Merge pull request #2166 from holta/wordpress-scaffolding

Wordpress & Munin scaffolding (WIP)

roles/munin/tasks/main.yml

@@ -1,6 +1,6 @@
-- name: Install Munin if it does not appear installed in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- name: Install Munin if 'munin_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
   include_tasks: install.yml
-  when: not munin_installed is defined
+  when: munin_installed is undefined
 
 - name: Enable or Disable Munin
   include_tasks: enable-or-disable.yml

roles/wordpress/defaults/main.yml

@@ -14,11 +14,9 @@ wp_db_name: iiab_wp
 wp_db_user: iiab_wp
 wp_db_user_password: changeme
 
-wp_install_path: "{{ content_base }}"
-#wp_install_path: /library
+wp_install_path: "{{ content_base }}"    # /library
 
-wp_abs_path: "{{ wp_install_path }}/wordpress"
-#wp_abs_path: /library/wordpress
+wp_abs_path: "{{ wp_install_path }}/wordpress"    # /library
 
-wp_url: /wordpress
+wp_url: /wordpress    # For http://box/wordpress
 wp_full_url: "http://{{ iiab_hostname }}{{ wp_url }}"

roles/wordpress/tasks/enable-or-disable.yml

@@ -0,0 +1,35 @@
+# Apache
+
+- name: Enable http://box{{ wp_url }} via Apache
+  command: a2ensite wordpress.conf
+  when: apache_install and wordpress_enabled
+
+- name: Disable http://box{{ wp_url }} via Apache
+  command: a2dissite wordpress.conf
+  when: apache_install and not wordpress_enabled
+
+- name: Restart Apache systemd service ({{ apache_service }})
+  systemd:
+    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
+    state: restarted
+  when: apache_install and apache_enabled
+
+# NGINX
+
+- name: Enable http://box{{ wp_url }} via NGINX, by installing {{ nginx_config_dir }}/wordpress-nginx.conf from template
+  template:
+    src: wordpress-nginx.conf.j2
+    dest: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
+  when: wordpress_enabled    # and nginx_enabled
+
+- name: Disable http://box{{ wp_url }} via NGINX, by removing {{ nginx_config_dir }}/wordpress-nginx.conf
+  file:
+    path: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
+    state: absent
+  when: not wordpress_enabled
+
+- name: Restart 'nginx' systemd service
+  systemd:
+    name: nginx
+    state: restarted
+  #when: nginx_enabled | bool

roles/wordpress/tasks/enable.yml

@@ -1,62 +0,0 @@
-# Apache
-
-- name: Enable http://box{{ wp_url }} via Apache
-  command: a2ensite wordpress.conf
-  when: apache_install and wordpress_enabled
-
-- name: Disable http://box{{ wp_url }} via Apache
-  command: a2dissite wordpress.conf
-  when: apache_install and not wordpress_enabled
-
-- name: Restart Apache systemd service ({{ apache_service }})
-  systemd:
-    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
-    state: restarted
-  when: apache_enabled | bool
-
-# NGINX
-
-- name: Enable http://box{{ wp_url }} via NGINX, by installing {{ nginx_config_dir }}/wordpress-nginx.conf from template
-  template:
-    src: wordpress-nginx.conf.j2
-    dest: "{{ nginx_config_dir }}/wordpress-nginx.conf"
-  when: nginx_install and wordpress_enabled
-
-- name: Disable http://box{{ wp_url }} via NGINX, by removing {{ nginx_config_dir }}/wordpress-nginx.conf
-  file:
-    path: "{{ nginx_config_dir }}/wordpress-nginx.conf"
-    state: absent
-  when: nginx_install and not wordpress_enabled
-
-- name: Restart 'nginx' systemd service
-  systemd:
-    name: nginx
-    state: restarted
-  when: nginx_enabled | bool
-
-
-- name: Add 'wordpress' variable values to {{ iiab_ini_file }}
-  ini_file:
-    path: "{{ iiab_ini_file }}"
-    section: wordpress
-    option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
-  with_items:
-    - option: name
-      value: WordPress
-    - option: description
-      value: '"WordPress is a blog and web site management application."'
-    - option: wordpress_src
-      value: "{{ wordpress_src }}"
-    - option: wp_abs_path
-      value: "{{ wp_abs_path }}"
-    - option: wp_db_name
-      value: "{{ wp_db_name }}"
-    - option: wp_db_user
-      value: "{{ wp_db_user }}"
-    - option: wp_url
-      value: "{{ wp_url }}"
-    - option: wp_full_url
-      value: "{{ wp_full_url }}"
-    - option: wordpress_enabled
-      value: "{{ wordpress_enabled }}"

