Switch from git submodules to Ansible Galaxy for role management

.ansible-lint

@@ -0,0 +1,25 @@
+---
+skip_list:
+  - 'meta-no-info'
+  - var-naming[no-role-prefix]
+
+warn_list:
+  - package-latest
+  - unnamed-task
+
+exclude_paths:
+  - group_vars/secrets.*
+  - roles/dehydrated
+  - roles/mailhog
+  - roles/postgresql
+  - roles/mail
+  - roles/mariadb
+  - roles/nginx
+  - roles/elasticsearch
+  - roles/oauth2_proxy
+  - roles/php
+  - roles/redis
+  - roles/supervisord
+  - roles/system
+  - roles/apache
+  - roles/solr

.envrc

@@ -1,5 +1,21 @@
 #!/bin/bash
-export PATH="${PWD}/venv/bin:${PATH}"
-export COT_IMAGE="fnkr/cot:ansible-$(awk -F '==' '{ if ($1 == "ansible") print $2 }' requirements.txt)"
-export COT_NET=host
-export COT_ENV_ANSIBLE_FORCE_COLOR=true
+
+if [ ! -f venv/bin/activate ]
+then
+	echo "Creating virtual environment"
+	python3 -m venv venv >/dev/null
+fi
+
+if [ -f venv/bin/activate ]
+then
+	echo "Activating virtual environment"
+	. venv/bin/activate
+fi
+
+if [ -f venv/bin/pip3 ]
+then
+	echo "Installing requirements"
+	venv/bin/pip3 install --upgrade pip >/dev/null 2>&1
+	venv/bin/pip3 install -r requirements.txt >/dev/null 2>&1
+	ansible-galaxy install -r requirements.yml >/dev/null 2>&1
+fi

.gitignore

@@ -6,3 +6,18 @@
 /venv/
 inventory_dev.ini
 host_vars/vpro*
+roles/apache
+roles/dehydrated
+roles/elasticsearch
+roles/mail
+roles/mailhog
+roles/mariadb
+roles/nginx
+roles/oauth2_proxy
+roles/php
+roles/postgresql
+roles/redis
+roles/solr
+roles/supervisord
+roles/system
+vault_password_file

.gitmodules

@@ -1,42 +0,0 @@
-[submodule "roles/dehydrated"]
-	path = roles/dehydrated
-	url = https://github.com/punktDe/ansible-proserver-dehydrated.git
-[submodule "roles/mariadb"]
-	path = roles/mariadb
-	url = https://github.com/punktDe/ansible-proserver-mariadb.git
-[submodule "roles/elasticsearch"]
-	path = roles/elasticsearch
-	url = https://github.com/punktDe/ansible-proserver-elasticsearch.git
-[submodule "roles/mail"]
-	path = roles/mail
-	url = https://github.com/punktDe/ansible-proserver-mail.git
-[submodule "roles/redis"]
-	path = roles/redis
-	url = https://github.com/punktDe/ansible-proserver-redis.git
-[submodule "roles/nginx"]
-	path = roles/nginx
-	url = https://github.com/punktDe/ansible-proserver-nginx.git
-[submodule "roles/mailhog"]
-	path = roles/mailhog
-	url = https://github.com/punktDe/ansible-proserver-mailhog.git
-[submodule "roles/php"]
-	path = roles/php
-	url = https://github.com/punktDe/ansible-proserver-php.git
-[submodule "roles/oauth2_proxy"]
-	path = roles/oauth2_proxy
-	url = https://github.com/punktDe/ansible-proserver-oauth2-proxy.git
-[submodule "roles/supervisord"]
-	path = roles/supervisord
-	url = https://github.com/punktDe/ansible-proserver-supervisord.git
-[submodule "roles/postgresql"]
-	path = roles/postgresql
-	url = https://github.com/punktDe/ansible-proserver-postgresql.git
-[submodule "roles/apache"]
-	path = roles/apache
-	url = https://github.com/punktDe/ansible-proserver-apache
-[submodule "roles/system"]
-	path = roles/system
-	url = https://github.com/punktDe/ansible-proserver-system
-[submodule "roles/solr"]
-	path = roles/solr
-	url = https://github.com/punktDe/ansible-proserver-solr

.pre-commit-config.yaml

@@ -0,0 +1,7 @@
+---
+repos:
+  - repo: https://github.com/ansible/ansible-lint.git
+    rev: v6.22.1
+    hooks:
+      - id: ansible-lint
+        files: \.(yaml|yml)$

