adapt role: the image should not be run as root, but with user with id 82.

Replaced `su` with `su -p` in `compose.yaml` to ensure the environment variables of the parent shell are preserved when running the messenger consumer.

defaults/main.yml

@@ -9,3 +9,50 @@ chill_image_redis: "redis"
 chill_image_rabbitmq: "rabbitmq:3-management-alpine"
 chill_image_relatorio: "registry.gitlab.com/champs-libres/public/relatorio-tornado/app:latest"
 traefik_image_traefik: "traefik:v3.2"
+
+# to install or not traefik as front-end
+traefik_install: true
+
+docker_secrets: []
+
+# default chill config for each environment
+default_chill:
+  chill_environment: main_env
+  add_postgres: false
+  chill_image_tag: v0.0.1-beta
+  host: 'devpms.samusocial.be'
+  tls_config: self_signed
+  expose_port: false # can be false, or the port number
+  # use rabbitmq as message broker. If not in use, it will be replaced by doctrine
+  rabbitmq_install: true
+  proxy_ips:
+    # 127.0.0.1 is always added
+    - 192.168.0.0/16
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+  chill_config:
+    # supplementary environment values to set in the in the env file
+    supplementary_environment_values: {}
+    trusted_hosts: 'devpms.samusocial.be '
+    database_host: '172.17.17.71'
+    database_port: '5432'
+    database_name: 'chilldev'
+    database_user: 'chilldev'
+    database_version: '15'
+    # database_password:
+    mailer_user: ''
+    mailer_host: 'smtp.example.com'
+    mailer_port: '25'
+    notification_host: 'https://devpms.samusocial.be '
+    notification_from_email: 'devpms@samusocial.be'
+    # app_secret:
+    # admin_password:
+    mailer_dsn: 'null://null'
+    mailer_url: 'null://null'
+    # jwt_passphrase:
+    # jwt_secret_key: '1234'
+    # jwt_public_key: '1234'
+    rabbitmq_user: 'chilldev'
+    # rabbitmq_password:
+    editor_server: 'https://collabora.champs-libres.be'
+    ovhcloud_dsn: 'null://null'

tasks/chill/main.yml

@@ -1,10 +1,10 @@
-- name: Debug task
-  ansible.builtin.debug:
-    var: item
+- name: Merge defaults with item
+  ansible.builtin.set_fact:
+    chill: "{{ default_chill | combine(item, recursive=True) }}"
 
 - name: Create directories to store compose project
   ansible.builtin.file:
-    path: "{{ install_dir }}/{{ item['chill_environment'] }}"
+    path: "{{ install_dir }}/{{ chill['chill_environment'] }}"
     state: directory
     mode: '0755'
     owner: "{{ as_user }}"
@@ -12,44 +12,45 @@
 - name: Add compose.yml file
   ansible.builtin.template:
     src: compose.yaml
-    dest: "{{ install_dir }}/{{ item['chill_environment'] }}/compose.yaml"
+    dest: "{{ install_dir }}/{{ chill['chill_environment'] }}/compose.yaml"
     owner: "{{ as_user }}"
     mode: '0444'
 
 - name: Add application environment file
   ansible.builtin.template:
     src: env_file.env
-    dest: "{{ install_dir }}/{{ item['chill_environment'] }}/env_file.env"
+    dest: "{{ install_dir }}/{{ chill['chill_environment'] }}/env_file.env"
     owner: "{{ as_user }}"
     mode: '0400'
 
 - name: Add postgresql environment file if need
   ansible.builtin.template:
     src: postgres.env
-    dest: "{{ install_dir }}/{{ item['chill_environment'] }}/postgres.env"
+    dest: "{{ install_dir }}/{{ chill['chill_environment'] }}/postgres.env"
     owner: "{{ as_user }}"
     mode: '0400'
 
 - name: Add rabbitmq environment file
   ansible.builtin.template:
     src: rabbitmq.env
-    dest: "{{ install_dir }}/{{ item['chill_environment'] }}/rabbitmq.env"
+    dest: "{{ install_dir }}/{{ chill['chill_environment'] }}/rabbitmq.env"
     owner: "{{ as_user }}"
     mode: '0400'
+  when: chill.rabbitmq_install
 
