feat: v2.5.0 - Complete Technology & Security Update

Features:
- PHP 8.4 support (from 8.3)
- WordPress 7.0 (auto-update via WP-CLI)
- Modern TLS 1.3 cipher suites (2026 best practices)
- Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive)
- Auto-update cron job for WordPress (weekly Minor updates)
- Debian 14 Forky support (testing)
- Ubuntu 25.04 support
- Python 3.12 in GitHub Actions

Security:
- Fail2Ban with SSH brute force protection (24h ban)
- WordPress wp-login.php protection (2h ban)
- Nginx bot scanner protection
- Recidive jail for repeat offenders (1 week ban)
- Modern TLS ciphers (AEAD only)
- HSTS 2 years for preload

Documentation:
- docs/autoupdate.md - WordPress auto-update guide
- docs/fail2ban.md - Fail2Ban configuration guide
- docs/troubleshooting.md - Updated with php_version variable

Breaking changes:
- PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
This commit is contained in:
Sebastian Palencsar
2026-05-04 19:37:27 +02:00
parent 2045307d1d
commit dffd8e3b76
41 changed files with 754 additions and 74 deletions

75
playbooks/lemp-wordpress.yml Normal file → Executable file
View File

@@ -80,6 +80,9 @@
# These variables come from inventory/production.yml
# wp_admin_user, wp_admin_password, wp_admin_email, wp_site_title
# Auto-Update Configuration
update_cron_enabled: true
tasks:
# Package Installation
- name: Update package cache
@@ -342,6 +345,73 @@
Admin Email: {{ wp_admin_email }}
tags: wp-install
# WordPress Auto-Update Setup
- name: Create update script directory
file:
path: /var/backups/wordpress
state: directory
mode: '0755'
tags: update
- name: Deploy WordPress update script
copy:
src: ../scripts/wp-update.sh
dest: /usr/local/bin/wp-update.sh
mode: '0755'
tags: update
- name: Configure WordPress auto-update settings
command: >
wp option update auto_update_core_minor enabled
--allow-root
environment:
HOME: "{{ wordpress_path }}"
ignore_errors: yes
tags: update
- name: Set up cron job for WordPress updates
cron:
name: wordpress-weekly-update
job: "/usr/local/bin/wp-update.sh --minor --no-backup >> /var/log/wp-update.log 2>&1"
minute: "0"
hour: "4"
weekday: "0"
user: "root"
when: update_cron_enabled | default(true) | bool
tags: update
# Fail2Ban Security
- name: Deploy Fail2Ban configuration
template:
src: ../templates/fail2ban.j2
dest: /etc/fail2ban/jail.local
mode: '0644'
notify: restart fail2ban
tags: fail2ban
- name: Deploy WordPress Fail2Ban filter
copy:
src: ../templates/fail2ban-wordpress-filter.conf
dest: /etc/fail2ban/filter.d/wordpress-login.conf
mode: '0644'
notify: restart fail2ban
tags: fail2ban
- name: Ensure Fail2Ban service is running
service:
name: fail2ban
state: started
enabled: yes
tags: fail2ban
- name: Display Fail2Ban status info
debug:
msg: |
Fail2Ban security enabled!
Jails: sshd, nginx-http-auth, nginx-botsearch, wordpress-login, recidive
Use: fail2ban-client status to see banned IPs
tags: fail2ban
handlers:
- name: restart nginx
service:
@@ -353,6 +423,11 @@
name: "{{ php_fpm_service }}"
state: restarted
- name: restart fail2ban
service:
name: fail2ban
state: restarted
- name: restart mysql
service:
name: "{{ mysql_service }}"