debops.php default variables
Sections
Custom APT package repositories
- php__version_preference
List of APT package names which are scanned to check available PHP versions.
The first found package wins. The php5
packages are not supported.
php__version_preference: [ 'php7.4', 'php7.3', 'php', 'php5.6' ]
- php__sury
Enable custom APT repositories of Ondřej Surý, Debian and Ubuntu PHP package maintainer. You can enable these repositories to install PHP 7.0 on Debian Jessie. See PHP packages provided by Ondřej Surý for more details.
php__sury: '{{ ansible_local.php.sury
| d(ansible_distribution_release in ["stretch", "trusty", "xenial"]) | bool }}'
- php__sury_apt_key_id
The OpenPGP key used to sign Ondřej Surý APT repository, dependent on the current OS distribution.
php__sury_apt_key_id: '{{ php__sury_apt_key_id_map[ansible_distribution] }}'
- php__sury_apt_repo
APT repository URL to Ondřej Surý repository, dependent on the current OS distribution.
php__sury_apt_repo: '{{ php__sury_apt_repo_map[ansible_distribution] }}'
- php__sury_apt_key_id_map
YAML dictionary map of OpenPGP key ids used to sign APT repository information, dependent on the OS distribution.
php__sury_apt_key_id_map:
'Debian':
- id: '1505 8500 A023 5D97 F5D1 0063 B188 E2B6 95BD 4743'
repo: 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
state: '{{ "present" if php__sury | bool else "absent" }}'
# Key replaced due to security concerns
# Ref: https://www.patreon.com/posts/dpa-new-signing-25451165
- id: 'DF3D 585D B8F0 EB65 8690 A554 AC0E 4758 4A7A 714D'
state: 'absent'
'Ubuntu':
- id: '14AA 40EC 0831 7567 56D7 F66C 4F4E A0AA E526 7A6C'
repo: 'ppa:ondrej/php'
state: '{{ "present" if php__sury | bool else "absent" }}'
- php__sury_apt_repo_map
YAML dictionary map of APT repository URLs, dependent on the OS distribution.
php__sury_apt_repo_map:
'Debian': 'deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main'
'Ubuntu': 'ppa:ondrej/php'
APT package installation
The role uses a special filtering for APT package names to ensure support for different PHP versions. PHP APT packages are named in the format:
php<version>-<suffix>
For the automatic filter to work, all you need to do to install a package is
to specify the <suffix>
part. See php__packages for more
details.
- php__server_api_packages
List of PHP Server API packages to install. This list is checked against to enable certain parts of the role if needed. It should contain only the names of the SAPI packages.
php__server_api_packages: [ 'cli', 'fpm' ]
- php__base_packages
Install set of standard PHP packages.
php__base_packages:
- '{{ "php" + php__version }}'
- 'curl'
- 'gd'
- '{{ [] if php__composer_upstream_enabled | bool else "composer" }}'
- '{{ "mcrypt"
if (php__version is version_compare("7.2", "<"))
else [] }}'
- php__packages
List of additional "global" APT packages to install.
php__packages: []
- php__group_packages
List of APT packages for a group of hosts (only one group is supported).
php__group_packages: []
- php__host_packages
List of APT packages to install on a specific host.
php__host_packages: []
- php__dependent_packages
List of APT packages to install, requested by a role dependency.
php__dependent_packages: []
- php__combined_packages
List of all PHP packages requested for installation passed to the filter script as a string of arguments for further processing.
php__combined_packages: '{{ (lookup("flattened",
php__server_api_packages
+ php__base_packages
+ php__packages
+ php__group_packages
+ php__host_packages
+ php__dependent_packages).split(",")
| difference(php__included_packages))
| join(" ") }}'
- php__reset
Can be temporally set to True
to reevaluate the preferred PHP version and
remove older PHP versions on the next Ansible run.
