debops.php default variables

Custom APT package repositories

php__version_preference

List of APT package names which are scanned to check available PHP versions. The first found package wins. The php5 packages are not supported.

php__version_preference: [ 'php7.4', 'php7.3', 'php', 'php5.6' ]
php__sury

Enable custom APT repositories of Ondřej Surý, Debian and Ubuntu PHP package maintainer. You can enable these repositories to install PHP 7.0 on Debian Jessie. See PHP packages provided by Ondřej Surý for more details.

php__sury: '{{ ansible_local.php.sury
                | d(ansible_distribution_release in ["stretch", "trusty", "xenial"]) | bool }}'
php__sury_apt_key_id

The OpenPGP key used to sign Ondřej Surý APT repository, dependent on the current OS distribution.

php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
php__sury_apt_repo

APT repository URL to Ondřej Surý repository, dependent on the current OS distribution.

php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
php__sury_apt_key_id_map

YAML dictionary map of OpenPGP key ids used to sign APT repository information, dependent on the OS distribution.

php__sury_apt_key_id_map:
  'Debian':
    - id: '1505 8500 A023 5D97 F5D1  0063 B188 E2B6 95BD 4743'
      repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
      state: '{{ "present" if php__sury | bool else "absent" }}'

    # Key replaced due to security concerns
    # Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
    - id: 'DF3D 585D B8F0 EB65 8690  A554 AC0E 4758 4A7A 714D'
      state: 'absent'

  'Ubuntu':
    - id: '14AA 40EC 0831 7567 56D7  F66C 4F4E A0AA E526 7A6C'
      repo: 'ppa:ondrej/php'
      state: '{{ "present" if php__sury | bool else "absent" }}'
php__sury_apt_repo_map

YAML dictionary map of APT repository URLs, dependent on the OS distribution.

php__sury_apt_repo_map:
  'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
  'Ubuntu': 'ppa:ondrej/php'

APT package installation

The role uses a special filtering for APT package names to ensure support for different PHP versions. PHP APT packages are named in the format:

php<version>-<suffix>

For the automatic filter to work, all you need to do to install a package is to specify the <suffix> part. See php__packages for more details.

php__server_api_packages

List of PHP Server API packages to install. This list is checked against to enable certain parts of the role if needed. It should contain only the names of the SAPI packages.

php__server_api_packages: [ 'cli', 'fpm' ]
php__base_packages

Install set of standard PHP packages.

php__base_packages:
  - '{{ "php" + php__version }}'
  - 'curl'
  - 'gd'
  - '{{ [] if php__composer_upstream_enabled | bool else "composer" }}'
  - '{{ "mcrypt"
        if (php__version is version_compare("7.2", "<"))
        else [] }}'
php__packages

List of additional "global" APT packages to install.

php__packages: []
php__group_packages

List of APT packages for a group of hosts (only one group is supported).

php__group_packages: []
php__host_packages

List of APT packages to install on a specific host.

php__host_packages: []
php__dependent_packages

List of APT packages to install, requested by a role dependency.

php__dependent_packages: []
php__combined_packages

List of all PHP packages requested for installation passed to the filter script as a string of arguments for further processing.

php__combined_packages: '{{ (lookup("flattened",
                             php__server_api_packages
                             + php__base_packages
                             + php__packages
                             + php__group_packages
                             + php__host_packages
                             + php__dependent_packages).split(",")
                            | difference(php__included_packages))
                            | join(" ") }}'
php__reset

Can be temporally set to True to reevaluate the preferred PHP version and remove older PHP versions on the next Ansible run. Note that this option is not idempotent. It will reset on every role run.

php__reset: False
php__included_packages

List of PHP packages which are shipped with the standard PHP distribution. This variable is used to abstract packaging differences between different PHP repositories or releases. If you use a custom APT package for PHP, you might need to adjust this list for proper package resolution.

php__included_packages: '{{ php__php_included_packages
                            if php__sury
                            else (php__release_included_map[ansible_distribution_release]
                                  | d(php__php_included_packages)) }}'
php__release_included_map

Configuration dictionary mapping distribution releases to different PHP packaging configurations. Also see php__included_packages.

