Compare commits
23 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
da2f0876dd | ||
|
|
cfb63da386 | ||
|
|
55193c7bd4 | ||
|
|
2aa5480d17 | ||
|
|
168c59f3ea | ||
|
|
58ffb82378 | ||
|
|
38241f82e3 | ||
|
|
9eac2c2057 | ||
|
|
feb6a2c962 | ||
|
|
619205e0a8 | ||
|
|
1361466dfe | ||
|
|
1fa863f107 | ||
|
|
605b4e8c7b | ||
|
|
e5b0a80bb2 | ||
|
|
c2b4181756 | ||
|
|
9f8e4d980b | ||
|
|
d0781f2102 | ||
|
|
a9d3c851a4 | ||
|
|
451cdad6e9 | ||
|
|
2e219d928a | ||
|
|
d52c996414 | ||
|
|
81567aa91c | ||
|
|
dffd8e3b76 |
0
.ansible-lint
Normal file → Executable file
0
.ansible-lint
Normal file → Executable file
0
.github/ISSUE_TEMPLATE/bug_report.yml
vendored
Normal file → Executable file
0
.github/ISSUE_TEMPLATE/bug_report.yml
vendored
Normal file → Executable file
0
.github/ISSUE_TEMPLATE/documentation.yml
vendored
Normal file → Executable file
0
.github/ISSUE_TEMPLATE/documentation.yml
vendored
Normal file → Executable file
0
.github/ISSUE_TEMPLATE/feature_request.yml
vendored
Normal file → Executable file
0
.github/ISSUE_TEMPLATE/feature_request.yml
vendored
Normal file → Executable file
0
.github/pull_request_template.md
vendored
Normal file → Executable file
0
.github/pull_request_template.md
vendored
Normal file → Executable file
63
.github/workflows/ci-cd.yml
vendored
Normal file → Executable file
63
.github/workflows/ci-cd.yml
vendored
Normal file → Executable file
@@ -1,12 +1,16 @@
|
||||
name: CI/CD Pipeline
|
||||
# Updated: Removed systemd, using SSH-based testing for better stability
|
||||
# Updated: Dynamic tag for release, CodeQL v4, Node.js 24 support
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ main, develop ]
|
||||
tags: [ 'v*' ]
|
||||
pull_request:
|
||||
branches: [ main ]
|
||||
|
||||
env:
|
||||
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
name: Lint Ansible Playbooks
|
||||
@@ -14,12 +18,12 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v4
|
||||
uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: '3.11'
|
||||
python-version: '3.12'
|
||||
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
@@ -38,8 +42,13 @@ jobs:
|
||||
|
||||
- name: Validate Ansible syntax
|
||||
run: |
|
||||
mkdir -p test-inventory
|
||||
cat > test-inventory/hosts <<EOF
|
||||
[all]
|
||||
localhost ansible_connection=local
|
||||
EOF
|
||||
for playbook in playbooks/*.yml; do
|
||||
ansible-playbook --syntax-check "$playbook"
|
||||
ansible-playbook -i test-inventory/hosts --syntax-check "$playbook"
|
||||
done
|
||||
|
||||
test-ubuntu:
|
||||
@@ -48,14 +57,22 @@ jobs:
|
||||
needs: lint
|
||||
strategy:
|
||||
matrix:
|
||||
ubuntu_version: ['20.04', '22.04', '24.04']
|
||||
include:
|
||||
- ubuntu_version: '22.04'
|
||||
allow_failure: false
|
||||
- ubuntu_version: '24.04'
|
||||
allow_failure: false
|
||||
- ubuntu_version: '25.04'
|
||||
allow_failure: true
|
||||
|
||||
continue-on-error: ${{ matrix.allow_failure }}
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v4
|
||||
uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: '3.11'
|
||||
|
||||
@@ -77,7 +94,7 @@ jobs:
|
||||
echo "Testing syntax for all playbooks..."
|
||||
for playbook in playbooks/*.yml; do
|
||||
echo "Checking $playbook..."
|
||||
ansible-playbook "$playbook" --syntax-check
|
||||
ansible-playbook -i test-inventory/hosts "$playbook" --syntax-check
|
||||
done
|
||||
|
||||
- name: Test variable loading
|
||||
@@ -93,10 +110,10 @@ jobs:
|
||||
run: |
|
||||
echo "Testing basic container setup for Ubuntu ${{ matrix.ubuntu_version }}..."
|
||||
docker run --rm ubuntu:${{ matrix.ubuntu_version }} /bin/bash -c "
|
||||
export DEBIAN_FRONTEND=noninteractive &&
|
||||
apt-get update &&
|
||||
apt-get install -y python3 python3-apt &&
|
||||
python3 --version &&
|
||||
set -e &&
|
||||
grep '^NAME=' /etc/os-release &&
|
||||
grep '^VERSION_ID=' /etc/os-release &&
|
||||
bash --version > /dev/null &&
|
||||
echo 'Ubuntu ${{ matrix.ubuntu_version }} container test successful'"
|
||||
|
||||
|
||||
@@ -110,7 +127,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
@@ -121,7 +138,7 @@ jobs:
|
||||
output: 'trivy-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3 # Updated to v3 to fix deprecated v2 warning
|
||||
uses: github/codeql-action/upload-sarif@v4
|
||||
if: always()
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
@@ -130,23 +147,21 @@ jobs:
|
||||
name: Create Release
|
||||
runs-on: ubuntu-latest
|
||||
needs: [test-ubuntu, security-scan]
|
||||
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
|
||||
if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v5
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Get latest tag
|
||||
- name: Get current tag
|
||||
id: get_tag
|
||||
run: |
|
||||
# Get the latest tag, default to v1.0.0 if none exist
|
||||
latest_tag=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
|
||||
echo "latest_tag=$latest_tag" >> $GITHUB_OUTPUT
|
||||
echo "Found latest tag: $latest_tag"
|
||||
echo "latest_tag=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
|
||||
echo "Using tag: ${GITHUB_REF_NAME}"
|
||||
|
||||
- name: Generate changelog
|
||||
run: |
|
||||
@@ -159,8 +174,8 @@ jobs:
|
||||
- name: Create Release
|
||||
uses: softprops/action-gh-release@v2
|
||||
with:
|
||||
tag_name: v1.1.0
|
||||
name: Release v1.1.0 - Multilingual & Stability Improvements
|
||||
tag_name: ${{ steps.get_tag.outputs.latest_tag }}
|
||||
name: Release ${{ steps.get_tag.outputs.latest_tag }}
|
||||
body_path: CHANGELOG_RELEASE.md
|
||||
draft: false
|
||||
prerelease: false
|
||||
|
||||
0
.gitignore
vendored
Normal file → Executable file
0
.gitignore
vendored
Normal file → Executable file
0
.yamllint.yml
Normal file → Executable file
0
.yamllint.yml
Normal file → Executable file
64
CHANGELOG.md
Normal file → Executable file
64
CHANGELOG.md
Normal file → Executable file
@@ -5,6 +5,68 @@ All notable changes to this project will be documented in this file.