roles/wordpress/tasks/install.yml

@@ -16,8 +16,6 @@
     url: "{{ wordpress_download_base_url }}/{{ wordpress_src }}"
     dest: "{{ downloads_dir }}"
     timeout: "{{ download_timeout }}"
-    # force: yes
-    # backup: yes
   register: wp_download_output
   when: internet_available | bool
 
@@ -42,49 +40,52 @@
   unarchive:
     src: "{{ downloads_dir }}/wordpress.tar.gz"
     dest: "{{ wp_install_path }}"
-    # owner: root
+    owner: root    # 2020-01-17: confirmed that wordpress.tar.gz (otherwise) unpacks as nobody:nogroup, with all files as '0644', and all dirs as '0755'
     group: "{{ apache_user }}"    # DO WE REALLY STILL WANT THIS FOR NGINX?
-    mode: '0664'
+    mode: '0664'    # PHP/Apache/NGINX apparently need g+rw (group write access, not just read) similar to '0775' for directory traversing below
     keep_newer: yes
 
-- name: Make /library/wordpress directories 775 so Apache can traverse and write (most files remain 0664)
-  command: "/usr/bin/find {{ wp_abs_path }} -type d -exec chmod 775 {} +"
+- name: Make {{ wp_abs_path }} directories 775 so PHP/Apache/NGINX can traverse and write (above files remain 664)
+  command: "/usr/bin/find {{ wp_abs_path }} -type d -exec chmod 775 {} +"    # /library/wordpress
 
-- name: Install {{ wp_abs_path }}/wp-keys.php.BAK
+# 4 stanzas to install wp-keys.php.BAK, wp-keys.php & wp-config.php into /library/wordpress
+
+- name: Install {{ wp_abs_path }}/wp-keys.php.BAK from template (if file does not already exist) in case download of 8 dynamically-generated salts/keys fails below
   copy:
     src: wp-keys.php.BAK
-    dest: "{{ wp_abs_path }}/wp-keys.php.BAK"
-    # owner: root
+    dest: "{{ wp_abs_path }}/wp-keys.php.BAK"    # /library/wordpress
+    owner: root
     group: "{{ apache_user }}"    # DO WE REALLY STILL WANT THIS FOR NGINX?
     mode: '0640'
-
-# Fetch random salts for WordPress config into wp-keys.php file by generating script and running
+    force: no    # Preserve site's unique keys, as might have been placed into .BAK during an earlier run, by the script below
 
 - name: Install script /tmp/get-iiab-wp-salts from template
   template:
     src: get-iiab-wp-salts.j2
     dest: /tmp/get-iiab-wp-salts
-    # owner: root
-    # group: root
+    owner: root
+    group: root
     mode: '0700'
 
-- name: Run /tmp/get-iiab-wp-salts to create /library/wordpress/wp-keys.php
+- name: Run /tmp/get-iiab-wp-salts to download 8 random salts/keys, creating a new {{ wp_abs_path }}/wp-keys.php (or if nec, copy from known/prior {{ wp_abs_path }}/wp-keys.php.BAK)    # /library/wordpress
   command: /tmp/get-iiab-wp-salts
+  #when: internet_available | bool    # Better to run it every time, installing from wp-keys.php.BAK if download fails
 
-- name: Remove script /tmp/get-iiab-wp-salts
-  file:
-    path: /tmp/get-iiab-wp-salts
-    state: absent
+# Don't Bother: /tmp file are deleted on reboot!
+#- name: Remove script /tmp/get-iiab-wp-salts
+#  file:
+#    path: /tmp/get-iiab-wp-salts
+#    state: absent
 
-- name: Install {{ wp_abs_path }}/wp-config.php
+- name: Install {{ wp_abs_path }}/wp-config.php    # /library/wordpress
   template:
     src: wp-config.php.j2
     dest: "{{ wp_abs_path }}/wp-config.php"
-    # owner: root
+    owner: root
     group: "{{ apache_user }}"    # DO WE REALLY STILL WANT THIS FOR NGINX?
-    mode: '0660'
+    mode: '0660'    # Others strongly recommend '0600' (or do Apache/NGINX really need group read & write permissions?)
 
