Beginner's guide to server administration with bedrock-ansible

Hello, first I need to say that the Roots projects are amazing. I began using them a month ago after using VVV for local WordPress theme development for a year, and the Bedrock, bedrock-ansible and Sage combination made me learn so much already. Thanks!

I provisioned a 512 MB DO droplet and deployed a website with bedrock-ansible, and the site is online and fine. As I am totally new to cloud servers and VPS, I would like to get a head start by asking what other steps would be recommended to update/maintain/optimize/secure my DO droplet that’s already in "production".

The website won’t have hundreds of visitors at the same time but should get at least a hundred per day during the summer.

Here is a list of questions that could help me further my research:

  1. Does provisioning a DO droplet with the bedrock-ansible scripts make it good enough for production?
  2. Can I or should I update the DO server by provisioning it again?
  3. Other than removing root ssh to secure the droplet, are there other security steps I should take?
  4. If I try the nginx built-in caching method described here (Best Caching Practices) or if I make any change to the server, would it be a good idea to add the steps to my bedrock-ansible scripts?
  5. If I want to monitor usage of the website (Google Analytics already in use) and load on the servers at different times of the day and week, where should I look?

Any suggestions for a beginner sysadmin are appreciated. :)


I’m also very interested in this. Thank you for your very good questions.

Great questions!

  1. That’s our goal and we believe it’s currently good enough. There are a few things missing, like monitoring, but the important things are there.
  2. You can re-provision your server whenever you want an update we make to bedrock-ansible. Some of these don’t matter for existing servers so it’s mostly up to you.
  3. There are a few already taken care of, like fail2ban and ferm (firewall). That should take care of the most common/important security issues.
  4. Yes, any change you make to the server should be done through Ansible. That way you can always re-create your server or scale and add more.
  5. There’s nothing built-in for this but there’s a ton of software you could install. Services like are also good since they provide WordPress/application monitoring as well.

Thanks for the quick answer. That’s helpful! It confirms my assumptions and I understand that if I want to customize the server, I should do it through the ansible scripts.

Another question came to my mind by reading other articles on the DigitalOcean website… Is there a reason why there is no swapfile setup on the server provisioned by bedrock-ansible?

About monitoring: my concern is to look at the performance of the website on a 512 MB server. I installed the New Relic agent for APM and Server monitoring (thanks for the suggestion). Everything seems to work fine, although New Relic provides a lot of data and it’s taking me time to digest it all. I will see how useful it is after the 14-day trial, as their service is too expensive for my client. But it’s a good start to see what kind of monitoring I find useful, and I might try to find open source software that I could install on the server eventually.

I actually thought there was a swapfile since it was brought up over a month ago. I just did a new PR here so that will be merged in very soon.

New Relic is expensive. Unfortunately most other services like it are expensive too.