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [2.5.0] - 2026-05-04 - Fail2Ban Security
|
||||
|
||||
### Added
|
||||
- Fail2Ban integration in playbooks
|
||||
- fail2ban jail.local template with SSH, Nginx, WordPress jails
|
||||
- WordPress wp-login.php protection filter
|
||||
- fail2ban documentation (`docs/fail2ban.md`)
|
||||
|
||||
### Security Jails
|
||||
- sshd: SSH brute force protection (24h ban)
|
||||
- nginx-http-auth: HTTP Auth failures
|
||||
- nginx-botsearch: Bot scanners
|
||||
- wordpress-login: WordPress login protection
|
||||
- recidive: Repeat offenders (1 week ban)
|
||||
|
||||
### Changed
|
||||
- fail2ban package added to system packages
|
||||
- Incremental bans enabled for repeat offenders
|
||||
|
||||
## [2.4.0] - 2026-05-04 - Auto-Update Feature
|
||||
|
||||
### Added
|
||||
- WordPress auto-update script (`scripts/wp-update.sh`)
|
||||
- Automated weekly minor updates via cron
|
||||
- WP-CLI update automation in playbooks
|
||||
- Auto backup before updates
|
||||
- Auto-update documentation (`docs/autoupdate.md`)
|
||||
|
||||
### Changed
|
||||
- Minor updates enabled by default (recommended for production)
|
||||
|
||||
### Security
|
||||
- Automatic database and file backups before updates
|
||||
|
||||
## [2.3.0] - 2026-05-04 - Security & Maintenance Update
|
||||
|
||||
### Changed
|
||||
- Modern TLS cipher suites (2026 best practices) - AEAD ciphers only
|
||||
- TLS session handling improved (ssl_session_tickets off, 1d timeout)
|
||||
- HSTS max-age increased to 63072000 (2 years for preload)
|
||||
- Docker description updated with PHP 8.4
|
||||
|
||||
### Security
|
||||
- Removed deprecated ciphers (CBC mode, static RSA)
|
||||
- Only TLS 1.2 + 1.3 with forward secrecy
|
||||
|
||||
## [2.2.0] - 2026-05-04 - OS Compatibility Update
|
||||
|
||||
### Changed
|
||||
- Debian 14 "Forky" support (testing/upcoming)
|
||||
- Ubuntu 25.04 added to CI/CD test matrix
|
||||
- Python 3.12 in GitHub Actions (from 3.11)
|
||||
|
||||
## [2.1.0] - 2026-05-04 - Technology Update
|
||||
|
||||
### Changed
|
||||
- PHP 8.4 support (from 8.3) with property hooks, asymmetric visibility, and performance improvements
|
||||
- WordPress 7.0 as default (from 6.x) with Notes feature, Command Palette, and Abilities API
|
||||
- Ubuntu 25.04 compatibility (Plucky Puffin interim release)
|
||||
- Debian 13 "Trixie" compatibility (current stable)
|
||||
- Updated OS compatibility matrix in all documentation
|
||||
|
||||
## [2.0.0] - 2025-06-21 - Production-Ready Release
|
||||
|
||||
### Added
|
||||
@@ -62,7 +124,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- Contributing guidelines and troubleshooting guide
|
||||
- Docker testing environment
|
||||
- Multi-environment support (Docker, VMs, bare metal)
|
||||
- Ubuntu/Debian support (20.04, 22.04, 24.04, Debian 11, 12)
|
||||
- Ubuntu/Debian support (22.04, 24.04, 25.04, Debian 12, 13, 14)
|
||||
- 🌍 Multilingual documentation (German, Hungarian translations)
|
||||
- 🧪 Simplified and robust CI/CD testing approach
|
||||
- 📝 Professional language navigation in README
|
||||
|
||||
0
CONTRIBUTING.md
Normal file → Executable file
0
CONTRIBUTING.md
Normal file → Executable file
20
README.md
Normal file → Executable file
20
README.md
Normal file → Executable file
@@ -3,10 +3,10 @@
|
||||
🚀 **Production-ready, fully automated LEMP stack (Linux, Nginx, MySQL, PHP) + WordPress deployment using Ansible**
|
||||
|
||||
[](https://opensource.org/licenses/MIT)
|
||||
[](https://ubuntu.com/)
|
||||
[](https://debian.org/)
|
||||
[](https://ubuntu.com/)
|
||||
[](https://debian.org/)
|
||||
[](https://www.ansible.com/)
|
||||
[](https://wordpress.org/)
|
||||
[](https://wordpress.org/)
|
||||
|
||||
## 🌐 Other Languages
|
||||
|
||||
@@ -19,8 +19,8 @@
|
||||
✅ **Complete LEMP Stack Installation**
|
||||
- Nginx web server with production-ready optimization
|
||||
- MySQL 8.0+ with secure setup and performance tuning
|
||||
- PHP 8.3+ with FPM, OPcache and WordPress extensions
|
||||
- Ubuntu/Debian family support (20.04, 22.04, 24.04, Debian 11, 12)
|
||||
- PHP 8.4+ with FPM, OPcache and WordPress extensions
|
||||
- Ubuntu/Debian family support (22.04, 24.04, 25.04, Debian 12, 13, 14)
|
||||
|
||||
### 🛡️ WordPress & Security
|
||||
✅ **WordPress Automation & Security**
|
||||
@@ -49,7 +49,7 @@
|
||||
### Prerequisites
|
||||
|
||||
- **Control Machine**: Ansible 6.0+ installed
|
||||
- **Target Server**: Ubuntu 20.04+ or Debian 11+ with SSH access and sudo privileges
|
||||
- **Target Server**: Ubuntu 22.04+ or Debian 12+ with SSH access and sudo privileges
|
||||
- **Network**: SSH access (port 22) and web access (ports 80/443)
|
||||
|
||||
### 1. Clone Repository
|
||||
@@ -212,7 +212,7 @@ nginx_optimization_enabled: true
|
||||
```
|
||||
### Server Requirements
|
||||
|
||||
- **OS**: Ubuntu 20.04+ or Debian 11+
|
||||
- **OS**: Ubuntu 22.04+ or Debian 12+
|
||||
- **RAM**: Minimum 1GB (2GB+ recommended for Ultimate mode)
|
||||
- **Storage**: Minimum 10GB free space
|
||||
- **Network**: SSH access + web ports (80/443)
|
||||
@@ -297,9 +297,11 @@ ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.y
|
||||
|
||||
| OS | Version | Status | Notes |
|
||||
|---|---|---|---|
|
||||
| Ubuntu | 25.04 | ✅ Supported | Interim release |
|
||||
| Ubuntu | 24.04 LTS | ✅ Fully Tested | Recommended |
|
||||
| Ubuntu | 22.04 LTS | ✅ Fully Tested | Recommended |
|
||||
| Ubuntu | 20.04 LTS | ✅ Supported | Tested |
|
||||
| Ubuntu | 22.04 LTS | ✅ Supported | Legacy support |
|
||||
| Debian | 14 | 🔶 Testing | Forky (upcoming) |
|
||||
| Debian | 13 | ✅ Supported | Current stable |
|
||||
| Debian | 12 | ✅ Supported | Compatible |
|
||||
| Debian | 11 | ✅ Supported | Compatible |
|
||||
|
||||
|
||||
0
SECURITY.md
Normal file → Executable file
0
SECURITY.md
Normal file → Executable file
41
docker/Dockerfile
Normal file → Executable file
41
docker/Dockerfile
Normal file → Executable file
@@ -14,12 +14,15 @@ RUN mkdir -p /var/run/sshd /var/log/supervisor \
|
||||
&& echo 'ansible ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
|
||||
|
||||
# Install base system packages in a single layer
|
||||
RUN apt-get update && apt-get upgrade -y && apt-get install -y \
|
||||
# Core system
|
||||
RUN apt-get update && apt-get upgrade -y && apt-get install -y \
|
||||
# Core system
|
||||
ca-certificates \
|
||||
gnupg \
|
||||
lsb-release \
|
||||
apt-transport-https \
|
||||
software-properties-common \
|
||||
# SSH and system control
|
||||
openssh-server \
|
||||
sudo \
|
||||
@@ -50,23 +53,23 @@ RUN apt-get update && apt-get install -y \
|
||||
# Web server
|
||||
nginx \
|
||||
# Database
|
||||
mysql-server \
|
||||
mysql-client \
|
||||
mariadb-server \
|
||||
mariadb-client \
|
||||
# PHP and extensions
|
||||
php8.3 \
|
||||
php8.3-fpm \
|
||||
php8.3-cli \
|
||||
php8.3-mysql \
|
||||
php8.3-gd \
|
||||
php8.3-xml \
|
||||
php8.3-mbstring \
|
||||
php8.3-curl \
|
||||
php8.3-zip \
|
||||
php8.3-intl \
|
||||
php8.3-soap \
|
||||
php8.3-xmlrpc \
|
||||
php8.3-opcache \
|
||||
php8.3-redis \
|
||||
php8.4 \
|
||||
php8.4-fpm \
|
||||
php8.4-cli \
|
||||
php8.4-mysql \
|
||||
php8.4-gd \
|
||||
php8.4-xml \
|
||||
php8.4-mbstring \
|
||||
php8.4-curl \
|
||||
php8.4-zip \
|
||||
php8.4-intl \
|
||||
php8.4-soap \
|
||||
php8.4-xmlrpc \
|
||||
php8.4-opcache \
|
||||
php8.4-redis \
|
||||
# Security and monitoring
|
||||
fail2ban \
|
||||
ufw \
|
||||
@@ -84,8 +87,8 @@ RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/
|
||||
# Configure systemd
|
||||
RUN systemctl enable ssh \
|
||||
&& systemctl enable nginx \
|
||||
&& systemctl enable mysql \
|
||||
&& systemctl enable php8.3-fpm
|
||||
&& systemctl enable mysql mariadb \
|
||||
&& systemctl enable php8.4-fpm
|
||||
|
||||
# Create web directory structure
|
