Add ansible roles and playbook to setup LEMP stack

Ansible roles added: * nginx * php * mysql * wordpress Additionally adds a Vagrantfile to setup two machines using the new playbook for testing.
2023-08-17 20:53:23 +02:00 · 2023-08-17 20:53:23 +02:00 · 649e48930e
commit 649e48930e
parent d860eccc4d
15 changed files with 422 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -36,4 +36,7 @@ terraform.rc

 # ---> Ansible
 *.retry
+vault_pass

+# ---> vagrant
+.vagrant
--- a/22
+++ b/22
@ -0,0 +1,22 @@
+VAGRANTFILE_API_VERSION = "2"
+ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  config.vm.box = "ubuntu/jammy64"
+  config.vm.define "web1" do |master|
+    master.vm.hostname = "web1"
+    master.vm.network "forwarded_port", guest: 80, host: 8080
+    master.vm.network "private_network", ip: "192.168.56.2"
+  end
+  config.vm.define "web2" do |master|
+    master.vm.hostname = "web2"
+    master.vm.network "forwarded_port", guest: 80, host: 8081
+    master.vm.network "private_network", ip: "192.168.56.3"
+  end
+  config.vm.provider "virtualbox" do |v|
+    v.memory = 1024
+    v.cpus = 2
+  end
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook = "ansible/playbook.yaml"
+    ansible.vault_password_file = "vault_pass"
+  end
+end
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@ -0,0 +1,19 @@
+---
+- name: Setup LEMP stack
+  hosts: all
+  vars_files:
+    - vault.yaml
+  vars:
+    server_name: wordpress-jr.senecops.com
+    wordpress:
+      dir: /var/www/html/wordpress
+      db_name: wordpress
+      db_user: wp
+      db_pass: 12345678
+    php:
+      version: 8.1
+  roles:
+    - nginx
+    - mysql
+    - php
+    - wordpress
--- a/ansible/roles/mysql/handlers/main.yaml
+++ b/ansible/roles/mysql/handlers/main.yaml
@ -0,0 +1,7 @@
+---
+- name: restart mysql
+  ansible.builtin.service:
+    name: mysql
+    state: restarted
+    enabled: true
+  become: true
--- a/ansible/roles/mysql/tasks/main.yaml
+++ b/ansible/roles/mysql/tasks/main.yaml
@ -0,0 +1,46 @@
+---
+- name: Install relevant packages
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+    name:
+      - mariadb-client
+      - mariadb-server
+      - python3-pymysql
+    state: present
+  become: true
+
+- name: Set new root user password
+  community.mysql.mysql_user:
+    name: root
+    password: "{{ mysql_root_password }}"
+    check_implicit_admin: true
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+  become: true
+
+- name: Create wordpress user with password, grant wordpress permissions
+  community.mysql.mysql_user:
+    state: present
+    name: "{{ wordpress.db_user }}"
+    login_user: root
+    login_password: "{{ mysql_root_password }}"
+    password: "{{ wordpress.db_pass }}"
+    priv:
+      "wordpress.*": "ALL,GRANT"
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+  become: true
+
+- name: Store the config for task indempotency as written in the mysql collection docs
+  ansible.builtin.template:
+    src: "my.cnf.j2"
+    dest: "/root/.my.cnf"
+    mode: "0400"
+  become: true
+  notify: restart mysql
+
+- name: Setup database for wordpress
+  community.mysql.mysql_db:
+    name: "{{ wordpress.db_name }}"
+    state: present
+    login_unix_socket: /var/run/mysqld/mysqld.sock
+  become: true
--- a/ansible/roles/mysql/templates/my.cnf.j2
+++ b/ansible/roles/mysql/templates/my.cnf.j2
@ -0,0 +1,3 @@
+[client]
+user=root
+password={{ mysql_root_password }}
--- a/ansible/roles/nginx/handlers/main.yaml
+++ b/ansible/roles/nginx/handlers/main.yaml
@ -0,0 +1,7 @@
+---
+- name: restart nginx
+  ansible.builtin.service:
+    name: nginx
+    state: restarted
+    enabled: true
+  become: true
--- a/ansible/roles/nginx/tasks/main.yaml
+++ b/ansible/roles/nginx/tasks/main.yaml
@ -0,0 +1,21 @@
+---
+- name: Install packages
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+    name:
+      - nginx
+  become: true
+
+- name: Remove default nginx config
+  ansible.builtin.file:
+    path: "/etc/nginx/sites-enabled/default"
+    state: absent
+  become: true
+
+- name: Copy wordpress nginx config
+  ansible.builtin.template:
+    src: "wordpress.conf.j2"
+    dest: "/etc/nginx/sites-enabled/wordpress.conf"
+  notify: restart nginx
+  become: true
--- a/ansible/roles/nginx/templates/wordpress.conf.j2
