skip to Main Content

Stedding – LEMP Stack for Laravel –  is a minimalistic LEMP Stack setup for Laravel PHP. It facilitates the setting up of Laravel apps on a well prepared Ubuntu based VPS using Ansible Playbooks. This page will cover all it has to offer and how it can help you provision a LEMP server to accommodate a Laravel App.

Click image below to check out the repo at Github:

Stedding Github Repo

Local Box Requirements

You need to have Ansible installed on your local computer. Ansible is the tool used for the provisining and all the instructions are in Ansible using yaml formatting. The setup of Ansible really differs from box to box See Ansible Documents for instructions. The best way to do it however is using Python’s pip:

pip install ansible

Pip makes it easy to switch Ansible versions when need be. See example in this Trellis related article.

Password Hashing

For hashing the password for the admin user you have to install passlib:

pip install passlib

Remote Server Requirements

To run Ansible Playbooks properly on Ubuntu 17.10+ we need to setup a sudo user and make sure Python and some other packages such as `ppa:ondrej/php` are available so Ansible can run. The setting up of a sudo user and adding of the SSH keys has been taken care of. So is the adding of Python and Ondrej’s PHP PPA. All you need is root access to the Ubuntu 17.10 box. Preferably access using an SSH key as that is the most secure way.

NB Gist with useful setup tips


  • Install prerequisites
  • Sudo user Creation
  • Web user Creation
  • LEMP Provisioning
  • Laravel Homebase Setup
  • Install Certbot Plugin and create Certs (in progress)

Ansible Roles

Geerllingguy Roles:

added where possible with:

ansible-galaxy install --roles-path . geerlingguy.rolename

inside roles folder.

Other roles:

Stedding Variables

Do not forget to adjust the vars in:

  • grousp_var/all and
  • vars/mainyml

where need be. Not all will have to be adjusted perhaps but some will have to. This is besides the addition of the hosts file as will be mentioned later on. The variables in vars/main.yml are for setting up PHP, MySQL and Nginx details based on Geerlingguy roles. The variables in `grousp_var/all` are for the user only at the moment.

Local Ansible Config Setup

We expect you to have installed Ansible on your own control box already. If not check out Ansible for instructions.

Adding Host to Hosts file

The Ansible config file is in the repository already. It checks for a hosts file the root of the project. It is put on .gitignore as we do not want to share host details. So you need to add it.
So create and open hosts file with nano using:

nano hosts

add php details using your non sudo user, laravel here, and the ip address to your server


Ansible Books Test

To do a test from your local computer – a MacBook Pro for example – you should run the following command:

ansible server -m ping

And when all is well you should get this response: | SUCCESS => {
 "changed": false,
 "ping": "pong"

Run Playbook

Then to run the script use the following:

ansible-playbook server.yml

This is run as root in most of our cases –ask-sudo-pass is not added here.

Server Packages

The current Ansible playbooks contain all the following server packages to run a Laravel app:

  • deployer
  • openssl (not active)
  • certbot
  • composer
  • git
  • memcached
  • mysql
  • nginx
  • nodejs
  • php
  • php mysql
  • laravel-setup (not active)
  • swapfile


Nginx details are stored in vars/main.yml . One host for the site being used for testing purposes has been added there. Do change it to work with the domain of your choice.

- listen: "443 ssl http2"
server_name: "{{domain}}"
root: "/var/www/{{domain}}/current/public"
index: "index.php index.html index.htm"
state: "present"
template: "{{ nginx_vhost_template }}"
#The filename defaults to the first domain in server_name
filename: "{{domain}}.conf"
extra_parameters: |
location / {
try_files $uri $uri/ /index.php$is_args$args;
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
# certificates for when Let's Encrypt Certbot is not used
# ssl_certificate /etc/ssl/certs/domain_com-bundle.crt;
# ssl_certificate_key /etc/ssl/certs/domain_com.key;
# ssl_protocols TLSv1.1 TLSv1.2;
# ssl_ciphers HIGH:!aNULL:!MD5;
- listen: "80"
server_name: "{{domain}}"
return: "301 https://{{domain}}$request_uri"
state: "present"
filename: "{{domain}}.80.conf"


Using Geerlingguy’s Certbot role Let’s Encrypt’s Certbot has been added to the server. This allows the site to use Let’s Encrypt SSL certificate. This does however not adjust the Nginx’s domain configuration to server on 443 and redirect port 80 traffic to port 443. Tweaks for this are being made.

Nginx Certbot plugin has to be added using

sudo apt-get install python-certbot-nginx

This is an Ansible  task is in the works, but not done. So for now this has to be done from the command line on the server. Then you can run:

certbot --nginx

to start the installation using the certbot plugin. You will then be asked to choose a domain and whether you need a redirect or not (we already have one so no). Next, they will ask you to agree with the TOS and install all. Working on an incorporation on the server still.