||||
RUN mkdir -p /var/www/html \
|
||||
@@ -111,6 +114,6 @@ CMD ["/usr/local/bin/start-services.sh"]
|
||||
|
||||
# Labels for metadata
|
||||
LABEL org.opencontainers.image.title="LEMP WordPress Testing Environment"
|
||||
LABEL org.opencontainers.image.description="Ubuntu 24.04 with Nginx, MySQL, PHP 8.3 for WordPress testing"
|
||||
LABEL org.opencontainers.image.description="Ubuntu 24.04 LTS with Nginx, MySQL, PHP 8.4 for WordPress testing"
|
||||
LABEL org.opencontainers.image.version="1.0"
|
||||
LABEL org.opencontainers.image.licenses="MIT"
|
||||
|
||||
0
docker/docker-compose.yml
Normal file → Executable file
0
docker/docker-compose.yml
Normal file → Executable file
6
docker/start-services.sh
Normal file → Executable file
6
docker/start-services.sh
Normal file → Executable file
@@ -1,11 +1,11 @@
|
||||
#!/bin/bash
|
||||
# Services für LEMP-Stack starten
|
||||
|
||||
# MySQL starten
|
||||
service mysql start
|
||||
# MySQL/MariaDB starten
|
||||
service mysql start || service mariadb start
|
||||
|
||||
# PHP-FPM starten
|
||||
service php8.3-fpm start
|
||||
service php8.4-fpm start
|
||||
|
||||
# Nginx starten
|
||||
service nginx start
|
||||
|
||||
8
docs/PROJECT_OVERVIEW.md
Normal file → Executable file
8
docs/PROJECT_OVERVIEW.md
Normal file → Executable file
@@ -70,8 +70,8 @@ ansible-lemp-wordpress/
|
||||
## 🚀 Supported Environments
|
||||
|
||||
### Operating Systems
|
||||
- ✅ **Ubuntu** 20.04, 22.04, 24.04 LTS (fully tested)
|
||||
- ✅ **Debian** 11, 12 (compatible)
|
||||
- ✅ **Ubuntu** 22.04, 24.04, 25.04 (fully tested)
|
||||
- ✅ **Debian** 12, 13, 14 (compatible)
|
||||
|
||||
### Deployment Targets
|
||||
- ✅ **Docker** containers (development/testing with included setup)
|
||||
@@ -86,7 +86,7 @@ ansible-lemp-wordpress/
|
||||
|---------|------------|---------------|
|
||||
| Nginx Web Server | ✅ | ✅ (optimized) |
|
||||
| MySQL Database | ✅ | ✅ (tuned) |
|
||||
| PHP 8.3+ | ✅ | ✅ (with OPcache) |
|
||||
| PHP 8.4+ | ✅ | ✅ (with OPcache) |
|
||||
| WordPress + WP-CLI | ✅ | ✅ |
|
||||
| SSL/HTTPS Support | ✅ | ✅ |
|
||||
| Security Hardening | ✅ | ✅ |
|
||||
@@ -180,7 +180,7 @@ ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.y
|
||||
|
||||
- **Total Files**: ~30 (clean, focused codebase)
|
||||
- **Lines of Code**: ~2,000 (Ansible YAML, Jinja2, Documentation)
|
||||
- **Supported OS**: Ubuntu 20.04/22.04/24.04, Debian 11/12
|
||||
- **Supported OS**: Ubuntu 22.04/24.04/25.04, Debian 12/13/14
|
||||
- **Deployment Modes**: 2 (Basic + Ultimate)
|
||||
- **Templates**: 5 (production-tested)
|
||||
- **Documentation Pages**: 9 comprehensive guides (README + 8 in docs/)
|
||||
|
||||
17
docs/README.de.md
Normal file → Executable file
17
docs/README.de.md
Normal file → Executable file
@@ -3,8 +3,8 @@
|
||||
🚀 **Produktionsreife, vollautomatisierte LEMP-Stack (Linux, Nginx, MySQL, PHP) + WordPress-Bereitstellung mit Ansible**
|
||||
|
||||
[](https://opensource.org/licenses/MIT)
|
||||
[](https://ubuntu.com/)
|
||||
[](https://debian.org/)
|
||||
[](https://ubuntu.com/)
|
||||
[](https://debian.org/)
|
||||
[](https://www.ansible.com/)
|
||||
[](https://wordpress.org/)
|
||||
|
||||
@@ -19,8 +19,8 @@
|
||||
✅ **Komplette LEMP-Stack-Installation**
|
||||
- Nginx-Webserver mit produktionsreifer Optimierung
|
||||
- MySQL 8.0+ mit sicherer Einrichtung und Performance-Tuning
|
||||
- PHP 8.3+ mit FPM, OPcache und WordPress-Erweiterungen
|
||||
- Ubuntu/Debian-Familie Unterstützung (20.04, 22.04, 24.04, Debian 11, 12)
|
||||
- PHP 8.4+ mit FPM, OPcache und WordPress-Erweiterungen
|
||||
- Ubuntu/Debian-Familie Unterstützung (22.04, 24.04, 25.04, Debian 12, 13, 14)
|
||||
|
||||
### 🛡️ WordPress & Sicherheit
|
||||
✅ **WordPress-Automatisierung & Sicherheit**
|
||||
@@ -49,7 +49,7 @@
|
||||
### Voraussetzungen
|
||||
|
||||
- **Ansible** 6.0+ auf Ihrem lokalen Rechner
|
||||
- **Ubuntu/Debian-Server** (20.04+, Debian 11+)
|
||||
- **Ubuntu/Debian-Server** (22.04+, Debian 12+)
|
||||
- **SSH-Zugang** zu Ihren Zielservern
|
||||
- **sudo-Berechtigung** auf Zielservern
|
||||
|
||||
@@ -213,7 +213,7 @@ nginx_optimization_enabled: true
|
||||
|
||||
### Server-Anforderungen
|
||||
|
||||
- **OS**: Ubuntu 20.04+ oder Debian 11+
|
||||
- **OS**: Ubuntu 22.04+ oder Debian 12+
|
||||
- **RAM**: Mindestens 1GB (2GB+ empfohlen für Ultimate Modus)
|
||||
- **Speicher**: Mindestens 10GB freier Speicherplatz
|
||||
- **Netzwerk**: SSH-Zugang + Web-Ports (80/443)
|
||||
@@ -296,11 +296,12 @@ ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.y
|
||||
|
||||
| OS | Version | Status | Hinweise |
|
||||
|---|---|---|---|
|
||||
| Ubuntu | 25.04 | ✅ Unterstützt | Interim Release |
|
||||
| Ubuntu | 24.04 LTS | ✅ Vollständig getestet | Empfohlen |
|
||||
| Ubuntu | 22.04 LTS | ✅ Vollständig getestet | Empfohlen |
|
||||
| Ubuntu | 20.04 LTS | ✅ Unterstützt | Getestet |
|
||||
| Debian | 14 | 🔶 Testing | Forky (bevorstehend) |
|
||||
| Debian | 13 | ✅ Unterstützt | Aktuell stabil |
|
||||
| Debian | 12 | ✅ Unterstützt | Kompatibel |
|
||||
| Debian | 11 | ✅ Unterstützt | Kompatibel |
|
||||
|
||||
## 📚 Dokumentation
|
||||
|
||||
|
||||
17
docs/README.hu.md
Normal file → Executable file
17
docs/README.hu.md
Normal file → Executable file
@@ -3,8 +3,8 @@
|
||||
🚀 **Termelésre kész, teljesen automatizált LEMP stack (Linux, Nginx, MySQL, PHP) + WordPress telepítés Ansible-lel**
|
||||
|
||||
[](https://opensource.org/licenses/MIT)
|
||||
[](https://ubuntu.com/)
|
||||
[](https://debian.org/)
|
||||
[](https://ubuntu.com/)
|
||||
[](https://debian.org/)
|
||||
[](https://www.ansible.com/)
|
||||
[](https://wordpress.org/)
|
||||
|
||||
@@ -19,8 +19,8 @@
|
||||
✅ **Teljes LEMP Stack telepítés**
|
||||
- Nginx webszerver termelésre kész optimalizálással
|
||||
- MySQL 8.0+ biztonságos beállítással és teljesítmény-hangolással
|
||||
- PHP 8.3+ FPM-mel, OPcache-sel és WordPress bővítményekkel
|
||||
- Ubuntu/Debian család támogatás (20.04, 22.04, 24.04, Debian 11, 12)
|
||||
- PHP 8.4+ FPM-mel, OPcache-sel és WordPress bővítményekkel
|
||||
- Ubuntu/Debian család támogatás (22.04, 24.04, 25.04, Debian 12, 13, 14)
|
||||
|
||||
### 🛡️ WordPress és Biztonság
|
||||
✅ **WordPress automatizálás és biztonság**
|
||||
@@ -49,7 +49,7 @@
|
||||
### Előfeltételek
|
||||
|
||||
- **Ansible** 6.0+ a helyi gépén
|
||||
- **Ubuntu/Debian szerver** (20.04+, Debian 11+)
|
||||
- **Ubuntu/Debian szerver** (22.04+, Debian 12+)
|
||||
- **SSH hozzáférés** a célszerverekhez
|
||||
- **sudo jogosultságok** a célszervereken
|
||||
|
||||
@@ -213,7 +213,7 @@ nginx_optimization_enabled: true
|
||||
|
||||
### Szerver követelmények
|
||||
|
||||
- **OS**: Ubuntu 20.04+ vagy Debian 11+
|
||||
- **OS**: Ubuntu 22.04+ vagy Debian 12+
|
||||
- **RAM**: Minimum 1GB (2GB+ ajánlott Ultimate módhoz)
|
||||
- **Tárhely**: Minimum 10GB szabad hely
|
||||
- **Hálózat**: SSH hozzáférés + web portok (80/443)
|
||||
@@ -296,11 +296,12 @@ ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.y
|
||||
|
||||
| OS | Verzió | Státusz | Megjegyzések |
|
||||
|---|---|---|---|
|
||||
| Ubuntu | 25.04 | ✅ Támogatott | Interim Release |
|
||||
| Ubuntu | 24.04 LTS | ✅ Teljesen tesztelt | Ajánlott |
|
||||
| Ubuntu | 22.04 LTS | ✅ Teljesen tesztelt | Ajánlott |
|
||||
| Ubuntu | 20.04 LTS | ✅ Támogatott | Tesztelt |
|
||||
| Debian | 14 | 🔶 Tesztelés | Forky (közelgő) |
|
||||
| Debian | 13 | ✅ Támogatott | Aktuális stabil |
|
||||
| Debian | 12 | ✅ Támogatott | Kompatibilis |
|
||||
| Debian | 11 | ✅ Támogatott | Kompatibilis |
|
||||
|
||||
## 📚 Dokumentáció
|
||||
|
||||
|
||||
117
docs/autoupdate.md
Normal file
117
docs/autoupdate.md
Normal file
@@ -0,0 +1,117 @@
|
||||
# WordPress Auto-Update Guide
|
||||
|
||||
## Overview
|
||||
|
||||
This project includes automated WordPress update functionality via WP-CLI.