-- name: Install etc/{{ apache_config_dir }}/wordpress.conf from template, for http://box{{ wp_url }}
+- name: Install etc/{{ apache_config_dir }}/wordpress.conf from template, for http://box{{ wp_url }} via Apache
   template:
     src: wordpress.conf.j2
     dest: "/etc/{{ apache_config_dir }}/wordpress.conf"

roles/wordpress/tasks/main.yml

@@ -1,14 +1,38 @@
 # SEE "emergency" REINSTALL INSTRUCTIONS IN roles/wordpress/tasks/install.yml
 
-- name: Provision MySQL DB for WordPress
+- name: Provision MySQL DB for WordPress, if 'wordpress_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
   include_tasks: setup.yml
-  when: wordpress_install and not installing
+  when: wordpress_installed is undefined    # and not installing
 
-- name: Install WordPress if wordpress_installed is absent
+- name: Install WordPress if 'wordpress_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
   include_tasks: install.yml
-  when: wordpress_install and not wordpress_installed is defined
+  when: wordpress_installed is undefined
 
-- name: Enable WordPress
-  include_tasks: enable.yml
-  when: wordpress_install or wordpress_installed is defined
-  # when: wordpress_enabled | bool
+- name: Enable or Disable WordPress
+  include_tasks: enable-or-disable.yml
+
+- name: Add 'wordpress' variable values to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"
+    section: wordpress
+    option: "{{ item.option }}"
+    value: "{{ item.value | string }}"
+  with_items:
+    - option: name
+      value: WordPress
+    - option: description
+      value: '"WordPress is a blog and web site management application."'
+    - option: wordpress_src
+      value: "{{ wordpress_src }}"
+    - option: wp_abs_path
+      value: "{{ wp_abs_path }}"
+    - option: wp_db_name
+      value: "{{ wp_db_name }}"
+    - option: wp_db_user
+      value: "{{ wp_db_user }}"
+    - option: wp_url
+      value: "{{ wp_url }}"
+    - option: wp_full_url
+      value: "{{ wp_full_url }}"
+    - option: wordpress_enabled
+      value: "{{ wordpress_enabled }}"

roles/wordpress/tasks/setup.yml

@@ -1,4 +1,4 @@
-- name: Start MySQL systemd service
+- name: Start MySQL systemd service ({{ mysql_service }})
   systemd:
     state: started
     name: "{{ mysql_service }}"
@@ -6,11 +6,9 @@
 - name: 'Create MySQL database for WordPress: {{ wp_db_name }}'
   mysql_db:
     name: "{{ wp_db_name }}"
-    state: present
 
-- name: Create MySQL username ({{ wp_db_user }}) with password, for WordPress database
+- name: Create MySQL username ({{ wp_db_user }}) with password, for above database
   mysql_user:
     name: "{{ wp_db_user }}"
     password: "{{ wp_db_user_password }}"
     priv: "{{ wp_db_name }}.*:ALL,GRANT"
-    state: present

roles/wordpress/templates/get-iiab-wp-salts.j2

@@ -1,20 +1,21 @@
 #!/bin/bash
-# Get salt constants and write to wp-keys.php
+# Download 8 dynamically-generated salt/key constants and write to wp-keys.php
 #
 # by Tim Moody tim@timmoody.com
-DEST=/library/wordpress/wp-keys.php
-BACKUP=/library/wordpress/wp-keys.php.BAK
+
+DEST={{ wp_abs_path }}/wp-keys.php    # /library/wordpress
+BACKUP={{ wp_abs_path }}/wp-keys.php.BAK
 
 echo '<?php' > $DEST
 curl https://api.wordpress.org/secret-key/1.1/salt/ >> $DEST
 RC=$?
 
 # if the download of keys failed, revert to previous version
-if [  $RC -ne 0  ];then
-  cp  $BACKUP $DEST
+if [ $RC -ne 0 ]; then
+    cp $BACKUP $DEST
 else
-  echo '?>' >> $DEST
-  chown root:{{ apache_user }} $DEST
-  chmod 640 $DEST
-  cp -f $DEST $BACKUP
+    echo '?>' >> $DEST
+    chown root:{{ apache_user }} $DEST
+    chmod 640 $DEST
+    cp -f $DEST $BACKUP
 fi