Wordpress Vagrantfile (Nginx + MariaDB)
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
  config.vm.box = "hashicorp/bionic64"
  config.vm.box_check_update = true

  config.vm.define "wordpress-db", primary: true do |wordpress_db|
    wordpress_db.vm.hostname = "wordpress-db"
    wordpress_db.vm.network "public_network", bridge: "Intel(R) Wireless-AC 9560 160MHz", ip: "192.168.43.10", netmask: "255.255.255.0"
    wordpress_db.vm.provider "virtualbox" do |vb|
      vb.cpus = 2
      vb.memory = 2048
    end
    wordpress_db.vm.provision "shell", inline: <<-SHELL
export DEBIAN_FRONTEND=noninteractive
# Update and install packages
echo "[##### ] Updating repos"
apt -qq update
echo "[########## ] Upgrading packages"
apt -qq upgrade -y
echo "[############### ] Installing necessary packages"
apt -qq install -y neovim unzip wget mariadb-server mariadb-client iptables-persistent
# Enable services
echo "[#################### ] Enabling mariadb"
systemctl enable mariadb 1>/dev/null
systemctl enable netfilter-persistent 1>/dev/null
# Configure firewall
# Flush all chains, then delete the (now empty) user chain left by a previous run,
# otherwise re-provisioning fails on -N and appends duplicate rules to ICMPRULES
iptables -F
iptables -X
ip6tables -F
ip6tables -X
iptables -N ICMPRULES
ip6tables -N ICMPRULES
echo "[######################### ] Configuring iptables"
# Ping rules
iptables -A ICMPRULES -m recent --name ICMP --set --rsource
iptables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
iptables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP
iptables -A ICMPRULES -j ACCEPT
ip6tables -A ICMPRULES -m recent --name ICMP --set --rsource
ip6tables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
ip6tables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP
ip6tables -A ICMPRULES -j ACCEPT
# Input rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPRULES
iptables -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports ftp,http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m multiport --sports 53,ntp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 192.168.43.11 --dport mysql -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A INPUT -p icmpv6 --icmpv6-type 0 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ICMPRULES
ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m multiport --sports ftp,http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --sports 53,ntp -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -P INPUT DROP
# Forward rules
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
# Output rules
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports ftp,http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 53,ntp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -d 192.168.43.11 --sport mysql -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Note: with the IPv4 OUTPUT policy left at ACCEPT the explicit OUTPUT rules above have no effect;
# tightening it to DROP (as for IPv6 below) would also require an "-o lo -j ACCEPT" rule
iptables -P OUTPUT ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m multiport --dports ftp,http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m multiport --dports 53,ntp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -P OUTPUT DROP
# save rules
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# Authorize external connections
echo "[######################### ] Allow external connections (bind to 0.0.0.0)"
sed -i.bak -e "s/.*bind-address.*/bind-address = 0.0.0.0/" /etc/mysql/mariadb.conf.d/50-server.cnf
echo "[############################## ] Securing mariadb"
# Secure mariadb installation (same steps as mysql_secure_installation, run non-interactively).
# Note: the root and application passwords are hard-coded in this Vagrantfile, which is public;
# change them before deploying anywhere reachable
mysql -e "UPDATE mysql.user SET Password=PASSWORD('pfY[5&kJ[jVr') WHERE User='root';"
mysql -e "DELETE FROM mysql.user WHERE User='';"
mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
mysql -e "DROP DATABASE IF EXISTS test;"
mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'"
mysql -e "FLUSH PRIVILEGES;"
echo "[################################### ] Creating database for Wordpress"
# Create WordPress Database
mysql -e "CREATE DATABASE wordpress DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
mysql -e "GRANT ALL ON wordpress.* TO 'wordpressuser'@'192.168.43.11' IDENTIFIED BY 'cU+2:S*p-Kf?';"
mysql -e "FLUSH PRIVILEGES;"
# Restart mariadb
echo "[########################################] Restarting mariadb service"
systemctl restart mariadb
    SHELL
  end

  config.vm.define "wordpress-web" do |wordpress_web|
    wordpress_web.vm.hostname = "wordpress-web"
    wordpress_web.vm.network "public_network", bridge: "Intel(R) Wireless-AC 9560 160MHz", ip: "192.168.43.11", netmask: "255.255.255.0"
    wordpress_web.vm.provider "virtualbox" do |vb|
      vb.cpus = 2
      vb.memory = 2048
    end
    wordpress_web.vm.provision "shell", inline: <<-SHELL
export DEBIAN_FRONTEND=noninteractive
sed -i -e "s/.*127.0.0.1.*localhost.*/127.0.0.1 localhost opensource.axelfloquet.fr/" /etc/hosts
# Update and install packages
echo "[##### ] Updating repos"
apt -qq update
echo "[########## ] Upgrading packages"
apt -qq upgrade -y
echo "[############### ] Installing necessary packages"
apt -qq install -y nginx neovim unzip wget php7.2-fpm php7.2-curl php7.2-gd php7.2-intl php7.2-mbstring php7.2-soap php7.2-xml php7.2-xmlrpc php7.2-zip php7.2-mysql iptables-persistent
# Enable services
echo "[#################### ] Enabling nginx and php7.2-fpm"
systemctl enable nginx 1>/dev/null
systemctl enable php7.2-fpm 1>/dev/null
systemctl enable netfilter-persistent 1>/dev/null
# Configure firewall
# Flush all chains, then delete the (now empty) user chain left by a previous run,
# otherwise re-provisioning fails on -N and appends duplicate rules to ICMPRULES
iptables -F
iptables -X
ip6tables -F
ip6tables -X
iptables -N ICMPRULES
ip6tables -N ICMPRULES
echo "[######################### ] Configuring iptables"
# Ping rules
iptables -A ICMPRULES -m recent --name ICMP --set --rsource
iptables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
iptables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP
iptables -A ICMPRULES -j ACCEPT
ip6tables -A ICMPRULES -m recent --name ICMP --set --rsource
ip6tables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
ip6tables -A ICMPRULES -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP
ip6tables -A ICMPRULES -j ACCEPT
# Input rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPRULES
iptables -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports ftp,http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.43.10 --sport mysql -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m multiport --sports 53,ntp -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m multiport --dports http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
ip6tables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
ip6tables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ip6tables -A INPUT -p icmpv6 --icmpv6-type 0 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 3 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type 8 -m conntrack --ctstate NEW -j ICMPRULES
ip6tables -A INPUT -p icmpv6 --icmpv6-type 11 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m multiport --sports ftp,http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m multiport --sports 53,ntp -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i eth1 -p tcp -m multiport --dports http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -P INPUT DROP
# Forward rules
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
# Output rules
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports ftp,http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d 192.168.43.10 --dport mysql -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports 53,ntp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -m multiport --sports http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Note: with the IPv4 OUTPUT policy left at ACCEPT the explicit OUTPUT rules above have no effect;
# tightening it to DROP (as for IPv6 below) would also require an "-o lo -j ACCEPT" rule, since
# the wp-config step below talks to this host over loopback
iptables -P OUTPUT ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -p tcp --sport ssh -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m multiport --dports ftp,http,https -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m multiport --dports 53,ntp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o eth1 -p tcp -m multiport --sports http,https -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -P OUTPUT DROP
# save rules
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# Download WordPress and extract it to root web server
echo "[############################## ] Downloading and extracting latest version of Wordpress"
cd /tmp && wget --progress=bar:force https://fr.wordpress.org/latest-fr_FR.zip
unzip -q latest-fr_FR.zip
rm /var/www/html/*
mv /tmp/wordpress/* /var/www/html
rm /etc/nginx/sites-enabled/default
# Write conf file
echo "[################################### ] Writing nginx configuration file"
cat << 'NGINX' > /etc/nginx/sites-available/wordpress.conf
upstream php {
  server unix:/run/php/php7.2-fpm.sock;
}

server {
  if ($host = opensource.axelfloquet.fr) {
    return 301 https://$host$request_uri;
  }

  listen 80 default_server;
  listen [::]:80 default_server;
  server_name opensource.axelfloquet.fr;
  return 404;
}

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;
  server_name opensource.axelfloquet.fr;
  root /var/www/html;
  index index.php;

  ssl_certificate /vagrant/cert/fullchain.pem;
  ssl_certificate_key /vagrant/cert/privkey.pem;
  include /vagrant/cert/options-ssl-nginx.conf;
  ssl_dhparam /vagrant/cert/ssl-dhparams.pem;

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass php;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires max;
    log_not_found off;
  }
}
NGINX
# Enable site and restart nginx
echo "[######################################## ] Enabling website and restarting nginx if config file is correct"
ln -sf /etc/nginx/sites-available/wordpress.conf /etc/nginx/sites-enabled/wordpress.conf
nginx -t && systemctl restart nginx
# Request a new wp-config.php from the local WordPress setup page (the hostname resolves to
# 127.0.0.1 via /etc/hosts) and keep only the contents of the <textarea> that holds it.
# curl -s hides TLS errors: if the certificate in /vagrant/cert is not valid for the hostname,
# the file stays empty and the fallback branch below runs
echo "[#############################################] Initializing wp-config.php"
curl -s -d "dbname=wordpress&uname=wordpressuser&pwd=cU%2B2%3AS*p-Kf%3F&dbhost=192.168.43.10&prefix=os1_&language=fr_FR&submit=Envoyer" -X POST https://opensource.axelfloquet.fr/wp-admin/setup-config.php?step=2 | sed '1,/textarea/d;/textarea/,$d;w /tmp/wp-config.php'
# The opening "<?php" line sits on the same line as the <textarea> tag and is dropped above, so prepend it
if [ -f /tmp/wp-config.php ] && [ $(wc -l < /tmp/wp-config.php) -gt 0 ]; then sed -i -e '1s/^/<?php\\n/' /tmp/wp-config.php 1>/dev/null && mv /tmp/wp-config.php /var/www/html/wp-config.php; else echo "Unable to configure database for Wordpress, will be prompted on first connection"; fi;
    SHELL
  end
end
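The two provisioners above save their firewall rules to /etc/iptables/rules.v4 and rules.v6. A useful check, when you adapt the addresses as the author recommends, is to audit that saved dump against the policy the rules are meant to enforce on the database host: INPUT and FORWARD default to DROP, SSH is reachable, MySQL (tcp/3306) is reachable only from the web VM, and no other port accepts new connections. The script below is an added example and not part of the gist; it parses the iptables-save format and reports drift. The sample dumps are constructed for the example (iptables-save resolves service names to port numbers, inserts `-m tcp`, and appends /32 masks, which is why they look different from the rules as typed above), and the allowlist encodes the page's design.

```python
"""Audit an iptables-save dump against the policy the wordpress-db provisioner
intends: INPUT/FORWARD default DROP, SSH open, MySQL (tcp/3306) only from the
web VM, nothing else accepting new connections. Feed it /etc/iptables/rules.v4
or the output of `iptables-save`; with no argument it audits a constructed sample."""
import shlex
import sys
from dataclasses import dataclass, field


@dataclass
class Rule:
    chain: str
    target: str = ""
    opts: dict = field(default_factory=dict)   # flag -> value; "!flag" when negated


def parse_iptables_save(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line.startswith(":"):                # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            if policy != "-":                   # user-defined chains carry "-"
                policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule, i, negated = Rule(chain=toks[1]), 2, False
        while i < len(toks):
            tok = toks[i]
            if tok == "!":
                negated, i = True, i + 1
            elif tok == "-j":
                rule.target, i = toks[i + 1], i + 2
            elif tok.startswith("-"):
                key = ("!" if negated else "") + tok.lstrip("-")
                negated = False
                has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                rule.opts[key] = toks[i + 1] if has_value else True
                i += 2 if has_value else 1
            else:                               # second operand, e.g. of --tcp-flags
                i += 1
        rules.append(rule)
    return policies, rules


# Port -> sources allowed to open connections (None = any source). This is the
# page's design: SSH from anywhere, MySQL only from the web VM 192.168.43.11.
ALLOWED_TCP = {"22": None, "3306": {"192.168.43.11/32"}}


def audit(text):
    """Return a list of findings; an empty list means the dump matches the policy."""
    policies, rules = parse_iptables_save(text)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    for r in rules:
        if r.chain != "INPUT" or r.target != "ACCEPT" or r.opts.get("p") != "tcp":
            continue
        if "NEW" not in r.opts.get("ctstate", "NEW"):   # no --ctstate also matches NEW
            continue
        ports = r.opts.get("dport") or r.opts.get("dports")
        if ports is None:
            findings.append("INPUT accepts new tcp connections to any port")
            continue
        for port in str(ports).split(","):
            if port not in ALLOWED_TCP:
                findings.append(f"tcp/{port} is open but not in the allowlist")
                continue
            allowed, src = ALLOWED_TCP[port], r.opts.get("s")
            if allowed is not None and src not in allowed:
                findings.append(f"tcp/{port} reachable from {src or 'any source'}, "
                                f"expected {sorted(allowed)}")
    return findings


# Constructed sample (not from the page): what iptables-save emits once the
# wordpress-db rules are loaded; names resolved to numbers, -m tcp inserted.
DB_HOST_GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPRULES - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPRULES
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --sports 21,80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.43.11/32 -i eth1 -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A ICMPRULES -j ACCEPT
COMMIT
"""

# Constructed drift: FORWARD opened, the MySQL source restriction lost, an extra port added.
DB_HOST_DRIFTED = (DB_HOST_GOOD
                   .replace(":FORWARD DROP", ":FORWARD ACCEPT")
                   .replace("-s 192.168.43.11/32 -i eth1 ", "")
                   .replace("COMMIT", "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT\nCOMMIT"))

if __name__ == "__main__":
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else DB_HOST_DRIFTED
    for finding in audit(dump) or ["OK: rules match the intended policy"]:
        print(finding)
```

Run it inside the VM as `python3 audit.py /etc/iptables/rules.v4` after `vagrant provision`; any output other than the OK line means the saved rules no longer match the intended policy. A rule without `--ctstate` is treated as matching NEW, since that is what the kernel does, which is why the constructed `--dport 8080` rule is reported.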
axel-ft commented Nov 28, 2019

To change before running in Vagrant

  • The name of the interface used for the bridge
  • The IP addresses of the two machines (be careful to change every occurrence)
  • Make sure there is a certificate in a cert folder next to the Vagrantfile (otherwise the site does not start)

NB: Disabling the system upgrade by commenting out the line (#apt -qq upgrade -y) speeds up the deployment quite a bit

axel-ft commented Nov 28, 2019

For those who want an HTTP-only config:

upstream php {
  server unix:/run/php/php7.2-fpm.sock;
}

server {
  listen 80 default_server;
  listen [::]:80 default_server;

  server_name opensource.axelfloquet.fr;
  root /var/www/html;
  index index.php;

  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    fastcgi_pass php;
  }

  location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
    expires max;
    log_not_found off;
  }
}
