From 9d03496f024a61bbed166bb56b53c5f8985e49ac Mon Sep 17 00:00:00 2001
From: Julian Rother
Date: Fri, 17 Jan 2025 17:30:53 +0100
Subject: [PATCH] Initial commit
---
 README.md | 3 +++
 defaults/main.yml | 30 ++++++++++++++++++++++++
 tasks/main.yml | 6 +++++
 tasks/tenant.yml | 42 ++++++++++++++++++++++++++++++++++
 templates/php-fpm-pool.conf.j2 | 6 +++++
 5 files changed, 87 insertions(+)
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/tenant.yml
 create mode 100644 templates/php-fpm-pool.conf.j2
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..beedb6a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# Setup users and php-fpm pool for multi-tenant web hosting
+
+Requires [nginx](https://git.notandy.de/ansible/roles/nginx) role in the same block!
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..bdb26d0
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,30 @@
+php_tenants: {}
+# :
+# # user/group get's called "www-"
+# # homedir is /srv/www/
+# # www-data get's "www-" additional group to acces data in homedir
+# mariadb_databases:
+# : {mariadb options ...} # db is called "www--db"
+# fpm_pool:
+# : ...
+
+php_tenants_fpm_pool_defaults:
+ # Overwritten in template:
+ #user: www-{{ tenant.name }}
+ #group: www-{{ tenant.name }}
+ #listen: /run/php/php{{ php_version }}-fpm-{{ tenant.name }}.sock
+ #'php_admin_value[syslog.ident]': php-fpm-{{tenant.name}}
+
+ listen.owner: www-data
+ listen.group: www-data
+ listen.mode: '0660'
+ pm: dynamic
+ pm.max_children: 50
+ pm.start_servers: 2
+ pm.min_spare_servers: 2
+ pm.max_spare_servers: 3
+ 'env[HOSTNAME]': '$HOSTNAME'
+ 'env[PATH]': /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ 'env[TMP]': /tmp
+ 'env[TMPDIR]': /tmp
+ 'env[TEMP]': /tmp
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..c29b2f7
--- /dev/null
+++ b/tasks/main.yml
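Review bot: `php_tenants_fpm_pool_defaults` runs each pool as its own `www-*` user but sets nothing that confines PHP to the tenant's tree, so in this multi-tenant layout a script in one pool can read any other tenant's files that the filesystem mode happens to allow. A default such as `'php_admin_value[open_basedir]': '/srv/www/{{ tenant.name }}:/tmp'` (plus whatever session save path the hosts use) would bound that, and a tenant can still relax it through its own `fpm_pool` mapping since the template merges tenant options over these defaults; this assumes the loop variable is visible when the default is templated, as the commented-out `user`/`group` lines suggest the author expected. The commented example at the top of the file appears to have lost its placeholder names (`# :`, `"www--db"`), possibly stripped as angle-bracketed text by the forge; if so, writing them as `NAME`/`DBNAME` keeps the documented structure of `php_tenants` readable.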
@@ -0,0 +1,6 @@
+- name: Setup tenants
+ loop: "{{ php_tenants|dict2items(key_name='name', value_name='options') }}"
+ loop_control:
+ loop_var: tenant
+ include_tasks:
+ file: tenant.yml
diff --git a/tasks/tenant.yml b/tasks/tenant.yml
new file mode 100644
index 0000000..90d563c
--- /dev/null
+++ b/tasks/tenant.yml
@@ -0,0 +1,42 @@
+- name: 'Create group www-{{ tenant.name }}'
+ ansible.builtin.group:
+ name: 'www-{{ tenant.name }}'
+
+- name: 'Create user www-{{ tenant.name }}'
+ ansible.builtin.user:
+ name: 'www-{{ tenant.name }}'
+ group: 'www-{{ tenant.name }}'
+ home: '/srv/www/{{ tenant.name }}'
+ shell: /bin/bash
+
+- name: 'Add user www-data to group www-{{ tenant.name }}'
+ ansible.builtin.user:
+ name: 'www-data'
+ system: true
+ append: true
+ groups: 'www-{{ tenant.name }}'
+
+# php_version and "restart php-fpm" handler from nginx role
+- name: 'Create php pool www-{{ tenant.name }}'
+ ansible.builtin.template:
+ dest: "/etc/php/{{ php_version }}/fpm/pool.d/www-{{ tenant.name }}.conf"
+ src: php-fpm-pool.conf.j2
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - restart php-fpm
+
+- name: 'Create MariaDB DBs for {{ tenant.name }}'
+ loop: '{{ tenant.options.mariadb_databases|d({})|dict2items }}'
+ community.mysql.mysql_db:
+ login_unix_socket: /var/run/mysqld/mysqld.sock
+ name: 'www-{{ tenant.name }}-{{ item.key }}'
+ collation: "{{ item.value.collation | default('utf8mb4_unicode_ci') }}"
+ encoding: "{{ item.value.encoding | default('utf8mb4') }}"
+
+- name: 'Create MariaDB user www-{{ tenant.name }}'
+ community.mysql.mysql_user:
+ name: 'www-{{ tenant.name }}'
+ priv: 'www-{{ tenant.name }}-%.*:ALL PRIVILEGES'
+ plugin: unix_socket
diff --git a/templates/php-fpm-pool.conf.j2 b/templates/php-fpm-pool.conf.j2
new file mode 100644
index 0000000..6849e67
--- /dev/null
+++ b/templates/php-fpm-pool.conf.j2
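Review bot: `tenant.name` flows unvalidated into the group/user names, the home path, the pool filename and the GRANT pattern of the last task in tasks/tenant.yml, and because `_` and `%` are wildcards in MySQL/MariaDB database-level grants while `-` is also this role's separator, a tenant named `a` would hold privileges on the databases of a tenant `a-b` (`www-a-b-…` matches `www-a-%`) and a name containing `_` would match more than its own prefix unless escaped as `\_`; an assert task at the top of the file that restricts the name to a character set that cannot collide is the simplest fix. The `mysql_user` task also lacks the `login_unix_socket: /var/run/mysqld/mysqld.sock` that the `mysql_db` task sets, so the two tasks connect to the server differently. The home directory created by the `ansible.builtin.user` task keeps the system default mode, so isolation between the `www-*` users currently depends on that default; an explicit `ansible.builtin.file` task pinning owner, group and `mode: '0750'` makes the boundary visible. `mode: 0644` in the template task should be quoted as `mode: '0644'` so the value is not subject to YAML octal/decimal integer parsing.
```yaml
- name: 'Validate tenant name {{ tenant.name }}'
  ansible.builtin.assert:
    that:
      - tenant.name is match('^[a-z][a-z0-9]*$')
    fail_msg: 'tenant name is used in usernames, paths and GRANT patterns and must be lowercase alphanumeric'

- name: 'Create group www-{{ tenant.name }}'
# … unchanged: group, user and www-data membership tasks …

- name: 'Restrict home directory of www-{{ tenant.name }}'
  ansible.builtin.file:
    path: '/srv/www/{{ tenant.name }}'
    state: directory
    owner: 'www-{{ tenant.name }}'
    group: 'www-{{ tenant.name }}'
    mode: '0750'

# … unchanged: php pool, MariaDB database and user tasks …
```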
@@ -0,0 +1,6 @@
+[www-{{ tenant.name }}]
+{% set options = php_tenants_fpm_pool_defaults|combine(tenant.options.fpm_pool|d({}), {'user': 'www-'+tenant.name, 'group': 'www-'+tenant.name, 'listen': '/run/php/php'+php_version+'-fpm-'+tenant.name+'.sock', 'php_admin_value[syslog.ident]': 'php-fpm-'+tenant.name}, recursive=true) %}
+
+{% for key, value in options.items() %}
+{{ key }} = {{ value }}
+{% endfor %}
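Review bot: The `listen` entry in the `{% set options = … %}` line builds the socket path with `'/run/php/php'+php_version+…`, and if `php_version` arrives from the nginx role as an unquoted YAML scalar such as `8.2` it is a float, so `+` raises a TypeError at render time; Jinja's `~` operator coerces both sides to strings and avoids that: `'listen': '/run/php/php' ~ php_version ~ '-fpm-' ~ tenant.name ~ '.sock'`. The same line also carries the whole precedence rule of the role (defaults, then tenant `fpm_pool`, then the four fixed keys) on one very long line; splitting the mapping across lines and adding a `{# defaults < tenant fpm_pool < fixed user/group/listen/syslog.ident #}` comment above it would document the order the `combine` enforces. `recursive=true` has no effect here since every value in the merged mappings is a scalar; it can be dropped or left with a comment saying why it is kept.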