NB May not be necessary if you run your own certs only. See further down on SSL


Current PHP configuration details added to `vars/main.yml` are:

 php_memory_limit: "512M"
 php_max_execution_time: "90"
 php_upload_max_filesize: "256M"
 php_version: "7.1"
 php_packages_state: latest
 - php7.1-apcu
 - php7.1-common
 - php7.1-intl
 - php7.1-cli
 - php7.1-dev
 - php7.1-fpm
 - libpcre3-dev
 - php7.1-gd
 - php7.1-curl
 - php7.1-imap
 - php7.1-json
 - php-mbstring
 - php7.1-mcrypt
 - php7.1-opcache
 - php7.1-pdo
 - php7.1-xml
 - php7.1-mbstring
 - php7.1-zip
 - php7.1-mysql
 php_date_timezone: "UTC"
 php_webserver_daemon: "nginx"
 php_fpm_daemon: php7.1-fpm

To work with PHP 7.1. Ondrej’s PHP PPA is added in requirements playbook using:

 - name: Add repository for PHP 7.
 apt_repository: repo='ppa:ondrej/php'

And to make sure all the Ubuntu PHP related config files get all the settings we have to add:

 - /etc/php/7.1/fpm
 - /etc/php/7.1/cli

 - /etc/php/7.1/fpm/conf.d
 - /etc/php/7.1/cli/conf.d

PHP Packages

Current list of PHP packages as listed above is pretty large at the moment and not all are needed to run Laravel. In the future some of these packages may be removed.

PHP OpCache

For pre compiling PHP scripts Stedding uses PHP OpCache. For quick emptying OpCache use /etc/init.d/php7.1-fpm restart . Read more on it at


“Free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.” More information at their wiki.


The MariaDB details added to `vars/main.yml` so far are only for adding a dummy database:

 mysql_root_password: super-secure-password
 - name: example_db
 encoding: latin1
 collation: latin1_general_ci
 - name: example_user
 host: "%"
 password: similarly-secure-password
 priv: "example_db.*:ALL"

That and for setting the MySQL package up with MariaDB:

 - mariadb-client
 - mariadb-server
 - python-mysqldb

More details will most probably be added at a later stage.


Composer is added and binary is put in the directory of the web user. Laravel is also added as a globally required package so it can be used.

 - { name: laravel/installer }
 composer_home_path: '/home/web/.composer'
 composer_home_owner: web
 composer_home_group: www-data
 composer_add_to_path: true

NB Composer is added to the web user’s path using the web user role


To set up your Laravel application to work with Mailgun for sending out emails which is used in this repo check out this [Laravel document You will need:

To use the Mailgun driver, first install Guzzle (installed when Laravel was installed using `laravel new` ), then set the driver option in your `config/mail.php` configuration file to mailgun.

Next, verify that your `config/services.php` configuration file contains the following options:

'mailgun' => [
 'domain' => 'your-mailgun-domain',
 'secret' => 'your-mailgun-key',

The server will not be setup to deal with email clients nor will work as an email server. For that we recommend Google Mail.


Nodejs role is installed and we automatically add the following global packages:


 - name: yarn
 - name: bower
 - name: grunt
 - name: gulp

Bower and Grunt will probably be removed in the future.

Laravel Homebase Setup

To run your Laravel application from a specific project directory, the one added to your Nginx configuration, we have added a separate playbook. One we will expand upon soon with other tasks. For now the project directory is created only using this task:

- name: Project Folder Creation
 file: dest=/var/www/{{domain}} mode=2755 state=directory owner=web group=www-data

The domain can be set in group_vars/all. GUID has been set as well so all files and directories added will all be under group www-data. User web should be used to add files in the project folder preferably as it is the owner of the project directory.


Deployment script using []( has been added as a role to this Ansible package. It is using the latest role version that is available on Github. The repository with the deploy.php script that has been tested with the Laravel app Larastudio can be found [here]( Here is the code:

 ->set('deploy_path', '/var/www/');

Just add it locally to your Laravel app, make sure your added Deployer locally with composer using composer global require deployer/deployer. And of course make sure you use your own details.


Kamal’s swapfile role has been added with default configuration. This to add some more RAM in the form of a swapfile which is especially useful when you are using a 512MB Droplet at Digital Ocean for example.

Let’s Encrypt or Commercial SSL Certificates

OpenSSL role has been added so self signed certificates can be added when you would like to. Current Stedding setup is aimed at working with Let’s Encrypt so this role has not been activated. The path to own SSL certificates have been commented out:

 # ssl_certificate /etc/ssl/certs/domain_com-bundle.crt;
 # ssl_certificate_key /etc/ssl/certs/domain_com.key;
 # ssl_protocols TLSv1.1 TLSv1.2;
 # ssl_ciphers HIGH:!aNULL:!MD5;

As you will see there are two server blocks. One is for port 80, the second one should be for port 443 and both in different files:

 - listen: "80"
 server_name: ""
 return: "301$request_uri"
 filename: ""

Let’s Encrypt task for auto renewal has also been added :

 certbot_auto_renew_user: root
 certbot_auto_renew_minute: 20
 certbot_auto_renew_hour: 5

NB Only use it when you are using Let’s Encrypt instead of your own certs. Beginning 2018 we should have wildcard certs so things will be much more interesting.

Back To Top