Fellowship of Intentional Community Automated VPS Deployment

This repository contains the Ansible playbook used to automatically set up and configure FIC's website VPS, along with a Fabric file used to script maintenance tasks.

We start with a Debian 8 VM from Linode, add nginx, varnish, php-fpm, & mariadb.

Install Dependencies

You'll need to install ansible and fabric on your workstation:

# Arch Linux
sudo pacman -S ansible fabric

Or if you like to use Python virtualenvs:

cd /path/to/this/repo
mkvirtualenv -a "$(pwd)" -i fabric -i ansible fic-vps

Automated Setup

Spin up a VM and install Debian 8 with just an SSH server, sudo, python, and aptitude.

Now either add the IP address to the fic-servers inventory file and create a new file in the host_vars directory, or just modify the IP and host variables for the fic-test host.

Passwords and other secrets are stored in an Ansible Vault file. You'll need to stick the password in playbook/pass.secret. You can edit or view the vaulted file by running ansible-vault edit group_vars/all/vault.yml. If you're forking or re-using this playbook, you should replace our vault file with your own.

Now you can run the ansible playbook. You can specify a different inventory file using the -i flag:

cd playbook/
# To the production server
ansible-playbook fic.yml
# Or to your test server
ansible-playbook fic.yml -i test-servers

Automated Maintenance

The fabfile.py contains Fabric commands you can use to administer the server. Run fab -l to see the provided commands. There is a production role and a test role. You can run commands for specific roles using the -R flag, or specify a host or list of hosts using the -H flag:

fab -R test make_staging
fab -H mytest.yourdomain.com make_staging

Playbook

The playbook does some initial configuration specified by Linode's Getting Started Guide, like fixing the hostname, the hosts file, & the timezone.

Then an administration user is created, and the security configuration from Linode's Security Guide is applied, including Unattended Upgrades, SSH Hardening, Fail2Ban, & an IPTables ruleset.
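A quick way to confirm that the SSH hardening step actually took effect on a host is to audit its sshd_config for the directives you expect. The script below is an added example and is not part of this repository; the four directives it checks are an assumption about what the playbook's "SSH Hardening" covers (adjust the list to match your own tasks), and both config files it reads are constructed samples created in temp files so it runs offline. It honours two sshd rules that naive grep checks miss: the first occurrence of a keyword wins, and anything after a Match line is conditional and should not count.

```shell
#!/bin/sh
# Added example (not from the FIC repository): audit an sshd_config for the
# hardening directives the playbook is expected to set.

# audit_sshd_config FILE
# Prints OK/MISMATCH per directive and returns the number of mismatches,
# so exit status 0 means "hardened as expected".
audit_sshd_config() {
    file="$1"
    failures=0
    # Assumed directive list: "Keyword expected_value" pairs.
    for pair in "PermitRootLogin no" "PasswordAuthentication no" \
                "PubkeyAuthentication yes" "X11Forwarding no"; do
        key="${pair% *}"
        want="${pair#* }"
        # sshd uses the FIRST value it sees for a keyword (case-insensitive),
        # and directives after a Match block only apply conditionally, so stop
        # there. Commented-out defaults ("#PermitRootLogin ...") never match $1.
        got=$(awk -v k="$key" '
            tolower($1) == "match"      { exit }
            tolower($1) == tolower(k)   { print $2; exit }
        ' "$file")
        if [ "$got" = "$want" ]; then
            printf '%-24s OK (%s)\n' "$key" "$got"
        else
            printf '%-24s MISMATCH (want %s, got %s)\n' \
                "$key" "$want" "${got:-<unset>}"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample 1: what a hardened host should look like. The Match block
# re-enabling passwords for one user must NOT count against it.
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
# sshd_config (constructed sample, hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
Match User deploy
    PasswordAuthentication yes
EOF

# Constructed sample 2: stock Debian-style defaults where most directives are
# still commented out, i.e. the playbook's hardening never ran.
DEFAULT=$(mktemp)
cat > "$DEFAULT" <<'EOF'
# sshd_config (constructed sample, untouched defaults)
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
EOF
trap 'rm -f "$HARDENED" "$DEFAULT"' EXIT

for f in "$HARDENED" "$DEFAULT"; do
    echo "== $f"
    if audit_sshd_config "$f"; then
        echo "result: hardened"
    else
        echo "result: $? directive(s) not hardened"
    fi
done
```

On a real host you would copy the script over (or run it through `fab -R test -- sh audit.sh`, assuming you wrap it in a Fabric task) and point `audit_sshd_config` at /etc/ssh/sshd_config; a non-zero exit is a convenient signal for a post-deploy check.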

Outbound mail is sent using SSMTP, which is configured to relay mail to an external SMTP server.

We then install MariaDB and create databases and users for production & staging. MariaDB is then secured using Digital Ocean's Guide.

Nginx is then installed & configured using Linode's LEMP Server Guide. Adminer and Wordpress Production/Staging sites proxying to PHP-FPM are added to Nginx. The Wordpress site configurations are tweaked for usage with Cloudflare and the W3TC plugin. A self-signed, wildcard SSL certificate is generated for the server.

PHP-FPM is installed & configured using Digital Ocean's LEMP Stack Guide.

Varnish is installed & configured to listen on the public interface and forward requests to Nginx (which listens on the internal interface). The Varnish VCL is customized for caching Wordpress sites & skips processing of the Adminer subdomain.

Finally, we set up our Wordpress Production & Staging sites. The code for our Production site is sourced from a private git repository. Scripts are installed into the root user's home directory: an image optimizing script and a database cleaning script for cron, and a staging creation script for creating a staging site from the current production site. An initial staging site is created if one is not already present (use Fabric to refresh it).