 - name: Create directory for storing configuration
   ansible.builtin.file:
-    path: "{{ install_dir }}/{{ item['chill_environment'] }}/config/prod"
+    path: "{{ install_dir }}/{{ chill['chill_environment'] }}/config/prod"
     state: directory
-    owner: "{{ as_user }}"
-    mode: '0400'
+    owner: "82"
+    mode: '0500'
 
 - name: Copy configuration files
   ansible.builtin.template:
     src: "config/prod/{{ file }}"
-    dest: "{{ install_dir }}/{{ item['chill_environment'] }}/config/prod/{{ file }}"
-    owner: "{{ as_user }}"
-    mode: '0444'
+    dest: "{{ install_dir }}/{{ chill['chill_environment'] }}/config/prod/{{ file }}"
+    owner: "82"
+    mode: '0400'
   loop:
     - lexik_jwt_authentication.yaml
     - messenger.yaml
@@ -61,7 +62,7 @@
 
 - name: Create directory for storing data
   ansible.builtin.file:
-    path: "{{ doc_storage_dir }}/{{ item['chill_environment'] }}"
+    path: "{{ doc_storage_dir }}/{{ chill['chill_environment'] }}"
     owner: "82"
     group: "82"
     mode: '0766'
@@ -71,6 +72,6 @@
 #
 # - name: Ensure systemd timer for cronjob is up
 #   ansible.builtin.systemd_service:
-#     name: "chill-cronjob@{{ item['chill_environment'] }}.timer"
+#     name: "chill-cronjob@{{ chill['chill_environment'] }}.timer"
 #     state: restarted
 #     enabled: true

tasks/chill/self_signed.yml

@@ -1,18 +1,18 @@
 
 - name: Create directory for storing certificates
   ansible.builtin.file:
-    path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}"
+    path: "/var/traefik/certs/chill/{{ chill['chill_environment'] }}"
     state: directory
     owner: "{{ as_user }}"
     mode: '0400'
 
 - name: Create private key
   community.crypto.openssl_privatekey:
-    path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/key.pem"
+    path: "/var/traefik/certs/chill/{{ chill['chill_environment'] }}/key.pem"
 
 - name: Create self signed certificate
   community.crypto.x509_certificate:
-    privatekey_path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/key.pem"
-    path: "/var/traefik/certs/chill/{{ item['chill_environment'] }}/cert.pem"
+    privatekey_path: "/var/traefik/certs/chill/{{ chill['chill_environment'] }}/key.pem"
+    path: "/var/traefik/certs/chill/{{ chill['chill_environment'] }}/cert.pem"
     provider: selfsigned
 

tasks/main.yml

@@ -13,10 +13,6 @@
     docker_install_compose_plugin: true
     docker_add_repo: true
 
-- name: Print all available facts
-  ansible.builtin.debug:
-    var: ansible_facts
-
 - name: Authenticate against private docker registry
   community.docker.docker_login:
     registry_url: "{{ registry_url }}"
@@ -60,6 +56,7 @@
 
 - name: Install traefik
   ansible.builtin.include_tasks: traefik.yml
+  when: traefik_install
 
 - name: Install systemd services
   ansible.builtin.template:
@@ -72,6 +69,8 @@
   loop:
     - chill-cronjob@.service
     - chill-cronjob@.timer
+    - chill-send-sms@.service
+    - chill-send-sms@.timer
   loop_control:
     loop_var: file
 

