feat: v2.5.0 - Complete Technology & Security Update
Features: - PHP 8.4 support (from 8.3) - WordPress 7.0 (auto-update via WP-CLI) - Modern TLS 1.3 cipher suites (2026 best practices) - Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive) - Auto-update cron job for WordPress (weekly Minor updates) - Debian 14 Forky support (testing) - Ubuntu 25.04 support - Python 3.12 in GitHub Actions Security: - Fail2Ban with SSH brute force protection (24h ban) - WordPress wp-login.php protection (2h ban) - Nginx bot scanner protection - Recidive jail for repeat offenders (1 week ban) - Modern TLS ciphers (AEAD only) - HSTS 2 years for preload Documentation: - docs/autoupdate.md - WordPress auto-update guide - docs/fail2ban.md - Fail2Ban configuration guide - docs/troubleshooting.md - Updated with php_version variable Breaking changes: - PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
This commit is contained in:
0
playbooks/lemp-wordpress-ultimate.yml
Normal file → Executable file
0
playbooks/lemp-wordpress-ultimate.yml
Normal file → Executable file
75
playbooks/lemp-wordpress.yml
Normal file → Executable file
75
playbooks/lemp-wordpress.yml
Normal file → Executable file
@@ -80,6 +80,9 @@
|
||||
# These variables come from inventory/production.yml
|
||||
# wp_admin_user, wp_admin_password, wp_admin_email, wp_site_title
|
||||
|
||||
# Auto-Update Configuration
|
||||
update_cron_enabled: true
|
||||
|
||||
tasks:
|
||||
# Package Installation
|
||||
- name: Update package cache
|
||||
@@ -342,6 +345,73 @@
|
||||
Admin Email: {{ wp_admin_email }}
|
||||
tags: wp-install
|
||||
|
||||
# WordPress Auto-Update Setup
|
||||
- name: Create update script directory
|
||||
file:
|
||||
path: /var/backups/wordpress
|
||||
state: directory
|
||||
mode: '0755'
|
||||
tags: update
|
||||
|
||||
- name: Deploy WordPress update script
|
||||
copy:
|
||||
src: ../scripts/wp-update.sh
|
||||
dest: /usr/local/bin/wp-update.sh
|
||||
mode: '0755'
|
||||
tags: update
|
||||
|
||||
- name: Configure WordPress auto-update settings
|
||||
command: >
|
||||
wp option update auto_update_core_minor enabled
|
||||
--allow-root
|
||||
environment:
|
||||
HOME: "{{ wordpress_path }}"
|
||||
ignore_errors: yes
|
||||
tags: update
|
||||
|
||||
- name: Set up cron job for WordPress updates
|
||||
cron:
|
||||
name: wordpress-weekly-update
|
||||
job: "/usr/local/bin/wp-update.sh --minor --no-backup >> /var/log/wp-update.log 2>&1"
|
||||
minute: "0"
|
||||
hour: "4"
|
||||
weekday: "0"
|
||||
user: "root"
|
||||
when: update_cron_enabled | default(true) | bool
|
||||
tags: update
|
||||
|
||||
# Fail2Ban Security
|
||||
- name: Deploy Fail2Ban configuration
|
||||
template:
|
||||
src: ../templates/fail2ban.j2
|
||||
dest: /etc/fail2ban/jail.local
|
||||
mode: '0644'
|
||||
notify: restart fail2ban
|
||||
tags: fail2ban
|
||||
|
||||
- name: Deploy WordPress Fail2Ban filter
|
||||
copy:
|
||||
src: ../templates/fail2ban-wordpress-filter.conf
|
||||
dest: /etc/fail2ban/filter.d/wordpress-login.conf
|
||||
mode: '0644'
|
||||
notify: restart fail2ban
|
||||
tags: fail2ban
|
||||
|
||||
- name: Ensure Fail2Ban service is running
|
||||
service:
|
||||
name: fail2ban
|
||||
state: started
|
||||
enabled: yes
|
||||
tags: fail2ban
|
||||
|
||||
- name: Display Fail2Ban status info
|
||||
debug:
|
||||
msg: |
|
||||
Fail2Ban security enabled!
|
||||
Jails: sshd, nginx-http-auth, nginx-botsearch, wordpress-login, recidive
|
||||
Use: fail2ban-client status to see banned IPs
|
||||
tags: fail2ban
|
||||
|
||||
handlers:
|
||||
- name: restart nginx
|
||||
service:
|
||||
@@ -353,6 +423,11 @@
|
||||
name: "{{ php_fpm_service }}"
|
||||
state: restarted
|
||||
|
||||
- name: restart fail2ban
|
||||
service:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
|
||||
- name: restart mysql
|
||||
service:
|
||||
name: "{{ mysql_service }}"
|
||||
|
||||
Reference in New Issue
Block a user