Features: - PHP 8.4 support (from 8.3) - WordPress 7.0 (auto-update via WP-CLI) - Modern TLS 1.3 cipher suites (2026 best practices) - Fail2Ban security integration (5 jails: SSH, Nginx, WordPress, recidive) - Auto-update cron job for WordPress (weekly Minor updates) - Debian 14 Forky support (testing) - Ubuntu 25.04 support - Python 3.12 in GitHub Actions Security: - Fail2Ban with SSH brute force protection (24h ban) - WordPress wp-login.php protection (2h ban) - Nginx bot scanner protection - Recidive jail for repeat offenders (1 week ban) - Modern TLS ciphers (AEAD only) - HSTS 2 years for preload Documentation: - docs/autoupdate.md - WordPress auto-update guide - docs/fail2ban.md - Fail2Ban configuration guide - docs/troubleshooting.md - Updated with php_version variable Breaking changes: - PHP 8.4 is now the default (requires Ubuntu 20.04+ or Debian 11+)
273 lines
7.1 KiB
Markdown
Executable File
273 lines
7.1 KiB
Markdown
Executable File
# Ansible Vault Security Guide
|
|
|
|
This guide explains how to use Ansible Vault to securely manage passwords and sensitive data in your WordPress deployment.
|
|
|
|
## What is Ansible Vault?
|
|
|
|
Ansible Vault is a feature that allows you to encrypt sensitive data like passwords, API keys, and certificates, so they can be safely stored in version control systems like Git.
|
|
|
|
## Why Use Ansible Vault?
|
|
|
|
**Without Vault (Insecure):**
|
|
```yaml
|
|
# production.yml - INSECURE!
|
|
mysql_root_password: "my-secret-password" # Visible to everyone
|
|
```
|
|
|
|
**With Vault (Secure):**
|
|
```yaml
|
|
# production.yml - SECURE!
|
|
mysql_root_password: "{{ vault_mysql_root_password }}" # References encrypted value
|
|
|
|
# group_vars/all/vault.yml - ENCRYPTED!
|
|
$ANSIBLE_VAULT;1.1;AES256
|
|
66633030613... # Encrypted content
|
|
```
|
|
|
|
## Quick Setup Guide
|
|
|
|
### 1. Create the Vault Structure
|
|
|
|
```bash
|
|
# Create directories
|
|
mkdir -p group_vars/all/
|
|
|
|
# Create encrypted vault file
|
|
ansible-vault create group_vars/all/vault.yml
|
|
```
|
|
|
|
You'll be prompted to enter a vault password. **Remember this password!**
|
|
|
|
### 2. Add Encrypted Passwords
|
|
|
|
In the vault editor, add your sensitive data:
|
|
|
|
```yaml
|
|
# Content of group_vars/all/vault.yml (will be encrypted)
|
|
vault_mysql_root_password: "your-super-secure-mysql-password"
|
|
vault_wordpress_db_password: "your-secure-wp-db-password"
|
|
vault_wp_admin_password: "your-secure-admin-password"
|
|
```
|
|
|
|
### 3. Update Your Inventory
|
|
|
|
Modify your `inventory/production.yml` to reference vault variables:
|
|
|
|
```yaml
|
|
wordpress_servers:
|
|
hosts:
|
|
your-server.example.com:
|
|
# ... other settings ...
|
|
|
|
# Database - Using vault variables
|
|
mysql_root_password: "{{ vault_mysql_root_password }}"
|
|
wordpress_db_password: "{{ vault_wordpress_db_password }}"
|
|
|
|
# WordPress Admin - Using vault variables
|
|
wp_admin_password: "{{ vault_wp_admin_password }}"
