Wordpress Vagrantfile (Nginx + MariaDB)
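# -*- mode: ruby -*-
# vi: set ft=ruby :
#
# Two-VM WordPress lab: "wordpress-db" (MariaDB) and "wordpress-web"
# (nginx + PHP-FPM). Both VMs sit on the same bridged network and the web
# VM reaches the database over MySQL only.
#
# Site-specific values are read from the environment before `vagrant up`
# (WP_BRIDGE, WP_DB_IP, WP_WEB_IP, WP_NETMASK, WP_DB_ROOT_PASSWORD,
# WP_DB_NAME, WP_DB_USER, WP_DB_PASSWORD). The defaults are the gist's
# original placeholders; the two passwords in particular are meant to be
# overridden rather than kept.
bridge  = ENV.fetch("WP_BRIDGE", "Intel(R) Wireless-AC 9560 160MHz")
db_ip   = ENV.fetch("WP_DB_IP", "192.168.43.10")
web_ip  = ENV.fetch("WP_WEB_IP", "192.168.43.11")
netmask = ENV.fetch("WP_NETMASK", "255.255.255.0")

db_root_password = ENV.fetch("WP_DB_ROOT_PASSWORD", "pfY[5&kJ[jVr")
wp_db_name       = ENV.fetch("WP_DB_NAME", "wordpress")
wp_db_user       = ENV.fetch("WP_DB_USER", "wordpressuser")
wp_db_password   = ENV.fetch("WP_DB_PASSWORD", "cU+2:S*p-Kf?")

# Handed to both shell provisioners through the provisioner's `env` option.
# Keeping the values out of the scripts lets the scripts be non-interpolating
# heredocs (<<~'SHELL'), so Ruby escape rules no longer rewrite their
# contents (with an interpolating heredoc, "\." in the nginx regexes below
# would have reached nginx as ".").
# The SQL statements built from these values are not escaped: a value that
# contains a single quote would break the statement.
provision_env = {
  "DB_IP" => db_ip,
  "WEB_IP" => web_ip,
  "DB_ROOT_PASSWORD" => db_root_password,
  "WP_DB_NAME" => wp_db_name,
  "WP_DB_USER" => wp_db_user,
  "WP_DB_PASSWORD" => wp_db_password
}

Vagrant.configure("2") do |config|
  config.vm.box = "hashicorp/bionic64"
  config.vm.box_check_update = true

  # ------------------------------------------------------------ database VM
  config.vm.define "wordpress-db", primary: true do |wordpress_db|
    wordpress_db.vm.hostname = "wordpress-db"
    wordpress_db.vm.network "public_network", bridge: bridge, ip: db_ip, netmask: netmask
    wordpress_db.vm.provider "virtualbox" do |vb|
      vb.cpus = 2
      vb.memory = 2048
    end
    wordpress_db.vm.provision "shell", env: provision_env, inline: <<~'SHELL'
      # Stop at the first failing command instead of carrying on (for example
      # configuring a firewall for packages that never got installed).
      set -e
      export DEBIAN_FRONTEND=noninteractive
      # Update and install packages (apt-get: apt's CLI is not meant for scripts)
      echo "[##### ] Updating repos"
      apt-get -qq update
      echo "[########## ] Upgrading packages"
      apt-get -qq upgrade -y
      echo "[############### ] Installing necessary packages"
      apt-get -qq install -y neovim unzip wget mariadb-server mariadb-client iptables-persistent
      # Enable services
      echo "[#################### ] Enabling mariadb"
      systemctl enable mariadb 1>/dev/null
      systemctl enable netfilter-persistent 1>/dev/null
      # Configure firewall
      iptables -F
      ip6tables -F
      # -F empties user chains but keeps them, so on a re-provision ICMPRULES
      # already exists; do not treat that as a failure.
      iptables -N ICMPRULES 2>/dev/null || true
      ip6tables -N ICMPRULES 2>/dev/null || true
      echo "[######################### ] Configuring iptables"
      # Ping rules: a source sending 6 or more echo requests within one second
      # is logged (rate-limited) and dropped; everything else is accepted.
      iptables -A ICMPRULES -m recent --name ICMP --set --rsource
      iptables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
      iptables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP
      iptables -A ICMPRULES -j ACCEPT
      ip6tables -A ICMPRULES -m recent --name ICMP --set --rsource
      ip6tables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
      ip6tables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP
      ip6tables -A ICMPRULES -j ACCEPT
      # Input rules. The only service exposed to the lab network is MySQL,
      # and only from the web VM; "eth1" assumes the bridged adapter keeps
      # that name in this box - confirm if the box is changed.
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
      iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
      iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
      iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
      iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPRULES
      iptables -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A INPUT -p tcp -m multiport --sports ftp,http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A INPUT -p udp -m multiport --sports 53,ntp -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A INPUT -i eth1 -p tcp -s "$WEB_IP" --dport mysql -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -P INPUT DROP
      ip6tables -A INPUT -i lo -j ACCEPT
      ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
      ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
      ip6tables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
      ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
      ip6tables -A INPUT -p icmpv6 --icmpv6-type 0 -m conntrack --ctstate NEW -j ACCEPT
      ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -m conntrack --ctstate NEW -j ACCEPT
      ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ICMPRULES
      ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -m conntrack --ctstate NEW -j ACCEPT
      ip6tables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -A INPUT -p tcp -m multiport --sports ftp,http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -A INPUT -p udp -m multiport --sports 53,ntp -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -P INPUT DROP
      # Forward rules
      iptables -P FORWARD DROP
      ip6tables -P FORWARD DROP
      # Output rules.
      # NOTE(review): the IPv4 OUTPUT policy is ACCEPT while the IPv6 one is
      # DROP, so the explicit IPv4 OUTPUT rules only matter once the policy is
      # tightened - confirm the asymmetry is intended.
      iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
      iptables -A OUTPUT -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p tcp -m multiport --dports ftp,http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p udp -m multiport --dports 53,ntp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o eth1 -p tcp -d "$WEB_IP" --sport mysql -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -P OUTPUT ACCEPT
      ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
      ip6tables -A OUTPUT -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -A OUTPUT -p tcp -m multiport --dports ftp,http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -A OUTPUT -p udp -m multiport --dports 53,ntp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -P OUTPUT DROP
      # Save rules so netfilter-persistent restores them at boot
      iptables-save > /etc/iptables/rules.v4
      ip6tables-save > /etc/iptables/rules.v6
      # Authorize external connections. MariaDB listens on every interface;
      # the INPUT rules above are what limit access to the web VM on eth1.
      echo "[######################### ] Allow external connections (bind to 0.0.0.0)"
      sed -i.bak -e "s/.*bind-address.*/bind-address = 0.0.0.0/" /etc/mysql/mariadb.conf.d/50-server.cnf
      echo "[############################## ] Securing mariadb"
      # Secure mariadb installation (same steps as mysql_secure_installation)
      mysql -e "UPDATE mysql.user SET Password=PASSWORD('$DB_ROOT_PASSWORD') WHERE User='root';"
      mysql -e "DELETE FROM mysql.user WHERE User='';"
      mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
      mysql -e "DROP DATABASE IF EXISTS test;"
      mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'"
      mysql -e "FLUSH PRIVILEGES;"
      echo "[################################### ] Creating database for Wordpress"
      # Create WordPress database and its user; IF NOT EXISTS keeps a
      # re-provision from aborting on the existing database.
      mysql -e "CREATE DATABASE IF NOT EXISTS ${WP_DB_NAME} DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
      mysql -e "GRANT ALL ON ${WP_DB_NAME}.* TO '$WP_DB_USER'@'$WEB_IP' IDENTIFIED BY '$WP_DB_PASSWORD';"
      mysql -e "FLUSH PRIVILEGES;"
      # Restart mariadb
      echo "[########################################] Restarting mariadb service"
      systemctl restart mariadb
    SHELL
  end

  # ----------------------------------------------------------------- web VM
  config.vm.define "wordpress-web" do |wordpress_web|
    wordpress_web.vm.hostname = "wordpress-web"
    wordpress_web.vm.network "public_network", bridge: bridge, ip: web_ip, netmask: netmask
    wordpress_web.vm.provider "virtualbox" do |vb|
      vb.cpus = 2
      vb.memory = 2048
    end
    wordpress_web.vm.provision "shell", env: provision_env, inline: <<~'SHELL'
      # Stop at the first failing command instead of carrying on.
      set -e
      export DEBIAN_FRONTEND=noninteractive
      # Resolve the site name to this VM so the setup-config.php request
      # at the end reaches the local nginx.
      sed -i -e "s/.*127.0.0.1.*localhost.*/127.0.0.1 localhost opensource.axelfloquet.fr/" /etc/hosts
      # Update and install packages (apt-get: apt's CLI is not meant for scripts)
      echo "[##### ] Updating repos"
      apt-get -qq update
      echo "[########## ] Upgrading packages"
      apt-get -qq upgrade -y
      echo "[############### ] Installing necessary packages"
      apt-get -qq install -y nginx neovim unzip wget php7.2-fpm php7.2-curl php7.2-gd php7.2-intl php7.2-mbstring php7.2-soap php7.2-xml php7.2-xmlrpc php7.2-zip php7.2-mysql iptables-persistent
      # Enable services
      echo "[#################### ] Enabling nginx and php7.2-fpm"
      systemctl enable nginx 1>/dev/null
      systemctl enable php7.2-fpm 1>/dev/null
      systemctl enable netfilter-persistent 1>/dev/null
      # Configure firewall
      iptables -F
      ip6tables -F
      # -F empties user chains but keeps them, so on a re-provision ICMPRULES
      # already exists; do not treat that as a failure.
      iptables -N ICMPRULES 2>/dev/null || true
      ip6tables -N ICMPRULES 2>/dev/null || true
      echo "[######################### ] Configuring iptables"
      # Ping rules: a source sending 6 or more echo requests within one second
      # is logged (rate-limited) and dropped; everything else is accepted.
      iptables -A ICMPRULES -m recent --name ICMP --set --rsource
      iptables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
      iptables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP
      iptables -A ICMPRULES -j ACCEPT
      ip6tables -A ICMPRULES -m recent --name ICMP --set --rsource
      ip6tables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
      ip6tables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP
      ip6tables -A ICMPRULES -j ACCEPT
      # Input rules: HTTP/HTTPS from the lab network, MySQL replies from the
      # database VM; "eth1" assumes the bridged adapter keeps that name in
      # this box - confirm if the box is changed.
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
      iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
      iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
      iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
      iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPRULES
      iptables -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
      iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A INPUT -p tcp -m multiport --sports ftp,http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A INPUT -p tcp -s "$DB_IP" --sport mysql -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A INPUT -p udp -m multiport --sports 53,ntp -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A INPUT -i eth1 -p tcp -m multiport --dports http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -P INPUT DROP
      ip6tables -A INPUT -i lo -j ACCEPT
      ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
      ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
      ip6tables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
      ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
      ip6tables -A INPUT -p icmpv6 --icmpv6-type 0 -m conntrack --ctstate NEW -j ACCEPT
      ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -m conntrack --ctstate NEW -j ACCEPT
      ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ICMPRULES
      ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -m conntrack --ctstate NEW -j ACCEPT
      ip6tables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -A INPUT -p tcp -m multiport --sports ftp,http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -A INPUT -p udp -m multiport --sports 53,ntp -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -A INPUT -i eth1 -p tcp -m multiport --dports http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -P INPUT DROP
      # Forward rules
      iptables -P FORWARD DROP
      ip6tables -P FORWARD DROP
      # Output rules.
      # NOTE(review): the IPv4 OUTPUT policy is ACCEPT while the IPv6 one is
      # DROP, so the explicit IPv4 OUTPUT rules only matter once the policy is
      # tightened - confirm the asymmetry is intended.
      iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
      iptables -A OUTPUT -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p tcp -m multiport --dports ftp,http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p tcp -d "$DB_IP" --dport mysql -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -p udp -m multiport --dports 53,ntp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o eth1 -p tcp -m multiport --sports http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -P OUTPUT ACCEPT
      ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
      ip6tables -A OUTPUT -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -A OUTPUT -p tcp -m multiport --dports ftp,http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -A OUTPUT -p udp -m multiport --dports 53,ntp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
      ip6tables -A OUTPUT -o eth1 -p tcp -m multiport --sports http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
      ip6tables -P OUTPUT DROP
      # Save rules so netfilter-persistent restores them at boot
      iptables-save > /etc/iptables/rules.v4
      ip6tables-save > /etc/iptables/rules.v6
      # Download WordPress and extract it to root web server.
      # NOTE(review): the archive comes over TLS but is not compared against a
      # published checksum or signature; add that step before relying on this
      # for anything beyond a lab.
      echo "[############################## ] Downloading and extracting latest version of Wordpress"
      wget --progress=bar:force -O /tmp/wordpress.zip https://fr.wordpress.org/latest-fr_FR.zip
      rm -rf /tmp/wordpress
      unzip -q /tmp/wordpress.zip -d /tmp
      rm -rf /var/www/html/*
      mv /tmp/wordpress/* /var/www/html
      rm -f /etc/nginx/sites-enabled/default
      # Write conf file (quoted delimiter: nginx variables are not expanded by the shell)
      echo "[################################### ] Writing nginx configuration file"
      cat << 'NGINX' > /etc/nginx/sites-available/wordpress.conf
      upstream php {
        server unix:/run/php/php7.2-fpm.sock;
      }
      # Plain HTTP: redirect the site name to HTTPS, answer 404 to anything else.
      server {
        if ($host = opensource.axelfloquet.fr) {
          return 301 https://$host$request_uri;
        }
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name opensource.axelfloquet.fr;
        return 404;
      }
      server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name opensource.axelfloquet.fr;
        root /var/www/html;
        index index.php;
        # Certificate material is supplied from the host through the /vagrant share.
        ssl_certificate /vagrant/cert/fullchain.pem;
        ssl_certificate_key /vagrant/cert/privkey.pem;
        include /vagrant/cert/options-ssl-nginx.conf;
        ssl_dhparam /vagrant/cert/ssl-dhparams.pem;
        location = /favicon.ico {
          log_not_found off;
          access_log off;
        }
        location = /robots.txt {
          allow all;
          log_not_found off;
          access_log off;
        }
        # WordPress permalinks: unknown paths are routed to index.php.
        location / {
          try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
          #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
          # Answer 404 for a script that does not exist on disk instead of
          # handing the request to PHP-FPM (guards against path-info confusion
          # independently of the php.ini setting above).
          try_files $uri =404;
          include fastcgi.conf;
          fastcgi_intercept_errors on;
          fastcgi_pass php;
        }
        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
          expires max;
          log_not_found off;
        }
      }
      NGINX
      # Enable site and restart nginx; with set -e a configuration that fails
      # the test aborts provisioning instead of leaving nginx on the old config.
      echo "[######################################## ] Enabling website and restarting nginx if config file is correct"
      ln -sf /etc/nginx/sites-available/wordpress.conf /etc/nginx/sites-enabled/wordpress.conf
      nginx -t
      systemctl restart nginx
      # Ask WordPress' own installer to render wp-config.php. The reply's
      # <textarea> holds the file minus its opening "<?php" line, which is
      # added back below. --data-urlencode replaces the hand-encoded password
      # of the original, and sed -n keeps the generated secrets out of the
      # provisioning log.
      echo "[#############################################] Initialazing wp-config.php"
      curl -sS \
        --data-urlencode "dbname=$WP_DB_NAME" \
        --data-urlencode "uname=$WP_DB_USER" \
        --data-urlencode "pwd=$WP_DB_PASSWORD" \
        --data-urlencode "dbhost=$DB_IP" \
        --data-urlencode "prefix=os1_" \
        --data-urlencode "language=fr_FR" \
        --data-urlencode "submit=Envoyer" \
        "https://opensource.axelfloquet.fr/wp-admin/setup-config.php?step=2" \
        | sed -n '1,/textarea/d;/textarea/,$d;w /tmp/wp-config.php'
      # sed creates the output file even when nothing matched, so test for
      # content rather than existence.
      if [ -s /tmp/wp-config.php ]; then
        sed -i -e '1s/^/<?php\n/' /tmp/wp-config.php
        mv /tmp/wp-config.php /var/www/html/wp-config.php
      else
        echo "Unable to configure database for Wordpress, will be prompted on first connection"
      fi
    SHELL
  end
end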
Pour ceux qui veulent une conf HTTP uniquement :
# HTTP-only variant of the site written by the Vagrantfile above: the same
# PHP-FPM upstream and locations, without the TLS server and the redirect.
upstream php {
  # Socket of the php7.2-fpm package the Vagrantfile installs.
  server unix:/run/php/php7.2-fpm.sock;
}
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name opensource.axelfloquet.fr;
  root /var/www/html;
  index index.php;
  # Keep browser favicon probes out of the logs.
  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }
  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }
  # WordPress permalinks: unknown paths are routed to index.php.
  location / {
    try_files $uri $uri/ /index.php?$args;
  }
  location ~ \.php$ {
    #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    # NOTE(review): without a `try_files $uri =404;` here, a request for a
    # .php path that does not exist on disk is still forwarded to PHP-FPM;
    # the php.ini setting above is then the only guard against path-info
    # confusion.
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass php;
  }
  # Static assets: long client-side caching, no 404 noise in the logs.
  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires max;
    log_not_found off;
  }
}
À changer avant d'exécuter dans Vagrant