The `cloud-init.yml` configuration file:
- Creates a default user `dmitry` with a public key and gives it sudo permissions
- Configures and enables unattended-upgrades
- Enables the firewall and lets SSH through it
- Seeds entropy with pollinate from Ubuntu's entropy server
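A cloud-config that does the four things listed above, as an added example. It is not the project's own `cloud-init.yml` (whose contents are not shown on this page): the SSH public key is a placeholder, and passwordless sudo, key-only SSH login and writing `20auto-upgrades` explicitly are assumptions, not statements about the project's file.

```yaml
#cloud-config
# Added example, not the project's cloud-init.yml. Runs on first boot.

# Listing "users" without "default" means the stock "ubuntu" account is
# not created; dmitry is the only login user (assumption).
users:
  - name: dmitry
    groups: [sudo]
    shell: /bin/bash
    lock_passwd: true                   # no password at all: key-only account
    sudo: "ALL=(ALL) NOPASSWD:ALL"      # assumption: passwordless sudo, since the account has no password
    ssh_authorized_keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... dmitry@workstation"   # placeholder: paste your own public key

disable_root: true                       # never enable root login over SSH
ssh_pwauth: false                        # assumption: sshd accepts keys only

package_update: true
package_upgrade: true
packages:
  - unattended-upgrades
  - ufw
  - pollinate

# Make the unattended-upgrades schedule explicit instead of relying on the
# package's post-install default (assumption; same effect on stock Ubuntu).
write_files:
  - path: /etc/apt/apt.conf.d/20auto-upgrades
    permissions: "0644"
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";

# cloud-init has no firewall module, so ufw is driven from runcmd.
# Order matters: allow OpenSSH before enabling, or a reboot locks you out.
runcmd:
  - systemctl enable --now unattended-upgrades
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow OpenSSH
  - ufw --force enable
  # pollinate defaults to Ubuntu's entropy server; --reseed forces a fresh
  # request even if the package's first-boot unit already ran.
  - pollinate --reseed
```

Everything above is first-boot only: cloud-init does not re-run `runcmd` on later boots, so later changes to the firewall or the user belong to the Ansible playbook described next.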
The Ansible playbook:
- Installs and configures MariaDB, Nginx, WordPress, and Certbot
- Stores the generated MariaDB credentials in the `.credentials` directory
- Acquires a Let's Encrypt certificate using the `dns-01` challenge with the configured DNS provider
  - Google Cloud Platform service account credentials in a JSON file (instructions)
    - Configure the file path as `certbot_dns.google_credentials_file`
  - CloudFlare API token (instructions)
    - Configure the token as `certbot_dns.cloudflare_api_token`
  - The playbook uses the Let's Encrypt staging environment by default
    - Make sure to override `certbot_server` with the production server
- Hardens the system and its running services
Install the devsec.hardening collection before running the playbook:
$ ansible-galaxy collection install devsec.hardening
Create a `.vars.yml` file and set the required variable values. `ssh_allow_users` becomes the sshd AllowUsers list once hardening runs, so it must include the user you will log in as afterwards, or you lock yourself out. The `certbot_server` value below is the production endpoint, overriding the staging default. The file also holds your DNS API credential, so keep it out of version control and readable only by you:
ssh_allow_users: john
wordpress_http_hosts:
  - john.example.net
  - doe.example.com
certbot_email: john@doe.example.com
certbot_server: https://acme-v02.api.letsencrypt.org/directory
certbot_dns:
  cloudflare_api_token: 0123456789abcdef0123456789abcdef01234567
To use Google Cloud Platform DNS instead, configure the service account credentials file path:
certbot_dns:
  google_credentials_file: ~/certbot-service-account.json
Run the playbook:
$ ansible-playbook playbook.yml --limit <host-name> --user <remote-user> --extra-vars @.vars.yml
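Two of the settings above fail silently when wrong: leaving `certbot_server` at the staging default yields a certificate browsers reject, and an `ssh_allow_users` that omits your login user locks you out as soon as hardening applies. The following pre-flight play is an added example, not part of the project; it reads only the variables the README defines for `.vars.yml` and refuses to continue if they are inconsistent. The file name `preflight.yml` and the task wording are assumptions.

```yaml
# preflight.yml (hypothetical name): run with the same --limit/--user/--extra-vars
# as playbook.yml. Added example, not part of the project.
- name: Validate .vars.yml before deploying WordPress
  hosts: all
  gather_facts: true          # needed for ansible_user_id, the user we logged in as
  tasks:
    - name: Refuse to issue certificates from the Let's Encrypt staging environment
      ansible.builtin.assert:
        that:
          - certbot_server is defined
          - certbot_server == 'https://acme-v02.api.letsencrypt.org/directory'
        fail_msg: >-
          certbot_server is '{{ certbot_server | default('unset') }}'; staging
          certificates are not trusted by browsers. Override it in .vars.yml.

    - name: Require exactly one DNS provider credential
      ansible.builtin.assert:
        that:
          - certbot_dns is defined
          - (certbot_dns.cloudflare_api_token is defined) != (certbot_dns.google_credentials_file is defined)
        fail_msg: >-
          Set either certbot_dns.cloudflare_api_token or
          certbot_dns.google_credentials_file, not both and not neither.

    # The service account key lives on the control node, so stat it locally.
    - name: Check the Google service account key on the control node
      when: certbot_dns.google_credentials_file is defined
      ansible.builtin.stat:
        path: "{{ certbot_dns.google_credentials_file }}"   # stat expands ~
      delegate_to: localhost
      register: sa_key

    - name: Refuse a missing or group/world-readable service account key
      when: certbot_dns.google_credentials_file is defined
      ansible.builtin.assert:
        that:
          - sa_key.stat.exists
          - sa_key.stat.mode == '0600'
        fail_msg: >-
          {{ certbot_dns.google_credentials_file }} must exist and be mode 0600;
          it grants write access to your DNS zone.

    # devsec's ssh_hardening turns ssh_allow_users into sshd AllowUsers.
    # If the user we are connected as is not on it, the next login fails.
    - name: Refuse an SSH allow-list that would lock out the deploying user
      ansible.builtin.assert:
        that:
          - ssh_allow_users is defined
          - ansible_user_id in (ssh_allow_users | string).split()
        fail_msg: >-
          ssh_allow_users ('{{ ssh_allow_users | default('') }}') must include
          '{{ ansible_user_id }}', the user this play is running as.
```

Run it with the same arguments as the real playbook, for example `ansible-playbook preflight.yml --limit <host-name> --user <remote-user> --extra-vars @.vars.yml`; any failed assertion stops the play before `playbook.yml` touches the host.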