templates/compose.yaml

@@ -1,41 +1,59 @@
+# This file is managed by ansible. Do not edit it by hand
+
 services:
     frontend:
-        image: {{ registry_url }}/{{ registry_project }}/{{ chill_image_nginx_name }}:{{ item.chill_image_tag }}
+        image: {{ registry_url }}/{{ registry_project }}/{{ chill_image_nginx_name }}:{{ chill.chill_image_tag }}
         links:
             - app:php
+
+        {% if traefik_install %}
         labels:
             - "traefik.enable=true"
             - "traefik.docker.network=traefik"
-            - "traefik.http.routers.frontend-{{ item.chill_environment }}.rule=Host(`{{ item.host }}`)"
-            - "traefik.http.routers.frontend-{{ item.chill_environment }}.entrypoints=websecure"
-            {%+ if item.tls_config == 'self_signed' +%}
-            - "traefik.http.routers.frontend-{{ item.chill_environment }}.tls=true"
+            - "traefik.http.routers.frontend-{{ chill.chill_environment }}.rule=Host(`{{ chill.host }}`)"
+            - "traefik.http.routers.frontend-{{ chill.chill_environment }}.entrypoints=websecure"
+            {%+ if chill.tls_config == 'self_signed' +%}
+            - "traefik.http.routers.frontend-{{ chill.chill_environment }}.tls=true"
             {%+ endif +%}
-            {%+ if item.expose_port is not false +%}
-            - "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.rule=PathPrefix(`/`)"
-            - "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.entrypoints=chill{{ item.chill_environment }}"
-            {%+ if item.tls_config == 'self_signed' +%}
-            - "traefik.http.routers.frontend-exp-{{ item.chill_environment }}.tls=true"
+            {%+ if chill.expose_port is not false +%}
+            - "traefik.http.routers.frontend-exp-{{ chill.chill_environment }}.rule=PathPrefix(`/`)"
+            - "traefik.http.routers.frontend-exp-{{ chill.chill_environment }}.entrypoints=chill{{ chill.chill_environment }}"
+            {%+ if chill.tls_config == 'self_signed' +%}
+            - "traefik.http.routers.frontend-exp-{{ chill.chill_environment }}.tls=true"
             {%+ endif +%}
             {%+ endif +%}
+        {% endif %}
+
+      {% if chill.expose_port is not false +%}
+        ports:
+          - "{{ chill.expose_port }}:80"
+      {%+ endif %}
+
         networks:
+
+            {% if traefik_install %}
             - traefik
+            {% endif %}
+
             - default
         restart: always
 
     app: &defaultApp
-        image: {{ registry_url }}/{{ registry_project }}/{{ chill_image_php_name }}:{{ item.chill_image_tag }}
+        image: {{ registry_url }}/{{ registry_project }}/{{ chill_image_php_name }}:{{ chill.chill_image_tag }}
         env_file:
             - env_file.env
         volumes:
             - './config/prod:/var/www/app/config/packages/prod:ro'
             - '/var/log/chill:/var/www/app/var/log:rw'
-            - '{{ doc_storage_dir }}/{{ item['chill_environment'] }}:/var/storage:rw'
+            - '{{ doc_storage_dir }}/{{ chill['chill_environment'] }}:/var/storage:rw'
         links:
             - redis
             - relatorio
+            {% if chill.rabbitmq_install +%}
             - rabbitmq
-            {% if item.add_postgres -%}
+            {%+ endif %}
+
+            {% if chill.add_postgres -%}
             - database
             {%- endif %}
 
@@ -46,6 +64,8 @@ services:
     consumer:
         <<: *defaultApp
         entrypoint: "/usr/bin/env"
+        environment:
+            CLEAR_CACHE: "false" # pre-generating the cache cause issue with permissions on the cache directory.
         command:
             - "/bin/bash"
             - "-c"
@@ -53,12 +73,7 @@ services:
               sleep 3 && bin/console cache:clear &&
               while ! [ -f /tmp/kill_me ];
               do
-              su -s /bin/bash -c 'php -d memory_limit=2G bin/console messenger:consume priority async --limit=20 --time-limit=600 -v' "$PHP_FPM_USER";
-              rc=$?;
-              if [ $rc -ne 0 ]; then
-                echo "Consumer exited with status $rc. Stopping container.";
-                exit $rc;
-              fi
+              php -d memory_limit=2G bin/console messenger:consume priority async --limit=40 --time-limit=600 -v;
               done;
         pre_stop:
             - command:
@@ -72,7 +87,7 @@ services:
         command: ["bin/console", "chill:cron-job:execute", "-v"]
         restart: "no"
 
-  {% if item.add_postgres %}
+  {% if chill.add_postgres %}
 
     database:
         image: "{{ database_image }}"
@@ -124,6 +139,7 @@ services:
 #            rabbitmq:
 #                condition: service_healthy
 
