jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-07-27 00:05:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2021-12-01 19:13

Browse Source
This commit is contained in:
Daniel Berteaud
2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
roles/wordpress/defaults/main.yml Normal file
View File

@@ -0,0 +1,51 @@
---
# Uniq ID of this instance
wp_id: 1
# Root dir where wordpress will be installed
wp_root_dir: /opt/wordpress_{{ wp_id }}
# Should ansible handle upgrades or just initial install
wp_manage_upgrade: True
# Version of PHP to use
wp_php_version: 74
# Unix account which will run PHP scripts
wp_php_user: php-wp_{{ wp_id }}
# Default language to install
wp_locale: fr_FR
# If defined, an alias will be configured in apache conf. Else, you need to
# define a vhost to access it
wp_alias: /wordpress_{{ wp_id }}
# Public URL of wordpress
wp_public_url: http://{{ inventory_hostname }}{{ wp_alias | default('/') }}
# Restrict web access by IP address. If empty, no restriction
wp_src_ip: []
# Max size of attachments
wp_upload_max_filesize: 100M
# A php fpm pool will be configured. Alternatively, you can create your own pool
# and use it by setting wp_php_fpm_pool
# wp_php_fpm_pool: php74
# Database settings
wp_db_server: "{{ mysql_server | default('localhost') }}"
wp_db_port: 3306
wp_db_name: wordpress_{{ wp_id }}
wp_db_user: wordpress_{{ wp_id }}
# If not defined, a random password will be generated
# wp_db_pass: S3Cr3t.
wp_table_prefix: wp_
# Initial admin account to create
wp_admin_user: wpadmin
wp_admin_email: "{{ system_admin_email | default('root@' + ansible_domain) }}"
wp_admin_pass: password

1
roles/wordpress/handlers/main.yml Normal file
View File

@@ -0,0 +1 @@
---

8
roles/wordpress/meta/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
allow_duplicates: True
dependencies:
- role: mkdir
- role: httpd_php
- role: mysql_server
when: wp_db_server == 'localhost' or wp_db_server == '127.0.0.1'
...

7
roles/wordpress/tasks/archive_post.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- import_tasks: ../includes/webapps_compress_archive.yml
vars:
- root_dir: "{{ wp_root_dir }}"
- version: "{{ wp_current_version }}"
tags: wp

9
roles/wordpress/tasks/archive_pre.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- import_tasks: ../includes/webapps_archive.yml
vars:
- root_dir: "{{ wp_root_dir }}"
- version: "{{ wp_current_version }}"
- db_name: "{{ wp_db_name }}"
tags: wp

21
roles/wordpress/tasks/conf.yml Normal file
View File

@@ -0,0 +1,21 @@
---
- import_tasks: ../includes/webapps_webconf.yml
vars:
- app_id: wordpress_{{ wp_id }}
- php_version: "{{ wp_php_version }}"
- php_fpm_pool: "{{ wp_php_fpm_pool | default('') }}"
tags: wp
- import_tasks: ../includes/webapps_create_mysql_db.yml
vars:
- db_name: "{{ wp_db_name }}"
- db_user: "{{ wp_db_user }}"
- db_server: "{{ wp_db_server }}"
- db_pass: "{{ wp_db_pass }}"
tags: wp
- name: Deploy wp configuration
template: src=wp-config.php.j2 dest={{ wp_root_dir }}/web/wp-config.php owner={{ wp_php_user }} group={{ wp_php_user }} mode=660
tags: wp

24
roles/wordpress/tasks/directories.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: Create directory structure
file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
with_items:
- dir: "{{ wp_root_dir }}"
- dir: "{{ wp_root_dir }}/web"
owner: "{{ wp_php_user }}"
group: "{{ wp_php_user }}"
- dir: "{{ wp_root_dir }}/tmp"
owner: "{{ wp_php_user }}"
group: "{{ wp_php_user }}"
mode: 700
- dir: "{{ wp_root_dir }}/sessions"
owner: "{{ wp_php_user }}"
group: "{{ wp_php_user }}"
mode: 700
- dir: "{{ wp_root_dir }}/meta"
mode: 700
- dir: "{{ wp_root_dir }}/backup"
mode: 700
- dir: "{{ wp_root_dir }}/archives"
mode: 700
tags: wp

