Initialize an eZ Publish demo environment using Ansible and Vagrant

playbook.yml

---
- hosts: front
  sudo: yes
  roles:
    - GMaissa.ezpublish5
    - kosssi.composer
  tasks:
    - name: Debian | Disable default vhost
      shell: a2dissite default
      notify: Restart Apache
      when: ansible_os_family == "Debian"
      ignore_errors: yes

    - name: Install eZ Publish dependencies
      shell: SYMFONY_ENV={{ ezpublish_environment }} composer install -n
      args:
        chdir: "{{ ezpublish_apache_vhost.root }}"

    - name: Dump eZ Publish assets on none prod environments
      shell: php ezpublish/console assetic:dump --env={{ ezpublish_environment }} -n
      args:
        chdir: "{{ ezpublish_apache_vhost.root }}"
      when: ezpublish_environment != 'prod'

    - name: Fix permissions on ezpublish dirs
      file: path={{ ezpublish_apache_vhost.root }}/{{ item }}
            group={{ ezpublish_apache.group }}
            state=directory
            mode=0775
            recurse=yes
      with_items:
        - ezpublish/cache
        - ezpublish/config
        - ezpublish/logs
        - ezpublish_legacy/design
        - ezpublish_legacy/extension
        - ezpublish_legacy/settings

    - name: fix permissions on legacy var dir
      file: path={{ ezpublish_apache_vhost.root }}/ezpublish_legacy/var
            owner={{ ezpublish_apache.user }}
            group={{ ezpublish_apache.group }}
            state=directory
            mode=0775
            recurse=yes

    - name: Set php session save handler
      replace: dest={{ ezpublish_php_apache_ini_path }}/php.ini
               regexp='session.save_handler =.*'
               replace='session.save_handler=memcached'
      notify: Restart Apache

    - name: Set php session save path
      replace: dest={{ ezpublish_php_apache_ini_path }}/php.ini
               regexp=';session.save_path =.*'
               replace='session.save_path="127.0.0.1:11211"'
      notify: Restart Apache
  vars:
    # eZ Publish configuration
    ezpublish_apache_port: 81
    ezpublish_apache_vhost:
      filename: ezpublish.conf
      enabled: yes
      listen: '*:81'
      root: /var/www/ezpublish
      name: ezpublish.local
      aliases:
        - bo.ezpublish.local
    ezpublish_trusted_proxies: 127.0.0.1
    ezpublish_environment: dev
    ezpublish_debug_mode: 1
    ezpublish_download: true
    ezpublish_version: v2014.11.1

    # Composer configuration
    #composer_github_oauth: YOUR_GITHUB_TOKEN


- hosts: database
  sudo: yes
  roles:
    - geerlingguy.mysql
  vars:
    # MySQL configuration
    mysql_bind_address: '127.0.0.1'
    mysql_server_id: ""
    mysql_innodb_log_file_size: "5M"
    mysql_databases:
      - name: ez_test
        encoding: utf8
        collation: latin1_general_ci
        collation: utf8_general_ci
    mysql_users:
      - name: ezpublish
        host: "localhost"
        password: ezpublish
        priv: "ez_test.*:ALL"


- hosts: reverseproxy
  sudo: yes
  roles:
    - geerlingguy.varnish
  vars:
    # Varnish configuration
    varnish_default_vcl_template_path: varnish-4.vcl.j2
    varnish_storage: "malloc,256M"
    varnish_backends:
      ezpublish:
        host: 127.0.0.1
        port: 81


- hosts: cache
  sudo: yes
  roles:
    - GMaissa.common
  vars:
    common_packages:
      - memcached

requirements.yml

---
- src: https://github.com/GMaissa/ansible-role-common
  version: master
  name: GMaissa.common

- src: https://github.com/GMaissa/ansible-role-ezpublish5
  version: master
  name: GMaissa.ezpublish5

- src: kosssi.composer

- src: geerlingguy.varnish

- src: geerlingguy.mysql

Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :

# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  # Debian test box
  config.vm.box = "puphpet/debian75-x64"

  config.hostmanager.enabled = true
  config.hostmanager.manage_host = true
  config.hostmanager.ignore_private_ip = false
  config.hostmanager.include_offline = true

  config.vm.define 'ezpublish' do |ez|
    ez.vm.hostname = 'ezpublish.local'
    ez.vm.network :private_network, ip: '192.168.56.191'
    ez.vm.provision "ansible" do |ansible|
      ansible.groups     = {
        "front"          => ["ezpublish"],
        "database"       => ["ezpublish"],
        "reverseproxy"   => ["ezpublish"],
        "cache"          => ["ezpublish"],
      }
      ansible.playbook   = "playbook.yml"
    end
  end
end

varnish-4.vcl.j2

// Varnish 4 style - eZ 5.4+ / 2014.09+
// Complete VCL example

vcl 4.0;

// Our Backend - Assuming that web server is listening on port 80
// Replace the host to fit your setup
{% for key, value in varnish_backends.iteritems() %}
backend {{ key }} {
    .host = "{{ value.host }}";
    .port = "{{ value.port }}";
}
{% endfor %}

// ACL for invalidators IP
acl invalidators {
    "127.0.0.1";
    "192.168.56.0"/16;
}

// ACL for debuggers IP
acl debuggers {
    "127.0.0.1";
    "192.168.56.0"/16;
}

import directors;

sub vcl_init {
    new ezbacks = directors.round_robin();
    {% for key, value in varnish_backends.iteritems() %}
    ezbacks.add_backend({{ key }});
    {% endfor%}
}

// Called at the beginning of a request, after the complete request has been received
sub vcl_recv {

    // Set the backend
    set req.backend_hint = ezbacks.backend();

    // Advertise Symfony for ESI support
    set req.http.Surrogate-Capability = "abc=ESI/1.0";

    // Add a unique header containing the client address (only for master request)
    // Please note that /_fragment URI can change in Symfony configuration
    if (!req.url ~ "^/_fragment") {
        if (req.http.x-forwarded-for) {
            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }

    // Trigger cache purge if needed
    call ez_purge;

    // Don't cache requests other than GET and HEAD.
    if (req.method != "GET" && req.method != "HEAD") {
        return (pass);
    }

    // Normalize the Accept-Encoding headers
    if (req.http.Accept-Encoding) {
        if (req.http.Accept-Encoding ~ "gzip") {
            set req.http.Accept-Encoding = "gzip";
        } elsif (req.http.Accept-Encoding ~ "deflate") {
            set req.http.Accept-Encoding = "deflate";
        } else {
            unset req.http.Accept-Encoding;
        }
    }

    // Don't cache Authenticate & Authorization
    // You may remove this when using REST API with basic auth.
    if (req.http.Authenticate || req.http.Authorization) {
        if (client.ip ~ debuggers) {
            set req.http.X-Debug = "Not Cached according to configuration (Authorization)";
        }
        return (hash);
    }

    // Do a standard lookup on assets
    // Note that file extension list below is not extensive, so consider completing it to fit your needs.
    if (req.url ~ "\.(css|js|gif|jpe?g|bmp|png|tiff?|ico|img|tga|wmf|svg|swf|ico|mp3|mp4|m4a|ogg|mov|avi|wmv|zip|gz|pdf|ttf|eot|wof)$") {
        return (hash);
    }

    // Retrieve client user hash and add it to the forwarded request.
    call ez_user_hash;

    // If it passes all these tests, do a lookup anyway.
    return (hash);
}

// Called when the requested object has been retrieved from the backend
sub vcl_backend_response {

    if (bereq.http.accept ~ "application/vnd.fos.user-context-hash"
        && beresp.status >= 500
    ) {
        return (abandon);
    }

    // Optimize to only parse the Response contents from Symfony
    if (beresp.http.Surrogate-Control ~ "ESI/1.0") {
        unset beresp.http.Surrogate-Control;
        set beresp.do_esi = true;
    }

    // Allow stale content, in case the backend goes down or cache is not fresh any more
    // make Varnish keep all objects for 1 hours beyond their TTL
    set beresp.grace = 1h;
}

