From e4b2871a2199346b7fe77f1a8bcb95f88c7bb692 Mon Sep 17 00:00:00 2001 From: Nareshkumar Rao Date: Sat, 25 Sep 2021 01:56:47 +0200 Subject: [PATCH] stable single wp --- hosts.ini | 2 + provision.yml | 9 ++ roles/wordpress/handlers/main.yml | 6 ++ roles/wordpress/tasks/letsencrypt.yml | 91 +++++++++++++++++++ roles/wordpress/tasks/main.yml | 38 ++++++++ .../templates/apache-challenge-site.conf | 8 ++ roles/wordpress/templates/apache-site.conf | 23 +++++ vars.yml | 15 +++ 8 files changed, 192 insertions(+) create mode 100644 hosts.ini create mode 100644 provision.yml create mode 100644 roles/wordpress/handlers/main.yml create mode 100644 roles/wordpress/tasks/letsencrypt.yml create mode 100644 roles/wordpress/tasks/main.yml create mode 100644 roles/wordpress/templates/apache-challenge-site.conf create mode 100644 roles/wordpress/templates/apache-site.conf create mode 100644 vars.yml diff --git a/hosts.ini b/hosts.ini new file mode 100644 index 0000000..9cebb25 --- /dev/null +++ b/hosts.ini @@ -0,0 +1,2 @@ +psmcentral ansible_host=159.69.47.163 + diff --git a/provision.yml b/provision.yml new file mode 100644 index 0000000..4227f6d --- /dev/null +++ b/provision.yml @@ -0,0 +1,9 @@ +--- +- name: Provision PSM Server + hosts: psmcentral + remote_user: root + roles: + - wordpress + vars_files: + - ./vars.yml + diff --git a/roles/wordpress/handlers/main.yml b/roles/wordpress/handlers/main.yml new file mode 100644 index 0000000..97476a4 --- /dev/null +++ b/roles/wordpress/handlers/main.yml @@ -0,0 +1,6 @@ +- name: Restart Apache + service: + name: apache2 + state: restarted + enabled: yes + diff --git a/roles/wordpress/tasks/letsencrypt.yml b/roles/wordpress/tasks/letsencrypt.yml new file mode 100644 index 0000000..990c52a --- /dev/null +++ b/roles/wordpress/tasks/letsencrypt.yml 
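Review bot: `remote_user: root` in provision.yml has the whole play log in over SSH as root, so the target must allow direct root login and every task, including package installs and Apache restarts, runs with full privilege whether it needs it or not. A less exposed layout is a dedicated deploy account with `remote_user: deploy` and `become: true` on the play, which also makes the `sudo tee` calls in the wordpress role redundant (they already are under root). hosts.ini pins a bare public IP with no `ansible_user`, so this one line is the only thing selecting the login account; if root login is ever disabled on the box the playbook stops working silently at connect time.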
@@ -0,0 +1,91 @@ +- name: "Create required directories in /etc/letsencrypt" + file: + path: "/etc/letsencrypt/{{ item }}" + state: directory + owner: root + group: root + mode: u=rwx,g=x,o=x + with_items: + - account + - certs + - csrs + - keys + +- name: "Generate a Let's Encrypt account key" + shell: "if [ ! -f {{ letsencrypt_account_key }} ]; then openssl genrsa 4096 | sudo tee {{ letsencrypt_account_key }}; fi" + args: + creates: "{{ letsencrypt_account_key }}" + +- name: "Generate Let's Encrypt private key" + shell: "openssl genrsa 4096 | sudo tee /etc/letsencrypt/keys/{{ site_url }}.key" + +- name: "Generate Let's Encrypt CSR" + shell: "openssl req -new -sha256 -key /etc/letsencrypt/keys/{{ site_url }}.key -subj \"/CN={{ site_url }}\" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf \"\n[SAN]\nsubjectAltName=DNS:{{ site_url }}\")) | sudo tee /etc/letsencrypt/csrs/{{ site_url }}.csr" + args: + executable: /bin/bash + +- name: "Begin Let's Encrypt challenges" + letsencrypt: + acme_directory: "{{ acme_directory }}" + acme_version: "{{ acme_version }}" + account_key_src: "{{ letsencrypt_account_key }}" + account_email: "{{ admin_email }}" + terms_agreed: 1 + challenge: "{{ acme_challenge_type }}" + csr: "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr" + dest: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt" + fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ site_url }}.crt" + remaining_days: 91 + force: yes + register: acme_challenge_domain + +- name: "Create .well-known/acme-challenge directory" + file: + path: /var/www/html/{{ site_url }}/.well-known/acme-challenge + state: directory + owner: root + group: root + mode: u=rwx,g=rx,o=rx + +- name: "Implement http-01 challenge files" + copy: + content: "{{ acme_challenge_domain['challenge_data'][item]['http-01']['resource_value'] }}" + dest: "/var/www/html/{{ acme_challenge_domain['challenge_data'][item]['http-01']['resource'] }}" + owner: root + group: root + mode: u=rw,g=r,o=r + with_items: + - 
"{{ site_url }}" + when: acme_challenge_domain['challenge_data'][item] is defined + +- name: "Use challenge Apache conf" + template: + src: apache-challenge-site.conf + dest: /etc/apache2/sites-available/{{ site_url }}.conf + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: "Enable site" + shell: a2ensite {{ site_url }} + +- name: "Restart Apache" + service: + name: apache2 + state: restarted + +- name: "Complete Let's Encrypt challenges" + letsencrypt: + acme_directory: "{{ acme_directory }}" + acme_version: "{{ acme_version }}" + account_key_src: "{{ letsencrypt_account_key }}" + account_email: "{{ admin_email }}" + challenge: "{{ acme_challenge_type }}" + csr: "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr" + dest: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt" + chain_dest: "{{ letsencrypt_certs_dir }}/chain_{{ site_url }}.crt" + fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ site_url }}" + data: "{{ acme_challenge_domain }}" + force: yes + + diff --git a/roles/wordpress/tasks/main.yml b/roles/wordpress/tasks/main.yml new file mode 100644 index 0000000..f63141d --- /dev/null +++ b/roles/wordpress/tasks/main.yml 
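Review bot: The "Generate Let's Encrypt private key" task writes the TLS private key through `sudo tee`, which creates `/etc/letsencrypt/keys/{{ site_url }}.key` with the process umask (typically 0644), and the directory task above grants `o=x` on `/etc/letsencrypt/keys`, so the key is readable by every local account including the Apache/PHP worker that serves WordPress. Write it with a restrictive umask and no pipe, e.g. `shell: "umask 077 && openssl genrsa -out /etc/letsencrypt/keys/{{ site_url }}.key 4096"`, and give the `keys` and `account` directories `mode: u=rwx,g=,o=` rather than the shared `u=rwx,g=x,o=x`. The two `letsencrypt` calls also disagree on the full-chain path (`fullchain_{{ site_url }}.crt` when beginning the challenge, `fullchain_{{ site_url }}` when completing it), so one of the two should be changed to match whichever name the Apache template is going to reference. `a2ensite {{ site_url }}` is interpolated unquoted into `shell:`; `command: a2ensite {{ site_url | quote }}` avoids handing the value to a shell at all.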
@@ -0,0 +1,38 @@ +- name: Install LAMP stack + apt: + name: apache2, php, libapache2-mod-php, php-mysql, mariadb-server + state: present + update_cache: true + +- name: Install Wordpress Pre-Reqs + apt: + name: php-curl, php-imagick, php-json, php-mbstring, php-xml, php-zip, php-gd, ghostscript, imagemagick + state: present + +- name: Check Certificate Modify Dates + stat: + path: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt" + register: stat_results + +- name: Get LetsEncrypt Certificates + import_tasks: letsencrypt.yml + when: ((ansible_date_time.epoch|int - stat_results.stat.mtime) > (90 * 60 * 60 * 24)) + +- name: Copy Apache config + template: + src: apache-site.conf + dest: /etc/apache2/sites-available/{{ site_url }}.conf + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: Enable Apache Modules + shell: a2enmod ssl rewrite + notify: + - Restart Apache + +- name: Enable Apache site + shell: a2ensite {{ site_url }} + notify: + - Restart Apache + diff --git a/roles/wordpress/templates/apache-challenge-site.conf b/roles/wordpress/templates/apache-challenge-site.conf new file mode 100644 index 0000000..6e13603 --- /dev/null +++ b/roles/wordpress/templates/apache-challenge-site.conf @@ -0,0 +1,8 @@ + + ServerName {{ site_url }} + ServerAdmin {{ admin_email }} + DocumentRoot /var/www/html/{{ site_url }} + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + diff --git a/roles/wordpress/templates/apache-site.conf b/roles/wordpress/templates/apache-site.conf new file mode 100644 index 0000000..ac3cd6c --- /dev/null +++ b/roles/wordpress/templates/apache-site.conf 
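Review bot: The `when:` on "Get LetsEncrypt Certificates" dereferences `stat_results.stat.mtime`, but on a fresh host the certificate file does not exist yet and `stat` then returns no `mtime` key, so the very first run fails on the condition instead of issuing the certificate. Guard on existence first: `when: not stat_results.stat.exists or ((ansible_date_time.epoch|int - stat_results.stat.mtime) > (90 * 60 * 60 * 24))`. As written, renewal is also only attempted once the file is 90 days old, which is at or past the lifetime of the certificate that was issued, so the site will serve an expired certificate until the playbook is rerun; a lower threshold such as 60 days is the usual choice, and I cannot see from this change whether anything schedules a rerun. The `a2enmod`/`a2ensite` tasks go through `shell:` and therefore report `changed` and trigger the Apache restart on every run; `command:` with `creates: /etc/apache2/sites-enabled/{{ site_url }}.conf` would make them idempotent.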
@@ -0,0 +1,23 @@ + + ServerName {{ site_url }} + Redirect permanent / https://{{ site_url }}/ + + + ServerName {{ site_url }} + DocumentRoot /var/www/html/{{ site_url }} + + + Order Allow,Deny + Allow from All + AllowOverride All + Require all granted + + + SSLEngine on + SSLCertificateFile "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt" + SSLCertificateKeyFile "/etc/letsencrypt/keys/{{ site_url }}.key" + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + diff --git a/vars.yml b/vars.yml new file mode 100644 index 0000000..defab7f --- /dev/null +++ b/vars.yml @@ -0,0 +1,15 @@ +--- +site_url: psm.msolidariti.org +admin_email: naresh@msolidariti.org + +# LetsEncrypt Configuration + +acme_challenge_type: http-01 +acme_directory: https://acme-v02.api.letsencrypt.org/directory +acme_version: 2 +letsencrypt_dir: /etc/letsencrypt +letsencrypt_keys_dir: /etc/letsencrypt/keys +letsencrypt_csrs_dir: /etc/letsencrypt/csrs +letsencrypt_certs_dir: /etc/letsencrypt/certs +letsencrypt_account_key: /etc/letsencrypt/account/account.key +
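Review bot: `SSLCertificateFile` points at `{{ letsencrypt_certs_dir }}/{{ site_url }}.crt`, the leaf certificate the `dest` parameter writes, and no `SSLCertificateChainFile` is configured, so the intermediate CA certificate is never sent and clients that do not already have it cached will fail validation. Add `SSLCertificateChainFile "{{ letsencrypt_certs_dir }}/chain_{{ site_url }}.crt"` (the `chain_dest` the completion task writes), or point `SSLCertificateFile` at the full-chain file once its name is made consistent between the two `letsencrypt` calls. The `Order Allow,Deny` / `Allow from All` lines are Apache 2.2 directives sitting next to the 2.4 `Require all granted`; they only work through mod_access_compat and can be dropped. There is no `SSLProtocol`/`SSLCipherSuite` and no HSTS header, so the vhost accepts whatever the distribution default allows; stating it explicitly with `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and `Header always set Strict-Transport-Security "max-age=63072000"` is cheap, noting the latter needs `headers` added to the `a2enmod ssl rewrite` task.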