This commit is contained in:
cronekorkn 2024-02-08 10:46:27 +01:00
parent 782b3fbe0b
commit e3fe0eeb79
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw
15 changed files with 323 additions and 13 deletions


@ -0,0 +1 @@
https://mariadb.com/kb/en/systemd/#configuring-mariadb-to-write-the-error-log-to-syslog


@ -0,0 +1,11 @@
% for section, options in sorted(conf.items()):
[${section}]
% for key, value in sorted(options.items()):
% if value is None:
${key}
% else:
${key} = ${value}
% endif
% endfor
% endfor

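--- a/bundles/mariadb/items.py
+++ b/bundles/mariadb/items.py
@@ -0,0 +1,89 @@
+from shlex import quote
+def mariadb(sql, **kwargs):
+kwargs_string = ''.join(f" --{k} {v}" for k, v in kwargs.items())
+return f"mariadb{kwargs_string} -Bsr --execute {quote(sql)}"
+directories = {
+'/var/lib/mysql': {
+'owner': 'mysql',
+'group': 'mysql',
+'needs': [
+'zfs_dataset:tank/mariadb',
+],
+'needed_by': [
+'pkg_apt:mariadb-server',
+],
+},
+}
+files = {
+'/etc/mysql/conf.d/override.conf': {
+'context': {
+'conf': node.metadata.get('mariadb/conf'),
+},
+'content_type': 'mako',
+},
+}
+svc_systemd = {
+'mariadb.service': {
+'needs': [
+'pkg_apt:mariadb-server',
+],
+},
+}
+actions = {
+'mariadb_sec_remove_anonymous_users': {
+'command': mariadb("DELETE FROM mysql.global_priv WHERE User=''"),
+'unless': mariadb("SELECT count(0) FROM mysql.global_priv WHERE User = ''") + " | grep -q '^0$'",
+'needs': [
+'svc_systemd:mariadb.service',
+],
+'triggers': [
+'svc_systemd:mariadb.service:restart',
+],
+},
+'mariadb_sec_remove_remote_root': {
+'command': mariadb("DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')"),
+'unless': mariadb("SELECT count(0) FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')") + " | grep -q '^0$'",
+'needs': [
+'svc_systemd:mariadb.service',
+],
+'triggers': [
+'svc_systemd:mariadb.service:restart',
+],
+},
+}
+for db, conf in node.metadata.get('mariadb/databases', {}).items():
+actions[f'mariadb_create_database_{db}'] = {
+'command': mariadb(f"CREATE DATABASE {db}"),
+'unless': mariadb(f"SHOW DATABASES LIKE '{db}'") + f" | grep -q '^{db}$'",
+'needs': [
+'svc_systemd:mariadb.service',
+],
+}
+actions[f'mariadb_user_{db}_create'] = {
+'command': mariadb(f"CREATE USER {db}"),
+'unless': mariadb(f"SELECT User FROM mysql.user WHERE User = '{db}'") + f" | grep -q '^{db}$'",
+'needs': [
+f'action:mariadb_create_database_{db}',
+],
+}
+pw = conf['password']
+actions[f'mariadb_user_{db}_password'] = {
+'command': mariadb(f"SET PASSWORD FOR {db} = PASSWORD('{conf['password']}')"),
+'unless': f'echo {quote(pw)} | mariadb -u {db} -e quit -p',
+'needs': [
+f'action:mariadb_user_{db}_create',
+],
+}
+actions[f'mariadb_grant_privileges_to_{db}'] = {
+'command': mariadb(f"GRANT ALL PRIVILEGES ON {db}.* TO '{db}'", database=db),
+'unless': mariadb(f"SHOW GRANTS FOR {db}") + f" | grep -q '^GRANT ALL PRIVILEGES ON `{db}`.* TO `{db}`@`%`'",
+'needs': [
+f'action:mariadb_user_{db}_create',
+],
+}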
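Review bot: The SQL handed to `mariadb()` is assembled with f-strings, so the `shlex.quote` on L36 protects only the shell layer — a `db` name or password containing `'` breaks the statements on L89, L96 and L103, and `db` is additionally spliced unquoted into the `grep` patterns and the `-u {db}` argument on L104. At minimum validate `db` before the loop, e.g. `if not re.fullmatch(r'[A-Za-z0-9_]+', db): raise ValueError(db)`, and escape the password as a SQL string literal, e.g. `pw_sql = pw.replace('\\', '\\\\').replace("'", "\\'")`, before interpolating it. L101 binds `pw` but L103 still reads `conf['password']`; use `pw` in both places. Note also that the password becomes part of the `command` and `unless` strings, so it can show up in bundlewrap's output and, while the action runs, in the process list visible to other local users.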


@ -0,0 +1,36 @@
defaults = {
'apt': {
'packages': {
'mariadb-server': {},
},
},
'mariadb': {
'databases': {},
'conf': {
# https://www.reddit.com/r/zfs/comments/u1xklc/mariadbmysql_database_settings_for_zfs
'mysqld': {
'skip-innodb_doublewrite': None,
'innodb_flush_method': 'fsync',
'innodb_doublewrite': '0',
'innodb_use_atomic_writes': '0',
'innodb_use_native_aio': '0',
'innodb_read_io_threads': '10',
'innodb_write_io_threads': '10',
'innodb_buffer_pool_size': '26G',
'innodb_flush_log_at_trx_commit': '1',
'innodb_log_file_size': '1G',
'innodb_flush_neighbors': '0',
'innodb_fast_shutdown': '2',
},
},
},
'zfs': {
'datasets': {
'tank/mariadb': {
'mountpoint': '/var/lib/mysql',
'recordsize': '16384',
'atime': 'off',
},
},
},
}
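Review bot: `'innodb_buffer_pool_size': '26G'` on L138 is a host-sized value in the bundle's shared defaults, so every node that includes this bundle inherits a 26 GiB buffer pool unless it overrides the key (`innodb_log_file_size: '1G'` on L140 has the same character). Consider leaving the sizes out of the defaults and setting them per node, and replace the bare reddit link on L129 with a comment that states the intent, e.g. `# ZFS tuning: doublewrite/atomic writes off because ZFS is copy-on-write; recordsize 16K matches the InnoDB page size — see link` (the copy-on-write rationale is the usual one, confirm it is what the author relies on). `skip-innodb_doublewrite` on L131 and `innodb_doublewrite: '0'` on L133 set the same switch twice; one of them can go.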


@ -0,0 +1 @@
https://developer.wordpress.org/advanced-administration/upgrade/upgrading/


@ -0,0 +1,25 @@
#!/bin/bash
SITE=$1
VERSION=$(php -r "require('/opt/$SITE/wp-includes/version.php'); echo \$wp_version;")
STATUS=$(curl -ssL http://api.wordpress.org/core/stable-check/1.0/ | jq -r '.["'$VERSION'"]')
echo "WordPress $VERSION is '$STATUS'"
if [[ "$STATUS" == latest ]]
then
exit 0
elif [[ "$STATUS" == outdated ]]
then
exit 1
elif [[ "$STATUS" == insecure ]]
then
if test -f /etc/nginx/sites/$SITE
then
rm /etc/nginx/sites/$SITE
systemctl restart nginx
fi
exit 2
else
exit 2
fi
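Review bot: The status that decides whether to delete the site's nginx config is fetched over plain HTTP on L168, and `$VERSION` is spliced into the jq program unquoted; use `STATUS=$(curl -sSL https://api.wordpress.org/core/stable-check/1.0/ | jq -r --arg v "$VERSION" '.[$v]')` (`-ss` is just `-s` twice, `-sS` keeps error reporting). `$SITE` on L167, L178 and L180 should be double-quoted, and the script should start with `set -euo pipefail` so a failing `php` or `curl` does not silently produce an empty `VERSION`. A Nagios check that removes a config file and restarts nginx is unusual and should at least log what it did; also, the monitoring metadata in this commit invokes the plugin with the site name while the vhosts are keyed by domain, so `test -f /etc/nginx/sites/$SITE` may never match the real file — confirm against the nginx bundle's file naming.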


@ -0,0 +1,5 @@
<?php
require_once '${path}/wp-includes/version.php';
echo "$wp_version";


@ -0,0 +1,12 @@
files = {
'/usr/lib/nagios/plugins/check_wordpress_insecure': {
'mode': '0750',
},
}
for site, conf in node.metadata.get('wordpress').items():
directories[f'/opt/{site}'] = {
'owner': 'www-data',
'group': 'www-data',
'mode': '0755',
}
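Review bot: `directories` is assigned on L206 but never defined in this file — only `files` is (L200); unless bundlewrap pre-seeds that name, the loop raises `NameError` on the first site. Add `directories = {}` before the loop on L205. `conf` in `for site, conf in ...` is unused, so iterate `node.metadata.get('wordpress')` directly; the plugin file on L201 sets `mode` but no `owner`/`group`, which presumably leaves the bundlewrap defaults — worth stating explicitly since the check runs under sudo.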


@ -0,0 +1,84 @@
defaults = {}
@metadata_reactor.provides(
'wordpress',
)
def wordpress(metadata):
return {
'wordpress': {
site: {
'db_password': repo.vault.password_for(f"wordpress {site} db").value,
}
for site in metadata.get('wordpress')
},
}
@metadata_reactor.provides(
'mariadb/databases',
)
def mariadb(metadata):
return {
'mariadb': {
'databases': {
site: {
'password': metadata.get(f'wordpress/{site}/db_password')
}
for site in metadata.get('wordpress')
},
},
}
@metadata_reactor.provides(
'nginx/vhosts'
)
def vhost(metadata):
return {
'nginx': {
'vhosts': {
conf['domain']: {
'content': 'wordpress/vhost.conf',
'context': {
'root': f'/opt/{site}',
},
}
for site, conf in metadata.get('wordpress').items()
},
},
}
@metadata_reactor.provides(
'zfs/datasets',
)
def zfs(metadata):
return {
'zfs': {
'datasets': {
f'tank/{site}': {
'mountpoint': f'/opt/{site}',
}
for site in metadata.get('wordpress')
},
},
}
@metadata_reactor.provides(
'monitoring/services',
)
def check_insecure(metadata):
return {
'monitoring': {
'services': {
f'wordpress {site} insecure': {
'vars.command': f'/usr/lib/nagios/plugins/check_wordpress_insecure {site}',
'check_interval': '30m',
'vars.sudo': True,
}
for site in metadata.get('wordpress')
},
},
}
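Review bot: The `vhost` reactor (L245-L258) passes only `root` in the vhost context, while `data/wordpress/vhost.conf` in this commit also reads `${server_name}`; presumably the nginx bundle injects the vhost key as `server_name`, but that should be confirmed or documented in a comment above the reactor, e.g. `# server_name is supplied by the nginx bundle from the vhost key`. Every reactor calls `metadata.get('wordpress')` with no default, which raises on any node that includes the bundle without sites; `metadata.get('wordpress', {})` is the safer form. The `'nginx/vhosts'` argument on L243 lacks the trailing comma the sibling decorators use.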

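--- a/data/wordpress/vhost.conf
+++ b/data/wordpress/vhost.conf
@@ -0,0 +1,43 @@
+# Upstream to abstract backend connection(s) for php
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name ${server_name};
+root ${root};
+index index.php;
+ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
+ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
+location = /favicon.ico {
+log_not_found off;
+access_log off;
+}
+location = /robots.txt {
+allow all;
+log_not_found off;
+access_log off;
+}
+location / {
+# This is cool because no php is touched for static content.
+# include the "?$args" part so non-default permalinks doesn't break when using query string
+try_files $uri $uri/ /index.php?$args;
+}
+location ~ \.php$ {
+# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+include params/fastcgi;
+fastcgi_intercept_errors on;
+fastcgi_pass php-handler;
+# The following parameter can be also included in fastcgi_params file
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+}
+location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+expires max;
+log_not_found off;
+}
+}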
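Review bot: `location ~ \.php$` on L318 hands every `.php` path under `root` to the PHP backend, including files under `wp-content/uploads`, the directory WordPress writes to; the usual hardening is to add, before it, `location ~* /wp-content/uploads/.*\.php$ { deny all; }` and `location ~ /\. { deny all; }` for dotfiles. The comment on L295 describes an upstream block that is not in this file — `fastcgi_pass php-handler;` on L322 relies on it being defined elsewhere, so replace the comment with something like `# php-handler upstream is defined by the nginx bundle`. `${server_name}` on L299 is not in the context the wordpress reactor supplies; presumably the nginx bundle injects it, worth confirming.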


@ -0,0 +1,8 @@
{
'bundles': [
'letsencrypt',
'mariadb',
'nginx',
'wordpress',
],
}


@ -1,4 +1,5 @@
{
'dummy': True,
'hostname': '10.0.0.5',
'groups': [
'autologin',


@ -111,7 +111,7 @@
},
'nextcloud': {
'hostname': 'cloud.sublimity.de',
'version': '27.1.4',
'version': '28.0.1',
'config': {
'instanceid': 'oci6dw1woodz',
'secret': '!decrypt:encrypt$gAAAAABj96CFynVtEgsje7173zjQAcY7xQG3uyf5cxE-sJAvhyPh_KUykTKdwnExc8NTDJ8RIGUmVfgC6or5crnYaggARPIEg5-Cb0xVdEPPZ3oZ01ImLmynLu3qXT9O8kVM-H21--OKeztMRn7bySsbXdWEGtETFQ==',


@ -7,6 +7,7 @@
'monitored',
'webserver',
'dnsserver',
'wordpress',
#'left4dead2',
],
'bundles': [
@ -21,6 +22,11 @@
'zfs',
],
'metadata': {
'wordpress': {
'elimukwanza': {
'domain': 'elimu-kwanza.de',
},
},
'id': 'ea29bdf0-0b47-4bf4-8346-67d60c9dc4ae',
'network': {
'internal': {
@ -73,10 +79,6 @@
'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
'elimu-kwanza.de': {
'A': ['202.61.255.108'],
'AAAA': ['2a01:4f8:1c1c:4121::1'],
},
},
'download-server': {
'hostname': 'dl.sublimity.de',
@ -172,14 +174,6 @@
},
'internal_dns': False,
},
'elimu-kwanza.de': {
'content': 'nginx/message.conf',
'context': {
'title': 'Im Aufbau/under construction',
'message': '<a href=mailto:info@elimu-kwanza.de>info@elimu-kwanza.de</a>',
},
'internal_dns': False,
},
'cronekorkn.de': {
'content': 'nginx/redirect.conf',
'context': {