debops.php default variables¶
Custom APT package repositories¶
-
php__version_preference
¶
List of APT package names which are scanned to check available PHP versions. The first found package wins. The php5 packages are not supported.
php__version_preference: [ 'php7.4', 'php7.3', 'php', 'php5.6' ]
-
php__sury
¶
Enable custom APT repositories of Ondřej Surý, Debian and Ubuntu PHP package maintainer. You can enable these repositories to install PHP 7.0 on Debian Jessie. See PHP packages provided by Ondřej Surý for more details.
php__sury: '{{ ansible_local.php.sury
               |d(ansible_distribution_release in [ "jessie", "stretch", "trusty", "xenial" ]) | bool }}'
-
php__sury_apt_key_id
¶
The OpenPGP key used to sign Ondřej Surý APT repository, dependent on the current OS distribution.
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
-
php__sury_apt_repo
¶
APT repository URL to Ondřej Surý repository, dependent on the current OS distribution.
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
-
php__sury_apt_key_id_map
¶
YAML dictionary map of OpenPGP key ids used to sign APT repository information, dependent on the OS distribution.
php__sury_apt_key_id_map:
  'Debian':
    - id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
      repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
      state: '{{ "present" if php__sury|bool else "absent" }}'
    # Key replaced due to security concerns
    # Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
    - id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
      state: 'absent'
  'Ubuntu':
    - id: '14AA 40EC 0831 7567 56D7 F66C 4F4E A0AA E526 7A6C'
      repo: 'ppa:ondrej/php'
      state: '{{ "present" if php__sury|bool else "absent" }}'
-
php__sury_apt_repo_map
¶
YAML dictionary map of APT repository URLs, dependent on the OS distribution.
php__sury_apt_repo_map:
  'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
  'Ubuntu': 'ppa:ondrej/php'
APT package installation¶
The role uses special filtering for APT package names to ensure support for different PHP versions. PHP APT packages are named in the format:
php<version>-<suffix>
For the automatic filter to work, all you need to do to install a package is to specify the <suffix> part. See php__packages for more details.
-
php__server_api_packages
¶
List of PHP Server API packages to install. The role checks this list to enable certain parts of itself when needed. It should contain only the names of the SAPI packages.
php__server_api_packages: [ 'cli', 'fpm' ]
-
php__base_packages
¶
Set of standard PHP packages to install.
php__base_packages:
  - '{{ "php" + php__version }}'
  - 'curl'
  - 'gd'
  - '{{ [] if php__composer_upstream_enabled|bool else "composer" }}'
  - '{{ "mcrypt"
        if (php__version is version_compare("7.2","<"))
        else [] }}'
-
php__packages
¶
List of additional "global" APT packages to install.
php__packages: []
-
php__group_packages
¶
List of APT packages for a group of hosts (only one group is supported).
php__group_packages: []
-
php__host_packages
¶
List of APT packages to install on a specific host.
php__host_packages: []
-
php__dependent_packages
¶
List of APT packages to install, requested by a role dependency.
php__dependent_packages: []
-
php__combined_packages
¶
List of all PHP packages requested for installation, passed to the filter script as a string of arguments for further processing.
php__combined_packages: '{{ (lookup("flattened",
                            php__server_api_packages
                            + php__base_packages
                            + php__packages
                            + php__group_packages
                            + php__host_packages
                            + php__dependent_packages).split(",")
                            | difference(php__included_packages))
                            | join(" ") }}'
-
php__reset
¶
Can be temporarily set to True to reevaluate the preferred PHP version and remove older PHP versions on the next Ansible run. Note that this option is not idempotent. It will reset on every role run.
php__reset: False
-
php__included_packages
¶
List of PHP packages which are shipped with the standard PHP distribution. This variable is used to abstract packaging differences between different PHP repositories or releases. If you use a custom APT package for PHP, you might need to adjust this list for proper package resolution.
php__included_packages: '{{ php__php_included_packages
                            if php__sury
                            else (php__release_included_map[ansible_distribution_release]
                                  | d(php__php_included_packages)) }}'
-
php__release_included_map
¶
Configuration dictionary mapping distribution releases to different PHP packaging configurations. Also see php__included_packages.
php__release_included_map:
  wheezy: '{{ php__php5_included_packages }}'
  jessie: '{{ php__php5_included_packages }}'
  stretch: '{{ php__php_included_packages }}'
  buster: '{{ php__php_included_packages }}'
  bullseye: '{{ php__php_included_packages }}'
  sid: '{{ php__php_included_packages }}'
  trusty: '{{ php__php5_included_packages }}'
  xenial: '{{ php__php_included_packages }}'
  zesty: '{{ php__php_included_packages }}'
  bionic: '{{ php__php_included_packages }}'
  focal: '{{ php__php_included_packages }}'
  groovy: '{{ php__php_included_packages }}'
-
php__php5_included_packages
¶
PHP packages usually part of the php5/php5-common packaging.
php__php5_included_packages: '{{ php__common_included_packages
                                 + [ "bcmath", "bz2", "dba", "dom", "ereg",
                                     "mbstring", "mhash", "SimpleXML", "soap",
                                     "wddx", "xml", "xmlreader", "xmlwriter",
                                     "zip" ] }}'
-
php__php_included_packages
¶
PHP packages usually part of the php/php-common (PHP 7.x) packaging.
php__php_included_packages: '{{ php__common_included_packages
                                + [ "sysvsem", "sysvshm" ] }}'
-
php__common_included_packages
¶
PHP packages usually part of the php/php-common packaging.
php__common_included_packages:
- 'calendar'
- 'ctype'
- 'date'
- 'exif'
- 'fileinfo'
- 'filter'
- 'ftp'
- 'gettext'
- 'hash'
- 'iconv'
- 'libxml'
- 'openssl'
- 'pcntl'
- 'pcre'
- 'PDO'
- 'Phar'
- 'posix'
- 'Reflection'
- 'session'
- 'shmop'
- 'sockets'
- 'SPL'
- 'standard'
- 'sysvmsg'
- 'tokenizer'
- 'zlib'
PHP Composer support¶
-
php__composer_upstream_enabled
¶
Enable or disable installation of the composer command from upstream. The composer package in older OS releases might not work as expected. If upstream installation is disabled, the composer APT package will be installed instead.
php__composer_upstream_enabled: '{{ True
                                    if (ansible_distribution_release in
                                        [ "wheezy", "jessie", "stretch",
                                          "precise", "trusty", "xenial", "bionic", "focal" ])
                                    else False }}'
-
php__composer_upstream_version
¶
The version of the PHP Composer release to install from upstream. Remember to update the watch file and the SHA256 checksum on changes.
php__composer_upstream_version: '1.8.5'
-
php__composer_upstream_checksum
¶
The SHA256 checksum of the PHP Composer release selected for installation.
php__composer_upstream_checksum: 'sha256:23b29b1a921b56db3c12ba531752dffcfaa3de0fcece3e54974e06990e46bbf9'
-
php__composer_upstream_url
¶
The URL to the PHP Composer binary which should be installed.
php__composer_upstream_url: '{{ "https://github.com/composer/composer/releases/download/"
                                + php__composer_upstream_version + "/composer.phar" }}'
-
php__composer_upstream_dest
¶
The absolute path of the PHP Composer binary destination file.
php__composer_upstream_dest: '/usr/local/bin/composer'
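The checksum variable above uses the form `<algorithm>:<hex digest>`. The following Python code is an added example, not part of the debops.php role: it shows the check such a pin is meant to enforce, where a download is hashed while it is staged and only moved into place when the digest matches. The function names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import io
import os
import tempfile

# Copied from php__composer_upstream_checksum on this page.
PINNED = "sha256:23b29b1a921b56db3c12ba531752dffcfaa3de0fcece3e54974e06990e46bbf9"
HEX_LENGTH = {"sha256": 64, "sha384": 96, "sha512": 128}  # accepted algorithms


def parse_checksum(spec):
    """Split '<algorithm>:<hex digest>'; reject weak or malformed pins."""
    algorithm, sep, digest = spec.strip().lower().partition(":")
    if not sep or algorithm not in HEX_LENGTH:
        raise ValueError("unsupported checksum algorithm in %r" % spec)
    if len(digest) != HEX_LENGTH[algorithm] or set(digest) - set("0123456789abcdef"):
        raise ValueError("malformed %s digest" % algorithm)
    return algorithm, digest


def install_verified(stream, spec, dest, mode=0o755):
    """Write stream to dest only if its digest matches spec; return True on success."""
    algorithm, expected = parse_checksum(spec)
    hasher = hashlib.new(algorithm)
    # Stage in the destination directory so the final rename is atomic.
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in iter(lambda: stream.read(65536), b""):
                hasher.update(chunk)
                tmp.write(chunk)
        if not hmac.compare_digest(hasher.hexdigest(), expected):
            return False  # mismatch: nothing ever appears at dest
        os.chmod(tmp_path, mode)
        os.replace(tmp_path, dest)
        return True
    finally:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # remove the staged file on mismatch or error


if __name__ == "__main__":
    # Constructed payload standing in for composer.phar; runs offline.
    payload = b"<?php // constructed stand-in for composer.phar\n"
    good_pin = "sha256:" + hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as workdir:
        dest = os.path.join(workdir, "composer")
        print("matching pin:", install_verified(io.BytesIO(payload), good_pin, dest))
        print("page's pin  :", install_verified(io.BytesIO(payload), PINNED, dest + ".x"))
```

When `php__composer_upstream_version` changes, the pinned digest has to change with it, otherwise the check rejects the new release.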
Global php.ini configuration¶
-
php__production
¶
This variable determines whether the php.ini configuration will be geared towards "production" systems (don't display errors), or "development" systems (display all errors).
php__production: True
-
php__ini_cgi_fix_pathinfo
¶
Enable or disable the cgi.fix_pathinfo option in PHP. This is highly dependent on the webserver used (nginx should have the option disabled, apache2 needs it to be enabled).
php__ini_cgi_fix_pathinfo: False
-
php__ini_max_execution_time
¶
Specify default maximum execution time, in seconds.
php__ini_max_execution_time: '30'
-
php__ini_max_input_time
¶
Specify default maximum input time, in seconds.
php__ini_max_input_time: '60'
-
php__ini_memory_limit
¶
Specify maximum memory limit for PHP processes, in megabytes.
php__ini_memory_limit: '128M'
-
php__ini_post_max_size
¶
Specify maximum size of the POST data, in megabytes.
php__ini_post_max_size: '8M'
-
php__ini_file_uploads
¶
Enable or disable file uploading in PHP applications.
php__ini_file_uploads: True
-
php__ini_upload_max_filesize
¶
Specify maximum size of uploaded files, in megabytes.
php__ini_upload_max_filesize: '{{ php__ini_post_max_size }}'
-
php__ini_max_file_uploads
¶
Specify maximum number of files uploaded at once.
php__ini_max_file_uploads: '20'
-
php__ini_default_charset
¶
Specify default charset used in PHP environment.
php__ini_default_charset: 'UTF-8'
-
php__ini_allow_url_fopen
¶
Enable or disable access to remote URLs in PHP applications.
php__ini_allow_url_fopen: True
-
php__ini_date_timezone
¶
Configure the PHP timezone. This variable uses configuration provided by the debops.core.
php__ini_date_timezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
Configuration added to php.ini¶
The role uses custom php.ini configuration files managed by Ansible. See php__configuration for more details.
-
php__default_configuration
¶
Default configuration of the php.ini added by the role.
php__default_configuration:
  - filename: '00-ansible'
    name: 'PHP'
    sections:
      - options: |
          max_execution_time = {{ php__ini_max_execution_time }}
          max_input_time = {{ php__ini_max_input_time }}
          memory_limit = {{ php__ini_memory_limit }}
          error_reporting = {{ (php__production|bool)|ternary('E_ALL & ~E_DEPRECATED & ~E_STRICT', 'E_ALL') }}
          display_errors = {{ (php__production|bool)|ternary('Off', 'On') }}
          display_startup_errors = {{ (php__production|bool)|ternary('Off', 'On') }}
          {% if php__version is version_compare("7.2","<") %}
          track_errors = {{ (php__production|bool)|ternary('Off', 'On') }}
          {% endif %}
          post_max_size = {{ php__ini_post_max_size }}
          default_charset = {{ php__ini_default_charset }}
          file_uploads = {{ (php__ini_file_uploads|bool)|ternary('On', 'Off') }}
          upload_max_filesize = {{ php__ini_upload_max_filesize }}
          max_file_uploads = {{ php__ini_max_file_uploads }}
          allow_url_fopen = {{ (php__ini_allow_url_fopen|bool)|ternary('On','Off') }}
      - name: 'CGI'
        options: |
          cgi.fix_pathinfo = {{ (php__ini_cgi_fix_pathinfo|bool)|ternary('1','0') }}
      - name: 'Date'
        options: |
          date.timezone = {{ php__ini_date_timezone }}
  - filename: '../cli/conf.d/30-memory_limit'
    name: 'PHP'
    options: |
      ; Don't limit memory for php-cli execution
      memory_limit = -1
-
php__configuration
¶
Custom php.ini configuration added on all hosts in Ansible inventory.
php__configuration: []
-
php__group_configuration
¶
Custom php.ini configuration added on a group of hosts in Ansible inventory.
php__group_configuration: []
-
php__host_configuration
¶
Custom php.ini configuration added on specific hosts in Ansible inventory.
php__host_configuration: []
-
php__dependent_configuration
¶
Custom php.ini configuration by other Ansible roles using dependent variables.
php__dependent_configuration: []
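The settings rendered by php__default_configuration can be checked after a role run. The following Python code is an added example, not part of the debops.php role: it parses php.ini-style text and reports directives that contradict what this page documents (errors hidden on production systems, cgi.fix_pathinfo matched to the webserver, upload size within the POST limit). The function names and the sample text are constructed; the fallback values used for missing directives are PHP's built-in defaults.

```python
import re

# Constructed sample: part of the 00-ansible template from this page rendered
# by hand with php__production set to False and the other defaults unchanged.
SAMPLE_INI = """\
[PHP]
display_errors = On
display_startup_errors = On
post_max_size = 8M
upload_max_filesize = 8M
[CGI]
cgi.fix_pathinfo = 0
"""

OFF_VALUES = {"", "0", "off", "no", "false", "none"}
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def is_on(value):
    return value.lower() not in OFF_VALUES


def to_bytes(value):  # PHP shorthand size such as '8M' -> bytes
    match = re.fullmatch(r"(\d+)([kmg]?)", value.lower())
    if not match:
        raise ValueError("not a PHP size: %r" % value)
    return int(match.group(1)) * UNITS[match.group(2)]


def audit(settings, production=True, webserver="nginx"):
    """Return the directives that contradict the intent documented for the role."""
    findings = []
    if production:  # production systems must not display errors
        for key in ("display_errors", "display_startup_errors"):
            if key not in settings or is_on(settings[key]):
                findings.append(key)
    # Per this page: disabled for nginx, enabled for apache2 (PHP default is 1).
    if is_on(settings.get("cgi.fix_pathinfo", "1")) != (webserver == "apache2"):
        findings.append("cgi.fix_pathinfo")
    # A file larger than post_max_size cannot fit in the POST body (0 = no limit).
    post = to_bytes(settings.get("post_max_size", "8M"))
    if post and to_bytes(settings.get("upload_max_filesize", "2M")) > post:
        findings.append("upload_max_filesize")
    return findings


print(audit(parse_ini(SAMPLE_INI)))
```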
Global PHP-FPM configuration¶
-
php__fpm_privileged_group
¶
System group which has privileged access to the php-fpm service.
php__fpm_privileged_group: 'webadmins'
-
php__fpm_syslog
¶
Enable or disable error logging to syslog. Currently the syslog logging in PHP has some issues: https://bugs.php.net/bug.php?id=67764
php__fpm_syslog: False
-
php__fpm_error_log
¶
Path to the error.log file which is used by PHP-FPM to log error messages. If it's set to syslog, error logs are sent to the local log daemon.
php__fpm_error_log: '{{ ("/var/log/php" + php__version + "-fpm.log")
                        if not php__fpm_syslog|bool else "syslog" }}'
-
php__fpm_syslog_ident
¶
When syslog logging is enabled, specify the program identification string used by PHP-FPM. This should be a single-word string, without spaces.
php__fpm_syslog_ident: 'php-fpm'
-
php__fpm_syslog_facility
¶
When syslog logging is enabled, specify the syslog facility to use.
php__fpm_syslog_facility: 'daemon'
-
php__fpm_log_level
¶
When syslog logging is enabled, specify the log level used by PHP-FPM.
php__fpm_log_level: 'notice'
-
php__fpm_emergency_restart_threshold
¶
Specify number of PHP-FPM child processes that exit with errors during a given interval (see below) that will trigger an automatic restart of the master PHP-FPM process.
php__fpm_emergency_restart_threshold: '0'
-
php__fpm_emergency_restart_interval
¶
Specify the interval which is used to determine number of PHP-FPM child processes that exit with errors.
php__fpm_emergency_restart_interval: '0'
-
php__fpm_process_control_timeout
¶
Specify maximum wait time the master PHP-FPM process waits for a reaction on the signals sent to the child processes.
php__fpm_process_control_timeout: '0'
-
php__fpm_process_max
¶
Maximum number of PHP-FPM child processes.
php__fpm_process_max: '128'
PHP-FPM pool defaults¶
These configuration variables are used as default values in PHP-FPM pool configuration. They can be specified as the keys of the YAML dictionaries that define specific PHP-FPM pool configuration, after removing the php__fpm_ prefix from the variable name.
-
php__fpm_listen_owner
¶
The system user that will be the owner of the PHP-FPM socket. This should be the username of the webserver account, so that it can use the socket to communicate with the PHP-FPM process. This account needs to exist before the PHP-FPM process is started (the www-data account is created by default on Debian/Ubuntu systems).
php__fpm_listen_owner: 'www-data'
-
php__fpm_listen_group
¶
The system group that will be the primary group of the PHP-FPM socket. This should be the group that the webserver belongs to, so that it can use the socket to communicate with the PHP-FPM process. This group needs to exist before the PHP-FPM process is started (the www-data group is created by default on Debian/Ubuntu systems).
php__fpm_listen_group: 'www-data'
-
php__fpm_listen_mode
¶
The default permissions applied to the PHP-FPM pool sockets.
php__fpm_listen_mode: '0660'
-
php__fpm_listen_backlog
¶
The default limit for socket connection backlog. If you tune this parameter, you should also consider sysctl parameters net.ipv4.tcp_max_syn_backlog, net.ipv4.ip_local_port_range, net.ipv4.tcp_tw_reuse and net.core.somaxconn.
php__fpm_listen_backlog: '511'
-
php__fpm_pm
¶
Select the default way the PHP-FPM master process will manage pool child processes. Possible values: static, dynamic, ondemand.
php__fpm_pm: 'ondemand'
-
php__fpm_pm_max_children
¶
Maximum number of child processes in a PHP-FPM pool for any management mode.
php__fpm_pm_max_children: '{{ ansible_processor_vcpus }}'
-
php__fpm_pm_start_servers
¶
The number of pool child processes created at startup, used by the dynamic management mode.
php__fpm_pm_start_servers: '{{ ansible_processor_cores }}'
-
php__fpm_pm_min_spare_servers
¶
Minimum number of idle spare servers that should be kept around, used by the dynamic management mode.
php__fpm_pm_min_spare_servers: '1'
-
php__fpm_pm_max_spare_servers
¶
Maximum number of idle spare servers that should be kept around, used by the dynamic management mode.
php__fpm_pm_max_spare_servers: '{{ php__fpm_pm_max_children }}'
-
php__fpm_pm_process_idle_timeout
¶
Timeout in seconds for the PHP-FPM pool child processes, used by the ondemand management mode.
php__fpm_pm_process_idle_timeout: '10s'
-
php__fpm_pm_max_requests
¶
Maximum number of requests after which PHP-FPM pool child processes will be respawned.
php__fpm_pm_max_requests: '500'
-
php__fpm_pm_status
¶
Enable or disable pool status page in all PHP-FPM pools. You might need to configure the webserver to allow access to this page as well.
php__fpm_pm_status: False
-
php__fpm_pm_status_path
¶
The URL path of the pool status page. It needs to start with /; the .php prefix is discouraged to not create issues with passing the request to the PHP-FPM process.
php__fpm_pm_status_path: '/status.php'
-
php__fpm_ping_path
¶
The URL path of the "ping" request for all PHP-FPM pools.
php__fpm_ping_path: '/ping.php'
-
php__fpm_ping_response
¶
A string that defines the expected response of the "ping" request.
php__fpm_ping_response: 'pong'
-
php__fpm_access_log
¶
Enable or disable request log in /var/log/php5,7.0-fpm/$pool_access.log for all PHP-FPM pools.
php__fpm_access_log: False
-
php__fpm_request_terminate_timeout
¶
Specify maximum request time after which the worker process will be killed.
php__fpm_request_terminate_timeout: '{{ php__ini_max_execution_time }}'
-
php__fpm_rlimit_files
¶
Specify maximum number of opened file descriptors.
php__fpm_rlimit_files: '1024'
-
php__fpm_rlimit_core
¶
Specify maximum size of the core files.
php__fpm_rlimit_core: '0'
-
php__fpm_catch_workers_output
¶
If enabled, redirect stdout and stderr streams of the worker processes to the main error.log file. Might impact performance.
php__fpm_catch_workers_output: False
-
php__fpm_security_limit_extensions
¶
List of file extensions which are considered to be PHP scripts by the interpreter.
php__fpm_security_limit_extensions: [ '.php' ]
-
php__fpm_clear_env
¶
If enabled, the PHP-FPM pool will clear the child process environment before adding the specified environment variables.
php__fpm_clear_env: False
-
php__fpm_environment
¶
A YAML dictionary with environment variables that should be set in all PHP-FPM pools on all hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.
php__fpm_environment: {}
-
php__fpm_group_environment
¶
A YAML dictionary with environment variables that should be set in all PHP-FPM pools on a group of hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.
php__fpm_group_environment: {}
-
php__fpm_host_environment
¶
A YAML dictionary with environment variables that should be set in all PHP-FPM pools on specific hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.
php__fpm_host_environment: {}
PHP-FPM pools¶
Lists of PHP-FPM pools managed by the debops.php role. Each PHP-FPM pool is defined as a YAML dictionary. See php__pools for more details.
-
php__default_pools
¶
List of default PHP-FPM pools configured on all hosts. At least 1 pool is required at all times, otherwise the service will not start properly.
php__default_pools: [ '{{ php__pool_www_data }}' ]
-
php__pools
¶
List of PHP-FPM pools configured on all hosts in Ansible inventory.
php__pools: []
-
php__group_pools
¶
List of PHP-FPM pools configured on a group of hosts in Ansible inventory.
php__group_pools: []
-
php__host_pools
¶
List of PHP-FPM pools configured on specific hosts in Ansible inventory.
php__host_pools: []
-
php__dependent_pools
¶
List of PHP-FPM pools configured by other Ansible roles using dependent variables.
php__dependent_pools: []
-
php__pool_www_data
¶
The default PHP-FPM pool for the www-data system account.
php__pool_www_data:
  name: 'www-data'
Configuration for other Ansible roles¶
-
php__apt_preferences__dependent_list
¶
Configuration of the debops.apt_preferences role.
php__apt_preferences__dependent_list:
  - package: '*'
    pin: 'origin "packages.sury.org"'
    priority: '100'
    reason: "Don't upgrade software automatically using packages from external repository"
    role: 'debops.php'
    suffix: '_packages_sury_org'
    state: '{{ "present" if php__sury|bool else "absent" }}'
  - packages: [ 'php', 'php5', 'php5*', 'php7*', 'dh-php', 'php-*',
                'libpcre2-8-0', 'libpcre3', 'libzip4', 'libpcre16-3',
                'libpcre32-3', 'libpcrecpp0v5', 'libpcre3-dev',
                'libapache2-mod-php', 'libapache2-mod-php*',
                'libsodium23' ]
    pin: 'origin "packages.sury.org"'
    priority: '500'
    reason: 'Prefer PHP packages from the same repository for consistency'
    role: 'debops.php'
    suffix: '_packages_sury_org'
    state: '{{ "present" if php__sury|bool else "absent" }}'
-
php__keyring__dependent_apt_keys
¶
Configuration for the debops.keyring Ansible role.
php__keyring__dependent_apt_keys:
- '{{ php__sury_apt_key_id }}'
-
php__logrotate__dependent_config
¶
Configuration of the debops.logrotate role.
php__logrotate__dependent_config:
  - filename: 'php{{ php__version }}-fpm'
    divert: True
    logs:
      - '/var/log/php{{ php__version }}-fpm.log'
      - '/var/log/php{{ php__version }}-fpm/*.log'
    options: |
      create 0660 root adm
      rotate 12
      missingok
      weekly
      notifempty
      compress
      delaycompress
    postrotate: |
      {% if php__long_version is version_compare("5.5","<") %}
      invoke-rc.d php{{ php__version }}-fpm reopen-logs > /dev/null
      {% else %}
      {{ php__logrotate_lib_base }}/php{{ php__version }}-fpm-reopenlogs
      {% endif %}