: true  # in case some modules aren't available
  register: httpd_php_modules_errors
 - name: Ensure PHP-FPM service is running
  ansible.builtin.service:
    name: php{{ httpd_php_version }}-fpm
    state: started
    enabled: true
  when: httpd_php_version is defined
 - name: Deploy custom PHP-FPM pool config
  ansible.builtin.template:
    src: php/www.conf.j2
    dest: /etc/php/{{ httpd_php_version }}/fpm/pool.d/www.conf
    owner: root
    group: root
    mode: '0644'
  notify: Restart PHP-FPM
--- a/ANSIBLE/roles/httpd/templates/httpd/index.html.j2
+++ b/ANSIBLE/roles/httpd/templates/httpd/index.html.j2
@ -1,12 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="UTF-8">
    <title>Welcome to {{ httpd_site_name }}</title>
 </head>
 <body>
    <h1>Welcome to {{ httpd_site_name }}</h1>
    <p>This site is served from: {{ httpd_site_root }}</p>
 </body>
 </html>
--- a/ANSIBLE/roles/httpd/templates/httpd/tls_vhost.conf.j2
+++ b/ANSIBLE/roles/httpd/templates/httpd/tls_vhost.conf.j2
@ -1,33 +0,0 @@
 <IfModule mod_ssl.c>
  <VirtualHost *:443>
    # General vhost config
    ServerName {{ httpd_site_name }}
    DocumentRoot {{ httpd_tls_site_root }}
    #TLS Config
    SSLCertificateFile /etc/letsencrypt/live/{{ httpd_site_name }}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/{{ httpd_site_name }}/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Standardised Access & error Logging locations
    ErrorLog ${APACHE_LOG_DIR}/{{ httpd_site_name }}_error.log
    CustomLog ${APACHE_LOG_DIR}/{{ httpd_site_name }}_access.log combined
 {% if httpd_tls_vhost_default %}
    <Directory {{ httpd_tls_site_root }} >
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    {% if httpd_php %}
        <FilesMatch \.php$>
             SetHandler "proxy:unix:{{ httpd_php_socket }}|fcgi://localhost/"
        </FilesMatch>
    {% endif %}
    </Directory>
 {% endif %}
 {% if httpd_tls_vhost_raw != '' %}
    {{ httpd_tls_vhost_raw }}
 {% endif %}
  </VirtualHost>
 </IfModule>
--- a/ANSIBLE/roles/httpd/templates/httpd/vhost.conf.j2
+++ b/ANSIBLE/roles/httpd/templates/httpd/vhost.conf.j2
@ -1,14 +0,0 @@
 <VirtualHost *:80>
    ServerName {{ httpd_site_name }}
    DocumentRoot {{ httpd_site_root }}
    <Directory {{ httpd_site_root }}>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/{{ httpd_site_name }}_error.log
    CustomLog ${APACHE_LOG_DIR}/{{ httpd_site_name }}_access.log combined
 </VirtualHost>
--- a/ANSIBLE/roles/httpd/templates/index.html.j2
+++ b/ANSIBLE/roles/httpd/templates/index.html.j2
@ -0,0 +1,12 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="UTF-8">
    <title>Welcome to {{ site_name }}</title>
 </head>
 <body>
    <h1>Welcome to {{ site_name }}</h1>
    <p>This site is served from: {{ site_root }}</p>
 </body>
 </html>
--- a/ANSIBLE/roles/httpd/templates/vhost.conf.j2
+++ b/ANSIBLE/roles/httpd/templates/vhost.conf.j2
@ -0,0 +1,14 @@
 <VirtualHost *:80>
    ServerName {{ site_name }}
    DocumentRoot {{ site_root }}
    <Directory {{ site_root }}>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/{{ site_name }}_error.log
    CustomLog ${APACHE_LOG_DIR}/{{ site_name }}_access.log combined
 </VirtualHost>
--- a/ANSIBLE/roles/httpd_with_php/handlers/main.yml
+++ b/ANSIBLE/roles/httpd_with_php/handlers/main.yml
@ -0,0 +1,16 @@
 ---
 - name: Reload Apache
  service:
    name: apache2
    state: reloaded
 - name: Restart Apache
  service:
    name: apache2
    state: restarted
 - name: Restart PHP-FPM
  service:
    name: php{{ php_version }}-fpm
    state: restarted
--- a/ANSIBLE/roles/httpd_with_php/tasks/main.yml
+++ b/ANSIBLE/roles/httpd_with_php/tasks/main.yml
@ -0,0 +1,59 @@
 ---
 - name: Install Apache2
  apt:
    name: apache2
    state: present
    update_cache: yes
 - name: Install Certbot and Apache plugin
  apt:
    name:
