[
  {
    "path": ".gitignore",
    "content": "provision.retry\n"
  },
  {
    "path": "README.md",
    "content": "# WordPress Ansible\n\nThis repository contains a playbook for provisioning modern hosting environments geared towards WordPress. It's based on [How to Install WordPress on Ubuntu 18.04](https://deliciousbrains.com/hosting-wordpress-setup-secure-virtual-server/) and [WordPress Nginx](https://github.com/A5hleyRich/wordpress-nginx). The following is handled out of the box:\n\n* User setup\n* SSH hardening\n* Firewall setup\n\nIt will also install the following software:\n\n* Nginx with HTTP/2 and [improved default configs](https://github.com/A5hleyRich/wordpress-nginx)\n* PHP 7.4\n* MariaDB\n* Redis\n* WP-CLI\n* Fail2Ban\n* Git\n\n## Usage\n\nConfigure your [hosts file](https://github.com/A5hleyRich/wordpress-ansible/blob/master/hosts).\n\n```\n[production]\n192.168.1.1 #sampledomain.com\n```\n\nEdit [provision.yml](https://github.com/A5hleyRich/wordpress-ansible/blob/master/provision.yml) to configure your default user, [hashed](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) sudo password and local public key path. This will create a new user on the provisioned servers that you can use to gain SSH access. Note that the `ssh` role then disables root login and password authentication, so key-based login as this user is how you will reach the server after the playbook has run.\n\nRun:\n\n`ansible-playbook provision.yml`\n"
  },
  {
    "path": "ansible.cfg",
    "content": "[defaults]\ninventory = hosts"
  },
  {
    "path": "hosts",
    "content": "# Add hosts here, one per line. Additional groups can be created using\n# [group] syntax. Hosts can join multiple groups.\n\n[production]\nserver_hostname1\n\n[staging]\nserver_hostname2"
  },
  {
    "path": "provision.yml",
    "content": "---\n- hosts: production\n  user: root\n  vars:\n    username: ashley\n    password: $6$rlLdG6wd1CT8v7i$7psP8l26lmaPhT3cigoYYXhjG28CtD1ifILq9KzvA0W0TH2Hj4.iO43RkPWgJGIi60Mz0CsxWbRVBSQkAY95W0\n    public_key: ~/.ssh/id_rsa.pub\n  roles: \n   - common\n   - ufw\n   - user\n   - nginx\n   - php\n   - mariadb\n   - wp-cli\n   - ssh"
  },
  {
    "path": "roles/common/tasks/main.yml",
    "content": "---\n- name: Upgrade packages\n  apt: upgrade=safe\n  \n- name: Install packages\n  apt:\n    name: \"{{ item }}\"\n    state: present\n    update_cache: yes\n  with_items:\n  - fail2ban\n  - git-core\n  - redis-server\n  - ufw"
  },
  {
    "path": "roles/mariadb/handlers/main.yml",
    "content": ""
  },
  {
    "path": "roles/mariadb/tasks/main.yml",
    "content": "---\n- name: Install MariaDB\n  apt:\n    name: mariadb-server\n    state: present\n    force: yes"
  },
  {
    "path": "roles/nginx/handlers/main.yml",
    "content": "---\n- name: restart nginx\n  service: \n    name: nginx\n    state: restarted\n\n- name: reload nginx\n  service: \n    name: nginx\n    state: reloaded"
  },
  {
    "path": "roles/nginx/tasks/main.yml",
    "content": "---\n- name: Add Nginx repo\n  apt_repository:\n    repo: ppa:ondrej/nginx\n\n- name: Install Nginx\n  apt:\n    name: nginx\n    state: present\n    force: yes\n    update_cache: yes\n\n- name: Check Nginx configs exist\n  stat: path=/etc/nginx/.git\n  register: git_exists\n\n- name: Remove default Nginx configs\n  file:\n    path: /etc/nginx\n    state: absent\n  when: not git_exists.stat.exists\n\n- name: Clone Nginx configs\n  git:\n    repo: https://github.com/A5hleyRich/wordpress-nginx.git\n    dest: /etc/nginx\n    version: master\n    force: yes\n  when: not git_exists.stat.exists\n\n- name: Symlink default site\n  file:\n    src: /etc/nginx/sites-available/default\n    dest: /etc/nginx/sites-enabled/default\n    state: link\n  notify: reload nginx\n\n- name: Set Nginx user\n  lineinfile:\n    dest: /etc/nginx/nginx.conf\n    regexp: \"^user\"\n    line: \"user {{ username }};\"\n    state: present\n  notify: restart nginx"
  },
  {
    "path": "roles/php/handlers/main.yml",
