Drupal VM can be made to manage a production environment. The security of your servers is your responsibility, and such usage should be considered experimental and unsupported.

(See companion blog post to this documentation: Soup to Nuts: Using Drupal VM to build local and prod.)

If you want to try managing a production environment (or other non-local environments) with Drupal VM, please see the following suggestions for making these servers more secure and easier to manage.

Note: As of Drupal VM 5.0.0, the example production configuration files are no longer included with Drupal VM. You would need to download Drupal VM 4.9.1 and copy the examples/prod directory into your Drupal VM codebase to make the example commands work with a newer version of Drupal VM.

Production specific overrides.

Drupal VM supports loading configuration files depending on the environment variable DRUPALVM_ENV and using this feature you can have different configurations between development and production environments.

# Loads vagrant.config.yml if available (default).
vagrant provision

# Loads prod.config.yml if available.
DRUPALVM_ENV=prod vagrant provision --provisioner=aws

If you're issuing a provision directly through ansible-playbook as you would do for most production environments you can either set the DRUPALVM_ENV variable on your host, or on the remote production machine.

# By default it doesn't try to load any other config file.
ansible-playbook -i examples/prod/inventory provisioning/playbook.yml --become --ask-become-pass

# Loads prod.config.yml if available.
DRUPALVM_ENV=prod ansible-playbook -i examples/prod/inventory provisioning/playbook.yml --become --ask-become-pass

If you add DRUPALVM_ENV=prod to the /etc/environment file on your production environment:

# Loads prod.config.yml if available.
ansible-playbook -i examples/prod/inventory provisioning/playbook.yml --become --ask-become-pass

Note: Having the variable set locally takes precedence over having it on the remote machine.

As a precaution not to accidentally provision a production server with insecure configurations, you should set your security hardening configurations in config.yml, your local development overrides in vagrant.config.yml and finally any additional production specific overrides in prod.config.yml. This way, a production environment will never be provisioned with development tools, even if the prod.config.yml is not read.

Ansible Vault support

Drupal VM will include a secrets.yml file included in your VM's configuration directory (alongside config.yml, local.config.yml, etc.) that you can use to store sensitive variables (e.g. MySQL's root password, Drupal's admin password). For extra security, you can encrypt this file, and require a password whenever the variable is used.

First, you'd create an Ansible Vault encrypted file:

$ ansible-vault create secrets.yml

Create the file inside your VM's configuration directory, and save the following inside (replacing the actual passwords with your own secure ones!):

drupal_account_pass: add-your-secure-password-1-here
drupal_db_password: add-your-secure-password-2-here                                                                  
mysql_root_password: add-your-secure-password-3-here

Ansible Vault will encrypt the file, and you can edit the file using ansible-vault edit.

When running vagrant commands, make sure you tell the Ansible provisioner to use --ask-vault-pass, e.g.:

DRUPALVM_ANSIBLE_ARGS='--ask-vault-pass' vagrant [command]

And if you need to override one of the secrets stored in that file, you can do so through an environment-specific config file, for example:

vagrant.config.yml
prod.config.yml
[etc.]

Example: Drupal VM on DigitalOcean

The examples/prod directory contains an example production configuration for Drupal VM which can be used to deploy Drupal VM to a production environment on a cloud provider like DigitalOcean, Linode, or AWS.

This guide contains instructions for how you can build a Drupal environment with Drupal VM on DigitalOcean.

Create a DigitalOcean Droplet

If you don't already have a DigitalOcean account, create one (you can use geerlingguy's affiliate link to sign up, otherwise, visit the normal DigitalOcean Sign Up form.

Make sure you have an SSH key you can use to connect to your DigitalOcean droplets, and if you don't already have one set up, or if you need to add your existing key to your account, follow the instructions in this guide: How to use SSH keys with DigitalOcean Droplets.

Once you are logged into DigitalOcean and have added your SSH key, click the 'Create Droplet' button on your Droplets page. For the Droplet, choose the following options:

  • Image: Choose Ubuntu 18.04.x x64
  • Size: 1 GB / 1 CPU (currently $5/month; you can choose a higher plan if needed)
  • Region: Choose whatever region is geographically nearest to you and your site visitors
  • Settings: (Nothing here affects how Drupal VM works, choose what you'd like)
  • Add SSH Keys: Select the SSH key you added to your account earlier.
  • Hostname: Choose a hostname for your site (e.g. example.drupalvm.com)

Click 'Create Droplet', and wait a minute or so while the Droplet is booted. Once it's booted, make sure you can log into it from your local computer:

ssh root@[droplet-hostname-or-ip]

(Make sure you replace [droplet-hostname-or-ip]) with the hostname or IP address of your Droplet!)