|
||||
|
||||
## Features
|
||||
|
||||
- Automated weekly core updates (Minor)
|
||||
- Plugin and theme updates
|
||||
- Automatic backup before updates
|
||||
- Maintenance mode handling
|
||||
- Logging to `/var/log/wp-update.log`
|
||||
|
||||
## Configuration
|
||||
|
||||
### Default Behavior
|
||||
|
||||
| Setting | Value | Description |
|
||||
|---------|-------|-------------|
|
||||
| Core Updates | Minor only | 6.x → 6.x.y |
|
||||
| Schedule | Weekly (Sunday 4:00 AM) | Configurable |
|
||||
| Backup | Enabled | Auto backup before update |
|
||||
|
||||
### Change Update Schedule
|
||||
|
||||
Edit the cron job on your server:
|
||||
|
||||
```bash
|
||||
# Edit cron job
|
||||
crontab -e
|
||||
|
||||
# Change from weekly to daily (2 AM)
|
||||
0 2 * * * /usr/local/bin/wp-update.sh --minor --no-backup >> /var/log/wp-update.log 2>&1
|
||||
```
|
||||
|
||||
### Enable Major Updates
|
||||
|
||||
In your inventory file, add:
|
||||
|
||||
```yaml
|
||||
update_cron_enabled: true
|
||||
# Note: Major updates are manual only for safety
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
### Manual Update
|
||||
|
||||
```bash
|
||||
# Minor update (default)
|
||||
sudo /usr/local/bin/wp-update.sh
|
||||
|
||||
# Major update
|
||||
sudo /usr/local/bin/wp-update.sh --major
|
||||
|
||||
# Force update (specific version)
|
||||
sudo /usr/local/bin/wp-update.sh --force
|
||||
|
||||
# Skip backup
|
||||
sudo /usr/local/bin/wp-update.sh --no-backup
|
||||
```
|
||||
|
||||
### View Current Version
|
||||
|
||||
```bash
|
||||
wp core version
|
||||
```
|
||||
|
||||
### Check for Updates
|
||||
|
||||
```bash
|
||||
wp core check-update
|
||||
```
|
||||
|
||||
### Disable Auto-Updates
|
||||
|
||||
```bash
|
||||
# Remove cron job
|
||||
sudo crontab -e
|
||||
# Delete the line: wordpress-weekly-update
|
||||
|
||||
# Or disable via Ansible
|
||||
update_cron_enabled: false
|
||||
```
|
||||
|
||||
## Log Files
|
||||
|
||||
- Update log: `/var/log/wp-update.log`
|
||||
- Backups: `/var/backups/wordpress/`
|
||||
- Database: `/var/backups/wordpress/YYYYMMDD-HHMMSS/wp-db.sql`
|
||||
- Files: `/var/backups/wordpress/YYYYMMDD-HHMMSS/wp-files.tar.gz`
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### Update Failed
|
||||
|
||||
```bash
|
||||
# Check logs
|
||||
tail -f /var/log/wp-update.log
|
||||
|
||||
# Manual recovery
|
||||
wp maintenance-mode deactivate
|
||||
```
|
||||
|
||||
### Rollback
|
||||
|
||||
```bash
|
||||
# Restore database
|
||||
mysql -u wordpress_user -p wordpress_db < /var/backups/wordpress/20240101-120000/wp-db.sql
|
||||
```
|
||||
|
||||
## Security Notes
|
||||
|
||||
- Auto-updates are set to Minor only (recommended)
|
||||
- Major updates should be tested on staging first
|
||||
- Always backup before updating
|
||||
155
docs/fail2ban.md
Normal file
155
docs/fail2ban.md
Normal file
@@ -0,0 +1,155 @@
|
||||
# Fail2Ban Security Guide
|
||||
|
||||
## Overview
|
||||
|
||||
Fail2Ban is included in this project to protect your server against brute-force attacks. It monitors log files and bans IPs that show malicious behavior.
|
||||
|
||||
## Enabled Jails
|
||||
|
||||
| Jail | Description | Default Actions |
|
||||
|------|-------------|-----------------|
|
||||
| sshd | SSH brute force | Ban for 24h after 3 failures |
|
||||
| nginx-http-auth | HTTP Auth failures | Ban for 1h after 5 failures |
|
||||
| nginx-botsearch | Bot scanners | Ban for 2h after 2 failures |
|
||||
| wordpress-login | WordPress login attempts | Ban for 2h after 5 failures |
|
||||
| recidive | Repeat offenders | Ban for 1 week after 3 bans |
|
||||
|
||||
## Quick Commands
|
||||
|
||||
### Check Status
|
||||
|
||||
```bash
|
||||
# See all bans
|
||||
sudo fail2ban-client status
|
||||
|
||||
# See specific jail
|
||||
sudo fail2ban-client status sshd
|
||||
sudo fail2ban-client status wordpress-login
|
||||
```
|
||||
|
||||
### Unban IP
|
||||
|
||||
```bash
|
||||
# Unban specific IP
|
||||
sudo fail2ban-client set sshd unbanip 192.168.1.100
|
||||
sudo fail2ban-client unban 192.168.1.100
|
||||
|
||||
# Unban all
|
||||
sudo fail2ban-client unban --all
|
||||
```
|
||||
|
||||
### Manage Jails
|
||||
|
||||
```bash
|
||||
# Disable a jail
|
||||
sudo fail2ban-client set wordpress-login disabled
|
||||
|
||||
# Enable a jail
|
||||
sudo fail2ban-client set wordpress-login enabled
|
||||
```
|
||||
|
||||
## Log Files
|
||||
|
||||
- Fail2Ban log: `/var/log/fail2ban.log`
|
||||
- Banned IPs database: `/var/lib/fail2ban/fail2ban.sqlite3`
|
||||
|
||||
## Configuration
|
||||
|
||||
### Default Settings
|
||||
|
||||
| Setting | Value | Description |
|
||||
|--------|-------|-------------|
|
||||
| bantime | 3600s (1h) | Default ban duration |
|
||||
| findtime | 600s (10m) | Window to count failures |
|
||||
| maxretry | 5 | Failures before ban |
|
||||
| bantime.increment | true | Increase for repeat offenders |
|
||||
|
||||
### Add Trusted IP
|
||||
|
||||
Edit `/etc/fail2ban/jail.local`:
|
||||
|
||||
```ini
|
||||
[DEFAULT]
|
||||
ignoreip = 127.0.0.1/8 ::1 203.0.113.42
|
||||
```
|
||||
|
||||
## Testing
|
||||
|
||||
### Test SSH Filter
|
||||
|
||||
```bash
|
||||
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
|
||||
```
|
||||
|
||||
### Test WordPress Filter
|
||||
|
||||
```bash
|
||||
sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-login.conf
|
||||
```
|
||||
|
||||
## Whitelist Your IP (Important!)
|
||||
|
||||
Before testing, add your IP to the whitelist:
|
||||
|
||||
```bash
|
||||
# Edit jail.local
|
||||
sudo nano /etc/fail2ban/jail.local
|
||||
|
||||
# Add to [DEFAULT]:
|
||||
ignoreip = 127.0.0.1/8 ::1 YOUR_IP_ADDRESS
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### No Bans Happen
|
||||
|
||||
1. Check log path: `sudo fail2ban-client get wordpress-login logpath`
|
||||
2. Test filter: `sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-login.conf`
|
||||
3. Verify log exists: `sudo tail /var/log/nginx/access.log`
|
||||
|
||||
### Locked Out
|
||||
|
||||
```bash
|
||||
# Unban yourself
|
||||
sudo fail2ban-client unban YOUR_IP
|
||||
```
|
||||
|
||||
### Service Not Starting
|
||||
|
||||
```bash
|
||||
# Check status
|
||||
sudo systemctl status fail2ban
|
||||
|
||||
# Check logs
|
||||
sudo journalctl -u fail2ban -n 50
|
||||
```
|
||||
|
||||
## Customize Ban Time
|
||||
|
||||
For specific services, edit `/etc/fail2ban/jail.local`:
|
||||
|
||||
```ini
|
||||
[sshd]
|
||||
bantime = 86400 # 24 hours for SSH
|
||||
|
||||
[wordpress-login]
|
||||
bantime = 7200 # 2 hours for WordPress
|
||||
maxretry = 3 # Stricter for WordPress
|
||||
```
|
||||
|
||||
## Disable Fail2Ban
|
||||
|
||||
```bash
|
||||
# Stop service
|
||||
sudo systemctl stop fail2ban
|
||||
|
||||
# Disable on boot
|
||||
sudo systemctl disable fail2ban
|
||||
```
|
||||
|
||||
## Security Notes
|
||||
|
||||
- Always whitelist your own IP before deploying
|
||||
- SSH jail has strict settings (3 retries) - ensure you use SSH keys
|
||||
- Incremental bans enabled - repeat offenders get longer bans
|
||||
- Recidive jail bans for 1 week after 3 bans in 24h
|
||||
0
docs/multi-environment-deployment.md
Normal file → Executable file
0
docs/multi-environment-deployment.md
Normal file → Executable file
9
docs/production-deployment.md
Normal file → Executable file
9
docs/production-deployment.md
Normal file → Executable file
@@ -188,7 +188,7 @@ sudo ufw enable
|
||||
### 1. Log Files
|
||||
Monitor these log files:
|
||||
- Nginx: `/var/log/nginx/access.log` and `/var/log/nginx/error.log`
|
||||
- PHP-FPM: `/var/log/php8.3-fpm.log`
|
||||
- PHP-FPM: `/var/log/php8.4-fpm.log`
|
||||
- MySQL: `/var/log/mysql/error.log`
|
||||
- WordPress: `/var/www/html/wp-content/debug.log` (if WP_DEBUG enabled)
|
||||
|
||||
@@ -233,12 +233,9 @@ ssh -v deployer@your-server.com
|
||||
# Check service status
|
||||
sudo systemctl status nginx
|
||||
sudo systemctl status mysql
|
||||
sudo systemctl status php8.3-fpm
|
||||
sudo systemctl status php{{ php_version | default('8.4') }}-fpm
|
||||
|
||||
# View logs
|
||||
sudo journalctl -u nginx
|
||||