      - certbot
      - python3-certbot-apache
    state: present
 - name: Ensure site root exists
  file:
    path: "{{ site_root }}"
    state: directory
    owner: www-data
    group: www-data
    mode: '0755'
 - name: Create index.html
  template:
    src: index.html.j2
    dest: "{{ site_root }}/index.html"
    owner: www-data
    group: www-data
    mode: '0644'
 - name: Create Apache virtual host config
  template:
    src: vhost.conf.j2
    dest: /etc/apache2/sites-available/{{ site_name }}.conf
  notify: Reload Apache
 - name: Enable site
  command: a2ensite {{ site_name }}
  notify: Reload Apache
 - name: Enable SSL module
  command: a2enmod ssl
  notify: Reload Apache
 - name: Ensure Apache is running and enabled
  service:
    name: apache2
    state: started
    enabled: yes
 - name: Obtain Let's Encrypt certificate using certbot
  command: >
    certbot --apache -n --agree-tos --redirect
    -d {{ site_name }}
    --email {{ admin_email }}
  args:
    creates: /etc/letsencrypt/live/{{ site_name }}/fullchain.pem
 - import_tasks: php.yml
--- a/ANSIBLE/roles/httpd_with_php/tasks/php.yml
+++ b/ANSIBLE/roles/httpd_with_php/tasks/php.yml
@ -0,0 +1,42 @@
 ---
 - name: Install PHP, PHP-FPM, and common extensions
  apt:
    name:
      - php
      - php-fpm
      - php-cli
      - php-mysql
      - php-curl
      - php-gd
      - php-mbstring
      - php-xml
      - php-zip
    state: present
    update_cache: yes
 - name: Enable Apache modules for PHP-FPM
  command: a2enmod {{ item }}
  loop:
    - proxy_fcgi
    - setenvif
    - php{{ php_version }}  # or php8.1 depending on your distro
  notify: Reload Apache
  ignore_errors: yes  # in case some modules aren't available
 - name: Ensure PHP-FPM service is running
  service:
    name: php{{ php_version }}-fpm
    state: started
    enabled: yes
  when: php_version is defined
 - name: Deploy custom PHP-FPM pool config
  template:
    src: www.conf.j2
    dest: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
    owner: root
    group: root
    mode: '0644'
  notify: Restart PHP-FPM
--- a/ANSIBLE/roles/httpd_with_php/templates/index.html.j2
+++ b/ANSIBLE/roles/httpd_with_php/templates/index.html.j2
@ -0,0 +1,12 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="UTF-8">
    <title>Welcome to {{ site_name }}</title>
 </head>
 <body>
    <h1>Welcome to {{ site_name }}</h1>
    <p>This site is served from: {{ site_root }}</p>
 </body>
 </html>
--- a/ANSIBLE/roles/httpd_with_php/templates/vhost.conf.j2
+++ b/ANSIBLE/roles/httpd_with_php/templates/vhost.conf.j2
@ -0,0 +1,14 @@
 <VirtualHost *:80>
    ServerName {{ site_name }}
    DocumentRoot {{ site_root }}
    <Directory {{ site_root }}>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/{{ site_name }}_error.log
    CustomLog ${APACHE_LOG_DIR}/{{ site_name }}_access.log combined
 </VirtualHost>
--- a/ANSIBLE/roles/httpd_with_php/templates/www.conf.j2
+++ b/ANSIBLE/roles/httpd_with_php/templates/www.conf.j2
@ -3,7 +3,7 @@
 user = www-data
 group = www-data
-listen = {{ httpd_php_socket }}
+listen = /run/php/php{{ php_version }}-fpm.sock
 listen.owner = www-data
 listen.group = www-data
@ -20,7 +20,7 @@ chdir = /
 ; Logging
 catch_workers_output = yes
 ; Uncomment for more detailed error logging
-; php_admin_value[error_log] = /var/log/php{{ httpd_php_version }}-fpm.log
+; php_admin_value[error_log] = /var/log/php{{ php_version }}-fpm.log
 ; php_admin_flag[log_errors] = on
 ; Additional PHP configuration values
--- a/ANSIBLE/roles/mariadb/defaults/main.yml
+++ b/ANSIBLE/roles/mariadb/defaults/main.yml
@ -1,5 +1,2 @@
 ---
 # defaults file for roles/mariadb
 mariadb_manage: false
 mariadb_users: []
 mariadb_databases: []
--- a/ANSIBLE/roles/mariadb/tasks/create_dbs.yml
+++ b/ANSIBLE/roles/mariadb/tasks/create_dbs.yml
@ -1,9 +0,0 @@
 ---