93
roles/wordpress/tasks/facts.yml Normal file
View File

@@ -0,0 +1,93 @@
---
- block:
- set_fact: wp_install_mode='none'
- set_fact: wp_installed=False
- set_fact: wp_current_version=''
- set_fact: wp_version=''
tags: wp
- name: Install wp-cli
yum:
name:
- wp-cli
tags: wp
- name: Check if wordpress is installed
command: php{{ wp_php_version }} /usr/bin/wp core is-installed
args:
chdir: "{{ wp_root_dir }}/web"
become_user: "{{ wp_php_user }}"
failed_when: False
changed_when: False
register: wp_installed
tags: wp
- name: Set install mode
set_fact: wp_install_mode='install'
when: wp_installed.rc != 0
tags: wp
- when: wp_manage_upgrade == True and wp_installed.rc == 0
tags: wp
block:
- name: Check if an update is available
shell: "php{{ wp_php_version }} /usr/bin/wp core check-update | grep -q 'Success: WordPress is at the latest version'"
args:
chdir: "{{ wp_root_dir }}/web"
become_user: "{{ wp_php_user }}"
changed_when: False
failed_when: False
register: wp_check_new_version
- name: Set upgrade mode
set_fact: wp_install_mode='upgrade'
when: wp_check_new_version.rc != 0
- name: Register current version
command: php{{ wp_php_version }} /usr/bin/wp core version
args:
chdir: "{{ wp_root_dir }}/web"
become_user: "{{ wp_php_user }}"
changed_when: False
register: wp_current_version
- set_fact: wp_current_version={{ wp_current_version.stdout }}
- when: wp_db_pass is not defined
tags: wp
block:
- import_tasks: ../includes/get_rand_pass.yml
vars:
- pass_file: "{{ wp_root_dir }}/meta/ansible_dbpass"
- set_fact: wp_db_pass={{ rand_pass }}
- name: Check is secrets have been created
stat: path={{ wp_root_dir }}/meta/ansible_{{ item }}
register: wp_secrets_files
loop:
- AUTH_KEY
- SECURE_AUTH_KEY
- LOGGED_IN_KEY
- NONCE_KEY
- AUTH_SALT
- SECURE_AUTH_SALT
- LOGGED_IN_SALT
- NONCE_SALT
- WP_CACHE_KEY_SALT
tags: wp
- name: Create missing secrets
shell: curl https://api.wordpress.org/secret-key/1.1/salt | perl -ne '/^define\(.{{ item.item }}.\s*,\s*.(.*).\s*\);/ && print "$1"' > {{ wp_root_dir }}/meta/ansible_{{ item.item }}
args:
creates: " {{ wp_root_dir }}/meta/ansible_{{ item.item }}"
warn: False
loop: "{{ wp_secrets_files.results }}"
when: not item.stat.exists
tags: wp
- name: Read secrets
command: cat {{ wp_root_dir }}/meta/ansible_{{ item.item }}
register: wp_secrets
changed_when: False
loop: "{{ wp_secrets_files.results }}"
tags: wp

