From e545807a6649b11126575978cb29f6b014589927 Mon Sep 17 00:00:00 2001 
From: Tim Gerla
Date: Sun, 30 Jun 2013 21:54:21 -0700
Subject: [PATCH] Initial commit of a Wordpress site deployment playbook
---
wordpress-nginx/README.md | 28 +++++++
wordpress-nginx/group_vars/all | 15 ++++
wordpress-nginx/hosts | 2 +
.../roles/common/files/RPM-GPG-KEY-EPEL-6 | 29 +++++++
wordpress-nginx/roles/common/files/epel.repo | 26 ++++++
.../roles/common/files/iptables-save | 13 +++
.../roles/common/handlers/main.yml | 3 +
wordpress-nginx/roles/common/tasks/main.yml | 10 +++
wordpress-nginx/roles/mysql/handlers/main.yml | 3 +
wordpress-nginx/roles/mysql/tasks/main.yml | 19 +++++
.../roles/mysql/templates/my.cnf.j2 | 11 +++
wordpress-nginx/roles/nginx/handlers/main.yml | 3 +
wordpress-nginx/roles/nginx/tasks/main.yml | 7 ++
.../roles/nginx/templates/default.conf | 31 +++++++
.../roles/php-fpm/handlers/main.yml | 3 +
wordpress-nginx/roles/php-fpm/tasks/main.yml | 22 +++++
.../roles/php-fpm/templates/wordpress.conf | 15 ++++
.../roles/wordpress/tasks/main.yml | 28 +++++++
.../roles/wordpress/templates/wp-config.php | 84 +++++++++++++++++++
wordpress-nginx/site.yml | 11 +++
20 files changed, 363 insertions(+)
create mode 100644 wordpress-nginx/README.md
create mode 100644 wordpress-nginx/group_vars/all
create mode 100644 wordpress-nginx/hosts
create mode 100644 wordpress-nginx/roles/common/files/RPM-GPG-KEY-EPEL-6
create mode 100644 wordpress-nginx/roles/common/files/epel.repo
create mode 100644 wordpress-nginx/roles/common/files/iptables-save
create mode 100644 wordpress-nginx/roles/common/handlers/main.yml
create mode 100644 wordpress-nginx/roles/common/tasks/main.yml
create mode 100644 wordpress-nginx/roles/mysql/handlers/main.yml
create mode 100644 wordpress-nginx/roles/mysql/tasks/main.yml
create mode 100644 wordpress-nginx/roles/mysql/templates/my.cnf.j2
create mode 100644 wordpress-nginx/roles/nginx/handlers/main.yml
create mode 100644 wordpress-nginx/roles/nginx/tasks/main.yml
create mode 100644 wordpress-nginx/roles/nginx/templates/default.conf
create mode 100644 wordpress-nginx/roles/php-fpm/handlers/main.yml
create mode 100644 wordpress-nginx/roles/php-fpm/tasks/main.yml
create mode 100644 wordpress-nginx/roles/php-fpm/templates/wordpress.conf
create mode 100644 wordpress-nginx/roles/wordpress/tasks/main.yml
create mode 100644 wordpress-nginx/roles/wordpress/templates/wp-config.php
create mode 100644 wordpress-nginx/site.yml
diff --git a/wordpress-nginx/README.md b/wordpress-nginx/README.md
new file mode 100644
index 0000000..0f9531c
--- /dev/null
+++ b/wordpress-nginx/README.md
@@ -0,0 +1,28 @@
+## Wordpress+Nginx+PHP-FPM Deployment
+
+- Requires Ansible 1.2 or newer
+- Expects CentOS/RHEL 6.x hosts
+
+These playbooks deploy a simple all-in-one configuration of the popular
+Wordpress blogging platform and CMS, frontend by the Nginx web server and the
+PHP-FPM process manager. To use, edit the "hosts" inventory file to include the
+names of the servers you want to deploy.
+
+Then run the playbook, like this:
+
+ ansible-playbook -i hosts site.yml
+
+The playbooks will configure MySQL, Wordpress, Nginx, and PHP-FPM. When the run
+is complete, you can hit access server to begin the Wordpress configuration.
+
+### Ideas for Improvement
+
+Here are some ideas for ways that these playbooks could be extended:
+
+- Parameterize the Wordpress deployment to handle multi-site configurations.
+- Separate the components (PHP-FPM, MySQL, Nginx) onto separate hosts and
+hande the configuration appropriately.
+- Handle Wordpress upgrades automatically.
+
+We would love to see contributions and improvements, so please fork this
+repository on GitHub and send us your changes via pull requests.
diff --git a/wordpress-nginx/group_vars/all b/wordpress-nginx/group_vars/all
new file mode 100644
index 0000000..3b79d53
--- /dev/null
+++ b/wordpress-nginx/group_vars/all
@@ -0,0 +1,15 @@
+---
+# Which version of Wordpress to deploy
+wp_version: 3.5.2
+
+# These are the Wordpress database settings
+wp_db_name: wordpress
+wp_db_user: wordpress
+wp_db_password: secret
+
+# You shouldn't need to change this.
+mysql_port: 3306
+
+# This is used for the nginx server configuration, but # access to the
+# Wordpress site is not restricted by a # named host.
+server_hostname: www.example.com
diff --git a/wordpress-nginx/hosts b/wordpress-nginx/hosts
new file mode 100644
index 0000000..0dbfb16
--- /dev/null
+++ b/wordpress-nginx/hosts
@@ -0,0 +1,2 @@
+[wordpress-server]
+webserver2
diff --git a/wordpress-nginx/roles/common/files/RPM-GPG-KEY-EPEL-6 b/wordpress-nginx/roles/common/files/RPM-GPG-KEY-EPEL-6
new file mode 100644
index 0000000..7a20304
--- /dev/null
+++ b/wordpress-nginx/roles/common/files/RPM-GPG-KEY-EPEL-6
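Review bot: In wordpress-nginx/group_vars/all, `wp_db_password: secret` ships a guessable database password as the working default, and the wordpress role passes it straight to `mysql_user`, so a run of the unmodified playbook leaves a known credential on the host. The comment above the three database settings should say so, for example `# CHANGE wp_db_password before deploying; keep the real value out of version control`. The role interpolates it unquoted into a key=value argument (`password={{ wp_db_password }}`), so a replacement containing spaces would likely be mis-parsed; quoting it at the point of use, or noting the restriction here, avoids that surprise.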
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.5 (GNU/Linux) + +mQINBEvSKUIBEADLGnUj24ZVKW7liFN/JA5CgtzlNnKs7sBg7fVbNWryiE3URbn1 +JXvrdwHtkKyY96/ifZ1Ld3lE2gOF61bGZ2CWwJNee76Sp9Z+isP8RQXbG5jwj/4B +M9HK7phktqFVJ8VbY2jfTjcfxRvGM8YBwXF8hx0CDZURAjvf1xRSQJ7iAo58qcHn +XtxOAvQmAbR9z6Q/h/D+Y/PhoIJp1OV4VNHCbCs9M7HUVBpgC53PDcTUQuwcgeY6 +pQgo9eT1eLNSZVrJ5Bctivl1UcD6P6CIGkkeT2gNhqindRPngUXGXW7Qzoefe+fV +QqJSm7Tq2q9oqVZ46J964waCRItRySpuW5dxZO34WM6wsw2BP2MlACbH4l3luqtp +Xo3Bvfnk+HAFH3HcMuwdaulxv7zYKXCfNoSfgrpEfo2Ex4Im/I3WdtwME/Gbnwdq +3VJzgAxLVFhczDHwNkjmIdPAlNJ9/ixRjip4dgZtW8VcBCrNoL+LhDrIfjvnLdRu +vBHy9P3sCF7FZycaHlMWP6RiLtHnEMGcbZ8QpQHi2dReU1wyr9QgguGU+jqSXYar +1yEcsdRGasppNIZ8+Qawbm/a4doT10TEtPArhSoHlwbvqTDYjtfV92lC/2iwgO6g +YgG9XrO4V8dV39Ffm7oLFfvTbg5mv4Q/E6AWo/gkjmtxkculbyAvjFtYAQARAQAB +tCFFUEVMICg2KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAjYEEwECACAFAkvS +KUICGw8GCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRA7Sd8qBgi4lR/GD/wLGPv9 +qO39eyb9NlrwfKdUEo1tHxKdrhNz+XYrO4yVDTBZRPSuvL2yaoeSIhQOKhNPfEgT +9mdsbsgcfmoHxmGVcn+lbheWsSvcgrXuz0gLt8TGGKGGROAoLXpuUsb1HNtKEOwP +Q4z1uQ2nOz5hLRyDOV0I2LwYV8BjGIjBKUMFEUxFTsL7XOZkrAg/WbTH2PW3hrfS +WtcRA7EYonI3B80d39ffws7SmyKbS5PmZjqOPuTvV2F0tMhKIhncBwoojWZPExft +HpKhzKVh8fdDO/3P1y1Fk3Cin8UbCO9MWMFNR27fVzCANlEPljsHA+3Ez4F7uboF +p0OOEov4Yyi4BEbgqZnthTG4ub9nyiupIZ3ckPHr3nVcDUGcL6lQD/nkmNVIeLYP +x1uHPOSlWfuojAYgzRH6LL7Idg4FHHBA0to7FW8dQXFIOyNiJFAOT2j8P5+tVdq8 +wB0PDSH8yRpn4HdJ9RYquau4OkjluxOWf0uRaS//SUcCZh+1/KBEOmcvBHYRZA5J +l/nakCgxGb2paQOzqqpOcHKvlyLuzO5uybMXaipLExTGJXBlXrbbASfXa/yGYSAG +iVrGz9CE6676dMlm8F+s3XXE13QZrXmjloc6jwOljnfAkjTGXjiB7OULESed96MR +XtfLk0W5Ab9pd7tKDR6QHI7rgHXfCopRnZ2VVQ== +=V/6I +-----END PGP PUBLIC KEY BLOCK----- diff --git a/wordpress-nginx/roles/common/files/epel.repo b/wordpress-nginx/roles/common/files/epel.repo new file mode 100644 index 0000000..0160dfe --- /dev/null +++ b/wordpress-nginx/roles/common/files/epel.repo 
@@ -0,0 +1,26 @@
+[epel]
+name=Extra Packages for Enterprise Linux 6 - $basearch
+#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
+failovermethod=priority
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
+
+[epel-debuginfo]
+name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
+#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch/debug
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-6&arch=$basearch
+failovermethod=priority
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
+gpgcheck=1
+
+[epel-source]
+name=Extra Packages for Enterprise Linux 6 - $basearch - Source
+#baseurl=http://download.fedoraproject.org/pub/epel/6/SRPMS
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-6&arch=$basearch
+failovermethod=priority
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
+gpgcheck=1
diff --git a/wordpress-nginx/roles/common/files/iptables-save b/wordpress-nginx/roles/common/files/iptables-save
new file mode 100644
index 0000000..e4f2211
--- /dev/null
+++ b/wordpress-nginx/roles/common/files/iptables-save
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [37:13960]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
diff --git a/wordpress-nginx/roles/common/handlers/main.yml b/wordpress-nginx/roles/common/handlers/main.yml
new file mode 100644
index 0000000..29856cc
--- /dev/null
+++ b/wordpress-nginx/roles/common/handlers/main.yml
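Review bot: The first line of roles/common/files/iptables-save, `# {{ ansible_managed }}`, is never expanded, because the file lives under files/ and roles/common/tasks/main.yml installs it with `copy`, which does not render Jinja2; the literal braces end up in /etc/sysconfig/iptables. Either move the file to templates/ and deploy it with `template: src=iptables-save dest=/etc/sysconfig/iptables`, or replace the header with a plain comment such as `# Managed by Ansible - local edits will be overwritten`. The rules cover IPv4 only; if the hosts have IPv6 addresses, the same policy would also have to be installed in the ip6tables rules file, which this commit does not touch.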
@@ -0,0 +1,3 @@
+---
+- name: restart iptables
+ service: name=iptables state=restarted
diff --git a/wordpress-nginx/roles/common/tasks/main.yml b/wordpress-nginx/roles/common/tasks/main.yml
new file mode 100644
index 0000000..efe0a72
--- /dev/null
+++ b/wordpress-nginx/roles/common/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Copy the EPEL repository definition
+ copy: src=epel.repo dest=/etc/yum.repos.d/epel.repo
+
+- name: Create the GPG key for EPEL
+ copy: src=RPM-GPG-KEY-EPEL-6 dest=/etc/pki/rpm-gpg
+
+- name: Set up iptables rules
+ copy: src=iptables-save dest=/etc/sysconfig/iptables
+ notify: restart iptables
diff --git a/wordpress-nginx/roles/mysql/handlers/main.yml b/wordpress-nginx/roles/mysql/handlers/main.yml
new file mode 100644
index 0000000..d0daa04
--- /dev/null
+++ b/wordpress-nginx/roles/mysql/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart mysql
+ service: name=mysqld state=restarted
diff --git a/wordpress-nginx/roles/mysql/tasks/main.yml b/wordpress-nginx/roles/mysql/tasks/main.yml
new file mode 100644
index 0000000..8b97a3e
--- /dev/null
+++ b/wordpress-nginx/roles/mysql/tasks/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Install Mysql package
+ yum: name={{ item }} state=present
+ with_items:
+ - mysql-server
+ - MySQL-python
+ - libselinux-python
+ - libsemanage-python
+
+- name: Configure SELinux to start mysql on any port
+ seboolean: name=mysql_connect_any state=true persistent=yes
+
+- name: Create Mysql configuration file
+ template: src=my.cnf.j2 dest=/etc/my.cnf
+ notify:
+ - restart mysql
+
+- name: Start Mysql Service
+ service: name=mysqld state=started enabled=true
diff --git a/wordpress-nginx/roles/mysql/templates/my.cnf.j2 b/wordpress-nginx/roles/mysql/templates/my.cnf.j2
new file mode 100644
index 0000000..3944d06
--- /dev/null
+++ b/wordpress-nginx/roles/mysql/templates/my.cnf.j2
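Review bot: roles/mysql/tasks/main.yml starts mysqld from the package defaults and never sets a password for the MySQL root account; the `mysql_db` and `mysql_user` tasks in the wordpress role pass no login credentials, so they appear to depend on root staying passwordless. After "Start Mysql Service" the role should set a root password from a variable, store it in a root-only client option file so the later modules can still log in, and remove the anonymous accounts and `test` database that a stock install typically creates. The sketch below shows the shape; `mysql_root_password` and the `root-my.cnf.j2` template are new and would have to be added. The `mysql_connect_any` boolean also loosens the SELinux policy for mysqld and looks unnecessary while `mysql_port` stays at 3306, so a comment saying when it is needed would help.

```yaml
# … unchanged: package install, SELinux boolean, my.cnf template, service start …

# New variable mysql_root_password must be defined by the operator.
# localhost goes last so earlier items still connect without a password on the first run.
- name: Set the MySQL root password
  mysql_user: name=root host={{ item }} password={{ mysql_root_password }} state=present
  with_items:
    - "{{ ansible_hostname }}"
    - 127.0.0.1
    - localhost

# New template root-my.cnf.j2 holds a [client] section with user=root and the password.
- name: Store root credentials for later mysql_* tasks
  template: src=root-my.cnf.j2 dest=/root/.my.cnf owner=root group=root mode=0600

- name: Remove anonymous MySQL accounts
  mysql_user: name='' host={{ item }} state=absent
  with_items:
    - "{{ ansible_hostname }}"
    - localhost

- name: Remove the test database
  mysql_db: name=test state=absent
```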
@@ -0,0 +1,11 @@
+[mysqld]
+datadir=/var/lib/mysql
+socket=/var/lib/mysql/mysql.sock
+user=mysql
+# Disabling symbolic-links is recommended to prevent assorted security risks
+symbolic-links=0
+port={{ mysql_port }}
+
+[mysqld_safe]
+log-error=/var/log/mysqld.log
+pid-file=/var/run/mysqld/mysqld.pid
diff --git a/wordpress-nginx/roles/nginx/handlers/main.yml b/wordpress-nginx/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..92971d2
--- /dev/null
+++ b/wordpress-nginx/roles/nginx/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart nginx
+ service: name=nginx state=restarted
diff --git a/wordpress-nginx/roles/nginx/tasks/main.yml b/wordpress-nginx/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..569b425
--- /dev/null
+++ b/wordpress-nginx/roles/nginx/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Install nginx
+ yum: name=nginx state=present
+
+- name: Copy nginx configuration for wordpress
+ template: src=default.conf dest=/etc/nginx/conf.d/default.conf
+ notify: restart nginx
diff --git a/wordpress-nginx/roles/nginx/templates/default.conf b/wordpress-nginx/roles/nginx/templates/default.conf
new file mode 100644
index 0000000..aac9f7e
--- /dev/null
+++ b/wordpress-nginx/roles/nginx/templates/default.conf
@@ -0,0 +1,31 @@
+server {
+ listen 80 default_server;
+ server_name {{ server_hostname }};
+ root /srv/wordpress/ ;
+
+ client_max_body_size 64M;
+
+ # Deny access to any files with a .php extension in the uploads directory
+ location ~* /(?:uploads|files)/.*\.php$ {
+ deny all;
+ }
+
+ location / {
+ index index.php index.html index.htm;
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ location ~* \.(gif|jpg|jpeg|png|css|js)$ {
+ expires max;
+ }
+
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_index index.php;
+ fastcgi_pass unix:/var/run/php-fpm/wordpress.sock;
+ fastcgi_param SCRIPT_FILENAME
+ $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+}
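Review bot: The `[mysqld]` section in roles/mysql/templates/my.cnf.j2 sets `port` but no `bind-address`, so mysqld will listen on every interface and only the iptables rules from the common role keep port 3306 closed. The one account this playbook creates is for `host='localhost'`, so nothing in the all-in-one layout needs a network listener. Adding `bind-address=127.0.0.1` under `port={{ mysql_port }}` keeps the database unreachable from the network even if the firewall rules are later changed or flushed.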
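Review bot: roles/nginx/templates/default.conf serves the site on `listen 80` only, and the iptables file in this commit opens only ports 22 and 80, so WordPress logins and session cookies will cross the network unencrypted. If TLS is out of scope for this example, the server block should say so, for instance `# HTTP only: add a TLS listener (and open 443 in iptables) before using this for a real site`. The README would be a second good place for the same caveat, since it tells the reader to open the server and begin the WordPress configuration straight after the run.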
diff --git a/wordpress-nginx/roles/php-fpm/handlers/main.yml b/wordpress-nginx/roles/php-fpm/handlers/main.yml
new file mode 100644
index 0000000..6a975ad
--- /dev/null
+++ b/wordpress-nginx/roles/php-fpm/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart php-fpm
+ service: name=php-fpm state=restarted
diff --git a/wordpress-nginx/roles/php-fpm/tasks/main.yml b/wordpress-nginx/roles/php-fpm/tasks/main.yml
new file mode 100644
index 0000000..e39b4f1
--- /dev/null
+++ b/wordpress-nginx/roles/php-fpm/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Install php-fpm and deps
+ yum: name={{ item }} state=present
+ with_items:
+ - php
+ - php-fpm
+ - php-enchant
+ - php-IDNA_Convert
+ - php-mbstring
+ - php-mysql
+ - php-PHPMailer
+ - php-process
+ - php-simplepie
+ - php-xml
+
+- name: Disable default pool
+ command: mv /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.disabled creates=/etc/php-fpm.d/www.disabled
+ notify: restart php-fpm
+
+- name: Copy php-fpm configuration
+ template: src=wordpress.conf dest=/etc/php-fpm.d/
+ notify: restart php-fpm
diff --git a/wordpress-nginx/roles/php-fpm/templates/wordpress.conf b/wordpress-nginx/roles/php-fpm/templates/wordpress.conf
new file mode 100644
index 0000000..10434c5
--- /dev/null
+++ b/wordpress-nginx/roles/php-fpm/templates/wordpress.conf
@@ -0,0 +1,15 @@
+[wordpress]
+listen = /var/run/php-fpm/wordpress.sock
+listen.owner = nginx
+listen.group = nginx
+listen.mode = 0660
+user = wordpress
+group = wordpress
+pm = dynamic
+pm.max_children = 10
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+pm.max_requests = 500
+chdir = /srv/wordpress/
+php_admin_value[open_basedir] = /srv/wordpress/:/tmp
diff --git a/wordpress-nginx/roles/wordpress/tasks/main.yml b/wordpress-nginx/roles/wordpress/tasks/main.yml
new file mode 100644
index 0000000..1aabee7
--- /dev/null
+++ b/wordpress-nginx/roles/wordpress/tasks/main.yml
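Review bot: In roles/php-fpm/templates/wordpress.conf the pool runs as `user = wordpress`, and the wordpress role gives that same account ownership of all of /srv/wordpress with `recurse=yes`, so the PHP workers can rewrite the application code they execute. That keeps in-dashboard updates working, but it also means a flaw in any plugin or theme can change code on disk rather than only uploaded content. Consider leaving the tree owned by root and granting `wordpress` write access only to the upload directory, or at least record the trade-off in a comment above `user = wordpress`. The `/tmp` entry in `open_basedir` is shared with every other local process, so a dedicated temporary directory for the pool would be tighter.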
@@ -0,0 +1,28 @@
+---
+- name: Download Wordpress
+ get_url: url=http://wordpress.org/wordpress-{{ wp_version }}.tar.gz dest=/srv/wordpress-{{ wp_version }}.tar.gz
+
+- name: Extract archive
+ command: chdir=/srv/ /bin/tar xvf wordpress-{{ wp_version }}.tar.gz creates=/srv/wordpress
+
+- name: Add group "wordpress"
+ group: name=wordpress
+
+- name: Add user "wordpress"
+ user: name=wordpress group=wordpress home=/srv/wordpress/
+
+- name: Change ownership of Wordpress installation
+ file: path=/srv/wordpress/ owner=wordpress group=wordpress state=directory recurse=yes
+
+- name: Fetch random salts for Wordpress config
+ local_action: command curl https://api.wordpress.org/secret-key/1.1/salt/
+ register: wp_salt
+
+- name: Create Wordpress database
+ mysql_db: name={{ wp_db_name }} state=present
+
+- name: Create Wordpress database user
+ mysql_user: name={{ wp_db_user }} password={{ wp_db_password }} priv={{ wp_db_name }}.*:ALL host='localhost' state=present
+
+- name: Copy Wordpress config file
+ template: src=wp-config.php dest=/srv/wordpress/
diff --git a/wordpress-nginx/roles/wordpress/templates/wp-config.php b/wordpress-nginx/roles/wordpress/templates/wp-config.php
new file mode 100644
index 0000000..36b3cf0
--- /dev/null
+++ b/wordpress-nginx/roles/wordpress/templates/wp-config.php
@@ -0,0 +1,84 @@
+
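Review bot: The "Download Wordpress" task in roles/wordpress/tasks/main.yml fetches the release over plain `http://` and unpacks it with no integrity check, so whatever arrives on the wire becomes the code the site runs. Use the HTTPS URL and pin a digest next to `wp_version`, e.g. `get_url: url=https://wordpress.org/wordpress-{{ wp_version }}.tar.gz dest=/srv/wordpress-{{ wp_version }}.tar.gz sha256sum={{ wp_sha256sum }}`, where `wp_sha256sum` is a new variable; confirm that the targeted Ansible release's get_url supports the digest parameter, which may be newer than the 1.2 the README asks for. The final `template: src=wp-config.php dest=/srv/wordpress/` task also sets no owner or mode on a file that holds the database password, and `owner=root group=wordpress mode=0640` would make the intended access explicit.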