admin/e-cosplay
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ansible): Améliore déploiement et permissions

Browse Source 
Corrige gestion des permissions, ajout d'ACL, optimise cache.
This commit is contained in:
Serreau Jovann
2025-07-17 11:36:14 +02:00
parent 624dcbba25
commit d7f1fa0479
1 changed files with 78 additions and 117 deletions
Download Patch File Download Diff File Expand all files Collapse all files

195
ansible/playbook.yml
View File

@@ -1,23 +1,21 @@
# Fichier: install_php_83_symfony_pgsql.yml
- name: Deploy application
hosts: webservers # Cible les hôtes définis dans le groupe 'webservers' de votre inventaire
become: true # Nécessite des privilèges root pour exécuter les tâches
gather_facts: true # Utile pour obtenir des informations sur le système, comme l'OS
hosts: webservers
become: true
gather_facts: true
# Il est recommandé de définir les variables sensibles comme les mots de passe
# dans un fichier vault chiffré (ansible-vault).
vars:
db_name: "mainframe"
db_user: "mainframe"
db_password: "mainframe"
redis_password: "mainframe"
redis_port: "20100"
# Assurez-vous que 'path' est définie dans votre inventaire ou comme extra-var
# Exemple: path: /var/www/mainframe/app
tasks:
- name: Installer le support ACL pour corriger les permissions de 'become_user'
# Le paquet 'acl' est nécessaire pour qu'Ansible puisse définir des permissions
# granulaires sur les fichiers temporaires lorsqu'il passe à un utilisateur non-root.
ansible.builtin.apt:
name: acl
state: present
@@ -25,7 +23,6 @@
when: ansible_os_family == "Debian"
- name: Installation des dépendances pour le module Ansible PostgreSQL
# Installe python3-psycopg2, nécessaire pour que les modules Ansible puissent communiquer avec PostgreSQL.
ansible.builtin.apt:
name: python3-psycopg2
state: present
@@ -33,33 +30,30 @@
when: ansible_os_family == "Debian"
- name: Installation de PHP 8.3 et PHP 8.3-FPM avec les dépendances
# Installe PHP 8.3, PHP-FPM et toutes les extensions nécessaires pour Symfony,
# ainsi que le support Redis, Imagemagick, FFmpeg et PostgreSQL.
ansible.builtin.apt:
name:
- php8.3
- php8.3-fpm
- php8.3-cli
- php8.3-common
- php8.3-mysql # Driver MySQL/MariaDB
- php8.3-pgsql # Support pour PostgreSQL
- php8.3-xml # Pour XML, SOAP, etc.
- php8.3-mbstring # Pour la manipulation de chaînes de caractères multi-octets
- php8.3-zip # Pour la manipulation des archives ZIP
- php8.3-intl # Pour l'internationalisation
- php8.3-gd # Pour la manipulation d'images (GD Library)
- php8.3-curl # Pour faire des requêtes HTTP
- php8.3-pdo # Pour les connexions à la base de données via PDO
- php8.3-opcache # Pour l'optimisation des performances de PHP
- php8.3-bcmath # Pour les fonctions mathématiques de précision arbitraire
- php8.3-redis # Support pour la base de données en mémoire Redis
- php8.3-imagick # Pour la manipulation d'images via ImageMagick
- ffmpeg # Outil en ligne de commande pour la manipulation audio/vidéo
- php8.3-mysql
- php8.3-pgsql
- php8.3-xml
- php8.3-mbstring
- php8.3-zip
- php8.3-intl
- php8.3-gd
- php8.3-curl
- php8.3-pdo
- php8.3-opcache
- php8.3-bcmath
- php8.3-redis
- php8.3-imagick
- ffmpeg
state: present
when: ansible_os_family == "Debian"
- name: Démarrage et activation du service PHP 8.3 FPM
# S'assure que le service PHP 8.3 FPM est démarré et configuré pour démarrer au boot.
ansible.builtin.systemd:
name: php8.3-fpm
state: started
@@ -67,7 +61,6 @@
when: ansible_os_family == "Debian"
- name: Créer le fichier .env.local avec les secrets de production
# Crée le fichier .env.local avec les variables d'environnement pour la production.
ansible.builtin.copy:
content: |
APP_ENV=prod
@@ -80,36 +73,61 @@
dest: "{{ path }}/.env.local"
when: ansible_os_family == "Debian"
- name: Creates directory
# --- Initial creation of essential directories with correct ownership ---
# These directories should exist before composer runs, but composer might create subdirs.
- name: Ensure app/var and public/media directories exist with correct owner/group
ansible.builtin.file:
path: "{{path}}/var"
owner: www-data
path: "{{ item }}"
owner: bot # Assuming 'bot' is your deployment user
group: www-data
mode: 0777
mode: '0775' # Allow 'bot' and 'www-data' to read/write/execute
state: directory
recurse: yes # Important to ensure subdirectories created by previous deploys also get permissions
loop:
- "{{ path }}/var"
- "{{ path }}/var/log" # Specific for log, though var/log might be created by composer later
- "{{ path }}/public/media" # For uploads
- name: Creates directory log
ansible.builtin.file:
path: "{{path}}/var/log"
owner: www-data
group: www-data
mode: 0777
state: directory
- name: Creates directory log
ansible.builtin.file:
path: "{{path}}/public/media"
owner: www-data
group: www-data
mode: 0777
state: directory
- name: Exécuter 'composer install' dans le répertoire de l'application
