debops.wpcli default variables

APT packages


List of useful APT packages to install with WP-CLI.

wpcli__base_packages: [ 'bash-completion' ]

List of additional APT packages to install with WP-CLI.

wpcli__packages: []

WP-CLI installation from upstream


The fingerprint of the GPG key used to sign the WP-CLI releases.

wpcli__gpg_key_id: '63AF 7AA1 5067 C056 16FD  DD88 A3A2 E8F2 26F0 BC06'

The version of the WP-CLI framework to install. When changing it, remember to update the meta/watch-wp-cli file as well.

wpcli__version: '2.2.0'

List of files corresponding to a given WP-CLI version which should be downloaded to the source directory. The parameters have the same meaning as the get_url Ansible module parameters. The *.phar.gpg file will be decrypted and verified via the gpg command before installation.


  - url: ''
    dest: '{{ wpcli__src }}/wp-cli-2.2.0.phar.gpg'
    checksum: 'sha256:6ed3c78adea2801ce900f3dc8f09ce799958955cc842b5f8d17d8ffb74eca7a2'
    version: '2.2.0'

  - url: ''
    dest: '{{ wpcli__src }}/wp-cli-2.2.0.completion.bash'
    checksum: 'sha256:443ca0610ccae8d2d6aceba0ec4aa7929b87ed6cf54f666afed18d663a18a395'
    version: '2.2.0'

Absolute path to the directory on the remote host, where the WP-CLI source files will be stored.

wpcli__src: '{{ (ansible_local.fhs.src | d("/usr/local/src"))
                + "/wpcli" }}'

Absolute path where the WP-CLI script will be installed. The wp command name is hardcoded in many places, so changing it could cause problems during usage.

wpcli__binary: '/usr/local/bin/wp'

Absolute path where the bash completion functions for the WP-CLI script will be installed.

wpcli__bash_completion: '/etc/bash_completion.d/wp-completion'

Security of the wp-config.php files

The WordPress installer creates the wp-config.php configuration files with insecure, world-writable permissions (0666, the mode of the Beast). By default, the debops.wpcli role creates a cron job that looks for such files once a day and changes their permissions to 0600 to improve security in shared environments.


Enable or disable a cron job which will secure all wp-config.php files found on the server.

wpcli__secure_wpconfig_enabled: True

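The command that will be executed by cron as root to find all wp-config.php files and secure them. The default searches /home and /srv for files that are readable by other users (-perm /o+r) and sets their mode to 600. System administrators will receive e-mail messages when permissions of found files are changed.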

wpcli__secure_wpconfig_command: 'find /home /srv -type f -iname "wp-config.php" -perm /o+r -exec chmod -v 600 "{}" \;'
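
The following dry-run audit is an added example, not part of the debops.wpcli role. It reports which wp-config.php files the default command above would change and which ones its -perm /o+r test does not match. The function names and the sample tree are constructed for illustration, and GNU find (the Debian default) is assumed.

```shell
#!/bin/sh
# Added example, not part of debops.wpcli. Assumes GNU find (Debian default).

# Print "<class> <octal mode> <path>" for each wp-config.php under the given
# roots (default: the roots used by the role's command). Nothing is modified.
#   fix  : readable by others; matched by the role default '-perm /o+r'
#   miss : group/other bits set but not o+r (e.g. 660, 602); not matched
#   ok   : owner-only access
wpconfig_audit() {
    [ "$#" -gt 0 ] || set -- /home /srv
    find "$@" -type f -iname "wp-config.php" \( \
        -perm /o+r -printf 'fix %m %p\n' -o \
        -perm /077 -printf 'miss %m %p\n' -o \
        -printf 'ok %m %p\n' \)
}

# Constructed sample tree: four sites with different wp-config.php modes.
wpconfig_demo() {
    demo_root=$(mktemp -d) || return 1
    for mode in 666 644 660 600; do
        mkdir -p "$demo_root/site$mode"
        : > "$demo_root/site$mode/wp-config.php"
        chmod "$mode" "$demo_root/site$mode/wp-config.php"
    done
    # Strip the temporary prefix so the report is stable across runs
    wpconfig_audit "$demo_root" | sed "s|$demo_root/||" | sort
    rm -rf "$demo_root"
}
```

Run wpconfig_audit as root before enabling the cron job to preview its effect. Files reported as "miss" need a broader test such as -perm /077 in wpcli__secure_wpconfig_command if group access is not wanted.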

The cron interval to use to look for insecure wp-config.php files on the server. Supported intervals: hourly, daily, weekly, monthly.

wpcli__secure_wpconfig_interval: 'daily'

Configuration for other Ansible roles


Configuration for the debops.keyring Ansible role.


  # This key will be installed in the 'root' GPG keyring
  - '{{ wpcli__gpg_key_id }}'

List of PHP packages to be installed by the debops.php role.


  - 'mysql'