|
|
```
|
|
|
|
### 4. Deploy with Vault
|
|
|
|
```bash
|
|
# Deploy and provide vault password
|
|
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass
|
|
|
|
# Or store vault password in a file (keep secure!)
|
|
echo "your-vault-password" > .vault_password
|
|
chmod 600 .vault_password
|
|
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --vault-password-file .vault_password
|
|
```
|
|
|
|
## Vault File Management
|
|
|
|
### View Encrypted Content
|
|
```bash
|
|
ansible-vault view group_vars/all/vault.yml
|
|
```
|
|
|
|
### Edit Encrypted Content
|
|
```bash
|
|
ansible-vault edit group_vars/all/vault.yml
|
|
```
|
|
|
|
### Change Vault Password
|
|
```bash
|
|
ansible-vault rekey group_vars/all/vault.yml
|
|
```
|
|
|
|
### Encrypt Existing File
|
|
```bash
|
|
ansible-vault encrypt group_vars/all/vault.yml
|
|
```
|
|
|
|
### Decrypt File (Temporarily)
|
|
```bash
|
|
ansible-vault decrypt group_vars/all/vault.yml
|
|
# Edit the file
|
|
ansible-vault encrypt group_vars/all/vault.yml
|
|
```
|
|
|
|
## Complete Example
|
|
|
|
### Project Structure
|
|
```
|
|
ansible-lemp-wordpress/
|
|
├── inventory/
|
|
│ └── production.yml # References vault variables
|
|
├── group_vars/
|
|
│ └── all/
|
|
│ └── vault.yml # Encrypted passwords
|
|
├── playbooks/
|
|
│ └── lemp-wordpress.yml
|
|
└── .vault_password # Optional: vault password file
|
|
```
|
|
|
|
### Example Vault File
|
|
```yaml
|
|
# group_vars/all/vault.yml (encrypted)
|
|
vault_mysql_root_password: "MySecure123!@#Root"
|
|
vault_wordpress_db_password: "WordPressDB456$%^"
|
|
vault_wp_admin_password: "AdminPass789&*()"
|
|
vault_ssl_email: "admin@yourcompany.com"
|
|
```
|
|
|
|
### Example Inventory
|
|
```yaml
|
|
# inventory/production.yml
|
|
wordpress_servers:
|
|
hosts:
|
|
web1.yourcompany.com:
|
|
ansible_host: 192.168.1.100
|
|
ansible_user: ubuntu
|
|
domain_name: yoursite.com
|
|
|
|
# SSL Configuration
|
|
ssl_enabled: true
|
|
ssl_email: "{{ vault_ssl_email }}"
|
|
|
|
# Database (using vault)
|
|
mysql_root_password: "{{ vault_mysql_root_password }}"
|
|
wordpress_db_name: "wordpress"
|
|
wordpress_db_user: "wp_user"
|
|
wordpress_db_password: "{{ vault_wordpress_db_password }}"
|
|
|
|
# WordPress Admin (using vault)
|
|
wp_admin_user: "admin"
|
|
wp_admin_password: "{{ vault_wp_admin_password }}"
|
|
wp_admin_email: "{{ vault_ssl_email }}"
|
|
wp_site_title: "My Company Website"
|
|
```
|
|
|
|
## Security Best Practices
|
|
|
|
### 1. Vault Password Management
|
|
- **Never commit the vault password to Git**
|
|
- Use a strong, unique password for your vault
|
|
- Consider using a password manager
|
|
- For teams, use external secret management systems
|
|
|
|
### 2. File Permissions
|
|
```bash
|
|
# Secure vault password file
|
|
chmod 600 .vault_password
|
|
|
|
# Add to .gitignore
|
|
echo ".vault_password" >> .gitignore
|
|
```
|
|
|
|
### 3. Git Configuration
|
|
```bash
|
|
# Add vault file to Git (it's encrypted, so it's safe)
|
|
git add group_vars/all/vault.yml
|
|
|
|
# But never add the password file
|
|
echo ".vault_password" >> .gitignore
|
|
git add .gitignore
|
|
```
|
|
|
|
### 4. Team Collaboration
|
|
For teams, consider these approaches:
|
|
|
|
**Option 1: Shared Vault Password**
|
|
- Share vault password through secure channels (encrypted email, password manager)
|
|
- Each team member stores password locally
|
|
|
|
**Option 2: External Secret Management**
|
|
- Use HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault
|
|
- Ansible can integrate with these systems
|
|
|
|
## Deployment Commands
|
|
|
|
### Basic Deployment
|
|
```bash
|
|
# Standard deployment with vault
|
|
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass
|
|
```
|
|
|
|
### Ultimate Performance Deployment
|
|
```bash
|
|
# Ultimate deployment with vault
|
|
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress-ultimate.yml --ask-vault-pass
|
|
```
|
|
|
|
### Using Password File
|
|
```bash
|
|
# With password file (for automation)
|
|
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --vault-password-file .vault_password
|
|
```
|
|
|
|
## Troubleshooting
|
|
|
|
### "Decryption failed" Error
|
|
- Check that you're using the correct vault password
|
|
- Verify the vault file isn't corrupted: `ansible-vault view group_vars/all/vault.yml`
|
|
|
|
### "Variable not found" Error
|
|
- Ensure vault variables are properly referenced in inventory
|
|
- Check variable names match exactly (case sensitive)
|
|
- Verify vault file is in the correct location
|
|
|
|
### Permission Denied
|
|
- Check file permissions: `ls -la group_vars/all/vault.yml`
|
|
- Ensure Ansible can read the vault file
|
|
|
|
## Migration from Plain Text
|
|
|
|
If you have existing plain text passwords in your inventory:
|
|
|
|
1. **Create vault file:**
|
|
```bash
|
|
ansible-vault create group_vars/all/vault.yml
|
|
```
|
|
|
|
2. **Move passwords to vault:**
|
|
```yaml
|
|
# Add to vault.yml
|
|
vault_mysql_root_password: "your-existing-password"
|
|
```
|
|
|
|
3. **Update inventory:**
|
|
```yaml
|
|
# Change in production.yml
|
|
mysql_root_password: "{{ vault_mysql_root_password }}"
|
|
```
|
|
|
|
4. **Test deployment:**
|
|
```bash
|
|
ansible-playbook -i inventory/production.yml playbooks/lemp-wordpress.yml --ask-vault-pass --check
|
|
```
|
|
|
|
## Conclusion
|
|
|
|
Ansible Vault provides a secure way to manage sensitive data while keeping it version-controlled. While it adds complexity, it's essential for production deployments where security is paramount.
|
|
|
|
For simple testing or development, plain text passwords in inventory files may be acceptable, but always use Vault for production environments.
|
|
|
|
---
|
|
|
|
**Next Steps:**
|
|
- [Production Deployment Guide](production-deployment.md)
|
|
- [SSL Setup Guide](ssl-setup.md)
|
|
- [Security Best Practices](../SECURITY.md)
|