sudo journalctl -u mysql
|
||||
sudo journalctl -u php8.3-fpm
|
||||
sudo journalctl -u php{{ php_version | default('8.4') }}-fpm
|
||||
```
|
||||
|
||||
### WordPress Issues
|
||||
|
||||
0
docs/ssl-setup.md
Normal file → Executable file
0
docs/ssl-setup.md
Normal file → Executable file
32
docs/troubleshooting.md
Normal file → Executable file
32
docs/troubleshooting.md
Normal file → Executable file
@@ -200,7 +200,7 @@ grep opcache /etc/php/*/fpm/php.ini
|
||||
# Restart all LEMP services
|
||||
sudo systemctl restart nginx
|
||||
sudo systemctl restart mysql
|
||||
sudo systemctl restart php8.3-fpm
|
||||
sudo systemctl restart php{{ php_version | default('8.4') }}-fpm
|
||||
|
||||
# For Ultimate mode, also restart Redis
|
||||
sudo systemctl restart redis-server
|
||||
@@ -209,25 +209,25 @@ sudo systemctl restart redis-server
|
||||
### Check Service Status
|
||||
```bash
|
||||
# Check all service statuses
|
||||
sudo systemctl status nginx mysql php8.3-fpm
|
||||
sudo systemctl status nginx mysql php{{ php_version | default('8.4') }}-fpm
|
||||
|
||||
# For Ultimate mode
|
||||
sudo systemctl status redis-server
|
||||
```
|
||||
sudo systemctl status php8.3-fpm
|
||||
|
||||
sudo systemctl status php{{ php_version | default('8.4') }}-fpm
|
||||
|
||||
# Check socket file
|
||||
ls -la /run/php/php8.3-fpm.sock
|
||||
ls -la /run/php/php{{ php_version | default('8.4') }}-fpm.sock
|
||||
|
||||
# Check PHP-FPM configuration
|
||||
sudo nginx -t
|
||||
sudo php-fpm8.3 -t
|
||||
sudo php-fpm{{ php_version | default('8.4') }} -t
|
||||
```
|
||||
|
||||
**PHP Errors in WordPress:**
|
||||
```bash
|
||||
# Enable PHP error logging
|
||||
sudo tail -f /var/log/php8.3-fpm.log
|
||||
sudo tail -f /var/log/php{{ php_version | default('8.4') }}-fpm.log
|
||||
|
||||
# Check WordPress debug
|
||||
# Add to wp-config.php:
|
||||
@@ -245,14 +245,14 @@ tail -f /var/www/html/wp-content/debug.log
|
||||
**White Screen of Death:**
|
||||
```bash
|
||||
# Check PHP errors
|
||||
sudo tail -f /var/log/php8.3-fpm.log
|
||||
sudo tail -f /var/log/php{{ php_version | default('8.4') }}-fpm.log
|
||||
sudo tail -f /var/log/nginx/error.log
|
||||
|
||||
# Increase PHP memory limit
|
||||
sudo nano /etc/php/8.3/fpm/php.ini
|
||||
sudo nano /etc/php/{{ php_version | default('8.4') }}/fpm/php.ini
|
||||
# memory_limit = 256M
|
||||
|
||||
sudo systemctl restart php8.3-fpm
|
||||
sudo systemctl restart php{{ php_version | default('8.4') }}-fpm
|
||||
```
|
||||
|
||||
**Database Connection Error:**
|
||||
@@ -278,7 +278,7 @@ sudo chmod 600 /var/www/html/wp-config.php
|
||||
**Slow Website Loading:**
|
||||
```bash
|
||||
# Enable PHP OPcache
|
||||
sudo nano /etc/php/8.3/fpm/php.ini
|
||||
sudo nano /etc/php/{{ php_version | default('8.4') }}/fpm/php.ini
|
||||
# opcache.enable=1
|
||||
# opcache.memory_consumption=128
|
||||
|
||||
@@ -344,7 +344,7 @@ Important log files for debugging:
|
||||
|
||||
- **Nginx Access:** `/var/log/nginx/access.log`
|
||||
- **Nginx Error:** `/var/log/nginx/error.log`
|
||||
- **PHP-FPM:** `/var/log/php8.3-fpm.log`
|
||||
- **PHP-FPM:** `/var/log/php8.4-fpm.log`
|
||||
- **MySQL:** `/var/log/mysql/error.log`
|
||||
- **WordPress:** `/var/www/html/wp-content/debug.log`
|
||||
- **System:** `journalctl -f`
|
||||
@@ -361,15 +361,15 @@ Important log files for debugging:
|
||||
|
||||
```bash
|
||||
# Restart all services
|
||||
sudo systemctl restart nginx php8.3-fpm mysql
|
||||
sudo systemctl restart nginx php{{ php_version | default('8.4') }}-fpm mysql
|
||||
|
||||
# Check all service status
|
||||
sudo systemctl status nginx php8.3-fpm mysql
|
||||
sudo systemctl status nginx php{{ php_version | default('8.4') }}-fpm mysql
|
||||
|
||||
# Test configurations
|
||||
sudo nginx -t
|
||||
sudo php-fpm8.3 -t
|
||||
sudo php-fpm{{ php_version | default('8.4') }} -t
|
||||
|
||||
# Monitor logs in real-time
|
||||
sudo tail -f /var/log/nginx/error.log /var/log/php8.3-fpm.log
|
||||
sudo tail -f /var/log/nginx/error.log /var/log/php{{ php_version | default('8.4') }}-fpm.log
|
||||
```
|
||||
|
||||
0
docs/vault.md
Normal file → Executable file
0
docs/vault.md
Normal file → Executable file
0
inventory/docker.yml
Normal file → Executable file
0
inventory/docker.yml
Normal file → Executable file
0
inventory/production.yml
Normal file → Executable file
0
inventory/production.yml
Normal file → Executable file
0
inventory/production.yml.example
Normal file → Executable file
0
inventory/production.yml.example
Normal file → Executable file
102
playbooks/lemp-wordpress-ultimate.yml
Normal file → Executable file
102
playbooks/lemp-wordpress-ultimate.yml
Normal file → Executable file
@@ -20,15 +20,15 @@
|
||||
- name: Debug OS information
|
||||
debug:
|
||||
msg: |
|
||||
OS Family: {{ ansible_os_family }}
|
||||
Distribution: {{ ansible_distribution }}
|
||||
Version: {{ ansible_distribution_version }}
|
||||
OS Family: {{ ansible_facts["os_family"] }}
|
||||
Distribution: {{ ansible_facts["distribution"] }}
|
||||
Version: {{ ansible_facts["distribution_version"] }}
|
||||
Supported: Ubuntu/Debian family systems
|
||||
|
||||
- name: Verify supported OS
|
||||
fail:
|
||||
msg: "This playbook only supports Ubuntu/Debian systems. Detected: {{ ansible_os_family }}"
|
||||
when: ansible_os_family != "Debian"
|
||||
msg: "This playbook only supports Ubuntu/Debian systems. Detected {{ ansible_facts['os_family'] }}"
|
||||
when: ansible_facts["os_family"] != "Debian"
|
||||
|
||||
# Environment Detection and Configuration
|
||||
- name: Detect if running in Docker
|
||||
@@ -54,7 +54,7 @@
|
||||
vars:
|
||||
_auto_wp_url: >-
|
||||
{{ 'http://localhost:8080' if (deployment_environment == 'docker')
|
||||
else 'http://' + (ansible_default_ipv4.address | default('localhost')) }}
|
||||
else 'http://' + (ansible_facts["default_ipv4"]["address"] | default('localhost')) }}
|
||||
tags: always
|
||||
|
||||
- name: Debug deployment configuration
|
||||
@@ -66,9 +66,12 @@
|
||||
tags: always
|
||||
|
||||
vars:
|
||||
# Default PHP version (will be overridden by detection)
|
||||
php_version: "8.4"
|
||||
|
||||
# WordPress Configuration
|
||||
wordpress_path: "{{ web_root }}"
|
||||
wordpress_url: "http://{{ ansible_default_ipv4.address | default('localhost') }}"
|
||||
wordpress_url: "http://{{ ansible_facts['default_ipv4']['address'] | default('localhost') }}"
|
||||
|
||||
# Database Configuration (use inventory variables or these defaults)
|
||||
default_mysql_root_password: "{{ mysql_root_password | default('secure_root_password_123') }}"
|
||||
@@ -81,6 +84,30 @@
|
||||
# wp_admin_user, wp_admin_password, wp_admin_email, wp_site_title
|
||||
|
||||
tasks:
|
||||
# IMPORTANT: Pre-flight checks - create basic directory structure FIRST
|
||||
- name: Ensure /var/www exists
|
||||
file:
|
||||
path: /var/www
|
||||
state: directory
|
||||
mode: '0755'
|
||||
tags: [preflight]
|
||||
|
||||
- name: Create web root directory
|
||||
file:
|
||||
path: /var/www/html
|
||||
state: directory
|
||||
owner: www-data
|
||||
group: www-data
|
||||
mode: '0755'
|
||||
tags: [preflight]
|
||||
|
||||
- name: Create PHP-FPM log directory
|
||||
file:
|
||||
path: "/var/log/php{{ php_version }}-fpm"
|
||||
state: directory
|
||||
mode: '0755'
|
||||
tags: [preflight]
|
||||
|
||||
# Package Installation
|
||||
- name: Update package cache
|
||||
apt:
|
||||
@@ -88,10 +115,65 @@
|
||||
cache_valid_time: 3600
|
||||
tags: packages
|
||||
|
||||
- name: Install all required packages
|
||||
package:
|
||||
name: "{{ packages }}"
|
||||
- name: Install essential packages
|
||||
apt:
|
||||
name:
|
||||
- gnupg
|
||||
- nginx
|
||||
state: present
|
||||
tags: [packages, nginx]
|
||||
|
||||
- name: Detect available PHP version and set fallback
|
||||
shell: |
|
||||
if apt-cache show php8.4-fpm >/dev/null 2>&1; then
|
||||
echo "8.4"
|
||||
elif apt-cache show php8.3-fpm >/dev/null 2>&1; then
|
||||
echo "8.3"
|
||||
else
|
||||
echo "none"
|
||||
fi
|
||||
register: php_version_detect
|
||||
changed_when: false
|
||||
tags: packages
|
||||
|
||||
- name: Set PHP version fact
|
||||
set_fact:
|
||||