 - name: Try to create databases
  community.mysql.mysql_db:
    login_user: root
    login_password: "{{ mariadb_root_password }}"
    login_unix_socket: /run/mysqld/mysqld.sock
    name: "{{ item }}"
    state: present
  loop: "{{ mariadb_databases }}"
--- a/ANSIBLE/roles/mariadb/tasks/create_users.yml
+++ b/ANSIBLE/roles/mariadb/tasks/create_users.yml
@ -1,12 +0,0 @@
 #
 ---
 - name: Create Database users
  community.mysql.mysql_user:
    column_case_sensitive: false
    login_password: "{{ mariadb_root_password }}"
 #    logon_user: "root"
    login_unix_socket: /run/mysqld/mysqld.sock
    name: "{{ item.user }}"
    password: "{{ item.password }}"
    priv: "{{ item.priv }}"
  loop: "{{ mariadb_users }}"
--- a/ANSIBLE/roles/mariadb/tasks/install_initilise.yml
+++ b/ANSIBLE/roles/mariadb/tasks/install_initilise.yml
@ -1,48 +0,0 @@
 ---
 - name: Install MariaDB server and client
  ansible.builtin.apt:
    name:
      - mariadb-server
      - mariadb-client
    state: present
    update_cache: true
 - name: Ensure PyMySQL is installed
  ansible.builtin.apt:
    name: python3-pymysql
    state: present
 - name: Ensure MariaDB is running and enabled
  ansible.builtin.service:
    name: mariadb
    state: started
    enabled: true
 - name: Try to connect to MariaDB with root password
  ansible.builtin.shell: |
    mysql -u root -p'{{ mariadb_root_password }}' -e "SELECT 1;"
  register: mysql_root_status
  failed_when: false
  changed_when: false
 - name:  Value of mysql_root_status
  ansible.builtin.debug:
    msg: "{{mysql_root_status}}"
 - name: Set MariaDB root password if not already set
  community.mysql.mysql_user:
    name: root
    host: "{{ item }}"
    password: "{{ mariadb_root_password }}"
    login_unix_socket: /run/mysqld/mysqld.sock
    check_implicit_admin: true
    state: present
  loop:
    - localhost
 #    - 127.0.0.1
 #    - ::1
  when: mysql_root_status.rc != 0
 - name: Check MariaDB root password is set
  ansible.builtin.debug:
    msg: "MariaDB root password is already set, skipping reset"
  when: mysql_root_status.rc == 0
--- a/ANSIBLE/roles/mariadb/tasks/main.yml
+++ b/ANSIBLE/roles/mariadb/tasks/main.yml
@ -1,8 +1,45 @@
- name: Mariadb Install & Init
+---
-  ansible.builtin.include_tasks: install_initilise.yml
+- name: Install MariaDB server and client
- name: Mariadb db create
+  apt:
-  when: mariadb_manage
+    name:
-  ansible.builtin.include_tasks: create_dbs.yml
+      - mariadb-server
- name: Mariadb users create
+      - mariadb-client
-  when: mariadb_manage
+    state: present
-  ansible.builtin.include_tasks: create_users.yml
+    update_cache: yes
 - name: Ensure PyMySQL is installed
  apt:
    name: python3-pymysql
    state: present
 - name: Ensure MariaDB is running and enabled
  service:
    name: mariadb
    state: started
    enabled: true
 - name: Try to connect to MariaDB with root password
  shell: |
    mysql -u root -p'{{ mariadb_root_password }}' -e "SELECT 1;"
  register: mysql_root_status
  failed_when: false
  changed_when: false
 - name: Set MariaDB root password if not already set
  mysql_user:
    name: root
    host: "{{ item }}"
    password: "{{ mariadb_root_password }}"
    login_unix_socket: /run/mysqld/mysqld.sock
    check_implicit_admin: true
    state: present
  loop:
    - localhost
    - 127.0.0.1
    - ::1
  when: mysql_root_status.rc != 0
 - debug:
    msg: "MariaDB root password is already set, skipping reset"
  when: mysql_root_status.rc == 0
--- a/ANSIBLE/roles/roundcube/defaults/main.yml
+++ b/ANSIBLE/roles/roundcube/defaults/main.yml
@ -1,14 +0,0 @@
 ---
 roundcube_version: '1.6.11'
 roundcube_version_sha256: 'sha256:a230e432065555bfa27bea3fcf4ac672f2359ef28ad84f5945ea3ccf702e7466'
 roundcube_user: 'www-data'
 roundcube_db_dsnw: 'mysql://roundcube:pass@localhost/roundcubemail'