.yamllint

@@ -0,0 +1,15 @@
+---
+extends: default
+
+rules:
+  line-length: disable
+  truthy:
+    allowed-values: ['true', 'false', 'yes', 'no']
+  comments:
+    min-spaces-from-content: 1
+  braces:
+    min-spaces-inside: 0
+    max-spaces-inside: 1
+
+ignore: |
+  .cache

README.md

@@ -45,10 +45,10 @@ You can choose which web server to install by adding your host to the respective
 
 ## Getting Started
 
-**1)** Clone this repository and submodules
+**1)** Clone this repository
 
 ```bash
-git clone --recurse-submodules https://github.com/punktDe/ansible-proserver-template.git
+git clone https://github.com/punktDe/ansible-proserver-template.git
 cd ansible-proserver-template
 ```
 
@@ -57,10 +57,13 @@ cd ansible-proserver-template
 ```bash
 python3 -m venv venv
 venv/bin/pip install -r requirements.txt
-source .envrc  # Hint: Install Direnv (direnv.net) to do this automatically in the future.
+source .envrc 
+ansible-galaxy install -r requirements.yml
 ```
 
-**3)** Adapt Ansible configuration
+You can also use [direnv](https://direnv.net/) to automatically activate the virtual environment and install dependencies when you enter the project folder.
+
+**4)** Adapt Ansible configuration
 
 Basically there are two files, that define the services and configuration for your proServer instance:
 
@@ -85,6 +88,16 @@ mv host_vars_examples/neos/* host_vars/
 
 Then replace at least any occurrence of `vpro0000` with your proServer ID(s).
 