php__release_included_map:
  stretch:  '{{ php__php_included_packages }}'
  buster:   '{{ php__php_included_packages }}'
  bullseye: '{{ php__php_included_packages }}'
  sid:      '{{ php__php_included_packages }}'
  trusty:   '{{ php__php5_included_packages }}'
  xenial:   '{{ php__php_included_packages }}'
  zesty:    '{{ php__php_included_packages }}'
  bionic:   '{{ php__php_included_packages }}'
  focal:    '{{ php__php_included_packages }}'
  groovy:    '{{ php__php_included_packages }}'
php__php5_included_packages

PHP packages usually part of the php5/php5-common packaging.

php__php5_included_packages: '{{ php__common_included_packages
                                 + ["bcmath", "bz2", "dba", "dom", "ereg",
                                    "mbstring", "mhash", "SimpleXML", "soap",
                                    "wddx", "xml", "xmlreader", "xmlwriter",
                                    "zip"] }}'
php__php_included_packages

PHP packages usually part of the php/php-common (PHP 7.x) packaging.

php__php_included_packages: '{{ php__common_included_packages
                                + ["sysvsem", "sysvshm"] }}'
php__common_included_packages

PHP packages usually part of the php/php-common packaging.

php__common_included_packages:
  - 'calendar'
  - 'ctype'
  - 'date'
  - 'exif'
  - 'fileinfo'
  - 'filter'
  - 'ftp'
  - 'gettext'
  - 'hash'
  - 'iconv'
  - 'libxml'
  - 'openssl'
  - 'pcntl'
  - 'pcre'
  - 'PDO'
  - 'Phar'
  - 'posix'
  - 'Reflection'
  - 'session'
  - 'shmop'
  - 'sockets'
  - 'SPL'
  - 'standard'
  - 'sysvmsg'
  - 'tokenizer'
  - 'zlib'

PHP Composer support

php__composer_upstream_enabled

Enable or disable installation of the composer command from upstream. The composer package in older OS releases might not work as expected. If upstream installation is disabled, the composer APT package will be installed instead.

php__composer_upstream_enabled: '{{ True
                                    if (ansible_distribution_release in
                                        ["stretch", "trusty", "xenial",
                                         "bionic", "focal"])
                                    else False }}'
php__composer_upstream_version

The version of the PHP Composer release to install from upstream. Remember to update the watch file and the SHA256 checksum on changes.

php__composer_upstream_version: '1.8.5'
php__composer_upstream_checksum

The SHA256 checksum of the PHP Composer release selected for installation.

php__composer_upstream_checksum: 'sha256:23b29b1a921b56db3c12ba531752dffcfaa3de0fcece3e54974e06990e46bbf9'
php__composer_upstream_url

The URL to the PHP Composer binary which should be installed.

php__composer_upstream_url: '{{ "https://github.com/composer/composer/releases/download/"
                                + php__composer_upstream_version + "/composer.phar" }}'
php__composer_upstream_dest

The absolute path of the PHP Composer binary destination file.

php__composer_upstream_dest: '/usr/local/bin/composer'

Global php.ini configuration

php__production

This variable determines if the php.ini configuration will be configured towards "production" systems (don't display errors), or "development" systems (display all errors).

php__production: True
php__ini_cgi_fix_pathinfo

Enable or disable cgi.fix_pathinfo option in PHP. This is highly dependent on the used webserver (nginx should have the option disabled, apache2 needs it to be enabled).

php__ini_cgi_fix_pathinfo: False
php__ini_max_execution_time

Specify default maximum execution time, in seconds.

php__ini_max_execution_time: '30'
php__ini_max_input_time

Specify default maximum input time, in seconds.

php__ini_max_input_time: '60'
php__ini_memory_limit

Specify maximum memory limit for PHP processes, in megabytes.

php__ini_memory_limit: '128M'
php__ini_post_max_size

Specify maximum size of the POST data, in megabytes.

php__ini_post_max_size: '8M'
php__ini_file_uploads

Enable or disable file uploading in PHP applications.

php__ini_file_uploads: True
php__ini_upload_max_filesize

Specify maximum size of uploaded files, in megabytes.

