add Wordpress role

roles/webserver/templates/conf.d/twirling.conf.j2

@@ -13,15 +13,41 @@ server {
     listen 443 ssl http2 default_server;
     listen [::]:443 ssl http2 default_server;
     server_name {{ webserver_domain }} www.{{ webserver_domain }};
-
     include global/cert.conf;
     include global/header.conf;
 
+    # Path to the root of your installation
+    root {{ wordpress_dir }};
+
     add_header Strict-Transport-Security "max-age=63072000" always;
 
-    # deny access and return teapot
+    index  index.php index.html index.htm;
+
+    client_max_body_size 500M;
+
     location / {
-        deny all;
+        try_files $uri $uri/ /index.php?$args;
-        return 418;
+    }
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        expires max;
+        log_not_found off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~ \.php$ {
+         fastcgi_pass php-handler;
+         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+         include fastcgi_params;
     }
 }

roles/webserver/templates/conf.d/wordpress.conf.j2

@@ -0,0 +1,53 @@
+## Managed by Ansible ##
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name dev.{{ webserver_domain }} www.dev.{{ webserver_domain }};
+    # enforce https
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    # Enable HTTP/2
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name dev.{{ webserver_domain }} www.dev.{{ webserver_domain }};
+    include global/cert.conf;
+    include global/header.conf;
+
+    # Path to the root of your installation
+    root {{ wordpress_dir }};
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    index  index.php index.html index.htm;
+
+    client_max_body_size 500M;
+
+    location / {
+        try_files $uri $uri/ /index.php?$args;
+    }
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        expires max;
+        log_not_found off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~ \.php$ {
+         fastcgi_pass php-handler;
+         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+         include fastcgi_params;
+    }
+}

roles/webserver/vars/main.yml

@@ -24,6 +24,7 @@ php_modules:
   - "apcu"
   - "redis"
   - "pgsql"
+  - "mysql"
 
 # Main
 webserver_user: "www-data"

roles/wordpress/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: webserver

roles/wordpress/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Create wordpress directory
+  file:
+    path: "{{ wordpress_dir }}"
+    state: directory
+    owner: "{{ webserver_user }}"
+    group: "{{ webserver_group }}"
+    mode: 0755
+
+- name: unpack latest wordpress version
+  unarchive:
+    remote_src: true
+    src: "https://wordpress.org/latest.tar.gz"
+    dest: "{{ wordpress_dir }}"
+    owner: "{{ webserver_user }}"
+    group: "{{ webserver_group }}"
+    creates: "{{ wordpress_dir }}/wp-config-sample.php"
+    extra_opts:
+      - --strip-components=1
+
+- name: Copy configuration file
+  template:
+    src: wp-config.php.j2
+    dest: "{{ wordpress_dir }}/wp-config.php"
+    owner: "{{ webserver_user }}"
+    group: "{{ webserver_group }}"
+    mode: 0600