+++ b/ansible/roles/nginx/templates/wordpress.conf.j2
@ -0,0 +1,36 @@
+server {
+        listen       80 default_server;
+        server_name  {{ server_name }};
+        root {{ wordpress.dir }};
+				index index.php;
+ 
+	# Deny access to any files with a .php extension in the uploads directory
+        location ~* /(?:uploads|files)/.*\.php$ {
+                deny all;
+        }
+ 
+        location / {
+                try_files $uri $uri/ /index.php?$args;
+        }
+ 
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+                expires max;
+                log_not_found off;
+        }
+ 
+        location ~ \.php$ {
+                try_files $uri =404;
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_index index.php;
+                fastcgi_pass  unix:/var/run/php/wordpress.sock;
+                fastcgi_param   SCRIPT_FILENAME
+                                $document_root$fastcgi_script_name;
+                include       fastcgi_params;
+        }
+
+        location = /robots.txt {
+                allow all;
+                log_not_found off;
+                access_log off;
+        }
+}
--- a/ansible/roles/php/handlers/main.yaml
+++ b/ansible/roles/php/handlers/main.yaml
@ -0,0 +1,5 @@
+---
+- name: restart php-fpm
+  service:
+    name: php{{ php.version }}-fpm
+    state: restarted
--- a/ansible/roles/php/tasks/main.yaml
+++ b/ansible/roles/php/tasks/main.yaml
@ -0,0 +1,40 @@
+---
+- name: Install relevant packages
+  ansible.builtin.apt:
+    cache_valid_time: 3600
+    update_cache: true
+    name:
+      - php{{ php.version }}-cli
+      - php{{ php.version }}-fpm
+      - php{{ php.version }}-mysql
+      - php{{ php.version }}-opcache
+      - php{{ php.version }}-mbstring
+      - php{{ php.version }}-xml
+      - php{{ php.version }}-gd
+      - php{{ php.version }}-curl
+      - php-json
+    state: present
+  become: true
+
+- name: Disable default pool
+  ansible.builtin.command: mv /etc/php/{{ php.version }}/fpm/pool.d/www.conf /etc/php/{{ php.version }}/fpm/pool.d/www.conf.disabled
+  args:
+    creates: /etc/php/{{ php.version }}/fpm/pool.d/www.conf.disabled
+  notify: restart php-fpm
+  become: true
+
+- name: Create socket
+  ansible.builtin.file:
+    path: /var/run/php/wordpress.sock
+    state: touch
+    owner: www-data
+    group: www-data
+  notify: restart php-fpm
+  become: true
+
+- name: Copy php-fpm configuration
+  ansible.builtin.template:
+    src: wordpress.conf.j2
+    dest: "/etc/php/{{ php.version }}/fpm/pool.d/wordpress.conf"
+  notify: restart php-fpm
+  become: true
--- a/ansible/roles/php/templates/wordpress.conf.j2
+++ b/ansible/roles/php/templates/wordpress.conf.j2
@ -0,0 +1,15 @@
+[wordpress]
+listen = /var/run/php/wordpress.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0660
+user = wordpress
+group = wordpress
+pm = dynamic
+pm.max_children = 10
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 500
+chdir = {{ wordpress.dir }}
+php_admin_value[open_basedir] = {{ wordpress.dir }}:/tmp
--- a/ansible/roles/wordpress/tasks/main.yaml
+++ b/ansible/roles/wordpress/tasks/main.yaml
@ -0,0 +1,39 @@
+---
+- name: Download wordpress archive
+  ansible.builtin.get_url:
+    url: https://de.wordpress.org/latest-de_DE.tar.gz
+    dest: /tmp/wordpress.tar.gz
+
+- name: Extract wordpress
+  ansible.builtin.unarchive:
+    src: /tmp/wordpress.tar.gz
+    dest: "{{ wordpress.dir | dirname }}"
+    remote_src: true
+  become: true
+
+- name: Add wordpress group
+  ansible.builtin.group:
+    name: wordpress
+  become: true
+
+- name: Add wordpress user
+  ansible.builtin.user:
+    name: wordpress
+    group: www-data
+  become: true
+
+- name: Add wordpress config
+  ansible.builtin.template:
+    src: "wp-config.php.j2"
+    dest: "{{ wordpress.dir }}/wp-config.php"
+  become: true
+
+- name: Change ownership of wordpress installation
+  ansible.builtin.file:
+    path: "{{ wordpress.dir }}"
+    owner: wordpress
+    group: www-data
+    state: directory
+    recurse: true
+  become: true
+
--- a/ansible/roles/wordpress/templates/wp-config.php.j2
+++ b/ansible/roles/wordpress/templates/wp-config.php.j2
@ -0,0 +1,116 @@
+<?php
+/**
+ * Grundeinstellungen für WordPress
+ *
+ * Diese Datei wird zur Erstellung der wp-config.php verwendet.