php__ini_upload_max_filesize: '{{ php__ini_post_max_size }}'
php__ini_max_file_uploads

Specify maximum number of files uploaded at once.

php__ini_max_file_uploads: '20'
php__ini_default_charset

Specify default charset used in PHP environment.

php__ini_default_charset: 'UTF-8'
php__ini_allow_url_fopen

Enable or disable access to remote URLs in PHP applications.

php__ini_allow_url_fopen: True
php__ini_date_timezone

Configure the PHP timezone. This variable uses configuration provided by the debops.core.

php__ini_date_timezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'

Configuration added to php.ini

The role uses custom php.ini configuration files managed by Ansible. See php__configuration for more details.

php__default_configuration

Default configuration of the php.ini added by the role.

php__default_configuration:

  - filename: '00-ansible'
    name: 'PHP'
    sections:

      - options: |
          max_execution_time =     {{ php__ini_max_execution_time }}
          max_input_time =         {{ php__ini_max_input_time }}
          memory_limit =           {{ php__ini_memory_limit }}
          error_reporting =        {{ (php__production | bool) | ternary('E_ALL & ~E_DEPRECATED & ~E_STRICT', 'E_ALL') }}
          display_errors =         {{ (php__production | bool) | ternary('Off', 'On') }}
          display_startup_errors = {{ (php__production | bool) | ternary('Off', 'On') }}
          {% if php__version is version_compare("7.2", "<") %}
          track_errors =           {{ (php__production | bool) | ternary('Off', 'On') }}
          {% endif %}
          post_max_size =          {{ php__ini_post_max_size }}
          default_charset =        {{ php__ini_default_charset }}
          file_uploads =           {{ (php__ini_file_uploads | bool) | ternary('On', 'Off') }}
          upload_max_filesize =    {{ php__ini_upload_max_filesize }}
          max_file_uploads =       {{ php__ini_max_file_uploads }}
          allow_url_fopen =        {{ (php__ini_allow_url_fopen | bool) | ternary('On', 'Off') }}

      - name: 'CGI'
        options: |
          cgi.fix_pathinfo =       {{ (php__ini_cgi_fix_pathinfo | bool) | ternary('1', '0') }}

      - name: 'Date'
        options: |
          date.timezone =          {{ php__ini_date_timezone }}

  - filename: '../cli/conf.d/30-memory_limit'
    name: 'PHP'
    options: |
      ; Don't limit memory for php-cli execution
      memory_limit = -1
php__configuration

Custom php.ini configuration added on all hosts in Ansible inventory.

php__configuration: []
php__group_configuration

Custom php.ini configuration added on a group of hosts in Ansible inventory.

php__group_configuration: []
php__host_configuration

Custom php.ini configuration added on specific hosts in Ansible inventory.

php__host_configuration: []
php__dependent_configuration

Custom php.ini configuration by other Ansible roles using dependent variables.

php__dependent_configuration: []

Global PHP-FPM configuration

php__fpm_privileged_group

What system group has privileged access to php-fpm service.

php__fpm_privileged_group: 'webadmins'
php__fpm_syslog

Enable or disable error logging to syslog. Currently the syslog logging in PHP has some issues: https://bugs.php.net/bug.php?id=67764

php__fpm_syslog: False
php__fpm_error_log

Path to the error.log file which is used by PHP-FPM to log error messages.

If it's set to syslog, error logs are sent to the local log daemon.

php__fpm_error_log: '{{ ("/var/log/php" + php__version + "-fpm.log")
                        if not php__fpm_syslog | bool else "syslog" }}'
php__fpm_syslog_ident

When syslog logging is enabled, specify the program identification string used by PHP-FPM. This should be one word string, without spaces.

php__fpm_syslog_ident: 'php-fpm'
php__fpm_syslog_facility

When syslog logging is enabled, specify the syslog facility to use.

php__fpm_syslog_facility: 'daemon'
php__fpm_log_level

When syslog logging is enabled, specify the log level used by PHP-FPM.

php__fpm_log_level: 'notice'
php__fpm_emergency_restart_threshold

Specify number of PHP-FPM child processes that exit with errors during a given interval (see below) that will trigger an automatic restart of the master PHP-FPM process.

