Roots Discourse

Getting started with Trellis for multiple domains


#1

Hello,
I just started with Trellis and am following the documentation here:

and I want to set up an environment for managing different domains and deploy to 1 droplet on DigitalOcean. For example:
domain1.com
domain2.com
domain3.com

But the documentation has one example.com directory. Do I have to create a Trellis project for every domain?

I also looked at the GitHub examples:


but the example is only for 1 domain. I am really confused about how to manage multiple domains using one Trellis.

Sorry if the question is dumb and noob, but can someone please explain this to me?
Thanks


#2

Welcome @newbieguy!

That’s excellent you’ve reviewed the docs and the example project. You’ll find many/most answers to subsequent questions like this by also searching discourse.

The following discourse thread may be a good starting point for addressing your question:

Use resources like the above to work out as much as you can, then feel free to post a question if you get stuck.


#3

Thank you for the reply. I have been reading and watching videos and I am getting there.
I read the topic you referred to but I am confused as I don't have the ansible folder.

You mentioned this structure:
salons/
├── ansible/
├── allclips/
├── beautiesalon/
└── cutswell/

When installing Trellis I got two folders:
Trellis and Site

I am so confused. I have been using cPanel and I create different sites on the same server. I want to be able to do the same thing using Trellis, so have many sites on 1 DigitalOcean droplet.

I watched this video: https://www.youtube.com/watch?v=Ls30HGKru8A and there were some comments about multi sites on a single droplet but no reference to how to actually do it.

Has anyone deployed more than 1 site on a single droplet?
Thanks


#4

Since the time that post was written, the ansible folder has been renamed trellis (folder names are just recommendations anyway). So, when you read, translate ansible to trellis and figure that your current site directory corresponds to any one of the salon names in the example, but is renamed after the salon name. Need another salon? Just copy site and rename it to the new salon name.

Generally, I do think it is better to keep sites on different droplets, one Trellis project per site. But if you find a compelling reason that all sites are part of a group and should be on one droplet, I suppose it could be justified under some circumstances.

Here’s another example of the potential folder structure on your local machine:

site-group-1/
├── trellis/
├── domain1/    (copy of bedrock `site` directory)
├── domain2/    (copy of bedrock `site` directory)
└── domain3/    (copy of bedrock `site` directory)

#5

Thank you, I will start again and hopefully I can set it up.
Also, regarding your suggestion about running each site on one droplet, I have like 4 websites and they are not heavy traffic websites, so it would be a waste of money to run each on its own droplet.

Would this cause any security issues if one of the websites is compromised, since I will have all of them in one droplet?


#6

@fullyint okay so I was able to run a website with this structure:

allsites/
├── trellis/
├── site/
└── sitez/

and in wordpress_sites.yml I added this:

wordpress_sites:
  example.com:
    site_hosts:
      - canonical: example.dev
        redirects:
          - www.example.dev
    local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
    admin_email: admin@example.dev
    multisite:
      enabled: false
    ssl:
      enabled: false
      provider: self-signed
    cache:
      enabled: false
  siteexample.com:
    site_hosts:
      - canonical: site.dev
        redirects:
          - www.site.dev
    local_path: ../sitez # path targeting local Bedrock site directory (relative to Ansible root)
    admin_email: admin@example.dev
    multisite:
      enabled: false
    ssl:
      enabled: false
      provider: self-signed
    cache:
      enabled: false

and vault.yml:

vault_wordpress_sites:
  example.com:
    admin_password: admin
    env:
      db_password: example_dbpassword
  siteexample.com:
    admin_password: admin_email
    env:
      db_password: example_db

and when I do vagrant up I can access example.dev but not site.dev.
site.dev gives this error:

This page isn’t working

site.dev didn’t send any data.
ERR_EMPTY_RESPONSE

I even shut down vagrant and launched it again but still can't access the second site.

Also, when I ssh to vagrant I could see the sites:

vagrant@example:/srv/www$ ls
example.com  siteexample.com

#7

ERR_EMPTY_RESPONSE makes it sound like there isn’t a functional nginx conf for site.dev. The nginx conf would be created/updated in the wordpress-setup role, so we really only need to run the wordpress tags of the playbook. Try this:

SKIP_GALAXY=true ANSIBLE_TAGS=wordpress vagrant reload --provision

then run

vagrant hostmanager

then try loading site.dev in a new browser tab. If it still doesn’t work, you could vagrant ssh and inspect the nginx confs in /etc/nginx/sites-enabled to ensure they look correct to you.

Notes on the commands:

  • SKIP_GALAXY saves some time because you already have those roles installed
  • ANSIBLE_TAGS runs only the relevant roles
  • reload is to ensure that vagrant has synced up the two bedrock site directories
  • --provision is so that it runs the dev.yml playbook and its roles tagged wordpress
  • vagrant hostmanager updates the entries in /etc/hosts to ensure your browser will serve from the VM instead of real public DNS.

As for the security risks of multiple sites on the same server, I’m not a pro on the topic, but it seems safe to say that the nature of the risk depends on the nature of the compromise. In general, of course, any given site would be safer on its own separate server, unless that means the caretaker is overwhelmed and not being as vigilant. I’m not aware of Trellis attempting any special sandboxing between sites on the server, however.
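The check suggested in this reply (look at the nginx confs for the host that returns nothing) can be scripted. This is an added example, not part of the post or of Trellis; it assumes each conf lists its names in a one-line `server_name a b;` directive, and the sample conf is constructed to mirror the state described in the thread.

```shell
#!/bin/sh
# Added example: list expected hostnames that no nginx server block claims.
# Assumption: names appear in one-line `server_name a b c;` directives.

# missing_hosts CONF_DIR HOST... -> prints each HOST with no server_name entry
missing_hosts() {
    conf_dir=$1; shift
    # Collect every name from every server_name directive, one per line.
    names=$(cat "$conf_dir"/* 2>/dev/null |
        sed -n 's/^[[:space:]]*server_name[[:space:]]\{1,\}\([^;]*\);.*/\1/p' |
        tr -s ' \t' '\n\n')
    for host in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$host" || printf '%s\n' "$host"
    done
}

# Constructed sample: only the first site has a conf, as in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/example.com.conf" <<'EOF'
server {
  listen 80;
  server_name example.dev;
}
server {
  listen 80;
  server_name www.example.dev;
  return 301 $scheme://example.dev$request_uri;
}
EOF

echo "hosts without an nginx server block:"
missing_hosts "$demo_dir" example.dev www.example.dev site.dev www.site.dev

# On the Vagrant VM the same call would be:
#   missing_hosts /etc/nginx/sites-enabled site.dev www.site.dev
```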


#8

Thank you,
it is working 🙂

So every time I add a new site I have to run this command:
SKIP_GALAXY=true ANSIBLE_TAGS=wordpress vagrant reload --provision

For the security question, what I was thinking was that when using cPanel, every site has its own FTP and login information, so if one of the websites is hacked, the person can’t access all other sites even if they are on the same server (I think that is true, please correct me if I am wrong). Would something like that apply to Trellis sites? Can we lock down each website so it doesn’t give access to the entire files?


#9

As for a presentation of the security issues regarding multiple sites on a single Trellis server, I’ll yield to the community or to your research and testing on the topic.

Trellis doesn’t set up FTP by default, but you could set up specific FTP-only users with access to specific sites only, customizing the sshd role with FTP settings. You’d be doing it manually with sshd_config, vs. using cPanel (no cPanel with Trellis).

The sites’ files aren’t sandboxed because Trellis loads all the sites in the same web root, which is owned by the single web user. I don’t think Trellis intends to build an environment like shared hosting with sandboxed web roots.

This isn’t a topic I’ll be researching at present, but I’d be interested to read someone’s review of the details and implications of setting up something like this. One slightly related security topic with Trellis is roots/trellis#368