+    {% if chill.rabbitmq_install +%}
     rabbitmq:
         image: "{{ chill_image_rabbitmq }}"
         env_file:
@@ -136,8 +152,13 @@ services:
         networks:
             - default
         restart: always
+   {% endif %}
 
 networks:
+
+    {% if traefik_install %}
     traefik:
         external: true
+    {% endif %}
+
     default:

templates/config/prod/chill_doc_store.yaml

@@ -1,3 +1,4 @@
+# this file is managed by ansible. Do not edit it by hand
 chill_doc_store:
     use_driver: local_storage
     local_storage:

templates/config/prod/framework.yaml

@@ -1,5 +1,11 @@
+# this file is managed by ansible. Do not edit it by hand
+
 framework:
+    {% if traefik_install +%}
     trusted_proxies: '127.0.0.1,REMOTE_ADDR{% for ip in traefik_trusted_ips|default([]) %},{{ ip }}{% endfor %}'
+    {%+ else %}
+    trusted_proxies: '127.0.0.1,{% for ip in chill.proxy_ips %}{{ ip }}{% if not loop.last %},{% endif %}{% endfor %}'
+    {%+ endif %}
     trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto', 'x-forwarded-port']
 
 parameters:

templates/config/prod/lexik_jwt_authentication.yaml

@@ -1,3 +1,4 @@
+# this file is managed by ansible. Do not edit it by hand
 lexik_jwt_authentication:
     # in production, the secret must be located in an environment variable
     # for converting the file to a raw variable, use this command:

templates/config/prod/messenger.yaml

@@ -1,6 +1,8 @@
+# this file is managed by ansible. Do not edit it by hand
 framework:
     messenger:
         transports:
+            {% if chill.rabbitmq_install +%}
             async:
                 dsn: '%env(RABBITMQ_URL)%/async'
                 options:
@@ -11,5 +13,9 @@ framework:
                         async: ~
                     auto_setup: true
             priority: '%env(RABBITMQ_URL)%/priority'
+            {% else +%}
+            async: 'doctrine://default'
+            priority: 'doctrine://default'
+            {% endif +%}
             failed: 'doctrine://default?queue_name=failed'
-            sync: 'sync://'
+            sync: 'sync://'

templates/config/prod/monolog.yaml

@@ -1,19 +1,41 @@
+# this file is managed by ansible. Do not edit it by hand
+
+#
+# NOTE: the ansible-role-chill will also configure a rule for logrotate, so,
+# we do not need to configure log rotation here
+#
+
 parameters:
-    log_prefix: {{ item.chill_environment }}
+  log_prefix: '{{ chill.chill_environment }}'
 monolog:
-    handlers:
-        default_log:
-            type: stream
-            path: "%kernel.logs_dir%/privacy-%log_prefix%.log"
-            level: info
-            channels: ['chill']
-        chill_log:
-            type: stream
-            path: "%kernel.logs_dir%/default-%log_prefix%.log"
-            level: info
-            channels: ['!event', '!doctrine', '!console', '!chill']
-        console:
-            type: console
-            process_psr_3_messages: false
-            channels: ['!event', '!doctrine', '!console']
-            bubble: false
+  # make a "notifier" channel available
+  channels: ['notifier']
+  handlers:
+    notifier_log:
+      type: stream
+      path: "%kernel.logs_dir%/notifier-%log_prefix%.log"
+      level: info
+      channels: [ 'notifier' ]
+    errors_log:
+      type: stream
+      path: "%kernel.logs_dir%/error-%log_prefix%.log"
+      level: error
+    privacy_log:
+      type: stream
+      path: "%kernel.logs_dir%/privacy-%log_prefix%.log"
+      level: info
+      channels: [ 'chill' ]
+    default_log:
+      type: stream
+      path: "%kernel.logs_dir%/default-%log_prefix%.log"
+      level: info
+      channels: [ '!event', '!doctrine', '!console', '!chill', '!deprecation']
+    deprecation_log:
+      type: 'null'
+      channels: [ 'deprecation' ]
+    console:
+      type: console
+      process_psr_3_messages: false
+      level: error
+      channels: [ '!event', '!doctrine', '!console', '!deprecation']
+      bubble: true