php__fpm_emergency_restart_threshold: '0'
php__fpm_emergency_restart_interval

Specify the interval which is used to determine number of PHP-FPM child processes that exit with errors.

php__fpm_emergency_restart_interval: '0'
php__fpm_process_control_timeout

Specify maximum wait time the master PHP-FPM process waits for a reaction on the signals sent to the child processes.

php__fpm_process_control_timeout: '0'
php__fpm_process_max

Maximum number of PHP-FPM child processes.

php__fpm_process_max: '128'

PHP-FPM pool defaults

These configuration variables are used as default values in PHP-FPM pool configuration. They can be specified as the keys of the YAML dictionaries that define specific PHP-FPM pool configuration, after removing the php__fpm_ prefix from the variable name.

php__fpm_listen_owner

The system user that will be the owner of the PHP-FPM socket. This should be the username of the webserver account, so that it can use the socket to communicate with the PHP-FPM process. This account needs to exist before the PHP-FPM process is started (the www-data account is created by default on Debian/Ubuntu systems).

php__fpm_listen_owner: 'www-data'
php__fpm_listen_group

The system group that will be the primary group of the PHP-FPM socket. This should be the group that the webserver belongs to, so that it can use the socket to communicate with the PHP-FPM process. This group needs to exist before the PHP-FPM process is started (the www-data group is created by default on Debian/Ubuntu systems).

php__fpm_listen_group: 'www-data'
php__fpm_listen_mode

The default permissions applied to the PHP-FPM pool sockets.

php__fpm_listen_mode: '0660'
php__fpm_listen_backlog

The default limit for socket connection backlog. If you tune this parameter, you should also consider sysctl parameters net.ipv4.tcp_max_syn_backlog, net.ipv4.ip_local_port_range, net.ipv4.tcp_tw_reuse and net.core.somaxconn.

php__fpm_listen_backlog: '511'
php__fpm_pm

Select the default way the PHP-FPM master process will manage pool child processes. Possible values: static, dynamic, ondemand.

php__fpm_pm: 'ondemand'
php__fpm_pm_max_children

Maximum number of child processes in a PHP-FPM pool for any management mode.

php__fpm_pm_max_children: '{{ ansible_processor_vcpus }}'
php__fpm_pm_start_servers

The number of pool child processes created at startup, used by the dynamic management mode.

php__fpm_pm_start_servers: '{{ ansible_processor_cores }}'
php__fpm_pm_min_spare_servers

Number of minimum idle spare servers that should be kept around, used by the dynamic management mode.

php__fpm_pm_min_spare_servers: '1'
php__fpm_pm_max_spare_servers

Number of maximum idle spare servers that should be kept around, used by the dynamic management mode.

php__fpm_pm_max_spare_servers: '{{ php__fpm_pm_max_children }}'
php__fpm_pm_process_idle_timeout

Timeout in seconds for the PHP-FPM pool child processes, used by the ondemand management mode.

php__fpm_pm_process_idle_timeout: '10s'
php__fpm_pm_max_requests

Maximum number of requests after which PHP-FPM pool child processes will be respawned.

php__fpm_pm_max_requests: '500'
php__fpm_pm_status

Enable or disable pool status page in all PHP-FPM pools. You might need to configure the webserver to allow access to this page as well.

php__fpm_pm_status: False
php__fpm_pm_status_path

The URL path of the pool status page. It needs to start with /, the .php prefix is discouraged to not create issues with passing the request to the PHP-FPM process.

php__fpm_pm_status_path: '/status.php'
php__fpm_ping_path

The URL path of the "ping" request for all PHP-FPM pools.

php__fpm_ping_path: '/ping.php'
php__fpm_ping_response

A string that defines the expected response of the "ping" request.

php__fpm_ping_response: 'pong'
php__fpm_access_log

Enable or disable request log in /var/log/php5,7.0-fpm/$pool_access.log for all PHP-FPM pools.

php__fpm_access_log: False
php__fpm_request_terminate_timeout

Specify maximum request time after which the worker process will be killed.

php__fpm_request_terminate_timeout: '{{ php__ini_max_execution_time }}'
php__fpm_rlimit_files