roles/wordpress/templates/wp-config.php.j2

@@ -0,0 +1,96 @@
+<?php
+/**
+ * The base configuration for WordPress
+ *
+ * The wp-config.php creation script uses this file during the installation.
+ * You don't have to use the web site, you can copy this file to "wp-config.php"
+ * and fill in the values.
+ *
+ * This file contains the following configurations:
+ *
+ * * Database settings
+ * * Secret keys
+ * * Database table prefix
+ * * ABSPATH
+ *
+ * @link https://wordpress.org/support/article/editing-wp-config-php/
+ *
+ * @package WordPress
+ */
+
+// ** Database settings - You can get this info from your web host ** //
+/** The name of the database for WordPress */
+define( 'DB_NAME', '{{ wordpress_db_name }}' );
+
+/** Database username */
+define( 'DB_USER', '{{ wordpress_db_user }}' );
+
+/** Database password */
+define( 'DB_PASSWORD', '{{ vault_wordpress_db_pass }}' );
+
+/** Database hostname */
+define( 'DB_HOST', '{{ wordpress_db_host }}' );
+
+/** Database charset to use in creating database tables. */
+define( 'DB_CHARSET', 'utf8' );
+
+/** The database collate type. Don't change this if in doubt. */
+define( 'DB_COLLATE', '' );
+
+/**#@+
+ * Authentication unique keys and salts.
+ *
+ * Change these to different unique phrases! You can generate these using
+ * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
+ *
+ * You can change these at any point in time to invalidate all existing cookies.
+ * This will force all users to have to log in again.
+ *
+ * @since 2.6.0
+ */
+define('AUTH_KEY',         '{{ vault_wordpress_auth_key }}');
+define('SECURE_AUTH_KEY',  '{{ vault_wordpress_secure_auth_key }}');
+define('LOGGED_IN_KEY',    '{{ vault_wordpress_logged_in_key }}');
+define('NONCE_KEY',        '{{ vault_wordpress_nonce_key }}');
+define('AUTH_SALT',        '{{ vault_wordpress_auth_salt }}');
+define('SECURE_AUTH_SALT', '{{ vault_wordpress_secure_auth_salt }}');
+define('LOGGED_IN_SALT',   '{{ vault_wordpress_logged_in_salt }}');
+define('NONCE_SALT',       '{{ vault_wordpress_nonce_salt }}');
+
+/**#@-*/
+
+/**
+ * WordPress database table prefix.
+ *
+ * You can have multiple installations in one database if you give each
+ * a unique prefix. Only numbers, letters, and underscores please!
+ */
+$table_prefix = 'wp_';
+
+/**
+ * For developers: WordPress debugging mode.
+ *
+ * Change this to true to enable the display of notices during development.
+ * It is strongly recommended that plugin and theme developers use WP_DEBUG
+ * in their development environments.
+ *
+ * For information on other constants that can be used for debugging,
+ * visit the documentation.
+ *
+ * @link https://wordpress.org/support/article/debugging-in-wordpress/
+ */
+define( 'WP_DEBUG', false );
+
+/* Add any custom values between this line and the "stop editing" line. */
+
+
+
+/* That's all, stop editing! Happy publishing. */
+
+/** Absolute path to the WordPress directory. */
+if ( ! defined( 'ABSPATH' ) ) {
+	define( 'ABSPATH', __DIR__ . '/' );
+}
+
+/** Sets up WordPress vars and included files. */
+require_once ABSPATH . 'wp-settings.php';

