https://github.com/dimiboi/wordpress-ansible
🦾 An Ansible playbook to spin up a WordPress server running hardened Nginx and MariaDB with an SSL certificate issued by Let's Encrypt using dns-01 challenge.
- Host: GitHub
- URL: https://github.com/dimiboi/wordpress-ansible
- Owner: dimiboi
- License: mpl-2.0
- Created: 2020-12-20T21:20:32.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2021-07-06T17:09:07.000Z (almost 5 years ago)
- Last Synced: 2025-01-14T12:29:17.374Z (over 1 year ago)
- Topics: ansible, ansible-playbook, certbot, mariadb, nginx, wordpress
- Language: Jinja
- Homepage:
- Size: 34.2 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# 🦾 Hardened WordPress Ansible Playbook
The `cloud-init.yml` configuration file:
- 👥 Creates a default user `dmitry` with a public key and gives it sudo permissions
- 📦 Configures and enables unattended-upgrades
- 🧱 Enables the firewall and lets SSH through it
- 🐝 Pollinates entropy using Ubuntu's server
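A cloud-init file that covers the four items above, as an added example that is not the repository's own `cloud-init.yml`: the user name follows the README, while the key placeholder, the `sudo` group, the `20auto-upgrades` snippet and the `ufw`/`pollinate` commands are assumptions about how those steps are typically done on Ubuntu.

```yaml
#cloud-config
# Added example, not the repository's cloud-init.yml. Replace the public key;
# the group name, apt snippet and runcmd lines are assumptions.
ssh_pwauth: false                # key-only SSH; the authorized key below is the only way in

users:
  - name: dmitry
    groups: [sudo]
    shell: /bin/bash
    lock_passwd: true            # no password on the account; sudo still works from a key session
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - ssh-ed25519 AAAA...REPLACE_WITH_YOUR_PUBLIC_KEY dmitry@laptop

package_update: true
package_upgrade: true
packages:
  - unattended-upgrades
  - ufw
  - pollinate

write_files:
  # Turns on the periodic list refresh and unattended-upgrade run.
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";

runcmd:
  - [ systemctl, enable, --now, unattended-upgrades ]
  - [ ufw, default, deny, incoming ]
  - [ ufw, allow, OpenSSH ]      # SSH is the only inbound port opened here
  - [ ufw, --force, enable ]
  - [ pollinate, --reseed ]      # pull entropy from Ubuntu's entropy server
```

Declaring a `users:` list without the `default` entry replaces the image's default user, so the key you put on `dmitry` is the only login path once the instance is up; check it works before enabling the firewall on anything you cannot console into.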
The Ansible playbook:
- 📦 Installs and configures _MariaDB_, _Nginx_, _WordPress_, and _Certbot_
- 🔑 Stores the generated MariaDB _credentials_ in the `.credentials` directory
- 📜 Acquires a Let's Encrypt _certificate_ using the `dns-01` challenge with the configured _DNS provider_:
  - 🤖 Google Cloud Platform _service account_ credentials in a JSON file ([instructions](https://cloud.google.com/iam/docs/creating-managing-service-accounts))
    - 🔧 Configure the file path as `certbot_dns.google_credentials_file`
  - ☁️ Cloudflare _API token_ ([instructions](https://developers.cloudflare.com/api/tokens/create))
    - 🔧 Configure the token as `certbot_dns.cloudflare_api_token`
  - ❗ The playbook uses the Let's Encrypt _staging environment_ by default
    - 🔧 Make sure to override `certbot_server` with the production server
- 🔏 Hardens the system and its running services
## Instructions
Install the [devsec.hardening](https://github.com/dev-sec/ansible-collection-hardening) collection before running the playbook:
```bash
$ ansible-galaxy collection install devsec.hardening
```
Create a `.vars.yml` file and set the required variable values:
```yaml
ssh_allow_users: john
wordpress_http_hosts:
  - john.example.net
  - doe.example.com
certbot_email: john@doe.example.com
certbot_server: https://acme-v02.api.letsencrypt.org/directory
certbot_dns:
  cloudflare_api_token: 0123456789abcdef0123456789abcdef01234567
```
To use Google Cloud Platform DNS instead, configure the service account credentials file path:
```yaml
certbot_dns:
  google_credentials_file: ~/certbot-service-account.json
```
Run the playbook against the target host as the SSH user created by `cloud-init.yml` (replace `<host>` and `<user>`; `--limit` and `--user` each take a value):
```bash
$ ansible-playbook playbook.yml --limit <host> --user <user> --extra-vars @.vars.yml
```
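Because the playbook defaults to the Let's Encrypt staging CA, the mistake that bites most often is a `.vars.yml` that never overrides `certbot_server`, followed by a site that serves a browser-untrusted certificate. The checks below are an added example, not part of the repository: `vars_check` inspects a `.vars.yml` in the layout shown above before you run the playbook, and `issuer_is_production` classifies an `openssl x509 -issuer` line afterwards. The URLs are the real Let's Encrypt production and staging directories; the assumption that staging issuers carry `(STAGING)` in their name matches the intermediates Let's Encrypt publishes, and the sample vars files in the usage are constructed.

```shell
#!/usr/bin/env sh
# Added example, not part of dimiboi/wordpress-ansible. POSIX sh.
set -eu

# Real ACME directory URLs; the playbook defaults to LE_STAGING.
LE_PROD="https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING="https://acme-staging-v02.api.letsencrypt.org/directory"

# vars_check FILE: returns 0 when FILE points at the production CA, sets the
# required keys and configures exactly one DNS provider; prints each problem.
vars_check() {
  f="$1"; rc=0
  server=$(sed -n 's/^certbot_server:[[:space:]]*//p' "$f" | tr -d "\"'")
  if [ -z "$server" ]; then
    echo "certbot_server not set: the playbook will use the staging CA"; rc=1
  elif [ "$server" = "$LE_STAGING" ]; then
    echo "certbot_server points at staging: browsers will not trust the cert"; rc=1
  elif [ "$server" != "$LE_PROD" ]; then
    echo "certbot_server is neither production nor staging: $server"; rc=1
  fi
  n=0
  grep -q '^[[:space:]]*cloudflare_api_token:' "$f" && n=$((n + 1))
  grep -q '^[[:space:]]*google_credentials_file:' "$f" && n=$((n + 1))
  if [ "$n" -ne 1 ]; then
    echo "expected exactly one DNS provider credential under certbot_dns, found $n"; rc=1
  fi
  grep -q '^certbot_email:' "$f" || { echo "certbot_email missing"; rc=1; }
  grep -q '^wordpress_http_hosts:' "$f" || { echo "wordpress_http_hosts missing"; rc=1; }
  return $rc
}

# issuer_is_production ISSUER_LINE: 0 for a Let's Encrypt production issuer,
# 1 for a staging issuer (name contains "(STAGING)") or any other CA.
issuer_is_production() {
  case "$1" in
    *"(STAGING)"*) return 1 ;;
    *"Let's Encrypt"*) return 0 ;;
    *) return 1 ;;
  esac
}

# site_issuer HOST: issuer line of the certificate HOST actually serves (needs network).
site_issuer() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Usage (uncomment on a deployed host):
#   vars_check .vars.yml && ansible-playbook playbook.yml --limit <host> --user <user> --extra-vars @.vars.yml
#   issuer_is_production "$(site_issuer john.example.net)" && echo "production cert"
```

`vars_check` is deliberately line-oriented rather than a YAML parser, so it only understands the flat layout the README shows; if you restructure the vars file, run it through `ansible-inventory` or a real YAML loader instead.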