Note that this option is not idempotent. It will reset on every role run.
php__reset: False
- php__included_packages
List of PHP packages which are shipped with the standard PHP distribution. This variable is used to abstract packaging differences between different PHP repositories or releases. If you use a custom APT package for PHP, you might need to adjust this list for proper package resolution.
php__included_packages: '{{ php__php_included_packages
if php__sury
else (php__release_included_map[ansible_distribution_release]
| d(php__php_included_packages)) }}'
- php__release_included_map
Configuration dictionary mapping distribution releases to different PHP
packaging configurations. Also see php__included_packages
.
php__release_included_map:
stretch: '{{ php__php_included_packages }}'
buster: '{{ php__php_included_packages }}'
bullseye: '{{ php__php_included_packages }}'
sid: '{{ php__php_included_packages }}'
trusty: '{{ php__php5_included_packages }}'
xenial: '{{ php__php_included_packages }}'
zesty: '{{ php__php_included_packages }}'
bionic: '{{ php__php_included_packages }}'
focal: '{{ php__php_included_packages }}'
groovy: '{{ php__php_included_packages }}'
- php__php5_included_packages
PHP packages usually part of the php5/php5-common packaging.
php__php5_included_packages: '{{ php__common_included_packages
+ ["bcmath", "bz2", "dba", "dom", "ereg",
"mbstring", "mhash", "SimpleXML", "soap",
"wddx", "xml", "xmlreader", "xmlwriter",
"zip"] }}'
- php__php_included_packages
PHP packages usually part of the php/php-common (PHP 7.x) packaging.
php__php_included_packages: '{{ php__common_included_packages
+ ["sysvsem", "sysvshm"] }}'
- php__common_included_packages
PHP packages usually part of the php/php-common packaging.
php__common_included_packages:
- 'calendar'
- 'ctype'
- 'date'
- 'exif'
- 'fileinfo'
- 'filter'
- 'ftp'
- 'gettext'
- 'hash'
- 'iconv'
- 'libxml'
- 'openssl'
- 'pcntl'
- 'pcre'
- 'PDO'
- 'Phar'
- 'posix'
- 'Reflection'
- 'session'
- 'shmop'
- 'sockets'
- 'SPL'
- 'standard'
- 'sysvmsg'
- 'tokenizer'
- 'zlib'
PHP Composer support
- php__composer_upstream_enabled
Enable or disable installation of the composer command from
upstream. The composer
package in older OS releases might not work as
expected. If upstream installation is disabled, the composer
APT package
will be installed instead.
php__composer_upstream_enabled: '{{ True
if (ansible_distribution_release in
["stretch", "trusty", "xenial",
"bionic", "focal"])
else False }}'
- php__composer_upstream_version
The version of the PHP Composer release to install from upstream. Remember to update the watch file and the SHA256 checksum on changes.
php__composer_upstream_version: '1.8.5'
- php__composer_upstream_checksum
The SHA256 checksum of the PHP Composer release selected for installation.
php__composer_upstream_checksum: 'sha256:23b29b1a921b56db3c12ba531752dffcfaa3de0fcece3e54974e06990e46bbf9'
- php__composer_upstream_url
The URL to the PHP Composer binary which should be installed.
php__composer_upstream_url: '{{ "https://github.com/composer/composer/releases/download/"
+ php__composer_upstream_version + "/composer.phar" }}'
- php__composer_upstream_dest
The absolute path of the PHP Composer binary destination file.
php__composer_upstream_dest: '/usr/local/bin/composer'
Global php.ini configuration
- php__production
This variable determines if the php.ini
configuration will be
configured towards "production" systems (don't display errors), or
"development" systems (display all errors).
php__production: True
- php__ini_cgi_fix_pathinfo
Enable or disable cgi.fix_pathinfo
option in PHP. This is highly
dependent on the used webserver (nginx should have the option disabled,
apache2
needs it to be enabled).
php__ini_cgi_fix_pathinfo: False
- php__ini_max_execution_time
Specify default maximum execution time, in seconds.
php__ini_max_execution_time: '30'
- php__ini_max_input_time
Specify default maximum input time, in seconds.
php__ini_max_input_time: '60'
- php__ini_memory_limit
Specify maximum memory limit for PHP processes, in megabytes.
php__ini_memory_limit: '128M'
- php__ini_post_max_size
Specify maximum size of the POST data, in megabytes.
php__ini_post_max_size: '8M'
- php__ini_file_uploads
Enable or disable file uploading in PHP applications.
php__ini_file_uploads: True
- php__ini_upload_max_filesize
Specify maximum size of uploaded files, in megabytes.
