
Refactor based on best practices established in jwflory/infrastructure (#19)

* [group_vars] move from playbooks/ to inventory/

* Remove archived/ directory (still exists in git if ever needed again)

* Purge WordPress-related roles / playbooks

* [base] rebase from jwflory/infrastructure base role

* Set vault_password_file in ansible.cfg

Closes #14. Kind of. I know I can do it and how to do it now, even
though no new Ansible Vault files exist in the repo yet.

* [vars] set target_user and user_home_dir
pull/20/head
Justin W. Flory 3 years ago
committed by GitHub
parent
commit
851cf8a279
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 30 additions and 519 deletions

1. ansible.cfg (+3 -2)
2. archived/meet-fossbox/README.md (+0 -42)
3. inventory/group_vars/all.yml (+3 -0)
4. inventory/inventory (+0 -3)
5. playbooks/group_vars/all (+0 -28)
6. playbooks/wordpress-stack-install.yml (+0 -23)
7. roles/base/centos-7/tasks/main.yml (+24 -0)
8. roles/common-centos/7/tasks/main.yml (+0 -18)
9. roles/mariadb/handlers/main.yml (+0 -5)
10. roles/mariadb/tasks/main.yml (+0 -42)
11. roles/mariadb/templates/my.cnf.j2 (+0 -10)
12. roles/nginx/handlers/main.yml (+0 -3)
13. roles/nginx/tasks/main.yml (+0 -36)
14. roles/nginx/templates/fossrit.jwf.io.conf (+0 -25)
15. roles/nginx/templates/restrictions.conf (+0 -23)
16. roles/nginx/templates/wordpress.conf (+0 -44)
17. roles/php-fpm/handlers/main.yml (+0 -3)
18. roles/php-fpm/tasks/main.yml (+0 -22)
19. roles/php-fpm/templates/wordpress.conf (+0 -15)
20. roles/wordpress/tasks/main.yml (+0 -85)
21. roles/wordpress/templates/wp-config.php (+0 -90)

ansible.cfg (+3 -2)

@ -1,3 +1,4 @@
[defaults]
inventory = inventory/inventory
roles_path = roles/
inventory = inventory/inventory
roles_path = roles/
vault_password_file = ~/.config/ansible/fossrit_ansible_vault_pass
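Review bot: `vault_password_file` now points every operator at `~/.config/ansible/fossrit_ansible_vault_pass`, so the README should state how to create that file and that it must be readable only by its owner (mode 0600); on a shared workstation a looser mode hands the vault password to every local user. Keeping it outside the repository is the right choice. Two smaller points: Ansible only honours an `ansible.cfg` in the current directory when that directory is not world-writable, which is worth a line in the docs, and since the commit message says no vault files exist yet, nothing on this branch exercises the setting until `vault_`-prefixed variables encrypted with `ansible-vault encrypt` are introduced.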

archived/meet-fossbox/README.md (+0 -42)

@ -1,42 +0,0 @@
Meeting the FOSSBox
===================
Have you heard about the "FOSSBox" and the free and open source software community on RIT's campus? [FOSS@MAGIC](http://foss.rit.edu/) is the Free and Open Source Software (FOSS) program at the RIT MAGIC Center. Founded in 2009, it is an initiative created to help develop and support FOSS efforts at RIT. The community of students that meet come from a variety of majors and cross-disciplinary interests. Many students involved with the program are enrolled in the [Free and Open Source Software minor](https://www.rit.edu/news/story.php?id=50590), although many students who participate are only involved as contributors, supporters, and/or users of open source software.
The community is open and welcome to everyone in the RIT community and beyond. If you want to get more involved with the FOSS@MAGIC program, check out the following steps you can follow.
## Students
There are plenty of opportunities for students on campus to get involved with FOSS@MAGIC. Some of the following steps will help get you "bootstrapped" into the program.
### 1. Join our IRC channel.
IRC, or [Internet Relay Chat](https://en.wikipedia.org/wiki/Internet_Relay_Chat), is an online chat communication protocol. IRC "networks" are run by operators and anyone in the world can connect to a network. Once on a network, you can create or join a "channel" to talk with others about any topic you choose. The FOSS@MAGIC program has our own IRC channel on the [freenode](https://freenode.net/) IRC network, [#rit-foss](https://webchat.freenode.net/?channels=rit-foss). You can connect via webchat or you can connect with your favorite IRC client.
If you are not familiar with IRC, check out the [Beginner's Guide to IRC](https://fedoramagazine.org/beginners-guide-irc/) on the Fedora Magazine. Coming soon, we will have our own "IRC how-to" in this repository.
After idling for a while, you can request to have a [ZNC bouncer]() from [jflory7](https://github.com/jflory7) so you remain persistently connected to freenode and the channel (so you won't lose messages when you're logged out). For an overview of ZNC, read this [helpful article](https://fedoramagazine.org/never-leave-irc-znc/). To request one, send a private message to jflory7 on freenode with your contact info so he can reach out to you with more info.
### 2. Come to FOSShours.
Each week in the semester, there are planned "meetup" times where members of the FOSS community at RIT come together and meet. What we do in our weekly meetups varies. Some of us come to work on our independent studies or co-ops with professors in the program. Others come to talk about their tools, cool discoveries, and other things in the world of FOSS. Other people come to just work on homework and get help from others who might know more in the room.
At the end of the day, the community that meets is all about _sharing information_ and _meeting others_ who are also interested in FOSS, both on and off campus. If you have done work in open source, want to do work in open source, or just want to learn more about FOSS, you are welcome to attend!
Each semester, our meeting time may change. If you are unsure if the information in this repository is correct, please ask in the IRC channel.
#### Current meeting time
_Last updated for 2015-2016 academic year._
* *When*: Tuesdays and Thursdays, 4pm - 6pm
* *Where*: GOL-2500 (conference room next to WiC headquarters)
### 3. Find a project.
Whether it's one of the countless repositories on the [FOSSRIT organization](https://github.com/FOSSRIT) or it's your own personal project, try finding an open source project to work on. If you're looking for something to work on, scroll through the repositories in the organization or ask someone in the IRC channel if they have ideas of where to look. If you have your own project, don't be afraid to share it with others and ask for feedback.
## Faculty / Professors
Coming soon…
## Outside collaborators / "Friends of FOSS"
Coming soon…

inventory/group_vars/all.yml (+3 -0)

@ -0,0 +1,3 @@
---
target_user: jflory
user_home_dir: /home/jflory
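Review bot: `user_home_dir` restates the value already implied by `target_user`; defining it as `"/home/{{ target_user }}"` keeps the two from drifting when the account is changed. Also confirm that a single `target_user: jflory` is intended for every host: this is `group_vars/all.yml`, so the `[staging]` host `estrella` inherits the same account and home path as production.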

inventory/inventory (+0 -3)

@ -3,6 +3,3 @@ fossrit.jwf.io
[staging]
estrella
[wordpress-server]
fossrit

playbooks/group_vars/all (+0 -28)

@ -1,28 +0,0 @@
---
# Variables listed here are applicable to all host groups
wp_version: 4.6
wp_sha256sum: c1856cf969b1e73025ba2c681491908c3a4a6c5a2333f4531bf9bfb90f634380
# MySQL settings
mysqlservice: mysqld
mysql_port: 3306
# These are the WordPress database settings
wp_db_name: wordpress
wp_db_user: wordpress
wp_db_password: secret
# This is used for the nginx server configuration, but access to the
# WordPress site is not restricted by a named host.
nginx_port: 80
server_hostname: server.example.com
# Disable All Updates
# By default automatic updates are enabled, set this value to true to disable all automatic updates
auto_up_disable: false
#Define Core Update Level
# true = Development, minor, and major updates are all enabled
# false = Development, minor, and major updates are all disabled
# minor = Minor updates are enabled, development, and major updates are disabled
core_update_level: true
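Review bot: the removed file carried `wp_db_password: secret` in plaintext, and as the commit message notes the file remains in git history, so deleting it scrubs nothing; if that variable ever held a real value on a deployed host, treat it as exposed and rotate it. This is precisely the case the new `vault_password_file` setting is meant for: keep such values in `vault_`-prefixed variables in an `ansible-vault`-encrypted file and reference them from the plain variable. Note also that `wp_sha256sum` was defined here but, in the removed `roles/wordpress/tasks/main.yml`, the `unarchive` of `https://wordpress.org/latest.tar.gz` never checked it, so the pin was decorative.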

playbooks/wordpress-stack-install.yml (+0 -23)

@ -1,23 +0,0 @@
---
- name: install MariaDB, nginx, PHP-FPM, and WordPress
hosts: all
become: yes
roles:
- common-centos/7
- mariadb
- nginx
- php-fpm
- role: wordpress
# Disable All Updates
# By default automatic updates are enabled, set this value to true to
# disable all automatic updates
auto_up_disable: false
# Define Core Update Level
# true = Development, minor, and major updates are all enabled
# false = Development, minor, and major updates are all disabled
# minor = Minor updates are enabled, major updates are disabled
core_update_level: true
wp_db_name: wordpress-foss-magic
wp_db_password: 'What is a secure way to manage passwords in public infrastructure?'
wp_db_user: wordpress-admin

roles/base/centos-7/tasks/main.yml (+24 -0)

@ -0,0 +1,24 @@
---
- name: add EPEL and IUS repositories
package:
state: latest
name:
- epel-release
- https://centos7.iuscommunity.org/ius-release.rpm
- name: install base packages
package:
state: latest
name:
- https://repos.influxdata.com/centos/7Server/x86_64/stable/telegraf-1.8.0-1.x86_64.rpm
- certbot
- duply
- git
- htop
- python36u
- python36u-pip
- name: enable SELinux
selinux:
policy: targeted
state: enforcing
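Review bot: `state: latest` is paired with a URL that pins telegraf to `1.8.0-1`, so the task can never move to a newer build and just re-fetches the same RPM on every run; either add the InfluxData yum repository and install `telegraf` by name, or keep the pinned URL with `state: present`. The same applies to `ius-release.rpm`. Packages given by URL are also not GPG-verified by yum unless `localpkg_gpgcheck=1`, so the download is trusted on TLS alone. Separately, the removed `roles/common-centos/7/tasks/main.yml` installed and enabled firewalld and this replacement role does not, so a freshly provisioned host ends up with no host firewall; carry those two tasks over. Last, `selinux` with `state: enforcing` only fully takes effect after a reboot on a host that is currently `disabled`; the module reports `reboot_required`, which is worth handling or at least documenting.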

roles/common-centos/7/tasks/main.yml (+0 -18)

@ -1,18 +0,0 @@
---
- name: install EPEL and IUS repositories
package:
state: latest
name:
- epel-release
- https://centos7.iuscommunity.org/ius-release.rpm
- name: install firewalld
package:
name: firewalld
state: present
- name: start and enable firewalld service
service:
name: firewalld
state: started
enabled: yes

roles/mariadb/handlers/main.yml (+0 -5)

@ -1,5 +0,0 @@
---
# Handler to handle DB tier notifications
- name: restart mariadb
service: name=mariadb state=restarted

roles/mariadb/tasks/main.yml (+0 -42)

@ -1,42 +0,0 @@
---
# This playbook will install MariaDB and create db user and give permissions.
- name: remove older versions of conflicting packages
package:
state: absent
name:
- mariadb-libs
- name: install MariaDB
package:
state: present
name:
- mariadb101u-server
- name: copy MySQL configuration file
template:
src: my.cnf.j2
dest: /etc/my.cnf
notify:
- restart mariadb
- name: create MariaDB log file
file:
path: /var/log/mysqld.log
state: touch
owner: mysql
group: mysql
mode: 0644
- name: start and enable MariaDB service
service:
name: mariadb
state: started
enabled: yes
- name: add MariaDB firewalld rule
firewalld:
service: mysql
state: enabled
immediate: yes
permanent: true
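Review bot: deleting the role does not undo what it already did on provisioned hosts. The `firewalld` task opened the `mysql` service permanently, so any server built from the old playbook still exposes port 3306 to the network even though WordPress only ever connected over `localhost`. A one-off cleanup play with `firewalld: service=mysql state=disabled permanent=true immediate=yes` (or a note in the commit) would close that gap.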

roles/mariadb/templates/my.cnf.j2 (+0 -10)

@ -1,10 +0,0 @@
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
[mysqld_safe]
log-error=/var/log/mariadb/mariadb.log
pid-file=/var/run/mariadb/mariadb.pid

roles/nginx/handlers/main.yml (+0 -3)

@ -1,3 +0,0 @@
---
- name: restart nginx
service: name=nginx state=restarted enabled=yes

roles/nginx/tasks/main.yml (+0 -36)

@ -1,36 +0,0 @@
---
- name: install nginx
package:
name: nginx
state: present
- name: create directory for global configurations
file:
state: directory
path: /etc/nginx/global
- name: copy global nginx configurations
template: src={{ item }} dest=/etc/nginx/global/{{ item }}
notify: restart nginx
with_items:
- restrictions.conf
- wordpress.conf
- name: copy WordPress nginx configuration
template:
src: fossrit.jwf.io.conf
dest: /etc/nginx/conf.d/fossrit.jwf.io.conf
- name: insert firewalld rule for nginx
firewalld:
service: https
permanent: true
state: enabled
immediate: yes
ignore_errors: yes
- name: start and enable nginx service
service:
name: nginx
state: started
enabled: yes

roles/nginx/templates/fossrit.jwf.io.conf (+0 -25)

@ -1,25 +0,0 @@
# Redirect everything to the main site. We use a separate server statement and NOT an if statement.
# See: http://wiki.nginx.org/IfIsEvil
# https://codex.wordpress.org/Nginx
# Upstream to abstract backend connection(s) for php
upstream php {
server unix:/var/run/php-fpm/wordpress.sock;
server 127.0.0.1:9000;
}
server {
server_name _;
return 302 $scheme://fossrit.jwf.io$request_uri;
}
server {
server_name fossrit.jwf.io;
root /var/www/wordpress;
include global/restrictions.conf;
include global/wordpress.conf;
}

roles/nginx/templates/restrictions.conf (+0 -23)

@ -1,23 +0,0 @@
# Global restrictions configuration file.
# https://codex.wordpress.org/Nginx
# Designed to be included in any server {} block.
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}

roles/nginx/templates/wordpress.conf (+0 -44)

@ -1,44 +0,0 @@
# WordPress single site rules.
# https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/
# Designed to be included in any server {} block.
index index.php;
location / {
# This is cool because no php is touched for static content.
# include the "?$args" part so non-default permalinks don't break with query string
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
include fastcgi_params;
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_pass php;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory for the single site
location ~ ^/wp-content/uploads/.*\.php$ {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}

roles/php-fpm/handlers/main.yml (+0 -3)

@ -1,3 +0,0 @@
---
- name: restart php-fpm
service: name=php-fpm state=restarted

roles/php-fpm/tasks/main.yml (+0 -22)

@ -1,22 +0,0 @@
---
- name: install php-fpm
package:
name:
- php72u-dba
- php72u-fpm
- php72u-mbstring
- php72u-process
- php72u-xml
state: present
- name: disable default pool
command: mv /etc/php-fpm.d/www.conf /etc/php-fpm.d/www.disabled
args:
creates: /etc/php-fpm.d/www.disabled
notify: restart php-fpm
- name: copy php-fpm configuration
template:
src: wordpress.conf
dest: /etc/php-fpm.d/
notify: restart php-fpm

roles/php-fpm/templates/wordpress.conf (+0 -15)

@ -1,15 +0,0 @@
[wordpress]
listen = /var/run/php-fpm/wordpress.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = wordpress
group = wordpress
pm = dynamic
pm.max_children = 10
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 500
chdir = /var/www/wordpress
php_admin_value[open_basedir] = /var/www/wordpress:/tmp

roles/wordpress/tasks/main.yml (+0 -85)

@ -1,85 +0,0 @@
---
- name: install dependencies and SELinux tools
package:
state: present
name:
- MySQL-python
- libselinux-python
- policycoreutils-python
- name: create web server directory
file:
state: directory
path: /var/www
- name: download and extract archive
unarchive:
creates: /var/www/wordpress/
dest: /var/www/
remote_src: yes
src: https://wordpress.org/latest.tar.gz
- name: add group "wordpress"
group:
name: wordpress
- name: add user "wordpress"
user:
name: wordpress
group: wordpress
home: /var/www/wordpress/
- name: register random salts for WordPress config
register: wp_salt
uri:
return_content: yes
url: https://api.wordpress.org/secret-key/1.1/salt/
- name: create WordPress database
mysql_db: name={{ wp_db_name }} state=present
- name: create WordPress database user
mysql_user: name={{ wp_db_user }} password={{ wp_db_password }} priv={{ wp_db_name }}.*:ALL host='localhost' state=present
- name: copy WordPress config file
template:
src: wp-config.php
dest: /var/www/wordpress/
- name: change ownership of WordPress installation
file:
path: /var/www/wordpress/
owner: wordpress
group: wordpress
state: directory
recurse: yes
- name: set SELinux policy for Wordpress directory
command: semanage fcontext -a -t httpd_sys_content_t "/var/www/wordpress(/.*)?"
- name: set SELinux policy for wp-config.php
command: semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/wordpress/wp-config\.php"
- name: set SELinux policy for wp-content directory
command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/wordpress/wp-content(/.*)?"
- name: set SELinux policy for PHP files
command: semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/wordpress/.*\.php"
- name: set SELinux policy for upgrade/ directory
command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/wordpress/wp-content/upgrade(/.*)?"
- name: set SELinux policy for uploads/ directory
command: semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/wordpress/wp-content/uploads(/.*)?"
- name: set SELinux policy for wp-includes PHP files
command: semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/wordpress/wp-includes/.*\.php"
- name: set SELinux on all files
command: restorecon -Rv /var/www/wordpress
- name: start php-fpm service
service:
name: php-fpm
state: started
enabled: yes
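Review bot: same concern as for the mariadb role: the `semanage fcontext` rules, the `wordpress` user and group, and the `/var/www/wordpress` tree stay behind on previously provisioned hosts. If the WordPress host is being decommissioned rather than merely dropped from the repo, a cleanup play should run `semanage fcontext -d` for each of those paths, remove the user, and remove the tree. For the record, should these tasks ever be revived: the `command: semanage` tasks had no `changed_when` or `creates`, so they reported changed on every run, and the `unarchive` from `latest.tar.gz` set `creates:` but verified no checksum.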

roles/wordpress/templates/wp-config.php (+0 -90)

@ -1,90 +0,0 @@
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information
* by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
* wp-config.php} Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', '{{ wp_db_name }}');
/** MySQL database username */
define('DB_USER', '{{ wp_db_user }}');
/** MySQL database password */
define('DB_PASSWORD', '{{ wp_db_password }}');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
{{ wp_salt['content'] }}
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* WordPress Localized Language, defaults to English.
*
* Change this to localize WordPress. A corresponding MO file for the chosen
* language must be installed to wp-content/languages. For example, install
* de_DE.mo to wp-content/languages and set WPLANG to 'de_DE' to enable German
* language support.
*/
define('WPLANG', '');
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);
/** Disable Automatic Updates Completely */
define( 'AUTOMATIC_UPDATER_DISABLED', {{auto_up_disable}} );
/** Define AUTOMATIC Updates for Components. */
define( 'WP_AUTO_UPDATE_CORE', {{core_update_level}} );
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