php_version: "{{ php_version_detect.stdout }}"
|
||||
tags: packages
|
||||
|
||||
- name: Install PHP with fallback (try 8.4, fallback to 8.3)
|
||||
apt:
|
||||
name:
|
||||
- "php{{ php_version }}-fpm"
|
||||
- "php{{ php_version }}-mysql"
|
||||
- "php{{ php_version }}-curl"
|
||||
- "php{{ php_version }}-gd"
|
||||
- "php{{ php_version }}-intl"
|
||||
- "php{{ php_version }}-mbstring"
|
||||
- "php{{ php_version }}-soap"
|
||||
- "php{{ php_version }}-xml"
|
||||
- "php{{ php_version }}-xmlrpc"
|
||||
- "php{{ php_version }}-zip"
|
||||
- "php{{ php_version }}-opcache"
|
||||
- "php{{ php_version }}-redis"
|
||||
state: present
|
||||
register: php_install_result
|
||||
tags: packages
|
||||
|
||||
- name: Install remaining packages
|
||||
package:
|
||||
name: "{{ packages | reject('search', '^php') | list }}"
|
||||
state: present
|
||||
tags: packages
|
||||
|
||||
- name: Display PHP version installed
|
||||
debug:
|
||||
msg: "Using PHP version {{ php_version }}"
|
||||
tags: packages
|
||||
|
||||
- name: Set PHP FPM service name dynamically
|
||||
set_fact:
|
||||
php_fpm_service: "php{{ php_version }}-fpm"
|
||||
tags: packages
|
||||
|
||||
# Service Management
|
||||
|
||||
175
playbooks/lemp-wordpress.yml
Normal file → Executable file
175
playbooks/lemp-wordpress.yml
Normal file → Executable file
@@ -1,6 +1,6 @@
|
||||
---
|
||||
# Ubuntu/Debian LEMP WordPress installation
|
||||
- name: Install LEMP stack with WordPress (Ubuntu/Debian)
|
||||
- name: "Install LEMP stack with WordPress (Ubuntu/Debian)"
|
||||
hosts: all
|
||||
become: yes
|
||||
|
||||
@@ -20,15 +20,15 @@
|
||||
- name: Debug OS information
|
||||
debug:
|
||||
msg: |
|
||||
OS Family: {{ ansible_os_family }}
|
||||
Distribution: {{ ansible_distribution }}
|
||||
Version: {{ ansible_distribution_version }}
|
||||
OS Family: {{ ansible_facts["os_family"] }}
|
||||
Distribution: {{ ansible_facts["distribution"] }}
|
||||
Version: {{ ansible_facts["distribution_version"] }}
|
||||
Supported: Ubuntu/Debian family systems
|
||||
|
||||
- name: Verify supported OS
|
||||
fail:
|
||||
msg: "This playbook only supports Ubuntu/Debian systems. Detected: {{ ansible_os_family }}"
|
||||
when: ansible_os_family != "Debian"
|
||||
msg: "This playbook only supports Ubuntu/Debian systems. Detected {{ ansible_facts['os_family'] }}"
|
||||
when: ansible_facts["os_family"] != "Debian"
|
||||
|
||||
# Environment Detection and Configuration
|
||||
- name: Detect if running in Docker
|
||||
@@ -54,7 +54,7 @@
|
||||
vars:
|
||||
_auto_wp_url: >-
|
||||
{{ 'http://localhost:8080' if (deployment_environment == 'docker')
|
||||
else 'http://' + (ansible_default_ipv4.address | default('localhost')) }}
|
||||
else 'http://' + (ansible_facts["default_ipv4"]["address"] | default('localhost')) }}
|
||||
tags: always
|
||||
|
||||
- name: Debug deployment configuration
|
||||
@@ -66,9 +66,12 @@
|
||||
tags: always
|
||||
|
||||
vars:
|
||||
# Default PHP version (will be overridden by detection)
|
||||
php_version: "8.4"
|
||||
|
||||
# WordPress Configuration
|
||||
wordpress_path: "{{ web_root }}"
|
||||
wordpress_url: "http://{{ ansible_default_ipv4.address | default('localhost') }}"
|
||||
wordpress_url: "http://{{ ansible_facts['default_ipv4']['address'] | default('localhost') }}"
|
||||
|
||||
# Database Configuration (use inventory variables or these defaults)
|
||||
default_mysql_root_password: "{{ mysql_root_password | default('secure_root_password_123') }}"
|
||||
@@ -80,7 +83,34 @@
|
||||
# These variables come from inventory/production.yml
|
||||
# wp_admin_user, wp_admin_password, wp_admin_email, wp_site_title
|
||||
|
||||
# Auto-Update Configuration
|
||||
update_cron_enabled: true
|
||||
|
||||
tasks:
|
||||
# IMPORTANT: Pre-flight checks - create basic directory structure FIRST
|
||||
- name: Ensure /var/www exists
|
||||
file:
|
||||
path: /var/www
|
||||
state: directory
|
||||
mode: '0755'
|
||||
tags: [preflight]
|
||||
|
||||
- name: Create web root directory
|
||||
file:
|
||||
path: /var/www/html
|
||||
state: directory
|
||||
owner: www-data
|
||||
group: www-data
|
||||
mode: '0755'
|
||||
tags: [preflight]
|
||||
|
||||
- name: Create PHP-FPM log directory
|
||||
file:
|
||||
path: "/var/log/php{{ php_version }}-fpm"
|
||||
state: directory
|
||||
mode: '0755'
|
||||
tags: [preflight]
|
||||
|
||||
# Package Installation
|
||||
- name: Update package cache
|
||||
apt:
|
||||
@@ -88,10 +118,63 @@
|
||||
cache_valid_time: 3600
|
||||
tags: packages
|
||||
|
||||
- name: Install all required packages
|
||||
package:
|
||||
name: "{{ packages }}"
|
||||
- name: Install essential packages
|
||||
apt:
|
||||
name:
|
||||
- gnupg
|
||||
- nginx
|
||||
state: present
|
||||
tags: [packages, nginx]
|
||||
|
||||
- name: Detect available PHP version and set fallback
|
||||
shell: |
|
||||
if apt-cache show php8.4-fpm >/dev/null 2>&1; then
|
||||
echo "8.4"
|
||||
elif apt-cache show php8.3-fpm >/dev/null 2>&1; then
|
||||
echo "8.3"
|
||||
else
|
||||
echo "none"
|
||||
fi
|
||||
register: php_version_detect
|
||||
changed_when: false
|
||||
tags: packages
|
||||
|
||||
- name: Set PHP version fact
|
||||
set_fact:
|
||||
php_version: "{{ php_version_detect.stdout }}"
|
||||
tags: packages
|
||||
|
||||
- name: Install PHP with fallback (try 8.4, fallback to 8.3)
|
||||
apt:
|
||||
name:
|
||||
- "php{{ php_version }}-fpm"
|
||||
- "php{{ php_version }}-mysql"
|
||||
- "php{{ php_version }}-curl"
|
||||
- "php{{ php_version }}-gd"
|
||||
- "php{{ php_version }}-intl"
|
||||
- "php{{ php_version }}-mbstring"
|
||||
- "php{{ php_version }}-soap"
|
||||
- "php{{ php_version }}-xml"
|
||||
- "php{{ php_version }}-xmlrpc"
|
||||
- "php{{ php_version }}-zip"
|
||||
state: present
|
||||
register: php_install_result
|
||||
tags: packages
|
||||
|
||||
- name: Install remaining packages
|
||||
package:
|
||||
name: "{{ packages | reject('search', '^php') | list }}"
|
||||
state: present
|
||||
tags: packages
|
||||
|
||||
- name: Display PHP version installed
|
||||
debug:
|
||||
msg: "Using PHP version {{ php_version }}"
|
||||
tags: packages
|
||||
|
||||
- name: Set PHP FPM service name dynamically
|
||||
set_fact:
|
||||
php_fpm_service: "php{{ php_version }}-fpm"
|
||||
tags: packages
|
||||
|
||||
# Service Management
|
||||
@@ -342,6 +425,71 @@
|
||||
Admin Email: {{ wp_admin_email }}
|
||||
tags: wp-install
|
||||
|
||||
# WordPress Auto-Update Setup
|
||||
- name: Create update script directory
|
||||
file:
|
||||
path: /var/backups/wordpress
|
||||
state: directory
|
||||
mode: '0755'
|
||||
tags: update
|
||||
|
||||
- name: Deploy WordPress update script
|
||||
copy:
|
||||
src: ../scripts/wp-update.sh
|
||||
dest: /usr/local/bin/wp-update.sh
|
||||
mode: '0755'
|
||||
tags: update
|
||||
|
||||
- name: Configure WordPress auto-update settings
|
||||
command: >
|
||||
wp option update auto_update_core_minor enabled
|
||||
--path="{{ wordpress_path }}"
|
||||
--allow-root
|
||||
tags: update
|
||||
|
||||
- name: Set up cron job for WordPress updates
|
||||
cron:
|
||||
name: wordpress-weekly-update
|
||||
job: "/usr/local/bin/wp-update.sh --minor --no-backup >> /var/log/wp-update.log 2>&1"
|
||||
minute: "0"
|
||||
hour: "4"
|
||||
weekday: "0"
|
||||
user: "root"
|
||||
when: update_cron_enabled | default(true) | bool
|
||||
tags: update
|
||||
|
||||
# Fail2Ban Security
|
||||
- name: Deploy Fail2Ban configuration
|
||||
template:
|
||||
src: ../templates/fail2ban.j2
|
||||
dest: /etc/fail2ban/jail.local
|
||||
mode: '0644'
|
||||
notify: restart fail2ban
|
||||
tags: fail2ban
|
||||
|
||||
- name: Deploy WordPress Fail2Ban filter
|
||||
copy:
|
||||
src: ../templates/fail2ban-wordpress-filter.conf
|
||||
dest: /etc/fail2ban/filter.d/wordpress-login.conf
|
||||
mode: '0644'
|
||||
notify: restart fail2ban
|
||||
tags: fail2ban
|
||||
|
||||
- name: Ensure Fail2Ban service is running
|
||||
service:
|
||||
name: fail2ban
|
||||
state: started
|
||||
enabled: yes
|
||||
tags: fail2ban
|
||||
|
||||
- name: Display Fail2Ban status info
|
||||
debug:
|
||||
msg: |
|
||||
Fail2Ban security enabled!