+## Secret management
+
+We recommend using [bitwarden-cli](https://bitwarden.com/help/cli/) to manage secrets.
+
+After setting up the CLI client, replace the placeholder in `vault_password_file_example` with the name of the password in your Bitwarden vault, and rename the file to `vault_password_file`.
+
+It's also possible to use another password manager or a secret management system, as long as it can output the secret in plaintext.
+
+Alternatively, you can remove the executable bit from `vault_password_file` and put your vault password in clear text. However, this is not recommended.
+
 ## Start provisioning of your proServer
 
 ```bash

ansible.cfg

@@ -1,6 +1,7 @@
 [defaults]
 hash_behaviour = merge
 inventory = inventory.ini
+roles_path = ./roles
 
 gathering = smart
 fact_caching = jsonfile

host_vars/development.yaml

@@ -58,7 +58,7 @@ mariadb:
       privileges:
         typo3: "typo3-dev.*:all"
 
-#postgresql:
+# postgresql:
 #  # The dictionary keys ("neos") will not be used by the role (except for the owner field, read the comment below).
 #  # This way you can use Ansible's variable precedence to define a default and override it if needed. For example,
 #  # you could define a default database name and password for your app in group vars and override it in host vars.

host_vars_examples/neos/production.yaml

@@ -12,7 +12,7 @@ dehydrated:
   # The certificate will automatically be issued and updated, you only need to use it in your nginx configuration
   # (see roles/neos/templates/nginx/http.d/neos.conf.j2 for example).
   domains:
-    #Common_Name: ['Subject', 'Alternative', 'Names']
+    # Common_Name: ['Subject', 'Alternative', 'Names']
     vpro0000.proserver.punkt.de: []
 
 nginx:

host_vars_examples/neos/staging.yaml

@@ -12,7 +12,7 @@ dehydrated:
   # The certificate will automatically be issued and updated, you only need to use it in your nginx configuration
   # (see roles/neos/templates/nginx/http.d/neos.conf.j2 for example).
   domains:
-    #Common_Name: ['Subject', 'Alternative', 'Names']
+    # Common_Name: ['Subject', 'Alternative', 'Names']
     vpro0000.proserver.punkt.de: []
 
 nginx:

host_vars_examples/typo3/production.yaml

@@ -12,7 +12,7 @@ dehydrated:
   # The certificate will automatically be issued and updated, you only need to use it in your nginx configuration
   # (see roles/typo3/templates/nginx/http.d/typo3.conf.j2 for example).
   domains:
-    #Common_Name: ['Subject', 'Alternative', 'Names']
+    # Common_Name: ['Subject', 'Alternative', 'Names']
     vpro0000.proserver.punkt.de: []
 
 nginx:

host_vars_examples/typo3/staging.yaml

@@ -12,7 +12,7 @@ dehydrated:
   # The certificate will automatically be issued and updated, you only need to use it in your nginx configuration
   # (see roles/typo3/templates/nginx/http.d/typo3.conf.j2 for example).
   domains:
-    #Common_Name: ['Subject', 'Alternative', 'Names']
+    # Common_Name: ['Subject', 'Alternative', 'Names']
     vpro0000.proserver.punkt.de: []
 
 nginx:

playbook.yaml

@@ -49,8 +49,6 @@
   tags:
     - solr
 
-
-
 ################################################################################
 # Applications                                                                 #
 ################################################################################
@@ -63,7 +61,7 @@
     - mailhog
 
 - name: TYPO3
-  hosts: 
+  hosts:
     - typo3
     - typo3_test
   become: yes
@@ -73,7 +71,7 @@
     - typo3
 
 - name: Neos
-  hosts: 
+  hosts:
     - neos
     - neos_test
   become: yes

requirements.yml

@@ -0,0 +1,46 @@
+---
+collections:
+  - name: https://github.com/ansible-collections/community.general
+    type: git
+  - name: https://github.com/ansible-collections/community.crypto
+    type: git
+  - name: https://github.com/ansible-collections/ansible.posix
+    type: git
+
+roles:
+  - name: apache
+    src: https://github.com/punktDe/ansible-proserver-apache
+    version: "1.0"
+  - name: dehydrated
+    src: https://github.com/punktDe/ansible-proserver-dehydrated
+    version: "1.0.1"
+  - name: elasticsearch
+    src: https://github.com/punktDe/ansible-proserver-elasticsearch
+  - name: mail
+    src: https://github.com/punktDe/ansible-proserver-mail
+  - name: mailhog
+    src: https://github.com/punktDe/ansible-proserver-mailhog
+  - name: mariadb
+    src: https://github.com/punktDe/ansible-proserver-mariadb
+  - name: nginx
+    src: https://github.com/punktDe/ansible-proserver-nginx
+    version: "1.1.0"
+  - name: oauth2_proxy
+    src: https://github.com/punktDe/ansible-proserver-oauth2-proxy
+    version: "1.0.1"
+  - name: php
+    src: https://github.com/punktDe/ansible-proserver-php
+    version: "1.0.1"
+  - name: postgresql
+    src: https://github.com/punktDe/ansible-proserver-postgresql
+    version: "1.0.1"
+  - name: redis
+    src: https://github.com/punktDe/ansible-proserver-redis
+  - name: solr
+    src: https://github.com/punktDe/ansible-proserver-solr
+    version: "1.1.0"
+  - name: supervisord
+    src: https://github.com/punktDe/ansible-proserver-supervisord
+  - name: system
+    src: https://github.com/punktDe/ansible-proserver-system
+    version: "1.5.0"

roles/neos/templates/nginx/http.d/neos.conf.j2

@@ -1,22 +1,40 @@
 server {
-    {% if dehydrated|cert_exists(neos.domain) -%}
-    listen 0.0.0.0:443 ssl http2;
-    listen [::]:443 ssl http2;
-    {% if ansible_local.proserver.routing.with_gate64 -%}
-    listen [::1]:57 ssl http2 proxy_protocol;
-    {%- endif %}
-    {% else %}
     listen 0.0.0.0:80;
     listen [::]:80;
-    {% if ansible_local.proserver.routing.with_gate64 -%}
+    {% if ansible_local.proserver|default(none) and ansible_local.proserver.routing.with_gate64 -%}
     listen [::1]:87 proxy_protocol;
     {%- endif %}
-    {% endif %}
+
+    server_name {{ neos.domain }};
+
+    root /var/null;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+
+    include {{ nginx.prefix.config }}/include/letsencrypt.conf;
+}
+
+{% if dehydrated|cert_exists(neos.domain) %}
+server {
+    # nginx < 1.25.1
+    listen 0.0.0.0:443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    # nginx >= 1.25.1
+    # listen 0.0.0.0:443 ssl;
+    # listen [::]:443 ssl;
+    # http2 on;
+
+    {% if ansible_local.proserver.routing.with_gate64 -%}
+    listen [::1]:57 ssl proxy_protocol;
+    {%- endif %}
 
     server_name {{ neos.domain }};
 
     root {{ neos.prefix.current_release }}/Web;
-    index index.php;
+    index index.php index html;
     charset utf-8;
 
     location / {
@@ -37,9 +55,10 @@ server {
         fastcgi_pass unix:/var/run/php-fpm/php-fpm.socket;
     }
 
-    {% if dehydrated|cert_exists(neos.domain) %}
+
     ssl_certificate {{ dehydrated|cert_fullchain(neos.domain) }};
     ssl_certificate_key {{ dehydrated|cert_privkey(neos.domain) }};
     include {{ nginx.prefix.config }}/https_params.conf;
-    {% endif %}
+
 }
+{% endif %}