78
roles/wordpress/tasks/install.yml Normal file
View File

@@ -0,0 +1,78 @@
---
- import_tasks: ../includes/webapps_webconf.yml
vars:
- app_id: wordpress_{{ wp_id }}
- php_version: "{{ wp_php_version }}"
- php_fpm_pool: "{{ wp_php_fpm_pool | default('') }}"
tags: wp
- when: wp_install_mode == 'install'
tags: wp
become_user: "{{ wp_php_user }}"
block:
- name: Download wordpress
command: php{{ wp_php_version }} /usr/bin/wp core download --locale={{ wp_locale }}
failed_when: False # Ignore failure, it might have been downloaded previously
args:
chdir: "{{ wp_root_dir }}/web"
- name: Install wordpress
command: >
php{{ wp_php_version }} /usr/bin/wp core install
--url={{ wp_public_url }}
--title=Wordpress
--admin_user={{ wp_admin_user }}
--admin_email={{ wp_admin_email }}
--admin_password='{{ wp_admin_pass }}'
--skip-email
args:
chdir: "{{ wp_root_dir }}/web"
- when: wp_install_mode == 'upgrade'
tags: wp
become_user: "{{ wp_php_user }}"
block:
- name: Upgrade wordpress
command: php{{ wp_php_version }} /usr/bin/wp core update
args:
chdir: "{{ wp_root_dir }}/web"
- name: Upgrade database
command: php{{ wp_php_version }} /usr/bin/wp core update-db
args:
chdir: "{{ wp_root_dir }}/web"
- name: Upgrade locales, plugins and themes
shell: |
php{{ wp_php_version }} /usr/bin/wp core language update
php{{ wp_php_version }} /usr/bin/wp plugin update --all
php{{ wp_php_version }} /usr/bin/wp theme update --all
php{{ wp_php_version }} /usr/bin/wp language plugin update --all
php{{ wp_php_version }} /usr/bin/wp language theme update --all
args:
chdir: "{{ wp_root_dir }}/web"
- name: Set correct SELinux context
sefcontext:
target: "{{ wp_root_dir }}(/.*)?"
setype: httpd_sys_content_t
when: ansible_selinux.status == 'enabled'
tags: wp
- name: Deploy permission script
template: src=perms.sh.j2 dest={{ wp_root_dir }}/perms.sh mode=755
register: wp_perms_script
tags: wp
- name: Set permissions
command: "{{ wp_root_dir }}/perms.sh"
when: wp_install_mode != 'none' or wp_perms_script.changed
tags: wp
- name: Deploy pre/post backup hooks
template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/wordpress_{{ wp_id }} mode=750
loop:
- pre
- post
tags: wp

11
roles/wordpress/tasks/main.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- include: user.yml
- include: directories.yml
- include: facts.yml
- include: archive_pre.yml
when: wp_install_mode == 'upgrade'
- include: conf.yml
- include: install.yml
- include: archive_post.yml
when: wp_install_mode == 'upgrade'

7
roles/wordpress/tasks/user.yml Normal file
View File

@@ -0,0 +1,7 @@
---
- import_tasks: ../includes/create_system_user.yml
vars:
- user: "{{ wp_php_user }}"
- comment: "PHP FPM for wordpress {{ wp_id }}"
tags: wp

36
roles/wordpress/templates/httpd.conf.j2 Normal file
View File

@@ -0,0 +1,36 @@
{% if wp_alias is defined %}
Alias /{{ wp_alias }} {{ wp_root_dir }}/web
{% else %}
# No alias defined, create a vhost to access it
{% endif %}
<Directory {{ wp_root_dir }}/web>
AllowOverride All
Options FollowSymLinks
{% if wp_src_ip | length > 0 %}
Require ip {{ wp_src_ip | join(' ') }}
{% else %}
Require all granted
{% endif %}
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php-fpm/{{ wp_php_fpm_pool | default('wp_' + wp_id | string) }}.sock|fcgi://localhost"
</FilesMatch>
<FilesMatch "(\.ansible_version|\.git.*|wp-config.php)">
Require all denied
</FilesMatch>
</Directory>
<Directory {{ wp_root_dir }}/web/wp-content>
<Files *.htacess>
Require all denied
</Files>
<FilesMatch "\.(jhtml|jnlp|jvs|jws|php|exe|src|bin|sh|pl|swf)$">
order allow,deny
deny from all
</FilesMatch>
<FilesMatch \.php$>
SetHandler None
</FilesMatch>
</Directory>