+ * Du musst aber dafür nicht das Installationsskript verwenden.
+ * Stattdessen kannst du auch diese Datei als „wp-config.php“ mit
+ * deinen Zugangsdaten für die Datenbank abspeichern.
+ *
+ * Diese Datei beinhaltet diese Einstellungen:
+ *
+ * * Datenbank-Zugangsdaten,
+ * * Tabellenpräfix,
+ * * Sicherheitsschlüssel
+ * * und ABSPATH.
+ *
+ * @link https://wordpress.org/support/article/editing-wp-config-php/
+ *
+ * @package WordPress
+ */
+
+// ** Datenbank-Einstellungen - Diese Zugangsdaten bekommst du von deinem Webhoster. ** //
+/**
+ * Ersetze datenbankname_hier_einfuegen
+ * mit dem Namen der Datenbank, die du verwenden möchtest.
+ */
+define( 'DB_NAME', '{{ wordpress.db_name }}' );
+
+/**
+ * Ersetze benutzername_hier_einfuegen
+ * mit deinem Datenbank-Benutzernamen.
+ */
+define( 'DB_USER', '{{ wordpress.db_user }}' );
+
+/**
+ * Ersetze passwort_hier_einfuegen mit deinem Datenbank-Passwort.
+ */
+define( 'DB_PASSWORD', '{{ wordpress.db_pass }}' );
+
+/**
+ * Ersetze localhost mit der Datenbank-Serveradresse.
+ */
+define( 'DB_HOST', 'localhost' );
+
+/**
+ * Der Datenbankzeichensatz, der beim Erstellen der
+ * Datenbanktabellen verwendet werden soll
+ */
+define( 'DB_CHARSET', 'utf8' );
+
+/**
+ * Der Collate-Type sollte nicht geändert werden.
+ */
+define( 'DB_COLLATE', '' );
+
+/**#@+
+ * Sicherheitsschlüssel
+ *
+ * Ändere jeden untenstehenden Platzhaltertext in eine beliebige,
+ * möglichst einmalig genutzte Zeichenkette.
+ * Auf der Seite {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
+ * kannst du dir alle Schlüssel generieren lassen.
+ *
+ * Du kannst die Schlüssel jederzeit wieder ändern, alle angemeldeten
+ * Benutzer müssen sich danach erneut anmelden.
+ *
+ * @since 2.6.0
+ */
+define( 'AUTH_KEY',         '{{ wordpress_auth_key }}' );
+define( 'SECURE_AUTH_KEY',  '{{ wordpress_secure_auth_key }}' );
+define( 'LOGGED_IN_KEY',    '{{ wordpress_logged_in_key }}' );
+define( 'NONCE_KEY',        '{{ wordpress_nonce_key }}' );
+define( 'AUTH_SALT',        '{{ wordpress_auth_salt }}' );
+define( 'SECURE_AUTH_SALT', '{{ wordpress_secure_auth_salt }}' );
+define( 'LOGGED_IN_SALT',   '{{ wordpress_logged_in_salt }}' );
+define( 'NONCE_SALT',       '{{ wordpress_nonce_salt }}' );
+
+/**#@-*/
+
+/**
+ * WordPress Datenbanktabellen-Präfix
+ *
+ * Wenn du verschiedene Präfixe benutzt, kannst du innerhalb einer Datenbank
+ * verschiedene WordPress-Installationen betreiben.
+ * Bitte verwende nur Zahlen, Buchstaben und Unterstriche!
+ */
+$table_prefix = 'wp_';
+
+/**
+ * Für Entwickler: Der WordPress-Debug-Modus.
