-
Notifications
You must be signed in to change notification settings - Fork 0
/
wp-cloud-config-le.yml
317 lines (273 loc) · 10.6 KB
/
wp-cloud-config-le.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
# WordPress with LetsEncrypt Support
# This will Install WordPress on Nginx and MariaDB
# with automatic LetsEncrypt support.
# update packages
package_update: true
# packages to install
packages:
- nginx
- certbot
- python3-certbot-nginx
- mariadb-server
- redis-server
- php7.4-fpm
- php7.4-mysql
- php7.4-common
- php7.4-xml
- php7.4-xmlrpc
- php7.4-curl
- php7.4-gd
- php7.4-imagick
- php7.4-cli
- php7.4-dev
- php7.4-imap
- php7.4-intl
- php7.4-mbstring
- php7.4-opcache
- php7.4-redis
- php7.4-soap
- php7.4-zip
# add developer user
users:
- default
- name: developer
sudo: ALL=(ALL) NOPASSWD:ALL
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF3HmIwJ7hOeUbP69BKcuRnhmrkicZJMGYUeDfN1XH/E kaleb@jamfire.io
# write files needed for wordpress app
write_files:
- path: /home/ubuntu/wordpress-cron.sh
content: |
#!/bin/bash
# This script runs all due events on every WordPress site in a Multisite install, using WP CLI.
# To be run by the "www-data" user every 15 minutes.
PATH_TO_WORDPRESS="/var/www/wordpress/public"
DEBUG=false
DEBUG_LOG=/var/log/wp-cron
if [ "$DEBUG" = true ]; then
echo $(date -u) "Running WP Cron for all sites." >> $DEBUG_LOG
fi
for URL in = $(wp site list --field=url --path="/var/www/wordpress/public" --deleted=0 --archived=0)
do
if [[ $URL == "http"* ]]; then
if [ "$DEBUG" = true ]; then
echo $(date -u) "Running WP Cron for $URL:" >> $DEBUG_LOG
wp cron event run --due-now --url="$URL" --path="$PATH_TO_WORDPRESS" >> $DEBUG_LOG
else
wp cron event run --quiet --due-now --url="$URL" --path="$PATH_TO_WORDPRESS"
fi
fi
done
owner: 'ubuntu:ubuntu'
permissions: '0640'
- path: /etc/cron.d/wordpress
content: |
*/15 * * * * www-data /bin/bash /home/ubuntu/wordpress-cron.sh
append: true
- path: /etc/nginx/sites-available/default
content: |
fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
server {
# server information
server_name _;
# Logging
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# End Logging
root /var/www/wordpress/public;
index index.php;
# Enable Gzip compression
gzip on;
# Compression level (1-9)
gzip_comp_level 5;
# Don't compress anything under 256 bytes
gzip_min_length 256;
# Compress output of these MIME-types
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-font-opentype
application/x-font-truetype
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/opentype
font/otf
image/svg+xml
image/x-icon
image/vnd.microsoft.icon
text/css
text/plain
text/javascript
text/x-component;
# Disable gzip for bad browsers
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# Restrictions
# Disable logging for favicon and robots.txt
location = /favicon.ico {
log_not_found off;
access_log off;
}
# Robots
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# stop robots at wp-admin
location @robots {
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Deny access to Wordfence .user.ini
location ~ ^/\.user\.ini {
deny all;
}
# End Restrictions
# Caching
set $skip_cache 0;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $no_cache 1;
}
if ($query_string != "") {
set $skip_cache 1;
}
# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $skip_cache 1;
}
# Don't use the cache for logged in users or recent commenters
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $skip_cache 1;
}
#end Caching
# WordPress multisite rules.
location / {
# This is cool because no php is touched for static content.
# include the "?$args" part so non-default permalinks doesn't break when using query string
try_files $uri $uri/ /index.php?$args;
}
# Add support for subdirectory structure in WordPress Multisite
if (!-e $request_filename) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^(/[^/]+)?(/wp-.*) $2 last;
rewrite ^(/[^/]+)?(/.*.php) $2 last;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Directives to send expires headers and turn off 404 error logging.
