WordPress Roots.io and Semantic UI Sass

After building a custom theme with Understrap and Material Design for Bootstrap 4 I wanted to quickly, i.e. within a few days, build a WordPress site using the Roots.io framework and Semantic UI.

Semantic UI has a community ownership model i.e. its not Facebook, or Google or Twitter or Microsoft and has ports into NPM, gems, Elm, Ember etc

Assign Domain OpenPlanetCulture.com

The website domain will be Open Planet Culture, openplanetculture.com. The idea for this project is a site about the planet Earth, but without the New Age baggage of Gaia Hypothesis and hopefully more accessible to the science on the subject. I want to try to use language that bridges the left-right culture-wars divide on subjects such as climate change etc. We assign the domain in Dynadot to Cloudflare and set-up DNSSEC.

Development Set-up on Mac Sierra

Install Trellis, the Ansible devops based toolchain. Locally for development it uses Vagrant and remotely on production uses Ansible.

We install Virtualbox, the Virtualbox extensions pack and Vagrant, direct from the vendor.

WordPress building on (a) Trellis

Trellis a dev-prod 12 factor app style toolchain.

We need to install Ansible which first requires PIP on Mac.

sudo easy_install pip
sudo pip install ansible

we also need Vagrant plugins

vagrant plugin install vagrant-bindfs
vagrant plugin install vagrant-hostmanager

we change the to Project directory, make our project folder

cd ~/Projects
mkdir www.openplanetculture.com
cd www.openplanetculture.com/

and now clone from Github and remove the .git folder, we dont need these .git history files

git clone --depth=1 [email protected]:roots/trellis.git && rm -rf trellis/.git

Bedrock a boilerplate base for WordPress site development

We now git clone Bedrock which contains boilerplate and modern development tools such as Facebook’s Nodejs client Yarn.

git clone --depth=1 [email protected]:roots/bedrock.git site && rm -rf site/.git

Next, we use Ansible Galaxy to install our Roots.io ecosystem roles, which are in turned sourced from the Ansible ecosystem of community roles.

cd trellis && ansible-galaxy install -r requirements.yml

install worked fine

cd trellis && ansible-galaxy install -r requirements.yml
- downloading role 'composer', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-composer/archive/1.5.0.tar.gz
- extracting composer to /Users/devekko/Projects/www.openplanetculture.com/trellis/vendor/roles/composer
- composer was installed successfully
- downloading role 'ntp', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-ntp/archive/1.3.0.tar.gz
- extracting ntp to /Users/devekko/Projects/ww.openplanetculture.com/trellis/vendor/roles/ntp
- ntp was installed successfully
- downloading role 'logrotate', owned by nickhammond
- downloading role from https://github.com/nickhammond/ansible-logrotate/archive/e7a498d.tar.gz
- extracting logrotate to /Users/devekko/Projects/www.openplanetculture.com/trellis/vendor/roles/logrotate
- logrotate was installed successfully
- downloading role 'swapfile', owned by kamaln7
- downloading role from https://github.com/kamaln7/ansible-swapfile/archive/0.4.tar.gz
- extracting swapfile to /Users/devekko/Projects/www.openplanetculture.com/trellis/vendor/roles/swapfile
- swapfile was installed successfully
- downloading role 'daemonize', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-daemonize/archive/1.1.1.tar.gz
- extracting geerlingguy.daemonize to /Users/devekko/Projects/www.openplanetculture.com/trellis/vendor/roles/geerlingguy.daemonize
- geerlingguy.daemonize was installed successfully
- downloading role 'mailhog', owned by geerlingguy
- downloading role from https://github.com/geerlingguy/ansible-role-mailhog/archive/2.1.0.tar.gz
- extracting mailhog to /Users/devekko/Projects/www.openplanetculture.com/trellis/vendor/roles/mailhog
- mailhog was installed successfully
- dependency geerlingguy.daemonize is already installed, skipping

WordPress Site development

Now we have our fundament, we have our Roots, our Trellis and our Bedrock, lets build a site.

