From 00170127d99907fe5dc200906fc70eeba27b4485 Mon Sep 17 00:00:00 2001 From: Tristan PILAT Date: Wed, 12 Sep 2018 15:31:52 +0200 Subject: [PATCH] Add Nginx support to evoadmin-mail role --- webapps/evoadmin-mail/defaults/main.yml | 1 + .../files/pool.evoadmin-mail.conf | 14 +++++ webapps/evoadmin-mail/handlers/main.yml | 10 ++++ .../tasks/{web.yml => apache.yml} | 2 +- webapps/evoadmin-mail/tasks/main.yml | 6 +- webapps/evoadmin-mail/tasks/nginx.yml | 35 ++++++++++++ webapps/evoadmin-mail/tasks/user.yml | 7 +++ ...il.conf.j2 => apache_evoadminmail.conf.j2} | 0 .../templates/nginx_evoadminmail.conf.j2 | 56 +++++++++++++++++++ 9 files changed, 129 insertions(+), 2 deletions(-) create mode 100644 webapps/evoadmin-mail/files/pool.evoadmin-mail.conf rename webapps/evoadmin-mail/tasks/{web.yml => apache.yml} (97%) create mode 100644 webapps/evoadmin-mail/tasks/nginx.yml rename webapps/evoadmin-mail/templates/{evoadminmail.conf.j2 => apache_evoadminmail.conf.j2} (100%) create mode 100644 webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 diff --git a/webapps/evoadmin-mail/defaults/main.yml b/webapps/evoadmin-mail/defaults/main.yml index 000be699..b0652522 100644 --- a/webapps/evoadmin-mail/defaults/main.yml +++ b/webapps/evoadmin-mail/defaults/main.yml @@ -11,6 +11,7 @@ evoadminmail_scripts_dir: /usr/share/scripts/ evoadminmail_host: "evoadminmail.{{ ansible_fqdn }}" evoadminmail_enable_vhost: True +evoadminmail_webserver: apache evoadminmail_tpl_servername: "{{ ansible_fqdn }}" evoadminmail_tpl_address: "{{ ansible_default_ipv4.address }}" diff --git a/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf b/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf new file mode 100644 index 00000000..096e199f --- /dev/null +++ b/webapps/evoadmin-mail/files/pool.evoadmin-mail.conf 
@@ -0,0 +1,14 @@ +[evoadmin-mail] + +user = www-evoadmin-mail +group = evoadmin-mail + +listen = /run/php/php7.0-evoadmin-mail-fpm.sock + +listen.owner = www-data +listen.group = www-data +;listen.mode = 0660 + +pm = ondemand +pm.max_children = 25 + diff --git a/webapps/evoadmin-mail/handlers/main.yml b/webapps/evoadmin-mail/handlers/main.yml index 6866dc8b..236d93bf 100644 --- a/webapps/evoadmin-mail/handlers/main.yml +++ b/webapps/evoadmin-mail/handlers/main.yml @@ -3,3 +3,13 @@ service: name: apache2 state: reloaded + +- name: reload nginx + service: + name: nginx + state: reloaded + +- name: reload php-fpm + service: + name: php7.0-fpm + state: reload diff --git a/webapps/evoadmin-mail/tasks/web.yml b/webapps/evoadmin-mail/tasks/apache.yml similarity index 97% rename from webapps/evoadmin-mail/tasks/web.yml rename to webapps/evoadmin-mail/tasks/apache.yml index e7d915a3..b9c33383 100644 --- a/webapps/evoadmin-mail/tasks/web.yml +++ b/webapps/evoadmin-mail/tasks/apache.yml @@ -11,7 +11,7 @@ - name: Install evoadminmail VHost template: - src: evoadminmail.conf.j2 + src: apache_evoadminmail.conf.j2 dest: /etc/apache2/sites-available/evoadminmail.conf notify: reload apache2 diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index 0647bbcb..7d54c322 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -8,7 +8,11 @@ - include: ssl.yml -- include: web.yml +- include: apache.yml + when: evoadminmail_webserver == "apache" + +- include: nginx.yml + when: evoadminmail_webserver == "nginx" - name: enable evoadmin-mail link in default site index lineinfile: diff --git a/webapps/evoadmin-mail/tasks/nginx.yml b/webapps/evoadmin-mail/tasks/nginx.yml new file mode 100644 index 00000000..b942c024 --- /dev/null +++ b/webapps/evoadmin-mail/tasks/nginx.yml 
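Review bot: The pool file hard-codes `user = www-evoadmin-mail` and `group = evoadmin-mail` while tasks/user.yml works from `{{ evoadminmail_username }}`, so changing that variable leaves PHP running as an account the role no longer manages. Shipping the pool as a template (`pool.evoadmin-mail.conf.j2` with `user = {{ evoadminmail_username }}`) would tie the two together, assuming the pool is meant to run as the role's user; confirm against the user task above this hunk in user.yml. The pool also sets no `pm.status_path`, yet the nginx template in this commit proxies `location /fpm-status` to this socket, so that endpoint cannot return the FPM status page until `pm.status_path = /fpm-status` is added here. Making `listen.mode = 0660` explicit rather than commented out would record the intended socket permission instead of relying on the FPM default.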
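Review bot: `state: reload` in the new `reload php-fpm` handler is not an accepted value of the `service` module (the existing apache2 handler above it uses `reloaded`), so the play fails the first time this handler is notified; change it to `state: reloaded`. The service name `php7.0-fpm` is also hard-coded here, in pool.evoadmin-mail.conf, tasks/nginx.yml and the nginx template, so a PHP version bump has to be repeated in four places; a single role variable for the PHP version would keep them in step.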
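Review bot: The two new `when:` guards only match the literal strings `"apache"` and `"nginx"`, so any other value of `evoadminmail_webserver` (a typo, or `Apache`) skips both includes and the role finishes without installing any vhost. A check before the includes, `- assert:` / `    that: evoadminmail_webserver in ['apache', 'nginx']` / `    msg: "evoadminmail_webserver must be apache or nginx"`, makes the misconfiguration fail loudly. The default added to defaults/main.yml is `apache`, so existing deployments keep their behaviour.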
@@ -0,0 +1,35 @@ +--- + +- name: "Set custom values for PHP config (Debian 9 or later)" + ini_file: + dest: /etc/php/7.0/fpm/conf.d/zzz-evolinux-custom.ini + section: PHP + option: "disable_functions" + value: "shell-exec,system,passthru,putenv,popen,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority" + notify: reload nginx + when: ansible_distribution_major_version | version_compare('9', '>=') + +- name: Copy php-fpm evoadmin-mail pool + copy: + src: pool.evoadmin-mail.conf + dest: /etc/php/7.0/fpm/pool.d/evoadmin-mail.conf + notify: reload php-fpm + +- name: Install evoadminmail VHost + template: + src: nginx_evoadminmail.conf.j2 + dest: /etc/nginx/sites-available/evoadminmail.conf + notify: reload nginx + +- name: Active evoadminmail VHost + file: + src: "/etc/nginx/sites-available/evoadminmail.conf" + dest: "/etc/nginx/sites-enabled/evoadminmail.conf" + state: link + notify: reload nginx + when: evoadminmail_enable_vhost + +- name: Disable evoadminmail vhost + command: "unlink /etc/nginx/sites-enabled/evoadminmail.conf" + notify: reload nginx + when: not evoadminmail_enable_vhost diff --git a/webapps/evoadmin-mail/tasks/user.yml b/webapps/evoadmin-mail/tasks/user.yml index 5ec87f78..a45d09ec 100644 --- a/webapps/evoadmin-mail/tasks/user.yml +++ b/webapps/evoadmin-mail/tasks/user.yml @@ -29,6 +29,13 @@ createhome: no when: ansible_distribution_major_version | version_compare('9', '>=') +- name: Add www-data to app's group + user: + name: 'www-data' + groups: "{{ evoadminmail_username }}" + append: yes + when: evoadminmail_webserver == "nginx" + - name: Install Git apt: name: git 
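Review bot: In the `disable_functions` value, `shell-exec` is not a PHP function name (the function is `shell_exec`), so that entry disables nothing and `shell_exec` stays callable from the evoadmin-mail pool; fix the spelling to `shell_exec`. The same task notifies `reload nginx`, but a php.ini change only takes effect when PHP-FPM is reloaded, so it should `notify: reload php-fpm`. The last task runs `command: "unlink ..."`, which fails on a second run once the link is gone; `file:` with `path: /etc/nginx/sites-enabled/evoadminmail.conf` and `state: absent` is idempotent and mirrors the `file:`-based enable task above it. The enable task's name `Active evoadminmail VHost` reads better as `Activate evoadminmail VHost`.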
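Review bot: `append: yes` depends on YAML 1.1 boolean parsing; write `append: true`, the canonical form yamllint's truthy rule accepts. The task also does not say why the nginx worker needs the app's group — presumably to read group-readable files under the document root, since the FPM socket itself is owned by www-data via `listen.owner`/`listen.group` in the pool file — so a comment such as `# nginx (www-data) serves static files from the app's directory and needs group read access` above the task would record the intent; confirm that is the reason. The Apache path has no equivalent task, so this widens www-data's access only on nginx hosts, which is worth stating in the same comment.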
diff --git a/webapps/evoadmin-mail/templates/evoadminmail.conf.j2 b/webapps/evoadmin-mail/templates/apache_evoadminmail.conf.j2
similarity index 100%
rename from webapps/evoadmin-mail/templates/evoadminmail.conf.j2
rename to webapps/evoadmin-mail/templates/apache_evoadminmail.conf.j2
diff --git a/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2 b/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2
new file mode 100644
index 00000000..b3502d17
--- /dev/null
+++ b/webapps/evoadmin-mail/templates/nginx_evoadminmail.conf.j2
@@ -0,0 +1,56 @@
+server {
+ listen [::]:80;
+ listen 80;
+ server_name {{ evoadminmail_host }};
+
+ return 301 https://{{ evoadminmail_host }}$request_uri;
+}
+server {
+ listen 443 ssl;
+ # listen [::]:80 default_server ipv6only=on; ## listen for ipv6
+
+ ssl_certificate /etc/ssl/certs/{{ evoadminmail_host }}.crt;
+ ssl_certificate_key /etc/ssl/private/{{ evoadminmail_host }}.key;
+
+ server_name {{ evoadminmail_host }};
+ index index.php;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ root {{ evoadminmail_document_root }}/htdocs/;
+
+ location / {
+ index index.html index.htm;
+ }
+
+ location ~ \.php$ {
+ fastcgi_pass unix:/run/php/php7.0-evoadmin-mail-fpm.sock;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ }
+
+ location /fpm-status {
+ fastcgi_pass unix:/run/php/php7.0-evoadmin-mail-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ allow 127.0.0.1;
+{% for ip in nginx_additional_ipaddr_whitelist_ips %}
+ allow {{ ip }};
+{% endfor %}
+ deny all;
+ }
+
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+{% for ip in nginx_additional_ipaddr_whitelist_ips %}
+ allow {{ ip }};
+{% endfor %}
+ deny all;
+ }
+
+}
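Review bot: The `location ~ \.php$` block forwards every URI ending in `.php` to FPM without a `try_files $uri =404;` guard, so requests for scripts that do not exist are answered by PHP-FPM rather than by nginx; adding that line before `fastcgi_pass` is the usual defence in depth. The HTTPS server only has `listen 443 ssl;` while the redirect server listens on both `[::]:80` and `80`, and the commented `# listen [::]:80 default_server ipv6only=on;` left in the 443 block looks like a leftover; either add `listen [::]:443 ssl;` or drop the comment. The template iterates `nginx_additional_ipaddr_whitelist_ips`, which this role's defaults do not define (only `evoadminmail_webserver` is added there), so rendering fails unless another role always supplies it — a `| default([])` filter or a default in this role would make the dependency explicit. Both `access_log` and `error_log` point at the global nginx log files, so this vhost's traffic is mixed with every other site's; per-vhost log files would help incident triage.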