From 22c16e1ed3c51b1d234d30b4e0b64d2f81e816f0 Mon Sep 17 00:00:00 2001
From: Alan Orth <alan.orth@gmail.com>
Date: Sat, 29 Mar 2025 22:09:37 +0300
Subject: [PATCH] roles/caddy/templates: closer to supporting WordPress

I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
---
 roles/caddy/templates/etc/caddy/conf.d/vhost.j2 | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/roles/caddy/templates/etc/caddy/conf.d/vhost.j2 b/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
index 00bcb5a..b02e77d 100644
--- a/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
+++ b/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
@@ -33,7 +33,14 @@
     encode zstd gzip
 
     file_server
-    {% endif %}
+    {% elif has_wordpress -%}
+    root * {{ document_root }}
+    encode
+    {%   if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
+    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
+    {%   endif -%}
+    file_server
+    {% endif -%}
 
     import security-headers
 }