# Hetzner HA WordPress

This repository contains scripts and configuration files to set up a highly available (HA) WordPress instance on Hetzner Cloud infrastructure. The aim of this project is to provide a robust and scalable solution for hosting a WordPress website with high availability.

## Table of Contents

- [Features](#features)
- [Requirements](#requirements)
- [Deployment](#deployment)
- [Testing](#testing)
- [Future work](#future-work)
- [License](#license)

## Features

- Automated deployment of cloud infrastructure via [Terraform](https://www.terraform.io/)
- Automated provisioning of the servers with [Ansible](https://www.ansible.com/)
- A Hetzner TCP load balancer forwards to the load balancer server
- The load balancer server terminates TLS, automatically renews the Let's Encrypt certificates and load-balances requests between application servers using [Caddy](https://caddyserver.com/)
- WordPress files are replicated between machines with [GlusterFS](https://www.gluster.org/)
- The MySQL database is running on the load balancer for now, since this is the only server allowed to fail

## Requirements

Before you begin, ensure you have the following:

- A Hetzner Cloud account and API token
- A recent installation of [Ansible](https://www.ansible.com/)
- The latest version of the Ansible community collection, installed with `ansible-galaxy collection install community.general`
- A recent installation of [Terraform](https://developer.hashicorp.com/terraform/downloads)

## Deployment

The whole deployment is done from one Ansible playbook. The playbook deploys the cloud infrastructure with Terraform and provisions the different servers. At the end, the public IPs are removed with Terraform.
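The deployment steps put two secrets in play: the hcloud token in `HCLOUD_TOKEN` and the vault password in the `vault_pass` file. The following is an added example, not part of this repository: the hypothetical helpers `write_vault_file` and `preflight` (with `file_mode`) write the password file with mode 600 from stdin and check the token, the file mode and the git-ignore status. It assumes `vault_pass` is meant to stay out of version control; source the file, run `write_vault_file vault_pass`, then `preflight vault_pass` before `ansible-playbook`.

```shell
#!/bin/sh
# Added example, not part of this repository: handle the two deployment
# secrets (HCLOUD_TOKEN and the vault_pass file) without leaking them.

# Permission bits of a file in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Read the vault password from stdin and write it to file $1 with mode 600.
# The password stays out of the shell history and the process list, and the
# file is never readable by other users.
write_vault_file() {
    (
        umask 077
        if [ -t 0 ]; then stty -echo; fi   # no echo when typed at a terminal
        rc=0
        IFS= read -r pw || rc=$?
        if [ -t 0 ]; then stty echo; fi
        [ "$rc" -eq 0 ] && [ -n "$pw" ] || exit 1
        rm -f -- "$1"                      # drop a stale copy with wider permissions
        printf '%s\n' "$pw" > "$1"
    )
}

# Check the token in the environment and the vault password file $1.
# Prints one line per finding; returns 0 only when there are none.
preflight() {
    f="$1"; bad=0
    if [ -z "${HCLOUD_TOKEN:-}" ]; then
        echo "HCLOUD_TOKEN is not set"; bad=1
    fi
    if [ ! -s "$f" ]; then
        echo "$f is missing or empty"; return 1
    fi
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f has mode $mode, expected 600"; bad=1 ;;
    esac
    dir=$(dirname "$f")
    # Inside a git work tree the file must be ignored; a tracked file also fails.
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       ! git -C "$dir" check-ignore -q -- "$(basename "$f")"; then
        echo "$f is not ignored by git"; bad=1
    fi
    return "$bad"
}
```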

Change into the ansible folder:

```bash
cd ansible
```

Export the hcloud token as an environment variable:

```bash
export HCLOUD_TOKEN=""
```

Write the terraform vault password to a file so that you do not have to type it on every run:

```bash
echo "" > vault_pass
```

Deploy the infrastructure. This can take several minutes on the first run.

```bash
ansible-playbook playbook.yaml --vault-password-file vault_pass
```

To verify that everything is set up, you can use the [hcloud CLI](https://github.com/hetznercloud/cli).

```bash
hcloud server list
```

You should see three running webservers and one loadbalancer.

## Testing

To test the provisioning with Ansible, Vagrant is used. The secrets are stored in an [ansible vault](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html). Vagrant expects them in a password file `vault_pass` in the root of the repo. This file is not included for obvious reasons. Please ask the project maintainer if you need the vault password.

Launch the VirtualBox machines from the repository root folder:

```bash
vagrant up
```

For subsequent tests of the playbook, run:

```bash
vagrant provision
```

To connect to a specific machine, run:

```bash
vagrant ssh web1
```

## Future work

- Use an external secret provider
- Store the terraform state remotely
- Monitoring and alerting

## License

Hetzner HA WordPress is licensed under the [MIT License](https://opensource.org/license/MIT/).