Stedding – LEMP Stack for Laravel – is a minimalistic LEMP stack setup for Laravel PHP. It facilitates the setting up of Laravel apps on a well-prepared Ubuntu-based VPS using Ansible Playbooks. This page will cover all it has to offer and how it can help you provision a LEMP server to accommodate a Laravel app.
Local Box Requirements
You need to have Ansible installed on your local computer. Ansible is the tool used for the provisioning, and all the instructions are written for Ansible in YAML format. The setup of Ansible really differs from box to box; see the Ansible documentation for instructions. The best way to do it, however, is using Python’s pip:
```bash
pip install ansible
```
Pip makes it easy to switch Ansible versions when need be. See example in this Trellis related article.
Password Hashing
For hashing the password for the admin user you have to install passlib:
```bash
pip install passlib
```
Remote Server Requirements
To run Ansible Playbooks properly on Ubuntu 17.10+ we need to set up a sudo user and make sure Python and some other packages, such as the `ppa:ondrej/php` repository, are available so Ansible can run. The setting up of a sudo user and the adding of SSH keys have been taken care of, as has the adding of Python and Ondrej’s PHP PPA. All you need is root access to the Ubuntu 17.10 box, preferably using an SSH key as that is the most secure way.
NB Gist with useful setup tips
Playbooks
- Install prerequisites
- Sudo user Creation
- Web user Creation
- LEMP Provisioning
- Laravel Homebase Setup
- Install Certbot Plugin and create Certs (in progress)
Ansible Roles
Geerlingguy roles, added where possible with:
```bash
ansible-galaxy install --roles-path . geerlingguy.rolename
```
run inside the roles folder.
Other roles:
- Ansible Deployer by jverdeyen
- Ansible Swapfile by Kamaln7
Stedding Variables
Do not forget to adjust the vars in:
- group_vars/all and
- vars/main.yml
where need be. Not all will have to be adjusted perhaps, but some will. This is besides the addition of the hosts file, as will be mentioned later on. The variables in `vars/main.yml` are for setting up PHP, MySQL and Nginx details based on the Geerlingguy roles. The variables in `group_vars/all` are for the user only at the moment.
Local Ansible Config Setup
We expect you to have installed Ansible on your own control box already. If not, check out the Ansible documentation for instructions.
Adding Host to Hosts file
The Ansible config file is already in the repository. It checks for a hosts file in the root of the project. The hosts file is on .gitignore as we do not want to share host details, so you need to add it yourself.
So create and open the hosts file with nano using:
```bash
nano hosts
```
and add the host details, using your non-sudo user (laravel here) and the IP address of your server:
```ini
[web]
xxx.xxx.xx.xxx
```
Ansible Books Test
To do a test from your local computer – a MacBook Pro for example – you should run the following command:
```bash
ansible server -m ping
```
And when all is well you should get this response:
```
xxx.xxx.xx.xxx | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
```
Run Playbook
Then to run the script use the following:
```bash
ansible-playbook server.yml
```
This is run as root in most of our cases, so `--ask-sudo-pass` is not added here.
Server Packages
The current Ansible playbooks contain all the following server packages to run a Laravel app:
- deployer
- openssl (not active)
- certbot
- composer
- git
- memcached
- mysql
- nginx
- nodejs
- php
- php mysql
- laravel-setup (not active)
- swapfile
Nginx
Nginx details are stored in `vars/main.yml`. One host for the site used for testing purposes has been added there. Do change it to work with the domain of your choice in `group_vars/all`.
```yaml
- listen: "80 default_server"
  server_name: "{{domain}}"
  root: "/var/www/{{domain}}/current/public"
  index: "index.php index.html index.htm"
  state: "present"
  template: "{{ nginx_vhost_template }}"
  extra_parameters: |
    location / {
      try_files $uri $uri/ /index.php$is_args$args;
    }
    location ~ \.php$ {
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
    }
```
We also have two blocks for when you would like to work with self-signed certificates. These may be added to a separate Stedding version in the future. When you use these two blocks you cannot use Let’s Encrypt’s bot; with the block above you can. That is because Certbot will fail when it finds port 443 and SSL already set up instead of port 80 and a basic setup. Here below are the two blocks for a self-signed certificate, creating two separate vhost files on the server:
```yaml
nginx_vhosts:
  - listen: "443 ssl http2"
    server_name: "{{domain}}"
    root: "/var/www/{{domain}}/current/public"
    index: "index.php index.html index.htm"
    state: "present"
    template: "{{ nginx_vhost_template }}"
    # The filename defaults to the first domain in server_name
    filename: "{{domain}}.conf"
    extra_parameters: |
      location / {
        try_files $uri $uri/ /index.php$is_args$args;
      }
      location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
      }
      # certificates for when Let's Encrypt Certbot is not used
      # ssl_certificate /etc/ssl/certs/domain_com-bundle.crt;
      # ssl_certificate_key /etc/ssl/certs/domain_com.key;
      # ssl_protocols TLSv1.1 TLSv1.2;
      # ssl_ciphers HIGH:!aNULL:!MD5;
  - listen: "80"
    server_name: "{{domain}}"
    return: "301 https://{{domain}}$request_uri"
    state: "present"
    filename: "{{domain}}.80.conf"
```
Certbot
Using Geerlingguy’s Certbot role, Let’s Encrypt’s Certbot has been added to the server. This allows the site to use a Let’s Encrypt SSL certificate. It does not, however, adjust Nginx’s domain configuration to serve on 443 and redirect port 80 traffic to port 443. Tweaks for this are being made.
The Nginx Certbot plugin has to be added using:
```bash
sudo apt-get install python-certbot-nginx
```
An Ansible task for this is in the works but not done, so for now it has to be run from the command line on the server. Then you can run:
```bash
certbot --nginx
```
to start the installation using the Certbot plugin. You will then be asked to choose a domain and whether you need a redirect or not (we already have one, so no). Next, you will be asked to agree to the TOS and install everything. Incorporating this into the server provisioning is still being worked on.
NB This may not be necessary if you only run your own certs. See further down under SSL.
PHP
Current PHP configuration details added to `vars/main.yml` are:
```yaml
php_memory_limit: "512M"
php_max_execution_time: "90"
php_upload_max_filesize: "256M"
php_version: "7.1"
php_packages_state: latest
php_packages:
  - php7.1-apcu
  - php7.1-common
  - php7.1-intl
  - php7.1-cli
  - php7.1-dev
  - php7.1-fpm
  - libpcre3-dev
  - php7.1-gd
  - php7.1-curl
  - php7.1-imap
  - php7.1-json
  - php-mbstring
  - php7.1-mcrypt
  - php7.1-opcache
  - php7.1-pdo
  - php7.1-xml
  - php7.1-mbstring
  - php7.1-zip
  - php7.1-mysql
php_date_timezone: "UTC"
php_webserver_daemon: "nginx"
php_fpm_daemon: php7.1-fpm
```
To work with PHP 7.1, Ondrej’s PHP PPA is added in the requirements playbook using:
```yaml
- name: Add repository for PHP 7.
  apt_repository: repo='ppa:ondrej/php'
```
And to make sure all the Ubuntu PHP related config files get all the settings we have to add:
```yaml
php_conf_paths:
  - /etc/php/7.1/fpm
  - /etc/php/7.1/cli
php_extension_conf_paths:
  - /etc/php/7.1/fpm/conf.d
  - /etc/php/7.1/cli/conf.d
```
PHP Packages
The current list of PHP packages, as listed above, is pretty large at the moment and not all of them are needed to run Laravel. In the future some of these packages may be removed.
PHP OpCache
For pre-compiling PHP scripts Stedding uses PHP OpCache. To quickly empty OpCache use `/etc/init.d/php7.1-fpm restart`. Read more on it at Ma.ttias.be.
Memcached
“Free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.” More information at their wiki.
MariaDB
The MariaDB details added to `vars/main.yml` so far are only for adding a dummy database (note that `host: "%"` lets the user connect from any host, and the passwords are placeholders to replace):
```yaml
mysql_root_password: super-secure-password
mysql_databases:
  - name: example_db
    encoding: latin1
    collation: latin1_general_ci
mysql_users:
  - name: example_user
    host: "%"
    password: similarly-secure-password
    priv: "example_db.*:ALL"
```
That and for setting the MySQL package up with MariaDB:
```yaml
mysql_packages:
  - mariadb-client
  - mariadb-server
  - python-mysqldb
```
More details will most probably be added at a later stage.
Composer
Composer is added and the binary is put in the directory of the web user. The Laravel installer is also added as a globally required package so it can be used.
```yaml
composer_global_packages:
  - { name: laravel/installer }
composer_home_path: '/home/web/.composer'
composer_home_owner: web
composer_home_group: www-data
composer_add_to_path: true
```
NB Composer is added to the web user’s path using the web user role.
To set up your Laravel application to work with Mailgun for sending out emails, which is used in this repo, check out the Laravel mail documentation. You will need the following:
To use the Mailgun driver, first install Guzzle (installed when Laravel was installed using `laravel new`), then set the `driver` option in your `config/mail.php` configuration file to `mailgun`.
Next, verify that your `config/services.php` configuration file contains the following options:
```php
'mailgun' => [
    'domain' => 'your-mailgun-domain',
    'secret' => 'your-mailgun-key',
],
```
The server will not be set up to deal with email clients, nor will it work as an email server. For that we recommend Google Mail.
Nodejs
The Nodejs role is installed and we automatically add the following global packages:
```yaml
nodejs_npm_global_packages:
  - name: yarn
  - name: bower
  - name: grunt
  - name: gulp
```
Bower and Grunt will probably be removed in the future.
Laravel Homebase Setup
To run your Laravel application from a specific project directory, the one added to your Nginx configuration, we have added a separate playbook, one we will expand upon soon with other tasks. For now the project directory is created using only this task:
```yaml
- name: Project Folder Creation
  file: dest=/var/www/{{domain}} mode=2755 state=directory owner=web group=www-data
```
The domain can be set in `group_vars/all`. The setgid bit (the leading 2 in mode 2755) has been set as well, so all files and directories added will be under group www-data. User web should preferably be used to add files in the project folder, as it is the owner of the project directory.
Deployment
A deployment script using [Deployer.org](https://deployer.org/) has been added as a role to this Ansible package. It uses the latest role version available on Github. The repository with the deploy.php script that has been tested with the Laravel app Larastudio can be found [here](https://github.com/jasperf/larastudio). Here is the relevant part of the host configuration:
```php
    ->forwardAgent()
    ->stage('production')
    ->set('deploy_path', '/var/www/larastud.io');
```
Just add it locally to your Laravel app, and make sure you added Deployer locally with Composer using `composer global require deployer/deployer`. And of course make sure you use your own details.
Swapfile
Kamal’s swapfile role has been added with its default configuration. This adds some more memory headroom in the form of a swapfile, which is especially useful when you are using a 512MB Droplet at Digital Ocean, for example.
Let’s Encrypt or Commercial SSL Certificates
The OpenSSL role has been added so self-signed certificates can be added when you would like to. The current Stedding setup is aimed at working with Let’s Encrypt, so this role has not been activated. The paths to your own SSL certificates have been commented out:
```nginx
# ssl_certificate /etc/ssl/certs/domain_com-bundle.crt;
# ssl_certificate_key /etc/ssl/certs/domain_com.key;
# ssl_protocols TLSv1.1 TLSv1.2;
# ssl_ciphers HIGH:!aNULL:!MD5;
```
As you will see there are two server blocks. One is for port 80, the second one should be for port 443, and both are in different files:
```yaml
- listen: "80"
  server_name: "example.com www.example.com"
  return: "301 https://example.com$request_uri"
  filename: "example.com.80.conf"
```
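As an added check that is not part of the Stedding repo, here is a small linter for the rendered vhost blocks from the Nginx section above and this one: it flags a TLS listener with no active certificate (the commented-out `ssl_` lines), the legacy `TLSv1.1` in the self-signed block, a PHP-FPM socket that does not match `php_version`, and a port-80 block that serves content instead of redirecting. The sample server blocks are constructed from the page's vars with `{{domain}}` filled in as example.com; `lint_vhost` and the finding texts are my own.

```python
import re

# Constructed inputs: the Stedding vhost blocks rendered as nginx server blocks,
# with {{domain}} filled in as example.com (not captured from a live server).
SELF_SIGNED_443 = """
server {
    listen 443 ssl http2;
    server_name example.com;
    root /var/www/example.com/current/public;
    location ~ \\.php$ { fastcgi_pass unix:/var/run/php/php7.1-fpm.sock; }
    ssl_certificate /etc/ssl/certs/domain_com-bundle.crt;
    ssl_certificate_key /etc/ssl/certs/domain_com.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}"""
# Same block with the ssl_ lines still commented out, as the repo ships them.
CERTBOT_443 = SELF_SIGNED_443.replace("    ssl_", "    # ssl_")
REDIRECT_80 = """
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}"""

def active_lines(conf):
    """Directive lines with '#' comments removed; a commented-out directive is not in effect."""
    return [c for c in (ln.split("#", 1)[0].strip() for ln in conf.splitlines()) if c]

def lint_vhost(conf, php_version="7.1"):
    """Findings for one server block: a TLS listener with no certificate, legacy TLS
    versions, a PHP-FPM socket that does not match php_version, and a plain-HTTP
    block that serves content instead of redirecting to HTTPS."""
    text = "\n".join(active_lines(conf))
    findings = []
    listens = re.findall(r"^listen\s+([^;]+);", text, re.M)
    is_tls = any("ssl" in ln.split() for ln in listens)
    if is_tls and not re.search(r"^ssl_certificate\s", text, re.M):
        findings.append("ssl listener has no ssl_certificate; nginx will not start until certbot --nginx or your own certs supply one")
    m = re.search(r"^ssl_protocols\s+([^;]+);", text, re.M)
    legacy = [p for p in (m.group(1).split() if m else []) if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    if legacy:
        findings.append("deprecated protocols enabled: " + " ".join(legacy))
    for ver in re.findall(r"fastcgi_pass\s+unix:/var/run/php/php([\d.]+)-fpm\.sock", text):
        if ver != php_version:
            findings.append(f"fastcgi_pass uses php{ver}-fpm but php_version is {php_version}")
    if listens and not is_tls and not re.search(r"^return\s+301\s+https://", text, re.M):
        findings.append("plain HTTP block serves content without redirect to https")
    return findings
```

Run `lint_vhost` over each rendered block before reloading Nginx; an empty list means the block passed all four checks.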
The Let’s Encrypt task for auto renewal has also been added:
```yaml
certbot_auto_renew_user: root
certbot_auto_renew_minute: 20
certbot_auto_renew_hour: 5
```
NB Only use it when you are using Let’s Encrypt instead of your own certs. Beginning 2018 we should have wildcard certs, so things will be much more interesting.