Refactor and tidy the role (#10)

* Move apparmor to separate yaml file * Add switch for apparmor * Remove Leap 15.3 from molecule * Fix the CI
2024-05-18 22:51:15 +00:00 · 2023-02-03 13:07:14 +01:00 · 2023-02-03 13:07:14 +01:00 · e7a01655b3
parent 8037666487
commit e7a01655b3
8 changed files with 63 additions and 56 deletions
--- a/README.md
+++ b/README.md
@ -17,6 +17,7 @@ Due to the very different php configuration on Debian/Ubuntu I'm not planning to
 |-------|-------------|---------|
 | `configure_php_ini` | Configrue the `php.ini` file | `true` |
 | `configure_php_fpm` | Configure php-fpm configuration files  | `true` |
+| `configure_apparmor` | Configure apparmor configuration files  | `false` |
 | `enable_php_fpm` | Enable `php-fpm` service | `true` |
 | `apcu_enable` | Enable the [APCu](https://www.php.net/manual/en/book.apcu.php) cache | `false` |
 | `apcu_shm_size` | APCu cache size | `32M` |
@ -106,4 +107,4 @@ First try to set the `php-fpm` AppArmor profile to complain and check if this re

    # aa-complain /etc/apparmor.d/php-fpm

-If so, you can use the `yast apparmor` module of YaST to modify the `php-fpm` module to allow access to your php files. Then you can set AppArmor back to enforce.
+If so, you can use the `yast apparmor` module of YaST to modify the `php-fpm` module to allow access to your php files. Then you can set AppArmor back to enforce.
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -3,6 +3,7 @@

 configure_php_ini: true
 configure_php_fpm: true
+configure_apparmor: false
 enable_php_fpm: true

 # The pool to configure
--- a/molecule/default/Dockerfile.leap15_3
+++ b/molecule/default/Dockerfile.leap15_3
@ -1,7 +0,0 @@
-FROM registry.opensuse.org/opensuse/leap:15.3
-
-# Install systemd and development tools, clear cache
-RUN zypper in -y systemd systemd-sysvinit firewalld python3 python3-firewall curl && rm -rf /var/cache/* && rm -f /etc/machine-id /var/lib/dbus/machine-id
-
-# Start container with systemd
-ENTRYPOINT ["/usr/sbin/init"]
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@ -15,6 +15,16 @@
      include_role:
        name: "geekoops-php-fpm"
    ## Setup test enviroment
+    # Smoke test for nginx
+    - name: Deploy index.html
+      copy:
+        content: |
+          This page is a stub.
+        dest: "{{www_dir}}/index.html"
+        group: "root"
+        owner: "root"
+        mode: 0644
+      register: deployed
    # We setup phpinfo.php and configure nginx to use php for *.php files
    - name: Deploy phpinfo script
      copy:
@ -31,13 +41,13 @@
              server {
                  listen 80 default_server;
                  listen [::]:80 default_server;
-                  root {{ www_dir }};
-                  index index.php index.html index.htm;
+                  root "{{ www_dir }}";
+                  index index.html index.htm;
                  location / {
                      try_files $uri $uri/ =404;
                  }
                  location ~ \.php$ {
-                      fastcgi_pass   unix:/run/php-fpm/php-fpm.sock;
+                      fastcgi_pass   unix:/run/php-fpm/www.sock;
                      fastcgi_index  index.php;
                      fastcgi_param  SCRIPT_FILENAME $request_filename;
                      include        fastcgi_params;
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@ -4,23 +4,12 @@ dependency:
 driver:
  name: docker
 platforms:
-  - name: leap15_3
-    image: registry.opensuse.org/opensuse/leap:15.3
-    dockerfile: Dockerfile.leap15_3
-    command: ${MOLECULE_DOCKER_COMMAND:-"/usr/sbin/init"}
-    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-    tmpfs:
-      - /run
-      - /tmp
  - name: leap15_4
    image: registry.opensuse.org/opensuse/leap:15.4
    dockerfile: Dockerfile.leap15_4
    command: ${MOLECULE_DOCKER_COMMAND:-"/usr/sbin/init"}
    privileged: true
-    volumes:
-      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    cgroupns: host
    tmpfs:
      - /run
      - /tmp
@ -28,14 +17,6 @@ provisioner:
  name: ansible
  inventory:
    host_vars:
-      leap15_3:
-        www_dir: "/srv/www/htdocs"
-        vhosts_dir: "/etc/nginx/vhosts.d"
-        phpgroup: www
-        phpuser: wwwrun
-        nginxuser: nginx
-        nginxgroup: nginx
-        deploy_nginx_config: true
      leap15_4:
        www_dir: "/srv/www/htdocs"
        vhosts_dir: "/etc/nginx/vhosts.d"
@ -46,7 +27,3 @@ provisioner:
        deploy_nginx_config: true
 verifier:
  name: testinfra
-  lint:
-    name: flake8
-lint: |
-  yamllint -d "{extends: relaxed, rules: {line-length: {max: disabled}}}" .
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@ -6,9 +6,22 @@ import testinfra.utils.ansible_runner
 import os