php__ini_upload_max_filesize: '{{ php__ini_post_max_size }}'
- php__ini_max_file_uploads
Specify maximum number of files uploaded at once.
php__ini_max_file_uploads: '20'
- php__ini_default_charset
Specify default charset used in PHP environment.
php__ini_default_charset: 'UTF-8'
- php__ini_allow_url_fopen
Enable or disable access to remote URLs in PHP applications.
php__ini_allow_url_fopen: True
- php__ini_date_timezone
Configure the PHP timezone. This variable uses configuration provided by the debops.core.
php__ini_date_timezone: '{{ ansible_local.tzdata.timezone | d("Etc/UTC") }}'
Configuration added to php.ini
The role uses custom php.ini
configuration files managed by Ansible. See
php__configuration for more details.
- php__default_configuration
Default configuration of the php.ini
added by the role.
php__default_configuration:
- filename: '00-ansible'
name: 'PHP'
sections:
- options: |
max_execution_time = {{ php__ini_max_execution_time }}
max_input_time = {{ php__ini_max_input_time }}
memory_limit = {{ php__ini_memory_limit }}
error_reporting = {{ (php__production | bool) | ternary('E_ALL & ~E_DEPRECATED & ~E_STRICT', 'E_ALL') }}
display_errors = {{ (php__production | bool) | ternary('Off', 'On') }}
display_startup_errors = {{ (php__production | bool) | ternary('Off', 'On') }}
{% if php__version is version_compare("7.2", "<") %}
track_errors = {{ (php__production | bool) | ternary('Off', 'On') }}
{% endif %}
post_max_size = {{ php__ini_post_max_size }}
default_charset = {{ php__ini_default_charset }}
file_uploads = {{ (php__ini_file_uploads | bool) | ternary('On', 'Off') }}
upload_max_filesize = {{ php__ini_upload_max_filesize }}
max_file_uploads = {{ php__ini_max_file_uploads }}
allow_url_fopen = {{ (php__ini_allow_url_fopen | bool) | ternary('On', 'Off') }}
- name: 'CGI'
options: |
cgi.fix_pathinfo = {{ (php__ini_cgi_fix_pathinfo | bool) | ternary('1', '0') }}
- name: 'Date'
options: |
date.timezone = {{ php__ini_date_timezone }}
- filename: '../cli/conf.d/30-memory_limit'
name: 'PHP'
options: |
; Don't limit memory for php-cli execution
memory_limit = -1
- php__configuration
Custom php.ini
configuration added on all hosts in Ansible inventory.
php__configuration: []
- php__group_configuration
Custom php.ini
configuration added on a group of hosts in Ansible
inventory.
php__group_configuration: []
- php__host_configuration
Custom php.ini
configuration added on specific hosts in Ansible
inventory.
php__host_configuration: []
- php__dependent_configuration
Custom php.ini
configuration by other Ansible roles using dependent
variables.
php__dependent_configuration: []
Global PHP-FPM configuration
- php__fpm_privileged_group
What system group has privileged access to php-fpm service.
php__fpm_privileged_group: 'webadmins'
- php__fpm_syslog
Enable or disable error logging to syslog
. Currently the syslog
logging in PHP has some issues: https://bugs.php.net/bug.php?id=67764
php__fpm_syslog: False
- php__fpm_error_log
Path to the error.log
file which is used by PHP-FPM to log error
messages.
If it's set to syslog
, error logs are sent to the local log daemon.
php__fpm_error_log: '{{ ("/var/log/php" + php__version + "-fpm.log")
if not php__fpm_syslog | bool else "syslog" }}'
- php__fpm_syslog_ident
When syslog
logging is enabled, specify the program identification string
used by PHP-FPM. This should be one word string, without spaces.
php__fpm_syslog_ident: 'php-fpm'
- php__fpm_syslog_facility
When syslog
logging is enabled, specify the syslog
facility to use.
php__fpm_syslog_facility: 'daemon'
- php__fpm_log_level
When syslog
logging is enabled, specify the log level used by PHP-FPM.
php__fpm_log_level: 'notice'
- php__fpm_emergency_restart_threshold
Specify number of PHP-FPM child processes that exit with errors during a given interval (see below) that will trigger an automatic restart of the master PHP-FPM process.
php__fpm_emergency_restart_threshold: '0'
- php__fpm_emergency_restart_interval
Specify the interval which is used to determine number of PHP-FPM child processes that exit with errors.
php__fpm_emergency_restart_interval: '0'
- php__fpm_process_control_timeout
Specify maximum wait time the master PHP-FPM process waits for a reaction on the signals sent to the child processes.
php__fpm_process_control_timeout: '0'
- php__fpm_process_max
Maximum number of PHP-FPM child processes.
php__fpm_process_max: '128'
PHP-FPM pool defaults
These configuration variables are used as default values in PHP-FPM pool
configuration. They can be specified as the keys of the YAML dictionaries
that define specific PHP-FPM pool configuration, after removing the
php__fpm_
prefix from the variable name.
- php__fpm_listen_owner
The system user that will be the owner of the PHP-FPM socket. This should be
the username of the webserver account, so that it can use the socket to
communicate with the PHP-FPM process. This account needs to exist before the
PHP-FPM process is started (the www-data
account is created by default on
Debian/Ubuntu systems).
php__fpm_listen_owner: 'www-data'
- php__fpm_listen_group
The system group that will be the primary group of the PHP-FPM socket. This
should be the group that the webserver belongs to, so that it can use the
socket to communicate with the PHP-FPM process. This group needs to exist
before the PHP-FPM process is started (the www-data
group is created by
default on Debian/Ubuntu systems).
php__fpm_listen_group: 'www-data'
- php__fpm_listen_mode
The default permissions applied to the PHP-FPM pool sockets.
php__fpm_listen_mode: '0660'
- php__fpm_listen_backlog
The default limit for socket connection backlog. If you tune this
parameter, you should also consider sysctl parameters
net.ipv4.tcp_max_syn_backlog
, net.ipv4.ip_local_port_range
,
net.ipv4.tcp_tw_reuse
and net.core.somaxconn
.
php__fpm_listen_backlog: '511'
- php__fpm_pm
Select the default way the PHP-FPM master process will manage pool child
processes. Possible values: static
, dynamic
, ondemand
.
php__fpm_pm: 'ondemand'
- php__fpm_pm_max_children
Maximum number of child processes in a PHP-FPM pool for any management mode.
php__fpm_pm_max_children: '{{ ansible_processor_vcpus }}'
- php__fpm_pm_start_servers
The number of pool child processes created at startup, used by the
dynamic
management mode.
php__fpm_pm_start_servers: '{{ ansible_processor_cores }}'
- php__fpm_pm_min_spare_servers
Number of minimum idle spare servers that should be kept around, used by the
dynamic
management mode.
php__fpm_pm_min_spare_servers: '1'
- php__fpm_pm_max_spare_servers
Number of maximum idle spare servers that should be kept around, used by the
dynamic
management mode.
php__fpm_pm_max_spare_servers: '{{ php__fpm_pm_max_children }}'
- php__fpm_pm_process_idle_timeout
Timeout in seconds for the PHP-FPM pool child processes, used by the
ondemand
management mode.
php__fpm_pm_process_idle_timeout: '10s'
- php__fpm_pm_max_requests
Maximum number of requests after which PHP-FPM pool child processes will be respawned.
php__fpm_pm_max_requests: '500'
- php__fpm_pm_status
Enable or disable pool status page in all PHP-FPM pools. You might need to configure the webserver to allow access to this page as well.
php__fpm_pm_status: False
- php__fpm_pm_status_path
The URL path of the pool status page. It needs to start with /
, the
.php
prefix is discouraged to not create issues with passing the request
to the PHP-FPM process.
php__fpm_pm_status_path: '/status.php'
- php__fpm_ping_path
The URL path of the "ping" request for all PHP-FPM pools.
php__fpm_ping_path: '/ping.php'
- php__fpm_ping_response
A string that defines the expected response of the "ping" request.
php__fpm_ping_response: 'pong'
- php__fpm_access_log
Enable or disable request log in /var/log/php5,7.0-fpm/$pool_access.log
for all PHP-FPM pools.
php__fpm_access_log: False
- php__fpm_request_terminate_timeout
Specify maximum request time after which the worker process will be killed.
php__fpm_request_terminate_timeout: '{{ php__ini_max_execution_time }}'
- php__fpm_rlimit_files
Specify maximum number of opened file descriptors.
php__fpm_rlimit_files: '1024'
- php__fpm_rlimit_core
Specify maximum size of the core
files.
php__fpm_rlimit_core: '0'
- php__fpm_catch_workers_output
If enabled, redirect stdout
and stderr
streams of the worker
processes to the main error.log
file. Might impact performance.
php__fpm_catch_workers_output: False
- php__fpm_security_limit_extensions
List of file extensions which are considered to be PHP scripts by the interpreter.
php__fpm_security_limit_extensions: [ '.php' ]
- php__fpm_clear_env
If enabled, the PHP-FPM pool will clear the child process environment before adding the specified environment variables.
php__fpm_clear_env: False
- php__fpm_environment
A YAML dictionary with environment variables that should be set in all PHP-FPM pools on all hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.
php__fpm_environment: {}
- php__fpm_group_environment
A YAML dictionary with environment variables that should be set in all PHP-FPM pools on a group of hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.
php__fpm_group_environment: {}
- php__fpm_host_environment
A YAML dictionary with environment variables that should be set in all PHP-FPM pools on a specific hosts in Ansible inventory. Each key of the dictionary is a variable name, and its value is the variable value.
php__fpm_host_environment: {}
PHP-FPM pools
Lists of PHP-FPM pools managed by the debops.php
role. Each PHP-FPM pool
is defined as a YAML dictionary. See php__pools for more details.
- php__default_pools
List of default PHP-FPM pools configured on all hosts. At least 1 pool is required at all times, otherwise the service will not start properly.
php__default_pools: [ '{{ php__pool_www_data }}' ]
- php__pools
List of PHP-FPM pools configured on all hosts in Ansible inventory.
php__pools: []
- php__group_pools
List of PHP-FPM pools configured on a group of hosts in Ansible inventory.
php__group_pools: []
- php__host_pools
List of PHP-FPM pools configured on specific hosts in Ansible inventory.
php__host_pools: []
- php__dependent_pools
List of PHP-FPM pools configured by other Ansible roles using dependent variables.
php__dependent_pools: []
- php__pool_www_data
The default PHP-FPM pool for the www-data
system account.
php__pool_www_data:
name: 'www-data'
Configuration for other Ansible roles
- php__apt_preferences__dependent_list
Configuration of the debops.apt_preferences role.
php__apt_preferences__dependent_list:
- package: '*'
pin: 'origin "packages.sury.org"'
priority: '100'
reason: "Don't upgrade software automatically using packages from external repository"
role: 'debops.php'
suffix: '_packages_sury_org'
state: '{{ "present" if php__sury | bool else "absent" }}'
- packages: [ 'php', 'php5', 'php5*', 'php7*', 'dh-php', 'php-*',
'libpcre2-8-0', 'libpcre3', 'libzip4', 'libpcre16-3',
'libpcre32-3', 'libpcrecpp0v5', 'libpcre3-dev',
'libapache2-mod-php', 'libapache2-mod-php*',
'libsodium23' ]
pin: 'origin "packages.sury.org"'
priority: '500'
reason: 'Prefer PHP packages from the same repository for consistency'
role: 'debops.php'
suffix: '_packages_sury_org'
state: '{{ "present" if php__sury | bool else "absent" }}'
- php__keyring__dependent_apt_keys
Configuration for the debops.keyring Ansible role.
php__keyring__dependent_apt_keys:
- '{{ php__sury_apt_key_id }}'
- php__logrotate__dependent_config
Configuration of the debops.logrotate role.
php__logrotate__dependent_config:
- filename: 'php{{ php__version }}-fpm'
divert: True
logs:
- '/var/log/php{{ php__version }}-fpm.log'
- '/var/log/php{{ php__version }}-fpm/*.log'
options: |
create 0660 root adm
rotate 12
missingok
weekly
notifempty
compress
delaycompress
postrotate: |
{% if php__long_version is version_compare("5.5", "<") %}
invoke-rc.d php{{ php__version }}-fpm reopen-logs > /dev/null
{% else %}
{{ php__logrotate_lib_base }}/php{{ php__version }}-fpm-reopenlogs
{% endif %}