    "content": "---\n- name: start php\n  service:\n    name: php7.4-fpm\n    state: started\n\n- name: reload php\n  service:\n    name: php7.4-fpm\n    state: reloaded\n\n- name: restart php\n  service:\n    name: php7.4-fpm\n    state: restarted"
  },
  {
    "path": "roles/php/tasks/main.yml",
    "content": "---\n- name: Add PHP repo\n  apt_repository:\n    repo: ppa:ondrej/php\n\n- name: Install PHP\n  apt:\n    name: \"{{ item }}\"\n    state: present\n    force: yes\n    update_cache: yes\n  with_items:\n  - \"php7.4-bcmath\"\n  - \"php7.4-cli\"\n  - \"php7.4-common\"\n  - \"php7.4-curl\"\n  - \"php7.4-fpm\"\n  - \"php7.4-gd\"\n  - \"php7.4-igbinary\"\n  - \"php7.4-imagick\"\n  - \"php7.4-mbstring\"\n  - \"php7.4-mysql\"\n  - \"php7.4-opcache\"\n  - \"php7.4-redis\"\n  - \"php7.4-soap\"\n  - \"php7.4-xml\"\n  - \"php7.4-xmlrpc\"\n  - \"php7.4-zip\"\n\n- name: Set PHP user\n  lineinfile:\n    dest: /etc/php/7.4/fpm/pool.d/www.conf\n    regexp: \"^user\"\n    line: \"user = {{ username }}\"\n    state: present\n  notify: restart php\n\n- name: Set PHP group\n  lineinfile:\n    dest: /etc/php/7.4/fpm/pool.d/www.conf\n    regexp: \"^group\"\n    line: \"group = {{ username }}\"\n    state: present\n  notify: restart php\n\n- name: Set PHP listen owner\n  lineinfile:\n    dest: /etc/php/7.4/fpm/pool.d/www.conf\n    regexp: \"^listen\\\\.owner\"\n    line: \"listen.owner = {{ username }}\"\n    state: present\n  notify: restart php\n\n- name: Set PHP listen group\n  lineinfile:\n    dest: /etc/php/7.4/fpm/pool.d/www.conf\n    regexp: \"^listen\\\\.group\"\n    line: \"listen.group = {{ username }}\"\n    state: present\n  notify: restart php\n\n- name: Set PHP upload max filesize\n  lineinfile:\n    dest: /etc/php/7.4/fpm/php.ini\n    regexp: \"^upload_max_filesize\"\n    line: \"upload_max_filesize = 128M\"\n    state: present\n  notify: reload php\n\n- name: Set PHP post max filesize\n  lineinfile:\n    dest: /etc/php/7.4/fpm/php.ini\n    regexp: \"^post_max_size\"\n    line: \"post_max_size = 128M\"\n    state: present\n  notify: reload php"
  },
  {
    "path": "roles/ssh/handlers/main.yml",
    "content": "---\n- name: restart ssh\n  service:\n    name: ssh\n    state: restarted"
  },
  {
    "path": "roles/ssh/tasks/main.yml",
    "content": "---\n- name: Disable root login\n  lineinfile: \n    dest: /etc/ssh/sshd_config\n    regexp: \"^PermitRootLogin\"\n    line: \"PermitRootLogin no\"\n    state: present\n  notify: restart ssh\n\n- name: Disable password authentication\n  lineinfile:\n    dest: /etc/ssh/sshd_config\n    regexp: \"^#?PasswordAuthentication\"\n    line: \"PasswordAuthentication no\"\n    state: present\n  notify: restart ssh"
  },
  {
    "path": "roles/ufw/handlers/main.yml",
    "content": ""
  },
  {
    "path": "roles/ufw/tasks/main.yml",
    "content": "---\n- name: Enable firewall\n  ufw: state=enabled policy=deny\n\n- name: Allow HTTP\n  ufw: rule=allow port=80 proto=tcp\n\n- name: Allow HTTPS\n  ufw: rule=allow port=443 proto=tcp\n\n- name: Allow SSH\n  ufw: rule=allow port=22 proto=tcp\n"
  },
  {
    "path": "roles/user/tasks/main.yml",
    "content": "---\n- name: Ensure sudo group is present\n  group:\n    name: sudo\n    state: present\n\n- name: Ensure sudo group has sudo privileges\n  lineinfile:\n    dest: /etc/sudoers\n    state: present\n    regexp: \"^%sudo\"\n    line: \"%sudo ALL=(ALL:ALL) ALL\"\n    validate: \"/usr/sbin/visudo -cf %s\"\n\n- name: Create default user\n  user:\n    name: \"{{ username }}\"\n    groups: sudo\n    password: \"{{ password }}\"\n    shell: /bin/bash\n    update_password: always\n    state: present\n\n- name: Add authorized key\n  authorized_key:\n    user: \"{{ username }}\"\n    key: \"{{ lookup('file', public_key) }}\""
  },
  {
    "path": "roles/wp-cli/tasks/main.yml",
    "content": "---\n- name: Install WP-CLI\n  get_url:\n    url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar\n    dest: /usr/bin/wp\n    mode: 0755\n\n- name: Install WP-CLI tab completions\n  get_url:\n    url: https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash\n    dest: /etc/bash_completion.d\n    mode: 0644"
  }
]