 roundcube_imap_host: 'localhost:143'
 roundcube_smtp_host: 'localhost:587'
 roundcube_support_url: 'support@test.com'
 roundcube_product_name: 'Webmail'
 roundcube_des_key: 'rcmail-!24ByteDESkey*Str'
 roundcube_skin: 'elastic'
 roundcube_enabled_plugins:
  - archive
  - zipdownload
--- a/ANSIBLE/roles/roundcube/tasks/main.yml
+++ b/ANSIBLE/roles/roundcube/tasks/main.yml
@ -1,5 +0,0 @@
 ---
 - name: Load Roundcube Release
  ansible.builtin.include_tasks: roundcube-release.yml
 - name: Congigure Roundcube
  ansible.builtin.include_tasks: roundcube-config.yml
--- a/ANSIBLE/roles/roundcube/tasks/roundcube-config.yml
+++ b/ANSIBLE/roles/roundcube/tasks/roundcube-config.yml
@ -1,12 +0,0 @@
 ---
 - name: Configure Roundcube config.inc.php
  ansible.builtin.template:
    src: config/config.inc.php.j2
    dest: "{{ roundcube_base_dir }}/roundcubemail-{{ roundcube_version }}/config/config.inc.php"
    mode: '640'
    owner: "{{ roundcube_user }}"
 - name: Remove Roundcube Installer Dir
  ansible.builtin.file:
    dest: "{{ roundcube_base_dir }}/roundcubemail-{{ roundcube_version }}/installer/"
    state: absent
--- a/ANSIBLE/roles/roundcube/tasks/roundcube-release.yml
+++ b/ANSIBLE/roles/roundcube/tasks/roundcube-release.yml
@ -1,22 +0,0 @@
 ---
 - name: Download Roundcube Archive from GitHub Released Page
  ansible.builtin.get_url:
    url: "https://github.com/roundcube/roundcubemail/releases/download/{{ roundcube_version }}/roundcubemail-{{ roundcube_version }}-complete.tar.gz"
    dest: "/opt/roundcube_{{ roundcube_version }}.tar.gz"
    checksum: "{{ roundcube_version_sha256 }}"
    mode: '644'
    force: false
 - name: Ensure Roundcube Base Dir exsists
  ansible.builtin.file:
    dest: "{{ roundcube_base_dir }}"
    mode: '0755'
    state: 'directory'
 - name: Unarchive Roundcube release
  ansible.builtin.unarchive:
    src: "/opt/roundcube_{{ roundcube_version }}.tar.gz"
    dest: "{{ roundcube_base_dir }}"
    creates: "{{ roundcube_base_dir }}/roundcubemail-{{ roundcube_version }}"
    owner: "{{ roundcube_user }}"
    group: "{{ roundcube_user }}"
    remote_src: true
--- a/ANSIBLE/roles/roundcube/templates/config/config.inc.php.j2
+++ b/ANSIBLE/roles/roundcube/templates/config/config.inc.php.j2
@ -1,67 +0,0 @@
 <?php
 /*
 +-----------------------------------------------------------------------+
 | Local configuration for the Roundcube Webmail installation.           |
 |                                                                       |
 | This is a sample configuration file only containing the minimum       |
 | setup required for a functional installation. Copy more options       |
 | from defaults.inc.php to this file to override the defaults.          |
 |                                                                       |
 | This file is part of the Roundcube Webmail client                     |
 | Copyright (C) The Roundcube Dev Team                                  |
 |                                                                       |
 | Licensed under the GNU General Public License version 3 or            |
 | any later version with exceptions for skins & plugins.                |
 | See the README file for a full license statement.                     |
 +-----------------------------------------------------------------------+
 */
 $config = [];
 // Database connection string (DSN) for read+write operations
 // Format (compatible with PEAR MDB2): db_provider://user:password@host/database
 // Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
 // For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
 // NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
 //       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
 $config['db_dsnw'] = '{{ roundcube_db_dsnw }}';
 // IMAP host chosen to perform the log-in.