According to the excellent Roots docs, the “site” is the basic unit of organization and a server can host 1 or more, sites.

This is excellent !

We control the sites using Ansible Group Variables and other settings, so our code is our infrastructure.

Site and Secrets organization

Sounds a bit like a spy novel, but instead we have sites defined in

and the sites secrets in www.openplanetculture.com/trellis/group_vars/development/vault.yml

Personally, I am not convinced Ansible Vault is not a risk, but its widely used and we will go with it for now. Its certainly better than clear text passwords.

Lets generate some passwords using command line pwgen, or alternatively, my preference Password Safe.

brew install pwgen

and set them in our secrets (which I changed after publishing this blog post!)

vault_mysql_root_password: uoquiGh8Sego2hee

admin_password: admin
db_password: oonaNgo5eeP4eich

Notice, also that Roots.io preferences openplanetculture.com as canonical, NOT www.openplanetculture.com. This is actually not recommended by Cloudflare, but let’s go with this for now, we “should” be able to just change config and it will work, but for now, lets stay close to defaults so we don’t trip ourselves up.

There are loads of Ansible settings that we can use as we progress.

Complete Local Development Setup

We complete our local dev setup from the detailed official docs.

We check-list ourselves and looks good, so lets run vagrant up, I’ll grab a coffee and expect to do some further trouble-shooting. Vagrant rarely works the first time imho….

Dev site installed

Now I can visit the site on http://openplanetculture.dev

Open Planet Culture DEV site
Open Planet Culture DEV site

Create a new theme with Sage

Sage is the custom starter theme and its used by some interesting sites, including Data.gov.

cd /Users/devekko/Projects/openplanetculture.com/site/web/app/themes

lets install Sage master (9-dev) and we first need Composer installed globally

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"\nphp -r "if (hash_file('SHA384', 'composer-setup.php') === '55d6ead61b29c7bdee5cccfb50076874187bd9f21f65d8991d46ec5cc90518f447387fb9f76ebae1fbbacf329e583e30') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"\nphp composer-setup.php\nphp -r "unlink('composer-setup.php');"
mv composer.phar /usr/local/bin/composer

now we install using Composer and the interactive prompts

composer create-project roots/sage openplanetculture.com dev-master
Installing roots/sage (dev-master 35edef6ae75280d060f3ef022feaf77b6d1cdb54)
- Installing roots/sage (dev-master master) Cloning master from cache
Created project in openplanetculture.com
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Package operations: 14 installs, 0 updates, 0 removals
- Installing composer/installers (v1.2.0) Downloading: 100%
- Installing doctrine/inflector (v1.1.0) Downloading: 100%
- Installing paragonie/random_compat (v2.0.7) Downloading: 100%
- Installing illuminate/contracts (v5.4.13) Downloading: 100%
- Installing illuminate/support (v5.4.13) Downloading: 100%
- Installing illuminate/config (v5.4.13) Downloading: 100%
- Installing psr/log (1.0.2) Downloading: 100%
- Installing symfony/debug (v3.2.4) Downloading: 100%
- Installing symfony/finder (v3.2.4) Downloading: 100%
- Installing illuminate/filesystem (v5.4.13) Downloading: 100%
- Installing illuminate/container (v5.4.13) Downloading: 100%
- Installing illuminate/events (v5.4.13) Downloading: 100%
- Installing illuminate/view (v5.4.13) Downloading: 100%
- Installing squizlabs/php_codesniffer (2.8.0) Downloading: 100%
paragonie/random_compat suggests installing ext-libsodium (Provides a modern crypto API that can be used to generate random bytes.)
illuminate/support suggests installing symfony/process (Required to use the composer class (~3.2).)
illuminate/support suggests installing symfony/var-dumper (Required to use the dd function (~3.2).)
illuminate/filesystem suggests installing league/flysystem (Required to use the Flysystem local and FTP drivers (~1.0).)
illuminate/filesystem suggests installing league/flysystem-aws-s3-v3 (Required to use the Flysystem S3 driver (~1.0).)
illuminate/filesystem suggests installing league/flysystem-rackspace (Required to use the Flysystem Rackspace driver (~1.0).)
Generating autoload files
Do you want to remove the existing VCS (.git, .svn..) history? [Y,n]? Y