templates/env_file.env

@@ -1,3 +1,4 @@
+# This file is managed by ansible. Do not edit it by hand
 APP_ENV=prod
 APP_DEBUG=false
 TRUSTED_PROXIES=10.0.0.0/8,192.168.0.0/16,172.16.0.0/16
@@ -7,39 +8,45 @@ REDIS_PORT=6379
 REDIS_URL=redis://redis:6379
 RELATORIO_HOST=relatorio
 RELATORIO_PORT=8888
-TRUSTED_HOSTS={{ item.chill_config.trusted_hosts }}
-DATABASE_HOST={{ item.chill_config.database_host }}
-DATABASE_PORT={{ item.chill_config.database_port }}
-DATABASE_NAME={{ item.chill_config.database_name }}
-DATABASE_USER={{ item.chill_config.database_user }}
-DATABASE_VERSION={{ item.chill_config.database_version }}
+TRUSTED_HOSTS={{ chill.chill_config.trusted_hosts }}
+DATABASE_HOST={{ chill.chill_config.database_host }}
+DATABASE_PORT={{ chill.chill_config.database_port }}
+DATABASE_NAME={{ chill.chill_config.database_name }}
+DATABASE_USER={{ chill.chill_config.database_user }}
+DATABASE_VERSION={{ chill.chill_config.database_version }}
 LOCALE=fr
 MAILER_PROTOCOL=smtp
-MAILER_USER={{ item.chill_config.mailer_user }}
-MAILER_HOST={{ item.chill_config.mailer_host }}
-MAILER_PORT={{ item.chill_config.mailer_port }}
-NOTIFICATION_HOST={{ item.chill_config.notification_host }}
-NOTIFICATION_FROM_EMAIL={{ item.chill_config.notification_from_email }}
+MAILER_USER={{ chill.chill_config.mailer_user }}
+MAILER_HOST={{ chill.chill_config.mailer_host }}
+MAILER_PORT={{ chill.chill_config.mailer_port }}
+NOTIFICATION_HOST={{ chill.chill_config.notification_host }}
+NOTIFICATION_FROM_EMAIL={{ chill.chill_config.notification_from_email }}
 ASYNC_UPLOAD_TEMP_URL_BASE_PATH=
 ASYNC_UPLOAD_TEMP_URL_CONTAINER=
 ASYNC_UPLOAD_TEMP_URL_KEY=
 DEFAULT_CARRIER_CODE=FR
-APP_SECRET={{ item.chill_config.app_secret }}
-ADMIN_PASSWORD={{ item.chill_config.admin_password }}
-{% if item.chill_config.admin_password_1 is defined -%}
-ADMIN_PASSWORD_1={{ item.chill_config.admin_password_1 }}
+APP_SECRET={{ chill.chill_config.app_secret }}
+ADMIN_PASSWORD={{ chill.chill_config.admin_password }}
+{% if chill.chill_config.admin_password_1 is defined -%}
+ADMIN_PASSWORD_1={{ chill.chill_config.admin_password_1 }}
 {% endif -%}
-{% if item.chill_config.admin_password_2 is defined -%}
-ADMIN_PASSWORD_2={{ item.chill_config.admin_password_2 }}
+{% if chill.chill_config.admin_password_2 is defined -%}
+ADMIN_PASSWORD_2={{ chill.chill_config.admin_password_2 }}
 {% endif -%}
-{% if item.chill_config.admin_password_3 is defined -%}
-ADMIN_PASSWORD_3={{ item.chill_config.admin_password_3 }}
+{% if chill.chill_config.admin_password_3 is defined -%}
+ADMIN_PASSWORD_3={{ chill.chill_config.admin_password_3 }}
 {% endif -%}
-MAILER_DSN={{ item.chill_config.mailer_dsn }}
-MAILER_URL={{ item.chill_config.mailer_url }}
-JWT_PASSPHRASE={{ item.chill_config.jwt_passphrase }}
-JWT_SECRET_KEY={{ item.chill_config.jwt_secret_key }}
-JWT_PUBLIC_KEY={{ item.chill_config.jwt_public_key }}
-RABBITMQ_URL=amqp://{{ item.chill_config.rabbitmq_user }}:{{ item.chill_config.rabbitmq_password }}@rabbitmq/%2f
-DATABASE_URL=postgres://{{ item.chill_config.database_user }}:{{ item.chill_config.database_password }}@{% if item.add_postgres %}database:5432{% else %}{{ item.chill_config.database_host }}{% endif %}/{{ item.chill_config.database_name }}?sslmode=prefer&charset=utf8&serverVersion={{ item.chill_config.database_version }}
-EDITOR_SERVER={{ item.chill_config.editor_server }}
+MAILER_DSN={{ chill.chill_config.mailer_dsn }}
+MAILER_URL={{ chill.chill_config.mailer_url }}
+JWT_PASSPHRASE={{ chill.chill_config.jwt_passphrase }}
+JWT_SECRET_KEY={{ chill.chill_config.jwt_secret_key }}
+JWT_PUBLIC_KEY={{ chill.chill_config.jwt_public_key }}
+{% if chill.rabbitmq_install %}
+RABBITMQ_URL=amqp://{{ chill.chill_config.rabbitmq_user }}:{{ chill.chill_config.rabbitmq_password }}@rabbitmq/%2f
+{% endif %}
+DATABASE_URL=postgres://{{ chill.chill_config.database_user }}:{{ chill.chill_config.database_password }}@{% if chill.add_postgres %}database:5432{% else %}{{ chill.chill_config.database_host }}{% endif %}/{{ chill.chill_config.database_name }}?sslmode=prefer&charset=utf8&serverVersion={{ chill.chill_config.database_version }}
+EDITOR_SERVER={{ chill.chill_config.editor_server }}
+OVHCLOUD_DSN={{ chill.chill_config.ovhcloud_dsn }}
+{% for k, v in chill.chill_config.supplementary_environment_values.items() %}
+{{ k }}="{{ v }}"
+{% endfor %}

