🦾 An Ansible playbook to spin up a WordPress server running hardened Nginx and MariaDB with an SSL certificate issued by Let's Encrypt using dns-01 challenge.

dimiboi/wordpress-ansible

🦾 Hardened WordPress Ansible Playbook

The cloud-init.yml configuration file:

  • 👥 Creates a default user dmitry with a public key and gives it sudo permissions
  • 📦 Configures and enables unattended-upgrades
  • 🧱 Enables the firewall and lets SSH through it
  • 🐝 Pollinates entropy using Ubuntu's server

The Ansible playbook:

  • 📦 Installs and configures MariaDB, Nginx, WordPress, and Certbot
    • 🔑 Generated MariaDB credentials are stored in the .credentials directory
  • 📜 Acquires a Let's Encrypt certificate using the dns-01 challenge with the configured DNS provider
    • 🤖 Google Cloud Platform service account credentials in a JSON file (instructions)
      • 🔧 Configure the file path as certbot_dns.google_credentials_file
    • ☁️ CloudFlare API token (instructions)
      • 🔧 Configure the token as certbot_dns.cloudflare_api_token
    • ❗ The playbook uses the Let's Encrypt staging environment by default
      • 🔧 Make sure to override certbot_server with the production server (browsers do not trust staging certificates)
  • 🔏 Hardens the system and its running services

Instructions

Install devsec.hardening collection before running:

$ ansible-galaxy collection install devsec.hardening

Create a .vars.yml file and set the required variable values:

ssh_allow_users: john
wordpress_http_hosts:
  - john.example.net
  - doe.example.com
certbot_email: [email protected]
certbot_server: https://acme-v02.api.letsencrypt.org/directory
certbot_dns:
  cloudflare_api_token: 0123456789abcdef0123456789abcdef01234567

To use Google Cloud Platform DNS instead, configure the path to the service account credentials file:

certbot_dns:
  google_credentials_file: ~/certbot-service-account.json

Run the playbook:

$ ansible-playbook playbook.yml --limit <host-name> --user <remote-user> --extra-vars @.vars.yml
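The two mistakes the README warns about, leaving certbot_server at the staging CA and misconfiguring the certbot_dns credential, are easy to catch before the playbook runs. The script below is an added example and is not part of the dimiboi/wordpress-ansible repository: it reads the .vars.yml described above, checks the variable names the README lists, insists on exactly one DNS provider credential, and, for the Google service-account file, verifies it exists and is readable by its owner only. It assumes the standard Let's Encrypt staging directory URL and a 40-character Cloudflare token format, neither of which the README states, and needs PyYAML only for the command-line path.

```python
"""Pre-flight check for the .vars.yml of the WordPress playbook (added example,
not part of dimiboi/wordpress-ansible). Assumptions not stated in the README:
the staging directory URL below and a 40-character Cloudflare token format."""
import os
import re
import stat
import sys

LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"  # assumption
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CF_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{40}$")  # assumption

# Constructed sample, modelled on the README's example values.
SAMPLE_VARS = {
    "ssh_allow_users": "john",
    "wordpress_http_hosts": ["john.example.net", "doe.example.com"],
    "certbot_email": "john@example.net",
    "certbot_server": LE_PRODUCTION,
    "certbot_dns": {"cloudflare_api_token": "0123456789abcdef0123456789abcdef01234567"},
}


def check_credentials_file(path):
    """The service-account JSON grants write access to the DNS zone, so it must
    exist and be readable by its owner only."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: credentials file does not exist"]
    if st.st_mode & 0o077:
        return [f"{path}: mode {stat.filemode(st.st_mode)} is readable by "
                "group/others; restrict it to the owner (chmod 600)"]
    return []


def validate_vars(v, check_files=True):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    users = v.get("ssh_allow_users")
    if not isinstance(users, str) or not users.strip():
        problems.append("ssh_allow_users must be a non-empty string")

    hosts = v.get("wordpress_http_hosts")
    if not isinstance(hosts, list) or not hosts:
        problems.append("wordpress_http_hosts must be a non-empty list")
    else:
        for h in hosts:
            if not isinstance(h, str) or not HOSTNAME_RE.match(h.lower()):
                problems.append(f"wordpress_http_hosts: {h!r} is not a valid DNS name")

    email = v.get("certbot_email")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        problems.append("certbot_email must be a valid e-mail address")

    # The playbook defaults to staging, whose certificates browsers do not
    # trust, so the production directory has to be set explicitly.
    server = v.get("certbot_server")
    if server is None or server == LE_STAGING:
        problems.append("certbot_server is unset or points at the staging CA; "
                        f"set it to {LE_PRODUCTION} for a browser-trusted certificate")
    elif not isinstance(server, str) or not server.startswith("https://"):
        problems.append("certbot_server must be an https:// ACME directory URL")

    dns = v.get("certbot_dns")
    if not isinstance(dns, dict):
        problems.append("certbot_dns must be a mapping holding one provider credential")
    else:
        token = dns.get("cloudflare_api_token")
        gfile = dns.get("google_credentials_file")
        configured = sum(1 for val in (token, gfile) if val)
        if configured != 1:
            problems.append("certbot_dns: set exactly one of cloudflare_api_token / "
                            f"google_credentials_file (found {configured})")
        if token is not None and not CF_TOKEN_RE.match(str(token)):
            problems.append("certbot_dns.cloudflare_api_token does not look like a Cloudflare API token")
        if gfile and check_files:
            problems.extend(check_credentials_file(os.path.expanduser(str(gfile))))
    return problems


def main(argv):
    """Usage: python preflight.py [.vars.yml]; exit status 1 if problems were found."""
    import yaml  # PyYAML, only needed to read the file from disk
    path = argv[1] if len(argv) > 1 else ".vars.yml"
    with open(path) as fh:
        problems = validate_vars(yaml.safe_load(fh) or {})
    for p in problems:
        print("ERROR:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python preflight.py .vars.yml` right before the ansible-playbook command; a non-zero exit status makes it usable as a guard in a wrapper script or CI job. The permission check matters because the service-account file is an API credential for the whole DNS zone, not just the dns-01 TXT record.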
