Setting permissions for your GitLab CI Runner & W3 Total Cache

So in the last post on this, I looked at setting up auto deploy for a WordPress site using GitLab’s CI runner. I also wanted the W3TC cache to be cleared, and thanks to WP-CLI, that was possible by adding:

to the end of the script node in .gitlab-ci.yml.

Now. “sudo?!?!?!?!” I hear you say? There’s a security risk if ever I saw one. Luckily this doesn’t have to be the case if things are set up right. Make a separate user for GitLab Runner and limit it to sudo-ing as only www-data and only running that command while doing so.

It’s a good idea to set up a separate user in general too, for security.

There wasn’t an awful lot of info on that when I Googled though, so (from initial user creation):

Done! Your CI script will now be able to run WP-CLI commands as www-data. No root access, no entering passwords.
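A check for the restriction described above, as an added example that is not code from the original post: it audits sudoers lines for the runner account and passes only when every rule runs as www-data and pins each command to a path plus fixed arguments. The account name gitlab-runner, the WP-CLI path /usr/local/bin/wp and the flush subcommand are assumptions, and both sample rules are constructed.

```shell
#!/bin/sh
# Added example. Assumed names, not from the original post: runner account
# "gitlab-runner", WP-CLI at /usr/local/bin/wp, W3TC flush subcommand.
RUNNER=gitlab-runner

# Constructed sample: the narrow grant the post describes.
restricted_rule() {
  echo "$RUNNER ALL=(www-data) NOPASSWD: /usr/local/bin/wp w3-total-cache flush all"
}

# Constructed sample: the blanket grant that makes CI sudo dangerous.
broad_rule() {
  echo "$RUNNER ALL=(ALL) NOPASSWD: ALL"
}

# Read sudoers lines on stdin. Return 0 only if the runner has at least one
# rule and every rule runs as www-data only, with each command pinned to an
# absolute path plus fixed arguments (a bare path allows ANY arguments).
audit_sudoers() {
  awk -v user="$RUNNER" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    $1 != user               { next }        # rules for other accounts
    {
      seen = 1; line = $0
      sub(/^[ \t]*[^ \t]+[ \t]+[^=]+=[ \t]*/, "", line)    # drop "user host="
      if (line !~ /^\(www-data\)[ \t]/) {
        print "FAIL run-as is not exactly (www-data): " $0; bad = 1; next
      }
      sub(/^\([^)]*\)[ \t]*/, "", line)                     # drop "(www-data)"
      while (sub(/^[A-Z_]+:[ \t]*/, "", line)) { }          # drop tags (NOPASSWD:)
      n = split(line, cmd, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        pinned = (cmd[i] ~ /^\/[^ \t]+[ \t]+[^ \t]/)        # path + arguments
        wild = index(cmd[i], "*") || index(cmd[i], "?") || index(cmd[i], "[")
        if (!pinned || wild) { print "FAIL command not pinned: " cmd[i]; bad = 1 }
      }
    }
    END { exit !(seen && !bad) }'
}

restricted_rule | audit_sudoers && echo "restricted rule: OK"
broad_rule | audit_sudoers || echo "broad rule: rejected"
```

Feed it the drop-in you actually install (as root, since sudoers files are not world-readable), and run `visudo -c` as well to catch syntax errors before they lock sudo.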


Enable Root Login on Ubuntu Server

If you’re using Ubuntu as a web server, as the main admin there’s not much reason not to enable root login via SSH. DigitalOcean do it on their VMs by default for instance. So:

[bash]
sudo passwd root # Set a new password
sudo nano /etc/ssh/sshd_config
[/bash]

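Comment out PermitRootLogin without-password (which allows root in with an SSH key only) and add PermitRootLogin yes, which also lets root log in with the password set above. Save it and reload the SSH config: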

[bash]
sudo service ssh reload
[/bash]

Job done! No more using sudo all the time to change your Nginx config!