templates/logrotate/chill

@@ -1,17 +1,17 @@
-/var/log/chill/default-*.log {
+/var/log/chill/*.log {
   su php-fpm php-fpm
-  rotate 90
   daily
   compress
   missingok
   notifempty
+  copytruncate
+  rotate 90
 }
 
-/var/log/apt/privacy-*.log {
-  su php-fpm php-fpm
+/var/log/chill/privacy-*.log {
   rotate 180
-  daily
-  compress
-  missingok
-  notifempty
+}
+
+/var/log/chill/notifier-*.log {
+  rotate 800
 }

templates/postgres.env

@@ -1,3 +1,4 @@
+# this file is managed by ansible. Do not edit it by hand
 POSTGRES_DB={{ item.chill_config.database_name }}
 POSTGRES_USER={{ item.chill_config.database_user }}
 POSTGRES_PASSWORD={{ item.chill_config.database_password }}

templates/rabbitmq.env

@@ -1,2 +1,3 @@
+# this file is managed by ansible. Do not edit it by hand.
 RABBITMQ_DEFAULT_USER={{ item.chill_config.rabbitmq_user }}
 RABBITMQ_DEFAULT_PASS={{ item.chill_config.rabbitmq_password }}

templates/systemd/chill-send-sms@.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Execute send-short-messages for chill with environment %i
+
+[Service]
+User={{ as_user }}
+ExecStart=/usr/bin/docker compose --file {{ install_dir }}/%i/compose.yaml run cron bin/console chill:calendar:send-short-messages
+Type=simple
+# execute maximum 30 minutes
+RuntimeMaxSec=1800

templates/systemd/chill-send-sms@.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Run chill send-sms hourly 7:00–18:00 at minute 0
+
+[Timer]
+Unit=chill-send-sms@%i.service
+OnCalendar=*-*-* 7..18:00:00
+Persistent=true
+RandomizedDelaySec=60
+
+[Install]
+WantedBy=timers.target

templates/traefik-compose.yaml

@@ -1,3 +1,4 @@
+# this file is managed by ansible. Do not edit it by hand.
 services:
   reverse-proxy:
     # The official v3 Traefik docker image