Actools: A CLI-Driven Drupal 11 Installer with Automated Security Auditing
These articles are AI-generated summaries. Please check the original sources for full details.
I built a Drupal installer that tells you if your site is safe to ship
Actools is a Drupal 11 installer for Hetzner VPS hosts that automates deployment of a full stack, including Caddy 2 and Redis 7. What sets it apart is a CLI audit tool that runs 25 health checks and produces an honest security score rather than a simple "installed" status.
Why This Matters
Many Drupal installers stop once every service starts, leaving critical gaps such as unconfigured trusted_host_patterns or a publicly reachable private files directory undetected. Actools closes the gap between a running site and a secure site by making developers confront configuration problems in Redis caching, TLS certificate validity, and container health through a CLI report that states the facts, rather than a passive dashboard.
Key Insights
- The actools audit command runs 25 specific checks across four categories to catch common deployment failures such as cache poisoning.
- A fresh installation intentionally scores 6/10, an honest baseline that highlights missing backups and a Redis backend that is not yet wired to Drupal.
- Shell escaping across Docker layers was solved with a quoted heredoc pattern, so injected configuration survives multiple layers of bash execution unchanged.
- The stack uses Caddy 2 for automated HTTPS and security headers, alongside MariaDB 11.4 and PHP 8.3-FPM on Ubuntu 24.04.
- Idempotency checks for settings.php must use an anchored regex so they do not match the commented-out default configuration lines.
Working Examples
The quoted heredoc pattern used to inject configuration into a Docker container without shell-escaping conflicts:

```bash
# Outer double quotes: the host shell expands ${domain_escaped} and turns \$ into $.
# Inner quoted heredoc ('EOF'): the container shell writes the lines verbatim.
docker compose exec -T "$php_svc" bash -c "cat > /tmp/php_inject.php << 'EOF'
\$settings['trusted_host_patterns'] = array('^${domain_escaped}\$', '^.*\\.${domain_escaped}\$');
// trusted_host_patterns_active
EOF
cat /tmp/php_inject.php >> /path/to/settings.php
rm -f /tmp/php_inject.php"
```
The anchored idempotency check, which only matches an active assignment at the start of a line and therefore ignores the commented-out defaults:

```bash
# The leading ^ rejects lines such as "# $settings['file_private_path'] = '';"
grep -q "^\$settings\['file_private_path'\]" /path/to/settings.php
```
Practical Applications
- System Deployment: Automating Drupal 11 stacks on Hetzner CX22 instances with pre-configured MariaDB 11.4 and Redis 7.
- Pitfall: Relying on unanchored grep checks in settings.php, which makes the installer skip injections because the check matches commented-out lines.
- Post-Deployment: Running actools audit to detect expired TLS certificates or unconfigured private file paths that leave data publicly accessible.
- Pitfall: Updating settings.php via script without running `drush cr`, so Drupal keeps serving the cached configuration and ignores the new security settings.
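The two pitfalls above, shown end to end as an added example that is not Actools' own code: a hypothetical `inject_private_path` helper guards the injection with the anchored grep, runs it against a constructed settings.php that contains Drupal's commented-out default, and reports whether anything changed so the caller knows when `drush cr` is needed.

```bash
#!/usr/bin/env bash
# Added example (not from Actools): idempotent settings.php injection
# guarded by an anchored grep, demonstrated on a constructed settings file.
set -euo pipefail

# Anchored: matches only an active assignment starting at column 0.
has_active_setting() {   # $1 = settings key, $2 = settings.php path
  grep -q "^\$settings\['$1'\]" "$2"
}

# Unanchored (the pitfall): also matches "# $settings[...]" default lines.
has_any_mention() {      # $1 = settings key, $2 = settings.php path
  grep -q "\$settings\['$1'\]" "$2"
}

# Append the directive only when no active assignment exists.
# Returns 0 if it injected (caller should run "drush cr"), 1 if already set.
inject_private_path() {  # $1 = settings.php path, $2 = private files dir
  if has_active_setting file_private_path "$1"; then
    return 1
  fi
  cat >> "$1" <<EOF
\$settings['file_private_path'] = '$2';
// file_private_path_active
EOF
  return 0
}

demo() {
  local f; f=$(mktemp)
  # Constructed sample mirroring the commented-out line in default.settings.php.
  cat > "$f" <<'EOF'
<?php
# $settings['file_private_path'] = '';
EOF
  has_any_mention file_private_path "$f" && echo "unanchored grep: would wrongly skip"
  inject_private_path "$f" /var/www/private && echo "injected; run drush cr"
  inject_private_path "$f" /var/www/private || echo "already set; skipped"
  rm -f "$f"
}

demo
```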