Files
Sebastian Palencsar dffd8e3b76 feat: v2.5.0 - Complete Technology & Security Update
Features:
- PHP 8.4 support (from 8.3)
- WordPress 7.0 (auto-update via WP-CLI)
- Modern TLS 1.3 cipher suites (2026 best practices)
- Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive)
- Auto-update cron job for WordPress (weekly Minor updates)
- Debian 14 Forky support (testing)
- Ubuntu 25.04 support
- Python 3.12 in GitHub Actions

Security:
- Fail2Ban with SSH brute force protection (24h ban)
- WordPress wp-login.php protection (2h ban)
- Nginx bot scanner protection
- Recidive jail for repeat offenders (1 week ban)
- Modern TLS ciphers (AEAD only)
- HSTS 2 years for preload

Documentation:
- docs/autoupdate.md - WordPress auto-update guide
- docs/fail2ban.md - Fail2Ban configuration guide
- docs/troubleshooting.md - Updated with php_version variable

Breaking changes:
- PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
2026-05-04 19:37:27 +02:00

273 lines
7.1 KiB
Markdown
Executable File

# Ansible Vault Security Guide
This guide explains how to use Ansible Vault to securely manage passwords and sensitive data in your WordPress deployment.
## What is Ansible Vault?
Ansible Vault is a feature that allows you to encrypt sensitive data like passwords, API keys, and certificates, so they can be safely stored in version control systems like Git.
## Why Use Ansible Vault?
**Without Vault (Insecure):**
```yaml
# production.yml - INSECURE!
mysql_root_password: "my-secret-password" # Visible to everyone
```
**With Vault (Secure):**
```yaml
# production.yml - SECURE!
mysql_root_password: "{{ vault_mysql_root_password }}" # References encrypted value
# group_vars/all/vault.yml - ENCRYPTED!
$ANSIBLE_VAULT;1.1;AES256
66633030613... # Encrypted content
```
## Quick Setup Guide
### 1. Create the Vault Structure
```bash
# Create directories
mkdir -p group_vars/all/
# Create encrypted vault file
ansible-vault create group_vars/all/vault.yml
```
You'll be prompted to enter a vault password. **Remember this password!**
### 2. Add Encrypted Passwords
In the vault editor, add your sensitive data:
```yaml
# Content of group_vars/all/vault.yml (will be encrypted)
vault_mysql_root_password: "your-super-secure-mysql-password"
vault_wordpress_db_password: "your-secure-wp-db-password"
vault_wp_admin_password: "your-secure-admin-password"
```
### 3. Update Your Inventory
Modify your `inventory/production.yml` to reference vault variables:
```yaml
wordpress_servers:
hosts:
your-server.example.com:
# ... other settings ...
# Database - Using vault variables
mysql_root_password: "{{ vault_mysql_root_password }}"
wordpress_db_password: "{{ vault_wordpress_db_password }}"
# WordPress Admin - Using vault variables
wp_admin_password: "{{ vault_wp_admin_password }}"
```
### 4. Deploy with Vault
```bash
# Deploy and provide vault password
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass
# Or store vault password in a file (keep secure!)
echo "your-vault-password" > .vault_password
chmod 600 .vault_password
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --vault-password-file .vault_password
```
## Vault File Management
### View Encrypted Content
```bash
ansible-vault view group_vars/all/vault.yml
```
### Edit Encrypted Content
```bash
ansible-vault edit group_vars/all/vault.yml
```
### Change Vault Password
```bash
ansible-vault rekey group_vars/all/vault.yml
```
### Encrypt Existing File
```bash
ansible-vault encrypt group_vars/all/vault.yml
```
### Decrypt File (Temporarily)
```bash
ansible-vault decrypt group_vars/all/vault.yml
# Edit the file
ansible-vault encrypt group_vars/all/vault.yml
```
## Complete Example
### Project Structure
```
ansible-lemp-wordpress/
├── inventory/
│ └── production.yml # References vault variables
├── group_vars/
│ └── all/
│ └── vault.yml # Encrypted passwords
├── playbooks/
│ └── lemp-wordpress.yml