 // See defaults.inc.php for the option description.
 $config['imap_host'] = '{{ roundcube_imap_host }}';
 // SMTP server host (for sending mails).
 // See defaults.inc.php for the option description.
 $config['smtp_host'] = '{{ roundcube_smtp_host }}';
 // SMTP username (if required) if you use %u as the username Roundcube
 // will use the current username for login
 $config['smtp_user'] = '%u';
 // SMTP password (if required) if you use %p as the password Roundcube
 // will use the current user's password for login
 $config['smtp_pass'] = '%p';
 // provide an URL where a user can get support for this Roundcube installation
 // PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
 $config['support_url'] = '{{ roundcube_support_url }}';
 // Name your service. This is displayed on the login screen and in the window title
 $config['product_name'] = '{{ roundcube_product_name }}';
 // This key is used to encrypt the users imap password which is stored
 // in the session record. For the default cipher method it must be
 // exactly 24 characters long.
 // YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
 $config['des_key'] = '{{ roundcube_des_key }}';
 // List of active plugins (in plugins/ directory)
 $config['plugins'] = [
 {% for plugin in roundcube_enabled_plugins %}
    '{{ plugin }}',
 {% endfor %}
 ];
 // skin name: folder from skins/
 $config['skin'] = '{{ roundcube_skin }}';
--- a/ANSIBLE/roles/roundcube/vars/main.yml
+++ b/ANSIBLE/roles/roundcube/vars/main.yml
@ -1,2 +0,0 @@
 ---
 roundcube_base_dir: "/srv/roundcube"
--- a/ANSIBLE/roles/svc_acct/tasks/main.yml
+++ b/ANSIBLE/roles/svc_acct/tasks/main.yml
@ -8,7 +8,7 @@
 - name: Wheel Group
  when: ansible_facts['os_family'] == "RedHat"
  ansible.builtin.user:
-    name: "{{ svc_acct_name }}"
+    name: servicelink
    groups: wheel
    append: true
 - name: Sudo Group
@ -17,13 +17,13 @@
    name: "{{ svc_acct_name }}"
    groups: sudo
    append: true
- name: "Make sudo passwordless for {{ svc_acct_name }}"
+- name: Make servicelink sudo Passwordless
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    state: present
    line: "{{ svc_acct_name }}  ALL=(ALL)       NOPASSWD: ALL"
    validate: /usr/sbin/visudo -cf %s
- name: "Create or fix ~/.ssh dir"
+- name: "Make .ssh  dir"
  ansible.builtin.file:
    path: "/home/{{ svc_acct_name }}/.ssh/"
    state: directory
@ -37,7 +37,7 @@
    owner: "{{ svc_acct_name }}"
    group: "{{ svc_acct_name }}"
    mode: "0600"
- name: Add Publickeys
+- name: Add Publickey
  ansible.builtin.lineinfile:
    path: "/home//{{ svc_acct_name }}/.ssh/authorized_keys"
    line: "{{ item }}"
--- a/ANSIBLE/roundcube.yml
+++ b/ANSIBLE/roundcube.yml
@ -1,10 +0,0 @@
 ---
 - name: Install http php and mariadb
  hosts: dev_roundcube
  become: true
  gather_facts: true
  roles:
    - httpd
    - roundcube
    - mariadb
 #    - svc_acct