Repository: A5hleyRich/wordpress-ansible Branch: master Commit: 285ada0c6131 Files: 18 Total size: 6.4 KB Directory structure: gitextract_hew2n5wq/ ├── .gitignore ├── README.md ├── ansible.cfg ├── hosts ├── provision.yml └── roles/ ├── common/ │ └── tasks/ │ └── main.yml ├── mariadb/ │ ├── handlers/ │ │ └── main.yml │ └── tasks/ │ └── main.yml ├── nginx/ │ ├── handlers/ │ │ └── main.yml │ └── tasks/ │ └── main.yml ├── php/ │ ├── handlers/ │ │ └── main.yml │ └── tasks/ │ └── main.yml ├── ssh/ │ ├── handlers/ │ │ └── main.yml │ └── tasks/ │ └── main.yml ├── ufw/ │ ├── handlers/ │ │ └── main.yml │ └── tasks/ │ └── main.yml ├── user/ │ └── tasks/ │ └── main.yml └── wp-cli/ └── tasks/ └── main.yml ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ provision.retry ================================================ FILE: README.md ================================================ # WordPress Ansible This repository contains a playbook for provisioning modern hosting environments geared towards WordPress. It's based on [How to Install WordPress on Ubuntu 18.04](https://deliciousbrains.com/hosting-wordpress-setup-secure-virtual-server/) and [WordPress Nginx](https://github.com/A5hleyRich/wordpress-nginx). The following is handled out of the box: * User setup * SSH hardening * Firewall setup It will also install the following software: * Nginx with HTTP/2 and [improved default configs](https://github.com/A5hleyRich/wordpress-nginx) * PHP 7.4 * MariaDB * Redis * WP-CLI * Fail2Ban * Git ## Usage Configure your [hosts file](https://github.com/A5hleyRich/wordpress-ansible/blob/master/hosts). 
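```
[production]
192.168.1.1 #sampledomain.com
```

Edit [provision.yml](https://github.com/A5hleyRich/wordpress-ansible/blob/master/provision.yml) to configure your default user, [hashed](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) sudo password and local public key path. This will create a new user on the provisioned servers that you can use to gain SSH access.

Run: `ansible-playbook provision.yml`

================================================
FILE: ansible.cfg
================================================
[defaults]
inventory = hosts

================================================
FILE: hosts
================================================
# Add hosts here, one per line. Additional groups can be created using
# [group] syntax. Hosts can join multiple groups.

[production]
server_hostname1

[staging]
server_hostname2

================================================
FILE: provision.yml
================================================
---
# Provisions every host in the "production" inventory group, connecting as root.
# NOTE(review): the ssh role (kept last) sets PermitRootLogin no, so after the
# first successful run this play can no longer connect as root; later runs need
# remote_user set to the created user together with become: true.
- hosts: production
  remote_user: root  # current playbook keyword; the older `user:` spelling is deprecated
  vars:
    # Login name of the administrative user created by the user role.
    username: ashley
    # Crypt hash of that user's sudo password (see README for how to generate one).
    # The value below is committed in clear text; a password hash is still a
    # credential, so keep real values out of VCS -- e.g. store it with
    # `ansible-vault encrypt_string` or supply it via --extra-vars.
    password: '$6$rlLdG6wd1CT8v7i$7psP8l26lmaPhT3cigoYYXhjG28CtD1ifILq9KzvA0W0TH2Hj4.iO43RkPWgJGIi60Mz0CsxWbRVBSQkAY95W0'
    # Local path of the public key installed into the created user's authorized_keys.
    public_key: ~/.ssh/id_rsa.pub
  roles:
    - common
    - ufw
    - user
    - nginx
    - php
    - mariadb
    - wp-cli
    - ssh  # must stay last: it disables root and password logins over SSH

================================================
FILE: roles/common/tasks/main.yml
================================================
---
- name: Upgrade packages
  apt:
    upgrade: safe

# One apt transaction for the whole list instead of a with_items loop.
- name: Install packages
  apt:
    name:
      - fail2ban
      - git-core
      - redis-server
      - ufw
    state: present
    update_cache: true

================================================
FILE: roles/mariadb/handlers/main.yml
================================================

================================================
FILE: roles/mariadb/tasks/main.yml
================================================
---
- name: Install MariaDB
  apt:
    name: mariadb-server
    state: present
    # `force: yes` was dropped: it maps to apt-get --force-yes, which implies
    # allow_unauthenticated and disables package signature verification.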
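================================================
FILE: roles/nginx/handlers/main.yml
================================================
---
- name: restart nginx
  service:
    name: nginx
    state: restarted

- name: reload nginx
  service:
    name: nginx
    state: reloaded

================================================
FILE: roles/nginx/tasks/main.yml
================================================
---
- name: Add Nginx repo
  apt_repository:
    repo: ppa:ondrej/nginx

- name: Install Nginx
  apt:
    name: nginx
    state: present
    update_cache: true
    # `force: yes` was dropped: it maps to apt-get --force-yes, which disables
    # package signature verification.

# The clone below is only done once; /etc/nginx/.git marks an already-provisioned host.
- name: Check Nginx configs exist
  stat:
    path: /etc/nginx/.git
  register: git_exists

# First run only: the stock /etc/nginx is replaced wholesale by the clone below.
- name: Remove default Nginx configs
  file:
    path: /etc/nginx
    state: absent
  when: not git_exists.stat.exists

- name: Clone Nginx configs
  git:
    repo: https://github.com/A5hleyRich/wordpress-nginx.git
    dest: /etc/nginx
    # TODO(review): pin to a tag or commit SHA rather than a moving branch; with
    # `master` every newly provisioned host gets whatever that upstream branch
    # holds at provisioning time, with no way to review the change first.
    version: master
    force: true
  when: not git_exists.stat.exists

- name: Symlink default site
  file:
    src: /etc/nginx/sites-available/default
    dest: /etc/nginx/sites-enabled/default
    state: link
  notify: reload nginx

# NOTE(review): this makes nginx workers run as the same account that holds
# sudo membership and the SSH authorized key (see the user role). A dedicated
# unprivileged account for the web stack would limit the impact of a web-side
# compromise; kept as-is here to preserve the role's behaviour.
- name: Set Nginx user
  lineinfile:
    dest: /etc/nginx/nginx.conf
    regexp: "^user"
    line: "user {{ username }};"
    state: present
  notify: restart nginx

================================================
FILE: roles/php/handlers/main.yml
================================================
---
- name: start php
  service:
    name: php7.4-fpm
    state: started

- name: reload php
  service:
    name: php7.4-fpm
    state: reloaded

- name: restart php
  service:
    name: php7.4-fpm
    state: restarted

================================================
FILE: roles/php/tasks/main.yml
================================================
---
- name: Add PHP repo
  apt_repository:
    repo: ppa:ondrej/php

# One apt transaction for the whole list instead of a with_items loop.
# `force: yes` was dropped: it maps to apt-get --force-yes, which disables
# package signature verification.
- name: Install PHP
  apt:
    name:
      - "php7.4-bcmath"
      - "php7.4-cli"
      - "php7.4-common"
      - "php7.4-curl"
      - "php7.4-fpm"
      - "php7.4-gd"
      - "php7.4-igbinary"
      - "php7.4-imagick"
      - "php7.4-mbstring"
      - "php7.4-mysql"
      - "php7.4-opcache"
      - "php7.4-redis"
      - "php7.4-soap"
      - "php7.4-xml"
      - "php7.4-xmlrpc"
      - "php7.4-zip"
    state: present
    update_cache: true

# The four pool settings below make php-fpm run as, and its socket be owned by,
# the administrative user created by the user role (same caveat as the nginx
# user setting: a dedicated unprivileged account would be the safer choice).
- name: Set PHP user
  lineinfile:
    dest: /etc/php/7.4/fpm/pool.d/www.conf
    regexp: "^user"
    line: "user = {{ username }}"
    state: present
  notify: restart php

- name: Set PHP group
  lineinfile:
    dest: /etc/php/7.4/fpm/pool.d/www.conf
    regexp: "^group"
    line: "group = {{ username }}"
    state: present
  notify: restart php

- name: Set PHP listen owner
  lineinfile:
    dest: /etc/php/7.4/fpm/pool.d/www.conf
    regexp: "^listen\\.owner"
    line: "listen.owner = {{ username }}"
    state: present
  notify: restart php

- name: Set PHP listen group
  lineinfile:
    dest: /etc/php/7.4/fpm/pool.d/www.conf
    regexp: "^listen\\.group"
    line: "listen.group = {{ username }}"
    state: present
  notify: restart php

- name: Set PHP upload max filesize
  lineinfile:
    dest: /etc/php/7.4/fpm/php.ini
    regexp: "^upload_max_filesize"
    line: "upload_max_filesize = 128M"
    state: present
  notify: reload php

- name: Set PHP post max filesize
  lineinfile:
    dest: /etc/php/7.4/fpm/php.ini
    regexp: "^post_max_size"
    line: "post_max_size = 128M"
    state: present
  notify: reload php

================================================
FILE: roles/ssh/handlers/main.yml
================================================
---
- name: restart ssh
  service:
    name: ssh
    state: restarted

================================================
FILE: roles/ssh/tasks/main.yml
================================================
---
# Both edits are validated with `sshd -t` before being written so a typo cannot
# leave the host with an unstartable sshd and no way back in.
# NOTE(review): on releases whose sshd_config contains
# `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in there can take precedence
# over these lines (sshd keeps the first value it reads); check the effective
# settings with `sshd -T` after the play.
- name: Disable root login
  lineinfile:
    dest: /etc/ssh/sshd_config
    # `^#?` matches the commented stock default in place (as the task below
    # already does) instead of appending at EOF, where a trailing `Match` block
    # would otherwise swallow the directive.
    regexp: "^#?PermitRootLogin"
    line: "PermitRootLogin no"
    state: present
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart ssh

- name: Disable password authentication
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
    line: "PasswordAuthentication no"
    state: present
    validate: "/usr/sbin/sshd -t -f %s"
  notify: restart ssh

================================================
FILE: roles/ufw/handlers/main.yml
================================================

================================================
FILE: roles/ufw/tasks/main.yml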
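================================================
---
# The allow rules are added before the firewall is enabled so that SSH access is
# already permitted the moment the default-deny policy takes effect; the original
# order (enable first, allow SSH last) left a window where a failed play would
# leave a host reachable only through the already-open session.
- name: Allow SSH
  ufw:
    # `rule: limit` would additionally rate-limit new SSH connections; kept as
    # `allow` to preserve the role's behaviour.
    rule: allow
    port: "22"
    proto: tcp

- name: Allow HTTP
  ufw:
    rule: allow
    port: "80"
    proto: tcp

- name: Allow HTTPS
  ufw:
    rule: allow
    port: "443"
    proto: tcp

- name: Enable firewall
  ufw:
    state: enabled
    policy: deny

================================================
FILE: roles/user/tasks/main.yml
================================================
---
- name: Ensure sudo group is present
  group:
    name: sudo
    state: present

- name: Ensure sudo group has sudo privileges
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: "^%sudo"
    line: "%sudo ALL=(ALL:ALL) ALL"
    validate: "/usr/sbin/visudo -cf %s"  # reject a bad edit rather than break sudo

# `password` must already be a crypt hash (see provision.yml); update_password:
# always re-applies it on every run.
- name: Create default user
  user:
    name: "{{ username }}"
    groups: sudo
    password: "{{ password }}"
    shell: /bin/bash
    update_password: always
    state: present

# Installs the controller-side public key; this is the only login path left once
# the ssh role disables password authentication.
- name: Add authorized key
  authorized_key:
    user: "{{ username }}"
    key: "{{ lookup('file', public_key) }}"

================================================
FILE: roles/wp-cli/tasks/main.yml
================================================
---
- name: Install WP-CLI
  get_url:
    url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
    dest: /usr/bin/wp
    mode: "0755"  # quoted: a bare 0755 is read as octal 493 by YAML 1.1 loaders
    # TODO(review): this downloads an unversioned build from a moving branch with
    # no integrity check and installs it as a root-owned executable on PATH.
    # Point `url` at a specific release and add
    # `checksum: "sha256:<hash published for that release>"` so a changed
    # upstream file fails the task instead of being installed silently.

- name: Install WP-CLI tab completions
  get_url:
    url: https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash
    dest: /etc/bash_completion.d
    mode: "0644"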