add wordpress SSH user for uploads

roles/nextcloud/tasks/nextcloud.yml

@@ -16,7 +16,7 @@
         state: directory
         owner: "{{ webserver_user }}"
         group: "{{ webserver_group }}"
-        mode: 0775
+        mode: 0770
         force: false
 
     - name: Download nextcloud latest from nextcloud.com

roles/nextcloud/tasks/rclone.yml

@@ -1,10 +1,10 @@
 ---
 # ensure rclone.conf is present (meta role dependencies)
 
-- name: Create rclone mount dir
+- name: Create Rclone mount directory
   file:
     path: "{{ nextcloud_rclone_mount_dir }}"
-    mode: 0755
+    mode: 0770
     state: directory
 
 # Touch rclone log file to set permissions
@@ -12,7 +12,7 @@
   file:
     path: "{{ rclone_log_dir }}/mount_nextcloud.log"
     state: touch
-    mode: 0644
+    mode: 0640
     access_time: preserve
     modification_time: preserve
 
@@ -20,7 +20,7 @@
   template:
     src: rclone_mount_nextcloud.service.j2
     dest: /etc/systemd/system/rclone_mount_nextcloud.service
-    mode: 0644
+    mode: 0640
   notify: restart rclone_mount_nextcloud
 
 - name: "Add {{ webserver_user }} user to rclone group"

roles/nextcloud/templates/rclone_mount_nextcloud.service.j2

@@ -11,12 +11,13 @@ Type=notify
 ExecStart=/usr/bin/rclone mount DTSV_crypt:cloud_data {{ nextcloud_rclone_mount_dir }} \
         --devname rclone \
         --use-mmap \
+        --default-permissions \
         --allow-other \
         --uid {{ created_rclone_user.uid }} \
         --gid {{ created_rclone_group.gid }} \
-        --umask 002 \
-        --dir-perms 775 \
-        --file-perms 664 \
+        --umask 0007 \
+        --dir-perms 0770 \
+        --file-perms 0660 \
         --dir-cache-time 8760h \
         --poll-interval 1h \
         --buffer-size 64M \

roles/rclone/tasks/main.yml

@@ -69,7 +69,7 @@
 - name: Create rclone cache/log directory
   file:
     path: "{{ item }}"
-    mode: 0755
+    mode: 0750
     state: directory
   loop:
     - "{{ rclone_cache_dir }}"

roles/webserver/tasks/volume.yml

@@ -11,6 +11,7 @@
   file:
     path: "{{ hcloud_webserver_volume_path }}"
     state: directory
+    mode: 0750
     force: false
 
 - name: Mount hcloud volume

roles/webserver/templates/conf.d/wordpress.conf.j2

@@ -1,53 +0,0 @@
-## Managed by Ansible ##
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name dev.{{ webserver_domain }} www.dev.{{ webserver_domain }};
-    # enforce https
-    return 301 https://$server_name$request_uri;
-}
-
-server {
-    # Enable HTTP/2
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name dev.{{ webserver_domain }} www.dev.{{ webserver_domain }};
-    include global/cert.conf;
-    include global/header.conf;
-
-    # Path to the root of your installation
-    root {{ wordpress_dir }};
-
-    add_header Strict-Transport-Security "max-age=63072000" always;
-
-    index  index.php index.html index.htm;
-
-    client_max_body_size 500M;
-
-    location / {
-        try_files $uri $uri/ /index.php?$args;
-    }
-
-    location = /favicon.ico {
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
-        expires max;
-        log_not_found off;
-    }
-
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~ \.php$ {
-         fastcgi_pass php-handler;
-         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-         include fastcgi_params;
-    }
-}

roles/wordpress/files/public_keys.pub

@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5M3pWvjwFjDOsrAwnJsysE23SuWW+wQRHUgBWInzX oli@VSC
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTPOurRC0RiGe7+hgWyZzD/kNIEB+XuztHxKkC/xRe6 wordpress@NOVA

roles/wordpress/tasks/main.yml

@@ -1,27 +1,45 @@
 ---
+- name: Create wordpress group
+  group:
+    name: "{{ wordpress_group }}"
+    state: present
+    system: true
+  when: wordpress_group != "root"
+
+- name: Create wordpress user
+  user:
+    name: "{{ wordpress_user }}"
+    group: "{{ wordpress_group }}"
+    groups: "{{ wordpress_group }}"
+    append: true
+    shell: /bin/bash
+    create_home: true
+
+- name: Set authorized keys for wordpress user
+  authorized_key:
+    user: "{{ wordpress_user }}"
+    key: "{{ lookup('file', 'public_keys.pub') }}"
+    state: present
+    exclusive: false  # removing all the authorized keys already set
+
+- name: Add {{ webserver_user }} user to {{ wordpress_group }} group
+  user:
+    name: "{{ webserver_user }}"
+    groups: "{{ wordpress_group }}"
+    append: true
+
 - name: Create wordpress directory
   file:
     path: "{{ wordpress_dir }}"
     state: directory
     owner: "{{ webserver_user }}"
-    group: "{{ webserver_group }}"
+    group: "{{ wordpress_group }}"
     mode: 0755
 
-- name: unpack latest wordpress version
-  unarchive:
-    remote_src: true
-    src: "https://wordpress.org/latest.tar.gz"
-    dest: "{{ wordpress_dir }}"
-    owner: "{{ webserver_user }}"
-    group: "{{ webserver_group }}"
-    creates: "{{ wordpress_dir }}/wp-config-sample.php"
-    extra_opts:
-      - --strip-components=1
-
 - name: Copy configuration file
   template:
     src: wp-config.php.j2
     dest: "{{ wordpress_dir }}/wp-config.php"
     owner: "{{ webserver_user }}"
-    group: "{{ webserver_group }}"
-    mode: 0600
+    group: "{{ wordpress_group }}"
+    mode: 0640

roles/wordpress/vars/main.yml

@@ -1,4 +1,6 @@
 ---
+wordpress_group: wordpress
+wordpress_user: "{{ wordpress_group }}"
 wordpress_dir: "/var/www/wordpress"
 
 # database