└── .vault_password # Optional: vault password file
```
### Example Vault File
```yaml
# group_vars/all/vault.yml (encrypted)
vault_mysql_root_password: "MySecure123!@#Root"
vault_wordpress_db_password: "WordPressDB456$%^"
vault_wp_admin_password: "AdminPass789&*()"
vault_ssl_email: "admin@yourcompany.com"
```
### Example Inventory
```yaml
# inventory/production.yml
wordpress_servers:
hosts:
web1.yourcompany.com:
ansible_host: 192.168.1.100
ansible_user: ubuntu
domain_name: yoursite.com
# SSL Configuration
ssl_enabled: true
ssl_email: "{{ vault_ssl_email }}"
# Database (using vault)
mysql_root_password: "{{ vault_mysql_root_password }}"
wordpress_db_name: "wordpress"
wordpress_db_user: "wp_user"
wordpress_db_password: "{{ vault_wordpress_db_password }}"
# WordPress Admin (using vault)
wp_admin_user: "admin"
wp_admin_password: "{{ vault_wp_admin_password }}"
wp_admin_email: "{{ vault_ssl_email }}"
wp_site_title: "My Company Website"
```
## Security Best Practices
### 1. Vault Password Management
- **Never commit the vault password to Git**
- Use a strong, unique password for your vault
- Consider using a password manager
- For teams, use external secret management systems
### 2. File Permissions
```bash
# Secure vault password file
chmod 600 .vault_password
# Add to .gitignore
echo ".vault_password" >> .gitignore
```
### 3. Git Configuration
```bash
# Add vault file to Git (it's encrypted, so it's safe)
git add group_vars/all/vault.yml
# But never add the password file
echo ".vault_password" >> .gitignore
git add .gitignore
```
### 4. Team Collaboration
For teams, consider these approaches:
**Option 1: Shared Vault Password**
- Share vault password through secure channels (encrypted email, password manager)
- Each team member stores password locally
**Option 2: External Secret Management**
- Use HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault
- Ansible can integrate with these systems
## Deployment Commands
### Basic Deployment
```bash
# Standard deployment with vault
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass
```
### Ultimate Performance Deployment
```bash
# Ultimate deployment with vault
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.yml --ask-vault-pass
```
### Using Password File
```bash
# With password file (for automation)
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --vault-password-file .vault_password
```
## Troubleshooting
### "Decryption failed" Error
- Check that you're using the correct vault password
- Verify the vault file isn't corrupted: `ansible-vault view group_vars/all/vault.yml`
### "Variable not found" Error
- Ensure vault variables are properly referenced in inventory
- Check variable names match exactly (case sensitive)
- Verify vault file is in the correct location
### Permission Denied
- Check file permissions: `ls -la group_vars/all/vault.yml`
- Ensure Ansible can read the vault file
## Migration from Plain Text
If you have existing plain text passwords in your inventory:
1. **Create vault file:**
```bash
ansible-vault create group_vars/all/vault.yml
```
2. **Move passwords to vault:**
```yaml
# Add to vault.yml
vault_mysql_root_password: "your-existing-password"
```
3. **Update inventory:**
```yaml
# Change in production.yml
mysql_root_password: "{{ vault_mysql_root_password }}"
```
4. **Test deployment:**
```bash
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass --check
```
## Conclusion
Ansible Vault provides a secure way to manage sensitive data while keeping it version-controlled. While it adds complexity, it's essential for production deployments where security is paramount.
For simple testing or development, plain text passwords in inventory files may be acceptable, but always use Vault for production environments.
---
**Next Steps:**
- [Production Deployment Guide](production-deployment.md)
- [SSL Setup Guide](ssl-setup.md)
- [Security Best Practices](../SECURITY.md)