+ *
+ * Setze den Wert auf „true“, um bei der Entwicklung Warnungen und Fehler-Meldungen angezeigt zu bekommen.
+ * Plugin- und Theme-Entwicklern wird nachdrücklich empfohlen, WP_DEBUG
+ * in ihrer Entwicklungsumgebung zu verwenden.
+ *
+ * Besuche den Codex, um mehr Informationen über andere Konstanten zu finden,
+ * die zum Debuggen genutzt werden können.
+ *
+ * @link https://wordpress.org/support/article/debugging-in-wordpress/
+ */
+define( 'WP_DEBUG', false );
+
+/* Füge individuelle Werte zwischen dieser Zeile und der „Schluss mit dem Bearbeiten“ Zeile ein. */
+
+
+
+/* Das war’s, Schluss mit dem Bearbeiten! Viel Spaß. */
+/* That's all, stop editing! Happy publishing. */
+
+/** Der absolute Pfad zum WordPress-Verzeichnis. */
+if ( ! defined( 'ABSPATH' ) ) {
+	define( 'ABSPATH', __DIR__ . '/' );
+}
+
+/** Definiert WordPress-Variablen und fügt Dateien ein.  */
+require_once ABSPATH . 'wp-settings.php';
--- a/ansible/vault.yaml
+++ b/ansible/vault.yaml
@ -0,0 +1,43 @@
+$ANSIBLE_VAULT;1.1;AES256
+32613037373933666161383738313531306336633666333332383066316566363033616237303436
+6632323331346634316630646566393639376339653334630a333861613934623337383839333031
+34356237636465646537616661643234316533633735343233383230386665303935313065656662
+3130386366643061390a396266336231633265663762653330306238313431343537356263316664
+31373063623535653232373863633864643364633137363130643865646266306634633939396139
+31353431393831383531633862336533303731346133633864343938383632336639373065613062
+31633438643633623462316232313437396631313163653539616166373530646530633530336461
+31376236316639356365323366306634373235643638653433303638653631666461353064666431
+34393165653730316237353439336531383865373462386232313635313436333862346339633235
+37393839356461323730353261303462663230303734313036346430373434376631626232626639
+39306665356139663730356238346634653561326662353331613064316363373339313562666339
+62363232306331373432393339303663306331663737633534623332616238343938373531616231
+66366464353134363139376635643366386530373963336566626136383031373634343866363130
+36383930396334376561653564623439366230646361633738323763336466343938363339646464
+31613936306133666366373065363062633337616131386137343366326131303365366265643032
+62646434356135653031373039636333346135646261643834643439656361653031663634636564
+66666234333364386436356265343635393664346131653035623961343266666339313763363237
+62306139323336326463326230313630643337353535313239393130373735346466353335613032
+35396538396566326137316161333032363330653434363637366430396331333065336564373366
+36323832643535663065316438393734353435363536643033326134396465383863363265373230
+64626639346330306466656636323834353664353863373537393862326366343062313535326363
+63353933366235663364333234636235633037303732366663383538616535623635326663356230
+61626561383735623035366563393639373037646631336164323561313763326163636466636434
+66663935303339313338396436353632653062396563623664336264313265376262386537356432
+30366137323037653038656365666239666136666239323133333632623864663364303330623166
+64323332356539313933646564303864346535376536316335653735393037386164343536313939
+65376539643334633834656537646532323135326639353663633365343666313231346164663131
+32306334396537306633393632343033336437373666643561343166316334623261663361653436
+30616162623534313336313865316134613032386638303261383739383135363135316337666234
+39363130306633646631373934326436313630366133363033326164343463333934633835383036
+31613731356630363866386462363932633737363861626535306435366162663533316365353561
+35666336616336386639366364363736663762636231386664333030373234653738356435306530
+32333664383734353633366137303837393835306637663665623330323065613731623165633532
+65373135346636303531353830656563633063383138336433376234636434353064376463643366
+32636565336237373166333134396532616166626135613662636566313936383130353039336539
+30656265373364396334346539376431373439393634323833633336643435623166393766336432
+31386330636365383438356639356161333535623632616366653933313834373664326464373238
+62323637333939356332643461303630353064336631646337373239383031373733663037376634
+30366337303263653035356264363332653535336466363737343166363966353935366137383861
+30306131616336333430663239393030626166646432653033633837633139333031663939373135
+37313438333661373330663735633565653364336138323135636532363665646136336132393739
+3934333330316564643237643434333230306161633230623939