Specify maximum number of opened file descriptors.

php__fpm_rlimit_files: '1024'
php__fpm_rlimit_core

Specify maximum size of the core files.

php__fpm_rlimit_core: '0'
php__fpm_catch_workers_output

If enabled, redirect stdout and stderr streams of the worker processes to the main error.log file. Might impact performance.

php__fpm_catch_workers_output: False
php__fpm_security_limit_extensions

List of file extensions which are considered to be PHP scripts by the interpreter.

php__fpm_security_limit_extensions:  [ '.php' ]
php__fpm_clear_env

If enabled, the PHP-FPM pool will clear the child process environment before adding the specified environment variables.

php__fpm_clear_env: False
php__fpm_environment

A YAML dictionary with environment variables that should be set in all PHP-FPM pools on all hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.

php__fpm_environment: {}
php__fpm_group_environment

A YAML dictionary with environment variables that should be set in all PHP-FPM pools on a group of hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.

php__fpm_group_environment: {}
php__fpm_host_environment

A YAML dictionary with environment variables that should be set in all PHP-FPM pools on a specific hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.

php__fpm_host_environment: {}

PHP-FPM pools

Lists of PHP-FPM pools managed by the debops.php role. Each PHP-FPM pool is defined as a YAML dictionary. See php__pools for more details.

php__default_pools

List of default PHP-FPM pools configured on all hosts. At least 1 pool is required at all times, otherwise the service will not start properly.

php__default_pools: [ '{{ php__pool_www_data }}' ]
php__pools

List of PHP-FPM pools configured on all hosts in Ansible inventory.

php__pools: []
php__group_pools

List of PHP-FPM pools configured on a group of hosts in Ansible inventory.

php__group_pools: []
php__host_pools

List of PHP-FPM pools configured on specific hosts in Ansible inventory.

php__host_pools: []
php__dependent_pools

List of PHP-FPM pools configured by other Ansible roles using dependent variables.

php__dependent_pools: []
php__pool_www_data

The default PHP-FPM pool for the www-data system account.

php__pool_www_data:
  name: 'www-data'

Configuration for other Ansible roles

php__apt_preferences__dependent_list

Configuration of the debops.apt_preferences role.

php__apt_preferences__dependent_list:

  - package: '*'
    pin: 'origin "packages.sury.org"'
    priority: '100'
    reason: "Don't upgrade software automatically using packages from external repository"
    role: 'debops.php'
    suffix: '_packages_sury_org'
    state: '{{ "present" if php__sury | bool else "absent" }}'

  - packages: [ 'php', 'php5', 'php5*', 'php7*', 'dh-php', 'php-*',
                'libpcre2-8-0', 'libpcre3', 'libzip4', 'libpcre16-3',
                'libpcre32-3', 'libpcrecpp0v5', 'libpcre3-dev',
                'libapache2-mod-php', 'libapache2-mod-php*',
                'libsodium23' ]
    pin: 'origin "packages.sury.org"'
    priority: '500'
    reason: 'Prefer PHP packages from the same repository for consistency'
    role: 'debops.php'
    suffix: '_packages_sury_org'
    state: '{{ "present" if php__sury | bool else "absent" }}'
php__keyring__dependent_apt_keys

Configuration for the debops.keyring Ansible role.

php__keyring__dependent_apt_keys:

  - '{{ php__sury_apt_key_id }}'
php__logrotate__dependent_config

Configuration of the debops.logrotate role.

php__logrotate__dependent_config:

  - filename: 'php{{ php__version }}-fpm'
    divert: True
    logs:
      - '/var/log/php{{ php__version }}-fpm.log'
      - '/var/log/php{{ php__version }}-fpm/*.log'
    options: |
      create 0660 root adm
      rotate 12
      missingok
      weekly
      notifempty
      compress
      delaycompress
    postrotate: |
      {% if php__long_version is version_compare("5.5", "<") %}
      invoke-rc.d php{{ php__version }}-fpm reopen-logs > /dev/null
      {% else %}
      {{ php__logrotate_lib_base }}/php{{ php__version }}-fpm-reopenlogs
      {% endif %}