|
||||
Jails: sshd, nginx-http-auth, nginx-botsearch, wordpress-login, recidive
|
||||
Use: fail2ban-client status to see banned IPs
|
||||
tags: fail2ban
|
||||
|
||||
handlers:
|
||||
- name: restart nginx
|
||||
service:
|
||||
@@ -353,6 +501,11 @@
|
||||
name: "{{ php_fpm_service }}"
|
||||
state: restarted
|
||||
|
||||
- name: restart fail2ban
|
||||
service:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
|
||||
- name: restart mysql
|
||||
service:
|
||||
name: "{{ mysql_service }}"
|
||||
|
||||
72
scripts/update-docs.py
Executable file
72
scripts/update-docs.py
Executable file
@@ -0,0 +1,72 @@
|
||||
#!/usr/bin/env python3
|
||||
"""
|
||||
Documentation Variable Processor
|
||||
Replaces {{ variable }} placeholders in documentation files with values from vars/debian-family.yml
|
||||
"""
|
||||
|
||||
import os
|
||||
import sys
|
||||
|
||||
SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
|
||||
ROOT_DIR = os.path.dirname(SCRIPT_DIR)
|
||||
VARS_FILE = os.path.join(ROOT_DIR, 'vars', 'debian-family.yml')
|
||||
DOCS_DIR = os.path.join(ROOT_DIR, 'docs')
|
||||
|
||||
def load_variables():
|
||||
"""Load variables from debian-family.yml"""
|
||||
with open(VARS_FILE, 'r') as f:
|
||||
content = f.read()
|
||||
|
||||
php_version = None
|
||||
for line in content.split('\n'):
|
||||
if 'php_version:' in line:
|
||||
php_version = line.split(':')[-1].strip().strip('"')
|
||||
break
|
||||
|
||||
return {
|
||||
'php_version': php_version or '8.4',
|
||||
}
|
||||
|
||||
def process_file(filepath, variables):
|
||||
"""Replace {{ variable }} patterns in a file"""
|
||||
with open(filepath, 'r') as f:
|
||||
content = f.read()
|
||||
|
||||
original = content
|
||||
|
||||
pattern = r'\{\{\s*php_version\s*\}\}'
|
||||
|
||||
content = content.replace('{{ php_version }}', variables['php_version'])
|
||||
|
||||
if content != original:
|
||||
with open(filepath, 'w') as f:
|
||||
f.write(content)
|
||||
return True
|
||||
return False
|
||||
|
||||
def main():
|
||||
variables = load_variables()
|
||||
|
||||
print(f"Using PHP version: {variables['php_version']}")
|
||||
|
||||
changed = 0
|
||||
for filename in os.listdir(DOCS_DIR):
|
||||
if filename.endswith('.md'):
|
||||
filepath = os.path.join(DOCS_DIR, filename)
|
||||
if process_file(filepath, variables):
|
||||
print(f" Updated: {filename}")
|
||||
changed += 1
|
||||
|
||||
for root, dirs, files in os.walk(ROOT_DIR):
|
||||
for f in files:
|
||||
if f == 'troubleshooting.md' or f == 'production-deployment.md':
|
||||
filepath = os.path.join(root, f)
|
||||
if process_file(filepath, variables):
|
||||
print(f" Updated: {f}")
|
||||
changed += 1
|
||||
|
||||
print(f"\nDone. {changed} file(s) updated.")
|
||||
return 0
|
||||
|
||||
if __name__ == '__main__':
|
||||
sys.exit(main())
|
||||
116
scripts/wp-update.sh
Executable file
116
scripts/wp-update.sh
Executable file
@@ -0,0 +1,116 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# WordPress Auto-Update Script
|
||||
# Usage: ./wp-update.sh [--minor|--major|--force] [--backup]
|
||||
#
|
||||
|
||||
set -e
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
WORDPRESS_PATH="${WORDPRESS_PATH:-/var/www/html}"
|
||||
BACKUP_PATH="${BACKUP_PATH:-/var/backups/wordpress}"
|
||||
LOG_FILE="${LOG_FILE:-/var/log/wp-update.log}"
|
||||
|
||||
MODE="minor"
|
||||
DO_BACKUP=true
|
||||
|
||||
log() {
|
||||
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
|
||||
}
|
||||
|
||||
error_exit() {
|
||||
log "ERROR: $1"
|
||||
wp maintenance-mode deactivate 2>/dev/null || true
|
||||
exit 1
|
||||
}
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case $1 in
|
||||
--minor)
|
||||
MODE="minor"
|
||||
shift
|
||||
;;
|
||||
--major)
|
||||
MODE="major"
|
||||
shift
|
||||
;;
|
||||
--force)
|
||||
MODE="force"
|
||||
shift
|
||||
;;
|
||||
--no-backup)
|
||||
DO_BACKUP=false
|
||||
shift
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 [--minor|--major|--force] [--no-backup]"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
log "========================================"
|
||||
log "WordPress Update Started (Mode: $MODE)"
|
||||
log "========================================"
|
||||
|
||||
cd "$WORDPRESS_PATH"
|
||||
|
||||
if [ ! -f "wp-config.php" ]; then
|
||||
error_exit "WordPress not found at $WORDPRESS_PATH"
|
||||
fi
|
||||
|
||||
if $DO_BACKUP; then
|
||||
log "Creating database backup..."
|
||||
|
||||
BACKUP_DIR="$BACKUP_PATH/$(date +%Y%m%d-%H%M%S)"
|
||||
mkdir -p "$BACKUP_DIR"
|
||||
|
||||
if wp db export "$BACKUP_DIR/wp-db.sql"; then
|
||||
log "Database backup saved to $BACKUP_DIR/wp-db.sql"
|
||||
else
|
||||
error_exit "Database backup failed"
|
||||
fi
|
||||
|
||||
log "Creating file backup..."
|
||||
tar -czf "$BACKUP_DIR/wp-files.tar.gz" -C "$(dirname "$WORDPRESS_PATH")" "$(basename "$WORDPRESS_PATH")" 2>/dev/null || true
|
||||
log "File backup saved to $BACKUP_DIR/wp-files.tar.gz"
|
||||
fi
|
||||
|
||||
log "Activating maintenance mode..."
|
||||
wp maintenance-mode activate || error_exit "Failed to activate maintenance mode"
|
||||
|
||||
log "Checking for WordPress updates..."
|
||||
if [ "$MODE" = "major" ]; then
|
||||
wp core update || log "No major update available or update failed"
|
||||
elif [ "$MODE" = "force" ]; then
|
||||
wp core update --force || log "Update failed"
|
||||
else
|
||||
wp core update --minor || log "No minor update available"
|
||||
fi
|
||||
|
||||
log "Running database updates..."
|
||||
wp core update-db || log "No database update needed"
|
||||
|
||||
log "Updating plugins..."
|
||||
wp plugin update --all || log "Plugin update completed with warnings"
|
||||
|
||||
log "Updating themes..."
|
||||
wp theme update --all || log "Theme update completed with warnings"
|
||||
|
||||
log "Verifying WordPress installation..."
|
||||
wp core verify-checksums || log "Checksum verification completed with warnings"
|
||||
|
||||
log "Deactivating maintenance mode..."