Define theme headers. Press enter key for default.
Theme Name [Sage Starter Theme]: Open Planet Culture
Theme URI [https://roots.io/sage/]: http://openplanetculture.com
Theme Description [Sage is a WordPress starter theme.]: Open Planet Culture Sage 9-dev theme
Theme Version [9.0.0-beta.2]:
Theme Author [Roots]: Devekko
Theme Author URI [https://roots.io/]: http://blog.devekko.com
Select a CSS framework (Default: Bootstrap)
[0] Bootstrap
[1] Foundation
[2] None
Add Font Awesome? [y,N]? y
Configure build settings. Press enter key for default.
Path to theme directory (eg. /wp-content/themes/sage) [/app/themes/openplanetculture.com]:
Local development URL of WP site [http://example.dev]: http://openplanetculture.dev

tree tells us we have a nice theme

tree openplanetculture.com / -L 1
├── LICENSE.md
├── README.md
├── assets
├── composer.json
├── composer.lock
├── functions.php
├── index.php
├── package.json
├── phpcs.xml
├── screenshot.png
├── src
├── style.css
├── templates
├── vendor
└── yarn.lock

Buy the Book

There is lots more about Sage, and the best way is buy the book and support the project!

Sage 9-dev with yarn npm package manager

cd /Users/devekko/Projects/openplanetculture.com/site/web/app/themes/openplanetculture.com
brew install zsh
brew install yarn

now we use yarn as a replace npm client, no more nom install

openplanetculture.com yarn
yarn install v0.21.3
[1/4] 🔍 Resolving packages...
[2/4] 🚚 Fetching packages...
[3/4] 🔗 Linking dependencies...
[4/4] 📃 Building fresh packages...
success Saved lockfile.
✨ Done in 38.09s.

now we run yarn run start

yarn run start
yarn run v0.21.3
$ webpack --hide-modules --watch --config assets/build/webpack.config.js

Webpack is watching the files…

[BS] [HTML Injector] Running...
[BS] Proxying: http://openplanetculture.dev
[BS] Access URLs:

   Local: http://localhost:3000

      UI: http://localhost:3001

UI External:

[BS] Watching files...

now we have our SASS compiled into CSS and we have the basic setup for theming with Sage 9-dev and Trellis and Roots


Adding Semantic UI

I want to try Semantic UI and use yarn

openplanetculture.com yarn add semantic-ui-sass
yarn add v0.21.3
[1/4] 🔍 Resolving packages...
[2/4] 🚚 Fetching packages...
[3/4] 🔗 Linking dependencies...
[4/4] 📃 Building fresh packages...
success Saved lockfile.
success Saved 1 new dependency.
└─ [email protected]
✨ Done in 8.38s.

next steps will be getting Semantic UI working with Sage

Data.gov as a reference

next few days I will theme and build the Open Planet Culture site, probably referencing Data.gov

Debops or the NSA for complete devops solution to network security

bastion debops

Production Ready Configuration Management Suites

As far as I know, in the entire world, there are two open source, production-based, bespoke configuration management systems.

In other words, if you want to run a full data center, network, production system and you want a system that has been designed and built and TESTED in production already to work, you only have two options.

Sure you can make your own system and test everything together, you can make a bricolage of existing roles and custom roles and make it work. But there will always be a long tail of implementation issues.

One such project comes from the US federal government, the NSA, SIMP, is based on Redhat and uses Puppet. There is excellent documentation and its compliant with the highest security standards (docs).

The other comes from a medical university in Europe and is based on Debian. Being an Ubuntu user, I’ll start with the Debian system. The second system is called Debops, the Debian data center in a box.