If you get a warning like "the authenticity of the host can't be established", answer yes to the prompt and hit enter. You should now be logged into the Droplet. Log back out by typing exit at the prompt and hitting return.

Your DigitalOcean Droplet is booted and ready to have Drupal VM installed on it.

Customize config.yml for production

Copy examples/prod/prod.config.yml to config.yml, and by looking at default.config.yml add any other overrides you'd like. Whatever variables you have set in config.yml will override the defaults set by default.config.yml.

The changes outlined in the example prod.config.yml disable development-environment tools (like Adminer) and add extra security hardening configuration (via the extra_security_enabled variable).

You now have Drupal VM configured for production by default. This is the recommended and safest way, so that you can't accidentally provision a production server with development tools. If desired you can also use the environment variable DRUPALVM_ENV to load an additional <ENV>.config.yml with production specific overrides. In most cases this is not needed though.

Customize vagrant.config.yml for local development

To re-use the same setup for local development, copy default.config.yml to vagrant.config.yml and configure it so that you override the security hardening configurations that were added in config.yml. Read about how configuration files are read under Configuring Drupal VM

Customize inventory for production

The only other thing you need to do is copy the inventory file example.inventory to inventory (so it is located at prod/inventory). By default, it reads:

[drupalvm]
1.2.3.4 ansible_ssh_user=my_admin_username

Change the host 1.2.3.4 to either the IP address or the hostname of your DigitalOcean Droplet. Remember that if you would like to use a hostname, you need to make sure the hostname actually resolves to your Droplet's IP address, either in your domain's public DNS configuration, or via your local hosts file.

Initialize the server with an administrative account

Note: This guide assumes you have Ansible installed on your host machine.

The first step in setting up Drupal VM on the cloud server is to initialize the server with an administrative account (which is separate from the root user account for better security).

Inside the examples/prod/bootstrap folder, copy the example.vars.yml file to vars.yml and update the variables in that file for your own administrative account (make sure especially to update the admin_password value!).

Then, run the following command within Drupal VM's root directory (the folder containing the Vagrantfile):

ansible-playbook -i examples/prod/inventory examples/prod/bootstrap/init.yml -e "ansible_ssh_user=root"

Once the initialization is complete, you can test your new admin login with ssh my_admin_username@droplet-hostname-or-ip. You should be logged in via your existing SSH key. Log back out with exit.

Provision Drupal VM on the Droplet

Run the following command within Drupal VM's root directory (the folder containing the Vagrantfile):

DRUPALVM_ENV=prod ansible-playbook -i examples/prod/inventory provisioning/playbook.yml --become --ask-become-pass

Note: If you have installed Drupal VM as a Composer dependency you also need to specify the path of the config directory where you have your config.yml located.

DRUPALVM_ENV=prod ansible-playbook -i config/prod/inventory vendor/geerlingguy/drupal-vm/provisioning/playbook.yml -e "config_dir=$(pwd)/config" --become --ask-become-pass

Ansible will prompt you for your admin account's sudo password (the same as the password you encrypted and saved as admin_password). Enter it and press return.

After a few minutes, your Drupal-VM-in-the-cloud Droplet should be fully configured to match your local development environment! You can visit your Droplet and access the fresh Drupal site just like you would locally (e.g. http://example.drupalvm.com/).

Known issues

  • You may need to manually create the drupal_core_path directory on the server at this time; it's not always created automatically due to permissions errors.
  • The files folder that is generated during the initial Drupal installation is set to be owned by the admin account; to make it work (and to allow Drupal to generate stylesheets and files correctly), you have to manually log into the server and run the following two commands after provisioning is complete:

    $ sudo chown -R www-data /var/www/drupalvm/drupal/sites/default/files $ sudo chmod -R 0700 /var/www/drupalvm/drupal/sites/default/files

  • You can't synchronize folders between your host machine and DigitalOcean (at least not in any sane way); so you'll need to either have Drupal VM install a site from a given Drush make file or composer.json, or deploy the site via Git, using the geerlingguy.drupal role's git deployment options.

  • Drupal VM doesn't include any kind of backup system. You should use one if you have any kind of important data on your server!

Go Further

You can use Ubuntu Ubuntu 18.04, Debian 10, or CentOS 8 when you build the DigitalOcean Droplet. Just like with Drupal VM running locally, you can customize almost every aspect of the server!

You may want to customize your configuration even further, to make sure Drupal VM is tuned for your specific Drupal site's needs, or you may want to change things and make the server configuration more flexible, etc. For all that, the book Ansible for DevOps will give you a great introduction to using Ansible to make Drupal VM and the included Ansible configuration do exactly what you need!