|
||||
wp maintenance-mode deactivate || true
|
||||
|
||||
log "========================================"
|
||||
log "WordPress Update Completed Successfully"
|
||||
log "========================================"
|
||||
|
||||
wp plugin list --status=active --format=table 2>/dev/null | tee -a "$LOG_FILE"
|
||||
|
||||
echo ""
|
||||
log "Updated WordPress version:"
|
||||
wp core version
|
||||
|
||||
exit 0
|
||||
13
templates/fail2ban-wordpress-filter.conf
Normal file
13
templates/fail2ban-wordpress-filter.conf
Normal file
@@ -0,0 +1,13 @@
|
||||
# Fail2Ban filter for WordPress login attempts
|
||||
# WordPress failed login attempts in Nginx access log
|
||||
|
||||
[Definition]
|
||||
|
||||
failregex = ^<HOST> - .* "(POST|GET) /wp-login\.php.*" (401|403|404|302)
|
||||
^<HOST> - .* "(POST|GET) /xmlrpc\.php.*" (401|403|404|405)
|
||||
^<HOST> - .* "POST /wp-admin/wp-login\.php.*" (401|403|404)
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# Author: Sebastian Palencsár
|
||||
# Notes: Matches wp-login.php, xmlrpc.php and wp-admin login attempts
|
||||
68
templates/fail2ban.j2
Normal file
68
templates/fail2ban.j2
Normal file
@@ -0,0 +1,68 @@
|
||||
# Fail2Ban configuration for WordPress LEMP stack
|
||||
# Copy this to /etc/fail2ban/jail.local on your server
|
||||
|
||||
[DEFAULT]
|
||||
# Global settings
|
||||
bantime = 3600
|
||||
findtime = 600
|
||||
maxretry = 5
|
||||
|
||||
# Your trusted IPs (never ban these)
|
||||
ignoreip = 127.0.0.1/8 ::1
|
||||
|
||||
# Enable persistent database
|
||||
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
|
||||
dbpurgeage = 86400
|
||||
|
||||
# Incremental bans for repeat offenders
|
||||
bantime.increment = true
|
||||
bantime.multiplier = 2
|
||||
bantime.maxtime = 86400
|
||||
|
||||
[sshd]
|
||||
# SSH brute force protection
|
||||
enabled = true
|
||||
port = ssh
|
||||
filter = sshd
|
||||
maxretry = 3
|
||||
bantime = 86400
|
||||
findtime = 300
|
||||
|
||||
[nginx-http-auth]
|
||||
# Nginx HTTP Basic Auth failures
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = nginx-http-auth
|
||||
logpath = /var/log/nginx/error.log
|
||||
maxretry = 5
|
||||
bantime = 3600
|
||||
findtime = 600
|
||||
|
||||
[nginx-botsearch]
|
||||
# Bot scanners searching for vulnerable scripts
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = nginx-botsearch
|
||||
logpath = /var/log/nginx/access.log
|
||||
maxretry = 2
|
||||
bantime = 7200
|
||||
findtime = 300
|
||||
|
||||
[wordpress-login]
|
||||
# WordPress wp-login.php protection
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = wordpress-login
|
||||
logpath = /var/log/nginx/access.log
|
||||
maxretry = 5
|
||||
bantime = 7200
|
||||
findtime = 600
|
||||
|
||||
[recidive]
|
||||
# Ban repeat offenders for a week
|
||||
enabled = true
|
||||
filter = recidive
|
||||
logpath = /var/log/fail2ban.log
|
||||
maxretry = 3
|
||||
bantime = 604800
|
||||
findtime = 86400
|
||||
0
templates/my.cnf.j2
Normal file → Executable file
0
templates/my.cnf.j2
Normal file → Executable file
11
templates/wordpress-ssl.nginx.j2
Normal file → Executable file
11
templates/wordpress-ssl.nginx.j2
Normal file → Executable file
@@ -17,15 +17,16 @@ server {
|
||||
ssl_certificate {{ ssl_cert_path | default('/etc/ssl/certs/nginx-selfsigned.crt') }};
|
||||
ssl_certificate_key {{ ssl_cert_key_path | default('/etc/ssl/private/nginx-selfsigned.key') }};
|
||||
|
||||
# Modern SSL configuration
|
||||
# Modern SSL configuration (2026 best practices)
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
# HSTS (HTTP Strict Transport Security)
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# HSTS (HTTP Strict Transport Security) - 2 years for preload
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
||||
|
||||
# Security headers
|
||||
add_header X-Frame-Options DENY always;
|
||||
|
||||
2
templates/wordpress.nginx.j2
Normal file → Executable file
2
templates/wordpress.nginx.j2
Normal file → Executable file
@@ -26,7 +26,7 @@ server {
|
||||
# PHP-Dateien verarbeiten
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
|
||||
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
include fastcgi_params;
|
||||
}
|
||||
|
||||
20
templates/wp-config.php.j2
Normal file → Executable file
20
templates/wp-config.php.j2
Normal file → Executable file
@@ -49,14 +49,14 @@ define( 'WP_CACHE_KEY_SALT', '{{ domain_name | default('localhost') }}' );
|
||||
{% endif %}
|
||||
|
||||
// ** Authentifizierungs-Schlüssel und Salts ** //
|
||||
define( 'AUTH_KEY', '{{ ansible_date_time.epoch }}put your unique phrase here{{ ansible_hostname }}' );
|
||||
define( 'SECURE_AUTH_KEY', '{{ ansible_date_time.epoch }}put your unique phrase here{{ ansible_hostname }}2' );
|
||||
define( 'LOGGED_IN_KEY', '{{ ansible_date_time.epoch }}put your unique phrase here{{ ansible_hostname }}3' );
|
||||
define( 'NONCE_KEY', '{{ ansible_date_time.epoch }}put your unique phrase here{{ ansible_hostname }}4' );
|
||||
define( 'AUTH_SALT', '{{ ansible_date_time.epoch }}put your unique phrase here{{ ansible_hostname }}5' );
|
||||
define( 'SECURE_AUTH_SALT', '{{ ansible_date_time.epoch }}put your unique phrase here{{ ansible_hostname }}6' );
|
||||
define( 'LOGGED_IN_SALT', '{{ ansible_date_time.epoch }}put your unique phrase here{{ ansible_hostname }}7' );
|
||||
define( 'NONCE_SALT', '{{ ansible_date_time.epoch }}put your unique phrase here{{ ansible_hostname }}8' );
|
||||
define( 'AUTH_KEY', '{{ ansible_facts["date_time"]["epoch"] }}put your unique phrase here{{ ansible_facts["hostname"] }}' );
|
||||
define( 'SECURE_AUTH_KEY', '{{ ansible_facts["date_time"]["epoch"] }}put your unique phrase here{{ ansible_facts["hostname"] }}2' );
|
||||
define( 'LOGGED_IN_KEY', '{{ ansible_facts["date_time"]["epoch"] }}put your unique phrase here{{ ansible_facts["hostname"] }}3' );
|
||||
define( 'NONCE_KEY', '{{ ansible_facts["date_time"]["epoch"] }}put your unique phrase here{{ ansible_facts["hostname"] }}4' );
|
||||
define( 'AUTH_SALT', '{{ ansible_facts["date_time"]["epoch"] }}put your unique phrase here{{ ansible_facts["hostname"] }}5' );
|
||||
define( 'SECURE_AUTH_SALT', '{{ ansible_facts["date_time"]["epoch"] }}put your unique phrase here{{ ansible_facts["hostname"] }}6' );
|
||||
define( 'LOGGED_IN_SALT', '{{ ansible_facts["date_time"]["epoch"] }}put your unique phrase here{{ ansible_facts["hostname"] }}7' );
|
||||
define( 'NONCE_SALT', '{{ ansible_facts["date_time"]["epoch"] }}put your unique phrase here{{ ansible_facts["hostname"] }}8' );
|
||||
|
||||
// ** WordPress Tabellen-Präfix ** //
|
||||
$table_prefix = 'wp_';
|
||||
@@ -71,8 +71,8 @@ define( 'WP_DEBUG_DISPLAY', false );
|
||||
define( 'WP_HOME', 'https://{{ domain_name }}' );
|
||||
define( 'WP_SITEURL', 'https://{{ domain_name }}' );
|
||||
{% else %}
|
||||
define( 'WP_HOME', 'http://{{ domain_name }}{% if ansible_port is defined and ansible_port != 22 and ansible_port != 80 %}:{{ ansible_port }}{% endif %}' );
|
||||
define( 'WP_SITEURL', 'http://{{ domain_name }}{% if ansible_port is defined and ansible_port != 22 and ansible_port != 80 %}:{{ ansible_port }}{% endif %}' );
|
||||
define( 'WP_HOME', 'http://{{ domain_name }}{% if ansible_facts["port"] is defined and ansible_facts["port"] != 22 and ansible_facts["port"] != 80 %}:{{ ansible_facts["port"] }}{% endif %}' );
|
||||
define( 'WP_SITEURL', 'http://{{ domain_name }}{% if ansible_facts["port"] is defined and ansible_facts["port"] != 22 and ansible_facts["port"] != 80 %}:{{ ansible_facts["port"] }}{% endif %}' );
|
||||
{% endif %}
|
||||
|
||||
// ** Weitere Einstellungen ** //
|
||||
|
||||
0
templates/www.conf.j2
Normal file → Executable file
0
templates/www.conf.j2
Normal file → Executable file
33
vars/debian-family.yml
Normal file → Executable file
33
vars/debian-family.yml
Normal file → Executable file
@@ -1,35 +1,26 @@
|
||||
# Ubuntu/Debian family variables
|
||||
---
|
||||
# Package names for Ubuntu/Debian systems
|
||||
# Package names for Ubuntu/Debian systems (PHP version is detected and installed dynamically)
|
||||
packages:
|
||||
- nginx
|
||||
- mysql-server
|
||||
- php8.3-fpm
|
||||
- php8.3-mysql
|
||||
- php8.3-curl
|
||||
- php8.3-gd
|
||||
- php8.3-intl
|
||||
- php8.3-mbstring
|
||||
- php8.3-soap
|
||||
- php8.3-xml
|
||||
- php8.3-xmlrpc
|
||||
- php8.3-zip
|
||||
- mariadb-server
|
||||
- python3-pymysql
|
||||
- unzip
|
||||
- fail2ban
|
||||
- ufw
|
||||
|
||||
# Service names
|
||||
mysql_service: mysql
|
||||
mysql_service: mariadb
|
||||
nginx_service: nginx
|
||||
php_fpm_service: php8.3-fpm
|
||||
php_fpm_service: php{{ php_version }}-fpm
|
||||
|
||||
# Package manager
|
||||
package_manager: apt
|
||||
|
||||
# PHP paths
|
||||
php_fpm_config_path: /etc/php/8.3/fpm
|
||||
php_cli_config_path: /etc/php/8.3/cli
|
||||
php_fpm_pool_path: /etc/php/8.3/fpm/pool.d
|
||||
php_fpm_socket: /run/php/php8.3-fpm.sock
|
||||
# PHP paths (dynamic based on detected version)
|
||||
php_fpm_config_path: /etc/php/{{ php_version }}/fpm
|
||||
php_cli_config_path: /etc/php/{{ php_version }}/cli
|
||||
php_fpm_pool_path: /etc/php/{{ php_version }}/fpm/pool.d
|
||||
php_fpm_socket: /run/php/php{{ php_version }}-fpm.sock
|
||||
|
||||
# Nginx paths
|
||||
nginx_config_path: /etc/nginx
|
||||
@@ -46,7 +37,7 @@ mysql_log_error: /var/log/mysql/error.log
|
||||
nginx_user: www-data
|
||||
|
||||
# Default PHP version
|
||||
php_version: "8.3"
|
||||
php_version: "8.4"
|
||||
|
||||
# System paths
|
||||
web_root: /var/www/html
|
||||
|
||||
Reference in New Issue
Block a user