 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
- 
+
+# Check if the service is enabled and running
+def test_php_active(host):
+	php_fpm = host.service("php-fpm")
+	assert php_fpm.is_running
+	assert php_fpm.is_enabled
+
+# Smoketest for nginx
+def test_nginx(host):
+	cmd = host.run("curl -v --fail http://127.0.0.1/")
+	assert 'HTTP/1.1 200 OK' in cmd.stderr
+	assert "This page is a stub" in cmd.stdout
+
+# Check if we can access the phpinfo.php
 def test_phpinfo(host):
-	cmd = host.run("curl -v http://127.0.0.1/phpinfo.php")
+	cmd = host.run("curl -v --fail http://127.0.0.1/phpinfo.php")
 	assert 'HTTP/1.1 200 OK' in cmd.stderr
 	assert "PHP Version" in cmd.stdout
 	assert "php-fpm" in cmd.stdout
--- a/tasks/apparmor.yml
+++ b/tasks/apparmor.yml
@ -0,0 +1,21 @@
+---
+
+- name: Ensure AppArmor knows about our new config file, the socket, and some log files it tries to create
+  ansible.builtin.blockinfile:
+    path: /etc/apparmor.d/local/php-fpm
+    marker: "# {mark} ANSIBLE MANAGED BLOCK {{php_fpm_pool}}"
+    state: present
+    block: |
+      /var/log/php-fpm/{{php_fpm_pool}}.access.log rw,
+      /var/log/php-fpm/{{php_fpm_pool}}.log.slow rw,
+      /var/log/{{php_fpm_pool}}.log rw,
+      @{run}/php{,-fpm}/{{php_fpm_pool}}.pid rw,
+      @{run}/{{php_fpm_pool}}.pid rw,
+      @{run}/php{,-fpm}/{{php_fpm_pool}}.sock rwlk,
+  tags: ['apparmor']
+
+- name: Ensure AppArmor is reloaded
+  systemd:
+    name: apparmor
+    state: restarted
+  tags: ['apparmor']
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -4,6 +4,8 @@
 - name: include distribution specific vars
  include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}.yml"

+## Install and configure php ###################################################
+
 - name: Ensure php packages are installed
  package:
    name: "{{ packages }}"
@ -43,32 +45,21 @@
  tags: ['php-fpm']
  when: configure_php_fpm == true

- name: Ensure AppArmor knows about our new config file, the socket, and some log files it tries to create
-  ansible.builtin.blockinfile:
-    path: /etc/apparmor.d/local/php-fpm
-    marker: "# {mark} ANSIBLE MANAGED BLOCK {{php_fpm_pool}}"
-    state: present
-    block: |
-      /var/log/php-fpm/{{php_fpm_pool}}.access.log rw,
-      /var/log/php-fpm/{{php_fpm_pool}}.log.slow rw,
-      /var/log/{{php_fpm_pool}}.log rw,
-      @{run}/php{,-fpm}/{{php_fpm_pool}}.pid rw,
-      @{run}/{{php_fpm_pool}}.pid rw,
-      @{run}/php{,-fpm}/{{php_fpm_pool}}.sock rwlk,
-
- name: create log directory for php-fpm
+- name: Create log directory for php-fpm
  ansible.builtin.file:
    path: "/var/log/php-fpm/"
    state: directory
    mode: '0755'
    group: 'www'
    owner: 'wwwrun'
+  tags: ['php-fpm']

- name: Ensure AppArmor is reloaded
-  systemd:
-    name: apparmor
-    state: restarted
-    enabled: true
+## Additional tasks ############################################################
+
+- include_tasks: apparmor.yml
+  when: configure_apparmor
+
+## Finalize steps ##############################################################

 - name: Ensure php-fpm is enabled
  systemd: