2026-02-27 11:41:56
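---
# Installs Apache httpd with mod_ssl and PHP 8.0 (Remi module stream) on
# RHEL 8, generates a self-signed certificate, writes an HTTP->HTTPS redirect
# vhost and an SSL vhost, and opens http/https in firewalld.
#
# Requirements not handled by this play:
#   - the Remi repository providing the module stream below is presumably
#     already configured on the host (nothing here installs it) - TODO confirm
#   - the ansible.posix collection must be available on the controller for
#     the firewalld module.
#
# NOTE(review): upstream security support for PHP 8.0 ended in November 2023;
# confirm that the chosen stream still receives security fixes before using
# this outside a lab.
- name: 'RHEL8 + Remi: httpd + PHP 8.0 + self-signed SSL'
  hosts: web
  become: true
  vars:
    php_module_stream: "php:remi-8.0"
    php_packages:
      - php
      - php-cli
      - php-mysqlnd
      - php-gd
      - php-xml
      - php-mbstring
      - php-json
      - php-intl
      - php-opcache
      - php-zip
    ssl_cert_dir: /etc/pki/tls/certs
    ssl_key_dir: /etc/pki/tls/private
    ssl_cert: "{{ ssl_cert_dir }}/httpd-selfsigned.crt"
    ssl_key: "{{ ssl_key_dir }}/httpd-selfsigned.key"
    # Substitute the host's FQDN if needed.
    ssl_cn: "localhost"
    # phpinfo() output discloses the PHP configuration, loaded modules,
    # environment variables and filesystem paths to every client that can
    # reach the site. Keep it only while verifying the install; set this to
    # false and re-run the play to remove the file.
    deploy_phpinfo_page: true

  tasks:
    # The command module's "warn" argument was removed in ansible-core 2.14
    # and makes the task fail there, so it is not passed. argv keeps each
    # value a single argument regardless of its content.
    - name: Reset default PHP module
      ansible.builtin.command:
        argv:
          - dnf
          - module
          - reset
          - php
          - "-y"
      register: php_reset
      changed_when: "'Nothing to do' not in php_reset.stdout"

    - name: Enable PHP 8.0 module from Remi
      ansible.builtin.command:
        argv:
          - dnf
          - module
          - enable
          - "{{ php_module_stream }}"
          - "-y"
      register: php_enable
      changed_when: "'Nothing to do' not in php_enable.stdout"

    # Build one flat list: placing "{{ php_packages }}" as an item inside a
    # YAML list yields a list nested in a list rather than package names.
    - name: Install httpd, mod_ssl and PHP 8.0 packages
      ansible.builtin.dnf:
        name: "{{ ['httpd', 'mod_ssl'] + php_packages }}"
        state: present

    - name: Ensure httpd is started and enabled
      ansible.builtin.systemd:
        name: httpd
        state: started
        enabled: true

    - name: Verify that system php is 8.0.x
      ansible.builtin.command: php -v
      register: php_version
      changed_when: false

    - name: Fail if system php is not 8.0
      ansible.builtin.fail:
        msg: "System php is not 8.0.x: {{ php_version.stdout_lines | default([]) }}"
      when: php_version.stdout is not search('^PHP 8\.0\.')

    - name: Create test PHP file
      ansible.builtin.copy:
        dest: /var/www/html/info.php
        mode: "0644"
        content: |
          <?php phpinfo();
      when: deploy_phpinfo_page | bool

    - name: Remove test PHP file when it is not wanted
      ansible.builtin.file:
        path: /var/www/html/info.php
        state: absent
      when: not (deploy_phpinfo_page | bool)

    # ===== SSL =====
    - name: Ensure SSL directories exist
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: directory
        owner: root
        group: root
        mode: "{{ item.mode }}"
      loop:
        - path: "{{ ssl_cert_dir }}"
          mode: "0755"
        - path: "{{ ssl_key_dir }}"
          mode: "0700"

    # -nodes leaves the private key unencrypted so httpd can start
    # unattended; the key is protected only by filesystem permissions.
    # Clients validate the subjectAltName rather than the CN, so one is
    # added; the DNS: form assumes ssl_cn is a host name, not an IP address.
    # "creates" makes this a one-time step: an existing certificate is never
    # regenerated, including after it expires or ssl_cn changes.
    - name: Generate self-signed certificate and key with openssl
      ansible.builtin.command:
        argv:
          - openssl
          - req
          - "-x509"
          - "-nodes"
          - "-days"
          - "365"
          - "-newkey"
          - "rsa:2048"
          - "-keyout"
          - "{{ ssl_key }}"
          - "-out"
          - "{{ ssl_cert }}"
          - "-subj"
          - "/CN={{ ssl_cn }}"
          - "-addext"
          - "subjectAltName=DNS:{{ ssl_cn }}"
        creates: "{{ ssl_cert }}"
      notify: Restart httpd

    # Do not rely on the umask in effect when openssl wrote the key.
    # Skipped in check mode, where the key may not have been generated.
    - name: Restrict private key permissions
      ansible.builtin.file:
        path: "{{ ssl_key }}"
        owner: root
        group: root
        mode: "0600"
      when: not ansible_check_mode

    # ===== Apache vhosts =====
    - name: Configure HTTP vhost with redirect to HTTPS
      ansible.builtin.copy:
        dest: /etc/httpd/conf.d/00-http-redirect.conf
        mode: "0644"
        content: |
          <VirtualHost *:80>
              ServerName {{ ssl_cn }}
              DocumentRoot /var/www/html
              Redirect permanent / https://{{ ssl_cn }}/
          </VirtualHost>
      notify: Restart httpd

    # NOTE(review): this overwrites the ssl.conf shipped by mod_ssl, so any
    # protocol, cipher and session-cache directives from the packaged file
    # are dropped and httpd/OpenSSL defaults apply - confirm that is the TLS
    # policy you want. "AllowOverride All" lets any .htaccess file under the
    # document root change server behaviour; narrow it if the application
    # does not need that.
    - name: Configure default SSL vhost
      ansible.builtin.copy:
        dest: /etc/httpd/conf.d/ssl.conf
        mode: "0644"
        content: |
          Listen 443 https
          <VirtualHost _default_:443>
              ServerName {{ ssl_cn }}
              DocumentRoot /var/www/html
              SSLEngine on
              SSLCertificateFile {{ ssl_cert }}
              SSLCertificateKeyFile {{ ssl_key }}
              <Directory "/var/www/html">
                  AllowOverride All
                  Require all granted
              </Directory>
          </VirtualHost>
      notify: Restart httpd

    # ===== firewalld =====
    - name: Ensure firewalld is installed
      ansible.builtin.dnf:
        name: firewalld
        state: present

    - name: Ensure firewalld is running and enabled
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    # The original guard read ansible_facts.services, which is only
    # populated by ansible.builtin.service_facts; that module is never run
    # in this play, so the condition would fail on an undefined variable.
    # The previous task already guarantees firewalld is running.
    # These rules expose the site, including info.php while it is deployed,
    # to everything that reaches the public zone.
    - name: Open HTTP and HTTPS services in firewalld
      ansible.posix.firewalld:
        service: "{{ item }}"
        zone: public
        permanent: true
        immediate: true
        state: enabled
      loop:
        - http
        - https

  handlers:
    - name: Restart httpd
      ansible.builtin.systemd:
        name: httpd
        state: restarted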