From 3baf692759355508c5232bd5cf8ecbc857b13dc1 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 7 Feb 2020 17:59:51 +0100 Subject: [PATCH] Various fixes. Add the jobs that upgrade the core and the plugins. --- defaults/main.yml | 11 +++-- tasks/main.yml | 1 + tasks/wp_install.yml | 4 +- tasks/wp_maintenance.yml | 46 +++++++++++++++++++ tasks/wp_nginx.yml | 6 +-- tasks/wp_prerequisites.yml | 2 +- ...wordpress.conf => nginx_wordpress.conf.j2} | 29 +++++++++++- templates/{wp-config.php => wp-config.php.j2} | 0 vars/main.yml | 4 +- 9 files changed, 90 insertions(+), 13 deletions(-) create mode 100644 tasks/wp_maintenance.yml rename templates/{nginx_wordpress.conf => nginx_wordpress.conf.j2} (79%) rename templates/{wp-config.php => wp-config.php.j2} (100%) diff --git a/defaults/main.yml b/defaults/main.yml index 7eae7cf..05f02a9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,12 +1,15 @@ --- wordpress_dist_name: wordpress -wordpress_major: 4 -wordpress_minor: 9 -wordpress_fix: 5 +wordpress_major: 5 +wordpress_minor: 3 +wordpress_fix: 2 wordpress_version: '{{ wordpress_major }}.{{ wordpress_minor }}.{{ wordpress_fix }} ' wordpress_cli_url: 'https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar' wordpress_cli_bin: /usr/local/bin/wp wordpress_system_user: wp +wordpress_auto_upgrade: True +wordpress_auto_upgrade_minor_only: False +wordpress_auto_upgrade_all_plugins: True wordpress_servername: '{{ ansible_fqdn }}' wordpress_url: 'https://{{ wordpress_servername }}' @@ -19,6 +22,8 @@ wordpress_debug: 'false' # wordpress_plugins_install_list: +# wordpress_plugins_upgrade_list: '{{ wordpress_plugins_install_list }}' + # wordpress_plugins_delete_list: wordpress_php_prereq: diff --git a/tasks/main.yml b/tasks/main.yml index e86ba65..1eec2f9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -2,5 +2,6 @@ - import_tasks: wp_prerequisites.yml - import_tasks: wp_install.yml - import_tasks: wp_plugins.yml +- import_tasks: wp_maintenance.yml - import_tasks: wp_nginx.yml diff --git a/tasks/wp_install.yml b/tasks/wp_install.yml index 3baf23b..f3463ff 100644 --- a/tasks/wp_install.yml +++ b/tasks/wp_install.yml @@ -10,7 +10,7 @@ register: wordpress_salt - name: Install the initial WordPress configuration file - template: src=wp-config.php dest={{ wordpress_doc_root }}/wp-config.php mode=0640 force=no + template: src=wp-config.php.j2 dest={{ wordpress_doc_root }}/wp-config.php mode=0640 force=no - name: Install the WP DB tables command: wp core install --url={{ wordpress_servername }} --title="{{ wordpress_title }}" --admin_user={{ wordpress_admin_user }} --admin_password='{{ wordpress_admin_pwd }}' --admin_email={{ wordpress_admin_email }} @@ -25,7 +25,7 @@ shell: wp site empty --yes ; touch {{ wordpress_doc_root }}/.htemptied args: chdir: '{{ wordpress_doc_root }}' - when: not wp_wipe.stat.exists + when: not wp_wipe.stat.exists | bool become: True become_user: '{{ wordpress_system_user }}' diff --git a/tasks/wp_maintenance.yml b/tasks/wp_maintenance.yml new file mode 100644 index 0000000..949e41c --- /dev/null +++ b/tasks/wp_maintenance.yml 
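Review bot: The `Install the WP DB tables` task in the first wp_install.yml hunk still passes `--admin_password='{{ wordpress_admin_pwd }}'` on the `wp core install` command line. This is an unchanged context line, but it means the admin password is visible in the process list while the command runs and can end up in Ansible's task output and module logging. Adding `no_log: True` to that task keeps it out of the play output; to keep it off argv as well, wp-cli can read the value from stdin with `--prompt=admin_password`. The task continues below the hunk, so confirm `no_log` is not already set there.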
@@ -0,0 +1,46 @@
+---
+- block:
+ - name: Create a directory to store the logs of the wp maintenance commands
+ file: /var/log/wordpress_maintenance state=directory owner={{ wordpress_system_user }} mode=0755
+ tags: wordpress
+
+- block:
+ - name:
+ command: wp core update {% if wordpress_auto_upgrade_minor_only %} --minor{% endif %}
+ args:
+ chdir: '{{ wordpress_doc_root }}'
+ when: wordpress_auto_upgrade | bool
+
+ - name: Cron job that updates the Wordpress core
+ cron:
+ name: "Update the Wordpress core"
+ special_time: 'daily'
+ job: "cd {{ wordpress_doc_root }} && wp core update {% if wordpress_auto_upgrade_minor_only %} --minor{% endif %} > /var/log/wordpress_maintenance/wp_core_update.log 2>&1"
+ state: present
+ user: '{{ wordpress_system_user }}'
+
+ - name: Upgrade all the plugins
+ command: wp plugin update --all
+ args:
+ chdir: '{{ wordpress_doc_root }}'
+ when: wordpress_auto_upgrade_all_plugins | bool
+
+ - name: Upgrade a list of plugins
+ command: wp plugin update {{ item }}
+ args:
+ chdir: '{{ wordpress_doc_root }}'
+ with_items: '{{ wordpress_plugins_upgrade_list }}'
+ when: wordpress_plugins_upgrade_list is defined
+
+ - name: Cron job that updates the Wordpress plugins
+ cron:
+ name: "Update the Wordpress plugins"
+ special_time: 'daily'
+ job: "cd {{ wordpress_doc_root }} && wp plugin update --all > /var/log/wordpress_maintenance/wp_plugins_update.log 2>&1"
+ state: present
+ user: '{{ wordpress_system_user }}'
+
+ become: True
+ become_user: '{{ wordpress_system_user }}'
+ tags: wordpress
+
diff --git a/tasks/wp_nginx.yml b/tasks/wp_nginx.yml
index 6bfdb26..47c6d0c 100644
--- a/tasks/wp_nginx.yml
+++ b/tasks/wp_nginx.yml
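Review bot: The first task in the new tasks/wp_maintenance.yml gives `file:` an argument string with no `path=` key, so the module should fail on the missing required argument before the log directory exists. Both cron tasks are always `state: present`, so the daily core and plugin updates stay scheduled even when `wordpress_auto_upgrade` or `wordpress_auto_upgrade_all_plugins` is false. They also call a bare `wp`, which cron's default PATH may not resolve given that `wordpress_cli_bin` is `/usr/local/bin/wp`. The second task has an empty `name:` as well, which makes failed update runs harder to spot in the play output. The fence shows the directory task and the two cron jobs with the state tied to the toggles and the absolute CLI path.

```yaml
- name: Create a directory to store the logs of the wp maintenance commands
  file: path=/var/log/wordpress_maintenance state=directory owner={{ wordpress_system_user }} mode=0755

# … unchanged: one-shot core update task …

- name: Cron job that updates the Wordpress core
  cron:
    # … unchanged: name, special_time, user …
    job: "cd {{ wordpress_doc_root }} && {{ wordpress_cli_bin }} core update {% if wordpress_auto_upgrade_minor_only %} --minor{% endif %} > /var/log/wordpress_maintenance/wp_core_update.log 2>&1"
    state: "{{ 'present' if (wordpress_auto_upgrade | bool) else 'absent' }}"

# … unchanged: one-shot plugin update tasks …

- name: Cron job that updates the Wordpress plugins
  cron:
    # … unchanged: name, special_time, user …
    job: "cd {{ wordpress_doc_root }} && {{ wordpress_cli_bin }} plugin update --all > /var/log/wordpress_maintenance/wp_plugins_update.log 2>&1"
    state: "{{ 'present' if (wordpress_auto_upgrade_all_plugins | bool) else 'absent' }}"
```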
@@ -1,14 +1,14 @@ --- - block: - name: Install the nginx virtualhost - template: src=nginx_wordpress.conf dest=/etc/nginx/sites-available/wordpress mode=0444 + template: src=nginx_wordpress.conf.j2 dest=/etc/nginx/sites-available/wordpress.conf mode=0444 with_items: '{{ phpfpm_pools }}' notify: Reload nginx - name: Enable the nginx virtualhost - file: src=/etc/nginx/sites-available/wordpress dest=/etc/nginx/sites-enabled/wordpress state=link + file: src=/etc/nginx/sites-available/wordpress.conf dest=/etc/nginx/sites-enabled/wordpress.conf state=link notify: Reload nginx - when: wordpress_local_nginx_virtualhost + when: wordpress_local_nginx_virtualhost | bool tags: [ 'wordpress', 'nginx', 'virtualhost' ] \ No newline at end of file diff --git a/tasks/wp_prerequisites.yml b/tasks/wp_prerequisites.yml index 9f404d0..d175d3c 100644 --- a/tasks/wp_prerequisites.yml +++ b/tasks/wp_prerequisites.yml @@ -1,7 +1,7 @@ --- - block: - name: Install the wordpress php prerequisites - apt: name={{ item }} state=present + apt: name={{ item }} state=present cache_valid_time=1800 with_items: '{{ wordpress_php_prereq }}' - name: Get the wordpress CLI tool diff --git a/templates/nginx_wordpress.conf b/templates/nginx_wordpress.conf.j2 similarity index 79% rename from templates/nginx_wordpress.conf rename to templates/nginx_wordpress.conf.j2 index 3a2bef1..687265c 100644 --- a/templates/nginx_wordpress.conf +++ b/templates/nginx_wordpress.conf.j2 @@ -9,6 +9,15 @@ server { ## Your only path reference. root {{ item.doc_root }}; + {% if nginx_block_dotfiles %} + location ~ /\.(?!well-known).* { + deny all; + access_log off; + log_not_found off; + return 404; + } + {% endif %} + {% if letsencrypt_acme_install %} include /etc/nginx/snippets/letsencrypt-proxy.conf; {% endif %} 
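Review bot: Renaming the vhost to `wordpress.conf` in tasks/wp_nginx.yml leaves the previously deployed `/etc/nginx/sites-available/wordpress` and its `sites-enabled/wordpress` link in place on hosts that already ran the role. If nginx.conf includes `sites-enabled/*` (not visible here), both copies load, and the stale one lacks the new dotfile block. A cleanup task ahead of the template would cover it: `file: path=/etc/nginx/sites-enabled/wordpress state=absent`, the same for `sites-available/wordpress`, each with `notify: Reload nginx`. Separately, the template task loops over `phpfpm_pools` but writes a single fixed `dest`, so with more than one pool only the last render survives.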
@@ -49,9 +58,9 @@ server { } server { - listen {{ https_port }} ssl; + listen {{ https_port }} ssl http2; ## Your website name goes here. - server_name {{ item.virthost }}; + server_name {{ item.virthost }} {{ item.virthost_aliases }}; ## Your only path reference. root {{ item.doc_root }}; @@ -62,6 +71,22 @@ server { ## This should be in your http block and if it is, it's not needed here. index index.php; + {% if nginx_block_dotfiles %} + location ~ /\. { + deny all; + access_log off; + log_not_found off; + return 404; + } + {% endif %} + + {% if haproxy_ips is defined %} + # We are behind haproxy + {% for ip in haproxy_ips %} + set_real_ip_from {{ ip }}; + {% endfor %} + real_ip_header X-Forwarded-For; + {% endif %} # redirect server error pages to the static page /50x.html # diff --git a/templates/wp-config.php b/templates/wp-config.php.j2 similarity index 100% rename from templates/wp-config.php rename to templates/wp-config.php.j2 diff --git a/vars/main.yml b/vars/main.yml index 61c744e..0f6fdea 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -5,7 +5,7 @@ https_port: 443 letsencrypt_acme_dest_dir: '{{ wordpress_servername }}' php_from_ppa: True -php_version: 5.6 +php_version: 7.2 phpfpm_base_dir: '/etc/php/{{ php_version }}/fpm' phpfpm_cli_dir: '/etc/php{{ php_version }}/cli' 
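Review bot: The dotfile rule added to the TLS server in the last nginx_wordpress.conf.j2 hunk is `location ~ /\.`, without the `(?!well-known)` exception that the port-80 block in the first hunk has. Requests under `/.well-known/` are therefore answered with 404 over HTTPS but allowed over HTTP; if that is not intended, use `location ~ /\.(?!well-known).*` in both. In both blocks `deny all;` has no effect, because `return 404;` runs in the rewrite phase before access checks. `{{ item.virthost_aliases }}` is added only to the TLS `server_name`, and the plain-HTTP `server_name` is outside the hunks and unchanged, so alias hosts over HTTP presumably fall through to the default server. Writing `{{ item.virthost_aliases | default('') }}` would also keep pools that lack the key from failing the render.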
@@ -17,4 +17,4 @@ phpfpm_default_pool_name: '{{ wordpress_system_user }}' phpfpm_default_user: '{{ wordpress_system_user }}' phpfpm_pools: - - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', admin_write: True, doc_root: '{{ wordpress_doc_root }}', virthost: '{{ wordpress_servername }}' } \ No newline at end of file + - { pool_name: '{{ phpfpm_default_pool_name }}', app_context: '{{ phpfpm_default_context }}', user: '{{ phpfpm_default_user }}', group: '{{ phpfpm_default_group }}', listen: '{{ phpfpm_default_listen }}', allowed_clients: '{{ phpfpm_default_allowed_clients }}', pm: '{{ phpfpm_default_pm }}', pm_max_children: '{{ phpfpm_default_pm_max_children }}', pm_start_servers: '{{ phpfpm_default_pm_start_servers }}', pm_min_spare: '{{ phpfpm_default_pm_min_spare_servers }}', pm_max_spare: '{{ 
phpfpm_default_pm_max_spare_servers }}', pm_max_requests: '{{ phpfpm_default_pm_max_requests }}', pm_status_enabled: '{{ phpfpm_default_pm_status_enabled }}', pm_status_path: '{{ phpfpm_default_pm_status_path }}', ping_enabled: '{{ phpfpm_default_ping_enabled }}', ping_path: '{{ phpfpm_default_ping_path }}', ping_response: '{{ phpfpm_default_ping_response }}', display_errors: '{{ phpfpm_default_display_errors }}', log_errors: '{{ phpfpm_default_log_errors }}', memory_limit: '{{ phpfpm_default_memory_limit }}', slowlog_timeout: '{{ phpfpm_default_slowlog_timeout }}', rlimit_files: '{{ phpfpm_default_rlimit_files }}', php_extensions: '{{ phpfpm_default_extensions }}', define_custom_variables: '{{ phpfpm_default_define_custom_variables }}', admin_write: True, doc_root: '{{ wordpress_doc_root }}', virthost: '{{ wordpress_servername }}', virthost_aliases: '{{ wordpress_aliases | default('') }}' } \ No newline at end of file
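Review bot: The new `virthost_aliases` entry in vars/main.yml nests `''` inside a single-quoted YAML scalar, where a doubled quote is the escape for one literal `'`. The parser therefore hands Jinja `{{ wordpress_aliases | default(') }}`, an unterminated string that should fail when `phpfpm_pools` is templated. Double-quote the outer scalar instead: `virthost_aliases: "{{ wordpress_aliases | default('') }}"`.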