roles/wordpress/vars/main.yml

@@ -0,0 +1,98 @@
+---
+wordpress_dir: "/var/www/wordpress"
+
+# database
+wordpress_db_host: "{{ mariadb_server_ip }}"
+wordpress_db_port: "{{ mariadb_server_port }}"
+wordpress_db_name: "wordpress_db"
+wordpress_db_user: "wordpress_db_user"
+vault_wordpress_db_pass: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  66636563363930333036326533306464323634363961626462373737643630386630666632326338
+  3032653830623864623736353463656531303162616330330a383138363731343430393166343664
+  30666139636662626335616437616266653837376437326134333139373832393739643839643035
+  3662356236356261630a353065616430366633376531376633306633613964333434353830303034
+  66633633633832343530343139346566396231363630643866623133316635333661386364656530
+  3330313461666332376665336536363533613164323533303138
+
+# secrets
+vault_wordpress_auth_key: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  63613861323165313832316631653362366139333638663433633335316266373665646537383937
+  6161396336393834623864316663303130363436633062630a353130313864313363313134353935
+  66353663643666396530346231633330306661653936343061383336386566613936303862613836
+  3066333766313139360a393539323661613332373839653865376163616234373061333363393237
+  63343935613139356637616664343238383761643766333664353535613962383162643238343662
+  31626235346264666431356135613137346264363865313139373261373739323163366333643136
+  62613433623731653537383431323235666438633263333166346334376266393535666533316335
+  35653636356263333664
+vault_wordpress_secure_auth_key: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  62613730356463636664363132653234343332356138636130643930353538626633386266323666
+  3238623730616165643630313434376630333039313637380a663664306233346234623339303765
+  39326430326337393033343931363932376533363830656238346238356234613837373337613266
+  6466643637636138310a333561346531383937303938613664666662363930636662336430626332
+  61626435306635323231383838663133636432616231653434303831366163666332336562646562
+  34656566393432376466663837373830363138656263626337343336636135623663623861333862
+  38383032343566306163306436396365356338386161663231303065653033353735323038663133
+  62653931323438663431
+vault_wordpress_logged_in_key: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  61366439323630633139306630626235636532653631663435393331663137366137353666663261
+  3762353563336438663232376535613934333535316539380a343038353366376434616664316634
+  62646633623738613361313761336662646331303135646334393433643762383062633535653261
+  3064346565666633640a356562333934633539663463663863383437383934616561633565656138
+  61646431636666623863653737306637353464633661366134656533363436346231636236313633
+  39666163303561326133633666643835366563613933373230643832316136363766363462333230
+  61306565383064303739623333373733666635616331656433393366306363303431376565386633
+  35373063363130336365
+vault_wordpress_nonce_key: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  39633032636639356461316162333164373737396265333437336266386463353231393461373164
+  3330393432326365363661623439356636393366353835390a313862656434373762333136346131
+  36306331656334663066323464353136306138643139333565353932343434346264336138333365
+  6530323232663733640a643736626633396337366464613962393236313866643337656263613966
+  62653437306663383437663938313837623365663362346565616636366234366363333663346338
+  39353366333564353764653334333336316238653930333465313731373033313531623962643139
+  63396330313739323166646235643564396235633734616535353732636533353966363363353438
+  66383534666537653938
+vault_wordpress_auth_salt: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  35626139323464326432383235353038646563653438663033313138366235623661616439386430
+  3633383530396331646231383235386564623538373237310a386231346232353535656633336335
+  31306432333661353237343866356137353061623961333734333939393461396337663966623761
+  3233393666646362660a666338643739306263373461643964303965346563386536393336613963
+  63383666636235316336626462613731636665623433363065393666666365616661666665313330
+  31636431613339393066313532313036623735613037393336623735643065393733376637346337
+  63383462613033656135666236636331316162396537346534613230666232623562353537616562
+  62383030306663643834
+vault_wordpress_secure_auth_salt: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  65316564383661653238343337353063626633613630316237346163636531303535383963326236
+  6338333735656138616430616239646434303334323964380a663665393531386537333661333138
+  38366163343738626431306565336431623633393635393263343863373831646163393766666664
+  6461313930663135360a313065303639326538356535616137313934306531393861336530383633
+  39626535356265303365623730396430626563323938353530613461663164613465316435643761
+  37663431366533623439616133393865383835366666383835613565323930353538633764396465
+  63633161303131663563393337386134633663393130633361313331326136323964663939303062
+  64303537323335663361
+vault_wordpress_logged_in_salt: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  66393763653534643232613662376562633837383133373930303637613333643265383537323466
+  3862376433316437313438306465653536653133333434370a393732666137343139303035646431
+  34366531383730366164393933336430366537303265343532396365623430393638316532316238
+  6638316639663565320a373064633664346138666431363431663834663636613461346332353934
+  33383233633062643435356262363365323633663338333364656135383136613861313337613136
+  30353466343765326461353639336431396436343330323863623663333365626231663031643137
+  35646334303664373736313031666663646265373237346533663265363734343236393362366561
+  63376132313338633234
+vault_wordpress_nonce_salt: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
+  64336566636232346433633765316261653236616464333638393961616464626563303634336130
+  6465323634393538643561336465633665653063633632320a623038343137303863376664343839
+  37636239343736636231336533363562386137333734356339316265373533313937393331323565
+  3261316131666665310a616564336535326461656434323761653238326537376530326162306138
+  36666134633431393338363436323030333963666537343139383233376263633832363061626630
+  33663836383865313837396434623262356436313362303630333536303864396266656464663133
+  32346261623631663863386561666336336264656133306265323863373564333031346135373431
+  34653131626661326534

web.yml

@@ -5,4 +5,5 @@
   roles:
     - lego
     - nextcloud
+    - wordpress
   become: true