Preparing a LEMP Ubuntu 18 Server with WordPress using Ansible

By Ankit Mehta, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

This blog post will cover parameterization and use of the Ansible Galaxy to configure the servers. If you are new to Ansible, read the previous blog post on how Ansible works and some basic configuration.

Parameterization is one of the most important segments of automation. Parameterization can help you reuse the script and file without rewriting the complete solution again.

People frequently ask, “I have only one VPS, will I get any benefits using Ansible?” The answer is yes, whether you have one VPS or multiple VPS servers. Ansible scripts can be used to manage all servers. This not only retains the configuration but also helps in configuring new servers, applying changes to the SSL setup, and configuring and deploying websites on a new cloud hosting provider.

For this blog post we will implement the following solution with Ansible where:

  1. Website Domain is using DNS service from Cloudflare
  2. Website is hosted on Alibaba Cloud Elastic Compute Service (ECS)
  3. The web server is configured with the following
  • Custom SSH port 1992
  • PHP version 7.2
  • MySQL
  • Fail2Ban
  • Swap size 1 GB
  • NGINX web server
  • SSH for root is blocked
  • Firewall to allow only SSH, HTTP and HTTPS
  • SSL from CloudFlare

To achieve the above, this post is divided into two segments:

  1. Prepare LEMP server on Ubuntu 18.04 (Linux, Nginx, MySQL, PHP)
  2. Prepare server for one domain with Cloudflare SSL

Part 1: Preparing LEMP Server on Ubuntu 18.04

Prerequisites

Make sure that the server is ready and accessible from the Ansible host. To configure the Ansible host, refer to the Ansible Basics blog post.

Install NGINX

There are multiple Ansible Galaxy roles available to install NGINX. However, from my own experience, it is better to use APT to install NGINX. A complete list of Ansible Galaxy roles can be found on https://galaxy.ansible.com/

The following block will install NGINX on the server and make sure that the service is enabled.

Save the above block as install-nginx.yml and run it with the following command.

Install PHP

Different Ubuntu versions come with support for different PHP versions. During the time of this post PHP version 7.2

Ansible Galaxy reduces the number of tasks needed to install the required dependencies quickly. “Ansible Galaxy refers to the Galaxy website where users can share roles, and to a command line tool for installing, creating and managing roles.”

To install PHP, two Ansible Galaxy roles are needed: PHP version and PHP (they can be installed in any order).

To install PHP version, enter the following command

Once the Ansible Galaxy roles are installed, prepare the installation YAML file. The Ansible roles require a variable file. For demonstration purposes, the variables are stored in the vars/main.yml file. In this case, we added the PHP version, PHP settings (settings for the php.ini file) and the required PHP extensions to the vars file.

The following are the contents of the main.yml file

The code snippet below is the installation YAML file (php-install.yml)

To install PHP, enter the following command

Install MariaDB

Likewise, many packages are available to install MySQL/MariaDB. However, the best option is to use the direct install package. MariaDB/MySQL requires the Python PyMySQL package on the server. The following installation block will install the dependencies and MySQL.

Save the above block as mysql-install.yml and run the following command to install.

Configure Swap

Linux uses swap space to increase the amount of virtual memory available to a host. It can use one or more dedicated swap partitions or a swap file on a regular filesystem or logical volume. An Ansible Galaxy role makes it easy to configure the swap space.

Install the swap Ansible role with the following command

Set the expected swap space and pressure details in vars/main.yml

Save the following code block as swap-install.yml

To configure the swap, run the following command

Update the parameter swap_file_size if a larger swap file is needed. With the current configuration, it will create a swap file of 1 GB.

Configure Security

Web server security is the most integral part of any server (ECS) configuration. To improve security, it is recommended to disable root login, disable password login, change the SSH port and activate fail2ban. (Please note that there are many more features and services to improve Linux server security.)

To install the Linux security Ansible role, run the following command

Add the following variables to vars/main.yml

Save the following code block as install-security.yml

To apply the security configuration, run

For the example above, the SSH port will be changed to 65239 after the successful run of the test.

Configure Firewall

Applying the firewall configuration protects the server from known network attacks. As the application is going to use only the HTTP, HTTPS, and SSH ports, it is recommended to block access to all other ports. To install the firewall Ansible Galaxy role, run the following command.

Provide the port details in the vars/main.yml file

Save the following code block as install-firewall.yml

To apply the firewall changes, run the following command

Note: Make sure to apply the firewall changes for the ECS instance as well. To apply the changes, navigate to ECS > Security Group > Add Rule
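
The SSH and firewall changes described above depend on each other: the custom SSH port has to be allowed before the default-deny policy takes effect, and a broken sshd_config must never be written. The playbook below is an added example, not the author's code; it uses Ansible modules directly instead of the Galaxy roles the post installs, and the inventory group web and the variable name ssh_port are assumptions.

```yaml
# Added example (not from the original post): SSH hardening plus firewall,
# ordered so the custom SSH port is open before sshd moves to it.
- hosts: web                 # hypothetical inventory group
  become: true
  vars:
    ssh_port: 1992           # custom SSH port from the requirements list
  tasks:
    - name: Allow SSH (custom port), HTTP and HTTPS
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: ["{{ ssh_port }}", "80", "443"]

    - name: Set port, block root login and password login in sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s   # reject a config sshd cannot parse
      loop:
        - { key: Port, value: "{{ ssh_port }}" }
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
      notify: restart ssh

    - name: Install fail2ban
      ansible.builtin.apt:
        name: fail2ban
        state: present
        update_cache: true

    - name: Start fail2ban and enable it at boot
      ansible.builtin.service:
        name: fail2ban
        state: started
        enabled: true

    # Last task: everything not allowed above is dropped from here on.
    - name: Deny other inbound traffic and enable the firewall
      community.general.ufw:
        state: enabled
        default: deny
        direction: incoming
  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Confirm that key-based login works for a non-root sudo user before running this, because root and password logins are both switched off. The handler restarts sshd at the end of the play, so later runs must connect on the new port.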


A sample LEMP installation script can be found at https://github.com/ankyit/ansible-lemp-wordpress/tree/master/LEMP

Part 2: Prepare Server for One Domain with Cloudflare SSL

Prerequisites

  1. A LEMP server
  2. A domain name with DNS on Cloudflare
  3. An SSL certificate
  4. Website with a database (in this case, a WordPress demo site)

In the segment above, we discussed the preparation of the LEMP server in detail. This segment covers installing a WordPress website using Ansible.

The following is the high-level structure of the site deployment configuration. Note that the layout can be defined and configured as needed.


Here, the certs directory contains the SSL certificate and key file. The sites-config folder contains the NGINX configuration. The sites folder contains the files and folder structure of the website. The vars folder contains the site variables.

The hosts.yml file contains the host information, and deploy-site.yml contains the steps/tasks for the site deployment.

The deploy-site.yml file extends the functionalities covered in the blog posts.

Tasks from deploy-site.yml

The following block will copy the certificate and key file from the certs folder to the /etc/nginx/ssl folder. Here {{site_url}} is a dynamic parameter and its values are replaced on the fly from vars/main.yml

The following code block will copy the NGINX configuration file for the website and store it in /etc/nginx/sites-available

The following code block will create a symbolic link for the URL from sites-available to sites-enabled.

The following code block will create a website folder under /var/www/

The following code block will copy the files from the sites folder to /var/www/ using rsync. Here, the delete: yes option removes files at the destination if they have been deleted from the source.

The following code block will create a database.

The following code block will create a user and assign the DB privileges.

The following code block will import the database

The following code block will set the directory owner to www-data with 0755 permissions.

The following code block will restart NGINX and PHP-FPM
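
The tasks described above handle a private key and database credentials, so file modes and privileges matter. The play below is an added example, not the author's deploy-site.yml; it covers only the certificate, NGINX configuration and database-user steps. Only site_url comes from the post, while db_name, db_user, db_password, the file names under certs/ and sites-config/, the group web and the socket path are assumptions.

```yaml
# Added example (not from the original post): TLS, NGINX and database tasks
# with tight permissions. Only site_url is named in the post; db_name,
# db_user, db_password, the file names and the group "web" are assumed.
- hosts: web
  become: true
  vars_files:
    - vars/main.yml
  tasks:
    - name: Create the TLS directory, accessible to root only
      ansible.builtin.file:
        path: /etc/nginx/ssl
        state: directory
        owner: root
        mode: "0700"

    - name: Copy certificate (0644) and private key (0600)
      ansible.builtin.copy:
        src: "certs/{{ site_url }}.{{ item.ext }}"
        dest: "/etc/nginx/ssl/{{ site_url }}.{{ item.ext }}"
        owner: root
        mode: "{{ item.mode }}"
      loop:
        - { ext: pem, mode: "0644" }
        - { ext: key, mode: "0600" }

    - name: Install the site's NGINX configuration
      ansible.builtin.copy:
        src: "sites-config/{{ site_url }}"
        dest: "/etc/nginx/sites-available/{{ site_url }}"
        mode: "0644"

    - name: Enable the site
      ansible.builtin.file:
        src: "/etc/nginx/sites-available/{{ site_url }}"
        dest: "/etc/nginx/sites-enabled/{{ site_url }}"
        state: link

    - name: Validate the NGINX configuration before any restart
      ansible.builtin.command: nginx -t
      changed_when: false

    - name: Create a DB user limited to the site's own database
      community.mysql.mysql_user:
        name: "{{ db_user }}"
        password: "{{ db_password }}"   # store in an Ansible Vault file
        host: localhost
        priv: "{{ db_name }}.*:ALL"
        login_unix_socket: /var/run/mysqld/mysqld.sock
      no_log: true
```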

Note: All the scripts discussed here can be accessed from https://github.com/ankyit/ansible-lemp-wordpress

Reference: https://www.alibabacloud.com/blog/preparing-a-lemp-ubuntu-18-server-with-wordpress-using-ansible_594655?spm=a2c41.12741389.0.0