location ~* ^.+\.(eot|otf|woff|woff2|ttf|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off; log_not_found off; expires max;
}
# Media: images, icons, video, audio send expires headers.
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
# CSS and Javascript send expires headers.
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
# HTML send expires headers.
location ~* \.(html)$ {
expires 7d;
access_log off;
add_header Cache-Control "public";
}
# Browser caching of static assets.
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ {
expires 1y;
add_header Cache-Control "public, no-transform";
}
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ \.php$ {
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
fastcgi_cache WORDPRESS;
fastcgi_cache_valid 200 301 302 60m;
fastcgi_cache_min_uses 1;
fastcgi_cache_lock on;
add_header X-WP-Cache $upstream_cache_status;
}
}
owner: 'nginx:nginx'
permissions: '0640'
defer: true
- path: /etc/php/7.4/fpm/conf.d/custom.ini
content: |
memory_limit = 256M
upload_max_filesize = 64M
post_max_size = 64M
owner: 'root:root'
permissions: '0644'
- path: /etc/cron.d/letsencrypt_renew
content: "15 3 * * * /usr/bin/certbot renew --quiet"
owner: root:root
runcmd:
# variables
- export DOMAIN=wordpress.local
- export EMAIL=email@wordpress.local
- export MARIA_DB_PASS=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 13 ; echo '')
- export WP_USER=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 13 ; echo '')
- export WP_PASS=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 13 ; echo '')
- export WP_DB=wordpress
- export WP_ENV=production
# mariadb setup
- sudo mysql -e "create database wordpress;"
- sudo mysql -e "CREATE USER '${WP_USER}'@'localhost' IDENTIFIED BY '${WP_PASS}';"
- sudo mysql -e "GRANT ALL PRIVILEGES ON ${WP_DB}.* TO '${WP_USER}'@'localhost';"
- sudo mysql -e "FLUSH PRIVILEGES;"
# wordpress download and install
- curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
- chmod +x wp-cli.phar
- sudo mv wp-cli.phar /usr/local/bin/wp
- sudo mkdir -p /var/www/wordpress/public
- sudo chown -R www-data:www-data /var/www/wordpress/public
- sudo -u www-data wp core download --path=/var/www/wordpress/public
- sudo -u www-data wp config create --path=/var/www/wordpress/public --dbname=wordpress --dbuser=${WP_USER} --dbpass=${WP_PASS} --locale=en_US
- sudo -u www-data wp config set --path=/var/www/wordpress/public WP_ENVIRONMENT_TYPE ${WP_ENV}
- sudo -u www-data wp config set --path=/var/www/wordpress/public WP_AUTO_UPDATE_CORE true --raw
- sudo -u www-data wp config set --path=/var/www/wordpress/public DISABLE_WP_CRON true --raw
- sudo -u www-data wp config set --path=/var/www/wordpress/public COOKIE_DOMAIN ${DOMAIN}
- sudo -u www-data wp config set --path=/var/www/wordpress/public FS_METHOD direct
# cron setup
- chmod +x /home/ubuntu/wordpress-cron.sh
# system
- echo "# delete this file" >> /home/ubuntu/.keyfile
- echo "mariadb_password=${MARIA_DB_PASS}" >> /home/ubuntu/.keyfile
- echo "wordpress_username=${WP_USER}" >> /home/ubuntu/.keyfile
- echo "wordpress_password=${WP_PASS}" >> /home/ubuntu/.keyfile
- echo "wordpress_database=wordpress" >> /home/ubuntu/.keyfile
# nginx setup
- sed -i 's/server_name _;/server_name '${DOMAIN}';/' /etc/nginx/sites-available/default
- sudo systemctl restart nginx
- sleep 30s
- certbot --nginx -n -d $DOMAIN --email $EMAIL --agree-tos --redirect #--hsts