Debops is a Debian Data Center in a Box

Debops is based on the concept of an Ansible controller, i.e. a desktop or laptop which acts as the controller for the entire network.

I am going to install a bastion server, a VMware based VM which will be encrypted and also act as the bastion server for the entire network. This way my laptop does not become the weakest link in the entire chain.

I am running the VMware bastion VM from the RAID drive, and will give it a static IP, from within the VM and also at the router. My Comcast business router has annoying IP reassignment settings that kick in at very unfortunate times, such as after a power out etc. I force them to stick with dedicated IP.

Bastion set-up

I installed the operating system on the server, configure bridged, static public and private IP, setup DNS with Cloudflare, VNC access and openssh-server. I also install Ubuntu Desktop, 1, because I have loads of RAM and 2 I want the flexibility of using VNC if needed. I know, shell purists roll their eyes now.

Install openssh-server, keygens, and then allow root login with keys, create a root password, and then connect locally and remotely ssh [email protected] This is super important as otherwise you will be locked out of ssh from remote and can only use VNC. Also when you run debops for the first time you debops adds root to the users for remote logins. I also had to su devekko to change from root to my main sudo user to run the debops python scripts.

ssh-copy-id [email protected]
ssh-copy-id [email protected]

Debops Install

Debops has excellent, if dense, docs, and we use the Install docs

sudo -H apt install python-pip

let’s also upgrade pip

sudo -H pip install --upgrade pip

Next we install Debops itself with PIP

sudo -H pip install debops

Install Ansible

Debops uses Ansible and we need that installed now, but let’s install the latest development version via GIT and run from source

cd /home/devekko
sudo apt install -y git wget curl
sudo apt install -y build-essential libssl-dev libffi-dev python-dev
sudo -H pip install paramiko PyYAML Jinja2 httplib2 six
git clone git://github.com/ansible/ansible.git --recursive
cd ./ansible
source /home/devekko/ansible/hacking/env-setup

now we have a Ansible running from source

ansible --version
ansible 2.3.0 (devel bd036c15e0) last updated 2017/02/19 16:06:37 (GMT -700)
config file =
configured module search path = Default w/o overrides

Starting Debops project

Now we begin our Debops project. Debops is designed to have separate projects for separate networks of servers and applications. From Getting Started installs the Debops roles, playbooks and some handy Python scripts for shortcuts to standard verbose Ansible

cd /home/devekko

DebOps playbooks have not been found, installing into /home/devekko/.local/share/debops/debops-playbooks

for a total of 107 playbooks

Initiate Project

debops-init /home/devekko/devekko-io
Creating new DebOps project in /home/devekko/devekko-io ...


We now add our bastion server to the inventory

cd devekko-io
vi ansible/inventory/hosts
bastion ansible_connection=local

Now we run Debops on our Bastion server


PLAY RECAP ******************************************************************************************
bastion : ok=218 changed=124 unreachable=0 failed=0

TASK: debops.dhparam : Generate Diffie-Hellman params on Ansible Controller - 224.43s
TASK: debops.apt : Update APT cache ------------------------------------ 19.12s
TASK: debops.apt_install : Install requested APT packages -------------- 13.19s
TASK: debops.core : Install required core packages --------------------- 12.88s
TASK: debops.sshd : Ensure OpenSSH support is installed ---------------- 10.40s
TASK: debops.ferm : Configure ip(6)tables rules ------------------------- 8.98s
TASK: debops.ferm : Ensure ferm is installed ---------------------------- 7.39s
TASK: debops.nullmailer : Install required packages --------------------- 6.48s
TASK: debops.auth : Install auth-related packages ----------------------- 5.56s
TASK: debops.atd : Install atd ------------------------------------------ 5.09s

now, Debops runs 107 playbooks and bootstraps your Bastion server as the Ansible controller

we now have Debops installed as a Bastion server which we can encrypt and backup and access from across the network

bastion debops
bastion debops