Continuously deploying WordPress sites in docker containers to a $5/mo DigitalOcean Ubuntu VPS via Azure Pipelines

collinbarrett/wp-host-on-containers

wp-host-on-containers

A modern, containerized v2 of wp-vps-build-guide.

Note: This repo is primarily for my personal DevOps process and not meant to be directly re-usable by anyone. However, it could potentially serve as a reference for anyone trying to do something similar.

The Stack

  • GitHub
  • Azure Pipelines
  • DigitalOcean
  • Ubuntu LTS
  • Docker CE
  • Docker Compose
  • MariaDB
  • Redis
  • php-fpm
  • WordPress
  • nginx
  • Cloudflare

Deployment Target Setup

Initial Setup

  1. Create a minimum-size Standard Droplet with the latest Ubuntu LTS.
    • Add backups.
    • Enable Monitoring.
    • Include a pre-configured SSH key.
  2. Follow the DigitalOcean guide for Initial Server Setup with Ubuntu.
  3. Set PermitRootLogin to no in /etc/ssh/sshd_config.
  4. sudo apt install fail2ban
  5. Enable Ubuntu automatic updates.

Register with Azure DevOps

  1. Visit https://dev.azure.com/<ORGANIZATIONNAME>/_settings/deploymentpools.
  2. Add a new deployment pool.
  3. Execute the provided installation script for Linux.

Install Docker

  1. See the official docs for installing on Ubuntu.
  2. Complete the desired Linux postinstall procedures.

Install Docker Compose

See the official docs for installing on Linux.

TLS Certificates

I use Cloudflare's free SSL certificates.

  1. SFTP the following to ~/cert:
  2. sudo openssl dhparam -out ~/cert/dhparam.pem 2048
  3. sudo chmod -R 600 ~/cert
  4. sudo chown -R root:root ~/cert

Azure Pipelines Setup

TBD

Additional Configuration After First Release

Restrict MariaDB User Permissions

The default user initialized by the MariaDB docker container is granted all privileges on the default database, so we want to restrict it to just the permissions required by normal WordPress operations. Replace the angle-bracketed placeholders with our actual values.

  • docker exec -i -t <MariaDB_container_name> /bin/bash
  • mysql -u root -p
  • REVOKE ALL PRIVILEGES ON <_WORDPRESS_DB_NAME>.* FROM '<_WORDPRESS_DB_USER>'@'%';
  • GRANT SELECT, INSERT, UPDATE, DELETE ON <_WORDPRESS_DB_NAME>.* TO '<_WORDPRESS_DB_USER>'@'%';
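To confirm the restriction took effect, the output of SHOW GRANTS for the WordPress user can be audited against the four privileges granted above. This is an added example, not part of the repository; the function names are hypothetical and wp_db / wp_user are constructed stand-ins for <_WORDPRESS_DB_NAME> and <_WORDPRESS_DB_USER>.

```shell
#!/bin/sh
# Added example: audit SHOW GRANTS output against the four privileges granted above.
# wp_db and wp_user are constructed stand-ins for the real database name and user.
ALLOWED="SELECT INSERT UPDATE DELETE"

# excess_privs DB_NAME: reads SHOW GRANTS text on stdin and prints "scope: privilege"
# for every grant on DB_NAME (or on *.*) that is outside ALLOWED.
excess_privs() {
    awk -v db="$1" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^GRANT / {
            line = $0; sub(/\r$/, "", line); sub(/^GRANT /, "", line)
            on = index(line, " ON "); if (on == 0) next   # role grant, no ON clause
            privs = substr(line, 1, on - 1); rest = substr(line, on + 4)
            scope = substr(rest, 1, index(rest, " TO ") - 1)
            gsub(/`/, "", scope)
            if (scope != "*.*" && index(scope, db ".") != 1) next   # other database
            m = split(privs, p, /, */)
            for (i = 1; i <= m; i++)
                if (p[i] != "USAGE" && !(p[i] in ok)) print scope ": " p[i]
            if (line ~ /WITH GRANT OPTION/) print scope ": GRANT OPTION"
        }'
}

# grants_ok DB_NAME: exit status 0 only when nothing exceeds ALLOWED.
grants_ok() {
    out=$(excess_privs "$1")
    [ -z "$out" ] || { printf '%s\n' "$out" >&2; return 1; }
}

# Constructed SHOW GRANTS output before and after the REVOKE/GRANT steps.
sample_before() { cat <<'EOF'
GRANT USAGE ON *.* TO `wp_user`@`%` IDENTIFIED BY PASSWORD '*CONSTRUCTED'
GRANT ALL PRIVILEGES ON `wp_db`.* TO `wp_user`@`%`
EOF
}
sample_after() { cat <<'EOF'
GRANT USAGE ON *.* TO `wp_user`@`%` IDENTIFIED BY PASSWORD '*CONSTRUCTED'
GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_db`.* TO `wp_user`@`%`
EOF
}

echo "before:"; sample_before | excess_privs wp_db
echo "after:";  sample_after | grants_ok wp_db && echo "only the allowed privileges remain"
```

On the live host, pipe the result of SHOW GRANTS FOR '<_WORDPRESS_DB_USER>'@'%' into grants_ok <_WORDPRESS_DB_NAME>. WordPress core and plugin updates that change the schema issue CREATE and ALTER statements, which this privilege set refuses, so those need a temporarily wider grant.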

WordPress Auto-Updates

For now, enable auto-updates using WordPress's built-in functionality. I plan to extend the flexibility of this in the future by using wp-cli triggered from cron jobs to perform updates and maintenance.

  • docker exec -i -t <WordPress_container_name> /bin/bash
  • apk add nano (Or other text editor of choice. Since I have --force-recreate on releases, this will get removed during the next release to keep the container slim.)

WordPress Core

  • Add define( 'WP_AUTO_UPDATE_CORE', true ); to wp-config.php

Plugins

  • Add add_filter( 'auto_update_plugin', '__return_true' ); to theme's functions.php

TODO List

  • Use secrets for database configurations.
  • Limit permissions of WordPress database user.
  • Implement scheduled backups of databases and files.
    • Phase 1: using DigitalOcean's droplet backups
    • Phase 2: docker-compose named volume backups
  • Implement auto-updates of WordPress core and plugins.
    • Phase 1: using WordPress's auto-updater
    • Phase 2: scheduled using wp-cli
  • Implement scheduled wp-sweep via wp-cli.
  • Implement miscellaneous nginx best practices for speed and security.
  • Implement Redis object caching.
  • Implement FastCGI page caching.
  • Tune MariaDB instances for WordPress performance.
