feat: v2.0.0 production-ready release with Redis, OPcache and Nginx optimizations
This commit is contained in:
272
docs/vault.md
Normal file
272
docs/vault.md
Normal file
@@ -0,0 +1,272 @@
|
||||
# Ansible Vault Security Guide
|
||||
|
||||
This guide explains how to use Ansible Vault to securely manage passwords and sensitive data in your WordPress deployment.
|
||||
|
||||
## What is Ansible Vault?
|
||||
|
||||
Ansible Vault is a feature that allows you to encrypt sensitive data like passwords, API keys, and certificates, so they can be safely stored in version control systems like Git.
|
||||
|
||||
## Why Use Ansible Vault?
|
||||
|
||||
**Without Vault (Insecure):**
|
||||
```yaml
|
||||
# production.yml - INSECURE!
|
||||
mysql_root_password: "my-secret-password" # Visible to everyone
|
||||
```
|
||||
|
||||
**With Vault (Secure):**
|
||||
```yaml
|
||||
# production.yml - SECURE!
|
||||
mysql_root_password: "{{ vault_mysql_root_password }}" # References encrypted value
|
||||
|
||||
# group_vars/all/vault.yml - ENCRYPTED!
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
66633030613... # Encrypted content
|
||||
```
|
||||
|
||||
## Quick Setup Guide
|
||||
|
||||
### 1. Create the Vault Structure
|
||||
|
||||
```bash
|
||||
# Create directories
|
||||
mkdir -p group_vars/all/
|
||||
|
||||
# Create encrypted vault file
|
||||
ansible-vault create group_vars/all/vault.yml
|
||||
```
|
||||
|
||||
You'll be prompted to enter a vault password. **Remember this password!**
|
||||
|
||||
### 2. Add Encrypted Passwords
|
||||
|
||||
In the vault editor, add your sensitive data:
|
||||
|
||||
```yaml
|
||||
# Content of group_vars/all/vault.yml (will be encrypted)
|
||||
vault_mysql_root_password: "your-super-secure-mysql-password"
|
||||
vault_wordpress_db_password: "your-secure-wp-db-password"
|
||||
vault_wp_admin_password: "your-secure-admin-password"
|
||||
```
|
||||
|
||||
### 3. Update Your Inventory
|
||||
|
||||
Modify your `inventory/production.yml` to reference vault variables:
|
||||
|
||||
```yaml
|
||||
wordpress_servers:
|
||||
hosts:
|
||||
your-server.example.com:
|
||||
# ... other settings ...
|
||||
|
||||
# Database - Using vault variables
|
||||
mysql_root_password: "{{ vault_mysql_root_password }}"
|
||||
wordpress_db_password: "{{ vault_wordpress_db_password }}"
|
||||
|
||||
# WordPress Admin - Using vault variables
|
||||
wp_admin_password: "{{ vault_wp_admin_password }}"
|
||||
```
|
||||
|
||||
### 4. Deploy with Vault
|
||||
|
||||
```bash
|
||||
# Deploy and provide vault password
|
||||
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass
|
||||
|
||||
# Or store vault password in a file (keep secure!)
|
||||
echo "your-vault-password" > .vault_password
|
||||
chmod 600 .vault_password
|
||||
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --vault-password-file .vault_password
|
||||
```
|
||||
|
||||
## Vault File Management
|
||||
|
||||
### View Encrypted Content
|
||||
```bash
|
||||
ansible-vault view group_vars/all/vault.yml
|
||||
```
|
||||
|
||||
### Edit Encrypted Content
|
||||
```bash
|
||||
ansible-vault edit group_vars/all/vault.yml
|
||||
```
|
||||
|
||||
### Change Vault Password
|
||||
```bash
|
||||
ansible-vault rekey group_vars/all/vault.yml
|
||||
```
|
||||
|
||||
### Encrypt Existing File
|
||||
```bash
|
||||
ansible-vault encrypt group_vars/all/vault.yml
|
||||
```
|
||||
|
||||
### Decrypt File (Temporarily)
|
||||
```bash
|
||||
ansible-vault decrypt group_vars/all/vault.yml
|
||||
# Edit the file
|
||||
ansible-vault encrypt group_vars/all/vault.yml
|
||||
```
|
||||
|
||||
## Complete Example
|
||||
|
||||
### Project Structure
|
||||
```
|
||||
ansible-lemp-wordpress/
|
||||
├── inventory/
|
||||
│ └── production.yml # References vault variables
|
||||
├── group_vars/
|
||||
│ └── all/
|
||||
│ └── vault.yml # Encrypted passwords
|
||||
├── playbooks/
|
||||
│ └── lemp-wordpress.yml
|
||||
└── .vault_password # Optional: vault password file
|
||||
```
|
||||
|
||||
### Example Vault File
|
||||
```yaml
|
||||
# group_vars/all/vault.yml (encrypted)
|
||||
vault_mysql_root_password: "MySecure123!@#Root"
|
||||
vault_wordpress_db_password: "WordPressDB456$%^"
|
||||
vault_wp_admin_password: "AdminPass789&*()"
|
||||
vault_ssl_email: "admin@yourcompany.com"
|
||||
```
|
||||
|
||||
### Example Inventory
|
||||
```yaml
|
||||
# inventory/production.yml
|
||||
wordpress_servers:
|
||||
hosts:
|
||||
web1.yourcompany.com:
|
||||
ansible_host: 192.168.1.100
|
||||
ansible_user: ubuntu
|
||||
domain_name: yoursite.com
|
||||
|
||||
# SSL Configuration
|
||||
ssl_enabled: true
|
||||
ssl_email: "{{ vault_ssl_email }}"
|
||||
|
||||
# Database (using vault)
|
||||
mysql_root_password: "{{ vault_mysql_root_password }}"
|
||||
wordpress_db_name: "wordpress"
|
||||
wordpress_db_user: "wp_user"
|
||||
wordpress_db_password: "{{ vault_wordpress_db_password }}"
|
||||
|
||||
# WordPress Admin (using vault)
|
||||
wp_admin_user: "admin"
|
||||
wp_admin_password: "{{ vault_wp_admin_password }}"
|
||||
wp_admin_email: "{{ vault_ssl_email }}"
|
||||
wp_site_title: "My Company Website"
|
||||
```
|
||||
|
||||
## Security Best Practices
|
||||
|
||||
### 1. Vault Password Management
|
||||
- **Never commit the vault password to Git**
|
||||
- Use a strong, unique password for your vault
|
||||
- Consider using a password manager
|
||||
- For teams, use external secret management systems
|
||||
|
||||
### 2. File Permissions
|
||||
```bash
|
||||
# Secure vault password file
|
||||
chmod 600 .vault_password
|
||||
|
||||
# Add to .gitignore
|
||||
echo ".vault_password" >> .gitignore
|
||||
```
|
||||
|
||||
### 3. Git Configuration
|
||||
```bash
|
||||
# Add vault file to Git (it's encrypted, so it's safe)
|
||||
git add group_vars/all/vault.yml
|
||||
|
||||
# But never add the password file
|
||||
echo ".vault_password" >> .gitignore
|
||||
git add .gitignore
|
||||
```
|
||||
|
||||
### 4. Team Collaboration
|
||||
For teams, consider these approaches:
|
||||
|
||||
**Option 1: Shared Vault Password**
|
||||
- Share vault password through secure channels (encrypted email, password manager)
|
||||
- Each team member stores password locally
|
||||
|
||||
**Option 2: External Secret Management**
|
||||
- Use HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault
|
||||
- Ansible can integrate with these systems
|
||||
|
||||
## Deployment Commands
|
||||
|
||||
### Basic Deployment
|
||||
```bash
|
||||
# Standard deployment with vault
|
||||
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass
|
||||
```
|
||||
|
||||
### Ultimate Performance Deployment
|
||||
```bash
|
||||
# Ultimate deployment with vault
|
||||
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.yml --ask-vault-pass
|
||||
```
|
||||
|
||||
### Using Password File
|
||||
```bash
|
||||
# With password file (for automation)
|
||||
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --vault-password-file .vault_password
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### "Decryption failed" Error
|
||||
- Check that you're using the correct vault password
|
||||
- Verify the vault file isn't corrupted: `ansible-vault view group_vars/all/vault.yml`
|
||||
|
||||
### "Variable not found" Error
|
||||
- Ensure vault variables are properly referenced in inventory
|
||||
- Check variable names match exactly (case sensitive)
|
||||
- Verify vault file is in the correct location
|
||||
|
||||
### Permission Denied
|
||||
- Check file permissions: `ls -la group_vars/all/vault.yml`
|
||||
- Ensure Ansible can read the vault file
|
||||
|
||||
## Migration from Plain Text
|
||||
|
||||
If you have existing plain text passwords in your inventory:
|
||||
|
||||
1. **Create vault file:**
|
||||
```bash
|
||||
ansible-vault create group_vars/all/vault.yml
|
||||
```
|
||||
|
||||
2. **Move passwords to vault:**
|
||||
```yaml
|
||||
# Add to vault.yml
|
||||
vault_mysql_root_password: "your-existing-password"
|
||||
```
|
||||
|
||||
3. **Update inventory:**
|
||||
```yaml
|
||||
# Change in production.yml
|
||||
mysql_root_password: "{{ vault_mysql_root_password }}"
|
||||
```
|
||||
|
||||
4. **Test deployment:**
|
||||
```bash
|
||||
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass --check
|
||||
```
|
||||
|
||||
## Conclusion
|
||||
|
||||
Ansible Vault provides a secure way to manage sensitive data while keeping it version-controlled. While it adds complexity, it's essential for production deployments where security is paramount.
|
||||
|
||||
For simple testing or development, plain text passwords in inventory files may be acceptable, but always use Vault for production environments.
|
||||
|
||||
---
|
||||
|
||||
**Next Steps:**
|
||||
- [Production Deployment Guide](production-deployment.md)
|
||||
- [SSL Setup Guide](ssl-setup.md)
|
||||
- [Security Best Practices](../SECURITY.md)
|
||||
Reference in New Issue
Block a user