# Installe les dépendances PHP de production.
ansible.builtin.command: composer install --no-dev --optimize-autoloader
become: false
become: false # Run as the connection user (e.g., 'bot')
args:
chdir: "{{ path }}" # La variable 'path' doit être définie dans votre inventaire ou en extra-vars.
chdir: "{{ path }}"
when: ansible_os_family == "Debian"
# --- POST-COMPOSER PERMISSION FIXES ---
# This is crucial because composer creates var/cache as the `become: false` user
- name: Set correct permissions for Symfony cache and logs directories
ansible.builtin.file:
path: "{{ item }}"
owner: bot
group: www-data
mode: '0775' # rwx for owner and group, rx for others
state: directory
recurse: yes # Apply to all contents
loop:
- "{{ path }}/var/cache"
- "{{ path }}/var/log"
# For web-writable directories created by the app itself (e.g., uploads), you might set ACLs
# or chown to www-data and then your user gets access via group membership.
# Alternative for cache/log permissions using ACLs (more robust for mixed ownership)
# This requires 'acl' package installed (which you already do).
# Use this if 'bot' needs to own, but www-data needs to write.
- name: Set ACLs for Symfony cache and logs (recommended for web-writable dirs)
ansible.builtin.acl:
path: "{{ item }}"
entity: www-data
etype: group
permissions: rwx
state: present
recursive: yes
default: yes # Apply default ACLs for new files/dirs within
loop:
- "{{ path }}/var/cache"
- "{{ path }}/var/log"
when: ansible_os_family == "Debian" # ACLs are Linux-specific
- name: Exécuter bun install dans le répertoire de l application
ansible.builtin.command: bun install
become: false
@@ -124,29 +142,6 @@
chdir: "{{ path }}"
when: ansible_os_family == "Debian"
- name: Creates directory
ansible.builtin.file:
path: "{{path}}/var"
owner: www-data
group: www-data
mode: 0777
state: directory
- name: Creates directory log
ansible.builtin.file:
path: "{{path}}/var/log"
owner: www-data
group: www-data
mode: 0777
state: directory
- name: Creates directory log
ansible.builtin.file:
path: "{{path}}/public/media"
owner: www-data
group: www-data
mode: 0777
state: directory
- name: Supervisor config
ansible.builtin.template:
src: supervisor.j2
@@ -154,19 +149,17 @@
mode: '0644'
- name: Reread Supervisor configuration
command: supervisorctl reread
ansible.builtin.command: supervisorctl reread
changed_when: true # Always mark as changed, as output is not always useful for idempotency
- name: Update Supervisor (add/remove updated programs)
command: supervisorctl update
ansible.builtin.command: supervisorctl update
changed_when: true
# --- Début de la section de purge Redis ---
- name: Purger la base de données Redis
# Exécute FLUSHALL pour vider toutes les clés de toutes les bases de données du serveur Redis.
# Utile pour s'assurer que le cache est propre après un déploiement.
ansible.builtin.command: "redis-cli -p {{ redis_port }} -a {{ redis_password }} FLUSHALL"
when: ansible_os_family == "Debian"
# --- Fin de la section de purge Redis ---
- name: Generate Caddy site configuration
ansible.builtin.template:
src: caddy.j2
@@ -174,7 +167,7 @@
mode: '0644'
- name: Reload Caddy to apply new configuration
systemd:
ansible.builtin.systemd:
name: caddy
state: reloaded
enabled: yes
@@ -185,52 +178,20 @@
args:
chdir: "{{ path }}"
when: ansible_os_family == "Debian"
- name: Creates directory media
ansible.builtin.file:
path: "{{path}}/public/media"
owner: www-data
group: www-data
mode: 0777
state: directory
- name: Creates directory media
ansible.builtin.file:
path: "{{path}}/public/media"
owner: bot
group: www-data
mode: 0777
state: directory
- name: Exécuter liip:imagine:cache:remove dans le répertoire de l application
ansible.builtin.command: php bin/console liip:imagine:cache:remove
become: false
args:
chdir: "{{ path }}"
- name: Creates directory media
ansible.builtin.file:
path: "{{path}}/public/media"
owner: www-data
group: www-data
mode: 0777
state: directory
when: ansible_os_family == "Debian"
- name: Creates directory
ansible.builtin.file:
path: "{{path}}/var"
owner: www-data
group: www-data
mode: 0777
state: directory
when: ansible_os_family == "Debian" # Added a when condition here, often missed
- name: Creates directory log
# Ensure final state of /public/media, if you want 'bot' to own it for uploads
- name: Final check for public/media ownership and permissions
ansible.builtin.file:
path: "{{path}}/var/log"
owner: www-data
path: "{{ path }}/public/media"
owner: bot
group: www-data
mode: 0777
state: directory
- name: Creates directory log
ansible.builtin.file:
path: "{{path}}/public/media"
owner: www-data
group: www-data
mode: 0777
mode: '0775' # Secure for owner/group write, others read/execute
state: directory
recurse: yes # Ensure all existing and newly created files also have these permissions