diff --git a/doc/role-doc/wordpress.md b/doc/role-doc/wordpress.md
index d8f50a9..29f1ab9 100644
--- a/doc/role-doc/wordpress.md
+++ b/doc/role-doc/wordpress.md
@@ -44,19 +44,33 @@ Fill this information and click the "Install Wordpress" button. Wordpress will create its database tables and then let you sign in with the username and password you just entered. +## Changing the location from which wordpress is served + +By default, Caislean serves wordpress from a subdirectory of the website for +your server, which is installed by the `nginx` role. This can be changed using +the optional parameters described below. The possibilities are: + +- `https://server_name.domain_name/wordpress/` <- default +- `https://server_name.domain_name/wordpress_subdirectory/` +- `https://server_name.domain_name/` +- `https://wordpress_domain_name/wordpress` +- `https://wordpress_domain_name/wordpress_subdirectory` +- `https://wordpress_domain_name/` + +See the section on optional parameters for an explanation of the variables in +the examples above and how they interrelate. + ## Allowing LDAP users into Wordpress -If you wish to allow the LDAP users to log into Wordpress, you can use the -[wpDirAuth](https://wordpress.org/plugins/wpdirauth/) plugin. This requires the -php5-ldap package to be installed, which you can specify by setting the -optional `wordpress_ldap_auth` parameter. To configure Wordpress to use LDAP -authentication: - -- move into the Plugin section and click "Add new" -- search for _wpDirAuth_ and click "Install now" -- once the plugin is installed, go to the "Directory Auth." submenu in the - Settings menu -- configure the plugin as follows: +If you wish to allow the LDAP users to log into Wordpress, you must install the +php5-ldap package for the OS, and the +[wpDirAuth](https://wordpress.org/plugins/wpdirauth/) plugin for wordpress. You +can install both by setting the optional `wordpress_ldap_auth` parameter. To +configure Wordpress to use LDAP authentication: + +- Move into the Plugin section and click "activate" for the wpDirAuth plugin. +- Go to the "Directory Auth." 
submenu in the Settings menu +- Configure the plugin as follows: - select "Yes" to "Enable Directory Authentication" - select "Yes" to "Automatically Register Authenticated Users" - input `localhost` in "Directory Servers" 
@@ -98,9 +112,71 @@ Password for the `wordpress` MySQL user used by Wordpress. ## Optional parameters +### `wordpress_subdirectory` + +Tells Caislean whether to configure wordpress for installation in the document +root of its domain or as a subdirectory. This is the difference between the +wordpress blog appearing at `https://server_name.domain_name` (document root) +and `https://server_name.domain_name/wordpress/` (subdirectory = `wordpress`). + +Default value: `true`. Set to `false` to serve from the document root. + +### `wordpress_install_path` + +Tells Caislean where to install wordpress. + +Default value: `wordpress` (suitable for a subdirectory installation - see the +`wordpress_subdirectory` parameter. + +With `wordpress_subdirectory = true`, set this optional parameter to some other +string to have that be the subdirectory from which wordpress is served. For +example setting `wordpress_install_path = blog` will cause wordpress to be +served from `https://server_name.domain_name/blog` + +With `wordpress_subdirectory = false`, this parameter should be set to match +the `wordpress_domain_name` parameter. This can be done with +`wordpress_subdirectory = "{{ wordpress_domain_name }}"`. + +### `wordpress_domain_name` + +Tells Caislean the domain name from which wordpress will be served. + +Default value: `"{{ server_name }}.{{ domain_name }}"`. + +Changing this value will install a new nginx virtual server for the specified +domain. You should ensure this domain name resolves to your server. You should +also adjust the `tls` role, and the `letsencrypt` role if in use, to include +this domain in your TLS certificates. + ### `wordpress_ldap_auth` -Tells Caislean whether to install the php5-ldap package, which is required for -Wordpress authentication against LDAP to work. +Tells Caislean whether to install the php5-ldap package and wpDirAuth wordpress +plugin, which ae required for Wordpress authentication against LDAP to work. 
+LDAP authentication depends on the `ldap` role. + +Default value: `false`. Set to `true` to enable this option. + +### `wordpress_network` + +Tells Caislean to enable the installation of wordpress as a network. See the +[wordpress documentation](http://codex.wordpress.org/Create_A_Network) for more +information. Specifically, enabling this option will complete step 2, "Allow +Multisite". Further manual configuration must be completed by following the +rest of the instructions on that page. + +Setting this option also installs the [wordpress domain-mapping +plugin](https://wordpress.org/plugins/wordpress-mu-domain-mapping/), however +this will not be available until the following line is added to the +`wp-config.php` file, which can be found in the `wordpress_install_path` +directory. + +`define( 'SUNRISE', 'on' );` + +This line must be added above the following comment in that file: + +`/* That's all, stop editing! Happy blogging. */` + +More information can be found in the [plugin installation +instructions](https://wordpress.org/plugins/wordpress-mu-domain-mapping/installation/). Default value: `false`. Set to `true` to enable this option. diff --git a/roles/wordpress/defaults/main.yml b/roles/wordpress/defaults/main.yml new file mode 100644 index 0000000..0c82964 --- /dev/null +++ b/roles/wordpress/defaults/main.yml @@ -0,0 +1,7 @@ +--- + +wordpress_subdirectory: true +wordpress_install_path: wordpress +wordpress_domain_name: "{{ server_name }}.{{ domain_name }}" +wordpress_network: false +wordpress_ldap_auth: false diff --git a/roles/wordpress/handlers/main.yml b/roles/wordpress/handlers/main.yml new file mode 100644 index 0000000..9f4efa2 --- /dev/null +++ b/roles/wordpress/handlers/main.yml @@ -0,0 +1,7 @@ +--- + +- name: restart php5-fpm + service: name=php5-fpm state=restarted + +- name: restart nginx + service: name=nginx state=restarted 
diff --git a/roles/wordpress/tasks/install-wordpress.yml b/roles/wordpress/tasks/install-wordpress.yml
new file mode 100644
index 0000000..e2af60b
--- /dev/null
+++ b/roles/wordpress/tasks/install-wordpress.yml
@@ -0,0 +1,98 @@ +- name: Download Wordpress + get_url: + url: https://wordpress.org/wordpress-4.4.2.tar.gz + dest: /root/wordpress-4.4.2.tar.gz + sha256sum: c8a74c0f7cfc0d19989d235759e70cebd90f42aa0513bd9bc344230b0f79e08b + tags: wordpress + +- name: Extract Wordpress archive + unarchive: + copy: no + src: /root/wordpress-4.4.2.tar.gz + dest: /root/ + creates: /root/wordpress + owner: wordpress + group: wordpress + tags: wordpress + +- name: Remove useless Wordpress files + file: + path: "/root/wordpress/{{item}}" + state: absent + with_items: + - readme.html + - license.txt + tags: wordpress + +- name: Install wp-keys.php + template: + src: wp-keys.php.j2 + dest: /root/wordpress/wp-keys.php + owner: wordpress + group: wordpress + mode: 0640 + force: no + tags: wordpress + +- name: Install wp-config.php + template: + src: wp-config.php.j2 + dest: /root/wordpress/wp-config.php + owner: wordpress + group: wordpress + mode: 0640 + tags: wordpress + +- name: Configure wordpress in network mode + include: wordpress-network.yml + when: "{{ wordpress_network }} == true" + +- name: Configure wordpress to use LDAP authentication + include: wordpress-ldap.yml + when: "{{ wordpress_ldap_auth }} == true" + +- name: Ensure correct ownership of Wordpress files + file: + path: /root/wordpress + state: directory + owner: wordpress + group: wordpress + recurse: yes + tags: wordpress + +- name: Ensure writeability of plugin and theme directories + file: + path: "/root/wordpress/wp-content" + state: directory + mode: 'u=rwX,g=rX,o=rX' + recurse: yes + tags: wordpress + +- name: Move wordpress to subdirectory of /var/www/ + command: "mv /root/wordpress /var/www/{{ wordpress_install_path }}" + args: + creates: "/var/www/{{ wordpress_install_path }}" + when: "{{ wordpress_subdirectory }} == true" + tags: wordpress + +- block: + + - name: Ensure document root exists & is owned by wordpress user + file: + path: "/var/www/{{ wordpress_domain_name }}" + state: directory + group: wordpress 
+ owner: wordpress + mode: 0755 + recurse: no + + - name: Move wordpress files inside document root + shell: mv /root/wordpress/* /var/www/{{ wordpress_domain_name }} creates=/var/www/{{ wordpress_domain_name }}/wp-keys.php + + - name: Remove wordpress 'build' directory + file: + path: /root/wordpress + state: absent + + when: "{{ wordpress_subdirectory }} == false" + tags: wordpress diff --git a/roles/wordpress/tasks/main.yml b/roles/wordpress/tasks/main.yml index 2339d19..66b14f2 100644 --- a/roles/wordpress/tasks/main.yml +++ b/roles/wordpress/tasks/main.yml 
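Review bot: The subdirectory branch never removes the `/root/wordpress` build tree, so on every run after the first the `unarchive` task (whose `creates: /root/wordpress` no longer holds once the tree has been moved) re-extracts the tarball and `wp-keys.php`/`wp-config.php` are re-rendered into `/root/wordpress`, while the `mv` task is skipped by its own `creates:`; the result is a stale second copy of `wp-config.php` (presumably holding the database credentials) left under `/root`, and template changes that never reach the live site. The document-root block does delete the build directory, but has the same propagation problem because its `shell: mv … creates=…/wp-keys.php` is skipped as well. Consider rendering the templates straight into the final location, or adding a `file: path=/root/wordpress state=absent` task to the subdirectory branch and keying the extract/move tasks' `creates:` on the live path. The `when: "{{ wordpress_network }} == true"` conditionals on the `include` tasks put bare Jinja inside `when`, which is already templated; `when: wordpress_network` is the idiomatic form, and the same applies to the other `when:` lines in this file and in `tasks/main.yml`.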
@@ -1,86 +1,73 @@ -- name: Install php5-ldap (for WP auth using openldap) - apt: pkg=php5-ldap state=installed - when: "{{ wordpress_ldap_auth | default(false) }} == true" - tags: - - wordpress - -- name: Download Wordpress - get_url: url=https://wordpress.org/wordpress-4.2.2.tar.gz dest=/root/wordpress-4.2.2.tar.gz sha256sum=3c4e2cc3af289366ff5352e35c3f80fca2dcaed3d56a79f33b25374c356c3f90 - tags: - - wordpress - - name: Create wordpress group group: name=wordpress state=present - tags: - - wordpress + tags: wordpress - name: Create wordpress user - user: name=wordpress group=wordpress state=present shell="/bin/false" home=/var/www/wordpress createhome=no - tags: - - wordpress - -- name: Extract Wordpress archive - unarchive: copy=no src=/root/wordpress-4.2.2.tar.gz dest=/var/www/ creates=/var/www/wordpress owner=wordpress group=wordpress - tags: - - wordpress - -- name: Remove useless files in /var/www/wordpress - file: path=/var/www/wordpress/{{item}} state=absent - with_items: - - readme.html - - license.txt - tags: - - wordpress + user: + name: wordpress + group: wordpress + state: present + shell: "/bin/false" + home: /var/www/wordpress + createhome: no + tags: wordpress -- name: Ensure correct ownership in /var/www/wordpress - file: path=/var/www/wordpress state=directory owner=wordpress group=wordpress recurse=yes - tags: - - wordpress - -- name: Ensure writability of some Wordpress subdirectories - file: path=/var/www/wordpress/{{item}} state=directory owner=wordpress group=wordpress mode=0775 - with_items: - - wp-content - - wp-content/themes - tags: - - wordpress +- name: Install wordpress + include: install-wordpress.yml + tags: wordpress - name: Create wordpress database - mysql_db: login_user=root login_password={{ mysql_root_password }} name=wordpress state=present - tags: - - wordpress + mysql_db: + login_user: root + login_password: "{{ mysql_root_password }}" + name: wordpress + state: present + tags: wordpress - name: Create wordpress MySQL user 
and grant access to database - mysql_user: login_user=root login_password={{ mysql_root_password }} name=wordpress state=present password={{ wordpress_mysql_password }} priv=wordpress.*:ALL - tags: - - wordpress - -- name: Install wp-keys.php - template: src=wp-keys.php.j2 dest=/var/www/wordpress/wp-keys.php owner=wordpress group=wordpress mode=0640 force=no - tags: - - wordpress - -- name: Install wp-config.php - template: src=wp-config.php.j2 dest=/var/www/wordpress/wp-config.php owner=wordpress group=wordpress mode=0640 - tags: - - wordpress + mysql_user: + login_user: root + login_password: "{{ mysql_root_password }}" + name: wordpress + state: present + password: "{{ wordpress_mysql_password }}" + priv: wordpress.*:ALL + tags: wordpress - name: Install php-fpm Wordpress configuration file - copy: src=etc/php5/fpm/pool.d/wordpress.conf dest=/etc/php5/fpm/pool.d/wordpress.conf owner=root group=root mode=0644 + template: + src: php5-fpm-wordpress.conf.j2 + dest: /etc/php5/fpm/pool.d/wordpress.conf + owner: root + group: root + mode: 0644 + tags: wordpress notify: - restart php5-fpm - tags: - - wordpress - name: Create PHP session directory for wordpress - file: path=/var/lib/phpsession/wordpress state=directory owner=wordpress group=wordpress mode=0700 recurse=no - tags: - - wordpress + file: + path: /var/lib/phpsession/wordpress + state: directory + owner: wordpress + group: wordpress + mode: 0700 + recurse: no + tags: wordpress -- name: Install nginx configuration part for wordpress - template: src=nginx-wordpress.inc.j2 dest=/etc/nginx/includes/{{ server_name }}.{{ domain_name}}/wordpress owner=root group=root mode=0644 +- name: Install nginx config part for wordpress installed in a subdirectory + template: + src: nginx-wordpress-subdirectory.inc.j2 + dest: "/etc/nginx/includes/{{ wordpress_domain_name }}/wordpress" + owner: root + group: root + mode: 0644 + when: "{{ wordpress_subdirectory }} == true" + tags: wordpress notify: - restart nginx - tags: - - 
wordpress +- name: Install nginx config for wordpress installed in the document root + include: wordpress-in-document-root.yml + when: "{{ wordpress_subdirectory }} == false" + tags: wordpress diff --git a/roles/wordpress/tasks/wordpress-in-document-root.yml b/roles/wordpress/tasks/wordpress-in-document-root.yml new file mode 100644 index 0000000..c134952 --- /dev/null +++ b/roles/wordpress/tasks/wordpress-in-document-root.yml @@ -0,0 +1,42 @@ +- name: Install nginx virtual server configuration for wordpress_domain_name + template: + src: nginx-wordpress-documentroot-vhost.j2 + dest: "/etc/nginx/sites-available/{{ wordpress_domain_name }}" + group: root + owner: root + mode: 0644 + force: no + tags: wordpress + notify: + - restart nginx + +- name: Create domain-specific directory in /etc/nginx/includes + file: + path: "/etc/nginx/includes/{{ wordpress_domain_name }}" + recurse: no + state: directory + owner: root + group: root + mode: 0755 + force: yes + tags: wordpress + +- name: Install nginx configuration part for wordpress + template: + src: nginx-wordpress-documentroot.inc.j2 + dest: "/etc/nginx/includes/{{ wordpress_domain_name }}/wordpress" + owner: root + group: root + mode: 0644 + tags: wordpress + notify: + - restart nginx + +- name: Enable wordpress_domain_name virtual server + file: + path: "/etc/nginx/sites-enabled/{{ wordpress_domain_name }}" + state: link + src: "/etc/nginx/sites-available/{{ wordpress_domain_name }}" + tags: wordpress + notify: + - restart nginx diff --git a/roles/wordpress/tasks/wordpress-ldap.yml b/roles/wordpress/tasks/wordpress-ldap.yml new file mode 100644 index 0000000..20c7304 --- /dev/null +++ b/roles/wordpress/tasks/wordpress-ldap.yml 
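Review bot: The subdirectory-mode nginx task writes to `/etc/nginx/includes/{{ wordpress_domain_name }}/wordpress`, but nothing in this file creates that directory or a virtual server for `wordpress_domain_name`; those tasks live only in `wordpress-in-document-root.yml`, which is included when `wordpress_subdirectory` is false. Unless the `nginx` role creates them, the combination of a non-default `wordpress_domain_name` with the default `wordpress_subdirectory: true` — a layout the documentation in this commit lists as supported — would fail at the template task or serve nothing. Either reuse the vhost and includes-directory tasks for the subdirectory case, or document that `wordpress_domain_name` only takes effect when `wordpress_subdirectory` is false. The `wordpress` user also keeps `home: /var/www/wordpress` while the install location is now variable, so `home: "/var/www/{{ wordpress_install_path }}"` (or a comment saying the home is deliberately fixed) would keep the two consistent.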
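Review bot: The vhost template is installed with `force: no`, so later changes to `nginx-wordpress-documentroot-vhost.j2` never reach an existing `/etc/nginx/sites-available/{{ wordpress_domain_name }}`; if the intent is to let the admin edit that file by hand, a comment such as `# force: no — the vhost is a one-shot default the admin may customise` should say so, otherwise drop `force: no` as the include-part task below does. `force: yes` on the `file` task that creates the includes directory has no effect for `state: directory` and can be removed. The includes directory is created after the vhost that globs it, which only works because nginx is restarted by the handler at the end of the play; a one-line comment would make that ordering dependency explicit.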
@@ -0,0 +1,22 @@ +- name: Install required packages + apt: + pkg: php5-ldap + state: installed + tags: wordpress-ldap + +- name: Download ldap-auth plugin + get_url: + url: https://downloads.wordpress.org/plugin/wpdirauth.1.7.11.zip + dest: /root/wpdirauth.1.7.11.zip + sha256sum: cc143889a440b60e39790dd8c6ec52f63bb1f4fa2e6dc16c44027b2bdee6c71a + tags: wordpress + +- name: Extract ldap-auth plugin archive + unarchive: + copy: no + src: /root/wpdirauth.1.7.11.zip + dest: /root/wordpress/wp-content/plugins + creates: /root/wordpress/wp-content/plugins/wpdirauth + owner: wordpress + group: wordpress + tags: wordpress diff --git a/roles/wordpress/tasks/wordpress-network.yml b/roles/wordpress/tasks/wordpress-network.yml new file mode 100644 index 0000000..652eea7 --- /dev/null +++ b/roles/wordpress/tasks/wordpress-network.yml @@ -0,0 +1,29 @@ +- name: Download domain-mapping plugin + get_url: + url: https://downloads.wordpress.org/plugin/wordpress-mu-domain-mapping.0.5.5.1.zip + dest: /root/wordpress-mu-domain-mapping.0.5.5.1.zip + sha256sum: c1fc04a52fdda12521b7c46d380c483ac648cb06df85e89a10890f4d9b954fdd + tags: wp-network + +- name: Extract domain-mapping plugin archive + unarchive: + copy: no + src: /root/wordpress-mu-domain-mapping.0.5.5.1.zip + dest: /root/wordpress/wp-content/plugins + creates: /root/wordpress/wp-content/plugins/wordpress-mu-domain-mapping + owner: wordpress + group: wordpress + tags: wp-network + +- name: Configure wordpress-mu-domain-mapping plugin + command: "mv /root/wordpress/wp-content/plugins/wordpress-mu-domain-mapping/sunrise.php /root/wordpress/wp-content/" + args: + creates: /root/wordpress/wp-content/sunrise.php + tags: wp-network + +- name: Enable wordpress network-mode in config file + lineinfile: "dest=/root/wordpress/wp-config.php state=present insertbefore='stop editing' line={{ item }}" + with_items: + - "/* Multisite */" + - "define( \'WP_ALLOW_MULTISITE\', true );\n" + tags: wp-network 
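Review bot: The `apt` task that installs php5-ldap is tagged `wordpress-ldap` while the two plugin tasks are tagged `wordpress`, so a run limited with `--tags wordpress` extracts the plugin but skips the PHP extension it depends on; use `tags: wordpress` on all three (or tag all three with both). The plugin is unpacked into `/root/wordpress/wp-content/plugins`, i.e. the build tree, so it only reaches the live site on the run where that tree is moved into `/var/www`. Pinning the zip by `sha256sum` is good; a comment recording the plugin version and where the hash was taken from would make the next bump easier to verify.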
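Review bot: The `lineinfile` task uses the key=value string form with `line={{ item }}`, and both items contain spaces and quotes, so once templated the argument string is split on whitespace (`line=/*` with `Multisite` and `*/` left as stray tokens) and the intended lines are unlikely to be written as written here; use the dictionary form, `lineinfile:` with `dest: /root/wordpress/wp-config.php`, `insertbefore: 'stop editing'` and `line: "{{ item }}"`. The second item, `"define( \'WP_ALLOW_MULTISITE\', true );\n"`, contains `\'` inside a YAML double-quoted scalar, which is not a valid YAML escape and is rejected by PyYAML; a plain `'` needs no escaping there. The tasks are tagged `wp-network` whereas the rest of the role uses `wordpress`, so `--tags wordpress` skips them.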
diff --git a/roles/wordpress/templates/nginx-wordpress-documentroot-vhost.j2 b/roles/wordpress/templates/nginx-wordpress-documentroot-vhost.j2 new file mode 100644 index 0000000..1640900 --- /dev/null +++ b/roles/wordpress/templates/nginx-wordpress-documentroot-vhost.j2 @@ -0,0 +1,19 @@ +server { + listen 80; + listen [::]:80; + listen 443 ssl; + listen [::]:443 ssl; + + server_name {{ wordpress_domain_name }}; + + expires -1; + + if ($request_method !~ ^(GET|HEAD|POST)$ ) + { + return 405; + } + + root /var/www/{{ wordpress_domain_name }}; + + include /etc/nginx/includes/{{ wordpress_domain_name }}/*; +} diff --git a/roles/wordpress/templates/nginx-wordpress-documentroot.inc.j2 b/roles/wordpress/templates/nginx-wordpress-documentroot.inc.j2 new file mode 100644 index 0000000..ae7993c --- /dev/null +++ b/roles/wordpress/templates/nginx-wordpress-documentroot.inc.j2 @@ -0,0 +1,41 @@ +location / { + index index.php; + try_files $uri $uri/ /index.php?$args; + client_max_body_size 100M; + # Add trailing slash to */wp-admin requests. + + rewrite /wp-admin$ $scheme://$host$uri/ permanent; + location /wp-admin/includes/ { + + return 403; + } + + location /wp-includes/theme-compat/ { + return 403; + } + + location ~ ^(.+?\.php)(/.*)?$ { + try_files $1 =404; + fastcgi_pass unix:/var/run/php5-fpm/wordpress.sock; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; + fastcgi_param PATH_INFO $2; + fastcgi_param SCRIPT_NAME $1; + fastcgi_param HTTPS on; + fastcgi_intercept_errors on; + + location ~ ^/wp-includes/[^/]+\.php$ { + return 403; + } + location ~ ^/wp-includes/js/tinymce/langs/.+\.php { + return 403; + } + } + + location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { + expires 30d; + access_log off; + log_not_found off; + } +} 
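Review bot: The server block listens on port 80 as well as 443 but has no redirect, so the whole blog, including `wp-login.php` and `wp-admin`, is reachable over plain HTTP while the include unconditionally sets `fastcgi_param HTTPS on`, making PHP treat every request as TLS; a separate port-80 server that does `return 301 https://$host$request_uri;` (or a comment stating why plain HTTP is deliberately kept) would close that gap. No `ssl_certificate`/`ssl_certificate_key` appear in the block, so `listen 443 ssl` relies on them being set at http level by the `tls` role — worth a one-line comment, since the docs already tell users to extend the `tls` and `letsencrypt` roles for this domain.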
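Review bot: The include denies direct PHP under `wp-includes/` but nothing covers `wp-content/uploads/`, the directory WordPress writes user-uploaded files to; a `location ~* ^/wp-content/uploads/.*\.php$ { return 403; }` placed inside `location /` before the generic `~ ^(.+?\.php)(/.*)?$` handler is the usual complement to these rules, and the same gap exists in `nginx-wordpress-subdirectory.inc.j2`. The `# Add trailing slash` comment is separated from the `rewrite` it describes by a blank line, and `location /wp-admin/includes/` has a stray blank before `return 403;`; matching the layout of the subdirectory template keeps the two files diffable. A short comment that the `wp-includes` rules are nested inside the PHP location so they win over the generic handler would save the next reader a trip through nginx's location-matching order.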
diff --git a/roles/wordpress/templates/nginx-wordpress-subdirectory.inc.j2 b/roles/wordpress/templates/nginx-wordpress-subdirectory.inc.j2 new file mode 100644 index 0000000..1e4e812 --- /dev/null +++ b/roles/wordpress/templates/nginx-wordpress-subdirectory.inc.j2 @@ -0,0 +1,42 @@ +location /{{ wordpress_install_path }} { + alias /var/www/{{ wordpress_install_path }}; + index index.php; + try_files $uri $uri/ /index.php?$args; + client_max_body_size 100M; + + # Add trailing slash to */wp-admin requests. + rewrite /wp-admin$ $scheme://$host$uri/ permanent; + + location /{{ wordpress_install_path }}/wp-admin/includes/ { + return 403; + } + + location /{{ wordpress_install_path }}/wp-includes/theme-compat/ { + return 403; + } + + location ~ ^/{{ wordpress_install_path }}(.+?\.php)(/.*)?$ { + try_files $1 =404; + fastcgi_pass unix:/var/run/php5-fpm/wordpress.sock; + fastcgi_index index.php; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$1; + fastcgi_param PATH_INFO $2; + fastcgi_param SCRIPT_NAME /{{ wordpress_install_path }}$1; + fastcgi_param HTTPS on; + fastcgi_intercept_errors on; + + location ~ ^/{{ wordpress_install_path }}/wp-includes/[^/]+\.php$ { + return 403; + } + location ~ ^/{{ wordpress_install_path }}/wp-includes/js/tinymce/langs/.+\.php { + return 403; + } + } + + location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { + expires 30d; + access_log off; + log_not_found off; + } +} diff --git a/roles/wordpress/templates/nginx-wordpress.inc.j2 b/roles/wordpress/templates/nginx-wordpress.inc.j2 deleted file mode 100644 index 30cdaf0..0000000 --- a/roles/wordpress/templates/nginx-wordpress.inc.j2 +++ /dev/null 
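Review bot: `wordpress_install_path` is interpolated unescaped into `location ~ ^/{{ wordpress_install_path }}(.+?\.php)(/.*)?$` and the two nested regex locations, so a value containing regex metacharacters or a `/` silently changes or breaks the pattern, and the documentation only says "some other string". Either escape it (Jinja's `regex_escape` filter, if the Ansible version in use provides it) or document that the value must be a single plain path segment. The prefix `location /{{ wordpress_install_path }}` is unanchored, so `blog` also matches `/blogger`; this was already true of the hard-coded `/wordpress` it replaces and may be intended, but a comment would make that explicit.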
@@ -1,42 +0,0 @@ -location /wordpress { - alias /var/www/wordpress; - index index.php; - try_files $uri $uri/ /index.php?$args; - client_max_body_size 100M; - - # Add trailing slash to */wp-admin requests. - rewrite /wp-admin$ $scheme://$host$uri/ permanent; - - location /wordpress/wp-admin/includes/ { - return 403; - } - - location /wordpress/wp-includes/theme-compat/ { - return 403; - } - - location ~ ^/wordpress(.+?\.php)(/.*)?$ { - try_files $1 =404; - fastcgi_pass unix:/var/run/php5-fpm/wordpress.sock; - fastcgi_index index.php; - include /etc/nginx/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$1; - fastcgi_param PATH_INFO $2; - fastcgi_param SCRIPT_NAME /wordpress$1; - fastcgi_param HTTPS on; - fastcgi_intercept_errors on; - - location ~ ^/wordpress/wp-includes/[^/]+\.php$ { - return 403; - } - location ~ ^/wordpress/wp-includes/js/tinymce/langs/.+\.php { - return 403; - } - } - - location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { - expires 30d; - access_log off; - log_not_found off; - } -} diff --git a/roles/wordpress/files/etc/php5/fpm/pool.d/wordpress.conf b/roles/wordpress/templates/php5-fpm-wordpress.conf.j2 similarity index 77% rename from roles/wordpress/files/etc/php5/fpm/pool.d/wordpress.conf rename to roles/wordpress/templates/php5-fpm-wordpress.conf.j2 index 76f0ddc..d7bb4f3 100644 --- a/roles/wordpress/files/etc/php5/fpm/pool.d/wordpress.conf +++ b/roles/wordpress/templates/php5-fpm-wordpress.conf.j2 
@@ -5,12 +5,12 @@ listen = /var/run/php5-fpm/wordpress.sock listen.owner = www listen.group = www listen.mode = 0660 - + pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 -php_admin_value[open_basedir] = /var/www/wordpress:/usr/share/php:/tmp +php_admin_value[open_basedir] = /var/www/{{ wordpress_install_path }}:/usr/share/php:/tmp php_admin_value[session.save_path] = /var/lib/phpsession/wordpress
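Review bot: `open_basedir` is now derived from `wordpress_install_path`, but in document-root mode `install-wordpress.yml` moves the site to `/var/www/{{ wordpress_domain_name }}`, so unless the operator also sets `wordpress_install_path` to the domain name by hand (the doc hunk asks for this but names the wrong variable), PHP is confined to a directory that does not contain the live site and will refuse to open its files. Computing the path once, e.g. `php_admin_value[open_basedir] = /var/www/{{ wordpress_install_path if wordpress_subdirectory else wordpress_domain_name }}:/usr/share/php:/tmp`, or a single `wordpress_document_root` variable shared by the tasks and this template, removes the coupling. A comment above the line saying which mode each path corresponds to would help whoever next touches the pool config.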