Update to 2021-12-01 19:13

roles/wordpress/templates/httpd.conf.j2

@@ -0,0 +1,36 @@
+{% if wp_alias is defined %}
+Alias /{{ wp_alias }} {{ wp_root_dir }}/web
+{% else %}
+# No alias defined, create a vhost to access it
+{% endif %}
+
+<Directory {{ wp_root_dir }}/web>
+  AllowOverride All
+  Options FollowSymLinks
+{% if wp_src_ip | length > 0 %}
+  Require ip {{ wp_src_ip | join(' ') }}
+{% else %}
+  Require all granted
+{% endif %}
+  <FilesMatch \.php$>
+    SetHandler "proxy:unix:/run/php-fpm/{{ wp_php_fpm_pool | default('wp_' + wp_id | string) }}.sock|fcgi://localhost"
+  </FilesMatch>
+
+  <FilesMatch "(\.ansible_version|\.git.*|wp-config.php)">
+    Require all denied
+  </FilesMatch>
+</Directory>
+
+<Directory {{ wp_root_dir }}/web/wp-content>
+  <Files *.htacess>
+    Require all denied
+  </Files>
+  <FilesMatch "\.(jhtml|jnlp|jvs|jws|php|exe|src|bin|sh|pl|swf)$">
+    order allow,deny
+    deny from all
+  </FilesMatch>
+  <FilesMatch \.php$>
+    SetHandler None
+  </FilesMatch>
+</Directory>
+

roles/wordpress/templates/perms.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash -e
+
+restorecon -R {{ wp_root_dir }}
+chown -R {{ wp_php_user }}:{{ wp_php_user }} {{ wp_root_dir }}/{web,sessions,tmp}

roles/wordpress/templates/php.conf.j2

@@ -0,0 +1,35 @@
+[wp_{{ wp_id }}]
+
+listen.owner = root
+listen.group = apache
+listen.mode = 0660
+listen = /run/php-fpm/wp_{{ wp_id }}.sock
+user = {{ wp_php_user }}
+group = {{ wp_php_user }}
+catch_workers_output = yes
+
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 3
+pm.min_spare_servers = 3
+pm.max_spare_servers = 6
+pm.max_requests = 5000
+request_terminate_timeout = 5m
+
+php_flag[display_errors] = off
+php_admin_flag[log_errors] = on
+php_admin_value[error_log] = syslog
+php_admin_value[memory_limit] = 256M
+php_admin_value[session.save_path] = {{ wp_root_dir }}/sessions
+php_admin_value[upload_tmp_dir] = {{ wp_root_dir }}/tmp
+php_admin_value[sys_temp_dir] = {{ wp_root_dir }}/tmp
+php_admin_value[post_max_size] = {{ wp_upload_max_filesize }}
+php_admin_value[upload_max_filesize] = {{ wp_upload_max_filesize }}
+php_admin_value[disable_functions] = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
+php_admin_value[open_basedir] = {{ wp_root_dir }}:/usr/share/pear/:/usr/share/php/
+php_admin_value[max_execution_time] = 120
+php_admin_value[max_input_time] = 60
+php_admin_flag[allow_url_include] = off
+php_admin_flag[allow_url_fopen] = off
+php_admin_flag[file_uploads] = on
+php_admin_flag[session.cookie_httponly] = on

roles/wordpress/templates/post-backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f {{ wp_root_dir }}/backup/*

roles/wordpress/templates/pre-backup.sh.j2

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -eo pipefail
+
+/usr/bin/mysqldump \
+{% if not wp_db_server in ['localhost', '127.0.0.1'] %}
+    --user={{ wp_db_user }} \
+    --password={{ wp_db_pass | quote }} \
+    --host={{ wp_db_server }} \
+    --port={{ wp_db_port }} \
+{% endif %}
+    --quick --single-transaction \
+    --add-drop-table {{ wp_db_name }} | zstd -c > {{ wp_root_dir }}/backup/{{ wp_db_name }}.sql.zst
+

roles/wordpress/templates/wp-config.php.j2

@@ -0,0 +1,37 @@
+<?php
+
+// {{ ansible_managed }}
+
+define('DB_NAME', '{{ wp_db_name }}');
+define('DB_USER', '{{ wp_db_user }}');
+define('DB_PASSWORD', '{{ wp_db_pass }}');
+define('DB_HOST', '{{ wp_db_server }}');
+define('DB_PORT', '{{ wp_db_port }}');
+define('DB_CHARSET', 'utf8mb4');
+
+{% for secret in wp_secrets.results %}
+define('{{ secret.item.item }}', '{{ wp_secrets.results | selectattr('item','equalto',secret.item) | map(attribute='stdout') | first | string }}');
+{% endfor %}
+
+$table_prefix = '{{ wp_table_prefix }}';
+
+if ( ! defined( 'ABSPATH' ) ) {
+  define( 'ABSPATH', dirname( __FILE__ ) . '/' );
+}
+
+define('WP_TEMP_DIR','{{ wp_root_dir }}/tmp');
+
+define('DISALLOW_FILE_EDIT',true);
+if ( (!empty( $_SERVER['HTTP_X_FORWARDED_HOST'])) ||
+     (!empty( $_SERVER['HTTP_X_FORWARDED_FOR'])) ) {
+  // http://wordpress.org/support/topic/wordpress-behind-reverse-proxy-1
+  $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
+}
+// When running behind a reverse proxy doing the SSL endpoint
+if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https'){
+  $_SERVER['HTTPS'] = 'on';
+}
+define('FS_METHOD','direct');
+
+require_once ABSPATH . 'wp-settings.php';
+