From 48bef536e9b799be9c10d1aa6ffc083d839ed624 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Thu, 27 Jun 2024 23:34:36 -0700 Subject: [PATCH 01/22] add master playbook --- ansible/site.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ansible/site.yml diff --git a/ansible/site.yml b/ansible/site.yml new file mode 100644 index 0000000..86ab216 --- /dev/null +++ b/ansible/site.yml @@ -0,0 +1,5 @@ +- hosts: web + become: yes + become_user: sysadmin + roles: + - wordpress \ No newline at end of file From 6d8eab24441cfe34774bb10783326d05036f9543 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Thu, 27 Jun 2024 23:36:48 -0700 Subject: [PATCH 02/22] add roles/wordpress --- ansible/roles/wordpress/tasks/main.yml | 46 ++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 ansible/roles/wordpress/tasks/main.yml diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml new file mode 100644 index 0000000..382c1be --- /dev/null +++ b/ansible/roles/wordpress/tasks/main.yml 
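Review bot: `become_user: sysadmin` in the new play escalates to the same account Ansible already logs in as (ansible.cfg's `remote_user = sysadmin`, visible as context in patch 07), so the sudo hop gains nothing while the wordpress role's tasks still need root to write under /usr/local/bin and /etc. Drop `become_user` and let `become: true` default to root, or state `become_user: root` explicitly. Prefer the canonical `become: true` over `yes`, which is a YAML 1.1 boolean spelling that yamllint flags as truthy.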
@@ -0,0 +1,46 @@ +- name: Install WordPress CLI (WP-CLI) + get_url: + url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar + dest: /usr/local/bin/wp/wp-cli.phar + # you can do anything with the file or directory, and other users can read and execute it but not alter it + mode: '0755' + +- name: Create WP-CLI directory for www-data + file: + path: /var/www/.wp-cli + state: directory + owner: www-data + group: www-data + mode: '0755' + +- name: Use WP-CLI to install WordPress + command: wp core download --version={{ WP_VERSION }} + args: + chdir: /var/www/dev + become: yes + become_user: www-data + +# Download wp-config-docker.php for use as wp-config.php +- name: WordPress basic configuration step 1 + get_url: + url: https://raw.githubusercontent.com/docker-library/wordpress/master/latest/php8.2/apache/wp-config-docker.php + dest: /var/www/dev/wp-config.php + +# Use awk to replace all instances of "put your unique phrase here" with a properly unique string (for AUTH_KEY and friends to have safe defaults if they aren't specified with environment variables) +- name: WordPress basic configuration step 2 + command: > + awk ' + /put your unique phrase here/ { + cmd = "head -c1m /dev/urandom | sha1sum | cut -d\\ -f1"; + cmd | getline str; + close(cmd); + gsub("put your unique phrase here", str); + } + { print } + ' /var/www/dev/wp-config.php > /var/www/dev/wp-config.tmp + && mv /var/www/dev/wp-config.tmp /var/www/dev/wp-config.php + + + + + \ No newline at end of file From 5175d3d76c9299007ee37128d34ab89d15a0e861 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Thu, 27 Jun 2024 23:37:13 -0700 Subject: [PATCH 03/22] remove wordpress related configs in web/Dockerfile --- web/Dockerfile | 44 +------------------------------------------- 1 file changed, 1 insertion(+), 43 deletions(-) diff --git a/web/Dockerfile b/web/Dockerfile index f64a651..295d282 100644 --- a/web/Dockerfile +++ b/web/Dockerfile 
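Review bot: Both `get_url` tasks fetch content that is later executed — wp-cli.phar (installed 0755) and wp-config-docker.php (loaded by PHP) — from GitHub raw URLs with no `checksum:`, so a substituted or tampered download is installed and run with no integrity check. WP-CLI publishes a digest beside the phar; pin it with `checksum: sha512:https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar.sha512` (or a literal digest), and fetch the config template from a commit SHA rather than `master`. Separately, `dest: /usr/local/bin/wp/wp-cli.phar` points into a directory no earlier task creates, and `command: wp core download` expects `wp` on PATH, which this layout does not provide.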
@@ -78,48 +78,6 @@ RUN a2enmod rewrite # Configure PHP COPY web/config-web/90-local.ini /etc/php/8.2/apache2/conf.d/ -# Install WordPress CLI (WP-CLI) -# https://wp-cli.org/#installing -RUN curl -L \ - https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar \ - -o wp-cli.phar \ - && chmod +x wp-cli.phar \ - && mv wp-cli.phar /usr/local/bin/wp - -# Create WP-CLI directory for www-data -RUN mkdir /var/www/.wp-cli -RUN chown -R www-data:www-data /var/www/.wp-cli - # Create the dev directory and set permissions RUN mkdir -p /var/www/dev/wp-content/uploads -RUN chown -R www-data:www-data /var/www/dev - -# Use WP-CLI to install WordPress -USER www-data -WORKDIR /var/www/dev -ARG WP_VERSION -RUN wp core download --version=$WP_VERSION - -# Add WordPress basic configuration -# 1) Download wp-config-docker.php for use as wp-config.php. Friendly view at: -# https://github.com/docker-library/wordpress/blob/master/latest/php8.2/apache/wp-config-docker.php -RUN curl -L \ - https://raw.githubusercontent.com/docker-library/wordpress/master/latest/php8.2/apache/wp-config-docker.php \ - -o /var/www/dev/wp-config.php - -# 2) Use awk to replace all instances of "put your unique phrase here" with a -# properly unique string (for AUTH_KEY and friends to have safe defaults if -# they aren't specified with environment variables) -# Based on: -# https://github.com/docker-library/wordpress/blob/master/latest/php8.2/apache/docker-entrypoint.sh -RUN awk ' \ - /put your unique phrase here/ { \ - cmd = "head -c1m /dev/urandom | sha1sum | cut -d\\ -f1"; \ - cmd | getline str; \ - close(cmd); \ - gsub("put your unique phrase here", str); \ - } \ - { print } \ - ' /var/www/dev/wp-config.php > /var/www/dev/wp-config.tmp \ - && mv /var/www/dev/wp-config.tmp /var/www/dev/wp-config.php - +RUN chown -R www-data:www-data /var/www/dev \ No newline at end of file From 0fa821d9d8d9e10e4ef3f0be57a43ae48ea5389e Mon Sep 17 00:00:00 2001 
From: Yi Chien Lee Date: Fri, 28 Jun 2024 00:00:02 -0700 Subject: [PATCH 04/22] add step: Create the wp directory and set permissions --- web/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/web/Dockerfile b/web/Dockerfile index 295d282..7d6f7b7 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -78,6 +78,10 @@ RUN a2enmod rewrite # Configure PHP COPY web/config-web/90-local.ini /etc/php/8.2/apache2/conf.d/ +# Create the wp directory and set permissions +RUN mkdir -p /usr/local/bin/wp/ +RUN chown -R www-data:www-data /usr/local/bin/wp/ + # Create the dev directory and set permissions RUN mkdir -p /var/www/dev/wp-content/uploads RUN chown -R www-data:www-data /var/www/dev \ No newline at end of file From 4aa7cefd17fd5998b55eb4e4e33a737c7edc7559 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Fri, 28 Jun 2024 00:01:01 -0700 Subject: [PATCH 05/22] add play: Ensure wp directory exists and has correct permissions in wordpress/tasks/main.yml --- ansible/etc-ansible-config/site.yml | 0 ansible/roles/wordpress/tasks/main.yml | 14 ++++++++++++-- docker-compose.yml | 2 ++ 3 files changed, 14 insertions(+), 2 deletions(-) create mode 100755 ansible/etc-ansible-config/site.yml diff --git a/ansible/etc-ansible-config/site.yml b/ansible/etc-ansible-config/site.yml new file mode 100755 index 0000000..e69de29 diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml index 382c1be..66abe2c 100644 --- a/ansible/roles/wordpress/tasks/main.yml +++ b/ansible/roles/wordpress/tasks/main.yml 
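Review bot: `RUN chown -R www-data:www-data /usr/local/bin/wp/` hands the web-server account write access to the directory the Ansible role later fills with wp-cli.phar and executes, so anything that gains code execution as www-data through Apache can replace the tool the playbook subsequently runs. Keep the install location root-owned (`RUN mkdir -p /usr/local/bin/wp/` alone, default 0755) and give www-data write access only to the `/var/www/.wp-cli` cache and the `/var/www/dev` tree it genuinely needs.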
@@ -1,9 +1,19 @@ +- name: Ensure wp directory exists and has correct permissions + file: + path: /usr/local/bin/wp + state: directory + owner: www-data + group: www-data + mode: '0755' + - name: Install WordPress CLI (WP-CLI) get_url: url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar dest: /usr/local/bin/wp/wp-cli.phar # you can do anything with the file or directory, and other users can read and execute it but not alter it mode: '0755' + become: yes + become_user: www-data - name: Create WP-CLI directory for www-data file: @@ -14,11 +24,11 @@ mode: '0755' - name: Use WP-CLI to install WordPress + become: yes + become_user: www-data command: wp core download --version={{ WP_VERSION }} args: chdir: /var/www/dev - become: yes - become_user: www-data # Download wp-config-docker.php for use as wp-config.php - name: WordPress basic configuration step 1 diff --git a/docker-compose.yml b/docker-compose.yml index 651cdae..efaee4d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,6 +10,8 @@ services: - dev-backend volumes: - ./ansible/etc-ansible-config:/etc/ansible/ + - ./ansible/site.yml:/etc/ansible/site.yml + - ./ansible/roles:/etc/ansible/roles - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro From b5e0f30d7bf8a70d0f20377f7177b75e2df64ba8 Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Wed, 3 Jul 2024 11:21:47 -0400 Subject: [PATCH 06/22] update the main.yml --- ansible/roles/wordpress/tasks/main.yml | 51 +++++++++++++++++++++----- 1 file changed, 41 insertions(+), 10 deletions(-) diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml index 66abe2c..58d6a59 100644 --- a/ansible/roles/wordpress/tasks/main.yml +++ b/ansible/roles/wordpress/tasks/main.yml 
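Review bot: The new `become: yes` / `become_user: www-data` on the WP-CLI `get_url` task escalates from an unprivileged login straight to another unprivileged user, which makes Ansible try to share its remote temp directory with www-data; on a Debian slim image without the `acl` package this typically fails with "Failed to set permissions on the temporary files Ansible needs to create" unless world-readable tmpfiles are allowed. The download into a system path does not need to run as www-data at all: become root and set `owner: www-data` / `group: www-data` on the file (or better, leave it root-owned as discussed on the Dockerfile) and reserve `become_user: www-data` for the `wp core download` task that writes into /var/www/dev.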
@@ -1,3 +1,18 @@ +- name: Add Apache2's www-data user to sudo group + user: + name: www-data + groups: sudo + append: yes + become: yes + become_user: root + +- name: Enable passwordless startup for www-data + copy: + dest: /etc/sudoers.d/www-data_startupservice + content: "www-data ALL=(ALL) NOPASSWD:ALL" + become: yes + become_user: root + - name: Ensure wp directory exists and has correct permissions file: path: /usr/local/bin/wp @@ -5,15 +20,17 @@ owner: www-data group: www-data mode: '0755' + become: yes + become_user: root - name: Install WordPress CLI (WP-CLI) get_url: url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar - dest: /usr/local/bin/wp/wp-cli.phar + dest: /usr/local/bin/wp # you can do anything with the file or directory, and other users can read and execute it but not alter it mode: '0755' become: yes - become_user: www-data + become_user: root - name: Create WP-CLI directory for www-data file: 
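Review bot: The two new tasks put the Apache worker account in the `sudo` group and write `www-data ALL=(ALL) NOPASSWD:ALL` to /etc/sudoers.d, which turns any code execution inside WordPress (a vulnerable plugin, an uploaded PHP file) into a passwordless root shell. The only thing www-data does with elevated rights later in this series is run WP-CLI in /var/www/dev, which needs no privilege, so both tasks can be dropped and WP-CLI run via `become_user: www-data` from the already-privileged Ansible connection. If a rule for the startup script is genuinely needed, as the file name suggests, name the command: `www-data ALL=(root) NOPASSWD: /startupservice.sh`. Whatever the content, write it with `mode: '0440'` and `validate: '/usr/sbin/visudo -cf %s'` so a typo cannot break sudo for every user.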
@@ -22,23 +39,37 @@ owner: www-data group: www-data mode: '0755' + become: yes + become_user: root -- name: Use WP-CLI to install WordPress +- name: Create the WordPress directory and set permissions + file: + path: /var/www/dev/wp-content/uploads + state: directory + owner: www-data + group: www-data + mode: '0755' become: yes - become_user: www-data - command: wp core download --version={{ WP_VERSION }} + become_user: root + +- name: Download WordPress core + command: wp core download --version={{ wp_version }} args: chdir: /var/www/dev + become: true + become_user: www-data # Download wp-config-docker.php for use as wp-config.php - name: WordPress basic configuration step 1 get_url: url: https://raw.githubusercontent.com/docker-library/wordpress/master/latest/php8.2/apache/wp-config-docker.php dest: /var/www/dev/wp-config.php + become: true + become_user: www-data # Use awk to replace all instances of "put your unique phrase here" with a properly unique string (for AUTH_KEY and friends to have safe defaults if they aren't specified with environment variables) - name: WordPress basic configuration step 2 - command: > + shell: | awk ' /put your unique phrase here/ { cmd = "head -c1m /dev/urandom | sha1sum | cut -d\\ -f1"; @@ -49,8 +80,8 @@ { print } ' /var/www/dev/wp-config.php > /var/www/dev/wp-config.tmp && mv /var/www/dev/wp-config.tmp /var/www/dev/wp-config.php + args: + chdir: /var/www/dev + become: true + become_user: www-data - - - - \ No newline at end of file From b920d34e43352dd4b91e1062a5e2904b42ddee3f Mon Sep 17 00:00:00 2001 
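Review bot: The switch from `command: >` to `shell: |` leaves `&& mv /var/www/dev/wp-config.tmp …` on its own line, and in a literal block that newline terminates the awk command, so `/bin/sh` sees a line beginning with `&&` and aborts with a syntax error before the temp file is moved into place. End the awk line with ` \` or join them: `' /var/www/dev/wp-config.php > /var/www/dev/wp-config.tmp && mv /var/www/dev/wp-config.tmp /var/www/dev/wp-config.php`. The same hunk renames the download's variable to `{{ wp_version }}` without defining it anywhere in the role, so that task will fail on an undefined variable until a default is added (e.g. `roles/wordpress/defaults/main.yml`).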
From: Shafiya Heena Date: Wed, 3 Jul 2024 15:36:26 -0400 Subject: [PATCH 07/22] update the directory structure of web --- ansible/etc-ansible-config/ansible.cfg | 8 ++++++-- ansible/site.yml | 4 +--- web/Dockerfile | 9 +++++---- .../etc-apache2-sites-available/000-default.conf | 0 .../90-local.ini | 0 web/etc-sudoers.d/sysadmin_all_nopass | 5 +++++ .../www-data_startupservice | 0 web/{config-web => }/startupservice.sh | 0 8 files changed, 17 insertions(+), 9 deletions(-) rename web/{config-web => }/etc-apache2-sites-available/000-default.conf (100%) rename web/{config-web => etc-php-8.2-apache2-conf.d}/90-local.ini (100%) create mode 100644 web/etc-sudoers.d/sysadmin_all_nopass rename web/{config-web => etc-sudoers.d}/www-data_startupservice (100%) rename web/{config-web => }/startupservice.sh (100%) diff --git a/ansible/etc-ansible-config/ansible.cfg b/ansible/etc-ansible-config/ansible.cfg index 24a7d9a..da0a519 100644 --- a/ansible/etc-ansible-config/ansible.cfg +++ b/ansible/etc-ansible-config/ansible.cfg @@ -1,9 +1,13 @@ [defaults] inventory = /etc/ansible/hosts remote_user = sysadmin -host_key_checking = True +host_key_checking = False retry_files_enabled = False private_key_file = /home/sysadmin/.ssh/id_rsa +[privilege_escalation] +become=True +become_passowrd='' + [web:vars] -ansible_python_interpreter=/usr/bin/python3 \ No newline at end of file +ansible_python_interpreter=/usr/bin/python3 diff --git a/ansible/site.yml b/ansible/site.yml index 86ab216..400c6f4 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -1,5 +1,3 @@ - hosts: web - become: yes - become_user: sysadmin roles: - - wordpress \ No newline at end of file + - wordpress diff --git a/web/Dockerfile b/web/Dockerfile index 7d6f7b7..86a00e9 100644 --- a/web/Dockerfile +++ b/web/Dockerfile 
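Review bot: `host_key_checking = False` disables SSH host-key verification for every managed node, so the controller will run its plays — and sudo-root on the target — against whatever answers at the `web`/`db` address; in a compose network that is any container able to claim the name. Keep `host_key_checking = True` and seed `/home/sysadmin/.ssh/known_hosts` from the images' host keys, or at minimum narrow the relaxation to `ssh_args = -o StrictHostKeyChecking=accept-new`. The new `[privilege_escalation]` block also misspells `become_passowrd`, so the setting is silently ignored (patch 11 corrects it).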
@@ -46,6 +46,7 @@ RUN rm -rf /var/lib/apt/lists/* RUN useradd -m -s /bin/bash sysadmin && \ echo "sysadmin:sysadmin" | chpasswd && \ usermod -aG sudo sysadmin +COPY·web/etc-sudoers.d/sysadmin_all_nopass·/etc/sudoers.d/sysadmin_all_nopass # Ensure SSH directory exists with correct permissions RUN mkdir -p /home/sysadmin/.ssh && \ @@ -57,10 +58,10 @@ RUN mkdir -p /run/sshd # Add Apache2's www-data user to sudo group and enable passwordless startup RUN adduser www-data sudo -COPY web/config-web/www-data_startupservice /etc/sudoers.d/www-data_startupservice +COPY web/etc-sudoers.d/www-data_startupservice /etc/sudoers.d/www-data_startupservice # Add Apache2 service startup script -COPY web/config-web/startupservice.sh /startupservice.sh +COPY web/startupservice.sh /startupservice.sh RUN chmod +x /startupservice.sh CMD ["sudo", "--preserve-env", "/startupservice.sh"] @@ -76,7 +77,7 @@ RUN a2enmod php8.2 RUN a2enmod rewrite # Configure PHP -COPY web/config-web/90-local.ini /etc/php/8.2/apache2/conf.d/ +COPY web/etc-php-8.2-apache2-conf.d/90-local.ini /etc/php/8.2/apache2/conf.d/ # Create the wp directory and set permissions RUN mkdir -p /usr/local/bin/wp/ @@ -84,4 +85,4 @@ RUN chown -R www-data:www-data /usr/local/bin/wp/ # Create the dev directory and set permissions RUN mkdir -p /var/www/dev/wp-content/uploads -RUN chown -R www-data:www-data /var/www/dev \ No newline at end of file +RUN chown -R www-data:www-data /var/www/dev diff --git a/web/config-web/etc-apache2-sites-available/000-default.conf b/web/etc-apache2-sites-available/000-default.conf similarity index 100% rename from web/config-web/etc-apache2-sites-available/000-default.conf rename to web/etc-apache2-sites-available/000-default.conf diff --git a/web/config-web/90-local.ini b/web/etc-php-8.2-apache2-conf.d/90-local.ini similarity index 100% rename from web/config-web/90-local.ini rename to web/etc-php-8.2-apache2-conf.d/90-local.ini 
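Review bot: The added `COPY·web/etc-sudoers.d/sysadmin_all_nopass·/etc/sudoers.d/sysadmin_all_nopass` line appears to contain non-ASCII middle-dot characters where the spaces should be, so `docker build` will fail to parse the instruction (patch 08 rewrites it with real spaces). The file it installs grants `%sudo` passwordless root, and this same Dockerfile runs `adduser www-data sudo` a few lines further down, so the Apache worker inherits full NOPASSWD root through group membership on top of its own drop-in. If the intent is only to let Ansible escalate, grant it to the user — `sysadmin ALL=(ALL) NOPASSWD:ALL` — and take www-data out of the sudo group.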
diff --git a/web/etc-sudoers.d/sysadmin_all_nopass b/web/etc-sudoers.d/sysadmin_all_nopass new file mode 100644 index 0000000..090dd70 --- /dev/null +++ b/web/etc-sudoers.d/sysadmin_all_nopass @@ -0,0 +1,5 @@ +# vim: ft=sudoers +# +# This file MUST be edited with `/usr/sbin/visudo -sf FILENAME`. + +%sudo ALL =(ALL) NOPASSWD:ALL diff --git a/web/config-web/www-data_startupservice b/web/etc-sudoers.d/www-data_startupservice similarity index 100% rename from web/config-web/www-data_startupservice rename to web/etc-sudoers.d/www-data_startupservice diff --git a/web/config-web/startupservice.sh b/web/startupservice.sh similarity index 100% rename from web/config-web/startupservice.sh rename to web/startupservice.sh From c971fff09d95e69f96a4663b2de0d3a9fa1fec0a Mon Sep 17 00:00:00 2001 From: Shafiya Heena Date: Wed, 3 Jul 2024 16:05:07 -0400 Subject: [PATCH 08/22] setup default path, updated playbook to isntall wpcli --- ansible/Dockerfile | 1 + ansible/roles/wordpress/tasks/main.yml | 18 +----------------- web/Dockerfile | 14 ++++++++------ 3 files changed, 10 insertions(+), 23 deletions(-) diff --git a/ansible/Dockerfile b/ansible/Dockerfile index 463da18..e26e748 100644 --- a/ansible/Dockerfile +++ b/ansible/Dockerfile @@ -46,6 +46,7 @@ RUN python3 -m venv /opt/ansible-venv --system-site-packages && \ # Create a directory for Ansible configuration RUN mkdir /etc/ansible/ +WORKDIR /etc/ansible/ # Set environment variables for Ansible ENV PATH="/opt/ansible-venv/bin:$PATH" diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml index 58d6a59..035e2d6 100644 --- a/ansible/roles/wordpress/tasks/main.yml +++ b/ansible/roles/wordpress/tasks/main.yml 
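Review bot: `%sudo ALL =(ALL) NOPASSWD:ALL` grants passwordless root to the whole sudo group rather than to the sysadmin account the file is named after, and the web image also adds www-data to that group, so the Apache worker becomes root without a password through this file. Scope it to the account Ansible uses: `sysadmin ALL=(ALL) NOPASSWD:ALL`. The file is COPYed straight from git, so it lands as 0644; sudo expects 0440 on sudoers.d drop-ins and, depending on the build, will either complain or skip the file, so follow the COPY with `chmod 0440 /etc/sudoers.d/sysadmin_all_nopass` and check it with `visudo -cf` during the build.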
@@ -3,15 +3,11 @@ name: www-data groups: sudo append: yes - become: yes - become_user: root - name: Enable passwordless startup for www-data copy: dest: /etc/sudoers.d/www-data_startupservice content: "www-data ALL=(ALL) NOPASSWD:ALL" - become: yes - become_user: root - name: Ensure wp directory exists and has correct permissions file: @@ -20,8 +16,6 @@ owner: www-data group: www-data mode: '0755' - become: yes - become_user: root - name: Install WordPress CLI (WP-CLI) get_url: @@ -29,8 +23,6 @@ dest: /usr/local/bin/wp # you can do anything with the file or directory, and other users can read and execute it but not alter it mode: '0755' - become: yes - become_user: root - name: Create WP-CLI directory for www-data file: @@ -39,8 +31,6 @@ owner: www-data group: www-data mode: '0755' - become: yes - become_user: root - name: Create the WordPress directory and set permissions file: @@ -49,11 +39,9 @@ owner: www-data group: www-data mode: '0755' - become: yes - become_user: root - name: Download WordPress core - command: wp core download --version={{ wp_version }} + command: wp core download args: chdir: /var/www/dev become: true @@ -64,8 +52,6 @@ get_url: url: https://raw.githubusercontent.com/docker-library/wordpress/master/latest/php8.2/apache/wp-config-docker.php dest: /var/www/dev/wp-config.php - become: true - become_user: www-data # Use awk to replace all instances of "put your unique phrase here" with a properly unique string (for AUTH_KEY and friends to have safe defaults if they aren't specified with environment variables) - name: WordPress basic configuration step 2 @@ -82,6 +68,4 @@ && mv /var/www/dev/wp-config.tmp /var/www/dev/wp-config.php args: chdir: /var/www/dev - become: true - become_user: www-data diff --git a/web/Dockerfile b/web/Dockerfile index 86a00e9..6d3eaa7 100644 --- a/web/Dockerfile +++ b/web/Dockerfile 
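Review bot: Removing every per-task `become`/`become_user` means the two `get_url` tasks and the awk rewrite now run as root under the global `become=True` from ansible.cfg, so `/var/www/dev/wp-config.php` (and the `wp-config.tmp` it is replaced by) end up root-owned with root's umask inside a tree that is otherwise www-data's. That file holds the generated salts and the DB settings; give it `owner: www-data`, `group: www-data`, `mode: '0640'` explicitly. Dropping `--version` from `wp core download` also makes the install float to whatever WP-CLI fetches that day, so rebuilds are no longer reproducible; keep the pin via a role default. `wp` is still not on PATH here — `/usr/local/bin/wp` is the directory an earlier task creates — so the command will not resolve as written.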
@@ -1,5 +1,4 @@ -# https://docs.docker.com/engine/reference/builder/ -# https://hub.docker.com/_/debian +# Use the Debian Bookworm Slim base image FROM debian:bookworm-slim # Configure apt not to prompt during docker build @@ -46,7 +45,9 @@ RUN rm -rf /var/lib/apt/lists/* RUN useradd -m -s /bin/bash sysadmin && \ echo "sysadmin:sysadmin" | chpasswd && \ usermod -aG sudo sysadmin -COPY·web/etc-sudoers.d/sysadmin_all_nopass·/etc/sudoers.d/sysadmin_all_nopass + +# Copy the sudoers file for sysadmin user to the appropriate directory +COPY ./web/etc-sudoers.d/sysadmin_all_nopass /etc/sudoers.d/sysadmin_all_nopass # Ensure SSH directory exists with correct permissions RUN mkdir -p /home/sysadmin/.ssh && \ @@ -58,10 +59,10 @@ RUN mkdir -p /run/sshd # Add Apache2's www-data user to sudo group and enable passwordless startup RUN adduser www-data sudo -COPY web/etc-sudoers.d/www-data_startupservice /etc/sudoers.d/www-data_startupservice +COPY ./web/etc-sudoers.d/www-data_startupservice /etc/sudoers.d/www-data_startupservice # Add Apache2 service startup script -COPY web/startupservice.sh /startupservice.sh +COPY ./web/startupservice.sh /startupservice.sh RUN chmod +x /startupservice.sh CMD ["sudo", "--preserve-env", "/startupservice.sh"] @@ -77,7 +78,7 @@ RUN a2enmod php8.2 RUN a2enmod rewrite # Configure PHP -COPY web/etc-php-8.2-apache2-conf.d/90-local.ini /etc/php/8.2/apache2/conf.d/ +COPY ./web/etc-php-8.2-apache2-conf.d/90-local.ini /etc/php/8.2/apache2/conf.d/ # Create the wp directory and set permissions RUN mkdir -p /usr/local/bin/wp/ @@ -86,3 +87,4 @@ RUN chown -R www-data:www-data /usr/local/bin/wp/ # Create the dev directory and set permissions RUN mkdir -p /var/www/dev/wp-content/uploads RUN chown -R www-data:www-data /var/www/dev + From 57b1884563acaf7beecb25f0e7c5532cf9d4692b Mon Sep 17 00:00:00 2001 
From: Shafiya Heena Date: Wed, 3 Jul 2024 16:31:21 -0400 Subject: [PATCH 09/22] update to set the permissions --- ansible/roles/wordpress/tasks/main.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml index 035e2d6..98aac32 100644 --- a/ansible/roles/wordpress/tasks/main.yml +++ b/ansible/roles/wordpress/tasks/main.yml @@ -8,6 +8,7 @@ copy: dest: /etc/sudoers.d/www-data_startupservice content: "www-data ALL=(ALL) NOPASSWD:ALL" + mode: '0440' # Correct mode for sudoers file - name: Ensure wp directory exists and has correct permissions file: @@ -21,9 +22,9 @@ get_url: url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar dest: /usr/local/bin/wp - # you can do anything with the file or directory, and other users can read and execute it but not alter it mode: '0755' + - name: Create WP-CLI directory for www-data file: path: /var/www/.wp-cli @@ -40,8 +41,8 @@ group: www-data mode: '0755' -- name: Download WordPress core - command: wp core download +- name: Use WP_CLI to install wordpress + command: /usr/local/bin/wp core download args: chdir: /var/www/dev become: true @@ -52,6 +53,9 @@ get_url: url: https://raw.githubusercontent.com/docker-library/wordpress/master/latest/php8.2/apache/wp-config-docker.php dest: /var/www/dev/wp-config.php + owner: www-data + group: www-data + mode: '0644' # Use awk to replace all instances of "put your unique phrase here" with a properly unique string (for AUTH_KEY and friends to have safe defaults if they aren't specified with environment variables) - name: WordPress basic configuration step 2 @@ -68,4 +72,6 @@ && mv /var/www/dev/wp-config.tmp /var/www/dev/wp-config.php args: chdir: /var/www/dev + become: true + become_user: www-data From d066b514aaa66085af16e069d47a093cf7ddd535 Mon Sep 17 00:00:00 2001 
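Review bot: `mode: '0440'` fixes the drop-in's permissions, but the `copy` task still writes `/etc/sudoers.d/www-data_startupservice` without `validate: '/usr/sbin/visudo -cf %s'`; sudo parses sudoers.d as one grammar, so a bad line here breaks `sudo` for sysadmin too, which is the playbook's own escalation path. The content also lacks a trailing newline, which has tripped some sudo versions — write it as `content: "www-data ALL=(ALL) NOPASSWD:ALL\n"`. Unrelated to sudoers, `command: /usr/local/bin/wp core download` now invokes the directory created by the 'Ensure wp directory exists' task rather than the phar inside it, so the task fails; the executable is `/usr/local/bin/wp/wp-cli.phar` (patch 10 corrects the path).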
From: Shafiya Heena Date: Wed, 3 Jul 2024 16:49:20 -0400 Subject: [PATCH 10/22] update to align the spacing --- ansible/roles/wordpress/tasks/main.yml | 28 +++++++++++--------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml index 98aac32..f1c118f 100644 --- a/ansible/roles/wordpress/tasks/main.yml +++ b/ansible/roles/wordpress/tasks/main.yml @@ -42,11 +42,9 @@ mode: '0755' - name: Use WP_CLI to install wordpress - command: /usr/local/bin/wp core download + shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar core download args: chdir: /var/www/dev - become: true - become_user: www-data # Download wp-config-docker.php for use as wp-config.php - name: WordPress basic configuration step 1 @@ -57,21 +55,19 @@ group: www-data mode: '0644' -# Use awk to replace all instances of "put your unique phrase here" with a properly unique string (for AUTH_KEY and friends to have safe defaults if they aren't specified with environment variables) -- name: WordPress basic configuration step 2 +- name: Use awk to replace all instances of "put your unique phrase here" with a unique string shell: | - awk ' - /put your unique phrase here/ { - cmd = "head -c1m /dev/urandom | sha1sum | cut -d\\ -f1"; - cmd | getline str; - close(cmd); - gsub("put your unique phrase here", str); - } - { print } - ' /var/www/dev/wp-config.php > /var/www/dev/wp-config.tmp + awk ' + /put your unique phrase here/ { + cmd = "head -c1m /dev/urandom | sha1sum | cut -d\\\\ -f1"; + cmd | getline str; + close(cmd); + gsub("put your unique phrase here", str); + } + { print } + ' /var/www/dev/wp-config.php > /var/www/dev/wp-config.tmp \ && mv /var/www/dev/wp-config.tmp /var/www/dev/wp-config.php args: chdir: /var/www/dev - become: true - become_user: www-data + From b1ecdbdb9edfe90e77e707906b1b653586d941a2 Mon Sep 17 00:00:00 2001 
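Review bot: The download task now shells out with `sudo -u www-data …` instead of `become_user: www-data`, which bypasses Ansible's become handling and depends on the sudoers rules the role itself installs; `become: true` plus `become_user: www-data` on a `command:` task expresses the same thing declaratively. In the awk task the delimiter escape was changed from `cut -d\\ -f1` to `cut -d\\\\ -f1`; inside a `|` block the shell receives the text verbatim, so awk reduces `\\\\` to `\\` and the spawned `cut` splits on a literal backslash instead of a space, which — if I read the quoting right — leaves sha1sum's trailing `  -` in every salt. The two-backslash form the previous revision had matches the upstream docker-entrypoint and should be restored. Removing `become_user: www-data` from the awk task also means it runs as root again and recreates wp-config.php root-owned.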
From: Yi Chien Lee Date: Thu, 4 Jul 2024 09:54:53 -0700 Subject: [PATCH 11/22] fix typo in ansible.cfg --- ansible/etc-ansible-config/ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/etc-ansible-config/ansible.cfg b/ansible/etc-ansible-config/ansible.cfg index da0a519..666d002 100644 --- a/ansible/etc-ansible-config/ansible.cfg +++ b/ansible/etc-ansible-config/ansible.cfg @@ -7,7 +7,7 @@ private_key_file = /home/sysadmin/.ssh/id_rsa [privilege_escalation] become=True -become_passowrd='' +become_password='' [web:vars] ansible_python_interpreter=/usr/bin/python3 From d17ad109965c04abd0d6162472174fe764960c0e Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Sat, 6 Jul 2024 13:43:48 -0700 Subject: [PATCH 12/22] add wp_version arg when using WP_CLI to install wordpress --- ansible/roles/wordpress/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml index f1c118f..c71725d 100644 --- a/ansible/roles/wordpress/tasks/main.yml +++ b/ansible/roles/wordpress/tasks/main.yml @@ -42,9 +42,11 @@ mode: '0755' - name: Use WP_CLI to install wordpress - shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar core download + shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar core download --version={{wp_version}} args: chdir: /var/www/dev + vars: + wp_version: 6.3.4 # Download wp-config-docker.php for use as wp-config.php - name: WordPress basic configuration step 1 From 318e778ca4e2d96e9a40eaddff120bd9821b679b Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Sat, 6 Jul 2024 15:28:59 -0700 Subject: [PATCH 13/22] add if condition to check wp installation but fail due to premission --- ansible/roles/wordpress/tasks/main.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml index c71725d..868df3f 100644 --- a/ansible/roles/wordpress/tasks/main.yml 
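Review bot: Pinning the release with a task-level `vars: wp_version: 6.3.4` cannot be overridden from inventory or group_vars (task vars outrank them in Ansible's precedence) and buries a version pin in the middle of a task list; move it to `roles/wordpress/defaults/main.yml` as `wp_version: '6.3.4'` so it can be set per environment. Because the value is interpolated into a `shell:` line, quote it against injection: `--version={{ wp_version | quote }}`. The 6.3.x branch was also well behind the 6.5 series that was current at this commit's date, so confirm the pin is the version the site is meant to track rather than a stale default.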
+++ b/ansible/roles/wordpress/tasks/main.yml @@ -41,8 +41,17 @@ group: www-data mode: '0755' +- name: check wordpress installed + shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar --no-color --quiet core is-installed #$> /dev/null is supposed to silence stdout and stderr while keeping the return code, but for some reason this one also gets rid of the return code + ignore_errors: true + args: + chdir: /var/www/dev + register: wp_installed + +# Currently not working because web-dev is running the server with www-data user which cannot connect to the db because www-data does not have access to the environment variables passed from docker. Only root has access to those environment variables. And because it cannot connect to the DB, this step always fails when trying to check if wordpress is installed - name: Use WP_CLI to install wordpress shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar core download --version={{wp_version}} + when: wp_installed.rc != 0 args: chdir: /var/www/dev vars: From 99001711565bd24c5880ca86097b1fa508209b98 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Sat, 6 Jul 2024 15:33:58 -0700 Subject: [PATCH 14/22] remove extra site.yml --- ansible/etc-ansible-config/site.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100755 ansible/etc-ansible-config/site.yml diff --git a/ansible/etc-ansible-config/site.yml b/ansible/etc-ansible-config/site.yml deleted file mode 100755 index e69de29..0000000 From 6215ef9dfdca7199f5fc9c8757b5345fd2491e20 Mon Sep 17 00:00:00 2001 From: Yi Chien Lee Date: Mon, 8 Jul 2024 23:59:10 -0700 Subject: [PATCH 15/22] remove db/Dockerfile for connecting to db in ansible playbook, previously didn't set up correctly --- ansible/roles/wordpress/tasks/main.yml | 11 ++++---- db/Dockerfile | 35 -------------------------- docker-compose.yml | 11 +------- 3 files changed, 6 insertions(+), 51 deletions(-) delete mode 100644 db/Dockerfile 
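Review bot: `wp core is-installed` needs a working DB connection (the comment on the following task says as much), so its non-zero `rc` cannot distinguish "core files absent" from "DB unreachable", and `when: wp_installed.rc != 0` will re-run `core download` on every play; WP-CLI in turn refuses to overwrite an existing tree without `--force`, so the second run fails rather than being idempotent. For a download step the filesystem is the right signal: register a `stat` on `/var/www/dev/wp-includes/version.php` and guard with `when: not wp_core.stat.exists`. Also, the `#$> /dev/null …` text appended to the `shell:` line is part of the command string, not a YAML comment; move it above the task.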
diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/roles/wordpress/tasks/main.yml index 868df3f..842bb30 100644 --- a/ansible/roles/wordpress/tasks/main.yml +++ b/ansible/roles/wordpress/tasks/main.yml @@ -42,15 +42,14 @@ mode: '0755' - name: check wordpress installed - shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar --no-color --quiet core is-installed #$> /dev/null is supposed to silence stdout and stderr while keeping the return code, but for some reason this one also gets rid of the return code - ignore_errors: true + shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar --no-color --quiet core is-installed args: chdir: /var/www/dev register: wp_installed + ignore_errors: yes -# Currently not working because web-dev is running the server with www-data user which cannot connect to the db because www-data does not have access to the environment variables passed from docker. Only root has access to those environment variables. And because it cannot connect to the DB, this step always fails when trying to check if wordpress is installed -- name: Use WP_CLI to install wordpress - shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar core download --version={{wp_version}} +- name: Use WP_CLI to install WordPress + shell: sudo -E -u www-data /usr/local/bin/wp/wp-cli.phar core download --version={{wp_version}} when: wp_installed.rc != 0 args: chdir: /var/www/dev @@ -58,7 +57,7 @@ wp_version: 6.3.4 # Download wp-config-docker.php for use as wp-config.php -- name: WordPress basic configuration step 1 +- name: WordPress basic configuration get_url: url: https://raw.githubusercontent.com/docker-library/wordpress/master/latest/php8.2/apache/wp-config-docker.php dest: /var/www/dev/wp-config.php diff --git a/db/Dockerfile b/db/Dockerfile deleted file mode 100644 index c0481dd..0000000 --- a/db/Dockerfile +++ /dev/null 
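Review bot: `sudo -E -u www-data` does not address the problem the removed comment describes: `-E` forwards the caller's environment, and the caller is the Ansible SSH session, which never had the variables compose injects into the container's PID 1 — those are visible only to the startup process tree. So WP-CLI still runs without DB settings, and `-E` is only accepted here because www-data's rule is `NOPASSWD:ALL`, which implies SETENV — one more reason that rule should go. If the download genuinely needs DB settings, pass them explicitly with `environment:` on the task from Ansible variables rather than relying on sudo to find them.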
@@ -1,35 +0,0 @@ -# https://docs.docker.com/engine/reference/builder/ - -# https://hub.docker.com/_/mariadb -FROM mariadb - -# Resynchronize the package index files from their sources -RUN apt-get update - -# Install packages for ssh -RUN apt-get install -y \ - openssh-client \ - openssh-server - -# Clean up packages: Saves space by removing unnecessary package files and lists -RUN apt-get clean -RUN rm -rf /var/lib/apt/lists/* - -# Create sysadmin user and add to sudoers -RUN useradd -m -s /bin/bash sysadmin && \ - echo "sysadmin:sysadmin" | chpasswd && \ - usermod -aG sudo sysadmin - -# Ensure SSH directory exists with correct permissions -RUN mkdir -p /home/sysadmin/.ssh && \ - chown sysadmin:sysadmin /home/sysadmin/.ssh && \ - chmod 700 /home/sysadmin/.ssh - -# Create privilege separation directory for SSH -RUN mkdir -p /run/sshd - -# Expose SSH port -EXPOSE 22 - -# Start SSH service -CMD ["/usr/sbin/sshd", "-D"] diff --git a/docker-compose.yml b/docker-compose.yml index efaee4d..2c02880 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -66,11 +66,8 @@ services: db-dev: container_name: db-dev - build: - context: . - dockerfile: db/Dockerfile + image: mariadb environment: - USER: sysadmin MYSQL_DATABASE: wordpress MYSQL_ROOT_PASSWORD: root MYSQL_USER: root @@ -79,12 +76,6 @@ services: restart: on-failure ports: - "3306:3306" - - "22003:22" - volumes: - - db-data:/var/lib/mysql - - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro volumes: db-data: From ba7d22feddc0abaa35d640fa5d00864278ef08f6 Mon Sep 17 00:00:00 2001 
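Review bot: Dropping `db-data:/var/lib/mysql` while leaving the top-level `db-data:` volume declared makes the database ephemeral — every recreation of db-dev discards the WordPress schema — and the now-dangling declaration suggests the mount was removed by accident rather than design (patch 17 restores it). Keep the mount. The service still publishes `3306:3306` on the host with `MYSQL_USER: root` / `MYSQL_ROOT_PASSWORD: root` (unchanged here); for a stack reached only from web-dev over the compose network, the port mapping can go and the application should get its own least-privilege DB user.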
From: Shafiya Heena Date: Tue, 9 Jul 2024 18:34:53 -0400 Subject: [PATCH 16/22] site and role moved into ansible-config --- .../{ => etc-ansible-config}/roles/wordpress/tasks/main.yml | 0 ansible/{ => etc-ansible-config}/site.yml | 0 docker-compose.yml | 3 +-- web/etc-apache2-sites-available/000-default.conf | 2 +- 4 files changed, 2 insertions(+), 3 deletions(-) rename ansible/{ => etc-ansible-config}/roles/wordpress/tasks/main.yml (100%) rename ansible/{ => etc-ansible-config}/site.yml (100%) diff --git a/ansible/roles/wordpress/tasks/main.yml b/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml similarity index 100% rename from ansible/roles/wordpress/tasks/main.yml rename to ansible/etc-ansible-config/roles/wordpress/tasks/main.yml diff --git a/ansible/site.yml b/ansible/etc-ansible-config/site.yml similarity index 100% rename from ansible/site.yml rename to ansible/etc-ansible-config/site.yml diff --git a/docker-compose.yml b/docker-compose.yml index 2c02880..a967bb2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,8 +10,6 @@ services: - dev-backend volumes: - ./ansible/etc-ansible-config:/etc/ansible/ - - ./ansible/site.yml:/etc/ansible/site.yml - - ./ansible/roles:/etc/ansible/roles - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro @@ -59,6 +57,7 @@ services: - '22002:22' restart: on-failure volumes: + - ./web/etc-apache2-sites-available:/etc/apache2/sites-available - wp-data:/var/www/dev - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro diff --git a/web/etc-apache2-sites-available/000-default.conf b/web/etc-apache2-sites-available/000-default.conf index 10f65a3..b963b3f 100644 --- a/web/etc-apache2-sites-available/000-default.conf +++ b/web/etc-apache2-sites-available/000-default.conf 
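Review bot: The new `./web/etc-apache2-sites-available:/etc/apache2/sites-available` bind mount is read-write while every other host mount in this service is `:ro`, and the web image gives www-data passwordless root (patch 07), so a compromised Apache process can now edit the repository's Apache config on the host, which is rebuilt into the image next time. Mount it read-only: `- ./web/etc-apache2-sites-available:/etc/apache2/sites-available:ro`. Note the mount also masks whatever the image itself placed in that directory, so the host copy is the only one that runs.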
@@ -71,4 +71,4 @@ ServerName localhost:8080
-# vim: ft=apache ts=4 sw=4 sts=4 sr et
\ No newline at end of file
+# vim: ft=apache ts=4 sw=4 sts=4 sr et
From ad368170dbb0f2224e8e50c4da2c531a3b354937 Mon Sep 17 00:00:00 2001
From: Shafiya Heena
Date: Tue, 9 Jul 2024 18:42:48 -0400
Subject: [PATCH 17/22] fixed wordpress site reverting db changes
---
docker-compose.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index a967bb2..4579315 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -65,8 +65,12 @@ services:
db-dev:
container_name: db-dev
+ build:
+ context: .
+ dockerfile: db/Dockerfile
image: mariadb
environment:
+ USER: sysadmin
MYSQL_DATABASE: wordpress
MYSQL_ROOT_PASSWORD: root
MYSQL_USER: root
@@ -75,6 +79,13 @@ services:
restart: on-failure
ports:
- "3306:3306"
+ - "22003:22"
+ volumes:
+ - db-data:/var/lib/mysql
+ - ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro
+ - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro
+ - ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro
+
volumes:
db-data:
From e72d329d2d4fd6cefb22b7976ae9003fb5e871b6 Mon Sep 17 00:00:00 2001
From: Shafiya Heena
Date: Tue, 9 Jul 2024 18:44:42 -0400
Subject: [PATCH 18/22] add db/dockerfile
---
db/Dockerfile | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 db/Dockerfile
diff --git a/db/Dockerfile b/db/Dockerfile
new file mode 100644
index 0000000..25cd61d
--- /dev/null
+++ b/db/Dockerfile
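Review bot: The added `build:` block sits next to the existing `image: mariadb`, and with both set Compose tags the locally built image as `mariadb`, shadowing the upstream image name in the host's image cache for every other consumer; either drop `image:` or tag it distinctly, e.g. `image: <project>-db-dev` (placeholder). `USER: sysadmin` under `environment:` is a plain env var whose consumer is not visible here, so a comment naming what reads it (presumably something in db/Dockerfile) would help. The db-dev service starts before this hunk.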
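Review bot: The new volumes mount the sysadmin private key `rsa_sysadmin` into the database container as `/home/sysadmin/.ssh/id_rsa`, but inbound SSH on the newly published `22003:22` needs only `authorized_keys`; with the private key present, anyone with a shell in db-dev can authenticate as sysadmin to every other container that mounts the same `authorized_keys`. Keep `- ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro` and drop the `id_rsa` and `id_rsa.pub` mounts unless db-dev must initiate SSH connections itself. Restoring `db-data:/var/lib/mysql` is needed for persistence, so that line should stay.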
@@ -0,0 +1,36 @@
+# https://docs.docker.com/engine/reference/builder/
+
+# https://hub.docker.com/_/mariadb
+FROM mariadb
+
+# Resynchronize the package index files from their sources
+RUN apt-get update
+
+# Install packages for ssh
+RUN apt-get install -y \
+ openssh-client \
+ openssh-server
+
+# Clean up packages: Saves space by removing unnecessary package files and lists
+RUN apt-get clean
+RUN rm -rf /var/lib/apt/lists/*
+
+# Create sysadmin user and add to sudoers
+RUN useradd -m -s /bin/bash sysadmin && \
+ echo "sysadmin:sysadmin" | chpasswd && \
+ usermod -aG sudo sysadmin
+
+# Ensure SSH directory exists with correct permissions
+RUN mkdir -p /home/sysadmin/.ssh && \
+ chown sysadmin:sysadmin /home/sysadmin/.ssh && \
+ chmod 700 /home/sysadmin/.ssh
+
+# Create privilege separation directory for SSH
+RUN mkdir -p /run/sshd
+
+# Expose SSH port
+EXPOSE 22
+
+# Start SSH service
+CMD ["/usr/sbin/sshd", "-D"]
+
From b92510e0b3a17d846b28df11a92a97f4064bf177 Mon Sep 17 00:00:00 2001
From: Shafiya Heena
Date: Tue, 9 Jul 2024 18:47:34 -0400
Subject: [PATCH 19/22] removed condition to check wp installed
---
ansible/etc-ansible-config/roles/wordpress/tasks/main.yml | 7 -------
1 file changed, 7 deletions(-)
diff --git a/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml b/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
index 842bb30..98caf57 100644
--- a/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
+++ b/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
@@ -41,13 +41,6 @@
group: www-data
mode: '0755'
-- name: check wordpress installed
- shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar --no-color --quiet core is-installed
- args:
- chdir: /var/www/dev
- register: wp_installed
- ignore_errors: yes
-
- name: Use WP_CLI to install WordPress
shell: sudo -E -u www-data /usr/local/bin/wp/wp-cli.phar core download --version={{wp_version}}
when: wp_installed.rc != 0
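Review bot: `echo "sysadmin:sysadmin" | chpasswd` bakes a well-known password into an image whose sshd is published, and the same user is added to `sudo`, so the credential is root-equivalent for anything that reaches the port; since the compose file already mounts `authorized_keys` for this user, drop the password line (or add `passwd -l sysadmin`) and disable password logins with `RUN sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config`. `CMD ["/usr/sbin/sshd", "-D"]` also replaces the base image's command, so unless the base entrypoint starts the database on its own, this container runs only sshd and never MariaDB. Separate `RUN apt-get update` and `RUN apt-get install` layers can pair a cached index with a newer package list; the usual idiom is one `RUN` that updates, installs with `--no-install-recommends` and removes `/var/lib/apt/lists/*`.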
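Review bot: `when: wp_installed.rc != 0` on the remaining "Use WP_CLI to install WordPress" task still references `wp_installed`, but the only task that registered it is the one deleted here, so the play now fails on that task with an undefined-variable error. Either remove the `when:` along with the check, or keep a registered check and gate on it. The task's `args:` and `vars:` continue past the end of the hunk.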
From 41175d8b490f176d2d840555f3eb85a5bd37e862 Mon Sep 17 00:00:00 2001
From: Shafiya Heena
Date: Tue, 9 Jul 2024 19:02:27 -0400
Subject: [PATCH 20/22] update to read 000_default.conf
---
ansible/etc-ansible-config/roles/wordpress/tasks/main.yml | 1 -
docker-compose.yml | 8 +++-----
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml b/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
index 98caf57..1252d5a 100644
--- a/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
+++ b/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
@@ -43,7 +43,6 @@
- name: Use WP_CLI to install WordPress
shell: sudo -E -u www-data /usr/local/bin/wp/wp-cli.phar core download --version={{wp_version}}
- when: wp_installed.rc != 0
args:
chdir: /var/www/dev
vars:
diff --git a/docker-compose.yml b/docker-compose.yml
index 4579315..401156f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -66,9 +66,8 @@ services:
db-dev:
container_name: db-dev
build:
- context: .
- dockerfile: db/Dockerfile
- image: mariadb
+ context: .
+ dockerfile: db/Dockerfile
environment:
USER: sysadmin
MYSQL_DATABASE: wordpress
@@ -79,14 +78,13 @@ services:
restart: on-failure
ports:
- "3306:3306"
- - "22003:22"
+ - "22003:22"
volumes:
- db-data:/var/lib/mysql
- ./sysadmin-ssh-keys/rsa_sysadmin:/home/sysadmin/.ssh/id_rsa:ro
- ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/id_rsa.pub:ro
- ./sysadmin-ssh-keys/rsa_sysadmin.pub:/home/sysadmin/.ssh/authorized_keys:ro
-
volumes:
db-data:
name: db-data
From d1e2e2f7e22112ab3fd43187d870a1355149f731 Mon Sep 17 00:00:00 2001
From: Yi Chien Lee
Date: Tue, 9 Jul 2024 20:24:52 -0700
Subject: [PATCH 21/22] add Wordpress Installation check task in main.yml
---
.../roles/wordpress/tasks/main.yml | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
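Review bot: The re-indented `- "22003:22"` and the existing `"3306:3306"` publish the container's sshd and database on every host interface, and the context lines show the root credential is `root`; for a development stack bind both to loopback, `- "127.0.0.1:3306:3306"` and `- "127.0.0.1:22003:22"`, so nothing else on the network can reach them. The db-dev service starts before this hunk.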
diff --git a/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml b/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
index 1252d5a..f4d174c 100644
--- a/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
+++ b/ansible/etc-ansible-config/roles/wordpress/tasks/main.yml
@@ -41,8 +41,14 @@
group: www-data
mode: '0755'
+- name: Check Wordpress installed
+ stat:
+ path: /var/www/dev/wp-config.php
+ register: wp_config
+
- name: Use WP_CLI to install WordPress
- shell: sudo -E -u www-data /usr/local/bin/wp/wp-cli.phar core download --version={{wp_version}}
+ shell: sudo -u www-data /usr/local/bin/wp/wp-cli.phar core download --version={{wp_version}}
+ when: not wp_config.stat.exists
args:
chdir: /var/www/dev
vars:
@@ -70,6 +76,4 @@
' /var/www/dev/wp-config.php > /var/www/dev/wp-config.tmp \
&& mv /var/www/dev/wp-config.tmp /var/www/dev/wp-config.php
args:
- chdir: /var/www/dev
-
-
+ chdir: /var/www/dev
\ No newline at end of file
From d68f59c0a9516a70ae76449b383a4631e2c4a2f6 Mon Sep 17 00:00:00 2001
From: Yi Chien Lee
Date: Wed, 10 Jul 2024 22:29:37 -0700
Subject: [PATCH 22/22] add db/startupservice.sh to initialize db
---
db/Dockerfile | 8 ++++++--
db/startupservice.sh | 15 +++++++++++++++
2 files changed, 21 insertions(+), 2 deletions(-)
create mode 100644 db/startupservice.sh
diff --git a/db/Dockerfile b/db/Dockerfile
index 25cd61d..d367b98 100644
--- a/db/Dockerfile
+++ b/db/Dockerfile
@@ -30,7 +30,11 @@ RUN mkdir -p /run/sshd
# Expose SSH port
EXPOSE 22
+EXPOSE 3306
-# Start SSH service
-CMD ["/usr/sbin/sshd", "-D"]
+# Add mariadb service startup script
+COPY ./db/startupservice.sh /startupservice.sh
+RUN chmod +x /startupservice.sh
+ENTRYPOINT ["/startupservice.sh"]
+CMD ["mariadbd"]
\ No newline at end of file
diff --git a/db/startupservice.sh b/db/startupservice.sh
new file mode 100644
index 0000000..d21d0ca
--- /dev/null
+++ b/db/startupservice.sh
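Review bot: The new `stat` guard gates only the `core download` task on `/var/www/dev/wp-config.php`, but the configuration task at the second hunk (`awk ... > /var/www/dev/wp-config.tmp \ && mv ... /var/www/dev/wp-config.php`) is not gated and still rewrites wp-config.php on every play, so whatever it substitutes (generated keys, if that is what the awk block does) changes on each run and existing WordPress sessions are invalidated. Add `when: not wp_config.stat.exists` to that task, and to any task between the hunks that writes wp-config.php, so the whole install is idempotent. `shell: sudo -u www-data ...` also bypasses Ansible's own privilege escalation; `command:` with `become: true` and `become_user: www-data` is the idiomatic form and keeps `{{wp_version}}` out of a shell string. The awk command body starts before the second hunk.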
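Review bot: `COPY ./db/startupservice.sh /startupservice.sh` followed by `RUN chmod +x /startupservice.sh` spends a layer on a mode bit; with BuildKit the single line `COPY --chmod=0755 ./db/startupservice.sh /startupservice.sh` does both. The `COPY` source is relative to the compose build context `.`, not to `db/`, so this Dockerfile builds only through compose or with an explicit `-f db/Dockerfile .`; a comment above the line saying so would save the next person a failed build. `EXPOSE 3306` is informational and likely duplicates what the base image declares, which is harmless.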
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -o errexit
+set -o nounset
+
+# https://en.wikipedia.org/wiki/ANSI_escape_code
+E0="$(printf "\e[0m")" # reset
+E1="$(printf "\e[1m")" # bold
+
+echo "${E1}Starting mariadb: http://127.0.0.1:3306${E0}"
+
+# Start mariadb in the background
+docker-entrypoint.sh "$@"
+
+# Start SSH service
+/usr/sbin/sshd -D
\ No newline at end of file
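Review bot: `docker-entrypoint.sh "$@"` runs in the foreground despite the "Start mariadb in the background" comment, so if the MariaDB entrypoint execs the server as the official image's script does, `/usr/sbin/sshd -D` is never reached and SSH never starts; and if it ever did return, `set -o errexit` would abort on a non-zero exit before sshd too. Start sshd first and hand PID 1 to the database so `docker stop` signals reach it: `/usr/sbin/sshd` (it daemonizes without `-D`) followed by `exec docker-entrypoint.sh "$@"`. The echo also labels port 3306 as `http://`, which is misleading since MariaDB speaks its own protocol there.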