// Handle purge
// You may add FOSHttpCacheBundle tagging rules
// See http://foshttpcache.readthedocs.org/en/latest/varnish-configuration.html#id4
sub ez_purge {

    if (req.method == "BAN") {
        if (!client.ip ~ invalidators) {
            return (synth(405, "Method not allowed"));
        }

        if (req.http.X-Location-Id) {
            ban("obj.http.X-Location-Id ~ " + req.http.X-Location-Id);
            if (client.ip ~ debuggers) {
                set req.http.X-Debug = "Ban done for content connected to LocationId " + req.http.X-Location-Id;
            }
            return (synth(200, "Banned"));
        }
    }
}

// Sub-routine to get client user hash, for context-aware HTTP cache.
sub ez_user_hash {

    // Prevent tampering attacks on the hash mechanism
    if (req.restarts == 0
        && (req.http.accept ~ "application/vnd.fos.user-context-hash"
            || req.http.x-user-hash
        )
    ) {
        return (synth(400));
    }

    if (req.restarts == 0 && (req.method == "GET" || req.method == "HEAD")) {
        // Anonymous user => Set a hardcoded anonymous hash
        if (req.http.Cookie !~ "eZSESSID" && !req.http.authorization) {
            set req.http.X-User-Hash = "38015b703d82206ebc01d17a39c727e5";
        }
        // Pre-authenticate request to get shared cache, even when authenticated
        else {
            set req.http.x-fos-original-url    = req.url;
            set req.http.x-fos-original-accept = req.http.accept;
            set req.http.x-fos-original-cookie = req.http.cookie;
            // Clean up cookie for the hash request to only keep session cookie, as hash cache will vary on cookie.
            set req.http.cookie = ";" + req.http.cookie;
            set req.http.cookie = regsuball(req.http.cookie, "; +", ";");
            set req.http.cookie = regsuball(req.http.cookie, ";(eZSESSID[^=]*)=", "; \1=");
            set req.http.cookie = regsuball(req.http.cookie, ";[^ ][^;]*", "");
            set req.http.cookie = regsuball(req.http.cookie, "^[; ]+|[; ]+$", "");

            set req.http.accept = "application/vnd.fos.user-context-hash";
            set req.url = "/_fos_user_context_hash";

            // Force the lookup, the backend must tell how to cache/vary response containing the user hash

            return (hash);
        }
    }

    // Rebuild the original request which now has the hash.
    if (req.restarts > 0
        && req.http.accept == "application/vnd.fos.user-context-hash"
    ) {
        set req.url         = req.http.x-fos-original-url;
        set req.http.accept = req.http.x-fos-original-accept;
        set req.http.cookie = req.http.x-fos-original-cookie;

        unset req.http.x-fos-original-url;
        unset req.http.x-fos-original-accept;
        unset req.http.x-fos-original-cookie;

        // Force the lookup, the backend must tell not to cache or vary on the
        // user hash to properly separate cached data.

        return (hash);
    }
}

sub vcl_deliver {
    // On receiving the hash response, copy the hash header to the original
    // request and restart.
    if (req.restarts == 0
        && resp.http.content-type ~ "application/vnd.fos.user-context-hash"
    ) {
        set req.http.x-user-hash = resp.http.x-user-hash;

        return (restart);
    }

    // If we get here, this is a real response that gets sent to the client.

    // Remove the vary on context user hash, this is nothing public. Keep all
    // other vary headers.
    set resp.http.Vary = regsub(resp.http.Vary, "(?i),? *x-user-hash *", "");
    set resp.http.Vary = regsub(resp.http.Vary, "^, *", "");
    if (resp.http.Vary == "") {
        unset resp.http.Vary;
    }

    // Sanity check to prevent ever exposing the hash to a client.
    unset resp.http.x-user-hash;

    if (client.ip ~ debuggers) {
        if (obj.hits > 0) {
            set resp.http.X-Cache = "HIT";
            set resp.http.X-Cache-Hits = obj.hits;
        } else {
            set resp.http.X-Cache = "MISS";
        }
    }
}

Be sure to install required roles with the command :

ansible-galaxy install -fr requirements.yml

And to configure your github token in the playbook, to complete eZ Publish dependencies installation with composer :

# Composer configuration
#composer_github_oauth: YOUR_GITHUB_TOKEN