From 4d1d48651261e8504029d38046d690fa44d0a6bd Mon Sep 17 00:00:00 2001
From: Oli
Date: Sun, 5 Feb 2023 00:02:42 +0000
Subject: [PATCH] add wordpress SSH user for uploads
---
 roles/nextcloud/tasks/nextcloud.yml | 2 +-
 .../templates/conf.d/wordpress.conf.j2 | 53 -------------------
 roles/wordpress/files/public_keys.pub | 2 +
 roles/wordpress/tasks/main.yml | 46 +++++++++++-----
 roles/wordpress/vars/main.yml | 2 +
 5 files changed, 37 insertions(+), 68 deletions(-)
 delete mode 100644 roles/webserver/templates/conf.d/wordpress.conf.j2
 create mode 100644 roles/wordpress/files/public_keys.pub
diff --git a/roles/nextcloud/tasks/nextcloud.yml b/roles/nextcloud/tasks/nextcloud.yml
index 6c4075b..1d5eb7f 100644
--- a/roles/nextcloud/tasks/nextcloud.yml
+++ b/roles/nextcloud/tasks/nextcloud.yml
@@ -16,7 +16,7 @@
 state: directory
 owner: "{{ webserver_user }}"
 group: "{{ webserver_group }}"
- mode: 0775
+ mode: 0770
 force: false
 - name: Download nextcloud latest from nextcloud.com
diff --git a/roles/webserver/templates/conf.d/wordpress.conf.j2 b/roles/webserver/templates/conf.d/wordpress.conf.j2
deleted file mode 100644
index c0bd80f..0000000
--- a/roles/webserver/templates/conf.d/wordpress.conf.j2
+++ /dev/null
@@ -1,53 +0,0 @@
-## Managed by Ansible ##
-
-server {
- listen 80;
- listen [::]:80;
- server_name dev.{{ webserver_domain }} www.dev.{{ webserver_domain }};
- # enforce https
- return 301 https://$server_name$request_uri;
-}
-
-server {
- # Enable HTTP/2
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name dev.{{ webserver_domain }} www.dev.{{ webserver_domain }};
- include global/cert.conf;
- include global/header.conf;
-
- # Path to the root of your installation
- root {{ wordpress_dir }};
-
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- index index.php index.html index.htm;
-
- client_max_body_size 500M;
-
- location / {
- try_files $uri $uri/ /index.php?$args;
- }
-
- location = /favicon.ico {
- log_not_found off;
- access_log off;
- }
-
- location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
- expires max;
- log_not_found off;
- }
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- location ~ \.php$ {
- fastcgi_pass php-handler;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- include fastcgi_params;
- }
-}
\ No newline at end of file
diff --git a/roles/wordpress/files/public_keys.pub b/roles/wordpress/files/public_keys.pub
new file mode 100644
index 0000000..3f9e927
--- /dev/null
+++ b/roles/wordpress/files/public_keys.pub
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5M3pWvjwFjDOsrAwnJsysE23SuWW+wQRHUgBWInzX oli@VSC
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTPOurRC0RiGe7+hgWyZzD/kNIEB+XuztHxKkC/xRe6 wordpress@NOVA
diff --git a/roles/wordpress/tasks/main.yml b/roles/wordpress/tasks/main.yml
index a4ad0a5..21e51d9 100644
--- a/roles/wordpress/tasks/main.yml
+++ b/roles/wordpress/tasks/main.yml
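Review bot: Both keys are added as bare `ssh-ed25519` lines with no authorized_keys options, so either private key yields an unrestricted login as the upload user rather than a file-drop; if the account exists only to push files, prefix each line with `restrict` (constructed example: `restrict ssh-ed25519 AAAA… wordpress@NOVA`) so forwarding and pty allocation are off by default. Revocation also needs attention: the task that consumes this file in roles/wordpress/tasks/main.yml applies it with `exclusive: false`, so a key deleted from this file stays in the host's authorized_keys until it is explicitly removed with `state: absent`. The comments `oli@VSC` and `wordpress@NOVA` suggest a personal workstation key and an automation key share one account; if that inference is right, documenting the owner of each key in the role, or giving them separately revocable identities, would make later audits and rotation simpler.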
@@ -1,27 +1,45 @@
 ---
+- name: Create wordpress group
+ group:
+ name: "{{ wordpress_group }}"
+ state: present
+ system: true
+ when: wordpress_group != "root"
+
+- name: Create wordpress user
+ user:
+ name: "{{ wordpress_user }}"
+ group: "{{ wordpress_group }}"
+ groups: "{{ wordpress_group }}"
+ append: true
+ shell: /bin/bash
+ create_home: true
+
+- name: Set authorized keys for wordpress user
+ authorized_key:
+ user: "{{ wordpress_user }}"
+ key: "{{ lookup('file', 'public_keys.pub') }}"
+ state: present
+ exclusive: false # removing all the authorized keys already set
+
+- name: Add {{ webserver_user }} user to {{ wordpress_group }} group
+ user:
+ name: "{{ webserver_user }}"
+ groups: "{{ wordpress_group }}"
+ append: true
+
 - name: Create wordpress directory
 file:
 path: "{{ wordpress_dir }}"
 state: directory
 owner: "{{ webserver_user }}"
- group: "{{ webserver_group }}"
+ group: "{{ wordpress_group }}"
 mode: 0755
-- name: unpack latest wordpress version
- unarchive:
- remote_src: true
- src: "https://wordpress.org/latest.tar.gz"
- dest: "{{ wordpress_dir }}"
- owner: "{{ webserver_user }}"
- group: "{{ webserver_group }}"
- creates: "{{ wordpress_dir }}/wp-config-sample.php"
- extra_opts:
- - --strip-components=1
-
 - name: Copy configuration file
 template:
 src: wp-config.php.j2
 dest: "{{ wordpress_dir }}/wp-config.php"
 owner: "{{ webserver_user }}"
- group: "{{ webserver_group }}"
- mode: 0600
+ group: "{{ wordpress_group }}"
+ mode: 0640
diff --git a/roles/wordpress/vars/main.yml b/roles/wordpress/vars/main.yml
index e2cce34..ddbb29b 100644
--- a/roles/wordpress/vars/main.yml
+++ b/roles/wordpress/vars/main.yml
@@ -1,4 +1,6 @@
 ---
+wordpress_group: wordpress
+wordpress_user: "{{ wordpress_group }}"
 wordpress_dir: "/var/www/wordpress" # database
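Review bot: The permissions in the `Create wordpress directory` and `Copy configuration file` tasks run opposite to the commit's stated purpose: `mode: 0755` gives `{{ wordpress_group }}` no write bit on `{{ wordpress_dir }}`, so the new SSH user cannot upload into it, while relaxing wp-config.php from 0600 to `mode: 0640` under `group: "{{ wordpress_group }}"` lets that same upload user read a file the wp-config.php.j2 template presumably fills with database credentials. If group-writable uploads are the intent, use `mode: 02775` on the directory (setgid so uploaded files inherit the group) and keep wp-config.php at `mode: 0600`, since its owner `{{ webserver_user }}` is the only reader it needs. The comment on `exclusive: false` is inverted — `false` keeps keys already present and only `exclusive: true` would remove them — so it should read `exclusive: false # keep keys not managed by this role`. The upload account also receives `shell: /bin/bash`, a full interactive login; an sshd `Match User` block with `ForceCommand internal-sftp` (or a non-interactive shell) would confine it to transfers, and since the dropped `unpack latest wordpress version` task means nothing in this role now populates `{{ wordpress_dir }}`, that expectation is worth stating in a comment on the directory task.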