4
roles/wordpress/templates/perms.sh.j2 Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/bash -e
restorecon -R {{ wp_root_dir }}
chown -R {{ wp_php_user }}:{{ wp_php_user }} {{ wp_root_dir }}/{web,sessions,tmp}

35
roles/wordpress/templates/php.conf.j2 Normal file
View File

@@ -0,0 +1,35 @@
[wp_{{ wp_id }}]
listen.owner = root
listen.group = apache
listen.mode = 0660
listen = /run/php-fpm/wp_{{ wp_id }}.sock
user = {{ wp_php_user }}
group = {{ wp_php_user }}
catch_workers_output = yes
pm = dynamic
pm.max_children = 15
pm.start_servers = 3
pm.min_spare_servers = 3
pm.max_spare_servers = 6
pm.max_requests = 5000
request_terminate_timeout = 5m
php_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[error_log] = syslog
php_admin_value[memory_limit] = 256M
php_admin_value[session.save_path] = {{ wp_root_dir }}/sessions
php_admin_value[upload_tmp_dir] = {{ wp_root_dir }}/tmp
php_admin_value[sys_temp_dir] = {{ wp_root_dir }}/tmp
php_admin_value[post_max_size] = {{ wp_upload_max_filesize }}
php_admin_value[upload_max_filesize] = {{ wp_upload_max_filesize }}
php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
php_admin_value[open_basedir] = {{ wp_root_dir }}:/usr/share/pear/:/usr/share/php/
php_admin_value[max_execution_time] = 120
php_admin_value[max_input_time] = 60
php_admin_flag[allow_url_include] = off
php_admin_flag[allow_url_fopen] = off
php_admin_flag[file_uploads] = on
php_admin_flag[session.cookie_httponly] = on

3
roles/wordpress/templates/post-backup.sh.j2 Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
rm -f {{ wp_root_dir }}/backup/*

14
roles/wordpress/templates/pre-backup.sh.j2 Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
set -eo pipefail
/usr/bin/mysqldump \
{% if not wp_db_server in ['localhost', '127.0.0.1'] %}
--user={{ wp_db_user }} \
--password={{ wp_db_pass | quote }} \
--host={{ wp_db_server }} \
--port={{ wp_db_port }} \
{% endif %}
--quick --single-transaction \
--add-drop-table {{ wp_db_name }} | zstd -c > {{ wp_root_dir }}/backup/{{ wp_db_name }}.sql.zst

37
roles/wordpress/templates/wp-config.php.j2 Normal file
View File

@@ -0,0 +1,37 @@
<?php
// {{ ansible_managed }}
define('DB_NAME', '{{ wp_db_name }}');
define('DB_USER', '{{ wp_db_user }}');
define('DB_PASSWORD', '{{ wp_db_pass }}');
define('DB_HOST', '{{ wp_db_server }}');
define('DB_PORT', '{{ wp_db_port }}');
define('DB_CHARSET', 'utf8mb4');
{% for secret in wp_secrets.results %}
define('{{ secret.item.item }}', '{{ wp_secrets.results | selectattr('item','equalto',secret.item) | map(attribute='stdout') | first | string }}');
{% endfor %}
$table_prefix = '{{ wp_table_prefix }}';
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
define('WP_TEMP_DIR','{{ wp_root_dir }}/tmp');
define('DISALLOW_FILE_EDIT',true);
if ( (!empty( $_SERVER['HTTP_X_FORWARDED_HOST'])) ||
(!empty( $_SERVER['HTTP_X_FORWARDED_FOR'])) ) {
// http://wordpress.org/support/topic/wordpress-behind-reverse-proxy-1
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
// When running behind a reverse proxy doing the SSL endpoint
if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
$_SERVER['HTTPS'] = 'on';
}
define('FS_METHOD','direct');
require_once ABSPATH . 'wp-settings.php';