From 6c78ebce628e029628b1e12473dea2cee8d78426 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 16 Sep 2017 18:10:43 +0800 Subject: [PATCH 001/663] Normalize `apt` tasks and check package variables format --- CHANGELOG.md | 1 + group_vars/all/main.yml | 3 ++ roles/common/defaults/main.yml | 20 +++++----- roles/common/tasks/main.yml | 38 +++++++++++++++++-- .../package_vars_wrong_format_msg.j2 | 4 ++ roles/fail2ban/tasks/main.yml | 6 +-- roles/ferm/tasks/main.yml | 6 +-- roles/mariadb/tasks/main.yml | 8 ++-- roles/memcached/defaults/main.yml | 7 ++++ roles/memcached/tasks/main.yml | 8 ++-- roles/nginx/tasks/main.yml | 5 ++- roles/php/defaults/main.yml | 30 +++++++-------- roles/php/tasks/main.yml | 9 +++-- roles/sshd/defaults/main.yml | 7 ++++ roles/sshd/tasks/main.yml | 10 ++--- roles/ssmtp/tasks/main.yml | 4 +- roles/xdebug/tasks/main.yml | 4 +- 17 files changed, 111 insertions(+), 59 deletions(-) create mode 100644 roles/common/templates/package_vars_wrong_format_msg.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 13240be9de..578361c15e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) * Deploys: Update WP theme paths for multisite subsites ([#854](https://github.com/roots/trellis/pull/854)) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index bcc0f88483..68ef57b68e 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2,6 +2,9 @@ composer_keep_updated: true composer_global_packages: - { name: hirak/prestissimo } apt_cache_valid_time: 3600 +apt_package_state: present +apt_security_package_state: latest +apt_dev_package_state: latest ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www 
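Review bot: The three new `apt_*_package_state` knobs land in group_vars without a comment, and their split is security-relevant: only packages whose role defaults point at `apt_security_package_state` (openssh, ferm, fail2ban in this series) are upgraded on every provision, while everything on `apt_package_state: present` is installed once and never upgraded by these tasks again. A short comment above them would make that contract visible to operators, e.g. `# present = install only; latest = also upgrade on every provision` and `# only packages tied to apt_security_package_state are kept patched by Trellis itself`. Whether another mechanism (unattended-upgrades or similar) patches the rest is not visible in this hunk.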
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 2a6d4a1f4f..3ec83ee973 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -1,17 +1,17 @@ ntp_timezone: Etc/UTC apt_packages_default: - - python-software-properties - - python-pycurl - - build-essential - - python-mysqldb - - curl - - git-core - - dbus - - libnss-myhostname + python-software-properties: "{{ apt_package_state }}" + python-pycurl: "{{ apt_package_state }}" + build-essential: "{{ apt_package_state }}" + python-mysqldb: "{{ apt_package_state }}" + curl: "{{ apt_package_state }}" + git-core: "{{ apt_package_state }}" + dbus: "{{ apt_package_state }}" + libnss-myhostname: "{{ apt_package_state }}" -apt_packages_custom: [] -apt_packages: "{{ apt_packages_default + apt_packages_custom }}" +apt_packages_custom: {} +apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.8', '>=') }}" overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index f6a59531b8..072414cf12 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -12,6 +12,36 @@ when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count tags: [letsencrypt, wordpress] +- name: Verify dict format for apt package component variables + fail: + msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" + when: package_vars_wrong_format | count + vars: + package_vars: + apt_packages_default: "{{ apt_packages_default }}" + apt_packages_custom: "{{ apt_packages_custom }}" + memcached_packages_default: "{{ memcached_packages_default }}" + memcached_packages_custom: "{{ memcached_packages_custom }}" + php_extensions_default: "{{ php_extensions_default }}" + php_extensions_custom: "{{ php_extensions_custom }}" + sshd_packages_default: "{{ sshd_packages_default }}" + sshd_packages_custom: "{{ sshd_packages_custom }}" + package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + tags: [sshd, memcached, php] + +- name: Verify dict format for apt package combined variables + fail: + msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" + when: package_vars_wrong_format | count + vars: + package_vars: + apt_packages: "{{ apt_packages }}" + memcached_packages: "{{ memcached_packages }}" + php_extensions: "{{ php_extensions }}" + sshd_packages: "{{ sshd_packages }}" + package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + tags: [sshd, memcached, php] + - name: Validate Ubuntu version debug: msg: | @@ -61,11 +91,11 @@ - name: Checking essentials apt: - name: "{{ item }}" - state: present - update_cache: true + name: "{{ item.key }}" + state: "{{ item.value }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - with_items: "{{ apt_packages }}" + with_dict: "{{ apt_packages }}" - name: Validate timezone variable stat: 
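Review bot: Both new format-check tasks build `package_vars_wrong_format` with `package_vars.iteritems()` inside the Jinja expression; that is a Python 2-only dict method, so on a Python 3 controller the template itself raises instead of producing the friendly message. `package_vars.items()` behaves the same on both interpreters and is the only change needed: `package_vars_wrong_format: "[{% for k,v in package_vars.items() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]"`. The `when: package_vars_wrong_format | count` test also relies on Ansible converting the rendered `"[...]"` string back into a list before counting, which holds today but is worth a one-line comment since `count` on the raw string would always be truthy.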
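Review bot: In `Checking essentials` the new `state: "{{ item.value }}"` is handed straight to apt, and the dict-format check above only verifies the variable is a mapping, not that each value is one of `present`/`latest`/`absent`; a typo such as `lastest` in `apt_packages_custom`, or an `absent` that quietly removes a default like `dbus`, only surfaces when this task fails mid-provision. A `fail` task ahead of it, `when: apt_packages.values() | difference(['present', 'latest', 'absent']) | count`, would reject bad states up front, and the same guard applies to the memcached, php and sshd dicts. The enclosing tasks file continues outside the hunk.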
diff --git a/roles/common/templates/package_vars_wrong_format_msg.j2 b/roles/common/templates/package_vars_wrong_format_msg.j2 new file mode 100644 index 0000000000..196368b904 --- /dev/null +++ b/roles/common/templates/package_vars_wrong_format_msg.j2 @@ -0,0 +1,4 @@ +The following variables must be formatted as dicts: + {{ package_vars_wrong_format | to_nice_yaml | indent(2) }} + +See: https://github.com/roots/trellis/pull/881 diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 3af663a73e..36a66609a7 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -1,9 +1,9 @@ --- - name: ensure fail2ban is installed apt: - pkg: fail2ban - state: latest - update_cache: true + name: fail2ban + state: "{{ fail2ban_package_state | default(apt_security_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" notify: - restart fail2ban diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index b5d691868b..a84357dc08 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -8,9 +8,9 @@ - name: ensure ferm is installed apt: - pkg: ferm - state: latest - update_cache: true + name: ferm + state: "{{ ferm_package_state | default(apt_security_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" install_recommends: no notify: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 5e998fde95..c19e9e4472 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
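Review bot: `fail2ban_package_state | default(apt_security_package_state)` makes the override discoverable only by reading the task; nothing in roles/fail2ban/defaults declares it, unlike the sshd, memcached and php roles whose state lives in a defaults dict. Declaring `fail2ban_package_state: "{{ apt_security_package_state }}"` in the role defaults (and `ferm_package_state` likewise for ferm) keeps the roles consistent and lets the variable show up where users look. Since both packages sit in the hardening path, a one-line comment there noting that they intentionally track `latest` would also help.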
@@ -2,15 +2,17 @@ - name: Install MySQL client apt: name: mariadb-client - state: present - update_cache: true + state: "{{ mariadb_client_package_state | default(apt_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - block: - name: Install MySQL server apt: name: mariadb-server - state: present + state: "{{ mariadb_server_package_state | default(apt_package_state) }}" + update_cache: yes + cache_valid_time: "{{ apt_cache_valid_time }}" - name: Disable MariaDB binary logging template: diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml index f5baaece22..11403dc688 100644 --- a/roles/memcached/defaults/main.yml +++ b/roles/memcached/defaults/main.yml @@ -4,3 +4,10 @@ memcached_fs_file_max: 756024 memcached_listen_ip: 127.0.0.1 memcached_max_conn: 1024 memcached_port: 11211 + +memcached_packages_default: + memcached: "{{ apt_package_state }}" + php-memcached: "{{ apt_package_state }}" + +memcached_packages_custom: {} +memcached_packages: "{{ memcached_packages_default | combine(memcached_packages_custom) }}" diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 2e2c5dff41..398866d5aa 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -1,13 +1,11 @@ --- - name: Install memcached apt: - name: "{{ item }}" - state: present + name: "{{ item.key }}" + state: "{{ item.value }}" update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - with_items: - - memcached - - php-memcached + with_dict: "{{ memcached_packages }}" - name: Copy the client configuration file template: diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index b042455fa0..83a3cff231 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -7,8 +7,9 @@ - name: Install Nginx apt: name: "{{ nginx_package }}" - state: present - force: yes + state: "{{ nginx_package_state | default(apt_package_state) }}" + update_cache: yes + cache_valid_time: "{{ apt_cache_valid_time }}" - name: Create SSL directory file: diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 518b6491b1..129bb128f5 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -2,22 +2,22 @@ disable_default_pool: true memcached_sessions: false php_extensions_default: - - php7.1-cli - - php7.1-common - - php7.1-curl - - php7.1-dev - - php7.1-fpm - - php7.1-gd - - php7.1-mbstring - - php7.1-mcrypt - - php7.1-mysql - - php7.1-opcache - - php7.1-xml - - php7.1-xmlrpc - - php7.1-zip + php7.1-cli: "{{ apt_package_state }}" + php7.1-common: "{{ apt_package_state }}" + php7.1-curl: "{{ apt_package_state }}" + php7.1-dev: "{{ apt_package_state }}" + php7.1-fpm: "{{ apt_package_state }}" + php7.1-gd: "{{ apt_package_state }}" + php7.1-mbstring: "{{ apt_package_state }}" + php7.1-mcrypt: "{{ apt_package_state }}" + php7.1-mysql: "{{ apt_package_state }}" + php7.1-opcache: "{{ apt_package_state }}" + php7.1-xml: "{{ apt_package_state }}" + php7.1-xmlrpc: "{{ apt_package_state }}" + php7.1-zip: "{{ apt_package_state }}" -php_extensions_custom: [] -php_extensions: "{{ php_extensions_default + php_extensions_custom }}" +php_extensions_custom: {} +php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" php_error_reporting: 'E_ALL & ~E_DEPRECATED & ~E_STRICT' php_display_errors: 'Off' diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index c88a1f10a2..0fe9f57f2d 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
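Review bot: The change from a list to a `combine`d dict alters how a default extension is dropped, and nothing documents it: a key in `php_extensions_custom` now overrides the default's state, so `php7.1-dev: absent` removes the package rather than adding anything. That is worth spelling out because `php7.1-dev` (together with `build-essential` from the common role) puts a compiler toolchain on production hosts that only pecl builds would need. A comment above `php_extensions_custom: {}` such as `# a key matching a default overrides its state, e.g. php7.1-dev: absent` would make the mechanism visible; whether -dev is required elsewhere in this role is not visible here.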
@@ -6,10 +6,11 @@ - name: Install PHP 7.1 apt: - name: "{{ item }}" - state: present - force: yes - with_items: "{{ php_extensions }}" + name: "{{ item.key }}" + state: "{{ item.value }}" + update_cache: yes + cache_valid_time: "{{ apt_cache_valid_time }}" + with_dict: "{{ php_extensions }}" - name: Start php7.1-fpm service service: diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 205420642a..deedd28e00 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -90,3 +90,10 @@ ssh_send_env: [] ssh_strict_host_key_checking: ask ssh_use_roaming: false + +sshd_packages_default: + openssh-server: "{{ apt_security_package_state }}" + openssh-client: "{{ apt_security_package_state }}" + +sshd_packages_custom: {} +sshd_packages: "{{ sshd_packages_default | combine(sshd_packages_custom) }}" diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 3fa0bcb6c8..985ccff86c 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -1,13 +1,11 @@ --- - name: Ensure latest SSH server and client are installed apt: - pkg: "{{ item }}" - state: latest - update_cache: true + name: "{{ item.key }}" + state: "{{ item.value }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - with_items: - - openssh-server - - openssh-client + with_dict: "{{ sshd_packages }}" notify: restart ssh - name: Create a secure sshd_config diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 140402f1cf..0de14ea431 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -2,8 +2,8 @@ - name: Install ssmtp apt: name: ssmtp - state: present - update_cache: true + state: "{{ ssmtp_package_state | default(apt_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: ssmtp configuration diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 00fc2290a3..4351c026eb 100644 --- a/roles/xdebug/tasks/main.yml 
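Review bot: The sshd task keeps the name `Ensure latest SSH server and client are installed`, but its state now comes from `item.value`, which `sshd_packages_custom` can set to `present` or even `absent`; the name should follow the behaviour, e.g. `- name: Install SSH server and client packages`. Because `combine` lets a custom entry override `openssh-server`, an `absent` there would uninstall sshd on the very host the play is connected through; a preceding `fail` task with `when: sshd_packages['openssh-server'] | default('present') == 'absent'` is a cheap guard against locking yourself out. `notify: restart ssh` is context and unchanged.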
+++ b/roles/xdebug/tasks/main.yml @@ -3,8 +3,8 @@ - name: Install Xdebug apt: name: php-xdebug - state: latest - update_cache: true + state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: Template the Xdebug configuration file From 38e03fb708dd3cc7bc430c2cf37d3922076283d1 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 1 Oct 2017 11:04:39 +0800 Subject: [PATCH 002/663] Remove `update_cache` parameter from `apt` tasks Ansible 2.4 implicitly sets `update_cache` when `cache_valid_time` is defined. --- roles/common/tasks/main.yml | 1 - roles/fail2ban/tasks/main.yml | 1 - roles/ferm/tasks/main.yml | 1 - roles/mariadb/tasks/main.yml | 2 -- roles/memcached/tasks/main.yml | 1 - roles/nginx/tasks/main.yml | 1 - roles/php/tasks/main.yml | 1 - roles/sshd/tasks/main.yml | 1 - roles/ssmtp/tasks/main.yml | 1 - roles/xdebug/tasks/main.yml | 1 - 10 files changed, 11 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 072414cf12..0c675079c6 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -93,7 +93,6 @@ apt: name: "{{ item.key }}" state: "{{ item.value }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ apt_packages }}" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 36a66609a7..e2d9125d0d 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: fail2ban state: "{{ fail2ban_package_state | default(apt_security_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" notify: - restart fail2ban diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index a84357dc08..9ceca90cab 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml 
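Review bot: Dropping `update_cache: yes` in `Checking essentials` (and the sibling hunks) silently couples every apt task to the Ansible 2.4 rule that `cache_valid_time` implies a cache refresh; on an older controller the tasks would still pass, but `state: latest` packages such as openssh would be resolved against a stale index and miss security updates. `version.py` pins `version_requirement = '2.4.0.0'` later in this series, so the assumption holds today, but it deserves to be written down next to the variable it depends on: `# cache_valid_time implies update_cache on Ansible >= 2.4 (see lib/trellis/plugins/vars/version.py)` above `apt_cache_valid_time` in group_vars/all/main.yml.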
@@ -10,7 +10,6 @@ apt: name: ferm state: "{{ ferm_package_state | default(apt_security_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" install_recommends: no notify: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index c19e9e4472..558ead5414 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: mariadb-client state: "{{ mariadb_client_package_state | default(apt_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - block: @@ -11,7 +10,6 @@ apt: name: mariadb-server state: "{{ mariadb_server_package_state | default(apt_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: Disable MariaDB binary logging diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 398866d5aa..dc62343926 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: "{{ item.key }}" state: "{{ item.value }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ memcached_packages }}" diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 83a3cff231..bb229149a3 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -8,7 +8,6 @@ apt: name: "{{ nginx_package }}" state: "{{ nginx_package_state | default(apt_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: Create SSL directory diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 0fe9f57f2d..c0c14d9794 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -8,7 +8,6 @@ apt: name: "{{ item.key }}" state: "{{ item.value }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 985ccff86c..acabc23938 100644 
--- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: "{{ item.key }}" state: "{{ item.value }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ sshd_packages }}" notify: restart ssh diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 0de14ea431..9499fd5d8a 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: ssmtp state: "{{ ssmtp_package_state | default(apt_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: ssmtp configuration diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 4351c026eb..d55c8745dd 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -4,7 +4,6 @@ apt: name: php-xdebug state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: Template the Xdebug configuration file From ed2f00026241248eedf75fc168c0cb6f55e1d699 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 1 Oct 2017 11:12:35 +0800 Subject: [PATCH 003/663] Extract package names from `apt` tasks into variables --- roles/fail2ban/defaults/main.yml | 2 ++ roles/fail2ban/tasks/main.yml | 2 +- roles/ferm/defaults/main.yml | 2 ++ roles/ferm/tasks/main.yml | 2 +- roles/mariadb/defaults/main.yml | 3 +++ roles/mariadb/tasks/main.yml | 4 ++-- roles/ssmtp/defaults/main.yml | 1 + roles/ssmtp/tasks/main.yml | 2 +- roles/xdebug/defaults/main.yml | 2 ++ roles/xdebug/tasks/main.yml | 2 +- 10 files changed, 16 insertions(+), 6 deletions(-) diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index e75e2b194d..473ae8a0d5 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml 
@@ -1,4 +1,6 @@ --- +fail2ban_package: fail2ban + fail2ban_loglevel: INFO fail2ban_logtarget: /var/log/fail2ban.log fail2ban_socket: /var/run/fail2ban/fail2ban.sock diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index e2d9125d0d..dcc6adc5ab 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: ensure fail2ban is installed apt: - name: fail2ban + name: "{{ fail2ban_package }}" state: "{{ fail2ban_package_state | default(apt_security_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" notify: diff --git a/roles/ferm/defaults/main.yml b/roles/ferm/defaults/main.yml index edda2d9a98..17f623b5d0 100644 --- a/roles/ferm/defaults/main.yml +++ b/roles/ferm/defaults/main.yml @@ -1,4 +1,6 @@ --- +ferm_package: ferm + ferm_enabled: true ferm_limit_portscans: false diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index 9ceca90cab..63b0b0a4d0 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -8,7 +8,7 @@ - name: ensure ferm is installed apt: - name: ferm + name: "{{ ferm_package }}" state: "{{ ferm_package_state | default(apt_security_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" install_recommends: no diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 95ad282f0c..9bbea9848e 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,3 +1,6 @@ +mariadb_client_package: mariadb-client +mariadb_server_package: mariadb-server + mysql_binary_logging_disabled: true mysql_root_user: root diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 558ead5414..84c8c45788 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
@@ -1,14 +1,14 @@ --- - name: Install MySQL client apt: - name: mariadb-client + name: "{{ mariadb_client_package }}" state: "{{ mariadb_client_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" - block: - name: Install MySQL server apt: - name: mariadb-server + name: "{{ mariadb_server_package }}" state: "{{ mariadb_server_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" diff --git a/roles/ssmtp/defaults/main.yml b/roles/ssmtp/defaults/main.yml index d373337628..2c684dbacf 100644 --- a/roles/ssmtp/defaults/main.yml +++ b/roles/ssmtp/defaults/main.yml @@ -1,3 +1,4 @@ +ssmtp_package: ssmtp ssmtp_auth_method: LOGIN ssmtp_from_override: 'Yes' ssmtp_start_tls: 'Yes' diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 9499fd5d8a..910451621a 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install ssmtp apt: - name: ssmtp + name: "{{ ssmtp_package }}" state: "{{ ssmtp_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index 334b958b8c..b210759a30 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,3 +1,5 @@ +php_xdebug_package: php-xdebug + # XDebug Remote Debugging xdebug_remote_enable: 0 xdebug_remote_connect_back: 0 diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index d55c8745dd..1a3061426c 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -2,7 +2,7 @@ - block: - name: Install Xdebug apt: - name: php-xdebug + name: "{{ php_xdebug_package }}" state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" From 950fd7e637d50a052dc9b79908fc2540e27bf5c5 Mon Sep 17 00:00:00 2001 
From: Tang Rufus Date: Mon, 25 Sep 2017 07:42:35 +0800 Subject: [PATCH 004/663] Vagrant: Use DHCP by default --- CHANGELOG.md | 1 + vagrant.default.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 578361c15e..9b091aacbd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Vagrant: Use DHCP by default ([#898](https://github.com/roots/trellis/pull/898)) * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) diff --git a/vagrant.default.yml b/vagrant.default.yml index 53a06b2716..af3ba97089 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -1,5 +1,5 @@ --- -vagrant_ip: '192.168.50.5' +vagrant_ip: dhcp vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' From a70566dcbef1b34057599cec6233abe261767143 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 4 Oct 2017 20:01:43 -0400 Subject: [PATCH 005/663] Revert "Vagrant: Use DHCP by default" --- CHANGELOG.md | 1 - vagrant.default.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b091aacbd..578361c15e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,4 @@ ### HEAD -* Vagrant: Use DHCP by default ([#898](https://github.com/roots/trellis/pull/898)) * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) diff --git a/vagrant.default.yml b/vagrant.default.yml index af3ba97089..53a06b2716 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml 
@@ -1,5 +1,5 @@ --- -vagrant_ip: dhcp +vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' From d603d4540d15e7684f854863f0d0d8bfe4b47639 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sun, 8 Oct 2017 12:37:23 -0600 Subject: [PATCH 006/663] Update placeholder deploy_build_before hook example [ci skip] --- deploy-hooks/build-before.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 44cce03693..6c483c3f75 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -1,11 +1,14 @@ -# Placeholder `deploy_build_before` hook for building theme assets locally -# and then copying the files to the remote server +# Placeholder `deploy_build_before` hook for building theme assets on the +# host machine and then copying the files to the remote server +# +# ⚠️ This example assumes your theme is using Sage 9 +# An example for themes built with Sage 8 can be found at: https://git.io/vdgUt # # Uncomment the lines below and replace `sage` with your theme folder # # --- -# - name: Run yarn install -# command: yarn install +# - name: Install npm dependencies +# command: yarn # connection: local # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" @@ -21,7 +24,7 @@ # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" # -# - name: Copy project local files +# - name: Copy production assets # synchronize: # src: "{{ project_local_path }}/web/app/themes/sage/dist" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" From 0e9e1c51b348a9856186238775341a7b440abf85 Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Tue, 17 Oct 2017 11:05:12 -0300 Subject: [PATCH 007/663] Update wp-cli to 1.4.0. --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 578361c15e..93d73c902f 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906)) * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 8d70ab8527..12217328ac 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.3.0 +wp_cli_version: 1.4.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From fb039a193f51cadf607d1badbc09078efa199f63 Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Tue, 17 Oct 2017 14:57:59 -0300 Subject: [PATCH 008/663] Clarify DB task name. --- roles/wordpress-setup/tasks/database.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index bde2f14f30..61c74a5475 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -1,6 +1,6 @@ --- - block: - - name: Create database of sites + - name: Create databases for sites mysql_db: name: "{{ site_env.db_name }}" state: present From 1049fe8000e4d69ac07debf479cba894916c3623 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 29 Oct 2017 18:05:49 -0600 Subject: [PATCH 009/663] Bump Ansible version_tested_max to 2.4.1.0 (#911) --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- vagrant.default.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 93d73c902f..5271f18bd9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911)) * Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906)) * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index fd6c7b4d4c..5e05494612 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -14,7 +14,7 @@ display = Display() version_requirement = '2.4.0.0' -version_tested_max = '2.4.0.0' +version_tested_max = '2.4.1.0' if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' diff --git a/vagrant.default.yml b/vagrant.default.yml index 53a06b2716..dd6baa3a77 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '<= 2.3.8' -vagrant_ansible_version: '2.4.0' +vagrant_ansible_version: '2.4.1.0' vagrant_skip_galaxy: false vagrant_install_plugins: true From dd4f154fb5901f0b928ca7c2544a0a968ebb396c Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 29 Oct 2017 19:23:24 -0600 Subject: [PATCH 010/663] Dynamically increase ansible_group_priority for selected env (#909) Otherwise when a host is in both the production and staging groups, Ansible will always use the staging group vars, even if a user specifies `-e env=production`. Without a differing ansible_group_priority, Ansible loads sibling groups in alphabetical order and variables from the last group loaded win out. --- CHANGELOG.md | 1 + lib/trellis/plugins/callback/vars.py | 5 +++++ 2 files changed, 6 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5271f18bd9..7e565cd8c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909))
 * Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911))
 * Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906))
 * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881))
diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py
index 42942bdca1..98773de710 100644
--- a/lib/trellis/plugins/callback/vars.py
+++ b/lib/trellis/plugins/callback/vars.py
@@ -89,6 +89,11 @@ def darwin_without_passlib(self):
 return True
 def v2_playbook_on_play_start(self, play):
+ env = play.get_variable_manager().get_vars(play=play).get('env', '')
+ env_group = next((group for key,group in play.get_variable_manager()._inventory.groups.iteritems() if key == env), False)
+ if env_group:
+ env_group.set_priority(20)
+
 for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]):
 hostvars = play.get_variable_manager().get_vars(play=play, host=host)
 self.raw_vars(play, host, hostvars)
From fb000df729ff9843a2d88550bed255405bd46867 Mon Sep 17 00:00:00 2001
From: Mockey
Date: Tue, 31 Oct 2017 16:31:54 +0100
Subject: [PATCH 011/663] Update vagrant_box_version to current release
---
 vagrant.default.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vagrant.default.yml b/vagrant.default.yml
index dd6baa3a77..e8fe2f441b 100644
--- a/vagrant.default.yml
+++ b/vagrant.default.yml
@@ -3,7 +3,7 @@ vagrant_ip: '192.168.50.5'
 vagrant_cpus: 1
 vagrant_memory: 1024 # in MB
 vagrant_box: 'bento/ubuntu-16.04'
-vagrant_box_version: '<= 2.3.8'
+vagrant_box_version: '<= 201710.25.0'
 vagrant_ansible_version: '2.4.1.0'
 vagrant_skip_galaxy: false
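Review bot: `play.get_variable_manager()._inventory.groups.iteritems()` is a Python 2-only dict method, while this file already imports `iteritems` from `ansible.module_utils.six` for exactly that case; and since `groups` is a dict keyed by group name, the generator plus `next(..., False)` is just a lookup: `env_group = play.get_variable_manager()._inventory.groups.get(env)` followed by the existing `if env_group:` / `env_group.set_priority(20)` does the same on both interpreters. The hard-coded priority 20 only wins if no user-defined group sets a higher `ansible_group_priority`, which a short comment on the `set_priority` line should state, and `_inventory` is a private attribute that upstream may rename. `v2_playbook_on_play_start` continues outside the hunk.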
From f6c7d575936cbe1601f93b3afa03f5effd2bfd35 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 3 Nov 2017 19:16:08 -0400 Subject: [PATCH 012/663] Enable ioapic --- CHANGELOG.md | 1 + Vagrantfile | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e565cd8c7..77c4064243 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913)) * Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909)) * Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911)) * Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906)) diff --git a/Vagrantfile b/Vagrantfile index f50dce7543..a568e0e67d 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -140,10 +140,11 @@ Vagrant.configure('2') do |config| vb.name = config.vm.hostname vb.customize ['modifyvm', :id, '--cpus', vconfig.fetch('vagrant_cpus')] vb.customize ['modifyvm', :id, '--memory', vconfig.fetch('vagrant_memory')] + vb.customize ['modifyvm', :id, '--ioapic', vconfig.fetch('vagrant_ioapic', 'on')] # Fix for slow external network connections - vb.customize ['modifyvm', :id, '--natdnshostresolver1', 'on'] - vb.customize ['modifyvm', :id, '--natdnsproxy1', 'on'] + vb.customize ['modifyvm', :id, '--natdnshostresolver1', vconfig.fetch('vagrant_natdnshostresolver', 'on')] + vb.customize ['modifyvm', :id, '--natdnsproxy1', vconfig.fetch('vagrant_natdnsproxy', 'on')] end # VMware Workstation/Fusion settings From 9d67ada3e4e9ababc08da9eeb5453ed6001f540c Mon Sep 17 00:00:00 2001 
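Review bot: `vconfig.fetch('vagrant_ioapic', 'on')` and the two NAT DNS settings pass the YAML value to `VBoxManage modifyvm` unchanged, and VBoxManage only accepts `on`/`off`; a user who writes `vagrant_ioapic: on` unquoted in their vagrant config will get Ruby `true` (a YAML 1.1 boolean under Psych's defaults, assuming Vagrant loads the file that way), which VBoxManage rejects with an unhelpful error. Either coerce before passing, e.g. `ioapic = vconfig.fetch('vagrant_ioapic', 'on'); ioapic = {true => 'on', false => 'off'}.fetch(ioapic, ioapic)`, or document in vagrant.default.yml that these three keys must be quoted strings. The provider block continues outside the hunk.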
From: Phil Nelson Date: Mon, 6 Nov 2017 13:08:06 -0700 Subject: [PATCH 013/663] Fix raw_vars functionality for Ansible 2.4.1 (#915) In Ansible 2.4.1 only, the VariableManager get_vars() does not return group vars unless method parameters include a task object. Trellis raw_vars functionality did not pass a task and thus did not receive group vars and could not wrap the variable values in `{% raw %}`. Temporarily feed a dummy Task() to get_vars() as a temporary fix until the Trellis minimum Ansible requirement >= 2.4.2, when the issue should be resolved in upstream Ansible. --- CHANGELOG.md | 1 + lib/trellis/plugins/callback/vars.py | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 77c4064243..68ba61d4df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915)) * Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913)) * Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909)) * Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911)) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 98773de710..adcec79c37 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -10,6 +10,7 @@ from ansible.parsing.dataloader import DataLoader from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode from ansible.playbook.play_context import PlayContext +from ansible.playbook.task import Task from ansible.plugins.callback import CallbackBase from ansible.template import Templar 
@@ -95,7 +96,8 @@ def v2_playbook_on_play_start(self, play): env_group.set_priority(20) for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): - hostvars = play.get_variable_manager().get_vars(play=play, host=host) + # it should be ok to remove dummy Task() once minimum required Ansible >= 2.4.2 + hostvars = play.get_variable_manager().get_vars(play=play, host=host, task=Task()) self.raw_vars(play, host, hostvars) host.vars['ssh_args_default'] = PlayContext(play=play, options=self._options)._ssh_args.default host.vars['cli_options'] = self.cli_options() From c4706e0890b2cdd72a7ddb4467830b6d811dbb77 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 12 Nov 2017 11:57:08 -0700 Subject: [PATCH 014/663] Remove outdated to_unicode import from plugin utils (#916) The to_unicode method as fallback is no longer needed. Ansible 2.2 deprecated to_unicode in favor of to_text. The to_text method has been available since 2.2 and Trellis now requires 2.4+. --- lib/trellis/utils/output.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 7cd54ba5c8..dd68f1f5d0 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -8,12 +8,7 @@ import textwrap from ansible import __version__ - -# to_unicode will no longer be needed once Trellis requires Ansible >= 2.2 -try: - from ansible.module_utils._text import to_text -except ImportError: - from ansible.utils.unicode import to_unicode as to_text +from ansible.module_utils._text import to_text def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry From 2d53e818c9b05c631228d65b681eaa662448fdce Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Sun, 12 Nov 2017 11:59:05 -0700 Subject: [PATCH 015/663] Replace bare Dataloader() with pre-loaded play._loader (#917) The play._loader already exists. It is pre-loaded with play._loader._vault.secrets, play._loader.FILE_CACHE, etc. There's little point in creating a fresh Dataloader() and having to process or load it up. --- lib/trellis/plugins/callback/vars.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index adcec79c37..c0742ca2a3 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -7,7 +7,6 @@ from __main__ import cli from ansible.module_utils.six import iteritems from ansible.errors import AnsibleError -from ansible.parsing.dataloader import DataLoader from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode from ansible.playbook.play_context import PlayContext from ansible.playbook.task import Task @@ -22,7 +21,6 @@ class CallbackModule(CallbackBase): CALLBACK_NAME = 'vars' def __init__(self): - self.loader = DataLoader() self._options = cli.options if cli else None def raw_triage(self, key_string, item, patterns): @@ -43,7 +41,7 @@ def raw_vars(self, play, host, hostvars): if 'raw_vars' not in hostvars: return - raw_vars = Templar(variables=hostvars, loader=self.loader).template(hostvars['raw_vars']) + raw_vars = Templar(variables=hostvars, loader=play._loader).template(hostvars['raw_vars']) if not isinstance(raw_vars, list): raise AnsibleError('The `raw_vars` variable must be defined as a list.') From 112a88717c9ac82e87531a55242156d47f279501 Mon Sep 17 00:00:00 2001 
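Review bot: The rewritten `Templar(...)` line in `raw_vars` now reaches into `play._loader`, an underscore-private attribute of the Play object, whereas the removed `DataLoader()` used a public constructor; this couples the callback to Ansible internals that may change between the 2.4.x releases the plugin supports. The reason given in the commit message (reuse the already-loaded vault secrets and file cache) is not visible at the call site, so record it: `# play._loader already carries the vault secrets and file cache; a fresh DataLoader() would not`. If the supported Ansible versions expose `play.get_loader()`, prefer that accessor over the private attribute. `raw_vars` continues outside the hunk.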
From: Phil Nelson Date: Sun, 12 Nov 2017 12:57:35 -0700 Subject: [PATCH 016/663] Disallow duplicate site keys within a host's wordpress_sites (#910) If a user loads both staging and production sites on a single host, site keys must differ between environments to prevent conflict that would otherwise occur in resources built from site keys (e.g., Nginx conf filepaths). --- CHANGELOG.md | 1 + roles/common/defaults/main.yml | 20 ++++++++++++++++++++ roles/common/tasks/main.yml | 22 ++++++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68ba61d4df..625d40f306 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910)) * Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915)) * Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913)) * Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909)) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 3ec83ee973..5e92f1487f 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
@@ -1,5 +1,25 @@ ntp_timezone: Etc/UTC +env_groups: "{{ ['development', 'staging', 'production'] | intersect(group_names) }}" + +envs_with_wp_sites: "{{ + lookup('filetree', playbook_dir + '/group_vars') | + selectattr('path', 'match', '(' + env_groups | join('|') + ')/wordpress_sites\\.yml$') | + map(attribute='path') | map('regex_replace', '([^/]*)/.*', '\\1') | list +}}" + +site_keys_by_env_pair: "[ + {% for env_pair in envs_with_wp_sites | combinations(2) | list %} + { + 'env_pair': {{ env_pair }}, + 'site_keys': {{ + (vars[env_pair[0] + '_sites'].wordpress_sites | default({})).keys() | intersect( + (vars[env_pair[1] + '_sites'].wordpress_sites | default({})).keys()) + }} + }, + {% endfor %} +]" + apt_packages_default: python-software-properties: "{{ apt_package_state }}" python-pycurl: "{{ apt_package_state }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 0c675079c6..7248ce50da 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,4 +1,26 @@ --- +- block: + - name: Load wordpress_sites.yml vars into _sites vars + include_vars: + file: group_vars/{{ item }}/wordpress_sites.yml + name: "{{ item }}_sites" + with_items: "{{ envs_with_wp_sites }}" + when: envs_with_wp_sites | count > 1 + + - name: Fail if there are duplicate site keys within host's wordpress_sites + fail: + msg: > + If you put multiple environments on `{{ inventory_hostname }}`, `wordpress_sites` + must use different site keys per environment. Adjust the following site keys that + are duplicated between the `{{ item.env_pair | join('` and `') }}` groups: + {{ item.site_keys | to_nice_yaml | indent(2) }} + when: item.site_keys | count + with_items: "{{ site_keys_by_env_pair }}" + + when: + - env_groups | count > 1 + - validate_site_keys | default(true) | bool + - name: Validate wordpress_sites fail: msg: "{{ lookup('template', 'wordpress_sites.j2') }}" From af9f63571494a16e6039f6889c6e45845552a67b Mon Sep 17 00:00:00 2001 
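Review bot: `validate_site_keys` is introduced in the block's `when:` of roles/common/tasks/main.yml as a user-facing escape hatch, but it is defined in neither the sibling defaults hunk nor mentioned in the CHANGELOG entry, so the only way to learn it exists is to read this task. Add `validate_site_keys: true` to roles/common/defaults/main.yml with a comment stating that it disables the duplicate-site-key check when several environments share a host, and keep the `| default(true)` here for users with older defaults. The templated `name: "{{ item }}_sites"` on `include_vars` also registers host variables such as `staging_sites` that persist for the rest of the play; a comment marking them as working variables for this check would prevent a later collision with a user-defined name of the same form. In the defaults hunk, `envs_with_wp_sites` runs `lookup('filetree', ...)` on the controller and, since variables are templated lazily, presumably re-runs it on every reference; a one-line comment saying the lookup is controller-side and cheap would save the next reader that question.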
From: Ned Zimmerman Date: Mon, 13 Nov 2017 14:14:53 -0400 Subject: [PATCH 017/663] Update to WP-CLI 1.4.1. --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 625d40f306..b22a7fb6f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 1.4.1 ([#918](https://github.com/roots/trellis/pull/918)) * Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910)) * Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915)) * Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 12217328ac..fcc8ab74d9 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.4.0 +wp_cli_version: 1.4.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From f759a11738a0f490ad52a04a8cd32dbd98ee73db Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 13 Nov 2017 20:10:11 -0500 Subject: [PATCH 018/663] 1.0.0-rc.2 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b22a7fb6f8..9a7cbb4d21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -### HEAD +### 1.0.0-rc.2: November 13th, 2017 * Update wp-cli to 1.4.1 ([#918](https://github.com/roots/trellis/pull/918)) * Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910)) * Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915)) 
From 5199022f772a729e79aa6838cddf1af3ff790579 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 13 Nov 2017 18:53:26 -0700 Subject: [PATCH 019/663] Enable select deploy configs to optionally vary by site (#919) --- roles/deploy/hooks/finalize-after.yml | 4 ++-- roles/deploy/hooks/finalize-before.yml | 2 +- roles/deploy/tasks/build.yml | 4 ++-- roles/deploy/tasks/share.yml | 12 ++++++------ roles/deploy/tasks/update.yml | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index d60809d0da..987ac2a6c5 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -6,7 +6,7 @@ chdir: "{{ deploy_helper.current_path }}" register: site_transient_theme_roots changed_when: site_transient_theme_roots.stdout != '' - when: update_wp_theme_paths | default(true) | bool + when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool - name: Update WP theme paths command: > @@ -15,7 +15,7 @@ {% if project.multisite.enabled | default(false) %} --url={{ item[1].split(' ')[0] }}{% endif %} args: chdir: "{{ deploy_helper.current_path }}" - when: update_wp_theme_paths | default(true) | bool + when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool with_subelements: - "[{% for result in wp_template_root.results %}{'option': '{{ result.item }}', 'stdout_lines': {{ result.stdout_lines | default ([]) | select('search', deploy_helper.releases_path) | list }}},{% endfor %}]" - stdout_lines diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index ec40bc9ee2..d3fed2b46a 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
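Review bot: The per-site override keys this patch introduces are not documented anywhere in it — there is no CHANGELOG entry and no example in a defaults file — so `project.update_wp_theme_paths` in both finalize-after.yml hunks and finalize-before.yml, `project.project_templates` and `project.project_copy_folders` in build.yml, `project.project_shared_children` in share.yml and `project.repo_accept_hostkey` in update.yml are only discoverable by reading the tasks. A short block in the deploy role's defaults listing each key with the text "may also be set per site under `wordpress_sites.<site>`" would cover all of them. Worth stating there as well that `project.X | default(X)` only falls back when the site key is absent, so an explicit per-site `[]` is honored rather than merged with the global list. The tasks these hunks modify start outside the hunks.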
@@ -26,7 +26,7 @@ failed_when: wp_template_root.stderr | default('') != '' when: - wp_installed.rc == 0 - - update_wp_theme_paths | default(true) | bool + - project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool with_items: - template_root - stylesheet_root diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index c7cf9be7d2..0151fc0d8c 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -10,13 +10,13 @@ src: "{{ item.src }}" dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}" mode: "{{ item.mode | default('0644') }}" - with_items: "{{ project_templates }}" + with_items: "{{ project.project_templates | default(project_templates) }}" - name: Check if project folders exist stat: path: "{{ deploy_helper.current_path }}/{{ item }}" register: project_folder_paths - with_items: "{{ project_copy_folders }}" + with_items: "{{ project.project_copy_folders | default(project_copy_folders) }}" - name: Copy project folders command: cp -rp {{ deploy_helper.current_path }}/{{ item.item }} {{ deploy_helper.new_release_path }} diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 0537a8887f..294c05d4b9 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -10,7 +10,7 @@ path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: directory mode: "{{ item.mode | default('0755') }}" - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'directory' - name: Ensure shared sources are present -- files' parent directories 
@@ -18,7 +18,7 @@ path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}" state: directory mode: '0755' - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' - name: Ensure shared sources are present -- files @@ -26,27 +26,27 @@ path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: touch mode: "{{ item.mode | default('0644') }}" - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" state: directory - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" - name: Ensure shared paths are absent file: path: "{{ deploy_helper.new_release_path }}/{{ item.path }}" state: absent - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" - name: Create shared symlinks file: path: "{{ deploy_helper.new_release_path }}/{{ item.path }}" src: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: link - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" - include_tasks: "{{ include_path }}" with_items: "{{ deploy_share_after | default([]) }}" diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 1be9bc1ff8..672784b3f8 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml 
@@ -37,7 +37,7 @@ repo: "{{ project_git_repo }}" dest: "{{ project_source_path }}" version: "{{ project_version }}" - accept_hostkey: "{{ repo_accept_hostkey | default(true) }}" + accept_hostkey: "{{ project.repo_accept_hostkey | default(repo_accept_hostkey | default(true)) }}" ignore_errors: true no_log: true register: git_clone From 9a41f2d8894de094a0a718846edec401d71d2440 Mon Sep 17 00:00:00 2001 From: "Michael W. Delaney" Date: Wed, 15 Nov 2017 07:51:32 -0500 Subject: [PATCH 020/663] Update acme-tiny commit hash --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index b6ad540cc5..2bd7b12805 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -4,7 +4,7 @@ missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr(' letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' -acme_tiny_commit: '5a7b4e79bc9bd5b51739c0d8aaf644f62cc440e6' +acme_tiny_commit: '4ed13950c0a9cf61f1ca81ff1874cde1cf48ab32' acme_tiny_software_directory: /usr/local/letsencrypt acme_tiny_data_directory: /var/lib/letsencrypt From b99cde0bbcce48c8e85175652e5a12a276aa867b Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 18 Nov 2017 12:34:09 -0700 Subject: [PATCH 021/663] Close #580 - Switch from .dev to .test --- CHANGELOG.md | 3 +++ group_vars/development/wordpress_sites.yml | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a7cbb4d21..63f569d852 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
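Review bot: The new per-site `accept_hostkey` expression still resolves to `true` when neither `project.repo_accept_hostkey` nor `repo_accept_hostkey` is set, so a first clone of a site's repository silently trusts whatever SSH host key the Git server presents; that default is where an interposed server at first contact would go unnoticed, and nothing in this hunk changes it. Since the override is now per site, document next to the new key (in the deploy role defaults) that setting `repo_accept_hostkey: false` for a site requires the Git host's key to be present in the deploy user's `known_hosts` before the deploy runs, and that the per-site value takes precedence over the global one. A comment on this line, `# defaults to true: first clone auto-trusts the repo host key; set false once known_hosts is seeded`, would make the trade-off visible. The `git` task starts outside the hunk.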
@@ -1,3 +1,6 @@ +### HEAD +* Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923)) + ### 1.0.0-rc.2: November 13th, 2017 * Update wp-cli to 1.4.1 ([#918](https://github.com/roots/trellis/pull/918)) * Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910)) diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml index 5153ccc612..90009265e2 100644 --- a/group_vars/development/wordpress_sites.yml +++ b/group_vars/development/wordpress_sites.yml @@ -5,11 +5,11 @@ wordpress_sites: example.com: site_hosts: - - canonical: example.dev + - canonical: example.test redirects: - - www.example.dev + - www.example.test local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root) - admin_email: admin@example.dev + admin_email: admin@example.test multisite: enabled: false ssl: From 4a82898d905e20cc6fd89d8817f5e44707fe467b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 18 Nov 2017 18:17:16 -0700 Subject: [PATCH 022/663] Expose the deploy_helper keep_releases option (#922) The default keep_releases = 5 may not fit all users. --- roles/deploy/tasks/finalize.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index 996873919d..7ec6e32944 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml @@ -11,6 +11,7 @@ path: "{{ project_root }}" release: "{{ deploy_helper.new_release }}" state: finalize + keep_releases: "{{ project.deploy_keep_releases | default(deploy_keep_releases | default(omit)) }}" - include_tasks: "{{ include_path }}" with_items: "{{ deploy_finalize_after | default([]) }}" From 34f17182929ca4bdc55421ff1556c115238be24a Mon Sep 17 00:00:00 2001 
From: Ben Word Date: Mon, 27 Nov 2017 17:03:44 -0700 Subject: [PATCH 023/663] Add Code of Conduct [ci skip] --- CODE_OF_CONDUCT.md | 74 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 CODE_OF_CONDUCT.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000..f663c4792c --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,74 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or + advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at team@roots.io. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html + +[homepage]: https://www.contributor-covenant.org + From e0fee339fd72123b7e7accab4a2367de895995a1 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 29 Nov 2017 09:22:17 -0700 Subject: [PATCH 024/663] Remove cron_file if WP system cron disabled (#927) If a cron_file has already been created but then a user sets `multisite.cron: false`, these cron tasks should not skip. Rather, they should run with the parameter `state: absent` in order to remove the cron_file. --- roles/wordpress-setup/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 732d95e383..87400fc68c 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -49,8 +49,8 @@ user: "{{ web_user }}" job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" + state: "{{ (cron_enabled and not item.value.multisite.enabled) | ternary('present', 'absent') }}" with_dict: "{{ wordpress_sites }}" - when: cron_enabled and not item.value.multisite.enabled - name: Setup WP Multisite system cron cron: @@ -59,5 +59,5 @@ user: "{{ web_user }}" job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" + state: "{{ (cron_enabled and item.value.multisite.enabled) | ternary('present', 'absent') }}" with_dict: "{{ wordpress_sites }}" - when: cron_enabled and item.value.multisite.enabled From 9d1bdade43674d84051471fffd427d0ccda1ab92 Mon Sep 17 00:00:00 2001 From: Patrick Artounian Date: Tue, 28 Nov 2017 08:43:27 -0800 Subject: [PATCH 025/663] Add MariaDB 10.2 PPA --- CHANGELOG.md | 1 + roles/mariadb/defaults/main.yml | 4 ++++ roles/mariadb/tasks/main.yml | 11 +++++++++++ 3 files changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63f569d852..3b6e8f6d19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add MariaDB 10.2 PPA ([#926](https://github.com/roots/trellis/pull/926)) * Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923)) ### 1.0.0-rc.2: November 13th, 2017 diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 9bbea9848e..fbb1a13579 100644 --- a/roles/mariadb/defaults/main.yml 
+++ b/roles/mariadb/defaults/main.yml @@ -1,3 +1,7 @@ +mariadb_keyserver: keyserver.ubuntu.com +mariadb_keyserver_id: "0xF1656F24C74CD1D8" +mariadb_ppa: "deb [arch=amd64,i386,ppc64el] http://ftp.osuosl.org/pub/mariadb/repo/10.2/ubuntu xenial main" + mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 84c8c45788..f4e21e561e 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -1,4 +1,15 @@ --- +- block: + - name: Add MariaDB APT key + apt_key: + keyserver: "{{ mariadb_keyserver }}" + id: "{{ mariadb_keyserver_id }}" + + - name: Add MariaDB PPA + apt_repository: + repo: "{{ mariadb_ppa }}" + update_cache: yes + - name: Install MySQL client apt: name: "{{ mariadb_client_package }}" From 7d81e08d921768f5a0c39976be2105694db2ff0e Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 31 Dec 2017 12:31:38 -0700 Subject: [PATCH 026/663] Bump Ansible version_tested_max to 2.4.2.0 (#932) Callback events must interpret task status as `failed: true` based on the callback event type and not on any such status passed via the task `result`. --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- lib/trellis/utils/output.py | 7 +++---- vagrant.default.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b6e8f6d19..0cca88dc7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.4.2.0 ([#932](https://github.com/roots/trellis/pull/932)) * Add MariaDB 10.2 PPA ([#926](https://github.com/roots/trellis/pull/926)) * Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 5e05494612..273ae5f310 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
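Review bot: `mariadb_ppa` hard-codes the `xenial` suite, so the same role run on a later Ubuntu release would add a xenial repository without any error; the codename can come from facts instead: `mariadb_ppa: "deb [arch=amd64,i386,ppc64el] http://ftp.osuosl.org/pub/mariadb/repo/10.2/ubuntu {{ ansible_distribution_release }} main"`. The plain `http://` mirror is acceptable only because apt verifies the signed Release file against the key added in the tasks hunk, which makes that key the entire trust root for every MariaDB package; a one-line comment on `mariadb_ppa` saying so would stop a future reader from "fixing" it to an unrelated mirror without also checking the key.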
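Review bot: The `Add MariaDB APT key` task fetches the trust root for the repository from `keyserver.ubuntu.com` by a 16-hex-digit long key ID (`0xF1656F24C74CD1D8`) over the keyserver's default HKP transport, and nothing in the task pins more than that ID; the more robust form is the key's full 40-hex fingerprint in `mariadb_keyserver_id` (if MariaDB publishes it), or shipping the key in the role and using `apt_key`'s `data:`/`file:` parameters so no network fetch is part of the trust decision. Two smaller points in the same hunk: `update_cache: yes` should be `update_cache: true`, and the enclosing `block:` carries no `when:`, `become:` or `rescue:`, so it only adds indentation — drop it, or add the condition it was presumably meant to hold (the defaults hunk defines no toggle for it).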
@@ -14,7 +14,7 @@ display = Display() version_requirement = '2.4.0.0' -version_tested_max = '2.4.1.0' +version_tested_max = '2.4.2.0' if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index dd68f1f5d0..7d45369e76 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -62,10 +62,9 @@ def display(obj, result): display = obj._display.display wrap_width = 77 first = obj.first_host and obj.first_item - failed = result.get('failed', False) or result.get('unreachable', False) # Only display msg if debug module or if failed (some modules have undesired 'msg' on 'ok') - if 'msg' in result and (failed or obj.action == 'debug'): + if 'msg' in result and (obj.task_failed or obj.action == 'debug'): msg = result.pop('msg', '') # Disable Ansible's verbose setting for debug module to avoid the CallbackBase._dump_results() @@ -73,7 +72,7 @@ def display(obj, result): del result['_ansible_verbose_always'] # Display additional info when failed - if failed: + if obj.task_failed: items = (item for item in ['reason', 'module_stderr', 'module_stdout', 'stderr'] if item in result and to_text(result[item]) != '') for item in items: msg = result[item] if msg == '' else '\n'.join([msg, result.pop(item, '')]) @@ -106,7 +105,7 @@ def display(obj, result): else: if not first: display(hr, 'bright gray') - display(msg, 'red' if failed else 'bright purple') + display(msg, 'red' if obj.task_failed else 'bright purple') def display_host(obj, result): if 'results' not in result._result: diff --git a/vagrant.default.yml b/vagrant.default.yml index e8fe2f441b..bd79ec9bab 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml 
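Review bot: `display()` now reads `obj.task_failed` in its first, second and third hunks, but no file in this patch sets that attribute (the diffstat lists only the CHANGELOG, version.py, output.py and vagrant.default.yml), so unless the callback plugin already assigns it before calling `display()`, every call will raise `AttributeError` rather than fall through as the removed `result.get('failed', False)` did. If the attribute is set elsewhere, add a comment at the first use, `# task_failed is set by the callback plugin from the event type, not from result['failed']`, which also records the rationale given in the commit message. If it is not, a conservative read would be `getattr(obj, 'task_failed', False)` at the top of the function, with the three uses referring to that local. The remainder of `display()` lies outside the hunks.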
@@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '<= 201710.25.0' -vagrant_ansible_version: '2.4.1.0' +vagrant_ansible_version: '2.4.2.0' vagrant_skip_galaxy: false vagrant_install_plugins: true From 2d4093b900ab75b5a3a5b86597425dc67b4d8e2e Mon Sep 17 00:00:00 2001 From: Ben Martinez-Bateman Date: Thu, 11 Jan 2018 14:24:46 -0800 Subject: [PATCH 027/663] Allow Trellis VMs to be created/provisioned in Windows Subsystem for Linux. WSL does not support NFS, but Trellis's checks to determine whether or not to use NFS for Vagrant shares assume that NFS is supported if the operating system is not reported to be Windows. Unfortunately this means that it attempts to use NFS in WSL and consequently fails.. This change simply adds an additional check: If Vagrant believes that it is being run from WSL, it syncs folders without NFS (just as though it was running in Windows without `vagrant-winnfsd`). Note: This applies to Vagrant when it is run as a Linux executable through WSL, *not* when the Windows `vagrant.exe` is run from WSL. --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index a568e0e67d..c4e5ac8697 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -69,7 +69,7 @@ Vagrant.configure('2') do |config| bin_path = File.join(ANSIBLE_PATH_ON_VM, 'bin') - if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd' + if Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd') trellis_config.wordpress_sites.each_pair do |name, site| config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'] end From 6c5d37e264116b92b8d30584364bcbcb89b62fe7 Mon Sep 17 00:00:00 2001 
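Review bot: `Vagrant::Util::Platform.wsl?` is called unconditionally in the new condition while `Vagrant.require_version` in this file still pins `>= 1.8.5`, so on Vagrant releases that predate that method the Vagrantfile aborts with `NoMethodError` before any synced folder is configured; patch 029 later in this series raises the requirement to 2.0.1, but this commit on its own regresses older installs. If the lower requirement is to be kept, guard the call: `if (Vagrant::Util::Platform.respond_to?(:wsl?) && Vagrant::Util::Platform.wsl?) || (Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd')`. A comment above the line stating that WSL cannot mount NFS shares (the reason in the commit message) would also help, since the condition reads as a platform check rather than a capability check. The enclosing `Vagrant.configure` block starts and ends outside the hunk.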
From: Gorka Maiztegi Date: Fri, 12 Jan 2018 09:36:26 +0100 Subject: [PATCH 028/663] Support for IPv6 in Letsencrypt challenges When trying to validate the hostnames prior to the certificate generation process, it will fail if the IPv6 address is set for those hostnames and the server uses the protocol. This small fix should make this work. --- roles/letsencrypt/templates/nginx-challenge-site.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 b/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 index 2741378f79..ad476d9d3d 100644 --- a/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 +++ b/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 @@ -1,4 +1,5 @@ server { + listen [::]:80; listen 80; server_name {{ missing_hosts | join(' ') }}; include acme-challenge-location.conf; From 41064a2014120b72dbd7e83b90a996f90ed9f12b Mon Sep 17 00:00:00 2001 From: Ben Martinez-Bateman Date: Thu, 18 Jan 2018 20:37:00 -0800 Subject: [PATCH 029/663] Update Vagrant requirement to v2.0.1. This is necessary to support the changes introduced in commit 0015b95. Addressed on Discourse [here](https://discourse.roots.io/t/undefined-method-wsl/11351/4). --- README.md | 2 +- Vagrantfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 796f26f4d7..e1687f6d16 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ Full documentation is available at [https://roots.io/trellis/docs/](https://root Make sure all dependencies have been installed before moving on: * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -* [Vagrant](https://www.vagrantup.com/downloads.html) >= 1.8.5 +* [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.0.1 ## Installation diff --git a/Vagrantfile b/Vagrantfile index c4e5ac8697..a375341e4e 100644 --- a/Vagrantfile +++ b/Vagrantfile 
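Review bot: The added `listen [::]:80;` is unconditional, so on a host where IPv6 is disabled in the kernel or where nginx was built without it the challenge server block fails to bind and the whole nginx configuration test fails, taking certificate renewal down with it. If the nginx role's other site templates already gate their `[::]` listen on a variable, reuse that variable here; otherwise a short comment such as `# IPv6 listener required when the validated hostnames publish AAAA records` explains why the line exists. The `server` block continues outside the hunk.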
@@ -19,7 +19,7 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -Vagrant.require_version '>= 1.8.5' +Vagrant.require_version '>= 2.0.1' Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') From 3a6b64c8bced80d6dd308f6500f89a4a7ef059b3 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 19 Jan 2018 21:41:11 +0800 Subject: [PATCH 030/663] Update `vagrant_box_version` to `<= 201801.02.0` --- CHANGELOG.md | 1 + vagrant.default.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0cca88dc7d..426d86d774 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update `vagrant_box_version` to `<= 201801.02.0` ([#938](https://github.com/roots/trellis/pull/938)) * Bump Ansible `version_tested_max` to 2.4.2.0 ([#932](https://github.com/roots/trellis/pull/932)) * Add MariaDB 10.2 PPA ([#926](https://github.com/roots/trellis/pull/926)) * Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923)) diff --git a/vagrant.default.yml b/vagrant.default.yml index bd79ec9bab..2d588500f8 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -3,7 +3,7 @@ vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' -vagrant_box_version: '<= 201710.25.0' +vagrant_box_version: '<= 201801.02.0' vagrant_ansible_version: '2.4.2.0' vagrant_skip_galaxy: false From d4596a7279a7eddbf7a565bd79378dba57f607cd Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 20 Jan 2018 00:40:08 +0800 Subject: [PATCH 031/663] Update `vagrant_box_version` to `>= 201801.02.0` Follow up on #938 --- CHANGELOG.md | 2 +- vagrant.default.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 426d86d774..5b5787ecfb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,5 @@ ### HEAD -* Update `vagrant_box_version` to `<= 201801.02.0` ([#938](https://github.com/roots/trellis/pull/938)) +* Update `vagrant_box_version` to `>= 201801.02.0` ([#939](https://github.com/roots/trellis/pull/939)) * Bump Ansible `version_tested_max` to 2.4.2.0 ([#932](https://github.com/roots/trellis/pull/932)) * Add MariaDB 10.2 PPA ([#926](https://github.com/roots/trellis/pull/926)) * Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923)) diff --git a/vagrant.default.yml b/vagrant.default.yml index 2d588500f8..3b2dfe891c 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -3,7 +3,7 @@ vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' -vagrant_box_version: '<= 201801.02.0' +vagrant_box_version: '>= 201801.02.0' vagrant_ansible_version: '2.4.2.0' vagrant_skip_galaxy: false From a48c0c54ac8679a7d38d61224314b8ba8adcd84a Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Wed, 31 Jan 2018 22:56:41 -0400 Subject: [PATCH 032/663] Update wp-cli to 1.5.0 (#944) --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b5787ecfb..c3ebb57e3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 1.5.0 ([#944](https://github.com/roots/trellis/pull/944)) * Update `vagrant_box_version` to `>= 201801.02.0` ([#939](https://github.com/roots/trellis/pull/939)) * Bump Ansible `version_tested_max` to 2.4.2.0 ([#932](https://github.com/roots/trellis/pull/932)) * Add MariaDB 10.2 PPA ([#926](https://github.com/roots/trellis/pull/926)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index fcc8ab74d9..7390b123bd 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml 
@@ -1,4 +1,4 @@ -wp_cli_version: 1.4.1 +wp_cli_version: 1.5.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From c8515b3586bbe8ce81bbf3911d54aa0d5d845d0e Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 31 Jan 2018 23:09:40 -0700 Subject: [PATCH 033/663] Bump Ansible version_tested_max to 2.4.3.0 (#945) Also fix `replace_item_with_key()` custom output method to handle tasks that use `with_dict` and `no_log`. Prevents errors such as: [WARNING]: Failure using method (v2_runner_item_on_skipped) in callback plugin (): 'item' --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- lib/trellis/utils/output.py | 10 ++++++++-- vagrant.default.yml | 2 +- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c3ebb57e3b..9ab5f70bb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.4.3.0 ([#945](https://github.com/roots/trellis/pull/945)) * Update wp-cli to 1.5.0 ([#944](https://github.com/roots/trellis/pull/944)) * Update `vagrant_box_version` to `>= 201801.02.0` ([#939](https://github.com/roots/trellis/pull/939)) * Bump Ansible `version_tested_max` to 2.4.2.0 ([#932](https://github.com/roots/trellis/pull/932)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 273ae5f310..d2a296aebf 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -14,7 +14,7 @@ display = Display() version_requirement = '2.4.0.0' -version_tested_max = '2.4.2.0' +version_tested_max = '2.4.3.0' if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 
diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 7d45369e76..cfb19176ad 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -45,8 +45,14 @@ def reset_task_info(obj, task=None): # Display dict key only, instead of full json dump def replace_item_with_key(obj, result): - if not obj._display.verbosity and 'label' not in result._task._ds.get('loop_control', {}): - item = '_ansible_item_label' if '_ansible_item_label' in result._result else 'item' + item = '_ansible_item_label' if '_ansible_item_label' in result._result else 'item' + should_replace = ( + not obj._display.verbosity + and 'label' not in result._task._ds.get('loop_control', {}) + and item in result._result + ) + + if should_replace: if 'key' in result._result[item]: result._result[item] = result._result[item]['key'] elif type(result._result[item]) is dict: diff --git a/vagrant.default.yml b/vagrant.default.yml index 3b2dfe891c..ddcaca4737 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '>= 201801.02.0' -vagrant_ansible_version: '2.4.2.0' +vagrant_ansible_version: '2.4.3.0' vagrant_skip_galaxy: false vagrant_install_plugins: true From 658c9ee2f74b71ae40b048afd9ba25be748b7ec7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 8 Feb 2018 19:52:03 -0700 Subject: [PATCH 034/663] Fix failed_when in template_root check with wp-cli 1.5.0 (#948) Previous wp-cli versions returned rc=1 and stderr='' for `wp option get template_root` when the option didn't exist. Version 1.5.0 uses a new stderr message. --- CHANGELOG.md | 1 + roles/deploy/hooks/finalize-before.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ab5f70bb0..9ab909ebf8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
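Review bot: `should_replace` now guards against a missing `item` key, but the first branch under it, `if 'key' in result._result[item]:`, still runs before the `type(...) is dict` check, so a plain-string loop item that happens to contain the substring `key` takes that branch and `result._result[item]['key']` raises TypeError — the same class of callback-plugin failure this commit is fixing for `with_dict`. Reordering the checks closes it: `if isinstance(result._result[item], dict) and 'key' in result._result[item]:`. replace_item_with_key's body continues past the hunk, so the remaining branches are not visible here.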
@@ -1,4 +1,5 @@ ### HEAD +* Fix `failed_when` in `template_root` check with wp-cli 1.5.0 ([#948](https://github.com/roots/trellis/pull/948)) * Bump Ansible `version_tested_max` to 2.4.3.0 ([#945](https://github.com/roots/trellis/pull/945)) * Update wp-cli to 1.5.0 ([#944](https://github.com/roots/trellis/pull/944)) * Update `vagrant_box_version` to `>= 201801.02.0` ([#939](https://github.com/roots/trellis/pull/939)) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index d3fed2b46a..dd23480bb1 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -23,7 +23,7 @@ chdir: "{{ deploy_helper.current_path }}" register: wp_template_root changed_when: false - failed_when: wp_template_root.stderr | default('') != '' + failed_when: not wp_template_root.stderr | default('') | match("(|.*Could not get '" + item + "' option\. Does it exist\?)") when: - wp_installed.rc == 0 - project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool From a1b46230b78b054eab7ac2701845d0e6062f3360 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 5 Dec 2017 15:53:28 -0700 Subject: [PATCH 035/663] Update to PHP 7.2 --- CHANGELOG.md | 1 + README.md | 2 +- dev.yml | 2 +- group_vars/all/users.yml | 2 +- roles/common/handlers/main.yml | 2 +- roles/deploy/hooks/finalize-after.yml | 2 +- roles/php/defaults/main.yml | 25 ++++++++++++------------- roles/php/tasks/main.yml | 10 +++++----- roles/wordpress-setup/tasks/main.yml | 6 +++--- roles/xdebug/tasks/main.yml | 10 +++++----- server.yml | 2 +- xdebug-tunnel.yml | 2 +- 12 files changed, 33 insertions(+), 33 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9ab909ebf8..63b324b5bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
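Review bot: The new `failed_when` expression appears unable to ever be true: Ansible's `match` filter is `re.match`, which anchors only at the start of the string, and the pattern's first alternative in `(|.*Could not get ...)` is empty, so it matches the empty prefix of any stderr, `match(...)` is always truthy and `not ...` always false — a real wp-cli failure on this step is then silently ignored. Anchoring the end restores the intended "empty or the known message" check: `failed_when: not wp_template_root.stderr | default('') | match("(|.*Could not get '" + item + "' option\. Does it exist\?)$")`. The task this line belongs to starts above the hunk; the observation rests on the filter's `re.match` semantics in the Ansible version in use, so verify with a forced error before merging.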
@@ -1,4 +1,5 @@ ### HEAD +* Update to PHP 7.2 ([#929](https://github.com/roots/trellis/pull/929)) * Fix `failed_when` in `template_root` check with wp-cli 1.5.0 ([#948](https://github.com/roots/trellis/pull/948)) * Bump Ansible `version_tested_max` to 2.4.3.0 ([#945](https://github.com/roots/trellis/pull/945)) * Update wp-cli to 1.5.0 ([#944](https://github.com/roots/trellis/pull/944)) diff --git a/README.md b/README.md index e1687f6d16..aaee368de8 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Trellis will configure a server with the following and more: * Ubuntu 16.04 Xenial LTS * Nginx (with optional FastCGI micro-caching) -* PHP 7.1 +* PHP 7.2 * MariaDB (a drop-in MySQL replacement) * SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) * Let's Encrypt integration for free SSL certificates diff --git a/dev.yml b/dev.yml index 156e7fe0d4..b55f73df09 100644 --- a/dev.yml +++ b/dev.yml @@ -1,5 +1,5 @@ --- -- name: "WordPress Server: Install LEMP Stack with PHP 7.1 and MariaDB MySQL" +- name: "WordPress Server: Install LEMP Stack with PHP 7.2 and MariaDB MySQL" hosts: web:&development become: yes remote_user: vagrant diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index e2d615012f..7704ef18b7 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -19,4 +19,4 @@ users: web_user: web web_group: www-data web_sudoers: - - "/usr/sbin/service php7.1-fpm *" + - "/usr/sbin/service php7.2-fpm *" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index cab7d53088..762b6caece 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -9,7 +9,7 @@ - name: reload php-fpm service: - name: php7.1-fpm + name: php7.2-fpm state: reloaded - import_tasks: reload_nginx.yml diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 987ac2a6c5..0ce90d3893 100644 --- a/roles/deploy/hooks/finalize-after.yml 
+++ b/roles/deploy/hooks/finalize-after.yml @@ -34,6 +34,6 @@ when: wp_installed.rc == 0 - name: Reload php-fpm - shell: sudo service php7.1-fpm reload + shell: sudo service php7.2-fpm reload args: warn: false diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 129bb128f5..b2ecaf87d1 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -2,19 +2,18 @@ disable_default_pool: true memcached_sessions: false php_extensions_default: - php7.1-cli: "{{ apt_package_state }}" - php7.1-common: "{{ apt_package_state }}" - php7.1-curl: "{{ apt_package_state }}" - php7.1-dev: "{{ apt_package_state }}" - php7.1-fpm: "{{ apt_package_state }}" - php7.1-gd: "{{ apt_package_state }}" - php7.1-mbstring: "{{ apt_package_state }}" - php7.1-mcrypt: "{{ apt_package_state }}" - php7.1-mysql: "{{ apt_package_state }}" - php7.1-opcache: "{{ apt_package_state }}" - php7.1-xml: "{{ apt_package_state }}" - php7.1-xmlrpc: "{{ apt_package_state }}" - php7.1-zip: "{{ apt_package_state }}" + php7.2-cli: "{{ apt_package_state }}" + php7.2-common: "{{ apt_package_state }}" + php7.2-curl: "{{ apt_package_state }}" + php7.2-dev: "{{ apt_package_state }}" + php7.2-fpm: "{{ apt_package_state }}" + php7.2-gd: "{{ apt_package_state }}" + php7.2-mbstring: "{{ apt_package_state }}" + php7.2-mysql: "{{ apt_package_state }}" + php7.2-opcache: "{{ apt_package_state }}" + php7.2-xml: "{{ apt_package_state }}" + php7.2-xmlrpc: "{{ apt_package_state }}" + php7.2-zip: "{{ apt_package_state }}" php_extensions_custom: {} php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index c0c14d9794..b8ec69a9c8 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
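Review bot: `php7.1-mcrypt` is dropped from `php_extensions_default` with no `php7.2-*` replacement (13 entries removed, 12 added), which is the one line in this list that changes what gets installed rather than just the version string, yet neither the CHANGELOG entry nor the commit message mentions it. Sites that call `mcrypt_*` functions will break on upgrade; the CHANGELOG line should say so, and a comment above the list such as `# mcrypt has no php7.2 package; add a replacement via php_extensions_custom if a site needs it` would point users at the override this file already provides.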
@@ -1,24 +1,24 @@ --- -- name: Add PHP 7.1 PPA +- name: Add PHP 7.2 PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.1 +- name: Install PHP 7.2 apt: name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" -- name: Start php7.1-fpm service +- name: Start php7.2-fpm service service: - name: php7.1-fpm + name: php7.2-fpm state: started enabled: true - name: PHP configuration file template: src: php.ini.j2 - dest: /etc/php/7.1/fpm/php.ini + dest: /etc/php/7.2/fpm/php.ini notify: reload php-fpm diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 87400fc68c..1b2119b225 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -26,13 +26,13 @@ - name: Create WordPress php-fpm configuration file template: src: php-fpm.conf.j2 - dest: /etc/php/7.1/fpm/pool.d/wordpress.conf + dest: /etc/php/7.2/fpm/pool.d/wordpress.conf notify: reload php-fpm - name: Disable default PHP-FPM pool - command: mv /etc/php/7.1/fpm/pool.d/www.conf /etc/php/7.1/fpm/pool.d/www.disabled + command: mv /etc/php/7.2/fpm/pool.d/www.conf /etc/php/7.2/fpm/pool.d/www.disabled args: - creates: /etc/php/7.1/fpm/pool.d/www.disabled + creates: /etc/php/7.2/fpm/pool.d/www.disabled when: disable_default_pool | default(true) notify: reload php-fpm diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 1a3061426c..79118f7d05 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
@@ -9,13 +9,13 @@ - name: Template the Xdebug configuration file template: src: xdebug.ini.j2 - dest: /etc/php/7.1/mods-available/xdebug.ini + dest: /etc/php/7.2/mods-available/xdebug.ini notify: reload php-fpm - name: Ensure 20-xdebug.ini is present file: - src: /etc/php/7.1/mods-available/xdebug.ini - dest: /etc/php/7.1/fpm/conf.d/20-xdebug.ini + src: /etc/php/7.2/mods-available/xdebug.ini + dest: /etc/php/7.2/fpm/conf.d/20-xdebug.ini state: link notify: reload php-fpm @@ -23,12 +23,12 @@ - name: Disable Xdebug file: - path: /etc/php/7.1/fpm/conf.d/20-xdebug.ini + path: /etc/php/7.2/fpm/conf.d/20-xdebug.ini state: absent when: not xdebug_remote_enable | bool notify: reload php-fpm - name: Disable Xdebug CLI file: - path: /etc/php/7.1/cli/conf.d/20-xdebug.ini + path: /etc/php/7.2/cli/conf.d/20-xdebug.ini state: absent diff --git a/server.yml b/server.yml index bd181f1f96..d4fb1b00c3 100644 --- a/server.yml +++ b/server.yml @@ -19,7 +19,7 @@ register: python_check changed_when: not python_check.stdout | search('/usr/bin/python') -- name: WordPress Server - Install LEMP Stack with PHP 7.1 and MariaDB MySQL +- name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} become: yes roles: diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 355a334b06..a5e4dfb4e7 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -14,5 +14,5 @@ handlers: - name: reload php-fpm service: - name: php7.1-fpm + name: php7.2-fpm state: reloaded From 88c3b5b0db3062f1def4394fb82c2be3e4ca662b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 12 Feb 2018 20:41:26 -0500 Subject: [PATCH 036/663] Check and stop php7.1-fpm service --- roles/php/tasks/main.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index b8ec69a9c8..90f2bd5fcc 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -17,6 +17,20 @@
 state: started
 enabled: true
 
+- name: Check for existing php7.1-fpm service
+ stat:
+ path: /etc/init.d/php7.1-fpm
+ register: php71_status
+
+- name: Stop php7.1-fpm service if it exists
+ service:
+ name: php7.1-fpm
+ state: stopped
+ enabled: false
+ register: service_stopped
+ when: php71_status.stat.exists
+ notify: reload php-fpm
+
 - name: PHP configuration file
 template:
 src: php.ini.j2
From e23822b437e130f486206723d8a403444a85bd4d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 12 Feb 2018 20:48:33 -0500 Subject: [PATCH 037/663] Set Vagrant's ansible compatibility_mode Avoid the warning from auto detection --- Vagrantfile | 1 + 1 file changed, 1 insertion(+)
diff --git a/Vagrantfile b/Vagrantfile
index a375341e4e..7d60048c13 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -117,6 +117,7 @@ Vagrant.configure('2') do |config|
 ansible.version = vconfig.fetch('vagrant_ansible_version')
 end
 
+ ansible.compatibility_mode = '2.0'
 ansible.playbook = File.join(provisioning_path, 'dev.yml')
 ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY']
 ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles')
From 661842464426b462acb7bd794eea97e47a15011d Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 20 Feb 2018 19:34:07 -0700 Subject: [PATCH 038/663] Add sponsors [ci skip] --- README.md | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index aaee368de8..8d8bacab27 100644
--- a/README.md
+++ b/README.md
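Review bot: `register: service_stopped` on the stop task is not referenced anywhere in the hunk, so unless a later task uses it (none is visible here) it should be dropped. Stopping and disabling php7.1-fpm also leaves the 7.1 packages, pools and ini files installed; if the intent is a clean migration, an `apt` task with `state: absent` for the old package set, or a note in the task name/CHANGELOG that removal is left to the operator, would make the outcome explicit. The `notify: reload php-fpm` on the stop task reloads the 7.2 service (per the handler changed in the previous commit), which is harmless but unnecessary when only the old service changed.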
@@ -92,6 +92,12 @@ A base Ubuntu 16.04 server is required for setting up remote servers. OS X users Contributions are welcome from everyone. We have [contributing guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) to help you get started. +## Gold sponsors + +Help support our open-source development efforts by [contributing to Trellis on OpenCollective](https://opencollective.com/trellis). + +Kinsta Harness Software + ## Community Keep track of development and community news. From 1fca513cf5ca9f856a6ce3a0c04b45a7ce911038 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Thu, 1 Mar 2018 17:27:51 +0800 Subject: [PATCH 039/663] Git: Ignore `vagrant.local.yml` `vagrant.local.yml` is meant to be untracked as per https://github.com/roots/trellis/pull/828/commits/f6be4ac52183c5c491ac0720117d61573d6bd4e3 --- .gitignore | 1 + CHANGELOG.md | 1 + 2 files changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index fd2a86f891..5168a936a0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .vault_pass .vagrant +vagrant.local.yml vendor/roles *.py[co] *.retry diff --git a/CHANGELOG.md b/CHANGELOG.md index 63b324b5bc..9aed92f1c7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Git: Ignore `vagrant.local.yml`([#953](https://github.com/roots/trellis/pull/953)) * Update to PHP 7.2 ([#929](https://github.com/roots/trellis/pull/929)) * Fix `failed_when` in `template_root` check with wp-cli 1.5.0 ([#948](https://github.com/roots/trellis/pull/948)) * Bump Ansible `version_tested_max` to 2.4.3.0 ([#945](https://github.com/roots/trellis/pull/945)) From e07a2b3f1fb934beb27bc4582f7460a638d622e2 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Sat, 3 Mar 2018 11:40:18 -0500 Subject: [PATCH 040/663] Disable memcached UDP support by default memcached can be exploited via UDP. This disables it by default. See https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ for more details. --- CHANGELOG.md | 1 + roles/memcached/defaults/main.yml | 1 + roles/memcached/templates/memcached.conf.j2 | 5 +++++ 3 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9aed92f1c7..d7885d8b12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Disable memcached UDP support by default ([#955](https://github.com/roots/trellis/pull/955)) * Git: Ignore `vagrant.local.yml`([#953](https://github.com/roots/trellis/pull/953)) * Update to PHP 7.2 ([#929](https://github.com/roots/trellis/pull/929)) * Fix `failed_when` in `template_root` check with wp-cli 1.5.0 ([#948](https://github.com/roots/trellis/pull/948)) diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml index 11403dc688..8bdd3e663a 100644 --- a/roles/memcached/defaults/main.yml +++ b/roles/memcached/defaults/main.yml @@ -4,6 +4,7 @@ memcached_fs_file_max: 756024 memcached_listen_ip: 127.0.0.1 memcached_max_conn: 1024 memcached_port: 11211 +memcached_port_udp: 0 memcached_packages_default: memcached: "{{ apt_package_state }}" diff --git a/roles/memcached/templates/memcached.conf.j2 b/roles/memcached/templates/memcached.conf.j2 index b3714fd712..b8755adc2b 100644 --- a/roles/memcached/templates/memcached.conf.j2 +++ b/roles/memcached/templates/memcached.conf.j2 @@ -10,6 +10,11 @@ # information. -d +# modifies the UDP port, defaulting to on. +# UDP is useful for fetching or setting small items, not as useful for manipulating large items. +# Setting this to 0 will disable it, if you're worried. +-U {{ memcached_port_udp }} + # Log memcached's output to /var/log/memcached logfile /var/log/memcached.log
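Review bot: The three comment lines added above `-U {{ memcached_port_udp }}` are the stock memcached.conf wording (`defaulting to on`, `if you're worried`) and now contradict the role's actual default of `memcached_port_udp: 0` set in this same commit, so an operator reading the deployed file is told UDP is on when it is off. Reword them to describe the rendered behaviour, e.g. `# UDP port. Disabled (0) by default to close the memcached amplification vector; set memcached_port_udp to re-enable.`.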
From f38b782717dee7a741fe0ac8451f164f54f9d57f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 6 Mar 2018 21:48:37 -0700 Subject: [PATCH 041/663] Add Nginx ssl.no-default.conf to drop requests for unknown hosts (#888) Based on h5bp/server-configs-nginx/sites-available/ssl.no-default. Adds ssl_certificate and ssl_certificate_key, required for Nginx to load properly. --- CHANGELOG.md | 1 + group_vars/all/helpers.yml | 1 + roles/letsencrypt/tasks/certificates.yml | 2 +- roles/nginx/defaults/main.yml | 2 -- roles/nginx/tasks/main.yml | 23 ++----------------- roles/wordpress-setup/defaults/main.yml | 14 +++++++++++ roles/wordpress-setup/tasks/nginx.yml | 19 +++++++++++++++ .../tasks/self-signed-certificate.yml | 7 ++++-- .../templates/no-default.conf.j2 | 0 .../templates/ssl.no-default.conf.j2 | 22 ++++++++++++++++++ 10 files changed, 65 insertions(+), 26 deletions(-) rename roles/{nginx => wordpress-setup}/templates/no-default.conf.j2 (100%) create mode 100644 roles/wordpress-setup/templates/ssl.no-default.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index d7885d8b12..91f6511a3e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add Nginx `ssl.no-default.conf` to drop requests for unknown hosts ([#888](https://github.com/roots/trellis/pull/888)) * [BREAKING] Disable memcached UDP support by default ([#955](https://github.com/roots/trellis/pull/955)) * Git: Ignore `vagrant.local.yml`([#953](https://github.com/roots/trellis/pull/953)) * Update to PHP 7.2 ([#929](https://github.com/roots/trellis/pull/929)) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index d0ab088e3c..7b89c15ebf 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -17,3 +17,4 @@ multisite_subdomains_wildcards: "{{ item.value.multisite.subdomains | default(fa ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}" ssl_stapling_enabled: "{{ item.value.ssl is defined and item.value.ssl.stapling_enabled | default(true) }}" cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}" +sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}" diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index 74dd7e5997..ea22ced1ab 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -22,7 +22,7 @@ changed_when: false when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" - tags: [wordpress, wordpress-setup, nginx-includes] + tags: [wordpress, wordpress-setup, nginx-includes, nginx-sites] - name: Generate CSRs shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr" diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index f70ca149a8..85178bb1c8 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -8,8 +8,6 @@ nginx_user: www-data www-data nginx_fastcgi_buffers: 8 8k nginx_fastcgi_buffer_size: 8k nginx_fastcgi_read_timeout: 120s -nginx_sites_confs: - - src: no-default.conf.j2 # Fastcgi cache params nginx_cache_path: /var/cache/nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index bb229149a3..8df441628f 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
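Review bot: `sites_use_ssl` will raise an undefined-variable error for any entry in `wordpress_sites` that omits the `ssl` key, because `map(attribute='ssl')` yields an Undefined and `selectattr('enabled')` then dereferences it; the expression predates this commit (it is the `when:` removed from roles/nginx/tasks/main.yml in the same patch), but as a group_vars helper it is now evaluated wherever it is referenced rather than in one nginx task. If sites are allowed to omit `ssl`, filtering first avoids the error: `sites_use_ssl: "{{ wordpress_sites.values() | selectattr('ssl', 'defined') | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}"`.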
@@ -21,9 +21,9 @@ args: chdir: "{{ nginx_path }}/ssl" creates: "{{ nginx_path }}/ssl/dhparams.pem" - when: wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count + when: sites_use_ssl notify: reload nginx - tags: [diffie-hellman] + tags: [diffie-hellman, wordpress, wordpress-setup, nginx-includes, nginx-sites] - name: Grab h5bp/server-configs-nginx git: @@ -50,22 +50,3 @@ path: "{{ nginx_path }}/sites-enabled/default" state: absent notify: reload nginx - -- name: Create Nginx available sites - template: - src: "{{ item.src }}" - dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" - with_items: "{{ nginx_sites_confs }}" - when: item.enabled | default(true) - notify: reload nginx - tags: nginx-sites - -- name: Enable or disable Nginx sites - file: - path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" - src: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" - state: "{{ item.enabled | default(true) | ternary('link', 'absent') }}" - force: yes - with_items: "{{ nginx_sites_confs }}" - notify: reload nginx - tags: nginx-sites diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index b34865ca89..928e61c02d 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -2,6 +2,20 @@ site_uses_local_db: "{{ site_env.db_host == 'localhost' }}" nginx_wordpress_site_conf: wordpress-site.conf.j2 nginx_ssl_path: "{{ nginx_path }}/ssl" +ssl_default_site: + no_default: + site_hosts: + - canonical: example.com + ssl: + enabled: true + provider: self-signed + multisite: {} + +nginx_sites_confs: + - src: no-default.conf.j2 + - src: ssl.no-default.conf.j2 + enabled: "{{ sites_use_ssl }}" + # HSTS defaults nginx_hsts_max_age: 31536000 nginx_hsts_include_subdomains: true 
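Review bot: `ssl_default_site` is a deliberately fake site whose only purpose is to make the self-signed-certificate task emit the `no_default.cert`/`no_default.key` pair that `ssl.no-default.conf.j2` references, but nothing in the defaults file says so, and its `canonical: example.com` and empty `multisite` will read as a mistake to the next maintainer. A comment above it such as `# Placeholder "site": exists only so the self-signed cert/key for the SSL default_server (ssl.no-default.conf) get generated; not a real WordPress site` would prevent that. The `enabled: "{{ sites_use_ssl }}"` entry in `nginx_sites_confs` also appears to rely on the templated string being coerced to a boolean before the `ternary` in the nginx-sites task; that seems to hold with Ansible's result conversion but deserves a comment as well.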
diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index e2d9b58cc8..ffb9fcb11f 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -19,6 +19,25 @@ - import_tasks: "{{ playbook_dir }}/roles/common/tasks/disable_challenge_sites.yml" +- name: Create Nginx available sites + template: + src: "{{ item.src }}" + dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" + with_items: "{{ nginx_sites_confs }}" + when: item.enabled | default(true) + notify: reload nginx + tags: nginx-sites + +- name: Enable or disable Nginx sites + file: + path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" + src: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" + state: "{{ item.enabled | default(true) | ternary('link', 'absent') }}" + force: yes + with_items: "{{ nginx_sites_confs }}" + notify: reload nginx + tags: nginx-sites + - name: Create Nginx conf for challenges location template: src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2" diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 80c6600cb1..9410380fef 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -18,6 +18,9 @@ EOF\n executable: "/bin/bash" chdir: "{{ nginx_ssl_path }}" creates: "{{ item.key }}.*" - with_dict: "{{ wordpress_sites }}" - when: ssl_enabled and item.value.ssl.provider | default('manual') == 'self-signed' + with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" + when: + - sites_use_ssl + - ssl_enabled + - item.value.ssl.provider | default('manual') == 'self-signed' notify: reload nginx 
diff --git a/roles/nginx/templates/no-default.conf.j2 b/roles/wordpress-setup/templates/no-default.conf.j2 similarity index 100% rename from roles/nginx/templates/no-default.conf.j2 rename to roles/wordpress-setup/templates/no-default.conf.j2 diff --git a/roles/wordpress-setup/templates/ssl.no-default.conf.j2 b/roles/wordpress-setup/templates/ssl.no-default.conf.j2 new file mode 100644 index 0000000000..a29b113dbd --- /dev/null +++ b/roles/wordpress-setup/templates/ssl.no-default.conf.j2 @@ -0,0 +1,22 @@ +# {{ ansible_managed }} + +# Drop requests for unknown hosts +# +# If no default server is defined, nginx will use the first found server. +# To prevent host header attacks, or other potential problems when an unknown +# servername is used in a request, it's recommended to drop the request +# returning 444 "no response". + +server { + listen [::]:443 ssl default_server deferred; + listen 443 ssl default_server deferred; + + include h5bp/directive-only/ssl.conf; + ssl_dhparam /etc/nginx/ssl/dhparams.pem; + + ssl_certificate {{ nginx_path }}/ssl/no_default.cert; + ssl_trusted_certificate {{ nginx_path }}/ssl/no_default.cert; + ssl_certificate_key {{ nginx_path }}/ssl/no_default.key; + + return 444; +} From f7cc5cc9975961555c6b21950c01e3a8e75cd643 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 7 Mar 2018 18:52:53 -0700 Subject: [PATCH 042/663] Update Ansible default plugin paths in config files (#958) --- CHANGELOG.md | 1 + ansible.cfg | 6 +++--- lib/trellis/vagrant.rb | 8 ++++---- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91f6511a3e..8ae2fcff18 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
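Review bot: `ssl_trusted_certificate` is pointed at the self-signed `no_default.cert`, but that directive only matters for OCSP stapling and chain verification, neither of which a self-signed default_server has; if the included `h5bp/directive-only/ssl.conf` enables `ssl_stapling` (not visible here) nginx will log stapling warnings for this vhost, and if it does not, the line is dead configuration. Either drop the line or add a comment explaining why it is kept. A comment near the `ssl_certificate` lines noting that the certificate is a self-signed placeholder generated by the wordpress-setup role, not a real site certificate, would also help anyone auditing the deployed config.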
@@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Update Ansible default plugin paths in config files ([#958](https://github.com/roots/trellis/pull/958)) * Add Nginx `ssl.no-default.conf` to drop requests for unknown hosts ([#888](https://github.com/roots/trellis/pull/888)) * [BREAKING] Disable memcached UDP support by default ([#955](https://github.com/roots/trellis/pull/955)) * Git: Ignore `vagrant.local.yml`([#953](https://github.com/roots/trellis/pull/953)) diff --git a/ansible.cfg b/ansible.cfg index 3f42017488..c1a2890ca7 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,13 +1,13 @@ [defaults] -callback_plugins = ~/.ansible/plugins/callback_plugins/:/usr/share/ansible_plugins/callback_plugins:lib/trellis/plugins/callback +callback_plugins = ~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback:lib/trellis/plugins/callback stdout_callback = output -filter_plugins = ~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:lib/trellis/plugins/filter +filter_plugins = ~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:lib/trellis/plugins/filter force_color = True force_handlers = True inventory = hosts nocows = 1 roles_path = vendor/roles -vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:lib/trellis/plugins/vars +vars_plugins = ~/.ansible/plugins/vars:/usr/share/ansible/plugins/vars:lib/trellis/plugins/vars [ssh_connection] ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index 16cf2f3dd4..d991d71330 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb 
@@ -1,10 +1,10 @@ # Set Ansible paths relative to Ansible directory ENV['ANSIBLE_CONFIG'] = ANSIBLE_PATH -ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback_plugins/:/usr/share/ansible_plugins/callback_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/callback')}" -ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" -ENV['ANSIBLE_LIBRARY'] = "/usr/share/ansible:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" +ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/callback')}" +ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" +ENV['ANSIBLE_LIBRARY'] = "~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" ENV['ANSIBLE_ROLES_PATH'] = File.join(ANSIBLE_PATH, 'vendor', 'roles') -ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" +ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars:/usr/share/ansible/plugins/vars:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" def ensure_plugins(plugins) logger = Vagrant::UI::Colored.new From cd26da47a719d52e939964fd88a860bfc1acad0a Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 7 Mar 2018 18:59:02 -0700 Subject: [PATCH 043/663] Fix raw_vars feature to properly handle int values (#959) The raw_vars feature was processing only AnsibleUnicode values. It was not processing int values, replacing them with None. --- CHANGELOG.md | 1 + lib/trellis/plugins/callback/vars.py | 3 +++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ae2fcff18..6b42bf9b9b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
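Review bot: `ENV['ANSIBLE_LIBRARY']` gains the new default module paths here, but the ansible.cfg hunk in the same commit (and its diffstat of three changed lines) touches only `callback_plugins`, `filter_plugins` and `vars_plugins`; if ansible.cfg defines a `library` key elsewhere in the file (not visible in this hunk) it should be updated to the same `~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:lib/trellis/modules` value, and if it does not, non-Vagrant runs never see `lib/trellis/modules` at all. Worth confirming the two files agree, since the stated purpose of this commit is keeping the plugin paths in sync.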
@@ -1,4 +1,5 @@ ### HEAD +* Fix `raw_vars` feature to properly handle int values ([#959](https://github.com/roots/trellis/pull/959)) * [BREAKING] Update Ansible default plugin paths in config files ([#958](https://github.com/roots/trellis/pull/958)) * Add Nginx `ssl.no-default.conf` to drop requests for unknown hosts ([#888](https://github.com/roots/trellis/pull/888)) * [BREAKING] Disable memcached UDP support by default ([#955](https://github.com/roots/trellis/pull/955)) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index c0742ca2a3..83ab22c505 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -37,6 +37,9 @@ def raw_triage(self, key_string, item, patterns): match = next((pattern for pattern in patterns if re.match(pattern, key_string)), None) return AnsibleUnicode(''.join(['{% raw %}', item, '{% endraw %}'])) if not item.startswith(('{% raw', '{%raw')) and match else item + else: + return item + def raw_vars(self, play, host, hostvars): if 'raw_vars' not in hostvars: return From 75518c1fc6bed541765de51b7b8a3191a7f064b6 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 11 Mar 2018 14:54:12 -0600 Subject: [PATCH 044/663] Ensure Diffie-Hellman group is generated for Let's Encrypt (#964) Add letsencrypt tag to task generating Diffie-Hellman group, ensuring task runs when playbook is run with --tags letsencrypt. --- CHANGELOG.md | 1 + roles/nginx/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b42bf9b9b..f1876f9229 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
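Review bot: The added `else:` carries only `return item`, and the visible branch directly above it already returns unconditionally, so a dedented `return item` at the end of `raw_triage` would express the same fallthrough with one less nesting level — provided the `if`/`elif` arms above the hunk (not visible here) also return. `raw_triage` also has no docstring; a one-liner such as `"""Wrap string values whose key matches a raw_vars pattern in {% raw %} tags; return any other value unchanged."""` would record the contract this fix establishes, since non-string values previously fell through and became None.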
@@ -1,4 +1,5 @@ ### HEAD +* Ensure Diffie-Hellman group is generated for Let's Encrypt ([#964](https://github.com/roots/trellis/pull/964)) * Fix `raw_vars` feature to properly handle int values ([#959](https://github.com/roots/trellis/pull/959)) * [BREAKING] Update Ansible default plugin paths in config files ([#958](https://github.com/roots/trellis/pull/958)) * Add Nginx `ssl.no-default.conf` to drop requests for unknown hosts ([#888](https://github.com/roots/trellis/pull/888)) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 8df441628f..473d880427 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -23,7 +23,7 @@ creates: "{{ nginx_path }}/ssl/dhparams.pem" when: sites_use_ssl notify: reload nginx - tags: [diffie-hellman, wordpress, wordpress-setup, nginx-includes, nginx-sites] + tags: [diffie-hellman, letsencrypt, wordpress, wordpress-setup, nginx-includes, nginx-sites] - name: Grab h5bp/server-configs-nginx git: From 6f5dd46c2d0f1769b384ebd5ac52af04169e130c Mon Sep 17 00:00:00 2001 From: Patrick Artounian Date: Tue, 13 Mar 2018 13:04:44 -0700 Subject: [PATCH 045/663] Add support for includes.d on all sites --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 3b8905846e..d7a584bec1 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -108,6 +108,7 @@ server { {% endblock -%} {% block includes_d -%} + include includes.d/all/*.conf; include includes.d/{{ item.key }}/*.conf; {% endblock -%} From cf66ee3c7876db5fb78b930431e627464db1f3c9 Mon Sep 17 00:00:00 2001 
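Review bot: The new `include includes.d/all/*.conf;` sits before the per-site include inside the `server` block, and nginx does not let a later file override an earlier one: a `location` defined in both `includes.d/all/` and `includes.d/<site>/` fails `nginx -t` as a duplicate, while `add_header` lines from both files accumulate. That precedence is worth a template comment, e.g. `{# includes.d/all applies to every site; a per-site file cannot override a location it duplicates #}`. Whether a task creates the `includes.d/all` directory is not visible in this hunk; an unmatched glob is harmless to nginx, so that is only a usability question.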
From: Primoz Cigler Date: Fri, 16 Mar 2018 13:43:21 +0100 Subject: [PATCH 046/663] Refactor --subdomains flag in the Install WP task According to the [documentation](https://developer.wordpress.org/cli/commands/core/multisite-install/) the existance of the --subdomains is boolean value. If the item.value.multisite.subdomains was set to false (or not set) this task was treating it as it's set to true. This commit is fixing this. --- roles/wordpress-install/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 27e3458985..060f386d76 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -48,7 +48,9 @@ --url="{{ site_env.wp_home }}" {% if item.value.multisite.enabled | default(false) %} --base="{{ item.value.multisite.base_path | default('/') }}" - --subdomains="{{ item.value.multisite.subdomains | default('false') }}" + {% if item.value.multisite.subdomains | default('false') %} + --subdomains + {% endif %} {% endif %} --title="{{ item.value.site_title | default(item.key) }}" --admin_user="{{ item.value.admin_user | default('admin') }}" From d2cbd6f77af9c99418bb2a55edf0f860c13b258f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 17 Mar 2018 15:45:12 -0400 Subject: [PATCH 047/663] Update CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f1876f9229..fdec3e424f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
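Review bot: `{% if item.value.multisite.subdomains | default('false') %}` emits `--subdomains` when the variable is unset, because `default('false')` yields the non-empty string `'false'`, which Jinja treats as true — the opposite of what the commit message intends for the "not set" case. Use a real boolean and coerce user-supplied strings: `{% if item.value.multisite.subdomains | default(false) | bool %}`. The `wp core multisite-install` task this block belongs to starts above the hunk.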
@@ -1,4 +1,6 @@ ### HEAD +* Add support for includes.d on all sites ([#966](https://github.com/roots/trellis/pull/966)) +* Fix `--subdomains` flag in the Install WP task ([#968](https://github.com/roots/trellis/pull/968)) * Ensure Diffie-Hellman group is generated for Let's Encrypt ([#964](https://github.com/roots/trellis/pull/964)) * Fix `raw_vars` feature to properly handle int values ([#959](https://github.com/roots/trellis/pull/959)) * [BREAKING] Update Ansible default plugin paths in config files ([#958](https://github.com/roots/trellis/pull/958)) From e43b15def1c1a2d404362d360d200dd5ca3b6023 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 29 Mar 2018 18:00:18 -0600 Subject: [PATCH 048/663] Add gold sponsor [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8d8bacab27..cabf62b598 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [contributing to Trellis on OpenCollective](https://opencollective.com/trellis). -Kinsta Harness Software +Kinsta Harness Software KM Digital ## Community From 6a5a3256c774f76a28487d5998e4672908565279 Mon Sep 17 00:00:00 2001 From: Valentino Cossar Date: Fri, 30 Mar 2018 22:46:26 +0200 Subject: [PATCH 049/663] Add support for sSMTP revaliases configuration (#956) --- CHANGELOG.md | 1 + roles/ssmtp/defaults/main.yml | 10 ++++++++++ roles/ssmtp/tasks/main.yml | 5 +++++ roles/ssmtp/templates/revaliases.j2 | 9 +++++++++ 4 files changed, 25 insertions(+) create mode 100644 roles/ssmtp/templates/revaliases.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index fdec3e424f..0310189faa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Add support for sSMTP revaliases configuration ([#956](https://github.com/roots/trellis/pull/956)) * Add support for includes.d on all sites ([#966](https://github.com/roots/trellis/pull/966)) * Fix `--subdomains` flag in the Install WP task ([#968](https://github.com/roots/trellis/pull/968)) * Ensure Diffie-Hellman group is generated for Let's Encrypt ([#964](https://github.com/roots/trellis/pull/964)) diff --git a/roles/ssmtp/defaults/main.yml b/roles/ssmtp/defaults/main.yml index 2c684dbacf..c7310cf09e 100644 --- a/roles/ssmtp/defaults/main.yml +++ b/roles/ssmtp/defaults/main.yml @@ -3,3 +3,13 @@ ssmtp_auth_method: LOGIN ssmtp_from_override: 'Yes' ssmtp_start_tls: 'Yes' ssmtp_tls: 'Yes' +# ssmtp_revaliases: +# - user: root +# from: from@example.com +# smtp_server: "{{ mail_smtp_server }}" +# - user: "{{ admin_user }}" +# from: from@example.com +# smtp_server: "{{ mail_smtp_server }}" +# - user: "{{ web_user }}" +# from: from@example.com +# smtp_server: "{{ mail_smtp_server }}" diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 910451621a..9d62055d4d 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -9,3 +9,8 @@ template: src: ssmtp.conf.j2 dest: /etc/ssmtp/ssmtp.conf + +- name: ssmtp revaliases configuration + template: + src: revaliases.j2 + dest: /etc/ssmtp/revaliases diff --git a/roles/ssmtp/templates/revaliases.j2 b/roles/ssmtp/templates/revaliases.j2 new file mode 100644 index 0000000000..2d66f62d04 --- /dev/null +++ b/roles/ssmtp/templates/revaliases.j2 @@ -0,0 +1,9 @@ +# {{ ansible_managed }} + +{% if ssmtp_revaliases is defined and ssmtp_revaliases is not none %} +{% for item in ssmtp_revaliases %} +{% if item.user is defined and item.user is not none and item.from is defined and item.from is not none and item.smtp_server is defined and item.smtp_server is not none %} +{{ item.user }}:{{ item.from }}:{{ item.smtp_server }} +{% endif %} +{% endfor %} +{% endif %} 
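Review bot: The `{% if item.user is defined and ... is not none %}` guard in revaliases.j2 silently drops any entry missing one of the three keys, so a misspelled key (say `smtp_sever`) produces an alias that never appears and no error. Ansible fails on undefined variables by default, so referencing the fields directly is both louder and shorter: `{% for item in ssmtp_revaliases | default([], true) %}` / `{{ item.user }}:{{ item.from }}:{{ item.smtp_server }}` / `{% endfor %}`, where the `true` argument also covers a null `ssmtp_revaliases` and replaces the outer `is defined and is not none` check. Note that the new task in roles/ssmtp/tasks/main.yml writes `/etc/ssmtp/revaliases` on every host, including those with no `ssmtp_revaliases` defined, so the file is rendered header-only there rather than left as installed.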
From 415cf230c5e608d158743db4bb24142ebdb6b377 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Fri, 30 Mar 2018 16:47:08 -0400 Subject: [PATCH 050/663] Vendor h5bp Nginx configs (#973) These configs rarely change (and haven't in almost a year) so there is no point in pulling them down from GitHub. It just makes it harder to edit them if need be. No behaviour changes with this commit. The templates/files included are from the same commit SHA. --- CHANGELOG.md | 1 + roles/nginx/tasks/main.yml | 15 ++---- .../cache-file-descriptors.conf | 19 ++++++++ .../directive-only/cross-domain-insecure.conf | 14 ++++++ .../h5bp/directive-only/extra-security.conf | 17 +++++++ .../h5bp/directive-only/no-transform.conf | 11 +++++ .../h5bp/directive-only/ssl-stapling.conf | 9 ++++ .../templates/h5bp/directive-only/ssl.conf | 47 +++++++++++++++++++ .../h5bp/directive-only/x-ua-compatible.conf | 2 + .../h5bp/location/cache-busting.conf | 10 ++++ .../h5bp/location/cross-domain-fonts.conf | 12 +++++ .../templates/h5bp/location/expires.conf | 45 ++++++++++++++++++ .../h5bp/location/protect-system-files.conf | 13 +++++ 13 files changed, 204 insertions(+), 11 deletions(-) create mode 100644 roles/nginx/templates/h5bp/directive-only/cache-file-descriptors.conf create mode 100644 roles/nginx/templates/h5bp/directive-only/cross-domain-insecure.conf create mode 100644 roles/nginx/templates/h5bp/directive-only/extra-security.conf create mode 100644 roles/nginx/templates/h5bp/directive-only/no-transform.conf create mode 100644 roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf create mode 100644 roles/nginx/templates/h5bp/directive-only/ssl.conf create mode 100644 roles/nginx/templates/h5bp/directive-only/x-ua-compatible.conf create mode 100644 roles/nginx/templates/h5bp/location/cache-busting.conf create mode 100644 roles/nginx/templates/h5bp/location/cross-domain-fonts.conf create mode 100644 roles/nginx/templates/h5bp/location/expires.conf create mode 100644 roles/nginx/templates/h5bp/location/protect-system-files.conf 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0310189faa..7add358e39 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) * Add support for sSMTP revaliases configuration ([#956](https://github.com/roots/trellis/pull/956)) * Add support for includes.d on all sites ([#966](https://github.com/roots/trellis/pull/966)) * Fix `--subdomains` flag in the Install WP task ([#968](https://github.com/roots/trellis/pull/968)) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 473d880427..e38d61f526 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -25,17 +25,10 @@ notify: reload nginx tags: [diffie-hellman, letsencrypt, wordpress, wordpress-setup, nginx-includes, nginx-sites] -- name: Grab h5bp/server-configs-nginx - git: - repo: "https://github.com/h5bp/server-configs-nginx.git" - dest: "{{ nginx_path }}/h5bp-server-configs" - version: c5c6602232e0976d9e69d69874aa84d2a2698265 - force: yes - -- name: Move h5bp configs - command: rsync -ac --delete --info=NAME {{ nginx_path }}/h5bp-server-configs/h5bp/ {{ nginx_path }}/h5bp - register: h5bp_nginx_sync - changed_when: h5bp_nginx_sync.stdout != '' +- name: Copy h5bp configs + copy: + src: templates/h5bp + dest: "{{ nginx_path }}" notify: reload nginx - name: Create nginx.conf diff --git a/roles/nginx/templates/h5bp/directive-only/cache-file-descriptors.conf b/roles/nginx/templates/h5bp/directive-only/cache-file-descriptors.conf new file mode 100644 index 0000000000..ed312c0068 --- /dev/null +++ b/roles/nginx/templates/h5bp/directive-only/cache-file-descriptors.conf 
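Review bot: The new `copy` task drops the provenance the removed `git` task carried: nothing in the tree now records that these files come from h5bp/server-configs-nginx at `c5c6602232e0976d9e69d69874aa84d2a2698265`, which is what a later reviewer needs in order to diff the vendored headers and TLS defaults against upstream. A comment above the task, `# Vendored from h5bp/server-configs-nginx @ c5c6602232e0976d9e69d69874aa84d2a2698265; refresh by re-copying, not by editing in place`, keeps that link. `copy` also has no delete semantics, unlike the removed `rsync -ac --delete`, so hosts provisioned before this change keep the `{{ nginx_path }}/h5bp-server-configs` checkout and any file later removed from `templates/h5bp` lingers under `{{ nginx_path }}/h5bp`; a `file` task with `state: absent` on the old checkout directory would clean up the former.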
@@ -0,0 +1,19 @@ +# This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc. +# +# The upside of this is that Nginx can immediately begin sending data when a popular file is requested, +# and will also know to immediately send a 404 if a file is missing on disk, and so on. +# +# However, it also means that the server won't react immediately to changes on disk, which may be undesirable. +# +# In the below configuration, inactive files are released from the cache after 20 seconds, whereas +# active (recently requested) files are re-validated every 30 seconds. +# +# Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time). +# +# A maximum of the 1000 most recently used file descriptors can be cached at any time. +# +# Production servers with stable file collections will definitely want to enable the cache. +open_file_cache max=1000 inactive=20s; +open_file_cache_valid 30s; +open_file_cache_min_uses 2; +open_file_cache_errors on; diff --git a/roles/nginx/templates/h5bp/directive-only/cross-domain-insecure.conf b/roles/nginx/templates/h5bp/directive-only/cross-domain-insecure.conf new file mode 100644 index 0000000000..e9373adc40 --- /dev/null +++ b/roles/nginx/templates/h5bp/directive-only/cross-domain-insecure.conf @@ -0,0 +1,14 @@ +# Cross domain AJAX requests + +# http://www.w3.org/TR/cors/#access-control-allow-origin-response-header + +# **Security Warning** +# Do not use this without understanding the consequences. +# This will permit access from any other website. +# +add_header "Access-Control-Allow-Origin" "*"; + +# Instead of using this file, consider using a specific rule such as: +# +# Allow access based on [sub]domain: +# add_header "Access-Control-Allow-Origin" "subdomain.example.com"; 
diff --git a/roles/nginx/templates/h5bp/directive-only/extra-security.conf b/roles/nginx/templates/h5bp/directive-only/extra-security.conf new file mode 100644 index 0000000000..0ac46aa295 --- /dev/null +++ b/roles/nginx/templates/h5bp/directive-only/extra-security.conf @@ -0,0 +1,17 @@ +# The X-Frame-Options header indicates whether a browser should be allowed +# to render a page within a frame or iframe. +add_header X-Frame-Options SAMEORIGIN always; + +# MIME type sniffing security protection +# There are very few edge cases where you wouldn't want this enabled. +add_header X-Content-Type-Options nosniff always; + +# The X-XSS-Protection header is used by Internet Explorer version 8+ +# The header instructs IE to enable its inbuilt anti-cross-site scripting filter. +add_header X-XSS-Protection "1; mode=block" always; + +# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy), +# you can tell the browser that it can only download content from the domains you explicitly allow +# CSP can be quite difficult to configure, and cause real issues if you get it wrong +# There is website that helps you generate a policy here http://cspisawesome.com/ +# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always; diff --git a/roles/nginx/templates/h5bp/directive-only/no-transform.conf b/roles/nginx/templates/h5bp/directive-only/no-transform.conf new file mode 100644 index 0000000000..eda5464472 --- /dev/null +++ b/roles/nginx/templates/h5bp/directive-only/no-transform.conf 
@@ -0,0 +1,11 @@ +# Prevent mobile network providers from modifying your site +# +# (!) If you are using `ngx_pagespeed`, please note that setting +# the `Cache-Control: no-transform` response header will prevent +# `PageSpeed` from rewriting `HTML` files, and, if +# `pagespeed DisableRewriteOnNoTransform off` is not used, also +# from rewriting other resources. +# +# https://developers.google.com/speed/pagespeed/module/configuration#notransform + +add_header "Cache-Control" "no-transform"; diff --git a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf b/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf new file mode 100644 index 0000000000..d15bf972ba --- /dev/null +++ b/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf @@ -0,0 +1,9 @@ +# OCSP stapling... +ssl_stapling on; +ssl_stapling_verify on; + +#trusted cert must be made up of your intermediate certificate followed by root certificate +#ssl_trusted_certificate /path/to/ca.crt; + +resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s; +resolver_timeout 2s; diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf new file mode 100644 index 0000000000..cf5cfaa6cc --- /dev/null +++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf 
@@ -0,0 +1,47 @@ +# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add +# SSLv3 to the list of protocols below. +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + +# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx +ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; +ssl_prefer_server_ciphers on; + +# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes. +# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. +# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state. +# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS. 
+ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions +ssl_session_timeout 24h; + +# SSL buffer size was added in 1.5.9 +#ssl_buffer_size 1400; # 1400 bytes to fit in one MTU + +# Session tickets appeared in version 1.5.9 +# +# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and +# when a restart is performed the previous key is lost, which resets all previous +# sessions. The fix for this is to setup a manual rotation mechanism: +# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx +# +# Note that you'll have to define and rotate the keys securely by yourself. In absence +# of such infrastructure, consider turning off session tickets: +#ssl_session_tickets off; + +# Use a higher keepalive timeout to reduce the need for repeated handshakes +keepalive_timeout 300s; # up from 75 secs default + +# HSTS (HTTP Strict Transport Security) +# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS. +#add_header Strict-Transport-Security "max-age=31536000" always; +# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS +#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; +# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS +# Recommend is also to use preload service +#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + +# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication). +# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors. 
+#ssl_certificate /etc/nginx/default_ssl.crt; +#ssl_certificate_key /etc/nginx/default_ssl.key; + +# Consider using OCSP Stapling as shown in ssl-stapling.conf diff --git a/roles/nginx/templates/h5bp/directive-only/x-ua-compatible.conf b/roles/nginx/templates/h5bp/directive-only/x-ua-compatible.conf new file mode 100644 index 0000000000..a51bb31d47 --- /dev/null +++ b/roles/nginx/templates/h5bp/directive-only/x-ua-compatible.conf @@ -0,0 +1,2 @@ +# Force the latest IE version +add_header "X-UA-Compatible" "IE=Edge"; diff --git a/roles/nginx/templates/h5bp/location/cache-busting.conf b/roles/nginx/templates/h5bp/location/cache-busting.conf new file mode 100644 index 0000000000..6afe34abf9 --- /dev/null +++ b/roles/nginx/templates/h5bp/location/cache-busting.conf @@ -0,0 +1,10 @@ +# Built-in filename-based cache busting + +# https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L403 +# This will route all requests for /css/style.20120716.css to /css/style.css +# Read also this: github.com/h5bp/html5-boilerplate/wiki/cachebusting +# This is not included by default, because it'd be better if you use the build +# script to manage the file names. +location ~* (.+)\.(?:\d+)\.(js|css|png|jpg|jpeg|gif)$ { + try_files $uri $1.$2; +} diff --git a/roles/nginx/templates/h5bp/location/cross-domain-fonts.conf b/roles/nginx/templates/h5bp/location/cross-domain-fonts.conf new file mode 100644 index 0000000000..e0fa318f46 --- /dev/null +++ b/roles/nginx/templates/h5bp/location/cross-domain-fonts.conf @@ -0,0 +1,12 @@ +# Cross domain webfont access +location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { + include h5bp/directive-only/cross-domain-insecure.conf; + + # Also, set cache rules for webfonts. + # + # See http://wiki.nginx.org/HttpCoreModule#location + # And https://github.com/h5bp/server-configs/issues/85 + # And https://github.com/h5bp/server-configs/issues/86 + access_log off; + add_header Cache-Control "max-age=2592000"; +} 
diff --git a/roles/nginx/templates/h5bp/location/expires.conf b/roles/nginx/templates/h5bp/location/expires.conf new file mode 100644 index 0000000000..6766ef2217 --- /dev/null +++ b/roles/nginx/templates/h5bp/location/expires.conf @@ -0,0 +1,45 @@ +# Expire rules for static content + +# No default expire rule. This config mirrors that of apache as outlined in the +# html5-boilerplate .htaccess file. However, nginx applies rules by location, +# the apache rules are defined by type. A consequence of this difference is that +# if you use no file extension in the url and serve html, with apache you get an +# expire time of 0s, with nginx you'd get an expire header of one month in the +# future (if the default expire rule is 1 month). Therefore, do not use a +# default expire rule with nginx unless your site is completely static + +# cache.appcache, your document html and data +location ~* \.(?:manifest|appcache|html?|xml|json)$ { + add_header Cache-Control "max-age=0"; +} + +# Feed +location ~* \.(?:rss|atom)$ { + add_header Cache-Control "max-age=3600"; +} + +# Media: images, icons, video, audio, HTC +location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ { + access_log off; + add_header Cache-Control "max-age=2592000"; +} + +# Media: svgz files are already compressed. +location ~* \.svgz$ { + access_log off; + gzip off; + add_header Cache-Control "max-age=2592000"; +} + +# CSS and Javascript +location ~* \.(?:css|js)$ { + add_header Cache-Control "max-age=31536000"; + access_log off; +} + +# WebFonts +# If you are NOT using cross-domain-fonts.conf, uncomment the following directive +# location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { +# add_header Cache-Control "max-age=2592000"; +# access_log off; +# } diff --git a/roles/nginx/templates/h5bp/location/protect-system-files.conf b/roles/nginx/templates/h5bp/location/protect-system-files.conf new file mode 100644 index 0000000000..128c49ab0b --- /dev/null 
+++ b/roles/nginx/templates/h5bp/location/protect-system-files.conf @@ -0,0 +1,13 @@ +# Prevent clients from accessing hidden files (starting with a dot) +# This is particularly important if you store .htpasswd files in the site hierarchy +# Access to `/.well-known/` is allowed. +# https://www.mnot.net/blog/2010/04/07/well-known +# https://tools.ietf.org/html/rfc5785 +location ~* /\.(?!well-known\/) { + deny all; +} + +# Prevent clients from accessing to backup/config/source files +location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ { + deny all; +} From f782e594cddfa78d0f44ae552a45f860ddb2724b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 31 Mar 2018 22:54:42 -0600 Subject: [PATCH 051/663] Fix path to h5bp/mime.types (#974) --- CHANGELOG.md | 1 + roles/nginx/templates/h5bp/mime.types | 138 ++++++++++++++++++++++++++ roles/nginx/templates/nginx.conf.j2 | 4 +- 3 files changed, 141 insertions(+), 2 deletions(-) create mode 100644 roles/nginx/templates/h5bp/mime.types diff --git a/CHANGELOG.md b/CHANGELOG.md index 7add358e39..197bfd8ce4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) * Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) * Add support for sSMTP revaliases configuration ([#956](https://github.com/roots/trellis/pull/956)) * Add support for includes.d on all sites ([#966](https://github.com/roots/trellis/pull/966)) diff --git a/roles/nginx/templates/h5bp/mime.types b/roles/nginx/templates/h5bp/mime.types new file mode 100644 index 0000000000..7c3b1e7386 --- /dev/null +++ b/roles/nginx/templates/h5bp/mime.types 
@@ -0,0 +1,138 @@ +types { + + # Data interchange + + application/atom+xml atom; + application/json json map topojson; + application/ld+json jsonld; + application/rss+xml rss; + application/vnd.geo+json geojson; + application/xml rdf xml; + + + # JavaScript + + # Normalize to standard type. + # https://tools.ietf.org/html/rfc4329#section-7.2 + application/javascript js; + + + # Manifest files + + application/manifest+json webmanifest; + application/x-web-app-manifest+json webapp; + text/cache-manifest appcache; + + + # Media files + + audio/midi mid midi kar; + audio/mp4 aac f4a f4b m4a; + audio/mpeg mp3; + audio/ogg oga ogg opus; + audio/x-realaudio ra; + audio/x-wav wav; + image/bmp bmp; + image/gif gif; + image/jpeg jpeg jpg; + image/jxr jxr hdp wdp; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-jng jng; + video/3gpp 3gp 3gpp; + video/mp4 f4p f4v m4v mp4; + video/mpeg mpeg mpg; + video/ogg ogv; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-mng mng; + video/x-ms-asf asf asx; + video/x-ms-wmv wmv; + video/x-msvideo avi; + + # Serving `.ico` image files with a different media type + # prevents Internet Explorer from displaying then as images: + # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee + + image/x-icon cur ico; + + + # Microsoft Office + + application/msword doc; + application/vnd.ms-excel xls; + application/vnd.ms-powerpoint ppt; + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + + # Web fonts + + application/font-woff woff; + application/font-woff2 woff2; + application/vnd.ms-fontobject eot; + + # Browsers usually ignore the font media types and simply sniff + # the bytes to figure out the font type. 
+ # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern + # + # However, Blink and WebKit based browsers will show a warning + # in the console if the following font types are served with any + # other media types. + + application/x-font-ttf ttc ttf; + font/opentype otf; + + + # Other + + application/java-archive ear jar war; + application/mac-binhex40 hqx; + application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz; + application/pdf pdf; + application/postscript ai eps ps; + application/rtf rtf; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-bb-appworld bbaw; + application/x-bittorrent torrent; + application/x-chrome-extension crx; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-opera-extension oex; + application/x-perl pl pm; + application/x-pilot pdb prc; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert crt der pem; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xslt+xml xsl; + application/zip zip; + text/css css; + text/csv csv; + text/html htm html shtml; + text/markdown md; + text/mathml mml; + text/plain txt; + text/vcard vcard vcf; + text/vnd.rim.location.xloc xloc; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/vtt vtt; + text/x-component htc; + +} diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 5a587d5434..3a0548a352 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -74,7 +74,7 @@ http { {% block mime_types -%} # Specify MIME types for files. - include h5bp-server-configs/mime.types; + include h5bp/mime.types; # Default: text/plain default_type application/octet-stream; @@ -199,7 +199,7 @@ http { # a specific directory, or on an individual server{} level. # gzip_static on; {% endblock %} - + {% block http_includes_d -%} include includes.d/http/*.conf; {% endblock -%} From 9dfddfd0d5f7d10886d2f434c02d3bd23edb8684 Mon Sep 17 00:00:00 2001 From: newloong Date: Tue, 3 Apr 2018 12:27:41 +0800 Subject: [PATCH 052/663] Support git url format ssh://user@host/path/to/repo (#975) --- CHANGELOG.md | 1 + deploy.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 197bfd8ce4..bad3e4d3a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) * Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) * Add support for sSMTP revaliases configuration ([#956](https://github.com/roots/trellis/pull/956)) diff --git a/deploy.yml b/deploy.yml index 0962b3e156..308c5bc4f0 100644 --- a/deploy.yml +++ b/deploy.yml @@ -28,6 +28,6 @@ Ensure that your site's `repo` variable is defined in `group_vars/{{ env }}/wordpress_sites.yml` and uses the SSH format (example: git@github.com:roots/bedrock.git) More info: > https://roots.io/trellis/docs/deploys/ - when: project.repo is not defined or not project.repo | match(".*@.*:.*\.git") + when: project.repo is not defined or not project.repo | match("^ssh://.+@.+|.+@.+:.+") roles: - deploy From 170594515710bf8867464bc42e288392e5dd3833 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sun, 8 Apr 2018 13:34:00 -0600 Subject: [PATCH 053/663] Add gold sponsor [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
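Review bot: The new `when` pattern in deploy.yml accepts `ssh://user@host/path`, but the fail message in the surrounding context still documents only the `git@github.com:roots/bedrock.git` form, so a user who trips the check is never told the `ssh://` form is valid; extend it to `uses the SSH format (examples: git@github.com:roots/bedrock.git or ssh://git@github.com/roots/bedrock.git)`. The pattern also drops the old `\.git` suffix requirement and leaves the `.+@.+:.+` alternative open-ended, so it is looser than the old one; if the suffix was intentional, `^(ssh://.+@.+|.+@.+:.+)\.git$` keeps it for both forms. The task that owns this `when` starts outside the hunk.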
diff --git a/README.md b/README.md index cabf62b598..095957402f 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [contributing to Trellis on OpenCollective](https://opencollective.com/trellis). -Kinsta Harness Software KM Digital +Kinsta Harness Software KM Digital ThemeIsle ## Community From ac336ee512a2130934892a56d4cc4314e821060c Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Sun, 22 Apr 2018 17:59:56 -0700 Subject: [PATCH 054/663] Add xdebug.remote_autostart to simplify xdebug sessions --- group_vars/development/php.yml | 1 + roles/xdebug/defaults/main.yml | 1 + roles/xdebug/templates/xdebug.ini.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 7b9af47888..8df88dc533 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -7,3 +7,4 @@ php_opcache_enable: 0 xdebug_remote_enable: 1 xdebug_remote_connect_back: 1 +xdebug_remote_autostart: 1 diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index b210759a30..3efa2ccfb2 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -3,6 +3,7 @@ php_xdebug_package: php-xdebug # XDebug Remote Debugging xdebug_remote_enable: 0 xdebug_remote_connect_back: 0 +xdebug_remote_autostart: 0 xdebug_remote_host: localhost xdebug_remote_port: 9000 xdebug_remote_log: /tmp/xdebug.log diff --git a/roles/xdebug/templates/xdebug.ini.j2 b/roles/xdebug/templates/xdebug.ini.j2 index 72435a2bf8..3490bc1d9b 100644 --- a/roles/xdebug/templates/xdebug.ini.j2 +++ b/roles/xdebug/templates/xdebug.ini.j2 
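Review bot: `xdebug_remote_autostart: 0` in roles/xdebug/defaults/main.yml is added without a comment, although the setting changes behaviour materially once it is 1 as group_vars/development/php.yml now sets it: Xdebug then tries to open a DBGp session on every PHP request without the usual trigger cookie or GET parameter, and with `xdebug_remote_connect_back: 1` (also 1 in the development vars) that connection, as I read the combination, goes back to whichever address sent the request. Document that on the default so nobody copies the development value into another environment, e.g. `# 1 = start a debug session on every request (no XDEBUG_SESSION trigger needed); keep 0 outside development`. The rest of the defaults file continues outside the hunk.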
@@ -6,6 +6,7 @@ zend_extension=xdebug.so ; Remote Debugging xdebug.remote_enable={{ xdebug_remote_enable }} xdebug.remote_connect_back={{ xdebug_remote_connect_back }} +xdebug.remote_autostart={{ xdebug_remote_autostart }} xdebug.remote_host={{ xdebug_remote_host }} xdebug.remote_port={{ xdebug_remote_port }} xdebug.remote_handler=dbgp From 9d5b3c5b5ac73fa34de7043c4d6af7ad52daf967 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 24 Apr 2018 09:57:57 -0600 Subject: [PATCH 055/663] Update logrotate doc URL [ci skip] --- group_vars/all/logrotate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/logrotate.yml b/group_vars/all/logrotate.yml index 438947254c..c6d24962c6 100644 --- a/group_vars/all/logrotate.yml +++ b/group_vars/all/logrotate.yml @@ -1,4 +1,4 @@ -# Documentation: https://galaxy.ansible.com/list#/roles/1117 +# Documentation: https://github.com/nickhammond/ansible-logrotate logrotate_scripts: - name: wordpress-sites path: "{{ www_root }}/**/logs/*.log" From 6f2fff5e24772de9311e4a4bf54a9000416d17ea Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Wed, 25 Apr 2018 09:53:08 -0300 Subject: [PATCH 056/663] Update WP-CLI to 1.5.1. --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 7390b123bd..0430d8cf2f 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.5.0 +wp_cli_version: 1.5.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From e3dff5f012f752a2e9be41f8e9df6dcca9073227 Mon Sep 17 00:00:00 2001 
From: Ned Zimmerman Date: Wed, 25 Apr 2018 09:54:38 -0300 Subject: [PATCH 057/663] Update changelog. [ci skip] --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bad3e4d3a1..4709a091f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) * Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) From 221ef605780f6b5ada034ddaeadfa29ab35e0a83 Mon Sep 17 00:00:00 2001 From: jeremy Date: Fri, 27 Apr 2018 07:18:44 -0700 Subject: [PATCH 058/663] Update geerlingguy.composer 1.6.1->1.7.0 (#983) Update from `1.6.1` -> `1.7.0` which addresses #943 ([DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated.) --- CHANGELOG.md | 1 + requirements.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4709a091f2..cd12d3525b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) diff --git a/requirements.yml b/requirements.yml index a5dbaf621d..69d229acd6 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,6 @@ - name: composer src: geerlingguy.composer - version: 1.6.1 + version: 1.7.0 - name: ntp src: geerlingguy.ntp From 51bf9984ffc36cc9502d315c796ce068d95b8ec7 Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Fri, 27 Apr 2018 08:48:46 -0600 Subject: [PATCH 059/663] Update geerlingguy.ntp 1.5.2->1.6.0 (#984) Avoids deprecation warnings introduced in Ansible 2.4: "The use of 'include' for tasks has been deprecated." --- CHANGELOG.md | 1 + requirements.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd12d3525b..0fe1e5e105 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) * Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) diff --git a/requirements.yml b/requirements.yml index 69d229acd6..eb6c001e06 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 1.5.2 + version: 1.6.0 - name: logrotate src: nickhammond.logrotate From ee8c43762a1076bccbe4f7463074d0d913630055 Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Fri, 27 Apr 2018 08:05:01 -0700 Subject: [PATCH 060/663] Enable nginx to start on boot (#980) --- CHANGELOG.md | 1 + roles/nginx/tasks/main.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fe1e5e105..f18678f700 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) * Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) * Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index e38d61f526..3f0202792c 100644 
--- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -43,3 +43,10 @@ path: "{{ nginx_path }}/sites-enabled/default" state: absent notify: reload nginx + +- name: Enable Nginx to start on boot + service: + name: nginx + enabled: yes + state: started + use: service From 67e2bc585e31c1142035d7b67a6e38aba6946330 Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Sun, 29 Apr 2018 14:44:59 -0700 Subject: [PATCH 061/663] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bad3e4d3a1..d29016b224 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) * Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) From 38e3b7a152719b2d7a08f094901e86e4c439e23c Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 3 May 2018 13:23:56 -0600 Subject: [PATCH 062/663] 'yarn run' -> 'yarn' [ci skip] --- deploy-hooks/build-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 6c483c3f75..bfad9d6847 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -19,7 +19,7 @@ # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # # - name: Compile assets for production -# command: yarn run build:production +# command: yarn build:production # connection: local # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" From c6b258e5d938f9154911a6768f1bd38292a89d4b Mon Sep 17 00:00:00 2001 
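Review bot: `enabled: yes` in the new "Enable Nginx to start on boot" task uses a YAML 1.1 boolean spelling that yamllint's truthy rule rejects and that a YAML 1.2 parser reads as the string `yes`; write `enabled: true` to match the rest of the role. `use: service` also deserves a one-line comment saying why the backend is pinned instead of auto-detected, e.g. `# backend pinned deliberately — see PR #980` if that was the intent, or it should be dropped if it was not.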
From: Phil Nelson Date: Sun, 6 May 2018 15:32:52 -0600 Subject: [PATCH 063/663] Issue warning for all Ubuntu releases that are not Xenial (#986) --- roles/common/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 7248ce50da..94eaa73e0d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -78,8 +78,7 @@ Development via Vagrant: `vagrant destroy && vagrant up` Staging/Production: Create a new server with Ubuntu 16.04 and provision - when: ansible_distribution_release == 'trusty' - run_once: true + when: ansible_distribution_release != 'xenial' - name: Check whether passlib is needed fail: From 46d6a2a92b79816592af5d3af1fafd218aa3533f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 6 May 2018 15:33:16 -0600 Subject: [PATCH 064/663] Clarify that changelog entry indicates Trellis version (#987) --- lib/trellis/utils/output.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index cfb19176ad..9bcd31c992 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -29,7 +29,7 @@ def system(vagrant_version=None): else: change = re.search(r'^\*\s?(\[BREAKING\])?([^\(\n\[]+)', str, re.M|re.I) if change is not None: - changelog_msg = '\n Trellis at "{0}"'.format(change.group(2).strip()) + changelog_msg = '\n Trellis version (per changelog): "{0}"'.format(change.group(2).strip()) # Vagrant info, if available vagrant = ' Vagrant {0};'.format(vagrant_version) if vagrant_version else '' From b556ccdb2b3183eba4a9530b206a402422deeca3 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 6 May 2018 15:33:44 -0600 Subject: [PATCH 065/663] Validate python version on control machine (#988) --- lib/trellis/plugins/vars/version.py | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index d2a296aebf..df943b9f26 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -6,6 +6,7 @@ from ansible.errors import AnsibleError from distutils.version import LooseVersion from operator import ge, gt +from sys import version_info try: from __main__ import display @@ -13,6 +14,10 @@ from ansible.utils.display import Display display = Display() +if version_info[0] > 2: + raise AnsibleError(('Trellis does not yet support Python {}.{}.{}. \n' + 'Please use Python 2.7.').format(version_info[0], version_info[1], version_info[2])) + version_requirement = '2.4.0.0' version_tested_max = '2.4.3.0' From 60b38c0afc2b129ee23cba46451d4d8a0d712f46 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 18 May 2018 18:41:13 +0800 Subject: [PATCH 066/663] Common: Install `git` instead of `git-core` Because `git-core` is now a dummy package of `git`. See: http://git.661346.n2.nabble.com/git-core-vs-git-package-on-ubuntu-tp7576083p7576085.html --- CHANGELOG.md | 1 + roles/common/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91e16ce907..786005e2f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) * Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 5e92f1487f..f34f62e723 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
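Review bot: The new guard `if version_info[0] > 2:` only rejects Python 3 and later, while the message promises support for Python 2.7 specifically; a 2.6 interpreter (or any other 2.x) passes silently and fails later with a less helpful error. If 2.7 is the real requirement, compare the tuple: `if version_info[:2] != (2, 7):`. The three-index format call can then be spelled `'{}.{}.{}'.format(*version_info[:3])`. The module continues outside the hunk.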
@@ -26,7 +26,7 @@ apt_packages_default: build-essential: "{{ apt_package_state }}" python-mysqldb: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" - git-core: "{{ apt_package_state }}" + git: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" From e3315fef63f290757e5ab249c96c01dadb84a8c2 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 19 May 2018 17:31:14 -0600 Subject: [PATCH 067/663] Add CSP frame-ancestors, make X-Frame-Options conditional (#977) The X-Frame-Options header has been obsoleted by the frame-ancestors directive. Retain the X-Frame-Options header for older browsers. Return empty X-Frame-Options header for WordPress Customizer content to prevent the conflict that SAMEORIGIN would have with the ALLOW-FROM option that WordPress adds on its own (Safari browser). Discussion in https://core.trac.wordpress.org/ticket/40020 --- CHANGELOG.md | 1 + .../h5bp/directive-only/extra-security.conf | 2 +- .../templates/wordpress-site.conf.j2 | 14 ++++++++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 786005e2f4..3390c67e7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) diff --git a/roles/nginx/templates/h5bp/directive-only/extra-security.conf b/roles/nginx/templates/h5bp/directive-only/extra-security.conf index 0ac46aa295..eb10e06ca4 100644 --- a/roles/nginx/templates/h5bp/directive-only/extra-security.conf +++ b/roles/nginx/templates/h5bp/directive-only/extra-security.conf 
@@ -1,6 +1,6 @@ # The X-Frame-Options header indicates whether a browser should be allowed # to render a page within a frame or iframe. -add_header X-Frame-Options SAMEORIGIN always; +# add_header X-Frame-Options SAMEORIGIN always; # MIME type sniffing security protection # There are very few edge cases where you wouldn't want this enabled. diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index d7a584bec1..ec074aaca1 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -161,6 +161,20 @@ server { {% endblock %} + {% block embed_security -%} + {% if item.value.nginx_embed_security | default(nginx_embed_security | default(true)) -%} + add_header Content-Security-Policy "frame-ancestors 'self'" always; + + # Conditional X-Frame-Options until https://core.trac.wordpress.org/ticket/40020 is resolved + set $x_frame_options SAMEORIGIN; + if ($arg_customize_changeset_uuid) { + set $x_frame_options ""; + } + add_header X-Frame-Options $x_frame_options always; + + {% endif -%} + {% endblock -%} + {% block location_php -%} location ~ \.php$ { {% block location_php_basic -%} From 8aa18e9bfd5747f5b5d8209b4a44534ad9359d8d Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 19 May 2018 19:08:12 -0600 Subject: [PATCH 068/663] Improve failed_when rule for Wordpress Installed check (#991) In rare cases the wp_installed registered var may be missing the stderr attribute, so add a default to avoid related error. The `wp core is-installed` command return code is 1 if WP is simply not installed. However, in rare cases the command may return some other return code indicative of true failure, so fail if rc > 1. --- roles/deploy/hooks/finalize-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index dd23480bb1..29ee76cc8a 100644 
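Review bot: The two `add_header` lines in the new `embed_security` block sit at `server` level, and nginx's `add_header` is not additive across levels: any `location` that declares its own `add_header` (the `location ~ \.php$` block immediately below, if its body or an include does so) drops the inherited `Content-Security-Policy` and `X-Frame-Options` for responses served from that location. Check the rendered `server{}` for per-location `add_header` use and, if there is any, repeat these two headers there or move them into a shared include. Note too that the `$arg_customize_changeset_uuid` condition blanks `X-Frame-Options` for any request carrying that query argument, so browsers without CSP `frame-ancestors` support keep no framing protection on such URLs; a comment next to `set $x_frame_options "";` such as `# Requests with ?customize_changeset_uuid= rely on CSP frame-ancestors alone (legacy browsers get no X-Frame-Options)` would make that trade-off explicit. The `server` block starts and ends outside the hunk.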
--- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -10,7 +10,7 @@ chdir: "{{ deploy_helper.new_release_path }}" register: wp_installed changed_when: false - failed_when: wp_installed.stderr != "" + failed_when: wp_installed.stderr | default("") != "" or wp_installed.rc > 1 - name: Get WP theme template and stylesheet roots shell: > From c3e59f3221a896fe44fa4956df9c74137cb0aaa9 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 20 May 2018 09:13:10 +0800 Subject: [PATCH 069/663] deploy.sh: Return non-zero exit code when misuse (#990) - Exit with `127` when not enough arguments - Exit with `1` when hosts file not exist See: http://www.tldp.org/LDP/abs/html/exitcodes.html --- CHANGELOG.md | 1 + bin/deploy.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3390c67e7a..7d9fc5a222 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) diff --git a/bin/deploy.sh b/bin/deploy.sh index 79d72c37d4..0b346e8e34 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh @@ -21,7 +21,7 @@ Examples: " } -[[ $# -lt 2 ]] && { show_usage; exit 0; } +[[ $# -lt 2 ]] && { show_usage; exit 127; } for arg do @@ -39,7 +39,7 @@ if [[ ! -e $HOSTS_FILE ]]; then echo echo "Available environments:" ( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" ) - exit 0 + exit 1 fi $DEPLOY_CMD From c06894054b9aea5c8393c78a49ff92ee5ddf8997 Mon Sep 17 00:00:00 2001 
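Review bot: The new `failed_when` guards `stderr` with `default("")` because, per the commit message, the registered result can lack that attribute, but `wp_installed.rc > 1` on the same line reads `rc` unguarded; a result that is missing `stderr` may well be missing `rc` too, in which case the expression raises an undefined-attribute error instead of evaluating. Guard it the same way, e.g. `failed_when: wp_installed.stderr | default("") != "" or wp_installed.rc | default(0) > 1`, choosing the default to match how a result with no return code should be treated. The `wp core is-installed` task starts outside the hunk.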
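Review bot: `exit 127` for the missing-arguments case reuses the code shells reserve for "command not found" (the exit-codes page the commit cites documents it that way), so a caller inspecting `$?` cannot tell a usage error from a missing `ansible-playbook`; the conventional usage-error code is `2` (or `64`, EX_USAGE from sysexits). Suggest `[[ $# -lt 2 ]] && { show_usage >&2; exit 2; }`, which also sends the usage text to stderr now that it signals an error. The `exit 1` in the hosts-file branch is fine. The script continues outside both hunks.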
From: Phil Nelson Date: Sat, 19 May 2018 20:33:26 -0600 Subject: [PATCH 070/663] Skip Acme Challenge failure message for non-failed sites (#993) --- roles/letsencrypt/tasks/nginx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 298524cc07..fa564947dc 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -60,5 +60,5 @@ Make sure that a valid DNS record exists for {{ item.failed_hosts | join(', ') }} and that they point to this server's IP. If you don't want these domains in your SSL certificate, then remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more details. - when: not item | skipped and letsencrypt_test_challenges | failed + when: item is not skipped and item is failed with_items: "{{ letsencrypt_test_challenges.results }}" From 30ae7fe95370b24b955f971f90b3c8fe99d6473f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 20 May 2018 13:01:51 -0600 Subject: [PATCH 071/663] Bump Ansible version_tested_max to 2.5.3 (#981) * Bump Ansible version_tested_max to 2.5.3 Convert Jinja2 tests from filter format to `var is testname` format. Encourage users on Ansible 2.5.0 to upgrade to avoid erroneous warnings fixed in ansible/ansible 37538 --- CHANGELOG.md | 1 + deploy.yml | 2 +- lib/trellis/plugins/vars/version.py | 8 ++++++-- roles/common/defaults/main.yml | 2 +- roles/connection/defaults/main.yml | 2 +- roles/connection/tasks/main.yml | 2 +- roles/deploy/hooks/finalize-before.yml | 2 +- roles/deploy/tasks/update.yml | 2 +- roles/letsencrypt/defaults/main.yml | 2 +- roles/letsencrypt/tasks/nginx.yml | 2 +- roles/users/tasks/main.yml | 2 +- roles/wordpress-install/tasks/main.yml | 2 +- roles/xdebug-tunnel/tasks/main.yml | 4 ++-- server.yml | 2 +- vagrant.default.yml | 2 +- 15 files changed, 21 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d9fc5a222..ac328cd77a 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) * deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) diff --git a/deploy.yml b/deploy.yml index 308c5bc4f0..e391a1b641 100644 --- a/deploy.yml +++ b/deploy.yml @@ -28,6 +28,6 @@ Ensure that your site's `repo` variable is defined in `group_vars/{{ env }}/wordpress_sites.yml` and uses the SSH format (example: git@github.com:roots/bedrock.git) More info: > https://roots.io/trellis/docs/deploys/ - when: project.repo is not defined or not project.repo | match("^ssh://.+@.+|.+@.+:.+") + when: project.repo is not defined or project.repo is not match("^ssh://.+@.+|.+@.+:.+") roles: - deploy diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index df943b9f26..ada7aeaf63 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -5,7 +5,7 @@ from ansible import __version__ from ansible.errors import AnsibleError from distutils.version import LooseVersion -from operator import ge, gt +from operator import eq, ge, gt from sys import version_info try: @@ -19,7 +19,7 @@ 'Please use Python 2.7.').format(version_info[0], version_info[1], version_info[2])) version_requirement = '2.4.0.0' -version_tested_max = '2.4.3.0' +version_tested_max = '2.5.3' if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 
@@ -29,6 +29,10 @@ u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) +if eq(LooseVersion(__version__), LooseVersion('2.5.0')): + display.warning(u'You Ansible version is {}. Consider upgrading your Ansible version to avoid ' + u'erroneous warnings such as `Removed restricted key from module data...`'.format(__version__)) + # Import BaseVarsPlugin after Ansible version check. # Otherwise import error for Ansible versions older than 2.4 would prevent display of version check message. from ansible.plugins.vars import BaseVarsPlugin diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index f34f62e723..c97104a18e 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -33,7 +33,7 @@ apt_packages_default: apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" -openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.8', '>=') }}" +openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.8', '>=') }}" overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" overlapping_kex: "[{% for kex in (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) if kex in ssh_client_kex %}'{{ kex }}',{% endfor %}]" overlapping_macs: "[{% for mac in (sshd_macs_default + sshd_macs_extra) if mac in ssh_client_macs %}'{{ mac }}',{% endfor %}]" diff --git a/roles/connection/defaults/main.yml b/roles/connection/defaults/main.yml index f6c42a8444..70219ac2e1 100644 --- a/roles/connection/defaults/main.yml +++ b/roles/connection/defaults/main.yml 
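Review bot: The user-facing warning added for Ansible 2.5.0 reads `You Ansible version is {}`; it should be `Your Ansible version is {}`. The trigger `eq(LooseVersion(__version__), LooseVersion('2.5.0'))` also matches only that exact string: LooseVersion compares `2.5.0` and `2.5.0.0` as different, and this file itself uses four-part strings such as `2.4.0.0`, so if both spellings occur the warning would be skipped for one of them; `__version__.startswith('2.5.0')` or normalising before comparing would be more robust. The module continues outside the hunk.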
@@ -1,5 +1,5 @@ ansible_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ansible_host + ' > /dev/null 2>&1 && echo True || echo False') }}" ssh_config_host: "{{ lookup('pipe', 'ssh -G ' + ansible_host + ' 2>/dev/null | grep \"^hostname\" ||:') | regex_replace('^hostname ([^\\s]+)', '\\1') }}" ssh_config_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ssh_config_host + ' > /dev/null 2>&1 && echo True || echo False') }}" -openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.5', '>=') }}" +openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.5', '>=') }}" host_key_algorithms: "{{ openssh_6_5_plus | ternary('ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa', 'ssh-rsa-cert-v01@openssh.com,ssh-rsa') }}" diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 92ba31315d..de07be3538 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -60,7 +60,7 @@ debug: msg: | Note: Ansible will attempt connections as user = {{ ansible_user }} - {% if not preferred_host_key_algorithms | skipped %} + {% if preferred_host_key_algorithms is not skipped %} Note: The host `{{ ansible_host }}` was not detected in known_hosts so Trellis prompted the host to offer a key type that will work with diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 29ee76cc8a..4c46ed35ea 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -23,7 +23,7 @@ chdir: "{{ deploy_helper.current_path }}" register: wp_template_root changed_when: false - failed_when: not wp_template_root.stderr | default('') | match("(|.*Could not get '" + item + "' option\. Does it exist\?)") + failed_when: wp_template_root.stderr | default('') is not match("(|.*Could not get '" + item + "' option\. Does it exist\?)") when: - wp_installed.rc == 0 - project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 672784b3f8..0a456b0b10 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -49,7 +49,7 @@ More info: > https://roots.io/trellis/docs/deploys/#ssh-keys > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding - when: git_clone | failed + when: git_clone is failed - include_tasks: "{{ include_path }}" with_items: "{{ deploy_update_after | default([]) }}" diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 2bd7b12805..52b628fc7a 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -1,7 +1,7 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" site_uses_letsencrypt: ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" -letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" +letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' acme_tiny_commit: '4ed13950c0a9cf61f1ca81ff1874cde1cf48ab32' diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index fa564947dc..c0578e4933 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -36,7 +36,7 @@ notify: disable temporary challenge sites - import_tasks: "{{ playbook_dir }}/roles/common/tasks/reload_nginx.yml" - when: challenge_site_confs | changed or challenge_sites_enabled | changed + when: challenge_site_confs is changed or challenge_sites_enabled is changed - name: Create test Acme Challenge file shell: touch {{ acme_tiny_challenges_directory }}/ping.txt diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index e1487bc5c6..a9313429fe 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml 
@@ -67,5 +67,5 @@ tags: [connection-tests, sshd] - import_tasks: connection-warnings.yml - when: not admin_user_status | skipped and admin_user_status.rc != 0 + when: admin_user_status is not skipped and admin_user_status.rc != 0 tags: [connection-tests, sshd] diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 060f386d76..58b1f88f95 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -68,7 +68,7 @@ args: chdir: "{{ www_root }}/{{ item.item.key }}/{{ item.item.value.current_path | default('current') }}/" with_items: "{{ wp_install.results }}" - when: item | changed + when: item is changed - name: Update WP Multisite Home URL command: wp option update home {{ site_env.wp_home }} --allow-root diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index b015c11099..9147f73733 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -20,9 +20,9 @@ SSH tunnel already closed! {% endif %} {{ xdebug_tunnel.stderr | default('Unknown error in handling Xdebug SSH tunnel') }} - when: xdebug_tunnel | failed or 'already' in xdebug_tunnel.stderr | default('') + when: xdebug_tunnel is failed or 'already' in xdebug_tunnel.stderr | default('') - name: Announce Xdebug SSH tunnel status debug: msg: SSH Tunnel was {{ xdebug_remote_enable | bool | ternary('created', 'closed') }}! - when: xdebug_tunnel | changed + when: xdebug_tunnel is changed diff --git a/server.yml b/server.yml index d4fb1b00c3..ac86b53f93 100644 --- a/server.yml +++ b/server.yml 
@@ -17,7 +17,7 @@ - name: Install Python 2.x raw: which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson register: python_check - changed_when: not python_check.stdout | search('/usr/bin/python') + changed_when: python_check.stdout is not search('/usr/bin/python') - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} diff --git a/vagrant.default.yml b/vagrant.default.yml index ddcaca4737..c73a622a1c 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '>= 201801.02.0' -vagrant_ansible_version: '2.4.3.0' +vagrant_ansible_version: '2.5.3' vagrant_skip_galaxy: false vagrant_install_plugins: true From eb20979b7181d5eb800c15f031f804335918fbc7 Mon Sep 17 00:00:00 2001 From: Bradley Date: Mon, 21 May 2018 13:29:32 +1000 Subject: [PATCH 072/663] Add option to enable FastCGI background updates (#962) Enabled by default --- CHANGELOG.md | 1 + roles/wordpress-setup/defaults/main.yml | 1 + roles/wordpress-setup/templates/wordpress-site.conf.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac328cd77a..0c032478c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) * deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 928e61c02d..8d622fb89a 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
@@ -30,6 +30,7 @@ hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | te nginx_cache_duration: 30s nginx_skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in +nginx_cache_background_update: on # Nginx includes nginx_includes_templates_path: nginx-includes diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index ec074aaca1..d731acad03 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -189,6 +189,7 @@ server { fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }}; fastcgi_cache_bypass $skip_cache; fastcgi_no_cache $skip_cache; + fastcgi_cache_background_update {{ item.value.cache.background_update | default(nginx_cache_background_update) }}; {% endif -%} {% endblock -%} From 54a108e2a5d9a9e0cf2c9c7c13e136b256622460 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 21 May 2018 11:00:50 -0600 Subject: [PATCH 073/663] Add quotes to nginx_cache_background_update value "on" Quotes prevent Ansible from interpolating the variable value as True. True is an invalid value for fastcgi_cache_background_update and would would make Nginx unable to reload. --- roles/wordpress-setup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 8d622fb89a..5b2e1768ee 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
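Review bot: The new `fastcgi_cache_background_update` directive interpolates the per-site `item.value.cache.background_update` override straight into the nginx config, so a site whose `wordpress_sites` entry spells the value as an unquoted `on`, `yes` or `true` renders as `True`, the same implicit-boolean trap the unquoted default `on` in the defaults hunk of this commit falls into, and an invalid value there stops nginx from reloading. Normalizing in the template protects both sources at once: `fastcgi_cache_background_update {{ item.value.cache.background_update | default(nginx_cache_background_update) | bool | ternary('on', 'off') }};`. The enclosing `{% if %}` and `server` block begin outside the hunk.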
@@ -30,7 +30,7 @@ hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | te nginx_cache_duration: 30s nginx_skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in -nginx_cache_background_update: on +nginx_cache_background_update: "on" # Nginx includes nginx_includes_templates_path: nginx-includes From d52893c2e3759bd7a48a692b2321240a61005b12 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 3 Jun 2018 20:27:54 +0800 Subject: [PATCH 074/663] Verify `wp-cli.phar` checksum --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 1 + roles/wp-cli/tasks/main.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c032478c0..9b85267035 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) * deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 0430d8cf2f..b1f1acf604 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,5 @@ wp_cli_version: 1.5.1 +wp_cli_phar_checksum: "sha512:8dd68c98c6fa00e1acc5e036f9393c8b052937045b5232e4aa0eb4f15773908eae48760607bc853a4f951bd5ba69e5050337e5d9dcfa48df87a12cebb1de3432" wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" 
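Review bot: `wp_cli_phar_checksum` is silently coupled to the `wp_cli_version` on the line above it, but nothing says so; anyone overriding only `wp_cli_version` in group_vars gets a download that fails the checksum with no hint why. A comment on the new line makes the pairing explicit, e.g. `# sha512 of the wp-cli-{{ wp_cli_version }}.phar release asset; override together with wp_cli_version`. Failing closed on a mismatch is the right behaviour, so only the documentation is missing.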
diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index c3f6770953..8888ff40d6 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -3,6 +3,7 @@ get_url: url: "{{ wp_cli_phar_url }}" dest: /tmp/wp-cli-{{ wp_cli_version }}.phar + checksum: "{{ wp_cli_phar_checksum }}" - name: Install WP-CLI command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }} From 571fa2379757a51092165f861a78fa93c2a42620 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Wed, 6 Jun 2018 20:41:52 +0800 Subject: [PATCH 075/663] build-bedore: Checkout project source code to local temporary directory --- CHANGELOG.md | 1 + deploy-hooks/build-before.yml | 15 ++++++++++++--- roles/deploy/defaults/main.yml | 3 +-- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b85267035..8e860a1f87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* build-before: Checkout project source code to local temporary directory ([#997](https://github.com/roots/trellis/pull/997)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index bfad9d6847..1e3405458c 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml 
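Review bot: The checksum is verified on `/tmp/wp-cli-{{ wp_cli_version }}.phar`, but the install task below re-reads that same path with `rsync` into `{{ wp_cli_bin_path }}`, so the check and the privileged copy look at a world-writable, predictably named location at two different moments; any other local account on the host can swap the file in between. Staging the download in a directory created for this run (the `tempfile` module creates a private 0700 directory owned by the task's user) closes that window and also avoids picking up a stale phar left by an earlier run. The later PGP-verification commit (patch 086) keeps the same `/tmp` layout for the phar, the signature and the keyring, so the same change applies there.
```yaml
- name: Create private staging directory for WP-CLI
  tempfile:
    state: directory
    suffix: wp-cli
  register: wp_cli_tmp

- name: Download WP-CLI
  get_url:
    url: "{{ wp_cli_phar_url }}"
    dest: "{{ wp_cli_tmp.path }}/wp-cli-{{ wp_cli_version }}.phar"
    checksum: "{{ wp_cli_phar_checksum }}"
# … unchanged: install task, with its rsync source pointed at the same staging path …
```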
@@ -7,11 +7,20 @@ # Uncomment the lines below and replace `sage` with your theme folder # # --- +# - name: Clone project files +# git: +# repo: "{{ project_git_repo }}" +# version: "{{ project_version }}" +# dest: "{{ project_build_path }}" +# force: yes +# no_log: true +# connection: local +# # - name: Install npm dependencies # command: yarn # connection: local # args: -# chdir: "{{ project_local_path }}/web/app/themes/sage" +# chdir: "{{ project_build_path }}/web/app/themes/sage" # # - name: Install Composer dependencies # command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts @@ -22,11 +31,11 @@ # command: yarn build:production # connection: local # args: -# chdir: "{{ project_local_path }}/web/app/themes/sage" +# chdir: "{{ project_build_path }}/web/app/themes/sage" # # - name: Copy production assets # synchronize: -# src: "{{ project_local_path }}/web/app/themes/sage/dist" +# src: "{{ project_build_path }}/web/app/themes/sage/dist" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # group: no # owner: no diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 8e04496fff..58d9222bb7 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -51,8 +51,7 @@ update_db_on_deploy: true # Helpers project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" -project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" - +project_build_path: "{{ lookup('env', 'TMPDIR') | default('/tmp/', true) }}trellis/{{ site }}/{{ env }}" # Deploy hooks # For list of hooks and explanation, see https://roots.io/trellis/docs/deploys/#hooks From f578bc9c613d2e8f62b4b01854c664c1840b7e06 Mon Sep 17 00:00:00 2001 
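Review bot: `project_build_path` concatenates `TMPDIR` with the literal `trellis/`, so a `TMPDIR` without a trailing slash (the usual form on Linux, e.g. `/tmp`) yields `/tmptrellis/<site>/<env>`; only the `/tmp/` fallback and values that happen to end in `/` come out right. Strip the separator before joining: `project_build_path: "{{ (lookup('env', 'TMPDIR') | default('/tmp', true)).rstrip('/') }}/trellis/{{ site }}/{{ env }}"`. Note also that this is a predictable path in a shared temp directory which the example `git` task in `build-before.yml` writes to with `force: yes`; a per-user location would be safer on multi-user build hosts.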
From: Jason Hee Date: Mon, 11 Jun 2018 17:25:50 +0800 Subject: [PATCH 076/663] Change swap role --- requirements.yml | 4 ++-- server.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.yml b/requirements.yml index eb6c001e06..0f8ced04bc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -11,8 +11,8 @@ version: e7a498d - name: swapfile - src: kamaln7.swapfile - version: 4850d8a + src: tersmitten.swapfile + version: v2.0.6 - name: mailhog src: geerlingguy.mailhog diff --git a/server.yml b/server.yml index ac86b53f93..cabcadec85 100644 --- a/server.yml +++ b/server.yml @@ -24,7 +24,7 @@ become: yes roles: - { role: common, tags: [common] } - - { role: swapfile, swapfile_size: 1GB, tags: [swapfile] } + - { role: swapfile, swapfile_size: 1GB, swapfile_file: /swapfile, tags: [swapfile] } - { role: fail2ban, tags: [fail2ban] } - { role: ferm, tags: [ferm] } - { role: ntp, tags: [ntp] } From 63cf66fd4701309ee972b31d5505c3c9289e723a Mon Sep 17 00:00:00 2001 From: Bill Ruddock Date: Thu, 14 Jun 2018 13:56:10 +0100 Subject: [PATCH 077/663] Allow local configuration of vagrant_mount_type In some circumstances it is not possible to use an NFS (e.g. in combination with ecryptfs). Allow user to configure vagrant mount type in vagrant.local.yml --- Vagrantfile | 11 +++++++---- vagrant.default.yml | 1 + 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 7d60048c13..9758a3935d 100644 --- a/Vagrantfile +++ b/Vagrantfile 
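Review bot: The replacement `swapfile` role is pinned by the tag `v2.0.6`, whereas the neighbouring entry in this file pins a commit (`version: e7a498d`); a tag can be moved or re-pushed, so this pin does not fix the content that `server.yml` will run with `become: yes`. Pin the commit the tag currently resolves to, `version: <commit-sha-of-v2.0.6>`, or at least record that commit in a comment so a later change is detectable. `swapfile_file: /swapfile` in the `server.yml` hunk is presumably required by the new role's variable names; a short comment there would spare readers a lookup.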
@@ -69,13 +69,16 @@ Vagrant.configure('2') do |config| bin_path = File.join(ANSIBLE_PATH_ON_VM, 'bin') - if Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd') + vagrant_mount_type = vconfig.fetch('vagrant_mount_type') + + if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd') + vagrant_mount_type = nil if vagrant_mount_type == 'nfs' trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'] + config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'], type: vagrant_mount_type end - config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'] - config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'] + config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'], type: vagrant_mount_type + config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'], type: vagrant_mount_type else if !Vagrant.has_plugin? 'vagrant-bindfs' fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" diff --git a/vagrant.default.yml b/vagrant.default.yml index c73a622a1c..8820eaf08f 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -6,6 +6,7 @@ vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '>= 201801.02.0' vagrant_ansible_version: '2.5.3' vagrant_skip_galaxy: false +vagrant_mount_type: 'nfs' vagrant_install_plugins: true vagrant_plugins: From 04041e9e3d1495dbb752bb835a78d0f4cb91d186 Mon Sep 17 00:00:00 2001 
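Review bot: A requested `vagrant_mount_type` of `nfs` is silently replaced by `nil` (the provider default) on WSL, or on Windows without `vagrant-winnfsd`, and any other string is handed to Vagrant unvalidated; a user who set the value in `vagrant.local.yml` gets no indication in this hunk that it was overridden. A comment on the new default in `vagrant.default.yml` would document this, e.g. `# Synced-folder type; 'nfs' falls back to the provider default on WSL and on Windows without vagrant-winnfsd`, and the fallback branch could print a warning when it is taken. The `if` block this hunk rewrites continues past the hunk.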
From: Bill Ruddock Date: Thu, 14 Jun 2018 13:56:41 +0100 Subject: [PATCH 078/663] Rubocop fixes for Vagrantfile --- Vagrantfile | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 9758a3935d..e06ac3f5f7 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -2,7 +2,7 @@ # vi: set ft=ruby : ANSIBLE_PATH = __dir__ # absolute path to Ansible directory on host machine -ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis' # absolute path to Ansible directory on virtual machine +ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis'.freeze # absolute path to Ansible directory on virtual machine require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'vagrant') require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'config') @@ -29,7 +29,7 @@ Vagrant.configure('2') do |config| # Fix for: "stdin: is not a tty" # https://github.com/mitchellh/vagrant/issues/1673#issuecomment-28288042 - config.ssh.shell = %{bash -c 'BASH_ENV=/etc/profile exec bash'} + config.ssh.shell = %(bash -c 'BASH_ENV=/etc/profile exec bash') # Required for NFS to work if vconfig.fetch('vagrant_ip') == 'dhcp' @@ -39,7 +39,7 @@ Vagrant.configure('2') do |config| config.hostmanager.ip_resolver = proc do |vm, _resolving_vm| if cached_addresses[vm.name].nil? if vm.communicate.ready? - vm.communicate.execute("hostname -I | cut -d ' ' -f 2") do |type, contents| + vm.communicate.execute("hostname -I | cut -d ' ' -f 2") do |_type, contents| cached_addresses[vm.name] = contents.split("\n").first[/(\d+\.\d+\.\d+\.\d+)/, 1] end end 
@@ -71,7 +71,7 @@ Vagrant.configure('2') do |config| vagrant_mount_type = vconfig.fetch('vagrant_mount_type') - if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd') + if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? && !Vagrant.has_plugin?('vagrant-winnfsd')) vagrant_mount_type = nil if vagrant_mount_type == 'nfs' trellis_config.wordpress_sites.each_pair do |name, site| config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'], type: vagrant_mount_type 
@@ -79,19 +79,17 @@ Vagrant.configure('2') do |config| config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'], type: vagrant_mount_type config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'], type: vagrant_mount_type + elsif !Vagrant.has_plugin?('vagrant-bindfs') + fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" else - if !Vagrant.has_plugin? 'vagrant-bindfs' - fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" - else - trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' - config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' - end - - config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' - config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' - config.bindfs.bind_folder bin_path, bin_path, perms: '0755' + trellis_config.wordpress_sites.each_pair do |name, site| + config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' + config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' end + + config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' + config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' + config.bindfs.bind_folder bin_path, bin_path, perms: '0755' end vconfig.fetch('vagrant_synced_folders', []).each do |folder| 
@@ -133,7 +131,7 @@ Vagrant.configure('2') do |config| ansible.tags = ENV['ANSIBLE_TAGS'] ansible.extra_vars = { 'vagrant_version' => Vagrant::VERSION } - if vars = ENV['ANSIBLE_VARS'] + if (vars = ENV['ANSIBLE_VARS']) extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] ansible.extra_vars.merge!(extra_vars) end @@ -152,8 +150,8 @@ Vagrant.configure('2') do |config| end # VMware Workstation/Fusion settings - ['vmware_fusion', 'vmware_workstation'].each do |provider| - config.vm.provider provider do |vmw, override| + %w(vmware_fusion vmware_workstation).each do |provider| + config.vm.provider provider do |vmw, _override| vmw.name = config.vm.hostname vmw.vmx['numvcpus'] = vconfig.fetch('vagrant_cpus') vmw.vmx['memsize'] = vconfig.fetch('vagrant_memory') @@ -161,7 +159,7 @@ Vagrant.configure('2') do |config| end # Parallels settings - config.vm.provider 'parallels' do |prl, override| + config.vm.provider 'parallels' do |prl, _override| prl.name = config.vm.hostname prl.cpus = vconfig.fetch('vagrant_cpus') prl.memory = vconfig.fetch('vagrant_memory') From b2415fa49ce760c4272ee0792ff2de47ab579292 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 19 Jun 2018 12:54:51 -0400 Subject: [PATCH 079/663] Revert "build-before: Checkout project source code to local temporary directory" --- CHANGELOG.md | 1 - deploy-hooks/build-before.yml | 15 +++------------ roles/deploy/defaults/main.yml | 3 ++- 3 files changed, 5 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e860a1f87..9b85267035 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,4 @@ ### HEAD -* build-before: Checkout project source code to local temporary directory ([#997](https://github.com/roots/trellis/pull/997)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 1e3405458c..bfad9d6847 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -7,20 +7,11 @@ # Uncomment the lines below and replace `sage` with your theme folder # # --- -# - name: Clone project files -# git: -# repo: "{{ project_git_repo }}" -# version: "{{ project_version }}" -# dest: "{{ project_build_path }}" -# force: yes -# no_log: true -# connection: local -# # - name: Install npm dependencies # command: yarn # connection: local # args: -# chdir: "{{ project_build_path }}/web/app/themes/sage" +# chdir: "{{ project_local_path }}/web/app/themes/sage" # # - name: Install Composer dependencies # command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts @@ -31,11 +22,11 @@ # command: yarn build:production # connection: local # args: -# chdir: "{{ project_build_path }}/web/app/themes/sage" +# chdir: "{{ project_local_path }}/web/app/themes/sage" # # - name: Copy production assets # synchronize: -# src: "{{ project_build_path }}/web/app/themes/sage/dist" +# src: "{{ project_local_path }}/web/app/themes/sage/dist" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # group: no # owner: no diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 58d9222bb7..8e04496fff 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml 
@@ -51,7 +51,8 @@ update_db_on_deploy: true # Helpers project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" -project_build_path: "{{ lookup('env', 'TMPDIR') | default('/tmp/', true) }}trellis/{{ site }}/{{ env }}" +project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" + # Deploy hooks # For list of hooks and explanation, see https://roots.io/trellis/docs/deploys/#hooks From 1925b1cb631016c9de8d31dda9787fea97bd5de5 Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Sun, 24 Jun 2018 22:40:17 -0700 Subject: [PATCH 080/663] update xdebug tunnel configuration: update ssh connections to allow tcp forwarding, updating ip address used to form the tunnel --- bin/xdebug-tunnel.sh | 4 +++- roles/xdebug-tunnel/defaults/main.yml | 2 +- xdebug-tunnel.yml | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/bin/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh index 8f475677ac..112e7effe2 100755 --- a/bin/xdebug-tunnel.sh +++ b/bin/xdebug-tunnel.sh @@ -16,8 +16,10 @@ Examples: " } +ENABLE_TCP_FORWARDING= if [[ $1 == "open" ]]; then REMOTE_ENABLE=1 + ENABLE_TCP_FORWARDING="-e sshd_allow_tcp_forwarding=yes" elif [[ $1 == "close" ]]; then REMOTE_ENABLE=0 else @@ -39,4 +41,4 @@ if [[ -n $DEBUG ]]; then PARAMS="$PARAMS ${VERBOSITY:--vvvv}" fi -ansible-playbook xdebug-tunnel.yml $XDEBUG_ENABLE $SSH_HOST $PARAMS +ansible-playbook xdebug-tunnel.yml $XDEBUG_ENABLE $ENABLE_TCP_FORWARDING $SSH_HOST $PARAMS diff --git a/roles/xdebug-tunnel/defaults/main.yml b/roles/xdebug-tunnel/defaults/main.yml index c9a52a144a..764f6a43fa 100644 --- a/roles/xdebug-tunnel/defaults/main.yml +++ b/roles/xdebug-tunnel/defaults/main.yml 
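Review bot: `open` now passes `-e sshd_allow_tcp_forwarding=yes` and the playbook runs the `sshd` role (hunk in `xdebug-tunnel.yml`, patch 080), so opening a tunnel rewrites the server's sshd configuration to permit TCP forwarding, and that stays in effect until `close` is run and the role is applied again with its default; the script's usage text says nothing about this side effect. Add a line to the usage block and a comment above the new variable, e.g. `# 'open' also enables AllowTcpForwarding in sshd_config via the sshd role; run 'close' to restore the default`. The unquoted `$ENABLE_TCP_FORWARDING` relies on word splitting to produce two arguments, which is consistent with how `$PARAMS` is already passed.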
@@ -6,5 +6,5 @@ xdebug_tunnel_control_identity: "{{ ansible_user_id }}" xdebug_tunnel_port_mapping: "{{ xdebug_tunnel_remote_port }}:{{ xdebug_tunnel_host }}:{{ xdebug_tunnel_local_port }}" xdebug_tunnel_ssh_user: "{{ hostvars[xdebug_tunnel_inventory_host]['ansible_user'] | default(admin_user) }}" -xdebug_tunnel_ssh_host: "{{ hostvars[xdebug_tunnel_inventory_host]['ansible_host'] | default(xdebug_tunnel_inventory_host) }}" +xdebug_tunnel_ssh_host: "{{ hostvars[xdebug_tunnel_inventory_host]['ansible_default_ipv4']['address'] | default(xdebug_tunnel_inventory_host) }}" xdebug_tunnel_user_at_host: "{{ xdebug_tunnel_ssh_user }}@{{ xdebug_tunnel_ssh_host }}" diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index a5e4dfb4e7..0c5d7eae17 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -9,6 +9,7 @@ hosts: "{{ xdebug_tunnel_inventory_host }}" become: yes roles: + - { role: sshd, tags: [sshd] } - { role: xdebug, tags: [xdebug] } - { role: xdebug-tunnel, tags: [xdebug-tunnel] } handlers: From c304a5f8aaa07d53ebe052248554c50e9660bb41 Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Sun, 24 Jun 2018 22:43:24 -0700 Subject: [PATCH 081/663] update the changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b85267035..0c95738429 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) From 1c871b46e2de73b91448772ae953c305862a1747 Mon Sep 17 00:00:00 2001 
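Review bot: `xdebug_tunnel_ssh_host` now takes the server's `ansible_default_ipv4.address`, which is the address of its default-route interface as seen from the server and needs gathered facts for `xdebug_tunnel_inventory_host`; behind NAT, or on a host reached through a separate management address, that is not necessarily where the workstation can open an SSH connection, whereas the previous `ansible_host` was the address the inventory already uses. If the intent was to avoid a hostname, prefer the inventory address and fall back to the fact: `hostvars[xdebug_tunnel_inventory_host]['ansible_host'] | default(hostvars[xdebug_tunnel_inventory_host]['ansible_default_ipv4']['address']) | default(xdebug_tunnel_inventory_host)`. A comment stating why the fact was chosen would help either way.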
From: Nathaniel Date: Tue, 26 Jun 2018 12:10:12 -0700 Subject: [PATCH 082/663] Disabling Xdebug requests in development Unless you're actively debugging, the remote feature of Xdebug isn't necessary. We'll disable by default. --- group_vars/development/php.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 8df88dc533..f1f28604ae 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -4,7 +4,3 @@ php_display_startup_errors: 'On' php_track_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 - -xdebug_remote_enable: 1 -xdebug_remote_connect_back: 1 -xdebug_remote_autostart: 1 From ad47593a2eec8be76ae5658446e0fd638d99e27c Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Tue, 26 Jun 2018 14:34:03 -0700 Subject: [PATCH 083/663] Re-enable xdebug remote Got a little red happy in the previous commit. It was unnecessary to remove the xdebug remote defaults in development. This keeps it on for development with the ability to trigger debug requests with an HTTP param or Cookie without performance degradation. --- group_vars/development/php.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index f1f28604ae..7b9af47888 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -4,3 +4,6 @@ php_display_startup_errors: 'On' php_track_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 + +xdebug_remote_enable: 1 +xdebug_remote_connect_back: 1 From 9cebffe6d74ecc7e4ecd967b00adb33ba5ec8c8d Mon Sep 17 00:00:00 2001 
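Review bot: Patch 083 restores `xdebug_remote_enable` and `xdebug_remote_connect_back` but deliberately not `xdebug_remote_autostart`, and the file gives no hint that the omission is intentional, so the next person to touch it will likely "fix" it. A comment capturing the commit's reasoning, e.g. `# remote_autostart intentionally off: debug sessions are started per request via the HTTP param or cookie`, would prevent that. Since `remote_connect_back` makes Xdebug connect back to whichever client sent the request, the comment should also say these values are meant for the development group only.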
From: Tang Rufus Date: Mon, 2 Jul 2018 21:34:13 +0800 Subject: [PATCH 084/663] Deploy: Remove obsoleted `git` remote checking Remove obsoleted `git` remote checking tasks introduced in #299 because recent Ansible versions are able to detect/handle `git` remote changes. See: https://discourse.roots.io/t/do-we-still-need-git-remote-checking-during-deploy/12639 --- CHANGELOG.md | 1 + roles/deploy/tasks/update.yml | 20 +------------------- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c95738429..9d454e4a3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999)) * Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 0a456b0b10..4170f658db 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml 
@@ -13,31 +13,13 @@ state: "{{ item.state | default('present') }}" with_items: "{{ known_hosts | default([]) }}" -- name: Check whether project source path is a git repo - stat: - path: "{{ project_source_path }}/.git" - register: git_project - -- name: Get current git remote URL - command: git config --get remote.origin.url - args: - chdir: "{{ project_source_path }}" - register: remote_origin_url - when: git_project.stat.exists - changed_when: false - -- name: Update git remote URL - command: git remote set-url origin {{ project_git_repo }} - args: - chdir: "{{ project_source_path }}" - when: git_project.stat.exists and remote_origin_url.stdout != project_git_repo - - name: Clone project files git: repo: "{{ project_git_repo }}" dest: "{{ project_source_path }}" version: "{{ project_version }}" accept_hostkey: "{{ project.repo_accept_hostkey | default(repo_accept_hostkey | default(true)) }}" + force: yes ignore_errors: true no_log: true register: git_clone From d4c4bad61137b2e520caa805393e34290ce0f73b Mon Sep 17 00:00:00 2001 From: "Gargano, Matthew" Date: Mon, 9 Jul 2018 17:54:00 -0400 Subject: [PATCH 085/663] #1011 change name of swapfile ansible requirement to match updated name on github --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 0f8ced04bc..c7f1fbf3c9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -11,7 +11,7 @@ version: e7a498d - name: swapfile - src: tersmitten.swapfile + src: oefenweb.swapfile version: v2.0.6 - name: mailhog From 8bebf37e0a8ea1fa55171889cb5d1cde0aa8ee28 Mon Sep 17 00:00:00 2001 
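Review bot: The added `force: yes` is what replaces the three removed remote-URL reconciliation tasks, but nothing in the task says so, and it also means any local modification under `project_source_path` is discarded on every deploy; that consequence deserves a comment next to the flag, e.g. `force: true  # discard local changes so a changed remote or history is re-synced (replaces the former remote-URL checks)`. Writing `true` rather than `yes` also avoids the YAML 1.1 boolean spelling. The task keeps `ignore_errors: true` with `no_log: true` (context lines), so a forced checkout that fails is not reported here; presumably the registered `git_clone` is examined later, outside the hunk.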
From: Tang Rufus Date: Sun, 12 Aug 2018 22:26:23 +0800 Subject: [PATCH 086/663] Update wp-cli to 2.0.0 and verify its PGP signature --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 7 +++++-- roles/wp-cli/tasks/main.yml | 23 +++++++++++++++++++++-- roles/wp-cli/templates/wp-cli.pgp.gpg | Bin 0 -> 1233 bytes 4 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 roles/wp-cli/templates/wp-cli.pgp.gpg diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d454e4a3a..b67cdb2c9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014)) * Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999)) * Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index b1f1acf604..6dde088af1 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml 
@@ -1,7 +1,10 @@ -wp_cli_version: 1.5.1 -wp_cli_phar_checksum: "sha512:8dd68c98c6fa00e1acc5e036f9393c8b052937045b5232e4aa0eb4f15773908eae48760607bc853a4f951bd5ba69e5050337e5d9dcfa48df87a12cebb1de3432" +gpg2_package: gnupg2 +wp_cli_version: 2.0.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" +wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" +# Note: wp_cli_pgp_public_key must be in binary format +wp_cli_pgp_public_key: "{{ playbook_dir }}/roles/wp-cli/templates/wp-cli.pgp.gpg" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" wp_cli_completion_path: /etc/bash_completion.d/wp-completion.bash wp_cli_packages: [] diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 8888ff40d6..3916221cd0 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
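Review bot: `wp_cli_pgp_public_key` points at a binary keyring that is committed as an opaque blob (the `GIT binary patch` in patch 086), so a reviewer cannot tell from the diff which key it contains or whether a future change swaps it; the signature check in `roles/wp-cli/tasks/main.yml` is only as trustworthy as that file. Record the key's fingerprint and how the file was produced next to the existing note, e.g. `# binary (not ASCII-armored) keyring export of the WP-CLI release key, fingerprint <KEY-FINGERPRINT>; regenerate with gpg --export`. Removing `wp_cli_phar_checksum` is fine given the signature check, but with it gone a `wp_cli_version` override downloads whatever the URL serves until `gpg2 --verify` runs, which the comment could mention too.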
@@ -1,9 +1,28 @@ --- -- name: Download WP-CLI +- name: Ensure gpg2 is installed + apt: + name: "{{ gpg2_package }}" + state: "{{ gpg2_package_state | default(apt_security_package_state) }}" + cache_valid_time: "{{ apt_cache_valid_time }}" + +- name: Download WP-CLI Phar get_url: url: "{{ wp_cli_phar_url }}" dest: /tmp/wp-cli-{{ wp_cli_version }}.phar - checksum: "{{ wp_cli_phar_checksum }}" + +- name: Download WP-CLI Phar Signature + get_url: + url: "{{ wp_cli_phar_asc_url }}" + dest: /tmp/wp-cli-{{ wp_cli_version }}.phar.asc + +- name: Copy WP-CLI release team public key + synchronize: + src: "{{ wp_cli_pgp_public_key }}" + dest: /tmp/wp-cli.pgp.gpg + +- name: Verify WP-CLI Phar Signature + command: gpg2 --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar + changed_when: false - name: Install WP-CLI command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }} 
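Review bot: Both `get_url` tasks now have neither `checksum` nor `force`, so when `/tmp/wp-cli-{{ wp_cli_version }}.phar` or its `.asc` already exists (a previous interrupted run, or a file placed by another local account in the shared `/tmp`) it is kept as is and never re-downloaded; if that stale file is not the genuine release, the verify task then fails on every run with no obvious cause. Add `force: true` to both download tasks, or better stage the phar, the signature and the keyring in a directory created for this run (for example with the `tempfile` module) so that neither the verification nor the `rsync` into `{{ wp_cli_bin_path }}` reads a world-writable path. `--no-default-keyring --keyring /tmp/wp-cli.pgp.gpg` correctly restricts a good-signature result to the shipped key; a one-line comment saying that is why no trust configuration is needed would help the next reader.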
diff --git a/roles/wp-cli/templates/wp-cli.pgp.gpg b/roles/wp-cli/templates/wp-cli.pgp.gpg new file mode 100644 index 0000000000000000000000000000000000000000..dfc7b7bca0cc4a23fa5a8e1b9cd55c0151287f74 GIT binary patch literal 1233 zcmbQq$jcHfARx)e!Ej%KqtJP8ct)rBRgJ?RFT3A+>bvDf{Y@o~*0yswr;kXlUSaf{ ze|yEDO_hrOzIU-X)yd4iUclnEAWSwxE#t|Tb1tHN2P)@9e0%qHMT2qocY(!sKC}7v zE_*BZ;zQaN*QuHgyQgvAo*8?7Qg748KGqxezL_fB($aVCjPE(9C!a0emTunjN7;L?@i{=O$yq~IkU-Rc7F1$qtP0Zv_4MoeS_q&wN65ZM4)9`rz4A@dI&}xxVx>2r@D-Zcz;n&~^6lR0vAVNlh$HEmp88g0dXS z3v`onGWGI{((O7K{aA#7VP?T3&CJTp$-&OVCd$Fd#m&Sb#>C9XB*(}k-XNyPlDxiZ zVLx_`dk9+M@Y9={Gv)s*5 z>=iVg&N}Vd_k!7pA$5}BN2YY7?mE*v_fwu{Y~;O3X+o#0iJ^MrV3OBpB zC!Y_h2KT+sn9&(OXL`o`CpsbK&8KdOa_#z7HHXj0Tk^JD@=J%f-Nic*>2PnVq><$kvH`{OD4?}jp}=IOY`DOzt604uXeM@X^Z4I|M()V#Z$Pk#`EBx)3fJH z-r7>ge)V^Hil9Jr#n~+8$z7gG-`D+I5yxltZBm7rEuZ79M`5>i=LwyC{C;cp#)NFy z_($eZV6$EYPQF1Fb=F(IgSh0uyvwOd-g!AIvwGoSoeYUQ z!{(phblAyg#v%bsU*nmw~4J8qS91UoJ7 z@p_l}KzwcQ)_zL6 z`+TX*x3j04_|CmguzxJ~y2W^l^HUp-2G1>#Ei&zTuNa>!Y7x78@5Pd$rrw>ORtsGC zrz&xGzsCH1!EpsABX=AUwU}(I8eFX+ukEVyA?&1Sg^%G1si`7*{|>l6U$UEvw@>%P r1onWk4ci{(eq)a9dZhfhEu{H9hZFmY&>ufmw4UA)^xG-7rB@IDCGj|< literal 0 HcmV?d00001 From d85e67e89fdb74e9f472f1b783bfdf90e701a908 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 13 Aug 2018 03:14:51 +0800 Subject: [PATCH 087/663] Add `--lock-never` to "Verify WP-CLI Phar Signature" task Fix https://github.com/roots/trellis/pull/1014#issuecomment-412357451 --- roles/wp-cli/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 3916221cd0..60fece125a 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
@@ -21,7 +21,7 @@ dest: /tmp/wp-cli.pgp.gpg - name: Verify WP-CLI Phar Signature - command: gpg2 --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar + command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar changed_when: false - name: Install WP-CLI From fc39721ff59344feff6f6d91e118a861f9695dc2 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 13 Aug 2018 03:16:01 +0800 Subject: [PATCH 088/663] Use `copy` instead of `synchronize` Because `synchronize` uses `sudo rsync` under the hood while `copy` doesn't require `sudo`. --- roles/wp-cli/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 60fece125a..675596e141 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -16,7 +16,7 @@ dest: /tmp/wp-cli-{{ wp_cli_version }}.phar.asc - name: Copy WP-CLI release team public key - synchronize: + copy: src: "{{ wp_cli_pgp_public_key }}" dest: /tmp/wp-cli.pgp.gpg From 978e97f3000fcc5710334d4d873954839ced62c0 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 30 Aug 2018 13:37:18 -0600 Subject: [PATCH 089/663] Patreon --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 095957402f..9b49bd9dd2 100644 --- a/README.md +++ b/README.md 
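Review bot: `--lock-never` turns off gpg2's lock files, which is only safe because this keyring is a throwaway copy written by the preceding task and nothing else opens it during the run; that reasoning lives in the linked PR comment, not in the task. Add a comment above the `command:` line, e.g. `# --lock-never: the keyring is a fresh per-run copy in /tmp and no other gpg process touches it (see roots/trellis#1014)`, so the flag is not removed or copied elsewhere without that context.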
@@ -92,11 +92,11 @@ A base Ubuntu 16.04 server is required for setting up remote servers. OS X users Contributions are welcome from everyone. We have [contributing guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) to help you get started. -## Gold sponsors +## Trellis sponsors -Help support our open-source development efforts by [contributing to Trellis on OpenCollective](https://opencollective.com/trellis). +Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital ThemeIsle +Kinsta Harness Software KM Digital ThemeIsle ## Community From e661df1529d6d273d42b363ea055712f77279d36 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 31 Aug 2018 22:17:34 +0800 Subject: [PATCH 090/663] Update wp-cli to 2.0.1 --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b67cdb2c9c..31345cf62a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019)) * [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014)) * Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999)) * Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 6dde088af1..4ce281bd85 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml 
@@ -1,5 +1,5 @@
 gpg2_package: gnupg2
-wp_cli_version: 2.0.0
+wp_cli_version: 2.0.1
 wp_cli_bin_path: /usr/bin/wp
 wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar"
 wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc"
From d49acb3d4606b6a51021034cc58dca117acf24d6 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 3 Sep 2018 11:20:59 -0600 Subject: [PATCH 091/663] Update README.md
---
 README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9b49bd9dd2..4740cb29c5 100644
--- a/README.md
+++ b/README.md
@@ -96,7 +96,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https
 Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev).
-Kinsta Harness Software KM Digital ThemeIsle
+Kinsta Harness Software KM Digital
 ## Community
From 30bc359fcbef8547994554045687a77f6670c5c8 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 30 Sep 2018 22:57:28 +0800 Subject: [PATCH 092/663] Allow customizing Nginx `worker_connections`
---
 CHANGELOG.md | 1 + roles/nginx/defaults/main.yml | 1 + roles/nginx/templates/nginx.conf.j2 | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 31345cf62a..2412e5e9ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021))
 * Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019))
 * [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014))
 * Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999))
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 85178bb1c8..ed07b1c505 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -3,6 +3,7 @@ nginx_ppa: "ppa:nginx/development" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx +nginx_worker_connections: 8000 nginx_logs_root: /var/log/nginx nginx_user: www-data www-data nginx_fastcgi_buffers: 8 8k diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 3a0548a352..f4ef92d394 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -32,7 +32,7 @@ events { # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests. # Should be < worker_rlimit_nofile. # Default: 512 - worker_connections 8000; + worker_connections {{ nginx_worker_connections }}; } {% endblock %} From 7c393a429ef7b78f22de1dc551d83e411b16e48d Mon Sep 17 00:00:00 2001 From: Mat Gargano Date: Sun, 11 Nov 2018 14:35:06 -0500 Subject: [PATCH 093/663] #1027 make output_buffering optional (#1028) Add output_buffering variable for PHP config --- roles/php/defaults/main.yml | 1 + roles/php/templates/php.ini.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index b2ecaf87d1..0e40746fd5 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -34,6 +34,7 @@ php_session_cookie_secure: 'Off' php_upload_max_filesize: 25M php_track_errors: 'Off' php_timezone: '{{ ntp_timezone }}' +php_output_buffering: 'Off' php_opcache_enable: 1 php_opcache_enable_cli: 1 diff --git a/roles/php/templates/php.ini.j2 b/roles/php/templates/php.ini.j2 index 3b899e7c91..84fe207c2e 100644 --- a/roles/php/templates/php.ini.j2 +++ b/roles/php/templates/php.ini.j2 
@@ -17,6 +17,7 @@ track_errors = {{ php_track_errors }} upload_max_filesize = {{ php_upload_max_filesize }} expose_php = Off date.timezone = {{ php_timezone }} +output_buffering = {{ php_output_buffering }} [mysqlnd] mysqlnd.collect_memory_statistics = {{ php_mysqlnd_collect_memory_statistics }} From 61b1ed9509f61c5e018db8279475e5cbacbbaef0 Mon Sep 17 00:00:00 2001 From: Barry Els Date: Wed, 14 Nov 2018 11:36:01 +0200 Subject: [PATCH 094/663] Update README.md For first time users it might be useful to be explicit about which directory they should be in before running `vagrant up`, else Vagrant will display an error (`A Vagrant environment or target machine is required to run this command.`) when the `Vagrantfile` is not found. --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4740cb29c5..36a8aac7fd 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,8 @@ Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) fo ## Local development setup 1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` -2. Run `vagrant up` +2. Ensure you're in the trellis directory: `cd trellis` +3. Run `vagrant up` [Read the local development docs](https://roots.io/trellis/docs/local-development-setup/) for more information. From 4c69ace545647e8a5d3612811865e349a0b51725 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 22 Nov 2018 11:33:42 -0700 Subject: [PATCH 095/663] Add CodeFirst --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 36a8aac7fd..4d63869349 100644 --- a/README.md +++ b/README.md 
@@ -97,7 +97,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital +Kinsta Harness Software KM Digital CodeFirst ## Community From 834966fc73f3524974d77d0d7078e73ef76c3eef Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 26 Nov 2018 11:35:15 -0700 Subject: [PATCH 096/663] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4d63869349..36a8aac7fd 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital CodeFirst +Kinsta Harness Software KM Digital ## Community From 07710171cc047536ce0b6748029266e4041ec9fa Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 24 Nov 2018 18:56:14 -0500 Subject: [PATCH 097/663] Update python version requirement Support both 2 and 3 but check for Ansible version --- lib/trellis/plugins/vars/version.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index ada7aeaf63..d2fd307abc 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
@@ -14,12 +14,13 @@ from ansible.utils.display import Display display = Display() -if version_info[0] > 2: - raise AnsibleError(('Trellis does not yet support Python {}.{}.{}. \n' - 'Please use Python 2.7.').format(version_info[0], version_info[1], version_info[2])) - version_requirement = '2.4.0.0' version_tested_max = '2.5.3' +python3_required_version = '2.5.3' + +if version_info[0] == 2 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): + raise AnsibleError(('Ansible >= {} is required when using Python 3.\n' + 'Either downgrade to Python 2 or update your Ansible version to {}.').format(__version__, python3_required_version)) if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' From e7f7ebbd00c0234e121b275ea06488452bb26c27 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 24 Nov 2018 18:56:46 -0500 Subject: [PATCH 098/663] Fix unicode reference --- lib/trellis/utils/output.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 9bcd31c992..89b073b9c7 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -9,6 +9,7 @@ from ansible import __version__ from ansible.module_utils._text import to_text +from ansible.module_utils.six import string_types def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry @@ -89,7 +90,7 @@ def display(obj, result): # Must pass unicode strings to Display.display() to prevent UnicodeError tracebacks if isinstance(msg, list): msg = '\n'.join([to_text(x) for x in msg]) - elif not isinstance(msg, unicode): + elif not isinstance(msg, string_types): msg = to_text(msg) # Wrap text From 5b9b6586ad01b58cda26dccc26a30ad461caae00 Mon Sep 17 00:00:00 2001 
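Review bot: The new guard fires on the wrong interpreter: `version_info[0] == 2` is true on Python 2, yet the message and the commit title describe the Python 3 requirement, so Python 2 users on Ansible 2.4.x (which `version_requirement = '2.4.0.0'` still allows) are now refused while Python 3 on an old Ansible passes untouched. The `.format(__version__, python3_required_version)` also fills the `Ansible >= {}` placeholder with the running version rather than the minimum. Change the condition to `if version_info[0] >= 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)):` and the arguments to `.format(python3_required_version, python3_required_version)` (or drop one placeholder).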
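Review bot: In the `output.py` hunk at `@@ -89,7 +90,7 @@`, `string_types` is `basestring` on Python 2, so a byte `str` message now skips `to_text()` and reaches `Display.display()` as bytes, which is the case the comment two lines above says this branch exists to prevent; the old `unicode` check converted it. Import `text_type` alongside `string_types` and test `elif not isinstance(msg, text_type):`, which is `unicode` on Python 2 and `str` on Python 3. The `display()` function starts outside this hunk.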
From: Scott Walkinshaw Date: Sat, 24 Nov 2018 18:56:55 -0500 Subject: [PATCH 099/663] Update iteritems usage It no longer exists in Python 3. We can use `items()` which both have and pipe to `list` in Jinja. --- roles/common/tasks/main.yml | 4 ++-- roles/letsencrypt/defaults/main.yml | 2 +- roles/mariadb/defaults/main.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 94eaa73e0d..212df3c2de 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -48,7 +48,7 @@ php_extensions_custom: "{{ php_extensions_custom }}" sshd_packages_default: "{{ sshd_packages_default }}" sshd_packages_custom: "{{ sshd_packages_custom }}" - package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" tags: [sshd, memcached, php] - name: Verify dict format for apt package combined variables @@ -61,7 +61,7 @@ memcached_packages: "{{ memcached_packages }}" php_extensions: "{{ php_extensions }}" sshd_packages: "{{ sshd_packages }}" - package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" tags: [sshd, memcached, php] - name: Validate Ubuntu version diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 52b628fc7a..e7f6c7a742 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -1,4 +1,4 @@ -sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" +sites_using_letsencrypt: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" site_uses_letsencrypt: ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index fbb1a13579..576ade7076 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -8,4 +8,4 @@ mariadb_server_package: mariadb-server mysql_binary_logging_disabled: true mysql_root_user: root -sites_using_remote_db: "[{% for name, site in wordpress_sites.iteritems() if site.env is defined and site.env.db_host | default('localhost') != 'localhost' %}'{{ name }}',{% endfor %}]" +sites_using_remote_db: "[{% for name, site in wordpress_sites.items() | list if site.env is defined and site.env.db_host | default('localhost') != 'localhost' %}'{{ name }}',{% endfor %}]" From 8f265c1b9c4a6da35a7e4c3b8cd31ead024db568 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 24 Nov 2018 19:05:51 -0500 Subject: [PATCH 100/663] Update logrotate Old version was using `iteritems()` which doesnt work in Python 3 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml
index c7f1fbf3c9..c8d23a67ca 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -8,7 +8,7 @@
 - name: logrotate
 src: nickhammond.logrotate
- version: e7a498d
+ version: v0.0.5
 - name: swapfile
 src: oefenweb.swapfile
From 046881a7bd397d66582c4ee29e763258138e0cf1 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 1 Dec 2018 19:13:11 -0500 Subject: [PATCH 101/663] Support Python 3 HTTP imports
---
 roles/letsencrypt/library/test_challenges.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/roles/letsencrypt/library/test_challenges.py b/roles/letsencrypt/library/test_challenges.py
index 8c075cc5a8..d7f4a8cc2c 100644
--- a/roles/letsencrypt/library/test_challenges.py
+++ b/roles/letsencrypt/library/test_challenges.py
@@ -2,7 +2,12 @@
 # -*- coding: utf-8 -*-
 import socket
-from httplib import HTTPConnection, HTTPException
+
+try:
+ from httplib import HTTPConnection, HTTPException
+except ImportError:
+ # Python 3
+ from http.client import HTTPConnection, HTTPException
 DOCUMENTATION = '''
 ---
From c67d78b2dc07455d7e02f7271a27171217ce2d53 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 1 Dec 2018 20:05:01 -0500 Subject: [PATCH 102/663] Update CHANGELOG
---
 CHANGELOG.md | 1 + 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2412e5e9ed..c3173b8c1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031))
 * Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021))
 * Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019))
 * [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014))
From 771d4ec5b145f4513a2f16fe12906947e72adcda Mon Sep 17 00:00:00 2001
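Review bot: `version: v0.0.5` swaps an immutable commit pin (`e7a498d`) for a Git tag, and a tag can be moved or re-pushed upstream, so `ansible-galaxy install -r requirements.yml` fetches whatever `v0.0.5` resolves to on the day it runs rather than a fixed tree. If the tag is wanted for readability, record the commit it points to next to it, `version: v0.0.5  # resolves to COMMIT_SHA_OF_v0.0.5` (placeholder), so a silent re-tag is noticeable on review, or pin the full SHA directly as before.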
From: Scott Walkinshaw Date: Tue, 4 Dec 2018 22:12:04 -0500 Subject: [PATCH 103/663] Python version compatibility fixes This fixes some more Python 2/3 compatibility issues. --- deploy-hooks/build-before.yml | 4 ++-- deploy.yml | 4 ++-- lib/trellis/plugins/callback/vars.py | 6 +++--- roles/common/tasks/main.yml | 2 +- roles/wordpress-setup/tasks/nginx-includes.yml | 2 +- roles/xdebug-tunnel/tasks/main.yml | 2 +- server.yml | 15 +++++++++++---- 7 files changed, 21 insertions(+), 14 deletions(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index bfad9d6847..e6893432ba 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -9,7 +9,7 @@ # --- # - name: Install npm dependencies # command: yarn -# connection: local +# delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" # @@ -20,7 +20,7 @@ # # - name: Compile assets for production # command: yarn build:production -# connection: local +# delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" # diff --git a/deploy.yml b/deploy.yml index e391a1b641..4d88bb2151 100644 --- a/deploy.yml +++ b/deploy.yml @@ -16,12 +16,12 @@ remote_user: "{{ web_user }}" pre_tasks: - name: Ensure site is valid - connection: local + delegate_to: localhost fail: msg: "Site `{{ site | default('') }}` is not valid. Available sites to deploy: {{ wordpress_sites.keys() | join(', ') }}" when: wordpress_sites[site | default('')] is not defined - name: Ensure repo is valid - connection: local + delegate_to: localhost fail: msg: | Invalid Git repository. diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 83ab22c505..b4e079983a 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py 
@@ -26,7 +26,7 @@ def __init__(self): def raw_triage(self, key_string, item, patterns): # process dict values if isinstance(item, AnsibleMapping): - return AnsibleMapping(dict((key,self.raw_triage('.'.join([key_string, key]), value, patterns)) for key,value in item.iteritems())) + return AnsibleMapping(dict((key,self.raw_triage('.'.join([key_string, key]), value, patterns)) for key,value in iteritems(item))) # process list values elif isinstance(item, AnsibleSequence): @@ -68,7 +68,7 @@ def cli_options(self): '--vault-password-file': 'vault_password_file', } - for option,value in strings.iteritems(): + for option,value in iteritems(strings): if getattr(self._options, value, False): options.append("{0}='{1}'".format(option, str(getattr(self._options, value)))) @@ -92,7 +92,7 @@ def darwin_without_passlib(self): def v2_playbook_on_play_start(self, play): env = play.get_variable_manager().get_vars(play=play).get('env', '') - env_group = next((group for key,group in play.get_variable_manager()._inventory.groups.iteritems() if key == env), False) + env_group = next((group for key,group in iteritems(play.get_variable_manager()._inventory.groups) if key == env), False) if env_group: env_group.set_priority(20) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 212df3c2de..85ac087664 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -145,7 +145,7 @@ - name: Retrieve SSH client IP ipify_facts: - connection: local + delegate_to: localhost become: no when: env != 'development' and ssh_client_ip_lookup | default(true) tags: [fail2ban, ferm] diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index a9859b0afb..960a82fdf1 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
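Review bot: All three replacements call `iteritems(...)` as a free function, but the diffstat for `lib/trellis/plugins/callback/vars.py` shows exactly these 3 insertions and 3 deletions, so no import was added by this commit; unless `from ansible.module_utils.six import iteritems` is already at the top of the file (not visible here), each call raises `NameError` the first time it runs. Please confirm the import exists and add it if not. The same applies to the hunks at `@@ -68,7` and `@@ -92,7`; `raw_triage` starts before this hunk.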
@@ -7,7 +7,7 @@ pattern: "*.conf.j2" recurse: yes become: no - connection: local + delegate_to: localhost register: nginx_includes_templates - name: Warn about deprecated Nginx includes directory diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 9147f73733..86a84909c0 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -6,7 +6,7 @@ {% else %} ssh -S '{{ xdebug_tunnel_control_socket }}' -O exit '{{ xdebug_tunnel_control_identity }}' {% endif %} - connection: local + delegate_to: localhost become: no register: xdebug_tunnel ignore_errors: true diff --git a/server.yml b/server.yml index cabcadec85..3fb35be82c 100644 --- a/server.yml +++ b/server.yml @@ -14,10 +14,17 @@ gather_facts: false become: yes tasks: - - name: Install Python 2.x - raw: which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson - register: python_check - changed_when: python_check.stdout is not search('/usr/bin/python') + - block: + - name: Find path to python interpreter + raw: which python3 || which python + register: python_path + changed_when: false + - name: Set path to python interpreter on remote + set_fact: + ansible_python_interpreter: "{{ python_path.stdout }}" + when: python_path.rc == 0 + when: ansible_python_interpreter is not defined + tags: always - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} From 51bda7eddae277f323cdb24e9776c56906176fb6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 4 Dec 2018 22:16:48 -0500 Subject: [PATCH 104/663] Add Python 3.6 to Travis --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index b1da0a6349..59ec6f6dce 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,7 @@ language: python -python: 2.7 +python: + - 2.7 + - 3.6 sudo: false cache: pip install: From 56994310b762d52ef752315505305a18762b5251 Mon Sep 17 00:00:00 2001 
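Review bot: In the `server.yml` hunk, `ansible_python_interpreter: "{{ python_path.stdout }}"` uses the `raw` output verbatim, and `raw` returns stdout with its trailing newline (plus a `\r` on hosts that emit CRLF), so the interpreter path may carry whitespace; use `"{{ python_path.stdout | trim }}"` or `python_path.stdout_lines[0]`. Also, as far as I recall the `raw` action marks a non-zero exit as failed, so when neither `python3` nor `python` is found the play stops at `Find path to python interpreter` and the `when: python_path.rc == 0` guard on `set_fact` is never consulted; if falling through to the default interpreter is intended, add `failed_when: false` to the `raw` task.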
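Review bot: In the `.travis.yml` hunk the new matrix entries `- 2.7` and `- 3.6` are YAML floats, not strings; harmless for these two values, but the same pattern turns a future `3.10` into `3.1`. Quote them as `- "2.7"` and `- "3.6"` so the version is passed through literally.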
From: Scott Walkinshaw Date: Sun, 9 Dec 2018 16:35:16 -0500 Subject: [PATCH 105/663] Remove ansible_python_interpreter in server.yml This was changing the interpreter/version of Python used on remote hosts in `server.yml` to support Python 2 or 3. However, this doesn't work in all cases yet because we're installing Python 2 specific packages on servers. So for now Python 3 support is limited to the host/control machine which is the bigger issue anyway. Even Ubuntu 18.04 still defaults to Python 2. --- server.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/server.yml b/server.yml index 3fb35be82c..45b574a6c4 100644 --- a/server.yml +++ b/server.yml @@ -9,23 +9,6 @@ roles: - { role: connection, tags: [connection, always] } -- name: Install prerequisites - hosts: web:&{{ env }} - gather_facts: false - become: yes - tasks: - - block: - - name: Find path to python interpreter - raw: which python3 || which python - register: python_path - changed_when: false - - name: Set path to python interpreter on remote - set_fact: - ansible_python_interpreter: "{{ python_path.stdout }}" - when: python_path.rc == 0 - when: ansible_python_interpreter is not defined - tags: always - - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} become: yes From 446afe4802b165d442c5d848f3a24c9e284a588e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:36:15 -0400 Subject: [PATCH 106/663] Update Vagrant box to ubuntu-18.04 --- vagrant.default.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vagrant.default.yml b/vagrant.default.yml index 8820eaf08f..24b4360407 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml 
@@ -2,8 +2,8 @@
 vagrant_ip: '192.168.50.5'
 vagrant_cpus: 1
 vagrant_memory: 1024 # in MB
-vagrant_box: 'bento/ubuntu-16.04'
-vagrant_box_version: '>= 201801.02.0'
+vagrant_box: 'bento/ubuntu-18.04'
+vagrant_box_version: '>= 201807.12.0'
 vagrant_ansible_version: '2.5.3'
 vagrant_skip_galaxy: false
 vagrant_mount_type: 'nfs'
From d97c176e25b7d32b1a00694fa0039a6e74642fd5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:36:31 -0400 Subject: [PATCH 107/663] Remove invalid sshd macs
---
 roles/sshd/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-)
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml
index deedd28e00..2936d98ffc 100644
--- a/roles/sshd/defaults/main.yml
+++ b/roles/sshd/defaults/main.yml
@@ -46,11 +46,9 @@ sshd_login_grace_time: 30
 sshd_macs_default:
 - hmac-sha2-512-etm@openssh.com
 - hmac-sha2-256-etm@openssh.com
- - hmac-ripemd160-etm@openssh.com
 - umac-128-etm@openssh.com
 - hmac-sha2-512
 - hmac-sha2-256
- - hmac-ripemd160
 sshd_macs_extra: []
From 4621471f0b37fecc03c6112e1e87dbc08c659f7e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:37:08 -0400 Subject: [PATCH 108/663] Update Mariadb
---
 roles/mariadb/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml
index 576ade7076..89f7b57ea0 100644
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@@ -1,6 +1,6 @@
-mariadb_keyserver: keyserver.ubuntu.com
+mariadb_keyserver: "hkp://keyserver.ubuntu.com:80"
 mariadb_keyserver_id: "0xF1656F24C74CD1D8"
-mariadb_ppa: "deb [arch=amd64,i386,ppc64el] http://ftp.osuosl.org/pub/mariadb/repo/10.2/ubuntu xenial main"
+mariadb_ppa: "deb [arch=amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/ubuntu {{ ansible_distribution_release }} main"
 mariadb_client_package: mariadb-client
 mariadb_server_package: mariadb-server
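Review bot: In the `roles/mariadb/defaults/main.yml` hunk, `mariadb_keyserver: "hkp://keyserver.ubuntu.com:80"` fetches the repository signing key over plaintext HKP, and `mariadb_keyserver_id` is a 64-bit long key ID rather than a full fingerprint, so the trust anchor that apt later uses to verify the `http://` repo is itself retrieved over an unauthenticated channel and matched on a short identifier. If the consuming task is `apt_key`, it accepts a full 40-hex fingerprint in `id` and should accept an `hkps://` keyserver on 18.04's gnupg; prefer `mariadb_keyserver: "hkps://keyserver.ubuntu.com"` with `mariadb_keyserver_id: "FULL_FINGERPRINT_OF_MARIADB_SIGNING_KEY"` (placeholder), or fetch the key over HTTPS from the vendor and pin its fingerprint. If port 80 is deliberate because of outbound firewalls, say so in a comment next to the variable.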
From b757fcf12a047d5b136ce73d68d8408959e5389c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:37:28 -0400 Subject: [PATCH 109/663] Python version compatibility --- roles/common/defaults/main.yml | 20 +++++++++++++++----- server.yml | 17 +++++++++++++++++ 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index c97104a18e..9a6f6693c3 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -20,16 +20,26 @@ site_keys_by_env_pair: "[ {% endfor %} ]" -apt_packages_default: - python-software-properties: "{{ apt_package_state }}" - python-pycurl: "{{ apt_package_state }}" +_apt_packages_default: build-essential: "{{ apt_package_state }}" - python-mysqldb: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" - git: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" + git: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" +apt_packages_python: + '2': + python-software-properties: "{{ apt_package_state }}" + python-mysqldb: "{{ apt_package_state }}" + python-pycurl: "{{ apt_package_state }}" + '3': + python3-software-properties: "{{ apt_package_state }}" + python3-mysqldb: "{{ apt_package_state }}" + python3-pycurl: "{{ apt_package_state }}" + +python_major_version: "{{ ansible_python_version[0] }}" +apt_packages_default: "{{ _apt_packages_default | combine(apt_packages_python[python_major_version]) }}" + apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" diff --git a/server.yml b/server.yml index 45b574a6c4..1656b3ec88 100644 --- a/server.yml +++ b/server.yml 
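Review bot: `python_major_version: "{{ ansible_python_version[0] }}"` indexes the first character of a version string, which happens to work for 2 and 3 but is a fragile way to derive the major version, and `apt_packages_python[python_major_version]` then fails with an undefined-key error that never names the interpreter when the fact is anything else. Use `"{{ ansible_python_version.split('.')[0] }}"`, and consider an `assert` task with `that: python_major_version in apt_packages_python` and a message quoting `ansible_python_version`, so an unsupported remote Python fails with a clear reason instead of a templating error.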
@@ -9,6 +9,23 @@ roles: - { role: connection, tags: [connection, always] } +- name: Set ansible_python_interpreter + hosts: web:&{{ env }} + gather_facts: false + become: yes + tasks: + - block: + - name: Get Ubuntu release + raw: lsb_release -cs + register: ubuntu_release + changed_when: false + - name: Set ansible_python_interpreter for Ubuntu 18.04 Bionic + set_fact: + ansible_python_interpreter: python3 + when: ubuntu_release.stdout_lines[0] == 'bionic' + when: ansible_python_interpreter is not defined + tags: always + - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} become: yes From c76ca569e5d5442dcf834df1c8c63a5332e00bed Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:37:47 -0400 Subject: [PATCH 110/663] Update Ubuntu version validation --- roles/common/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 85ac087664..f4535561de 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -67,7 +67,7 @@ - name: Validate Ubuntu version debug: msg: | - Trellis is built for Ubuntu 16.04 Xenial as of https://github.com/roots/trellis/pull/626 + Trellis is built for Ubuntu 18.04 Bionic as of https://github.com/roots/trellis/pull/992 Your Ubuntu version is {{ ansible_distribution_version }} {{ ansible_distribution_release }} @@ -77,8 +77,8 @@ Development via Vagrant: `vagrant destroy && vagrant up` - Staging/Production: Create a new server with Ubuntu 16.04 and provision - when: ansible_distribution_release != 'xenial' + Staging/Production: Create a new server with Ubuntu 18.04 and provision + when: ansible_distribution_release != 'bionic' - name: Check whether passlib is needed fail: From 28e9850f69c7e83e5cd4ec5888274e8f6fec6db6 Mon Sep 17 00:00:00 2001 
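Review bot: `ansible_python_interpreter: python3` is a bare name, so Ansible resolves it through the remote login shell's `PATH` on every module call; Ansible's guidance is an absolute path, `ansible_python_interpreter: /usr/bin/python3`, which also makes the choice independent of the connecting user's environment. The same applies to the `roles/python_interpreter/tasks/main.yml` version of this block introduced later in the series. Separately, this play only runs `lsb_release -cs` and a `set_fact`, neither of which needs root, so `become: yes` here (and in the matching `dev.yml` play added later) can be dropped under least privilege unless the role grows tasks that need it.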
From: Scott Walkinshaw Date: Mon, 10 Dec 2018 18:19:21 -0500 Subject: [PATCH 111/663] Add CHANGELOG entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c3173b8c1a..6c3fa6e880 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992)) * Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031)) * Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021)) * Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019)) From ac4b511d6a6b37bb89f5d2014364f1bacc57e480 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 11 Dec 2018 23:15:37 -0500 Subject: [PATCH 112/663] Update README for 18.04 --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 36a8aac7fd..d3e0f729c6 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. Trellis will configure a server with the following and more: -* Ubuntu 16.04 Xenial LTS +* Ubuntu 18.04 Bionic LTS * Nginx (with optional FastCGI micro-caching) * PHP 7.2 * MariaDB (a drop-in MySQL replacement) 
@@ -71,7 +71,9 @@ Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) fo For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. -A base Ubuntu 16.04 server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. +A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. + +Note: Ubuntu 16.04 (Xenial) is still supported as well. See [#992](https://github.com/roots/trellis/pull/992) for details on the minor changes needed to run it. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` From ff496aeeb1a6fed1d50723386a5afac89844add3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 12 Dec 2018 20:00:56 -0500 Subject: [PATCH 113/663] Set ansible_python_interpreter in dev Via new python_interpreter role --- dev.yml | 7 +++++++ roles/python_interpreter/tasks/main.yml | 11 +++++++++++ server.yml | 14 ++------------ 3 files changed, 20 insertions(+), 12 deletions(-) create mode 100644 roles/python_interpreter/tasks/main.yml diff --git a/dev.yml b/dev.yml index b55f73df09..dfe6e8dc06 100644 --- a/dev.yml +++ b/dev.yml @@ -1,4 +1,11 @@ --- +- name: Set ansible_python_interpreter + hosts: web:&development + gather_facts: false + become: yes + roles: + - { role: python_interpreter, tags: [always] } + - name: "WordPress Server: Install LEMP Stack with PHP 7.2 and MariaDB MySQL" hosts: web:&development become: yes 
diff --git a/roles/python_interpreter/tasks/main.yml b/roles/python_interpreter/tasks/main.yml new file mode 100644 index 0000000000..8935abe901 --- /dev/null +++ b/roles/python_interpreter/tasks/main.yml @@ -0,0 +1,11 @@ +- block: + - name: Get Ubuntu release + raw: lsb_release -cs + register: ubuntu_release + changed_when: false + - name: Set ansible_python_interpreter for Ubuntu 18.04 Bionic + set_fact: + ansible_python_interpreter: python3 + when: ubuntu_release.stdout | trim == 'bionic' + when: ansible_python_interpreter is not defined + tags: always diff --git a/server.yml b/server.yml index 1656b3ec88..57ce25288b 100644 --- a/server.yml +++ b/server.yml @@ -13,18 +13,8 @@ hosts: web:&{{ env }} gather_facts: false become: yes - tasks: - - block: - - name: Get Ubuntu release - raw: lsb_release -cs - register: ubuntu_release - changed_when: false - - name: Set ansible_python_interpreter for Ubuntu 18.04 Bionic - set_fact: - ansible_python_interpreter: python3 - when: ubuntu_release.stdout_lines[0] == 'bionic' - when: ansible_python_interpreter is not defined - tags: always + roles: + - { role: python_interpreter, tags: [always] } - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} From df38788d8b267f863c603fc8812876128b3d1aa0 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 12 Dec 2018 23:46:23 -0500 Subject: [PATCH 114/663] Fix Python 3 compat error message --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index d2fd307abc..38127cd9a2 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
@@ -20,7 +20,7 @@ if version_info[0] == 2 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): raise AnsibleError(('Ansible >= {} is required when using Python 3.\n' - 'Either downgrade to Python 2 or update your Ansible version to {}.').format(__version__, python3_required_version)) + 'Either downgrade to Python 2 or update your Ansible version to {}.').format(python3_required_version, python3_required_version)) if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' From d6f24119773bb235f8b77fed470a48adc26f5f6d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 12 Dec 2018 23:56:22 -0500 Subject: [PATCH 115/663] Fix python 3 Ansible compatibility check >= 2.5.3 is only required if you're running Python 3 on the host. --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 38127cd9a2..86b6b8b14b 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -18,7 +18,7 @@ version_tested_max = '2.5.3' python3_required_version = '2.5.3' -if version_info[0] == 2 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): +if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): raise AnsibleError(('Ansible >= {} is required when using Python 3.\n' 'Either downgrade to Python 2 or update your Ansible version to {}.').format(python3_required_version, python3_required_version)) From 4587eca602aa0e9ca7c764afcbd1b7f7ceefcfbc Mon Sep 17 00:00:00 2001 
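Review bot: The corrected `version_info[0] == 3` guard encodes a requirement that is explained only in the commit message, so a comment above it, `# Python 3 on the control machine requires Ansible >= python3_required_version`, keeps the rationale with the code for the next reader. In the preceding hunk on this line the message passes `python3_required_version` twice for two identical placeholders; `'Ansible >= {0} is required when using Python 3.\nEither downgrade to Python 2 or update your Ansible version to {0}.'.format(python3_required_version)` says the same thing once. Both points are style rather than defects.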
From: Ben Word Date: Thu, 13 Dec 2018 14:17:51 -0700 Subject: [PATCH 116/663] Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` --- CHANGELOG.md | 1 + Vagrantfile | 15 +++++++++++---- bin/ssh-vagrant-config.sh | 8 ++++++++ bin/xdebug-tunnel.sh | 3 +-- 4 files changed, 21 insertions(+), 6 deletions(-) create mode 100755 bin/ssh-vagrant-config.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c3fa6e880..af490d2498 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042)) * [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992)) * Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031)) * Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021)) diff --git a/Vagrantfile b/Vagrantfile index e06ac3f5f7..b4e57ca282 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -1,6 +1,3 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - ANSIBLE_PATH = __dir__ # absolute path to Ansible directory on host machine ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis'.freeze # absolute path to Ansible directory on virtual machine @@ -135,9 +132,19 @@ Vagrant.configure('2') do |config| extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] ansible.extra_vars.merge!(extra_vars) end + + if !Vagrant::Util::Platform.windows? + config.trigger.after :up do |trigger| + # Add Vagrant ssh-config to ~/.ssh/config + trigger.run = { + path: File.join(provisioning_path, 'bin/ssh-vagrant-config.sh'), + args: [main_hostname] + } + end + end end - # Virtualbox settings + # VirtualBox settings config.vm.provider 'virtualbox' do |vb| vb.name = config.vm.hostname vb.customize ['modifyvm', :id, '--cpus', vconfig.fetch('vagrant_cpus')] diff --git a/bin/ssh-vagrant-config.sh b/bin/ssh-vagrant-config.sh new file mode 100755 index 0000000000..77ea4ddd50 --- /dev/null 
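Review bot: The new `config.trigger.after :up` block runs on the host, but `path:` is built from `provisioning_path`, which (judging by the `ANSIBLE_PATH_ON_VM` constant shown at the top of this file) may point at the in-guest location when provisioning runs inside the VM, in which case the trigger would not find the script; `path: File.join(ANSIBLE_PATH, 'bin/ssh-vagrant-config.sh')` is the host path. Separately, deleting the `# -*- mode: ruby -*-` and `# vi: set ft=ruby :` modelines removes the only hint editors have that an extension-less `Vagrantfile` is Ruby; that is a style point rather than a defect.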
+++ b/bin/ssh-vagrant-config.sh @@ -0,0 +1,8 @@ +#!/bin/bash +vagrant_host=$1 + +# Add Vagrant ssh-config to ~/.ssh/config +sed "/^$/d;s/Host /$NL&/" ~/.ssh/config | sed '/^Host '"$vagrant_host"'$/,/^$/d;' > config && +cat config > ~/.ssh/config && +rm config && +vagrant ssh-config --host ${vagrant_host} >> ~/.ssh/config diff --git a/bin/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh index 112e7effe2..e60e4d48bb 100755 --- a/bin/xdebug-tunnel.sh +++ b/bin/xdebug-tunnel.sh @@ -1,5 +1,4 @@ -#!/usr/bin/env bash - +#!/bin/bash show_usage() { echo " Usage: bin/xdebug-tunnel.sh From 30eafb1e58060bacfd678cb3a53abc7c18a0f59c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 13 Dec 2018 21:07:40 -0500 Subject: [PATCH 117/663] Fix keys usage for Python 2/3 compat --- roles/common/tasks/disable_challenge_sites.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/disable_challenge_sites.yml b/roles/common/tasks/disable_challenge_sites.yml index 455d7f0cad..7995565b3a 100644 --- a/roles/common/tasks/disable_challenge_sites.yml +++ b/roles/common/tasks/disable_challenge_sites.yml @@ -3,5 +3,5 @@ file: path: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item }}.conf" state: absent - with_items: "{{ wordpress_sites.keys() }}" + with_items: "{{ wordpress_sites.keys() | list }}" notify: reload nginx From ec94e94e423a1b1ec4ecf5351789f12679c0969b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 13 Dec 2018 21:20:36 -0500 Subject: [PATCH 118/663] Don't force install Ansible Galaxy in dev By default Vagrant runs `ansible-galaxy` with the `--force` option causing every Galaxy role to be re-downloaded *every* time. This is annoying, slow, and wasteful. This customizes the `galaxy_command` to run without the `--force` flag. --- Vagrantfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Vagrantfile b/Vagrantfile index b4e57ca282..949d7bba1b 100644 --- a/Vagrantfile +++ b/Vagrantfile 
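Review bot: `$NL` is never assigned in `bin/ssh-vagrant-config.sh`, so `s/Host /$NL&/` inserts nothing and the stanza separation the second `sed` depends on does not happen; the script also writes its scratch copy to a relative `config` in whatever directory the trigger runs from, keeps no backup of `~/.ssh/config` before overwriting it, and when `~/.ssh/config` does not exist the first `sed` fails so the `vagrant ssh-config` entry is never appended. The unquoted `$vagrant_host` is spliced into a `sed` address as a regex, so a hostname containing `/` or other metacharacters breaks the pattern instead of matching literally. A rewrite that edits a `mktemp` file, backs the user's config up first, matches the `Host` field literally and appends only after the edit succeeded is sketched below.
```shell
#!/bin/bash
set -euo pipefail
vagrant_host=$1
ssh_config="$HOME/.ssh/config"
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT

touch "$ssh_config"
cp -p "$ssh_config" "$ssh_config.trellis_backup"
# Drop any existing stanza for this host (literal field match, no regex), then append the current one
awk -v host="$vagrant_host" '/^Host /{skip = ($2 == host)} !skip' "$ssh_config" > "$tmp"
echo >> "$tmp"
vagrant ssh-config --host "$vagrant_host" >> "$tmp"
cat "$tmp" > "$ssh_config"
```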
@@ -119,6 +119,7 @@ Vagrant.configure('2') do |config| ansible.playbook = File.join(provisioning_path, 'dev.yml') ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') + ansible.galaxy_command = 'ansible-galaxy install --role-file=%{role_file} --roles-path=%{roles_path}' ansible.groups = { 'web' => ['default'], From fc86158dae2e5985b6b55c55dad89746b024e8e6 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 13 Dec 2018 19:49:01 -0700 Subject: [PATCH 119/663] Ansible 2.7 compatibility --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- roles/connection/tasks/main.yml | 2 +- vagrant.default.yml | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index af490d2498..2338fcc498 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045)) * Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042)) * [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992)) * Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 86b6b8b14b..81e0e28365 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.4.0.0' -version_tested_max = '2.5.3' +version_tested_max = '2.7.5' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index de07be3538..0675e77bf4 100644 --- a/roles/connection/tasks/main.yml 
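Review bot: Dropping `--force` from `ansible.galaxy_command` also means a role already present in `vendor/roles` is never refreshed, so a changed `version:` pin in `requirements.yml` is silently ignored until that directory is deleted by hand. A comment next to the line keeps the trade-off visible, e.g. `# No --force: roles already in vendor/roles are kept; delete the directory (or run ansible-galaxy with --force) to pick up version changes in requirements.yml`. The pinned versions are what users rely on for reproducible, reviewed role code, so the caveat is worth stating where the command is defined.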
+++ b/roles/connection/tasks/main.yml @@ -53,7 +53,7 @@ - block: - name: Set remote user for each host set_fact: - ansible_user: "{{ ansible_user | default((connection_status.stdout_lines | intersect(['root', '\e[0;32mroot']) | count) | ternary('root', admin_user)) }}" + ansible_user: "{{ ansible_user | default((connection_status.stdout_lines | intersect(['root', '\e[0;32mroot', '\e[0;33mroot']) | count) | ternary('root', admin_user)) }}" check_mode: no - name: Announce which user was selected diff --git a/vagrant.default.yml b/vagrant.default.yml index 24b4360407..03ff4689b6 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-18.04' vagrant_box_version: '>= 201807.12.0' -vagrant_ansible_version: '2.5.3' +vagrant_ansible_version: '2.7.5' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From 9a26f30e7187a22a2a69bb9153ab1115596105bf Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 13 Dec 2018 19:57:32 -0700 Subject: [PATCH 120/663] Require Vagrant >= 2.1.0 --- CHANGELOG.md | 1 + README.md | 2 +- Vagrantfile | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2338fcc498..6b134c2bda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046)) * Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045)) * Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042)) * [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992)) diff --git a/README.md b/README.md index d3e0f729c6..5f11d40657 100644 --- a/README.md +++ b/README.md 
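Review bot: The root detection in `Set remote user for each host` now matches three exact byte strings (`root`, and `root` wrapped in two specific ANSI colour codes); any other colour, a bold prefix or a trailing reset sequence misses and the play falls back to `admin_user`. Stripping escape sequences before the comparison removes the dependency on exact colours: `ansible_user: "{{ ansible_user | default((connection_status.stdout_lines | map('regex_replace', '\\x1b\\[[0-9;]*m', '') | list | intersect(['root']) | count) | ternary('root', admin_user)) }}"`. Disabling colour on the probe command would be the cleaner fix, but how `connection_status` is produced lies outside this hunk.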
@@ -36,7 +36,7 @@ Full documentation is available at [https://roots.io/trellis/docs/](https://root Make sure all dependencies have been installed before moving on: * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -* [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.0.1 +* [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 ## Installation diff --git a/Vagrantfile b/Vagrantfile index b4e57ca282..f672a2373f 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,7 +16,7 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -Vagrant.require_version '>= 2.0.1' +Vagrant.require_version '>= 2.1.0' Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') From c122be4c8b5ac23b69d72d9bdd1cf39849e64060 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 14 Dec 2018 13:28:20 +0000 Subject: [PATCH 121/663] Allow overriding rollback variables --- CHANGELOG.md | 1 + roles/rollback/defaults/main.yml | 2 ++ rollback.yml | 5 ----- 3 files changed, 3 insertions(+), 5 deletions(-) create mode 100644 roles/rollback/defaults/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b134c2bda..9c781f4c32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047)) * Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046)) * Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045)) * Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042)) diff --git a/roles/rollback/defaults/main.yml b/roles/rollback/defaults/main.yml new file mode 100644 index 0000000000..08d321ee62 --- /dev/null +++ b/roles/rollback/defaults/main.yml 
@@ -0,0 +1,2 @@ +project_root: "{{ www_root }}/{{ site }}" +project_current_path: "{{ wordpress_sites[site].current_path | default('current') }}" diff --git a/rollback.yml b/rollback.yml index f3e0405a92..47a01bbc38 100644 --- a/rollback.yml +++ b/rollback.yml @@ -14,10 +14,5 @@ - name: Rollback a Deploy hosts: web:&{{ env }} remote_user: "{{ web_user }}" - - vars: - project_root: "{{ www_root }}/{{ site }}" - project_current_path: "{{ wordpress_sites[site].current_path | default('current') }}" - roles: - rollback From fdd9b7372a1439062b06ad0ad3672aa20fac7f7c Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 16 Dec 2018 15:55:32 +0000 Subject: [PATCH 122/663] Add `vault_wordpress_env_defaults` --- CHANGELOG.md | 1 + group_vars/all/helpers.yml | 2 +- group_vars/all/main.yml | 1 + group_vars/all/vault.yml | 6 ++++++ 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c781f4c32..60cf069c92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) * Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047)) * Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046)) * Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045)) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 7b89c15ebf..11bb881d43 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -9,7 +9,7 @@ wordpress_env_defaults: wp_siteurl: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}/wp" domain_current_site: "{{ site_hosts_canonical | first }}" -site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" +site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 68ef57b68e..e7f9bd85fc 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -20,4 +20,5 @@ raw_vars: - vault_mysql_root_password - vault_users.*.password - vault_users.*.salt + - vault_wordpress_env_defaults - vault_wordpress_sites diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 19a21ae41e..fc11d9d9c2 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml @@ -1,2 +1,8 @@ # Documentation: https://roots.io/trellis/docs/vault/ vault_mail_password: smtp_password + +# Variables to accompany `wordpress_env_defaults` in `group_vars/all/helpers.yml` +# Note: These values can be overriden by `vault_wordpress_sites.*.env` +# +# vault_wordpress_env_defaults: +# my_api_key: 'available to all environments' From 83f716307ec5d18186724245e94e52cceeeea3c1 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 17 Dec 2018 10:19:17 +0000 Subject: [PATCH 123/663] Fix: `vault_wordpress_env_defaults` not populated during deploy Follow up on #1048 --- CHANGELOG.md | 1 + roles/deploy/vars/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
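Review bot: The comment added to `group_vars/all/vault.yml` says the defaults can be overridden by `vault_wordpress_sites.*.env`, but the `combine` order in the `helpers.yml` hunk on this line also places `item.value.env` (the unencrypted `wordpress_sites.*.env`) after `vault_wordpress_env_defaults`, so a plain-text per-site value silently shadows a vaulted default. The comment should state that precedence, e.g. `# Note: These values can be overridden by wordpress_sites.*.env and vault_wordpress_sites.*.env`, which also fixes the `overriden` typo. Because the variable is meant for secrets, making that order explicit protects against a non-vault value unintentionally taking over a key that was supposed to be encrypted. Listing the variable under `raw_vars` in `group_vars/all/main.yml` is consistent with the other vault entries there.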
diff --git a/CHANGELOG.md b/CHANGELOG.md index 60cf069c92..995696ef3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049)) * Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) * Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047)) * Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046)) diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index cb51f14823..aea2f70a6e 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml @@ -8,4 +8,4 @@ wordpress_env_defaults: wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" -site_env: "{{ wordpress_env_defaults | combine(project.env | default({}), vault_wordpress_sites[site].env) }}" +site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" From 56df5b56c6ab39ba07654e36f241c726dcbeb66f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 17 Dec 2018 19:43:02 -0500 Subject: [PATCH 124/663] Fix Vagrant trigger path This path should always be local on the host. --- CHANGELOG.md | 1 + Vagrantfile | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 995696ef3a..e13054cb2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051)) * Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049)) * Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) * Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047)) diff --git a/Vagrantfile b/Vagrantfile index f672a2373f..1ce9f4be4c 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -137,7 +137,7 @@ Vagrant.configure('2') do |config| config.trigger.after :up do |trigger| # Add Vagrant ssh-config to ~/.ssh/config trigger.run = { - path: File.join(provisioning_path, 'bin/ssh-vagrant-config.sh'), + path: File.join(ANSIBLE_PATH, 'bin/ssh-vagrant-config.sh'), args: [main_hostname] } end From c0bef6d42217de099fd1f765076111f921dc0114 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 19 Dec 2018 14:04:32 -0700 Subject: [PATCH 125/663] Update to PHP 7.3 --- CHANGELOG.md | 1 + README.md | 2 +- dev.yml | 2 +- group_vars/all/users.yml | 2 +- roles/common/handlers/main.yml | 2 +- roles/deploy/hooks/finalize-after.yml | 2 +- roles/php/defaults/main.yml | 24 ++++++++++++------------ roles/php/tasks/main.yml | 22 +++++++++++----------- roles/wordpress-setup/tasks/main.yml | 6 +++--- roles/xdebug/tasks/main.yml | 10 +++++----- server.yml | 2 +- xdebug-tunnel.yml | 2 +- 12 files changed, 39 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e13054cb2d..4b02e34136 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052)) * Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051)) * Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049)) * Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) 
diff --git a/README.md b/README.md index 5f11d40657..8ba7beb4b2 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Trellis will configure a server with the following and more: * Ubuntu 18.04 Bionic LTS * Nginx (with optional FastCGI micro-caching) -* PHP 7.2 +* PHP 7.3 * MariaDB (a drop-in MySQL replacement) * SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) * Let's Encrypt integration for free SSL certificates diff --git a/dev.yml b/dev.yml index dfe6e8dc06..4159951902 100644 --- a/dev.yml +++ b/dev.yml @@ -6,7 +6,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: "WordPress Server: Install LEMP Stack with PHP 7.2 and MariaDB MySQL" +- name: "WordPress Server: Install LEMP Stack with PHP 7.3 and MariaDB MySQL" hosts: web:&development become: yes remote_user: vagrant diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index 7704ef18b7..2290fea7de 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -19,4 +19,4 @@ users: web_user: web web_group: www-data web_sudoers: - - "/usr/sbin/service php7.2-fpm *" + - "/usr/sbin/service php7.3-fpm *" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 762b6caece..ad0488c90b 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -9,7 +9,7 @@ - name: reload php-fpm service: - name: php7.2-fpm + name: php7.3-fpm state: reloaded - import_tasks: reload_nginx.yml diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 0ce90d3893..f7c2a1f756 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -34,6 +34,6 @@ when: wp_installed.rc == 0 - name: Reload php-fpm - shell: sudo service php7.2-fpm reload + shell: sudo service php7.3-fpm reload args: warn: false diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 0e40746fd5..f59a03b044 100644 --- a/roles/php/defaults/main.yml 
+++ b/roles/php/defaults/main.yml @@ -2,18 +2,18 @@ disable_default_pool: true memcached_sessions: false php_extensions_default: - php7.2-cli: "{{ apt_package_state }}" - php7.2-common: "{{ apt_package_state }}" - php7.2-curl: "{{ apt_package_state }}" - php7.2-dev: "{{ apt_package_state }}" - php7.2-fpm: "{{ apt_package_state }}" - php7.2-gd: "{{ apt_package_state }}" - php7.2-mbstring: "{{ apt_package_state }}" - php7.2-mysql: "{{ apt_package_state }}" - php7.2-opcache: "{{ apt_package_state }}" - php7.2-xml: "{{ apt_package_state }}" - php7.2-xmlrpc: "{{ apt_package_state }}" - php7.2-zip: "{{ apt_package_state }}" + php7.3-cli: "{{ apt_package_state }}" + php7.3-common: "{{ apt_package_state }}" + php7.3-curl: "{{ apt_package_state }}" + php7.3-dev: "{{ apt_package_state }}" + php7.3-fpm: "{{ apt_package_state }}" + php7.3-gd: "{{ apt_package_state }}" + php7.3-mbstring: "{{ apt_package_state }}" + php7.3-mysql: "{{ apt_package_state }}" + php7.3-opcache: "{{ apt_package_state }}" + php7.3-xml: "{{ apt_package_state }}" + php7.3-xmlrpc: "{{ apt_package_state }}" + php7.3-zip: "{{ apt_package_state }}" php_extensions_custom: {} php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 90f2bd5fcc..ceaf843c05 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -1,38 +1,38 @@ --- -- name: Add PHP 7.2 PPA +- name: Add PHP 7.3 PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.2 +- name: Install PHP 7.3 apt: name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" -- name: Start php7.2-fpm service +- name: Start php7.3-fpm service service: - name: php7.2-fpm + name: php7.3-fpm state: started enabled: true -- name: Check for existing php7.1-fpm service +- name: Check for existing php7.2-fpm service stat: - path: /etc/init.d/php7.1-fpm - register: php71_status + path: /etc/init.d/php7.2-fpm + register: php72_status -- name: Stop php7.1-fpm service if it exists +- name: Stop php7.2-fpm service if it exists service: - name: php7.1-fpm + name: php7.2-fpm state: stopped enabled: false register: service_stopped - when: php71_status.stat.exists + when: php72_status.stat.exists notify: reload php-fpm - name: PHP configuration file template: src: php.ini.j2 - dest: /etc/php/7.2/fpm/php.ini + dest: /etc/php/7.3/fpm/php.ini notify: reload php-fpm diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 1b2119b225..59e3dc60f4 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -26,13 +26,13 @@ - name: Create WordPress php-fpm configuration file template: src: php-fpm.conf.j2 - dest: /etc/php/7.2/fpm/pool.d/wordpress.conf + dest: /etc/php/7.3/fpm/pool.d/wordpress.conf notify: reload php-fpm - name: Disable default PHP-FPM pool - command: mv /etc/php/7.2/fpm/pool.d/www.conf /etc/php/7.2/fpm/pool.d/www.disabled + command: mv /etc/php/7.3/fpm/pool.d/www.conf /etc/php/7.3/fpm/pool.d/www.disabled args: - creates: /etc/php/7.2/fpm/pool.d/www.disabled + creates: /etc/php/7.3/fpm/pool.d/www.disabled when: disable_default_pool | default(true) notify: reload php-fpm 
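Review bot: The `Check for existing php7.2-fpm service` / `Stop php7.2-fpm service if it exists` pair only handles the single previous version, so a host still on 7.1 (the version this task handled before this commit) that jumps straight to 7.3 keeps `php7.1-fpm` running and enabled, and the superseded 7.2 packages are left installed next to 7.3; two PHP runtimes on a server is more to patch than one. Looping the stat/stop pair over a list of earlier versions keeps the role correct across skipped upgrades; removing the old packages is a larger change that would need its own `apt` task with `state: absent`. The sketch below uses `php_previous_versions`, a constructed name for a new role default (e.g. `['7.1', '7.2']`); if anything reads `service_stopped`, its value becomes a list under `.results`.
```yaml
- name: Check for existing previous php-fpm services
  stat:
    path: "/etc/init.d/php{{ item }}-fpm"
  register: php_previous_status
  with_items: "{{ php_previous_versions }}"

- name: Stop previous php-fpm services if they exist
  service:
    name: "php{{ item.item }}-fpm"
    state: stopped
    enabled: false
  register: service_stopped
  when: item.stat.exists
  with_items: "{{ php_previous_status.results }}"
  notify: reload php-fpm

# … unchanged: PHP configuration file task …
```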
diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 79118f7d05..deadc88c50 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -9,13 +9,13 @@ - name: Template the Xdebug configuration file template: src: xdebug.ini.j2 - dest: /etc/php/7.2/mods-available/xdebug.ini + dest: /etc/php/7.3/mods-available/xdebug.ini notify: reload php-fpm - name: Ensure 20-xdebug.ini is present file: - src: /etc/php/7.2/mods-available/xdebug.ini - dest: /etc/php/7.2/fpm/conf.d/20-xdebug.ini + src: /etc/php/7.3/mods-available/xdebug.ini + dest: /etc/php/7.3/fpm/conf.d/20-xdebug.ini state: link notify: reload php-fpm @@ -23,12 +23,12 @@ - name: Disable Xdebug file: - path: /etc/php/7.2/fpm/conf.d/20-xdebug.ini + path: /etc/php/7.3/fpm/conf.d/20-xdebug.ini state: absent when: not xdebug_remote_enable | bool notify: reload php-fpm - name: Disable Xdebug CLI file: - path: /etc/php/7.2/cli/conf.d/20-xdebug.ini + path: /etc/php/7.3/cli/conf.d/20-xdebug.ini state: absent diff --git a/server.yml b/server.yml index 57ce25288b..7c44723477 100644 --- a/server.yml +++ b/server.yml @@ -16,7 +16,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL +- name: WordPress Server - Install LEMP Stack with PHP 7.3 and MariaDB MySQL hosts: web:&{{ env }} become: yes roles: diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 0c5d7eae17..2c8a975438 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -15,5 +15,5 @@ handlers: - name: reload php-fpm service: - name: php7.2-fpm + name: php7.3-fpm state: reloaded From d59eb8ca6e0ee9cde03c1702a84c1d7c8c771db9 Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Wed, 19 Dec 2018 20:04:34 -0800 Subject: [PATCH 126/663] Enable ability to change users role `update_password` value (#767) --- CHANGELOG.md | 1 + roles/users/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index e13054cb2d..41ff298cfb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767)) * Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051)) * Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049)) * Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index a9313429fe..8c1403c0be 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -36,7 +36,7 @@ password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", (user.salt | default(""))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ None }}{% endfor %}' state: present shell: /bin/bash - update_password: always + update_password: "{{ item.update_password | default('always') }}" with_items: "{{ users }}" - name: Add web user sudoers items for services From 60975e0899ce3f1e9567a638667621a8f30f2e70 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 20 Dec 2018 19:16:54 -0700 Subject: [PATCH 127/663] Update README [ci skip] --- README.md | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 5f11d40657..43f1c56297 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. - Local development environment with Vagrant - High-performance production servers -- One-command deploys for your [Bedrock](https://roots.io/bedrock/)-based WordPress sites +- Zero-downtime deploys for your [Bedrock](https://roots.io/bedrock/)-based WordPress sites ## What's included 
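Review bot: `item.update_password | default('always')` passes through whatever a user entry provides, but the `user` module only accepts `always` or `on_create`, so a typo fails at runtime on that host with no hint in this task. A comment above the line documents the trade-off a per-user override introduces: `# update_password: always (default) re-applies the vault password on every run; on_create leaves an existing password untouched, so a rotated vault password will not reach that user`. An `assert` on the allowed values before the loop would catch mistakes earlier but is optional.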
@@ -17,15 +17,14 @@ Trellis will configure a server with the following and more: * PHP 7.2 * MariaDB (a drop-in MySQL replacement) * SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) -* Let's Encrypt integration for free SSL certificates +* Let's Encrypt for free SSL certificates * HTTP/2 support (requires SSL) * Composer * WP-CLI * sSMTP (mail delivery) * MailHog * Memcached -* Fail2ban -* ferm +* Fail2ban and ferm ## Documentation @@ -35,6 +34,7 @@ Full documentation is available at [https://roots.io/trellis/docs/](https://root Make sure all dependencies have been installed before moving on: +* [Composer](https://getcomposer.org/doc/00-intro.md#installation-linux-unix-osx) * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 @@ -53,9 +53,18 @@ example.com/ # → Root folder for the project See a complete working example in the [roots-example-project.com repo](https://github.com/roots/roots-example-project.com). -1. Create a new project directory: `$ mkdir example.com && cd example.com` -2. Clone Trellis: `$ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git` -3. Clone Bedrock: `$ git clone --depth=1 git@github.com:roots/bedrock.git site && rm -rf site/.git` +1. Create a new project directory: +```plain +$ mkdir example.com && cd example.com +``` +2. Install Trellis: +```plain +$ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git +``` +3. Install Bedrock into the `site` directory: +```plain +$ composer create-project roots/bedrock site +``` Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) for slightly different installation instructions. VirtualBox is known to have poor performance in Windows — use VMware or [see some possible solutions](https://discourse.roots.io/t/virtualbox-performance-in-windows/3932). 
@@ -73,8 +82,6 @@ For remote servers, installing Ansible locally is an additional requirement. See A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. -Note: Ubuntu 16.04 (Xenial) is still supported as well. See [#992](https://github.com/roots/trellis/pull/992) for details on the minor changes needed to run it. - 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` 3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/)) From a5bc6e0c7ce3914a982b5861af18a4f260d08f05 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 19 Dec 2018 21:54:06 -0500 Subject: [PATCH 128/663] Use Ruby for ssh-config trigger --- CHANGELOG.md | 1 + Vagrantfile | 8 ++++---- bin/ssh-vagrant-config.sh | 8 -------- lib/trellis/vagrant.rb | 21 +++++++++++++++++++++ 4 files changed, 26 insertions(+), 12 deletions(-) delete mode 100755 bin/ssh-vagrant-config.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index cef32c0613..7911a595af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053)) * Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052)) * Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767)) * Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051)) diff --git a/Vagrantfile b/Vagrantfile index cb6616dcbc..3b2ce8a521 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -137,10 +137,10 @@ Vagrant.configure('2') do |config|
 if !Vagrant::Util::Platform.windows?
 config.trigger.after :up do |trigger|
 # Add Vagrant ssh-config to ~/.ssh/config
- trigger.run = {
- path: File.join(ANSIBLE_PATH, 'bin/ssh-vagrant-config.sh'),
- args: [main_hostname]
- }
+ trigger.info = "Adding vagrant ssh-config for #{main_hostname } to ~/.ssh/config"
+ trigger.ruby do
+ update_ssh_config(main_hostname)
+ end
 end
 end
 end
diff --git a/bin/ssh-vagrant-config.sh b/bin/ssh-vagrant-config.sh
deleted file mode 100755
index 77ea4ddd50..0000000000
--- a/bin/ssh-vagrant-config.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/bash
-vagrant_host=$1
-
-# Add Vagrant ssh-config to ~/.ssh/config
-sed "/^$/d;s/Host /$NL&/" ~/.ssh/config | sed '/^Host '"$vagrant_host"'$/,/^$/d;' > config &&
-cat config > ~/.ssh/config &&
-rm config &&
-vagrant ssh-config --host ${vagrant_host} >> ~/.ssh/config
diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb
index d991d71330..980004caa5 100644
--- a/lib/trellis/vagrant.rb
+++ b/lib/trellis/vagrant.rb
@@ -76,3 +76,24 @@ def which(cmd)
 system("#{path} --help", %i(out err) => File::NULL)
 end
 end
+
+def update_ssh_config(main_hostname)
+ regexp = /(Host #{Regexp.quote(main_hostname)}(?:(?!^Host).)*)/m
+ config_file = File.expand_path('~/.ssh/config')
+ vagrant_ssh_config = `vagrant ssh-config --host #{main_hostname}`.chomp
+
+ if File.exists?(config_file)
+ FileUtils.cp(config_file, "#{config_file}.trellis_backup")
+ ssh_config = File.read(config_file)
+
+ content = if ssh_config =~ regexp
+ ssh_config.gsub(regexp, vagrant_ssh_config)
+ else
+ ssh_config << "\n#{vagrant_ssh_config}"
+ end
+
+ File.write(config_file, content)
+ else
+ File.write(config_file, vagrant_ssh_config)
+ end
+end
From 929d31f53396ddca8da49969c968f0ed6f110afb Mon Sep 17 00:00:00 2001
From: Ben Word
Date: Thu, 27 Dec 2018 10:22:13 -0700
Subject: [PATCH 129/663] 1.0.0
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
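Review bot: In `update_ssh_config` the backtick call interpolates `main_hostname` into a shell command line unquoted, and its output is used without checking `$?`, so a failed `vagrant ssh-config` yields an empty string and the `gsub` branch then replaces the user's existing `Host` block with nothing (the backup taken just before is the only safety net). Running the command with an argument array through `Open3.capture2` and aborting on a non-zero status fixes both; that needs `require 'open3'` at the top of the file, and `FileUtils` likewise needs `require 'fileutils'` unless the file already has it. Two smaller points in the same hunk: `File.exists?` is deprecated in favour of `File.exist?`, and the regexp has no boundary after the quoted hostname, so `Host example.com` also matches `Host example.com.other`. When the file is created fresh it is also worth passing `perm: 0o600` so `~/.ssh/config` does not inherit a permissive umask.
```ruby
def update_ssh_config(main_hostname)
  # line anchor after the hostname so `Host foo` does not also match `Host foo.bar`
  regexp = /(Host #{Regexp.quote(main_hostname)}$(?:(?!^Host).)*)/m
  config_file = File.expand_path('~/.ssh/config')
  # argument array: the hostname never reaches a shell; abort on failure so an
  # empty result cannot blank the user's existing Host block below
  vagrant_ssh_config, status = Open3.capture2('vagrant', 'ssh-config', '--host', main_hostname)
  raise "vagrant ssh-config failed for #{main_hostname}" unless status.success?
  vagrant_ssh_config = vagrant_ssh_config.chomp

  if File.exist?(config_file)
    # … unchanged: backup, read, gsub-or-append, write …
  else
    File.write(config_file, vagrant_ssh_config, perm: 0o600)
  end
end
```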
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7911a595af..09c7a5820e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -### HEAD +### 1.0.0: December 27th, 2018 * Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053)) * Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052)) * Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767)) From 32778c53bf3dcbaa3d1e7e73c245b3c80311ba43 Mon Sep 17 00:00:00 2001 From: Kalen Johnson Date: Thu, 27 Dec 2018 11:18:14 -0800 Subject: [PATCH 130/663] Hyper-V and SMB folder sync compatibility (#1035) --- Vagrantfile | 24 +++++++++++++++++++++--- lib/trellis/vagrant.rb | 8 ++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 3b2ce8a521..7302b3b126 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -68,14 +68,23 @@ Vagrant.configure('2') do |config| vagrant_mount_type = vconfig.fetch('vagrant_mount_type') + extra_options = if vagrant_mount_type == 'smb' + { + smb_username: vconfig.fetch('vagrant_smb_username', 'vagrant'), + smb_password: vconfig.fetch('vagrant_smb_password', 'vagrant'), + } + else + {} + end + if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? && !Vagrant.has_plugin?('vagrant-winnfsd')) vagrant_mount_type = nil if vagrant_mount_type == 'nfs' trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'], type: vagrant_mount_type + config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: mount_options(vagrant_mount_type, dmode: 776, fmode: 775), type: vagrant_mount_type, **extra_options end - config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'], type: vagrant_mount_type - config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'], type: vagrant_mount_type + config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 644), type: vagrant_mount_type, **extra_options + config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 755), type: vagrant_mount_type, **extra_options elsif !Vagrant.has_plugin?('vagrant-bindfs') fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" else 
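Review bot: `smb_password: vconfig.fetch('vagrant_smb_password', 'vagrant')` silently falls back to the well-known `vagrant`/`vagrant` pair when the user has not configured SMB credentials, so an SMB synced folder can end up mounted with a guessable host credential without anyone noticing. Since the hunk only builds `extra_options` when `vagrant_mount_type == 'smb'`, it is safer to require the value in that branch — `smb_password: vconfig.fetch('vagrant_smb_password')` — so a missing key fails loudly the way the other `fetch` calls without a default do, and to note in a comment that the password should live in the user's local override rather than committed config. The `Vagrant.configure` block this sits in starts and ends outside the hunk.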
@@ -173,4 +182,13 @@ Vagrant.configure('2') do |config| prl.memory = vconfig.fetch('vagrant_memory') prl.update_guest_tools = true end + + # Hyper-V settings + config.vm.provider 'hyperv' do |h| + h.vmname = config.vm.hostname + h.cpus = vconfig.fetch('vagrant_cpus') + h.memory = vconfig.fetch('vagrant_memory') + h.enable_virtualization_extensions = true + h.linked_clone = true + end end diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index 980004caa5..be53f5790c 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -49,6 +49,14 @@ def nfs_path(path) "/vagrant-nfs-#{File.basename(path)}" end +def mount_options(mount_type, dmode:, fmode:) + if mount_type == 'smb' + ["vers=3.02", "mfsymlinks", "dir_mode=0#{dmode}", "file_mode=0#{fmode}", "sec=ntlm"] + else + ["dmode=#{dmode}", "fmode=#{fmode}"] + end +end + def post_up_message msg = 'Your Trellis Vagrant box is ready to use!' msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine" From cda4d06aea1104c187c4c5ddb6c86b9635bbbd68 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 27 Dec 2018 15:38:00 -0700 Subject: [PATCH 131/663] Update CHANGELOG [ci skip] --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09c7a5820e..7556991b0a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### 1.0.0: December 27th, 2018 +* Hyper-V and SMB folder sync compatibility ([#1035](https://github.com/roots/trellis/pull/1035)) * Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053)) * Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052)) * Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767)) From fb8ec64110c7c55a474ca5a41bce73a031e22fc0 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 2 Jan 2019 14:50:39 -0600 Subject: [PATCH 132/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
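Review bot: `"sec=ntlm"` in the SMB branch of `mount_options` pins the CIFS mount to NTLMv1 authentication; the mount.cifs default `sec=ntlmssp` negotiates NTLMv2 and is the safer choice unless a host is known to need the older scheme. I would change that element to `"sec=ntlmssp"`, or make the security mode a parameter, and add a comment above the array explaining why a specific mode is pinned. `vers=3.02` as the minimum SMB dialect is fine.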
diff --git a/README.md b/README.md index 02634cf40c..a55700a457 100644 --- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital +Kinsta Harness Software KM Digital itineris Hébergement Web Québec ## Community From 899455ec836b122828066ffd1e699a427e384266 Mon Sep 17 00:00:00 2001 From: ouun <32090713+ouun@users.noreply.github.com> Date: Mon, 7 Jan 2019 16:18:57 +0100 Subject: [PATCH 133/663] Let's Encrypt compatibility with python3 (#1057) --- roles/letsencrypt/templates/renew-certs.py | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 88cd133419..22a6640641 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import os import sys @@ -15,15 +15,15 @@ if os.access(cert_path, os.F_OK): stat = os.stat(cert_path) - print 'Certificate file ' + cert_path + ' already exists' + print('Certificate file ' + cert_path + ' already exists') if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: - print ' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n' + print('The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n') continue - print 'Generating certificate for ' + site + print('Generating certificate for ' + site) - cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + cmd = ('/usr/bin/env python3 {{ acme_tiny_software_directory }}/acme_tiny.py ' '--quiet ' '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' 
@@ -35,19 +35,19 @@ cert = check_output(cmd, stderr=STDOUT, shell=True) except CalledProcessError as e: failed = True - print 'Error while generating certificate for ' + site - print e.output + print('Error while generating certificate for ' + site) + print(e.output) else: - with open(cert_path, 'w') as cert_file: + with open(cert_path, 'wb') as cert_file: cert_file.write(cert) with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: intermediate_cert = intermediate_cert_file.read() - with open(bundled_cert_path, 'w') as bundled_file: - bundled_file.write(''.join([cert, intermediate_cert])) + with open(bundled_cert_path, 'wb') as bundled_file: + bundled_file.write(b''.join(b[cert, intermediate_cert])) - print 'Created certificate for ' + site + print('Created certificate for ' + site) if failed: sys.exit(1) From a721ef61b95adc9e56d974b73de81c2cfbb1e4c7 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 7 Jan 2019 19:15:07 -0500 Subject: [PATCH 134/663] Fix renew-certs.py We don't need to deal with bytes and binary modes here. The solution was to set `universal_newlines=True` on `check_output` to ensure we get back a string and not bytes. --- roles/letsencrypt/templates/renew-certs.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 22a6640641..c6fe3014b8 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py 
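Review bot: `b''.join(b[cert, intermediate_cert])` indexes a name `b` that is never defined, so the success branch raises `NameError` on the first renewed certificate; the intermediate file is also still opened in text mode, so even with the typo fixed `bytes.join` would reject the `str` element. The line should read `bundled_file.write(b''.join([cert, intermediate_cert]))` with the intermediate opened as `'rb'`, or, more simply, `check_output(..., universal_newlines=True)` with text-mode files throughout. `e.output` is bytes here too and would print as `b'...'`. The surrounding `for`/`try` starts above the hunk; later commits on this page revert the port entirely.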
@@ -32,20 +32,20 @@ ).format(site, letsencrypt_cert_ids[site]) try: - cert = check_output(cmd, stderr=STDOUT, shell=True) + cert = check_output(cmd, stderr=STDOUT, shell=True, universal_newlines=True) except CalledProcessError as e: failed = True print('Error while generating certificate for ' + site) print(e.output) else: - with open(cert_path, 'wb') as cert_file: + with open(cert_path, 'w') as cert_file: cert_file.write(cert) with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: intermediate_cert = intermediate_cert_file.read() - with open(bundled_cert_path, 'wb') as bundled_file: - bundled_file.write(b''.join(b[cert, intermediate_cert])) + with open(bundled_cert_path, 'w') as bundled_file: + bundled_file.write(cert.join([intermediate_cert])) print('Created certificate for ' + site) From 4ea4c94636341fab171e4cc2f14077f83ee1f48f Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 8 Jan 2019 13:58:23 -0700 Subject: [PATCH 135/663] Revert "Merge pull request #1059 from roots/renew-certs-fix" This reverts commit 8ffc7b83ea806f158ab8ab63147c1e675f65c5b7, reversing changes made to 899455ec836b122828066ffd1e699a427e384266. --- roles/letsencrypt/templates/renew-certs.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index c6fe3014b8..22a6640641 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py 
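Review bot: `bundled_file.write(cert.join([intermediate_cert]))` drops the leaf certificate: `str.join` on a one-element list returns that element unchanged, so the bundle written to `bundled_cert_path` contains only the intermediate and the site will serve an incomplete chain. The earlier form with `''` as the separator was correct; the line should be `bundled_file.write(''.join([cert, intermediate_cert]))`. The `universal_newlines=True` change itself is fine. The enclosing loop starts above the hunk, and the next commit on this page reverts this change.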
@@ -32,20 +32,20 @@ ).format(site, letsencrypt_cert_ids[site]) try: - cert = check_output(cmd, stderr=STDOUT, shell=True, universal_newlines=True) + cert = check_output(cmd, stderr=STDOUT, shell=True) except CalledProcessError as e: failed = True print('Error while generating certificate for ' + site) print(e.output) else: - with open(cert_path, 'w') as cert_file: + with open(cert_path, 'wb') as cert_file: cert_file.write(cert) with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: intermediate_cert = intermediate_cert_file.read() - with open(bundled_cert_path, 'w') as bundled_file: - bundled_file.write(cert.join([intermediate_cert])) + with open(bundled_cert_path, 'wb') as bundled_file: + bundled_file.write(b''.join(b[cert, intermediate_cert])) print('Created certificate for ' + site) From 51e8f74460caa669054297613963480c9ea3b76c Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 8 Jan 2019 13:58:37 -0700 Subject: [PATCH 136/663] Revert "Let's Encrypt compatibility with python3 (#1057)" This reverts commit 899455ec836b122828066ffd1e699a427e384266. --- roles/letsencrypt/templates/renew-certs.py | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 22a6640641..88cd133419 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/usr/bin/env python import os import sys 
@@ -15,15 +15,15 @@ if os.access(cert_path, os.F_OK): stat = os.stat(cert_path) - print('Certificate file ' + cert_path + ' already exists') + print 'Certificate file ' + cert_path + ' already exists' if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: - print('The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n') + print ' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n' continue - print('Generating certificate for ' + site) + print 'Generating certificate for ' + site - cmd = ('/usr/bin/env python3 {{ acme_tiny_software_directory }}/acme_tiny.py ' + cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' '--quiet ' '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' @@ -35,19 +35,19 @@ cert = check_output(cmd, stderr=STDOUT, shell=True) except CalledProcessError as e: failed = True - print('Error while generating certificate for ' + site) - print(e.output) + print 'Error while generating certificate for ' + site + print e.output else: - with open(cert_path, 'wb') as cert_file: + with open(cert_path, 'w') as cert_file: cert_file.write(cert) with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: intermediate_cert = intermediate_cert_file.read() - with open(bundled_cert_path, 'wb') as bundled_file: - bundled_file.write(b''.join(b[cert, intermediate_cert])) + with open(bundled_cert_path, 'w') as bundled_file: + bundled_file.write(''.join([cert, intermediate_cert])) - print('Created certificate for ' + site) + print 'Created certificate for ' + site if failed: sys.exit(1) From a34df5d71e264c9a75bf7b042e85a48c15f29855 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 8 Jan 2019 14:45:40 -0700 Subject: [PATCH 137/663] Add Python 2 explicitly --- CHANGELOG.md | 3 +++ roles/common/defaults/main.yml | 2 ++ 2 files changed, 5 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7556991b0a..89dad22fe6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Add Python 2 explicitly ([#1061](https://github.com/roots/trellis/pull/1061)) + ### 1.0.0: December 27th, 2018 * Hyper-V and SMB folder sync compatibility ([#1035](https://github.com/roots/trellis/pull/1035)) * Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053)) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 9a6f6693c3..18dd294ade 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -26,6 +26,8 @@ _apt_packages_default: dbus: "{{ apt_package_state }}" git: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" + python2.7-minimal: "{{ apt_package_state }}" + unzip: "{{ apt_package_state }}" apt_packages_python: '2': From c5a4f7ec42672bf642596df70b970bb5257e8dda Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 8 Jan 2019 20:20:01 -0700 Subject: [PATCH 138/663] Use python package --- roles/common/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 18dd294ade..1dcdd38d15 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -26,7 +26,7 @@ _apt_packages_default: dbus: "{{ apt_package_state }}" git: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" - python2.7-minimal: "{{ apt_package_state }}" + python: "{{ apt_package_state }}" unzip: "{{ apt_package_state }}" apt_packages_python: From ad6cb1511ef504a76030e0773a6de15ecacfd1b1 Mon Sep 17 00:00:00 2001 From: Mockey Date: Sun, 13 Jan 2019 22:03:37 +0100 Subject: [PATCH 139/663] Don't add hsts header for self-signed --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index d731acad03..93e55511ee 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -78,7 +78,9 @@ server { ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_buffer_size 1400; # 1400 bytes to fit in one MTU + {% if item.value.ssl.provider | default('manual') != 'self-signed' -%} add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}"; + {% endif -%} {% if item.value.ssl.client_cert_url is defined -%} ssl_verify_client on; From bd05a61d4c00e99db9332b431ead1cec248a7889 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 16 Jan 2019 17:24:27 -0700 Subject: [PATCH 140/663] 1.0.1 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 89dad22fe6..d02af4cb87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -### HEAD +### 1.0.1: January 16th, 2019 * Add Python 2 explicitly ([#1061](https://github.com/roots/trellis/pull/1061)) ### 1.0.0: December 27th, 2018 From 4ee90a1aebd96e0697c6fe86f100a49b37e9e8d6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 21 Jan 2019 21:47:44 -0500 Subject: [PATCH 141/663] Revert "Don't force install Ansible Galaxy in dev" --- Vagrantfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 7302b3b126..307c0b7f56 100644 --- a/Vagrantfile +++ b/Vagrantfile 
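Review bot: The new `{% if item.value.ssl.provider | default('manual') != 'self-signed' -%}` guard gives no reason for skipping `Strict-Transport-Security` on self-signed sites, and the next maintainer may well remove it as an oversight. A one-line Jinja comment above it would carry the rationale; presumably it is that a browser which has recorded HSTS for the host no longer lets the user click through the certificate warning a self-signed certificate produces, e.g. `{# no HSTS with a self-signed cert: browsers refuse to bypass cert warnings on HSTS hosts, locking users out of dev sites #}`. The `server` block starts and ends outside the hunk.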
@@ -128,7 +128,6 @@ Vagrant.configure('2') do |config| ansible.playbook = File.join(provisioning_path, 'dev.yml') ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') - ansible.galaxy_command = 'ansible-galaxy install --role-file=%{role_file} --roles-path=%{roles_path}' ansible.groups = { 'web' => ['default'], From c3bb86a0df3ea0c5915542374d5edf09d579705d Mon Sep 17 00:00:00 2001 From: Patrick Artounian Date: Sun, 3 Feb 2019 14:52:30 -0800 Subject: [PATCH 142/663] Update Nginx Mainline ppa --- roles/nginx/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index ed07b1c505..c82941bcc7 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,5 +1,5 @@ --- -nginx_ppa: "ppa:nginx/development" +nginx_ppa: "ppa:nginx/mainline" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx From 005577460c9229329ad67157db32c1d35bb6a0eb Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 21 Feb 2019 16:42:46 -0700 Subject: [PATCH 143/663] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a55700a457..2bb3fea9c0 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,8 @@ Make sure all dependencies have been installed before moving on: * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 +**Windows user?** [Read the Windows getting started docs](https://roots.io/getting-started/docs/windows-development-environment-trellis/) for slightly different installation instructions. + ## Installation The recommended directory structure for a Trellis project looks like: 
@@ -66,8 +68,6 @@ $ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git $ composer create-project roots/bedrock site ``` -Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) for slightly different installation instructions. VirtualBox is known to have poor performance in Windows — use VMware or [see some possible solutions](https://discourse.roots.io/t/virtualbox-performance-in-windows/3932). - ## Local development setup 1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` From e6b29b7a926a8953513670adc0e4de70c012fb01 Mon Sep 17 00:00:00 2001 From: Louis-Michel Couture Date: Wed, 27 Feb 2019 20:47:51 -0500 Subject: [PATCH 144/663] Mark vars that shouldn't be templated with AnsibleUnsafe instead of raw --- lib/trellis/plugins/callback/vars.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index b4e079983a..a93a9ae79b 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -12,6 +12,7 @@ from ansible.playbook.task import Task from ansible.plugins.callback import CallbackBase from ansible.template import Templar +from ansible.utils.unsafe_proxy import wrap_var class CallbackModule(CallbackBase): @@ -35,7 +36,7 @@ def raw_triage(self, key_string, item, patterns): # wrap values if they match raw_vars pattern elif isinstance(item, AnsibleUnicode): match = next((pattern for pattern in patterns if re.match(pattern, key_string)), None) - return AnsibleUnicode(''.join(['{% raw %}', item, '{% endraw %}'])) if not item.startswith(('{% raw', '{%raw')) and match else item + return wrap_var(item) if match else item else: return item From 19b0ce6da683d7038484e55b6a312776057a04a6 Mon Sep 17 00:00:00 2001 
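Review bot: `return wrap_var(item) if match else item` has no comment explaining what the wrapping buys, and the dropped `startswith(('{% raw', '{%raw'))` check is a silent behaviour change: a value that a user had already fenced with `{% raw %}` is now marked unsafe as well, so those tags are no longer consumed by the templater and will, presumably, appear literally in the rendered output. I would add above the line `# wrap_var marks the value AnsibleUnsafe so later templating passes leave any {{ }} or {% %} in it untouched` and mention the change for manually fenced values in the changelog. `raw_triage` starts above the hunk.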
From: Scott Walkinshaw Date: Sun, 10 Mar 2019 22:36:42 -0400 Subject: [PATCH 145/663] Update CHANGELOG --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d02af4cb87..bea8c90b7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +### HEAD +* Improve handling of vars with `AnsibleUnsafe` ([#1071](https://github.com/roots/trellis/pull/1071)) +* Update name of Nginx PPA (`development` to `mainline`) ([#1068](https://github.com/roots/trellis/pull/1068)) +* [REVERT] Don't force install Ansible Galaxy in dev ([#1064](https://github.com/roots/trellis/pull/1064)) + ### 1.0.1: January 16th, 2019 * Add Python 2 explicitly ([#1061](https://github.com/roots/trellis/pull/1061)) From 7493db663afde2ab88d694af428dd1bdafd3ba18 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 12 Mar 2019 16:36:23 -0600 Subject: [PATCH 146/663] Remove community health files so that defaults from roots/.github are used --- .github/CONTRIBUTING.md | 1 - .github/ISSUE_TEMPLATE.md | 65 ---------------------------------- CODE_OF_CONDUCT.md | 74 --------------------------------------- 3 files changed, 140 deletions(-) delete mode 100644 .github/CONTRIBUTING.md delete mode 100644 .github/ISSUE_TEMPLATE.md delete mode 100644 CODE_OF_CONDUCT.md diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md deleted file mode 100644 index 5867feed23..0000000000 --- a/.github/CONTRIBUTING.md +++ /dev/null @@ -1 +0,0 @@ -Please read [Contributing to Roots Projects](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md deleted file mode 100644 index 425c793cf0..0000000000 --- a/.github/ISSUE_TEMPLATE.md +++ /dev/null 
@@ -1,65 +0,0 @@ -## Submit a feature request or bug report - -- [ ] I've read the [guidelines for Contributing to Roots Projects](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) -- [ ] This is a feature request -- [ ] This is a bug report -- [ ] This request isn't a duplicate of an [existing issue](https://github.com/roots/trellis/issues) -- [ ] I've read the [docs](https://roots.io/trellis/docs) and followed them (if applicable) -- [ ] This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/c/trellis) forums - -Replace any `X` with your information. - ---- - -**What is the current behavior?** - -X - - -**What is the expected or desired behavior?** - -X - ---- - -## Bug report - -(delete this section if not applicable) - -**Please provide steps to reproduce, including full log output:** - -X - -**Please describe your local environment:** - -Ansible version: X - -OS: X - -Vagrant version: X - -**Where did the bug happen? Development or remote servers?** - -X - -**Please provide a repository or your `wordpress_sites` config (if possible):** - -X - -**Is there a related [Discourse](https://discourse.roots.io/) thread or were any utilized (please link them)?** - -X - ---- - -## Feature Request - -(delete this section if not applicable) - -**Please provide use cases for changing the current behavior:** - -X - -**Other relevant information:** - -X diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md deleted file mode 100644 index f663c4792c..0000000000 --- a/CODE_OF_CONDUCT.md +++ /dev/null 
@@ -1,74 +0,0 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, gender identity and expression, level of experience, -nationality, personal appearance, race, religion, or sexual identity and -orientation. - -## Our Standards - -Examples of behavior that contributes to creating a positive environment -include: - -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members - -Examples of unacceptable behavior by participants include: - -* The use of sexualized language or imagery and unwelcome sexual attention or - advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic - address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting - -## Our Responsibilities - -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. - -Project maintainers have the right and responsibility to remove, edit, or -reject comments, commits, code, wiki edits, issues, and other contributions -that are not aligned to this Code of Conduct, or to ban temporarily or -permanently any contributor for other behaviors that they deem inappropriate, -threatening, offensive, or harmful. 
- -## Scope - -This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at team@roots.io. All -complaints will be reviewed and investigated and will result in a response that -is deemed necessary and appropriate to the circumstances. The project team is -obligated to maintain confidentiality with regard to the reporter of an incident. -Further details of specific enforcement policies may be posted separately. - -Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html - -[homepage]: https://www.contributor-covenant.org - From 2e5bc068b3607cf3dc95f5b1f075ee6201d2a990 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 13 Mar 2019 10:16:27 -0600 Subject: [PATCH 147/663] Update CHANGELOG [ci skip] --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bea8c90b7c..c8eb748e1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,4 @@ -### HEAD +### 1.0.2: March 13th, 2019 * Improve handling of vars with `AnsibleUnsafe` ([#1071](https://github.com/roots/trellis/pull/1071)) * Update name of Nginx PPA (`development` to `mainline`) ([#1068](https://github.com/roots/trellis/pull/1068)) * [REVERT] Don't force install Ansible Galaxy in dev ([#1064](https://github.com/roots/trellis/pull/1064)) From 06618ae5b068783ce21f57f240f4f7e7feebb5a9 Mon Sep 17 00:00:00 2001 From: Brandon Date: Wed, 13 Mar 2019 22:11:23 -0500 Subject: [PATCH 148/663] Prevent direct access for .blade.php files --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 93e55511ee..2067ee1701 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -121,6 +121,13 @@ server { deny all; } {% endblock %} + + {% block blade_php -%} + # Prevent .blade.php files from being accessed directly. + location ~* \.(blade.php)$ { + deny all; + } + {% endblock %} {% block location_primary -%} location / { From b93146aefe01336c7e87506223970d8706b14f4f Mon Sep 17 00:00:00 2001 From: Brandon Date: Thu, 14 Mar 2019 00:18:51 -0500 Subject: [PATCH 149/663] Prevent Twig files --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 2067ee1701..8767ee9e57 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
@@ -122,9 +122,9 @@ server { } {% endblock %} - {% block blade_php -%} - # Prevent .blade.php files from being accessed directly. - location ~* \.(blade.php)$ { + {% block blade_twig_php -%} + # Prevent Blade and Twig files from being accessed directly. + location ~* \.(blade.php|twig)$ { deny all; } {% endblock %} From b6e4f1bd35fd6de8631a8db4cfe637da05fe4ba3 Mon Sep 17 00:00:00 2001 From: Brandon Date: Thu, 14 Mar 2019 00:21:12 -0500 Subject: [PATCH 150/663] Minor wording change --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 8767ee9e57..28d16562ae 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -122,8 +122,8 @@ server { } {% endblock %} - {% block blade_twig_php -%} - # Prevent Blade and Twig files from being accessed directly. + {% block blade_twig_templates -%} + # Prevent Blade and Twig templates from being accessed directly. location ~* \.(blade.php|twig)$ { deny all; } From b428092dec172fd2181be3876b66099e9afc08b6 Mon Sep 17 00:00:00 2001 From: Brandon Date: Thu, 14 Mar 2019 00:50:38 -0500 Subject: [PATCH 151/663] Escape period --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 28d16562ae..b9fd7205ca 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -124,7 +124,7 @@ server { {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. - location ~* \.(blade.php|twig)$ { + location ~* \.(blade\.php|twig)$ { deny all; } {% endblock %} 
From c877b575c01757c005e10458b848984ae2e581e9 Mon Sep 17 00:00:00 2001 From: Brandon Date: Tue, 26 Mar 2019 00:37:06 -0500 Subject: [PATCH 152/663] Handle traversed requested paths Return a 401 in all cases to prevent snooping --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index b9fd7205ca..6d7b49dc2f 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -124,8 +124,8 @@ server { {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. - location ~* \.(blade\.php|twig)$ { - deny all; + location ~* \.(blade\.php)(/.*)?$ { + return 401; } {% endblock %} From f41e400648f97eedc4ff59c806955d51b27c1026 Mon Sep 17 00:00:00 2001 From: Brandon Date: Tue, 26 Mar 2019 00:37:47 -0500 Subject: [PATCH 153/663] Re-add Twig support --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 6d7b49dc2f..0579f91dfd 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -124,7 +124,7 @@ server { {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. - location ~* \.(blade\.php)(/.*)?$ { + location ~* \.(blade\.php|twig)(/.*)?$ { return 401; } {% endblock %} From 978d46f4584029bdf2577760167ed27adb48a269 Mon Sep 17 00:00:00 2001 From: Brandon Date: Fri, 29 Mar 2019 03:14:18 -0500 Subject: [PATCH 154/663] Revert to original regex Revert to a 403 (`deny all`) --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
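Review bot: `return 401;` in the new `blade_twig_templates` location is the wrong status for a hard block: 401 tells clients that credentials would grant access and is meant to be paired with a `WWW-Authenticate` header, which nothing here sends. A 403 (`deny all;`) or, if you prefer not to confirm that the file exists, `return 404;` is the conventional choice for blocking template sources. The hunk also drops `twig` from the alternation without the commit message mentioning it. The `server` block continues outside the hunk.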
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 0579f91dfd..b9fd7205ca 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -124,8 +124,8 @@ server { {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. - location ~* \.(blade\.php|twig)(/.*)?$ { - return 401; + location ~* \.(blade\.php|twig)$ { + deny all; } {% endblock %} From 0517fd70a4e9ce3995b95ebc8467047338a9a5b8 Mon Sep 17 00:00:00 2001 From: Igor Buyanov Date: Thu, 11 Apr 2019 11:22:20 +0300 Subject: [PATCH 155/663] Show custom error message if external IP resolution fails --- roles/common/tasks/main.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index f4535561de..514767e8f0 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -144,8 +144,12 @@ when: env == 'development' - name: Retrieve SSH client IP - ipify_facts: - delegate_to: localhost - become: no - when: env != 'development' and ssh_client_ip_lookup | default(true) - tags: [fail2ban, ferm] + block: + - ipify_facts: + delegate_to: localhost + become: no + when: env != 'development' and ssh_client_ip_lookup | default(true) + tags: [fail2ban, ferm] + rescue: + - fail: + msg: "External IP resolution failed. Check that your DNS servers are working. Try to disable DNSCrypt if you are using it." From 512d8f93607593a6c56227db3e71893efbf32c2c Mon Sep 17 00:00:00 2001 
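Review bot: Reverting to the `$`-anchored `location ~* \.(blade\.php|twig)$` means a request with trailing path info after the template name no longer matches this block; whether that matters depends on the `.php` handler location, which is outside this hunk and presumably also `$`-anchored so such requests fall through to `location /`. Since the commit message only says "revert", record the reasoning next to the line so the next reader does not re-open the question, e.g. `# $-anchored on purpose: the PHP handler location is $-anchored too, so path-info variants never reach PHP-FPM` (adjust if that is not the actual reason).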
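Review bot: `tags: [fail2ban, ferm]` and the `when:` guard were moved onto the inner `ipify_facts` task only, so the `rescue` `fail` task is untagged; a tag-filtered run such as `--tags ferm` executes the lookup but may not run the rescue handler, and a normal run enters the block even when the condition is false. Putting `when:` and `tags:` on the `block` itself selects or skips the block and its rescue as one unit. The rescue message also attributes every failure to DNS or DNSCrypt, while an unreachable API endpoint or a proxy problem fails the same way; wording it as a possible cause and surfacing the underlying module error, where the Ansible version in use exposes it inside `rescue`, would make the failure actionable. The task list continues outside the hunk.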
From: Nathan Knowler Date: Fri, 12 Apr 2019 11:03:48 -0600 Subject: [PATCH 156/663] Use all canonical site hosts for Landrush TLD (#1077) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Use all canonical site hosts for Landrush TLD This is useful if you want to use WordPress’ multisite domain mapping locally and if you’ve specified canonical hosts which are not sub-domains of the main canonical host. * Filter subdomains for Landrush TLD resolver This filters out subdomains of the main hostname for the Landrush TLD(s). This way it only adds necessary resolvers. For example, of the following: - `example.test` (main hostname) - `subdomain.example.test` - `client.test` We tell Landrush (dnsmaq) to only create: - `/etc/resolver/example.test` - `/etc/resolver/client.test` Because `example.test` handles `subdomain.example.test`. --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 307c0b7f56..698415ba9b 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -58,7 +58,7 @@ Vagrant.configure('2') do |config| config.hostmanager.aliases = hostnames + redirects elsif Vagrant.has_plugin?('landrush') && trellis_config.multisite_subdomains? config.landrush.enabled = true - config.landrush.tld = config.vm.hostname + config.landrush.tld = trellis_config.site_hosts_canonical.reject { |host| host.end_with?(".#{main_hostname}") } hostnames.each { |host| config.landrush.host host, vconfig.fetch('vagrant_ip') } else fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager\n\nOr install landrush for multisite subdomains:\nvagrant plugin install landrush" From f293d7aed7389805ddfe8e69346df5e9d2894de4 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 30 Apr 2019 14:08:54 -0600 Subject: [PATCH 157/663] Update CHANGELOG [ci skip] --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) 
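Review bot: The new `reject` only drops hosts that are subdomains of `main_hostname`, so a canonical host that is a subdomain of another non-main canonical host still gets its own resolver, which is the duplication the commit message says it wants to avoid. Filtering each host against every other host in the list matches the stated intent: `hosts = trellis_config.site_hosts_canonical` followed by `config.landrush.tld = hosts.reject { |host| hosts.any? { |other| other != host && host.end_with?(".#{other}") } }`. `main_hostname` is used here but defined outside the hunk, and `landrush.tld` now receives an array rather than a string — confirm both are in scope and accepted. The `Vagrant.configure` block starts and ends outside the hunk.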
diff --git a/CHANGELOG.md b/CHANGELOG.md index c8eb748e1c..dbc7c82cac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +### 1.0.3: April 30th, 2019 +* Prevent direct access for `.blade.php` files ([#1075](https://github.com/roots/trellis/pull/1075)) +* Show custom error message if external IP resolution fails ([#1078](https://github.com/roots/trellis/pull/1078)) +* Use all canonical site hosts for Landrush TLD ([#1077](https://github.com/roots/trellis/pull/1077)) + ### 1.0.2: March 13th, 2019 * Improve handling of vars with `AnsibleUnsafe` ([#1071](https://github.com/roots/trellis/pull/1071)) * Update name of Nginx PPA (`development` to `mainline`) ([#1068](https://github.com/roots/trellis/pull/1068)) From 2eba500eefea91c5b87a8a7b6d625bc5276cca0d Mon Sep 17 00:00:00 2001 From: Alyson Melo Date: Thu, 13 Jun 2019 09:11:35 -0600 Subject: [PATCH 158/663] Update apt packages before checking essentials This step will prevent errors such as: No package matching 'build-essential' is available --- roles/common/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 514767e8f0..aeff82462d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -110,6 +110,10 @@ when: openssh_6_8_plus and validate_ssh | default(true) tags: [sshd] +- name: Update apt packages + apt: + update_cache: yes + - name: Checking essentials apt: name: "{{ item.key }}" From 3121d4c02a4e53f5596874ab1873292f5214267a Mon Sep 17 00:00:00 2001 From: Richard Smolenski Date: Tue, 18 Jun 2019 17:50:45 -0700 Subject: [PATCH 159/663] Fixed Vagrant VMware provider display name --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 698415ba9b..2343d732ef 100644 --- a/Vagrantfile +++ b/Vagrantfile 
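Review bot: The new `Update apt packages` task runs `update_cache: yes` without a `cache_valid_time`, so it refreshes the index and reports `changed` on every run, which costs idempotent reporting for the whole play. If the project already defines an apt cache validity variable, pass it here as `cache_valid_time:`, and write `update_cache: true` rather than the YAML 1.1 `yes`. The name is also misleading because the task refreshes the package index and does not upgrade anything; `- name: Update apt package index` says what it does. The surrounding task list continues outside the hunk.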
@@ -168,7 +168,7 @@ Vagrant.configure('2') do |config| # VMware Workstation/Fusion settings %w(vmware_fusion vmware_workstation).each do |provider| config.vm.provider provider do |vmw, _override| - vmw.name = config.vm.hostname + vmw.vmx['displayName'] = config.vm.hostname vmw.vmx['numvcpus'] = vconfig.fetch('vagrant_cpus') vmw.vmx['memsize'] = vconfig.fetch('vagrant_memory') end From 5c995c6fcb2b59dcc62244e5d8968b736b09fbf2 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 13 Jul 2019 11:21:44 -0600 Subject: [PATCH 160/663] Update README [ci skip] --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2bb3fea9c0..25cc040669 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Trellis [![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) [![Build Status](https://img.shields.io/travis/roots/trellis.svg?style=flat-square)](https://travis-ci.org/roots/trellis) +[![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square)](https://twitter.com/rootswp) Ansible playbooks for setting up a LEMP stack for WordPress. From e489fe793062d012569e7879541809fd2b220f7b Mon Sep 17 00:00:00 2001 From: QWp6t Date: Mon, 15 Jul 2019 09:28:44 -0700 Subject: [PATCH 161/663] chore(readme): Use brand color for Twitter follow badge [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 25cc040669..8bc578df13 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # Trellis [![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) [![Build Status](https://img.shields.io/travis/roots/trellis.svg?style=flat-square)](https://travis-ci.org/roots/trellis) -[![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square)](https://twitter.com/rootswp) +[![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square&color=1da1f2)](https://twitter.com/rootswp) Ansible playbooks for setting up a LEMP stack for WordPress. From a4828e559e7d60deb13916bb8b6c9b3c83e9cd2c Mon Sep 17 00:00:00 2001 From: Brandon Date: Sun, 21 Jul 2019 16:44:18 -0500 Subject: [PATCH 162/663] Move to CircleCI (#1092) --- .circleci/config.yml | 100 +++++++++++++++++++++++++++++++++++++++++++ .gitattributes | 2 + .travis.yml | 13 ------ 3 files changed, 102 insertions(+), 13 deletions(-) create mode 100644 .circleci/config.yml create mode 100644 .gitattributes delete mode 100644 .travis.yml diff --git a/.circleci/config.yml b/.circleci/config.yml new file mode 100644 index 0000000000..92bb47d633 --- /dev/null +++ b/.circleci/config.yml 
@@ -0,0 +1,100 @@ +version: 2.1 + +orbs: + trellis: + executors: + python-2: + docker: + - image: 'circleci/python:2-stretch' + python-3: + docker: + - image: 'circleci/python:3-stretch' + + jobs: + syntax-check: + parameters: + ansible-version: + type: string + python-version: + type: enum + enum: ['3', '2'] + executor: python-<< parameters.python-version >> + steps: + - run: python --version + - checkout + - restore_cache: + keys: + - ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "requirements.yml" }} + - run: + name: Install Python dependencies in a venv + command: | + virtualenv venv + . venv/bin/activate + pip install ansible<< parameters.ansible-version >> + ansible --version + - run: + name: Install Galaxy roles + command: | + . venv/bin/activate + ansible-galaxy install -r requirements.yml + - save_cache: + key: ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "requirements.yml" }} + paths: + - venv + - vendor + - run: + name: Check Playbook syntax + command: | + . 
venv/bin/activate + ansible-playbook --syntax-check -e env=development deploy.yml + ansible-playbook --syntax-check -e env=development dev.yml + ansible-playbook --syntax-check -e env=development server.yml + +workflows: + syntax-check: + jobs: + - trellis/syntax-check: + name: syntax-check-python-3-ansible-latest + python-version: '3' + ansible-version: '' + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.8 + python-version: '3' + ansible-version: ~=2.8.0 + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.7 + python-version: '3' + ansible-version: ~=2.7.0 + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.6 + python-version: '3' + ansible-version: ~=2.6.0 + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.5 + python-version: '3' + ansible-version: ~=2.5.0 + + - trellis/syntax-check: + name: syntax-check-python-2-ansible-latest + python-version: '2' + ansible-version: '' + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.8 + python-version: '2' + ansible-version: ~=2.8.0 + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.7 + python-version: '2' + ansible-version: ~=2.7.0 + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.6 + python-version: '2' + ansible-version: ~=2.6.0 + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.5 + python-version: '2' + ansible-version: ~=2.5.0 + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.4 + python-version: '2' + ansible-version: ~=2.4.0 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000..41c1519e9f --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +/.circleci export-ignore +/.gitattributes export-ignore diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 59ec6f6dce..0000000000 --- a/.travis.yml +++ /dev/null 
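Review bot: The "latest" matrix entries pass `ansible-version: ''`, so their cache key (`ansible-v1-<python>--<checksum>`) never changes and, once `venv` has been saved, `pip install ansible` in the restored venv finds Ansible already installed and does not upgrade — those jobs end up pinned to whatever release was cached first rather than testing the latest one. Either pass `--upgrade` for the unpinned case, leave `venv` out of the cache for it, or fold something that changes with new releases into the key. Relatedly, the executors pull `circleci/python:2-stretch` and `circleci/python:3-stretch` by mutable tag; pinning the images by digest keeps the syntax-check environment reproducible.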
@@ -1,13 +0,0 @@ -language: python -python: - - 2.7 - - 3.6 -sudo: false -cache: pip -install: - - pip install ansible -script: - - ansible-galaxy install --force -r requirements.yml -p vendor/roles - - ansible-playbook --syntax-check -e env=development deploy.yml - - ansible-playbook --syntax-check -e env=development dev.yml - - ansible-playbook --syntax-check -e env=development server.yml From e5ff8d907c44206b1124b79f6c85a35b289b7c98 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 22 Jun 2019 16:20:51 +0100 Subject: [PATCH 163/663] Deploy: Setup composer authentications --- roles/deploy/hooks/build-after.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 6c8c462984..ca0c45e82c 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -17,6 +17,14 @@ no_log: true when: project.packagist_token is defined +- name: Setup composer authentications + composer: + command: config + arguments: --auth http-basic.{{ item.hostname }} {{ item.username }} {{ item.password }} + working_dir: "{{ deploy_helper.new_release_path }}" + no_log: true + loop: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" + - name: Install Composer dependencies composer: no_scripts: yes From 2ae64fbb432d5d1026231cfc562f80fc25902174 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 22 Jun 2019 18:33:07 +0100 Subject: [PATCH 164/663] wordpress-install: Setup composer authentications --- .../tasks/composer-authentications.yml | 10 ++++++++++ roles/wordpress-install/tasks/main.yml | 8 ++++++++ 2 files changed, 18 insertions(+) create mode 100644 roles/wordpress-install/tasks/composer-authentications.yml diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml new file mode 100644 index 0000000000..d1b344f6f3 --- /dev/null 
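Review bot: The new `Setup composer authentications` task interpolates `item.password` into the single `arguments` string; if the `composer` module tokenises that string on whitespace before execution (the usual `run_command` behaviour for a string command), a password containing spaces or quotes is split or mangled, and in any case the secret is visible in the host's process list for the duration of the call. `no_log: true` is correctly set; consider additionally supplying the credentials through Composer's `COMPOSER_AUTH` environment variable on the install task rather than persisting them with `config --auth`, which also avoids writing `auth.json` into the release directory — confirm that directory is not served by the web server. The same pattern appears in the new `composer-authentications.yml` task file of the next commit. The hook's task list continues outside the hunk.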
+++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -0,0 +1,10 @@ +--- +- name: "Setup composer authentications - {{ site }}" + composer: + command: config + arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} + working_dir: "{{ working_dir }}" + no_log: true + loop: "{{ composer_authentications }}" + loop_control: + loop_var: composer_authentication diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 58b1f88f95..da13e0252c 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -34,6 +34,14 @@ when: item.value.packagist_token is defined with_dict: "{{ wordpress_sites }}" +- include_tasks: tasks/composer-authentications.yml + vars: + site: "{{ item.key }}" + working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" + composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" + no_log: true + with_dict: "{{ wordpress_sites }}" + - name: Install Dependencies with Composer composer: no_dev: no From c6228174a5f689df95bde698c4065d3ca6894a77 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 22 Jun 2019 18:37:27 +0100 Subject: [PATCH 165/663] Bump ansible `version_requirement` to `2.5.0.0` --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 81e0e28365..360017b1e8 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -14,7 +14,7 @@ from ansible.utils.display import Display display = Display() -version_requirement = '2.4.0.0' +version_requirement = '2.5.0.0' version_tested_max = '2.7.5' python3_required_version = '2.5.3' From 162595f870a5ad422cd4fe406fc0bfa6da262a2b Mon Sep 17 00:00:00 2001 
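Review bot: In the `include_tasks` vars, `composer_authentications` is built from `vault_wordpress_sites[site]` where `site` is defined two lines above in the same `vars:` mapping; this works only because Ansible templates vars lazily, and a reader has to spot the self-reference. Using the loop item directly removes the dependency: `composer_authentications: "{{ vault_wordpress_sites[item.key].composer_authentications | default([]) }}"`. `no_log: true` on the `include_tasks` only suppresses the include's own output, so the credential handling relies on the `no_log` inside the included task, which the new file does set. The task list continues outside the hunk.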
From: Tang Rufus Date: Sat, 22 Jun 2019 18:51:09 +0100 Subject: [PATCH 166/663] Update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbc7c82cac..0fe094747a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### Head +* Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091)) + ### 1.0.3: April 30th, 2019 * Prevent direct access for `.blade.php` files ([#1075](https://github.com/roots/trellis/pull/1075)) * Show custom error message if external IP resolution fails ([#1078](https://github.com/roots/trellis/pull/1078)) From bfb1e11dbd03e9e49d86103549aa9f39d03bfe7d Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 21 Jul 2019 16:28:11 +0100 Subject: [PATCH 167/663] Remove `Setup packagist.com authentication` task See: https://github.com/roots/trellis/pull/1091#issuecomment-504694388 --- group_vars/all/helpers.yml | 6 ++++++ roles/deploy/hooks/build-after.yml | 18 ++++++++---------- .../tasks/composer-authentications.yml | 4 ++++ roles/wordpress-install/tasks/main.yml | 10 ---------- 4 files changed, 18 insertions(+), 20 deletions(-) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 11bb881d43..20a70ecf80 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -18,3 +18,9 @@ ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default( ssl_stapling_enabled: "{{ item.value.ssl is defined and item.value.ssl.stapling_enabled | default(true) }}" cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}" sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}" + +# For backward compatibility, to be removed in Trellis v2. +site_packagist_org_authentications: + - { hostname: repo.packagist.com, username: token, password: "{{ vault_wordpress_sites[site].packagist_token | default('') }}" } +site_composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" +composer_authentications: "{{ site_packagist_org_authentications + site_composer_authentications }}" diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index ca0c45e82c..50546933ac 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml 
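Review bot: `site_packagist_org_authentications` always contributes a `repo.packagist.com` entry, with `password` as an empty string when no `packagist_token` is set, so every consumer of `composer_authentications` has to re-implement the non-empty-password guard (both task files in this commit do). Filtering once in the helper keeps the list clean for all callers: `composer_authentications: "{{ (site_packagist_org_authentications + site_composer_authentications) | rejectattr('password', 'equalto', '') | list }}"`. These helpers also depend on `site` being set by whatever includes them, which is not visible in this file; state that in the comment, e.g. `# Requires the caller to set site (deploy playbook / include_tasks vars).`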
@@ -9,21 +9,19 @@ msg: "Unable to find a `composer.json` file in the root of '{{ deploy_helper.new_release_path }}'. Make sure your repo has a `composer.json` file in its root or edit `repo_subtree_path` for '{{ site }}' in `wordpress_sites.yml` so it points to the directory with a `composer.json` file." when: not composer_json.stat.exists -- name: Setup packagist.com authentication - composer: - command: config - arguments: --auth http-basic.repo.packagist.com token {{ project.packagist_token }} - working_dir: "{{ deploy_helper.new_release_path }}" - no_log: true - when: project.packagist_token is defined - - name: Setup composer authentications composer: command: config - arguments: --auth http-basic.{{ item.hostname }} {{ item.username }} {{ item.password }} + arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} working_dir: "{{ deploy_helper.new_release_path }}" no_log: true - loop: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" + when: + - composer_authentication.hostname is defined and composer_authentication.hostname != "" + - composer_authentication.username is defined and composer_authentication.username != "" + - composer_authentication.password is defined and composer_authentication.password != "" + loop: "{{ composer_authentications }}" + loop_control: + loop_var: composer_authentication - name: Install Composer dependencies composer: diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index d1b344f6f3..86a5d914c1 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml 
@@ -5,6 +5,10 @@ arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} working_dir: "{{ working_dir }}" no_log: true + when: + - composer_authentication.hostname is defined and composer_authentication.hostname != "" + - composer_authentication.username is defined and composer_authentication.username != "" + - composer_authentication.password is defined and composer_authentication.password != "" loop: "{{ composer_authentications }}" loop_control: loop_var: composer_authentication diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index da13e0252c..5b32fcbe33 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -25,20 +25,10 @@ become: no with_items: "{{ known_hosts | default([]) }}" -- name: Setup packagist.com authentication - composer: - command: config - arguments: --auth http-basic.repo.packagist.com token {{ item.value.packagist_token }} - working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - no_log: true - when: item.value.packagist_token is defined - with_dict: "{{ wordpress_sites }}" - - include_tasks: tasks/composer-authentications.yml vars: site: "{{ item.key }}" working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" no_log: true with_dict: "{{ wordpress_sites }}" From 05ed27bb4049c7fe7549f69092e03054b9f38f3b Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 22 Jul 2019 13:13:45 +0100 Subject: [PATCH 168/663] CircleCI: Remove ansible 2.4 from the test matrix --- .circleci/config.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 92bb47d633..fb4e7afafd 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -94,7 +94,3 @@ workflows: name: syntax-check-python-2-ansible-2.5 python-version: '2' ansible-version: ~=2.5.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.4 - python-version: '2' - ansible-version: ~=2.4.0 From 4ceb95ba2e2254bf2156802239d7934d5b1095ab Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Wed, 24 Jul 2019 12:24:07 +0100 Subject: [PATCH 169/663] Setup composer authentications: Add label --- roles/deploy/hooks/build-after.yml | 1 + roles/wordpress-install/tasks/composer-authentications.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 50546933ac..6626ab24f5 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -22,6 +22,7 @@ loop: "{{ composer_authentications }}" loop_control: loop_var: composer_authentication + label: "{{ composer_authentication.hostname }}" - name: Install Composer dependencies composer: diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 86a5d914c1..10dd26efb8 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -12,3 +12,4 @@ loop: "{{ composer_authentications }}" loop_control: loop_var: composer_authentication + label: "{{ composer_authentication.hostname }}" From 9c5ac561a8df49bfa3c5294dea543687f74ed18a Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Wed, 24 Jul 2019 12:26:26 +0100 Subject: [PATCH 170/663] Setup composer authentications: Set `changed_when` to `false` --- roles/deploy/hooks/build-after.yml | 1 + roles/wordpress-install/tasks/composer-authentications.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 6626ab24f5..c637d12882 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml 
@@ -15,6 +15,7 @@ arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} working_dir: "{{ deploy_helper.new_release_path }}" no_log: true + changed_when: false when: - composer_authentication.hostname is defined and composer_authentication.hostname != "" - composer_authentication.username is defined and composer_authentication.username != "" diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 10dd26efb8..9d0a8368d3 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -5,6 +5,7 @@ arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} working_dir: "{{ working_dir }}" no_log: true + changed_when: false when: - composer_authentication.hostname is defined and composer_authentication.hostname != "" - composer_authentication.username is defined and composer_authentication.username != "" From faaf213ae2186c6ccf55159becd8910e20c82bf1 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 24 Jul 2019 08:44:27 -0400 Subject: [PATCH 171/663] Update CHANGELOG for #1086 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fe094747a..1e46c793a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### Head +* Update apt packages before checking essentials task ([#1086](https://github.com/roots/trellis/pull/1086)) * Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091)) ### 1.0.3: April 30th, 2019 From 7971ad8b76b61724d1a24f81cdeda2b10d8488a3 Mon Sep 17 00:00:00 2001 
From: Ben Word Date: Wed, 31 Jul 2019 20:00:13 -0600 Subject: [PATCH 172/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8bc578df13..ce5e901a91 100644 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital itineris Hébergement Web Québec +Kinsta KM Digital Hébergement Web Québec ## Community From 207c5f461a4981ac1f351839091fa9c1594929d0 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 1 Aug 2019 10:12:02 -0600 Subject: [PATCH 173/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ce5e901a91..ccfdc9c748 100644 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Hébergement Web Québec +Kinsta KM Digital ## Community From e86edb8f9ee2bd4a4c4572c4d4b9c644fd0e65c9 Mon Sep 17 00:00:00 2001 From: Brandon Date: Sat, 3 Aug 2019 08:23:24 -0500 Subject: [PATCH 174/663] Change build badge to CircleCI [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ccfdc9c748..b0463db682 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Trellis [![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) -[![Build Status](https://img.shields.io/travis/roots/trellis.svg?style=flat-square)](https://travis-ci.org/roots/trellis) +[![Build Status](https://img.shields.io/circleci/build/gh/roots/trellis?style=flat-square)](https://circleci.com/gh/roots/trellis) [![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square&color=1da1f2)](https://twitter.com/rootswp) Ansible playbooks for setting up a LEMP stack for WordPress. From 4d135203f6d485a098214f783e39b5490685d92b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 21 Jun 2019 13:09:42 -0400 Subject: [PATCH 175/663] Ensure ssh config dir exists before writing file This assumed `~/.ssh/` would exist and just the file didn't. Now it will create the directory as well if it doesn't exist. --- lib/trellis/vagrant.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index be53f5790c..fa60ad0112 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -102,6 +102,7 @@ def update_ssh_config(main_hostname) File.write(config_file, content) else + FileUtils.mkdir_p(File.dirname(config_file), mode: 0700) File.write(config_file, vagrant_ssh_config) end end From d0c7ece9fc1e53465d23abb508cd33b064d9dc01 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 10 Aug 2019 17:31:06 -0400 Subject: [PATCH 176/663] Add .trellis dir This will be used for trellis-cli integration --- .gitignore | 1 + .trellis/.gitkeep | 0 2 files changed, 1 insertion(+) create mode 100644 .trellis/.gitkeep diff --git a/.gitignore b/.gitignore index 5168a936a0..d0fc5f0aa7 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ vagrant.local.yml vendor/roles *.py[co] *.retry +.trellis/virtualenv diff --git a/.trellis/.gitkeep b/.trellis/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 
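Review bot: `FileUtils.mkdir_p(File.dirname(config_file), mode: 0700)` applies `0700` only to directories it creates, so a pre-existing `~/.ssh` with looser permissions is left untouched; that is acceptable, but a short comment saying so would stop a reader from assuming the directory is always tightened. `FileUtils` also needs `require 'fileutils'` unless the file already loads it, which this hunk does not show. The config file written on the next line gets umask-default permissions, and ssh refuses a config that is group- or world-writable, so `File.write(config_file, vagrant_ssh_config, perm: 0600)` would keep it owner-only to match the directory. `update_ssh_config` starts outside the hunk.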
From 846041dac3c400041e8492d4fffea85dde3b53a3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 10 Aug 2019 17:33:01 -0400 Subject: [PATCH 177/663] Rename requirements.yml to galaxy.yml --- .circleci/config.yml | 6 +++--- Vagrantfile | 2 +- requirements.yml => galaxy.yml | 0 3 files changed, 4 insertions(+), 4 deletions(-) rename requirements.yml => galaxy.yml (100%) diff --git a/.circleci/config.yml b/.circleci/config.yml index fb4e7afafd..78cb92c462 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -24,7 +24,7 @@ orbs: - checkout - restore_cache: keys: - - ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "requirements.yml" }} + - ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "galaxy.yml" }} - run: name: Install Python dependencies in a venv command: | @@ -36,9 +36,9 @@ orbs: name: Install Galaxy roles command: | . venv/bin/activate - ansible-galaxy install -r requirements.yml + ansible-galaxy install -r galaxy.yml - save_cache: - key: ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "requirements.yml" }} + key: ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "galaxy.yml" }} paths: - venv - vendor diff --git a/Vagrantfile b/Vagrantfile index 2343d732ef..33e41fdfd3 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -126,7 +126,7 @@ Vagrant.configure('2') do |config| ansible.compatibility_mode = '2.0' ansible.playbook = File.join(provisioning_path, 'dev.yml') - ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] + ansible.galaxy_role_file = File.join(provisioning_path, 'galaxy.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') ansible.groups = { 
diff --git a/requirements.yml b/galaxy.yml similarity index 100% rename from requirements.yml rename to galaxy.yml From 634f4aa2136ad3db218889402e603bd8243c0622 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 10 Aug 2019 17:41:21 -0400 Subject: [PATCH 178/663] Add pip requirements.txt --- requirements.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 requirements.txt diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000000..76b46f967b --- /dev/null +++ b/requirements.txt @@ -0,0 +1,2 @@ +ansible>=2.5.0.0,<=2.7.5 +passlib From 9c6878c4222ac595b096e97b54e82887632615cc Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 1 Sep 2019 11:42:11 -0400 Subject: [PATCH 179/663] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e46c793a3..adfdd8bf49 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### Head +* Add pip `requirements.txt` and rename `requirements.yml` to `galaxy.yml` ([#1100](https://github.com/roots/trellis/pull/1100)) * Update apt packages before checking essentials task ([#1086](https://github.com/roots/trellis/pull/1086)) * Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091)) From 6e384cbca417e8bd7beb4435fe2ef5f513c41a84 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 1 Sep 2019 11:47:40 -0400 Subject: [PATCH 180/663] Bump swapfile role to v2.0.22 Fixes #1098 --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index c8d23a67ca..1674a7c9e7 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -12,7 +12,7 @@ - name: swapfile src: oefenweb.swapfile - version: v2.0.6 + version: v2.0.22 - name: mailhog src: geerlingguy.mailhog From 37608dc822664e040c8cf4c5b7cb36e60945d4f9 Mon Sep 17 00:00:00 2001 
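Review bot: `passlib` is added without any version constraint while `ansible` is bounded on both sides, so CI installs and local virtualenvs can resolve a different `passlib` on each run; a bound such as `passlib>=1.7` (constructed example) or, better, an exact pin keeps installs reproducible. For a stronger supply-chain guarantee, `pip install --require-hashes` with `--hash=` entries on both lines pins the exact artifacts rather than just the version.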
From: Scott Walkinshaw Date: Sun, 1 Sep 2019 23:46:20 -0400 Subject: [PATCH 181/663] Add issue closer action --- .github/workflows/issues.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/issues.yml diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml new file mode 100644 index 0000000000..f2b2474ec3 --- /dev/null +++ b/.github/workflows/issues.yml @@ -0,0 +1,14 @@ +name: Issue closer +on: [issues] +jobs: + autoclose: + runs-on: ubuntu-latest + steps: + - name: Autoclose issues that did not follow issue template + uses: roots/issue-closer@v1.1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + issue-close-message: "Hi @${issue.user.login}, +It looks like the issue template is missing from this issue. Please take a look at the [Contribution Guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md), which will tell you **exactly** what your ticket has to contain in order to be processable. +Please **do not** use the issue tracker for personal support requests. Use [Roots Discourse](https://discourse.roots.io/) to ask the Roots community for help, or [hire someone from the community](https://discourse.roots.io/c/jobs)." + issue-pattern: ".*guidelines for Contributing.*" From e776cc0ad94cb0c4caf8550695fcb828cac1eb29 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 1 Sep 2019 23:52:59 -0400 Subject: [PATCH 182/663] 1.1.0 changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index adfdd8bf49..380db5525c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
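Review bot: `uses: roots/issue-closer@v1.1` pins the third-party action to a mutable tag, so whoever can move that tag controls code that runs with `secrets.GITHUB_TOKEN`; pin to the release's full commit SHA (`uses: roots/issue-closer@<commit-sha>`, placeholder) and keep the tag in a trailing comment. The multi-line `issue-close-message` is a double-quoted scalar, and YAML folds its single line breaks into spaces, so the three paragraphs are delivered as one line; if the breaks are intended, write it as a `|` block scalar. A top-level `permissions:` block limiting the token to `issues: write` would further bound what the action can do with it.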
@@ -1,4 +1,5 @@ -### Head +### 1.1.0: September 1st, 2019 +* Update swapfile role to v2.0.22 ([#1101](https://github.com/roots/trellis/pull/1101)) * Add pip `requirements.txt` and rename `requirements.yml` to `galaxy.yml` ([#1100](https://github.com/roots/trellis/pull/1100)) * Update apt packages before checking essentials task ([#1086](https://github.com/roots/trellis/pull/1086)) * Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091)) From 66d1445b0d72ee81631c4d55b287b8da72e3747f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 2 Sep 2019 11:16:07 -0400 Subject: [PATCH 183/663] Bump ansible requirement to 2.7.12 --- lib/trellis/plugins/vars/version.py | 4 ++-- requirements.txt | 2 +- vagrant.default.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 360017b1e8..2eabc291f2 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -14,8 +14,8 @@ from ansible.utils.display import Display display = Display() -version_requirement = '2.5.0.0' -version_tested_max = '2.7.5' +version_requirement = '2.7.12' +version_tested_max = '2.7.13' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/requirements.txt b/requirements.txt index 76b46f967b..24d75f725e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.5.0.0,<=2.7.5 +ansible>=2.7.12,<2.8 passlib diff --git a/vagrant.default.yml b/vagrant.default.yml index 03ff4689b6..64b48f7dfe 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-18.04' vagrant_box_version: '>= 201807.12.0' -vagrant_ansible_version: '2.7.5' +vagrant_ansible_version: '2.7.12' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' 
From 32a33749bc98c99a09b59ab0a13561a03a7b260e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 2 Sep 2019 13:21:15 -0400 Subject: [PATCH 184/663] Remove old versions on CI --- .circleci/config.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 78cb92c462..5ab3ba4cdf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -65,14 +65,6 @@ workflows: name: syntax-check-python-3-ansible-2.7 python-version: '3' ansible-version: ~=2.7.0 - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.6 - python-version: '3' - ansible-version: ~=2.6.0 - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.5 - python-version: '3' - ansible-version: ~=2.5.0 - trellis/syntax-check: name: syntax-check-python-2-ansible-latest @@ -86,11 +78,3 @@ workflows: name: syntax-check-python-2-ansible-2.7 python-version: '2' ansible-version: ~=2.7.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.6 - python-version: '2' - ansible-version: ~=2.6.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.5 - python-version: '2' - ansible-version: ~=2.5.0 From 143be087cf133c9f202b8c6f6de6dd1dd90bdbaf Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 3 Sep 2019 19:43:31 -0400 Subject: [PATCH 185/663] Fix issues with Vagrant ansible_local provisioner --- Vagrantfile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Vagrantfile b/Vagrantfile index 33e41fdfd3..8e2e4ec215 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -117,9 +117,23 @@ Vagrant.configure('2') do |config| provisioner = local_provisioning? ? :ansible_local : :ansible provisioning_path = local_provisioning? ? ANSIBLE_PATH_ON_VM : ANSIBLE_PATH + # Fix for https://github.com/hashicorp/vagrant/issues/10914 + if local_provisioning? + config.vm.provision 'shell', inline: <<~SHELL + sudo apt-get update -y -qq && + sudo dpkg-reconfigure libc6 && + export DEBIAN_FRONTEND=noninteractive && + sudo -E apt-get -q --option \"Dpkg::Options::=--force-confold\" --assume-yes install libssl1.1 + SHELL + end + config.vm.provision provisioner do |ansible| if local_provisioning? ansible.install_mode = 'pip' + if Vagrant::VERSION >= '2.2.4' + # Fix for https://github.com/hashicorp/vagrant/issues/10950 + ansible.pip_install_cmd = 'curl https://bootstrap.pypa.io/get-pip.py | sudo python' + end ansible.provisioning_path = provisioning_path ansible.version = vconfig.fetch('vagrant_ansible_version') end From f825790e9e4c030b4e421709191c7b46198d0573 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 3 Sep 2019 19:55:22 -0400 Subject: [PATCH 186/663] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 380db5525c..a794203afd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +### HEAD +* Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104)) +* Bump ansible requirement to 2.7.12([#1102](https://github.com/roots/trellis/pull/1102)) + ### 1.1.0: September 1st, 2019 * Update swapfile role to v2.0.22 ([#1101](https://github.com/roots/trellis/pull/1101)) * Add pip `requirements.txt` and rename `requirements.yml` to `galaxy.yml` ([#1100](https://github.com/roots/trellis/pull/1100)) From cd4f9151194c705e9bd3e101ff17b2648733448e Mon Sep 17 00:00:00 2001 
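Review bot: `ansible.pip_install_cmd = 'curl https://bootstrap.pypa.io/get-pip.py | sudo python'` executes a script fetched over the network as root with no integrity check, and without `-f` curl exits 0 on an HTTP error response, whose body is then fed to `python`; at minimum use `curl -fsSL`, and preferably download to a file, verify it against a checksum the project records (placeholder until one is pinned), and only then run it. The inline shell provisioner above chains `apt-get update`, `dpkg-reconfigure libc6` and the `libssl1.1` install with `&&`, which fails fast correctly, but a comment stating why the `libc6` reconfigure is required (beyond the issue link) would help the next reader. The `config.vm.provision` block is opened and closed outside the hunk.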
From: Scott Walkinshaw Date: Wed, 4 Sep 2019 19:49:45 -0400 Subject: [PATCH 187/663] Update galaxy packages --- galaxy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/galaxy.yml b/galaxy.yml index 1674a7c9e7..dbebc804ac 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,10 +1,10 @@ - name: composer src: geerlingguy.composer - version: 1.7.0 + version: 1.7.6 - name: ntp src: geerlingguy.ntp - version: 1.6.0 + version: 1.6.4 - name: logrotate src: nickhammond.logrotate @@ -16,4 +16,4 @@ - name: mailhog src: geerlingguy.mailhog - version: 2.1.3 + version: 2.1.4 From 967658cef61c044bbdd327b262834fd1d50e6e67 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 4 Sep 2019 19:53:26 -0400 Subject: [PATCH 188/663] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a794203afd..a95784b614 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump galaxy dependency versions ([#1105](https://github.com/roots/trellis/pull/1105)) * Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104)) * Bump ansible requirement to 2.7.12([#1102](https://github.com/roots/trellis/pull/1102)) From 129ad95aa9233d2d866631c828adeda8c9214500 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 2 Sep 2019 13:19:44 -0400 Subject: [PATCH 189/663] Update callback plugin CLI options changed a lot in 2.8. This updates our callback plugin to support both 2.7 and 2.8 by normalizing each case into a dict. Ref: https://github.com/ansible/ansible/pull/50069 --- lib/trellis/plugins/callback/vars.py | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index a93a9ae79b..338d8f9597 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py 
@@ -22,7 +22,14 @@ class CallbackModule(CallbackBase): CALLBACK_NAME = 'vars' def __init__(self): - self._options = cli.options if cli else None + super(CallbackModule, self).__init__() + + # handle Ansible 2.7 and 2.8 cases by normalizing each into a dict + try: + from ansible import context + self._options = context.CLIARGS + except ImportError: + self._options = vars(cli.options) if cli else {} def raw_triage(self, key_string, item, patterns): # process dict values @@ -70,13 +77,13 @@ def cli_options(self): } for option,value in iteritems(strings): - if getattr(self._options, value, False): - options.append("{0}='{1}'".format(option, str(getattr(self._options, value)))) + if self._options.get(value, False): + options.append("{0}='{1}'".format(option, str(self._options.get(value)))) - for inventory in getattr(self._options, 'inventory'): + for inventory in self._options.get('inventory'): options.append("--inventory='{}'".format(str(inventory))) - if getattr(self._options, 'ask_vault_pass', False): + if self._options.get('ask_vault_pass', False): options.append('--ask-vault-pass') return ' '.join(options) 
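Review bot: `for inventory in self._options.get('inventory'):` raises `TypeError` when the key is absent, and with the new fallback `self._options = {}` in `__init__` (when `cli` is falsy) that path is now reachable; `for inventory in self._options.get('inventory') or []:` keeps the loop safe in both the 2.7 and 2.8 shapes. The `__init__` comment says the two cases are normalized into a dict, but `context.CLIARGS` is used as-is while the 2.7 branch goes through `vars(...)`; a one-line comment noting that `CLIARGS` already exposes the mapping interface would make the asymmetry intentional rather than suspicious. `cli_options` and the enclosing class start outside the hunk.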
@@ -98,11 +105,10 @@ def v2_playbook_on_play_start(self, play): env_group.set_priority(20) for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): - # it should be ok to remove dummy Task() once minimum required Ansible >= 2.4.2 - hostvars = play.get_variable_manager().get_vars(play=play, host=host, task=Task()) + hostvars = play.get_variable_manager().get_vars(play=play, host=host) self.raw_vars(play, host, hostvars) - host.vars['ssh_args_default'] = PlayContext(play=play, options=self._options)._ssh_args.default + host.vars['ssh_args_default'] = PlayContext(play=play)._ssh_args.default host.vars['cli_options'] = self.cli_options() - host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) - host.vars['cli_ask_become_pass'] = getattr(self._options, 'become_ask_pass', False) + host.vars['cli_ask_pass'] = self._options.get('ask_pass', False) + host.vars['cli_ask_become_pass'] = self._options.get('become_ask_pass', False) host.vars['darwin_without_passlib'] = self.darwin_without_passlib() From a2fa7df5ef423805bc2235e1c6caa498dfc14bc5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 4 Sep 2019 20:42:27 -0400 Subject: [PATCH 190/663] Relaxy ansible version constraints --- lib/trellis/plugins/vars/version.py | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 2eabc291f2..93c325ab34 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.7.12' -version_tested_max = '2.7.13' +version_tested_max = '2.8.4' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/requirements.txt b/requirements.txt index 24d75f725e..eb776ef0e2 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,2 +1,2 @@ -ansible>=2.7.12,<2.8 +ansible>=2.7.12,<2.9 passlib From d4922a31cef884f6f5eca23c94ae14fd99ae57ba Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 12 Sep 2019 22:29:01 -0400 Subject: [PATCH 191/663] CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a95784b614..8911db48bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Ansible 2.8.x support ([#1103](https://github.com/roots/trellis/pull/1103)) * Bump galaxy dependency versions ([#1105](https://github.com/roots/trellis/pull/1105)) * Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104)) * Bump ansible requirement to 2.7.12([#1102](https://github.com/roots/trellis/pull/1102)) From 96eac3b54c58d87cc5df51552d58d12752324d04 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 27 Sep 2019 13:06:21 +0100 Subject: [PATCH 192/663] Update WP CLI to v 2.3.0 --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 4ce281bd85..13fe52b49f 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.0.1 +wp_cli_version: 2.3.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From 757a4c5642b5d67b4343ba9149569d2abb1a0f78 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 30 Sep 2019 17:36:49 -0600 Subject: [PATCH 193/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b0463db682..874f792a8e 100644 --- a/README.md +++ b/README.md 
@@ -107,7 +107,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital +Kinsta KM Digital KM Digital ## Community From a36eb264024b6eb2e34b863509020dee9de64631 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 30 Sep 2019 19:13:42 -0600 Subject: [PATCH 194/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 874f792a8e..447222f7da 100644 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital KM Digital +Kinsta KM Digital Scale Dynamix ## Community From dda882ae6d0b5bbefe426e597e1f437e6ceb7485 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 5 Oct 2019 15:48:05 +0100 Subject: [PATCH 195/663] Ansible 2.8 support: Generate self-signed certificates --- .../tasks/self-signed-certificate.yml | 33 ++++++++++++------- .../templates/self-signed-openssl-config.j2 | 7 ++++ 2 files changed, 29 insertions(+), 11 deletions(-) create mode 100644 roles/wordpress-setup/templates/self-signed-openssl-config.j2 diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 9410380fef..64e355fce2 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml 
@@ -1,18 +1,24 @@ --- +- name: Ensure openssl configs directory are present + file: + path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/" + state: directory + mode: "0755" + +- name: Template openssl configs + template: + src: self-signed-openssl-config.j2 + dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" + with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" + when: + - sites_use_ssl + - ssl_enabled + - item.value.ssl.provider | default('manual') == 'self-signed' + - name: Generate self-signed certificates shell: "openssl req -new -newkey rsa:2048 \ -days 3650 -nodes -x509 -sha256 \ - -extensions req_ext -config <( \ -cat <<' EOF'\n -[req]\n -prompt = no\n -distinguished_name = req_dn\n -[req_dn]\n -commonName = {{ item.value.site_hosts[0].canonical }}\n -[req_ext]\n -subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }}\n -EOF\n - ) \ + -extensions req_ext -config {{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf \ -keyout {{ item.key | quote }}.key -out {{ item.key | quote }}.cert" args: executable: "/bin/bash" @@ -24,3 +30,8 @@ EOF\n - ssl_enabled - item.value.ssl.provider | default('manual') == 'self-signed' notify: reload nginx + +- name: Clean up openssl configs directory + file: + path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/" + state: absent diff --git a/roles/wordpress-setup/templates/self-signed-openssl-config.j2 b/roles/wordpress-setup/templates/self-signed-openssl-config.j2 new file mode 100644 index 0000000000..8babe10d98 --- /dev/null +++ b/roles/wordpress-setup/templates/self-signed-openssl-config.j2 @@ -0,0 +1,7 @@ +[req] +prompt = no +distinguished_name = req_dn +[req_dn] +commonName = {{ item.value.site_hosts[0].canonical }} +[req_ext] +subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }} 
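Review bot: The `-config` path in the openssl shell command interpolates `nginx_ssl_path` and `item.key` unquoted while the `-keyout`/`-out` arguments on the next line use `| quote`; a site key containing shell metacharacters would break or alter the command, so quote it the same way, e.g. `-extensions req_ext -config {{ (nginx_ssl_path ~ '/self-signed-openssl-configs/' ~ item.key ~ '.cnf') | quote }} \`. With the process substitution removed, `executable: "/bin/bash"` is no longer needed, though harmless. The two `file` tasks that create and remove the configs directory carry no `when`, so every run creates and deletes it even on hosts where no site uses the self-signed provider; grouping the three tasks in a `block` with the same `when` guards as the template task would keep those runs quiet.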
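Review bot: `commonName = {{ item.value.site_hosts[0].canonical }}` will make `openssl req` fail with a "string too long" error for a canonical host longer than 64 characters, the upper bound OpenSSL enforces on the CN, while the `subjectAltName` line has no such limit. A comment above the entry, `# OpenSSL caps commonName at 64 characters; clients match on the SAN list below`, would document the constraint for anyone hitting that error.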
From 16d2cf8e96ed01357386ed8f4a498d5e713836ce Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 10 Oct 2019 23:36:07 -0400 Subject: [PATCH 196/663] Lets Encrypt ACME v2 support --- roles/letsencrypt/defaults/main.yml | 8 ++--- roles/letsencrypt/tasks/certificates.yml | 2 +- roles/letsencrypt/tasks/setup.yml | 6 ---- roles/letsencrypt/templates/renew-certs.py | 40 +++++++++------------- 4 files changed, 20 insertions(+), 36 deletions(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index e7f6c7a742..4b9d9b26b8 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -4,7 +4,7 @@ missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr(' letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' -acme_tiny_commit: '4ed13950c0a9cf61f1ca81ff1874cde1cf48ab32' +acme_tiny_commit: 'cb094cf3efa34acef8c7139c8480e2135422e755' acme_tiny_software_directory: /usr/local/letsencrypt acme_tiny_data_directory: /var/lib/letsencrypt @@ -24,14 +24,10 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" # KWXliiWjUORxDxI1c56Rw2VCIExnFjWJAdSLv6/XaQWo2T7U28bkKbAlCF9= # -----END RSA PRIVATE KEY----- -letsencrypt_ca: 'https://acme-v01.api.letsencrypt.org' +letsencrypt_ca: 'https://acme-v02.api.letsencrypt.org' letsencrypt_account_key: '{{ acme_tiny_data_directory }}/account.key' -letsencrypt_intermediate_cert_path: /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem -letsencrypt_intermediate_cert_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem' -letsencrypt_intermediate_cert_sha256sum: 'e446c5e9dbef9d09ac9f7027c034602492437a05ff6c40011d7235fca639c79a' - letsencrypt_keys_dir: "{{ nginx_ssl_path }}/letsencrypt" letsencrypt_certs_dir: "{{ nginx_ssl_path }}/letsencrypt" 
diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index ea22ced1ab..480d910253 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -15,7 +15,7 @@ - name: Generate Lets Encrypt certificate IDs shell: | - echo "{{ [site_hosts | join(' '), letsencrypt_ca, acme_tiny_commit, letsencrypt_intermediate_cert_sha256sum] | join('\n') }}" | + echo "{{ [site_hosts | join(' '), letsencrypt_ca, acme_tiny_commit] | join('\n') }}" | cat {{ letsencrypt_account_key }} {{ letsencrypt_keys_dir }}/{{ item.key }}.key - | md5sum | cut -c -7 register: generate_cert_ids diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 6c0d6afcc7..6d3cd762aa 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -37,9 +37,3 @@ args: creates: "{{ letsencrypt_account_key }}" when: letsencrypt_account_key_source_content is not defined and letsencrypt_account_key_source_file is not defined - -- name: Download intermediate certificate - get_url: - url: "{{ letsencrypt_intermediate_cert_url }}" - dest: "{{ letsencrypt_intermediate_cert_path }}" - sha256sum: "{{ letsencrypt_intermediate_cert_sha256sum }}" diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 88cd133419..6d4b5f0304 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py 
@@ -10,44 +10,38 @@ letsencrypt_cert_ids = {{ letsencrypt_cert_ids }} for site in {{ sites_using_letsencrypt }}: - cert_path = os.path.join('{{ letsencrypt_certs_dir }}', site + '-' + letsencrypt_cert_ids[site] + '.cert') bundled_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', site + '-' + letsencrypt_cert_ids[site] + '-bundled.cert') - if os.access(cert_path, os.F_OK): - stat = os.stat(cert_path) - print 'Certificate file ' + cert_path + ' already exists' + if os.access(bundled_cert_path, os.F_OK): + stat = os.stat(bundled_cert_path) + print('Certificate file ' + bundled_cert_path + ' already exists') if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: - print ' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n' + print(' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n') continue - print 'Generating certificate for ' + site + print('Generating certificate for ' + site) - cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' - '--quiet ' - '--ca {{ letsencrypt_ca }} ' - '--account-key {{ letsencrypt_account_key }} ' - '--csr {{ acme_tiny_data_directory }}/csrs/{0}-{1}.csr ' - '--acme-dir {{ acme_tiny_challenges_directory }}' - ).format(site, letsencrypt_cert_ids[site]) + cmd = ( + '/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + '--quiet ' + '--ca {{ letsencrypt_ca }} ' + '--account-key {{ letsencrypt_account_key }} ' + '--csr {{ acme_tiny_data_directory }}/csrs/{0}-{1}.csr ' + '--acme-dir {{ acme_tiny_challenges_directory }}' + ).format(site, letsencrypt_cert_ids[site]) try: cert = check_output(cmd, stderr=STDOUT, shell=True) except CalledProcessError as e: failed = True - print 'Error while generating certificate for ' + site - print e.output + print('Error while generating certificate for ' + site) + print(e.output) else: - with open(cert_path, 'w') as cert_file: + with 
open(bundled_cert_path, 'w') as cert_file: cert_file.write(cert) - with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: - intermediate_cert = intermediate_cert_file.read() - - with open(bundled_cert_path, 'w') as bundled_file: - bundled_file.write(''.join([cert, intermediate_cert])) - - print 'Created certificate for ' + site + print('Created certificate for ' + site) if failed: sys.exit(1) From 61a4faaa7ed0082c386112a51a81ff3e997e8bda Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 11 Oct 2019 20:25:44 -0400 Subject: [PATCH 197/663] Update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8911db48bd..24046b21d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ ### HEAD +* Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114)) +* Fix self-signed certificates in Ansible 2.8 ([#1110](https://github.com/roots/trellis/pull/1110)) +* Update WP CLI to v2.3.0 ([#1109](https://github.com/roots/trellis/pull/1109)) * Ansible 2.8.x support ([#1103](https://github.com/roots/trellis/pull/1103)) * Bump galaxy dependency versions ([#1105](https://github.com/roots/trellis/pull/1105)) * Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104)) From 7287d177569917cf9f853cc9dc26c8a1cb65a2ab Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 11 Oct 2019 20:27:27 -0400 Subject: [PATCH 198/663] 1.2.0 Changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24046b21d9..fe208741e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
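Review bot: `cert_file.write(cert)` writes the result of `check_output` into a file opened in text mode (`'w'`); under Python 3 `check_output` returns `bytes`, so the write raises `TypeError`, even though the hunk's switch to `print()` calls suggests Python 3 is now an intended interpreter. Opening in binary mode works under both versions: `with open(bundled_cert_path, 'wb') as cert_file:`. The file keeps its `-bundled` name while the intermediate-certificate concatenation is dropped, which presumably relies on the new `acme_tiny_commit` returning the full chain; a one-line comment above the `with` stating that would save the next reader a trip to the acme-tiny history.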
@@ -1,4 +1,4 @@ -### HEAD +### 1.2.0: October 11th, 2019 * Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114)) * Fix self-signed certificates in Ansible 2.8 ([#1110](https://github.com/roots/trellis/pull/1110)) * Update WP CLI to v2.3.0 ([#1109](https://github.com/roots/trellis/pull/1109)) From c279a99335e90f5226dcb842f798c4849e0ffe57 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 14 Oct 2019 22:09:49 -0400 Subject: [PATCH 199/663] Fix Vagrant pip_install_cmd conditional `pip_install_cmd` only exists in 2.2.5+ --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 8e2e4ec215..dc23764f3a 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -130,7 +130,7 @@ Vagrant.configure('2') do |config| config.vm.provision provisioner do |ansible| if local_provisioning? ansible.install_mode = 'pip' - if Vagrant::VERSION >= '2.2.4' + if Vagrant::VERSION >= '2.2.5' # Fix for https://github.com/hashicorp/vagrant/issues/10950 ansible.pip_install_cmd = 'curl https://bootstrap.pypa.io/get-pip.py | sudo python' end From e35e23034729ab9651db64238043f3d60fe8c390 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 13 Oct 2019 22:11:13 +0100 Subject: [PATCH 200/663] wordpress-setup: Block dependency manager files by Nginx Block these dependency managers: - composer - npm - yarn - bundler --- CHANGELOG.md | 3 ++ .../templates/wordpress-site.conf.j2 | 30 +++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe208741e4..ebc06bfd63 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### Head +* wordpress-setup: Block dependency manager files by Nginx ([#1116](https://github.com/roots/trellis/pull/1116)) + ### 1.2.0: October 11th, 2019 * Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114)) * Fix self-signed certificates in Ansible 2.8 ([#1110](https://github.com/roots/trellis/pull/1110)) 
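Review bot: `Vagrant::VERSION >= '2.2.5'` is a lexicographic string comparison, so Vagrant 2.2.10 and later (and any 2.10.x) compare as *older* than 2.2.5 and silently skip the `pip_install_cmd` fix. Compare versions numerically: `if Gem::Version.new(Vagrant::VERSION) >= Gem::Version.new('2.2.5')`. Separately, the retained `curl https://bootstrap.pypa.io/get-pip.py | sudo python` executes a remotely fetched script as root with no failure handling or integrity check; at minimum use `curl -fsSL` so an HTTP error body is not piped into `python`, and consider pinning a checksum if this stays.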
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index b9fd7205ca..ab0c182dc7 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -129,6 +129,36 @@ server { } {% endblock %} + {% block dependency_managers -%} + # composer + location ~* composer\.(json|lock)$ { + deny all; + } + + location ~* auth\.json$ { + deny all; + } + + # npm + location ~* package(-lock)?\.json$ { + deny all; + } + + # yarn + location ~* yarn\.lock$ { + deny all; + } + + # bundler + location ~* Gemfile(\.lock)?$ { + deny all; + } + + location ~* gems\.(rb|locked)?$ { + deny all; + } + {% endblock %} + {% block location_primary -%} location / { try_files $uri $uri/ /index.php?$args; From b2dbf594ccd5bbad8f56e98b8618078bbc4919a9 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 9 Nov 2019 18:06:41 +0000 Subject: [PATCH 201/663] Remove unused optional block arguments --- Vagrantfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index dc23764f3a..d59cdb3b5a 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -33,7 +33,7 @@ Vagrant.configure('2') do |config| config.vm.network :private_network, type: 'dhcp', hostsupdater: 'skip' cached_addresses = {} - config.hostmanager.ip_resolver = proc do |vm, _resolving_vm| + config.hostmanager.ip_resolver = proc do |vm| if cached_addresses[vm.name].nil? if vm.communicate.ready? vm.communicate.execute("hostname -I | cut -d ' ' -f 2") do |_type, contents| @@ -181,7 +181,7 @@ Vagrant.configure('2') do |config| # VMware Workstation/Fusion settings %w(vmware_fusion vmware_workstation).each do |provider| - config.vm.provider provider do |vmw, _override| + config.vm.provider provider do |vmw| vmw.vmx['displayName'] = config.vm.hostname vmw.vmx['numvcpus'] = vconfig.fetch('vagrant_cpus') vmw.vmx['memsize'] = vconfig.fetch('vagrant_memory') 
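Review bot: In `location ~* gems\.(rb|locked)?$` the group is optional, so the pattern also denies a bare `gems.` and otherwise only matches `gems.rb`/`gems.locked` — drop the `?`: `location ~* gems\.(rb|locked)$`. All of these regexes are left-unanchored, so `mypackage.json` or `vendor/x/Gemfile.lock` are denied as well; that is probably intended, but a comment such as `# unanchored on purpose: deny these filenames anywhere under the site root` would save the next reader a trip through nginx's match rules. Because the first matching regex location wins, these blocks must stay ahead of any later regex location (e.g. a `\.php$` handler) in this template; the `{% block %}` order does that today, but a child template overriding `dependency_managers` could move them.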
@@ -189,7 +189,7 @@ Vagrant.configure('2') do |config| end # Parallels settings - config.vm.provider 'parallels' do |prl, _override| + config.vm.provider 'parallels' do |prl| prl.name = config.vm.hostname prl.cpus = vconfig.fetch('vagrant_cpus') prl.memory = vconfig.fetch('vagrant_memory') From 0efcf58b9a9436bee1b848233ac3efc64321f5c1 Mon Sep 17 00:00:00 2001 From: Rob Record Date: Thu, 14 Nov 2019 14:02:36 +0000 Subject: [PATCH 202/663] Change self-signed certificate expiry time from 3650 days to 825, the new maximum time allowed under macOS Catalina --- roles/wordpress-setup/tasks/self-signed-certificate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 64e355fce2..fa995d15cc 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -17,7 +17,7 @@ - name: Generate self-signed certificates shell: "openssl req -new -newkey rsa:2048 \ - -days 3650 -nodes -x509 -sha256 \ + -days 825 -nodes -x509 -sha256 \ -extensions req_ext -config {{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf \ -keyout {{ item.key | quote }}.key -out {{ item.key | quote }}.cert" args: From 77729cf5991afcb14f693015a157176b6b6942ae Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 7 Dec 2019 15:31:40 -0500 Subject: [PATCH 203/663] Add git_sha and release_version to .env on deploy This will provide `GIT_SHA` and `RELEASE_VERSION` env variables. They can be useful for many purposes including application/error monitoring software. --- roles/deploy/vars/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index aea2f70a6e..7015d3451b 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml 
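Review bot: The new `-days 825` only affects certificates generated from now on; this task appears to be guarded by a `creates:` glob on `{{ item.key }}.*` (visible in the later hunk touching this file), so already-provisioned hosts keep their 10-year certificates until someone deletes them from `{{ nginx_ssl_path }}`. A comment above the task would make that explicit: `# macOS 10.15+ rejects TLS certificates valid for more than 825 days. Existing self-signed certs are not regenerated; delete <site>.key/<site>.cert to pick up the new lifetime.` The 825-day rule applies to certificates issued on or after 1 July 2019, so pre-existing ones continue to be trusted either way.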
@@ -7,5 +7,7 @@ wordpress_env_defaults: wp_home: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}" wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" + git_sha: "{{ git_clone.after }}" + release_version: "{{ deploy_helper.new_release }}" site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" From 22adab323123dd3ea3cc315aa3d0bfadc9cdd29d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 7 Dec 2019 17:43:10 -0500 Subject: [PATCH 204/663] Update CHANGELOG --- CHANGELOG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebc06bfd63..4ef86f10ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ -### Head -* wordpress-setup: Block dependency manager files by Nginx ([#1116](https://github.com/roots/trellis/pull/1116)) +### HEAD +* Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) +* Lower self-signed certificate expiry time for macOS Cataline support ([#1120](https://github.com/roots/trellis/pull/1120)) +* Block dependency manager files in Nginx ([#1116](https://github.com/roots/trellis/pull/1116)) ### 1.2.0: October 11th, 2019 * Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114)) From 3eff48a99706e0367325cb46b783812e3b84b180 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 7 Dec 2019 17:44:24 -0500 Subject: [PATCH 205/663] v1.3.0 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ef86f10ba..84e59ca325 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,4 @@ -### HEAD +### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) * Lower self-signed certificate expiry time for macOS Cataline support ([#1120](https://github.com/roots/trellis/pull/1120)) * Block dependency manager files in Nginx ([#1116](https://github.com/roots/trellis/pull/1116)) From 4fe4e66e4e4d77a780d5217577e0bd31f00eb12e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 11 Dec 2019 22:39:48 -0500 Subject: [PATCH 206/663] Fix subjectAltName for self-signed certificates In some cases the `subjectAltName` for self-signed SSL certificates were invalid due to `DNS:` being both prepended *and* appended to each domain when it should only be a prefix. This tweaks `regex_replace` to anchor at the start of the string only. Before: ``` subjectAltName = DNS:example.testDNS:,DNS:www.example.testDNS: ``` After: ``` subjectAltName = DNS:example.test,DNS:www.example.test ``` --- roles/wordpress-setup/templates/self-signed-openssl-config.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/self-signed-openssl-config.j2 b/roles/wordpress-setup/templates/self-signed-openssl-config.j2 index 8babe10d98..9ba1054aef 100644 --- a/roles/wordpress-setup/templates/self-signed-openssl-config.j2 +++ b/roles/wordpress-setup/templates/self-signed-openssl-config.j2 @@ -4,4 +4,4 @@ distinguished_name = req_dn [req_dn] commonName = {{ item.value.site_hosts[0].canonical }} [req_ext] -subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }} +subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(^.*$)', 'DNS:\\1') | join(',') }} From 2801a8b58ad35703647a574c6a9a723e4f7c06aa Mon Sep 17 00:00:00 2001 
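Review bot: The anchored pattern fixes the double substitution, but `(^.*$)` with a back-reference is more machinery than a prefix needs; `map('regex_replace', '^', 'DNS:')` yields the same result and reads as what it is. Whichever form stays, a short template comment explaining the anchor would stop the next person from "simplifying" it back to `(.*)`: `{# anchored: an unanchored (.*) also matches the empty string at end-of-input, producing DNS:hostDNS: #}`.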
From: Scott Walkinshaw Date: Wed, 11 Dec 2019 21:26:34 -0500 Subject: [PATCH 207/663] Use modern SSL config for Nginx Based off of h5bp's config: https://github.com/h5bp/server-configs-nginx/blob/611ed7507bc200b81867423f6061fe79b2f606e8/h5bp/ssl/policy_modern.conf Drops TLSv1 and TLSv2.1 and updates the cipher suite. Cipher suite compatibility details: https://cryptcheck.fr/suite/ECDHE+AES:!SHA TLS 1.2 compatibility: https://caniuse.com/#feat=tls1-2 TLS 1.3 compatibility: https://caniuse.com/#feat=tls1-3 --- roles/nginx/templates/h5bp/directive-only/ssl.conf | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf index cf5cfaa6cc..0b67f328f1 100644 --- a/roles/nginx/templates/h5bp/directive-only/ssl.conf +++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf 
@@ -1,10 +1,6 @@ -# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add -# SSLv3 to the list of protocols below. -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx -ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; -ssl_prefer_server_ciphers on; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers EECDH+CHACHA20:EECDH+AES; +ssl_prefer_server_ciphers on; # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes. # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. From bd8912edb8abaa20b12f02984f8e23fd33c3c446 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 24 Dec 2019 09:32:37 -0500 Subject: [PATCH 208/663] Disable ssl_session_tickets --- roles/nginx/templates/h5bp/directive-only/ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf index 0b67f328f1..bb8bd0aa76 100644 --- a/roles/nginx/templates/h5bp/directive-only/ssl.conf 
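Review bot: `ssl_ciphers EECDH+CHACHA20:EECDH+AES;` is broader than the "modern" policy the commit describes: `EECDH+AES` selects every ECDHE+AES suite, including the CBC/HMAC ones (ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA384, ...), whereas the linked cryptcheck evaluation was run for `ECDHE+AES:!SHA`. To keep AEAD-only suites use `ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM;` (or append `:!SHA1:!SHA256:!SHA384`). `TLSv1.3` in `ssl_protocols` also needs nginx built against OpenSSL 1.1.1; on older distribution builds nginx may reject the value at config test, so a comment stating the minimum nginx/OpenSSL (or a release-gated template) would help operators on LTS images.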
+++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf @@ -21,7 +21,7 @@ ssl_session_timeout 24h; # # Note that you'll have to define and rotate the keys securely by yourself. In absence # of such infrastructure, consider turning off session tickets: -#ssl_session_tickets off; +ssl_session_tickets off; # Use a higher keepalive timeout to reduce the need for repeated handshakes keepalive_timeout 300s; # up from 75 secs default From b6cae7844f704353132cdcae18088e6adf8560b6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 24 Dec 2019 09:32:45 -0500 Subject: [PATCH 209/663] Update stapling config --- .../h5bp/directive-only/ssl-stapling.conf | 35 ++++++++++++++++--- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf b/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf index d15bf972ba..95cc175ce4 100644 --- a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf +++ b/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf 
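Review bot: Disabling `ssl_session_tickets` is the right call since nginx never rotates its ticket key, but the comment directly above now reads as advice about a commented-out option ("... consider turning off session tickets:"); rewrite it to record the decision, e.g. `# Session tickets are disabled: nginx uses a static ticket key it never rotates, which would let a key compromise decrypt past sessions. Resumption relies on ssl_session_cache instead.` The `ssl_session_timeout 24h;` shown in the hunk context also contradicts the "caching session parameters for 10 minutes" comment earlier in this file, so the comment and the value should be reconciled in the same pass.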
@@ -1,9 +1,34 @@ -# OCSP stapling... +# ---------------------------------------------------------------------- +# | Online Certificate Status Protocol stapling | +# ---------------------------------------------------------------------- + +# OCSP is a lightweight, only one record to help clients verify the validity of +# the server certificate. +# OCSP stapling allows the server to send its cached OCSP record during the TLS +# handshake, without the need of 3rd party OCSP responder. +# +# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling +# https://tools.ietf.org/html/rfc6066#section-8 +# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling +# +# (1) Use Cloudflare 1.1.1.1 DNS resolver +# https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/ +# +# (2) Use Google 8.8.8.8 DNS resolver +# https://developers.google.com/speed/public-dns/docs/using +# +# (3) Use Dyn DNS resolver +# https://help.dyn.com/internet-guide-setup/ + ssl_stapling on; ssl_stapling_verify on; -#trusted cert must be made up of your intermediate certificate followed by root certificate -#ssl_trusted_certificate /path/to/ca.crt; - -resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s; +resolver + # (1) + 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] + # (2) + 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] + # (3) + # 216.146.35.35 216.146.36.36 + valid=60s; resolver_timeout 2s; From 258c8843371b95b77bdd7322f06ee338e2b08e4d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 24 Dec 2019 11:16:22 -0500 Subject: [PATCH 210/663] Update roles/nginx/templates/h5bp/directive-only/ssl.conf Co-Authored-By: Austin Pray --- roles/nginx/templates/h5bp/directive-only/ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf index bb8bd0aa76..20d98766b3 100644 
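Review bot: The resolver list now includes IPv6 nameserver addresses; nginx rotates through all configured resolvers, so on a host without IPv6 egress (common for cloud images with a single IPv4 address) a share of OCSP lookups will time out after `resolver_timeout 2s` and stapling will fail intermittently. Either document that the bracketed addresses must be removed on IPv4-only hosts or template them conditionally on `ansible_default_ipv6` being present. Note also that the `ssl_trusted_certificate` hint was deleted: with `ssl_stapling_verify on`, nginx needs the issuer and root to validate the OCSP response, so if no `ssl_trusted_certificate` is set in the site config the stapled response may be discarded with a "certificate status verification failed" warning — worth confirming against the site template. Using third-party resolvers is an availability dependency rather than an integrity one, since the OCSP response itself is signature-checked.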
--- a/roles/nginx/templates/h5bp/directive-only/ssl.conf +++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf @@ -1,6 +1,6 @@ ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers EECDH+CHACHA20:EECDH+AES; -ssl_prefer_server_ciphers on; +ssl_prefer_server_ciphers off; # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes. # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. From 5c09ae9cec67dcc87bb7371774888bd2721c7f65 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 5 Jan 2020 00:31:28 +0000 Subject: [PATCH 211/663] Update `wp_cli_version` to 2.4.0 See: https://make.wordpress.org/cli/2019/11/12/wp-cli-v2-4-0-release-notes/ --- CHANGELOG.md | 3 +++ roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 84e59ca325..fac73c5b2e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### Head +* Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) + ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) * Lower self-signed certificate expiry time for macOS Cataline support ([#1120](https://github.com/roots/trellis/pull/1120)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 13fe52b49f..f13bd98c4a 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.3.0 +wp_cli_version: 2.4.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" 
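Review bot: `ssl_prefer_server_ciphers off;` hands suite selection to the client, which is sound only when every suite in `ssl_ciphers` is one you are happy to negotiate; with `EECDH+AES` still admitting CBC/HMAC-SHA suites in the current list, a client that prefers them will get them. Record the intent in a comment so the two directives are kept consistent, e.g. `# Client chooses the suite (AES-GCM on hardware with AES-NI, ChaCha20 on mobile). Safe only while ssl_ciphers is restricted to ECDHE AEAD suites.`, and tighten `ssl_ciphers` to match that statement.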
From 2c6476c102f55f5897aa9ecf95b39c5fcbda2230 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 11 Jan 2020 17:01:54 +0000 Subject: [PATCH 212/663] Allow `composer install` without `--no-scripts` during deploy --- CHANGELOG.md | 1 + roles/deploy/defaults/main.yml | 3 +++ roles/deploy/hooks/build-after.yml | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fac73c5b2e..8c7dc9b85a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### Head * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) +* Allow `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 8e04496fff..5f4f68cc02 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -48,6 +48,9 @@ project_current_path: "{{ project.current_path | default('current') }}" # Whether to run `wp core update-db` at end of each deploy update_db_on_deploy: true +# Most scripts are used in development instead of remote servers. Use with caution. +composer_no_scripts: true + # Helpers project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index c637d12882..bf2d649c73 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -27,5 +27,5 @@ - name: Install Composer dependencies composer: - no_scripts: yes + no_scripts: "{{ composer_no_scripts }}" working_dir: "{{ deploy_helper.new_release_path }}" From 6caea96afa66b12d27d43c7ede7850070a659d57 Mon Sep 17 00:00:00 2001 
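Review bot: The comment on `composer_no_scripts` undersells what flipping it does: with `composer_no_scripts: false`, `composer install` on the server executes every script declared in the project's `composer.json` *and* any Composer plugins shipped by dependencies, as the deploy user, on every deploy — a direct supply-chain code-execution path. Suggest replacing the comment with `# Setting this to false runs composer.json scripts and dependency plugins on the server at deploy time. Only do so for repositories whose full dependency tree you trust.` The "Use with caution" wording gives no hint of *why*.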
From: Tang Rufus Date: Mon, 13 Jan 2020 15:59:56 +0000 Subject: [PATCH 213/663] CircleCI: Test `rollback.yml` --- .circleci/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 5ab3ba4cdf..9a4413ab93 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -49,6 +49,7 @@ orbs: ansible-playbook --syntax-check -e env=development deploy.yml ansible-playbook --syntax-check -e env=development dev.yml ansible-playbook --syntax-check -e env=development server.yml + ansible-playbook --syntax-check -e env=development rollback.yml workflows: syntax-check: From 7299d378be52cd3d5967db72469555525b98a47c Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:27:34 +0000 Subject: [PATCH 214/663] Lint: Fix `[501] become_user requires become to work as expected` --- roles/wp-cli/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 675596e141..fe3d85c62d 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -46,6 +46,7 @@ - name: Install WP-CLI packages command: wp package install {{ item }} + become: true become_user: "{{ web_user }}" register: wp_cli_packages_installed changed_when: From 5c3df4ec187f1fc45aabf3052534abfd021ea61f Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:35:03 +0000 Subject: [PATCH 215/663] Lint: Fix `[601] Don't compare to literal True/False` --- roles/rollback/tasks/user-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rollback/tasks/user-release.yml b/roles/rollback/tasks/user-release.yml index 6e356e1bc0..073506659e 100644 --- a/roles/rollback/tasks/user-release.yml +++ b/roles/rollback/tasks/user-release.yml 
@@ -13,7 +13,7 @@ - name: Fail if user-specified release doesn't exist or is already active fail: msg: "Cannot switch to release {{ release }}. Either it does not exist or it is the active release." - when: specified.stat.isdir | default(False) == False or current_release.stdout_lines[0] == release + when: not (specified.stat.isdir | default(False)) or current_release.stdout_lines[0] == release - name: Create new_release_path variable set_fact: From cb70709791c0e349415ae5ee113b483a3bf8d3fc Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:43:57 +0000 Subject: [PATCH 216/663] Lint: Fix `[504] Do not use 'local_action', use 'delegate_to: localhost'` --- roles/connection/tasks/main.yml | 5 +++-- roles/users/tasks/main.yml | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 0675e77bf4..86ba0476a1 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -16,9 +16,10 @@ - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} - local_action: | - command ansible {{ inventory_hostname }} -m raw -a whoami + command: | + ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} {{ cli_options | default('') }} -vvvv + delegate_to: localhost environment: ANSIBLE_SSH_ARGS: "{{ ssh_args_default }} {{ ansible_ssh_extra_args | default('') }}" failed_when: false diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 8c1403c0be..e84f720333 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml 
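Review bot: Converting `local_action` to `command` plus `delegate_to: localhost` changes privilege handling: a delegated task still honours the play's `become`, so if this play runs with `become: yes` Ansible will try to `sudo` on the control machine before invoking the local `ansible` CLI. The users-role task changed in the same commit adds `become: no`; this one should too unless it is already set below the visible lines — put `become: no` next to `delegate_to: localhost`. The task body continues past the end of the hunk.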
@@ -58,7 +58,8 @@ - keys - name: Check whether Ansible can connect as admin_user - local_action: command ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }} + command: ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }} + delegate_to: localhost failed_when: false changed_when: false become: no From 34689c23b82e1b5b58526c7dff03b34dcff65589 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 12:07:39 +0000 Subject: [PATCH 217/663] Lint: Fix `[602] Don't compare to empty string` --- roles/connection/tasks/main.yml | 2 +- roles/wordpress-install/tasks/composer-authentications.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 0675e77bf4..5381a9fa1f 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -12,7 +12,7 @@ register: preferred_host_key_algorithms when: - dynamic_host_key_algorithms | default(true) - - ansible_ssh_extra_args | default('') == '' + - not (not ansible_ssh_extra_args) - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 9d0a8368d3..8d8445fa86 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml 
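Review bot: `- not (not ansible_ssh_extra_args)` inverts the original condition: the old test was true when `ansible_ssh_extra_args` was empty or unset, the new one is true only when it is *non-empty*, so the preferred-host-key-algorithms lookup now runs exactly in the case it used to skip and is skipped when it used to run. It also drops `default('')`, so an undefined `ansible_ssh_extra_args` makes the conditional error out instead of evaluating. Use `- not (ansible_ssh_extra_args | default(''))` (or `- (ansible_ssh_extra_args | default('')) | length == 0`), which satisfies the lint rule and keeps the original semantics.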
@@ -7,9 +7,9 @@ no_log: true changed_when: false when: - - composer_authentication.hostname is defined and composer_authentication.hostname != "" - - composer_authentication.username is defined and composer_authentication.username != "" - - composer_authentication.password is defined and composer_authentication.password != "" + - not (not composer_authentication.hostname) + - not (not composer_authentication.username) + - not (not composer_authentication.password) loop: "{{ composer_authentications }}" loop_control: loop_var: composer_authentication From 2686136c9c635fa56991647ffd6635933438f523 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 12:28:38 +0000 Subject: [PATCH 218/663] Lint: Fix `[305] Use shell only when shell functionality is required` --- roles/letsencrypt/tasks/nginx.yml | 8 ++++---- roles/wordpress-setup/tasks/self-signed-certificate.yml | 3 +-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index c0578e4933..20b97e63b1 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -39,10 +39,10 @@ when: challenge_site_confs is changed or challenge_sites_enabled is changed - name: Create test Acme Challenge file - shell: touch {{ acme_tiny_challenges_directory }}/ping.txt - args: - creates: "{{ acme_tiny_challenges_directory }}/ping.txt" - warn: false + file: + path: "{{ acme_tiny_challenges_directory }}/ping.txt" + state: touch + mode: '0644' - name: Test Acme Challenges test_challenges: diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index fa995d15cc..35e04f712b 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml 
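Review bot: `- not (not composer_authentication.hostname)` removes the `is defined` guard: Ansible raises when an undefined attribute is evaluated in a `when`, so an entry that omits `hostname`, `username` or `password` now fails the play instead of being skipped as before. Keep the guard while satisfying the lint rule with `- composer_authentication.hostname | default('') | length > 0` (and the same for the other two keys). The double negation is also an obscure spelling of a plain truthiness check.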
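Review bot: Replacing the guarded `touch` with `file: state: touch` makes the task report `changed` and bump the file's mtime on every run, whereas the old `creates:` made it idempotent. On Ansible 2.7+ add `modification_time: preserve` and `access_time: preserve` so it is a no-op when the file already exists; otherwise keep `command: touch ... creates: ...`. The explicit `mode: '0644'` is a good addition since nginx must be able to read this file.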
@@ -16,12 +16,11 @@ - item.value.ssl.provider | default('manual') == 'self-signed' - name: Generate self-signed certificates - shell: "openssl req -new -newkey rsa:2048 \ + command: "openssl req -new -newkey rsa:2048 \ -days 825 -nodes -x509 -sha256 \ -extensions req_ext -config {{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf \ -keyout {{ item.key | quote }}.key -out {{ item.key | quote }}.cert" args: - executable: "/bin/bash" chdir: "{{ nginx_ssl_path }}" creates: "{{ item.key }}.*" with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" From 0da67ad1b63acf22945f8da805cc79e8053a1af8 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 14:48:42 +0000 Subject: [PATCH 219/663] CircleCI: Test `xdebug-tunnel.yml` --- .circleci/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9a4413ab93..f71bbe5faf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -50,6 +50,7 @@ orbs: ansible-playbook --syntax-check -e env=development dev.yml ansible-playbook --syntax-check -e env=development server.yml ansible-playbook --syntax-check -e env=development rollback.yml + ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml workflows: syntax-check: From 8ac97859a0a52daf5a5475d563802dad2da21d55 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 12:14:21 +0000 Subject: [PATCH 220/663] Lint: Fix `[502] All tasks should be named` --- roles/common/tasks/main.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index aeff82462d..1559a76a89 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
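Review bot: `openssl req -newkey ... -nodes -keyout <site>.key` writes an unencrypted private key with whatever the process umask allows (typically 0644), and nothing in this hunk restricts it afterwards; if no later task sets the mode, the key is readable by every local account, including the PHP pool user. Add a follow-up `file:` task with `mode: '0600'` on `{{ nginx_ssl_path }}/{{ item.key }}.key`, or run the command under `umask 077` (which would mean keeping `shell:`). These are development self-signed keys so the exposure is limited, but the role should not rely on the umask for key permissions.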
@@ -147,13 +147,14 @@ generate_ssh_key: yes when: env == 'development' -- name: Retrieve SSH client IP - block: - - ipify_facts: +- block: + - name: Retrieve SSH client IP + ipify_facts: delegate_to: localhost become: no when: env != 'development' and ssh_client_ip_lookup | default(true) tags: [fail2ban, ferm] rescue: - - fail: + - name: Fail when unable to retrieve SSH client IP + fail: msg: "External IP resolution failed. Check that your DNS servers are working. Try to disable DNSCrypt if you are using it." From 00524b0f9daf84d13e35bc3a433fdc38a25a2ac6 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:59:21 +0000 Subject: [PATCH 221/663] Lint: Fix `[303] rsync used in place of synchronize module` --- roles/wordpress-install/tasks/main.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 5b32fcbe33..d5491a2808 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -11,10 +11,12 @@ with_dict: "{{ wordpress_sites }}" - name: Copy .env file into web root - command: rsync -ac --info=NAME /tmp/{{ item.key }}.env {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env + synchronize: + src: "/tmp/{{ item.key }}.env" + dest: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env" + checksum: true with_dict: "{{ wordpress_sites }}" - register: env_file - changed_when: env_file.stdout == item.key + '.env' + delegate_to: "{{ inventory_hostname }}" - name: Add known_hosts known_hosts: From 11c51eeff34c0217ef5427c54fa03edd218f4464 Mon Sep 17 00:00:00 2001 
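Review bot: `ipify_facts` makes a remote HTTPS call whose result, via the `fail2ban`/`ferm` tags, becomes the IP that is whitelisted in the firewall and fail2ban; the block has no retry, so a transient api.ipify.org hiccup aborts provisioning, and the rescue message blames DNS whatever the actual cause. Add `register: ipify_result`, `retries: 3`, `delay: 5` and `until: ipify_result is succeeded` to the task, and widen the message: `External IP lookup via api.ipify.org failed (network, TLS or DNS problem). Set ssh_client_ip_lookup: false to skip it and whitelist your IP manually.` A short comment that this third-party answer feeds firewall rules would also help reviewers of the fail2ban/ferm roles.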
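Review bot: The `.env` copied here carries the site's database credentials and salts, and it is staged at the predictable, world-writable path `/tmp/{{ item.key }}.env`; the template task that produces it is outside this hunk so its `mode` cannot be checked here, but `synchronize` (archive mode) carries over whatever mode the staging file has and nothing in this task tightens the destination. If the staging file is not already `0600` and owned by the web user, stage it under `{{ www_root }}/{{ item.key }}/` (or a `tempfile`-generated name) and set `mode: '0600'` on the result. `delegate_to: "{{ inventory_hostname }}"` turns this into an rsync local to the target, which is fine but non-obvious; a one-line comment (`# runs rsync on the target itself; synchronize defaults to control host -> target`) would spare the next reader a surprise.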
From: TangRufus Date: Sun, 19 Jan 2020 13:57:12 +0000 Subject: [PATCH 222/663] `composer install` with `--classmap-authoritative` during deploy See: - https://getcomposer.org/doc/articles/autoloader-optimization.md#optimization-level-2-a-authoritative-class-maps - https://docs.ansible.com/ansible/latest/modules/composer_module.html#parameters --- CHANGELOG.md | 3 ++- deploy-hooks/build-before.yml | 2 +- roles/deploy/defaults/main.yml | 2 ++ roles/deploy/hooks/build-after.yml | 1 + 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c7dc9b85a..2019359cd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ ### Head * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) -* Allow `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) +* `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) +* Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index e6893432ba..a42b124490 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -14,7 +14,7 @@ # chdir: "{{ project_local_path }}/web/app/themes/sage" # # - name: Install Composer dependencies -# command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts +# command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts --classmap-authoritative # args: # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # 
diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 5f4f68cc02..b6b5e6c74d 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -50,6 +50,8 @@ update_db_on_deploy: true # Most scripts are used in development instead of remote servers. Use with caution. composer_no_scripts: true +# Whether to autoload classes from classmap only. +composer_classmap_authoritative: true # Helpers project: "{{ wordpress_sites[site] }}" diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index bf2d649c73..8e7daf91dc 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -28,4 +28,5 @@ - name: Install Composer dependencies composer: no_scripts: "{{ composer_no_scripts }}" + classmap_authoritative: "{{ composer_classmap_authoritative }}" working_dir: "{{ deploy_helper.new_release_path }}" From 6cc4fc763dd7be8ad4a430a0b31dc05833d7be73 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Tue, 21 Jan 2020 19:48:02 +0000 Subject: [PATCH 223/663] Fix `DEPLOY_UNFINISHED` not being copied over to `release` The tar generated by git archive doesn't include `DEPLOY_UNFINISHED` https://github.com/roots/trellis/blob/ab70d8ed84ef54054de2024e5c2639e047c0b905/roles/deploy/tasks/prepare.yml#L29-L39 --- CHANGELOG.md | 1 + roles/deploy/tasks/prepare.yml | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2019359cd1..bd0ee3b14d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
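Review bot: Defaulting `composer_classmap_authoritative: true` is a behaviour change for existing sites: with an authoritative classmap Composer never falls back to PSR-0/PSR-4 filesystem lookups, so any plugin or theme that generates classes at runtime or ships classes absent when `composer install` ran will hit "class not found" after the next deploy. The comment `# Whether to autoload classes from classmap only.` should say so, e.g. `# Autoload from the generated classmap only (implies --optimize-autoloader). Faster, but classes unknown at install time (runtime-generated, late-added PSR-4) will not load; set to false if a dependency relies on that.` The CHANGELOG says "Allow", yet the default turns it on — one of the two should change.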
@@ -2,6 +2,7 @@ * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) * Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) +* Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 9181b43f51..2d05f4df8e 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -5,11 +5,6 @@ loop_var: include_path tags: deploy-prepare-before -- name: write unfinished file - file: - path: "{{ project_source_path }}/{{ deploy_helper.unfinished_filename }}" - state: touch - - name: Check for project repo subtree stat: path: "{{ project_source_path }}/{{ project.repo_subtree_path }}" @@ -38,6 +33,11 @@ chdir: "{{ project_source_path }}" when: project.repo_subtree_path is defined +- name: write unfinished file + file: + path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" + state: touch + - include_tasks: "{{ include_path }}" with_items: "{{ deploy_prepare_after | default([]) }}" loop_control: From 283ff5846653a30712cb51188ef048fc20040dad Mon Sep 17 00:00:00 2001 From: TangRufus Date: Tue, 21 Jan 2020 19:51:31 +0000 Subject: [PATCH 224/663] Deploy: Remove untracked files from project folder --- CHANGELOG.md | 1 + roles/deploy/tasks/update.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2019359cd1..09318ae2c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
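Review bot: The relocated `write unfinished file` task now runs only after both `git archive` tasks, so a release directory whose archive step fails or is interrupted is left without `DEPLOY_UNFINISHED` and will not be treated as unfinished by the `deploy_helper` clean-up. Touching the marker immediately after the release directory is created and before either archive task closes that window: the same `file:` task with `path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}"` just needs to move up next to the `state: directory` task. That directory task sits between the two hunks shown here and is outside both hunks' context.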
@@ -2,6 +2,7 @@ * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) * Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) +* Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 4170f658db..61bb72013a 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -24,6 +24,13 @@ no_log: true register: git_clone +- name: Remove untracked files from project folder + command: git clean -fdx + args: + chdir: "{{ project_source_path }}" + register: git_clean + changed_when: not not(git_clean.stdout) + - name: Failed connection to remote repo fail: msg: | From be72a6b3f2dab4a31d4fa6fa59c811387d4b6400 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 26 Jan 2020 13:00:31 -0500 Subject: [PATCH 225/663] Update CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b29818aa5a..8a64e6a704 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
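Review bot: `changed_when: not not(git_clean.stdout)` is a double negation that reads like a typo; `changed_when: git_clean.stdout | length > 0` states the intent directly. The same line is carried unchanged when this task is moved in the later "Run `git clean` after checking `git clone` is successful" commit and when `# noqa 303` is added in the CircleCI lint commit, so one fix covers all three. Note also that `git clean -fdx` deletes ignored files as well as untracked ones, so anything deliberately kept in `project_source_path` outside version control is removed on every deploy; that is presumably intended, but stating it in the task `name` or a comment would spare the next reader a surprise.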
@@ -1,7 +1,9 @@ ### Head * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) +* Fix `subjectAltName` for self-signed certificates ([#1128](https://github.com/roots/trellis/pull/1128)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) * Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) +* Use modern SSL config for Nginx ([#1127](https://github.com/roots/trellis/pull/1127)) * Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) From e3c41b6f77582af6864867161ef11d9456e9f052 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 26 Jan 2020 13:18:25 -0500 Subject: [PATCH 226/663] Add trellis-cli instructions to README --- README.md | 85 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 77 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 447222f7da..7d056980af 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. - Local development environment with Vagrant - High-performance production servers - Zero-downtime deploys for your [Bedrock](https://roots.io/bedrock/)-based WordPress sites +- [trellis-cli](https://github.com/roots/trellis-cli) for easier management ## What's included 
@@ -35,14 +36,23 @@ Full documentation is available at [https://roots.io/trellis/docs/](https://root Make sure all dependencies have been installed before moving on: -* [Composer](https://getcomposer.org/doc/00-intro.md#installation-linux-unix-osx) * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 +* **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) **Windows user?** [Read the Windows getting started docs](https://roots.io/getting-started/docs/windows-development-environment-trellis/) for slightly different installation instructions. ## Installation +### Using trellis-cli + +Create a new project: +```bash +$ trellis new example.com +``` + +### Manual + The recommended directory structure for a Trellis project looks like: ```shell @@ -56,6 +66,8 @@ example.com/ # → Root folder for the project See a complete working example in the [roots-example-project.com repo](https://github.com/roots/roots-example-project.com). + + 1. Create a new project directory: ```plain $ mkdir example.com && cd example.com @@ -71,6 +83,18 @@ $ composer create-project roots/bedrock site ## Local development setup +### Using trellis-cli + +1. Review the automatically created site in `group_vars/development/wordpress_sites.yml` +2. Customize settings if necessary + +Start the Vagrant virtual machine: +```bash +$ trellis up +``` + +### Manual + 1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` 2. Ensure you're in the trellis directory: `cd trellis` 3. Run `vagrant up` 
@@ -79,23 +103,68 @@ $ composer create-project roots/bedrock site ## Remote server setup (staging/production) -For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. - -A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. +A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` 3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/)) -4. Run `ansible-playbook server.yml -e env=` to provision the server + +### Using trellis-cli + +Initialize Trellis (Virtualenv) environment: +```bash +$ trellis init +``` + +Provision the server: +```bash +$ trellis provision production +``` + +Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) support to create a Droplet *and* provision it in a single command: +```bash +$ trellis droplet create production +``` + +### Manual + +For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. + +Provision the server: +```bash +$ ansible-playbook server.yml -e env= +``` [Read the remote server docs](https://roots.io/trellis/docs/remote-server-setup/) for more information. ## Deploying to remote servers 1. Add the `repo` (Git URL) of your Bedrock WordPress project in the corresponding `group_vars//wordpress_sites.yml` file -2. Set the `branch` you want to deploy -3. Run `./bin/deploy.sh ` -4. 
To rollback a deploy, run `ansible-playbook rollback.yml -e "site= env="` +2. Set the `branch` you want to deploy (defaults to `master`) + +### Using trellis-cli + +Deploy a site: +```bash +$ trellis deploy +``` + +Rollback a deploy: +```bash +$ trellis rollback +``` + +### Manual + +Deploy a site: +```bash +$ ./bin/deploy.sh +``` + +Rollback a deploy: +```bash +$ ansible-playbook rollback.yml -e "site= env=" +``` [Read the deploys docs](https://roots.io/trellis/docs/deploys/) for more information. From 099962c416ad59ba4b436eda9828693e16a6feef Mon Sep 17 00:00:00 2001 From: TangRufus Date: Mon, 27 Jan 2020 12:24:27 +0000 Subject: [PATCH 227/663] Nginx: Block `composer/installed.json` --- CHANGELOG.md | 1 + roles/wordpress-setup/templates/wordpress-site.conf.j2 | 10 +++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a64e6a704..872957ed6f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * Use modern SSL config for Nginx ([#1127](https://github.com/roots/trellis/pull/1127)) * Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) +* Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index ab0c182dc7..0e3b1270df 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -121,7 +121,7 @@ server { deny all; } {% endblock %} - + {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. location ~* \.(blade\.php|twig)$ { 
@@ -135,6 +135,10 @@ server { deny all; } + location ~* composer/installed\.json$ { + deny all; + } + location ~* auth\.json$ { deny all; } @@ -143,12 +147,12 @@ server { location ~* package(-lock)?\.json$ { deny all; } - + # yarn location ~* yarn\.lock$ { deny all; } - + # bundler location ~* Gemfile(\.lock)?$ { deny all; From ca56ae5f0b2b262af173d4a0b025e2f69d883621 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 11 Feb 2020 15:45:05 -0700 Subject: [PATCH 228/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7d056980af..797441b887 100644 --- a/README.md +++ b/README.md @@ -176,7 +176,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Scale Dynamix +Kinsta KM Digital Nestify ## Community From 24b40b6c3880943097202f1d31cd73e6f8bad518 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Thu, 13 Feb 2020 17:55:18 +0000 Subject: [PATCH 229/663] Run `git clean` after checking `git clone` is successful --- CHANGELOG.md | 1 + roles/deploy/tasks/update.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 872957ed6f..5f9d9836f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ * Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) +* Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) 
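Review bot: The new `location ~* composer/installed\.json$` block denies exactly one file, while a vendored `vendor/composer/` directory inside a theme or plugin also holds the `autoload_*.php` maps and, in newer Composer releases, `installed.php`, which list the same dependencies. If the goal is to keep dependency metadata off the web, matching the directory is simpler and needs no per-file updates: `location ~* /vendor/composer/ { deny all; }`. If only the JSON file is meant, widening the pattern to `composer/installed\.(json|php)$` at least keeps pace with Composer 2.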
diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 61bb72013a..305bc82f59 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -24,13 +24,6 @@ no_log: true register: git_clone -- name: Remove untracked files from project folder - command: git clean -fdx - args: - chdir: "{{ project_source_path }}" - register: git_clean - changed_when: not not(git_clean.stdout) - - name: Failed connection to remote repo fail: msg: | @@ -40,6 +33,13 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding when: git_clone is failed +- name: Remove untracked files from project folder + command: git clean -fdx + args: + chdir: "{{ project_source_path }}" + register: git_clean + changed_when: not not(git_clean.stdout) + - include_tasks: "{{ include_path }}" with_items: "{{ deploy_update_after | default([]) }}" loop_control: From e2a532dc4b2f4183d9e151475d60ebfdb1c5d199 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 16 Feb 2020 17:27:18 +0000 Subject: [PATCH 230/663] Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` --- CHANGELOG.md | 1 + roles/xdebug-tunnel/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f9d9836f9..8dee7ada8b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) +* Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) 
diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 86a84909c0..88a8dd9b60 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -2,7 +2,7 @@ - name: Create or close Xdebug SSH tunnel command: | {% if xdebug_remote_enable | bool %} - ssh -M -S '{{ xdebug_tunnel_control_socket }}' -fnNT -R {{ xdebug_tunnel_port_mapping }} {{ xdebug_tunnel_user_at_host}} '{{ xdebug_tunnel_control_identity }}' + ssh -M -S '{{ xdebug_tunnel_control_socket }}' -fnNT -R {{ xdebug_tunnel_port_mapping }} {{ xdebug_tunnel_user_at_host }} '{{ xdebug_tunnel_control_identity }}' {% else %} ssh -S '{{ xdebug_tunnel_control_socket }}' -O exit '{{ xdebug_tunnel_control_identity }}' {% endif %} From 88dc16004b17088b14c72ccbbb57ef5e9b3dcef9 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:51:07 +0000 Subject: [PATCH 231/663] Lint: Fix `[301] Commands should not change things if nothing needs doing` --- roles/common/tasks/reload_nginx.yml | 1 + roles/rollback/tasks/prior-release.yml | 2 ++ roles/rollback/tasks/user-release.yml | 1 + roles/xdebug-tunnel/tasks/main.yml | 1 + 4 files changed, 5 insertions(+) diff --git a/roles/common/tasks/reload_nginx.yml b/roles/common/tasks/reload_nginx.yml index 952a6082e0..5e30a58704 100644 --- a/roles/common/tasks/reload_nginx.yml +++ b/roles/common/tasks/reload_nginx.yml @@ -2,6 +2,7 @@ - name: reload nginx command: nginx -t notify: "{{ (role_path | basename == 'common') | ternary('perform nginx reload', omit) }}" + changed_when: false - name: perform nginx reload service: diff --git a/roles/rollback/tasks/prior-release.yml b/roles/rollback/tasks/prior-release.yml index 1788aeebe8..402ee77d20 100644 --- a/roles/rollback/tasks/prior-release.yml +++ b/roles/rollback/tasks/prior-release.yml @@ -4,6 +4,7 @@ args: chdir: "{{ project_root }}" register: current_release_position + changed_when: false - name: Fail if current release is the oldest available release fail: 
@@ -15,6 +16,7 @@ args: chdir: "{{ project_root }}" register: releases + changed_when: false - name: Create new_release_path variable set_fact: diff --git a/roles/rollback/tasks/user-release.yml b/roles/rollback/tasks/user-release.yml index 073506659e..d360cccda3 100644 --- a/roles/rollback/tasks/user-release.yml +++ b/roles/rollback/tasks/user-release.yml @@ -9,6 +9,7 @@ args: chdir: "{{ project_root }}" register: current_release + changed_when: false - name: Fail if user-specified release doesn't exist or is already active fail: diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 88a8dd9b60..2a23b104c0 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -10,6 +10,7 @@ become: no register: xdebug_tunnel ignore_errors: true + changed_when: false - name: Interpret and present Xdebug SSH tunnel errors fail: From c54aebf6690b0cdd1956a0d3a4dba768a2dd43ce Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 16:21:30 +0000 Subject: [PATCH 232/663] `nginx -t` awlays changed to trigger `notify` --- roles/common/tasks/reload_nginx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/reload_nginx.yml b/roles/common/tasks/reload_nginx.yml index 5e30a58704..9d30718aa9 100644 --- a/roles/common/tasks/reload_nginx.yml +++ b/roles/common/tasks/reload_nginx.yml @@ -2,7 +2,7 @@ - name: reload nginx command: nginx -t notify: "{{ (role_path | basename == 'common') | ternary('perform nginx reload', omit) }}" - changed_when: false + changed_when: true - name: perform nginx reload service: From 78ebc8100101a0f863ff5360c21ff723962168ec Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 16:26:47 +0000 Subject: [PATCH 233/663] `Create or close Xdebug SSH tunnel` awlays changed to trigger `notify` --- roles/xdebug-tunnel/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 2a23b104c0..84ec403faf 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -10,7 +10,7 @@ become: no register: xdebug_tunnel ignore_errors: true - changed_when: false + changed_when: true - name: Interpret and present Xdebug SSH tunnel errors fail: From c46da697badfb96b53a0ab3a25734beca1a56696 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 16 Feb 2020 18:10:10 +0000 Subject: [PATCH 234/663] Lint: Fix: `[306] Shells that use pipes should set the pipefail option` --- CHANGELOG.md | 1 + roles/deploy/tasks/prepare.yml | 10 ++++++++-- roles/letsencrypt/tasks/certificates.yml | 3 +++ roles/rollback/tasks/prior-release.yml | 5 ++++- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8dee7ada8b..fb29d1a7b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) * Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152)) +* Lint: Fix: `[306] Shells that use pipes should set the pipefail option ([#1153](https://github.com/roots/trellis/pull/1153)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 2d05f4df8e..3befa99dac 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml 
@@ -22,15 +22,21 @@ state: directory - name: Run git archive to populate new build dir - shell: git archive {{ project_version }} | tar xf - -C {{ deploy_helper.new_release_path }} + shell: | + set -eo pipefail + git archive {{ project_version }} | tar xf - -C {{ deploy_helper.new_release_path }} args: chdir: "{{ project_source_path }}" + executable: /bin/bash when: project.repo_subtree_path is not defined - name: Run git archive with subdirectory to populate new build dir - shell: git archive {{ project_version }} {{ project.repo_subtree_path }} | tar -x --strip-components {{ project.repo_subtree_path.split('/') | count }} -f - -C {{ deploy_helper.new_release_path }} + shell: | + set -eo pipefail + git archive {{ project_version }} {{ project.repo_subtree_path }} | tar -x --strip-components {{ project.repo_subtree_path.split('/') | count }} -f - -C {{ deploy_helper.new_release_path }} args: chdir: "{{ project_source_path }}" + executable: /bin/bash when: project.repo_subtree_path is defined - name: write unfinished file diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index 480d910253..ea5780d4e5 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -15,9 +15,12 @@ - name: Generate Lets Encrypt certificate IDs shell: | + set -eo pipefail echo "{{ [site_hosts | join(' '), letsencrypt_ca, acme_tiny_commit] | join('\n') }}" | cat {{ letsencrypt_account_key }} {{ letsencrypt_keys_dir }}/{{ item.key }}.key - | md5sum | cut -c -7 + args: + executable: /bin/bash register: generate_cert_ids changed_when: false when: site_uses_letsencrypt diff --git a/roles/rollback/tasks/prior-release.yml b/roles/rollback/tasks/prior-release.yml index 1788aeebe8..8ea0271e85 100644 --- a/roles/rollback/tasks/prior-release.yml +++ b/roles/rollback/tasks/prior-release.yml 
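Review bot: Both rewritten `shell:` bodies splice `{{ project_version }}`, `{{ project.repo_subtree_path }}` and `{{ deploy_helper.new_release_path }}` into the command line unquoted, so a value containing whitespace or shell metacharacters is word-split or interpreted by bash instead of reaching `git archive`/`tar` as one argument. These values come from inventory and group_vars rather than from the network, so the exposure is operator error rather than injection, but `git archive {{ project_version | quote }} | tar xf - -C {{ deploy_helper.new_release_path | quote }}` costs nothing and the same applies to the subtree variant. The `letsencrypt/tasks/certificates.yml` hunk in this commit has the same shape with `{{ letsencrypt_account_key }}` and `{{ letsencrypt_keys_dir }}`.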
@@ -1,8 +1,11 @@ --- - name: Get list position of current symlinked release - shell: "ls releases | grep -n $(basename $(readlink {{ project_current_path }})) | cut -f1 -d:" + shell: | + set -eo pipefail + ls releases | grep -n $(basename $(readlink {{ project_current_path }})) | cut -f1 -d: args: chdir: "{{ project_root }}" + executable: /bin/bash register: current_release_position - name: Fail if current release is the oldest available release From 37ab5d5da0f86cea806400fae6bf5294d3d09f6d Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 17:17:30 +0000 Subject: [PATCH 235/663] Void rolled back releases --- CHANGELOG.md | 1 + roles/rollback/tasks/main.yml | 29 +++++++++++++++++++---------- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8dee7ada8b..1810e62e73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) * Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152)) +* Void rolled back releases ([#1148](https://github.com/roots/trellis/pull/1148)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index 4185f2729b..cdf03f52d5 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml 
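Review bot: With `pipefail` now set, `grep -n` exiting 1 because the current release name is not listed by `ls releases` turns what used to be an empty `stdout` into a task failure with a raw shell error, so the friendlier `Fail if current release is the oldest available release` check that follows may never be reached; confirm that is acceptable or add a `failed_when` that explains the condition. Independently, the command substitution is unquoted and the `grep -n` pattern is unanchored, so a release name that is a substring of another matches several lines; `grep -nxF "$(basename "$(readlink '{{ project_current_path }}')")"` matches one whole fixed line only. Both points apply to the single rewritten command in this hunk.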
@@ -1,22 +1,31 @@ --- +- name: Get real path of current symlinked release + command: "readlink {{ project_current_path }}" + args: + chdir: "{{ project_root }}" + register: current_release_readlink_result + +- name: Clean up old and failed releases + deploy_helper: + state: clean + path: "{{ project_root }}" + current_path: "{{ project_current_path }}" + release: "{{ current_release_readlink_result.stdout }}" + keep_releases: "{{ project.deploy_keep_releases | default(deploy_keep_releases | default(omit)) }}" + - import_tasks: user-release.yml when: release is defined - import_tasks: prior-release.yml when: release is not defined -- name: Check whether target release was from a successful deploy - stat: - path: "{{ new_release_path }}/DEPLOY_UNFINISHED" - register: target - -- name: Fail if target release was from failed deploy - fail: - msg: "Cannot switch to release at {{ new_release_path }}. It is from an unfinished deploy. You may manually specify a different release using --extra-vars='release=12345678901234'." - when: target.stat.exists | default(False) - - name: Link 'current' directory to target release file: path: "{{ project_root }}/{{ project_current_path }}" src: "{{ new_release_path }}" state: link + +- name: Write unfinished file to old symlinked release + file: + path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED" + state: touch From 0dab6ddb9250e48f476f96aa324638ed86a4d411 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 17:35:09 +0000 Subject: [PATCH 236/663] Update change log entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8dee7ada8b..f1873d3a90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
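Review bot: `readlink {{ project_current_path }}` without `-f` returns the link target exactly as stored, so if `current` were ever a relative link the value in `current_release_readlink_result.stdout` is relative to `project_root`, yet the new `Write unfinished file to old symlinked release` task has no `chdir` and would presumably touch `DEPLOY_UNFINISHED` relative to the login user's working directory. `command: "readlink -f {{ project_current_path }}"` (or prefixing the `file:` path with `{{ project_root }}/`) removes the ambiguity, and the same value is what `deploy_helper` receives as `release:`. Separately, `state: clean` now runs before `prior-release.yml` picks the target, so with a small `deploy_keep_releases` it could prune the very release the rollback would select; worth confirming. Finally, dropping the `Check whether target release was from a successful deploy` tasks leaves clean-up as the only guard against switching to an unfinished release, so a one-line comment above `Clean up old and failed releases` stating that it is the guard would help the next reader.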
@@ -9,6 +9,7 @@ * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) * Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152)) +* Lint: Fix `[301] Commands should not change things if nothing needs doing ([#1139](https://github.com/roots/trellis/pull/1139)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) From a63d72706d8537edb4705c35a188c5ce1c7ae2f6 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Mon, 13 Jan 2020 15:49:47 +0000 Subject: [PATCH 237/663] CircleCI: `ansible-lint` playbooks Taken from https://github.com/ItinerisLtd/trellis_install_wp_cli_via_composer/blob/a1bc936d033641cc54556da5a7501d0685f8361d/.circleci/config.yml#L24-L32 --- .ansible-lint | 3 +++ .circleci/config.yml | 12 ++++++++++++ roles/deploy/tasks/update.yml | 2 +- 3 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000000..93b07a23e5 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,3 @@ +--- +skip_list: + - 204 # Lines should be no longer than 160 chars diff --git a/.circleci/config.yml b/.circleci/config.yml index f71bbe5faf..a08cadd5ff 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -52,6 +52,15 @@ orbs: ansible-playbook --syntax-check -e env=development rollback.yml ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml + lint: + executor: python-3 + steps: + - run: python --version + - checkout + - run: sudo pip install ansible-lint + - run: ansible-lint --version + - run: ansible-lint deploy.yml dev.yml server.yml rollback.yml xdebug-tunnel.yml + workflows: syntax-check: jobs: 
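Review bot: `- run: sudo pip install ansible-lint` installs whatever version is current on the day the job runs, so the lint job is not reproducible and a new ansible-lint release can start failing, or silently stop checking, this repository with no change on our side; the sibling syntax-check jobs already pin Ansible with `ansible-version: ~=2.7.0`. Pin it the same way, `- run: sudo pip install 'ansible-lint==<pinned version>'`, and bump deliberately. Installing into the system interpreter with `sudo` is also unnecessary on a throwaway executor; `pip install --user` or a virtualenv avoids it.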
@@ -80,3 +89,6 @@ workflows: name: syntax-check-python-2-ansible-2.7 python-version: '2' ansible-version: ~=2.7.0 + lint: + jobs: + - trellis/lint diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 305bc82f59..fcbe6b4e52 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -33,7 +33,7 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding when: git_clone is failed -- name: Remove untracked files from project folder +- name: Remove untracked files from project folder # noqa 303 command: git clean -fdx args: chdir: "{{ project_source_path }}" From f5784335e9b2db8d1b0a546d09ad5fbd061e5b76 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 18:01:59 +0000 Subject: [PATCH 238/663] Lint: Fix: `[301] Commands should not change things if nothing needs doing` --- roles/rollback/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index cdf03f52d5..f8bd6f80c3 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml @@ -4,6 +4,7 @@ args: chdir: "{{ project_root }}" register: current_release_readlink_result + changed_when: false - name: Clean up old and failed releases deploy_helper: From 95aa21293474f1ada30716dcd8c581583233596c Mon Sep 17 00:00:00 2001 From: Adam Tomat Date: Mon, 2 Mar 2020 19:55:01 +0000 Subject: [PATCH 239/663] Prevent search engines indexing any non-production environments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add “X-Robots-Tag: noindex, nofollow” header to nginx conf for all requests when on staging. See: https://make.wordpress.org/core/2019/09/02/changes-to-prevent-search-engines-indexing-sites/ --- roles/wordpress-setup/defaults/main.yml | 5 +++++ roles/wordpress-setup/templates/wordpress-site.conf.j2 | 8 ++++++++ 2 files changed, 13 insertions(+) 
diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 5b2e1768ee..d20ca05bb9 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -50,6 +50,11 @@ h5bp_cross_domain_fonts_enabled: "{{ h5bp.cross_domain_fonts | default(true) }}" h5bp_expires_enabled: "{{ h5bp.expires | default(false) }}" h5bp_protect_system_files_enabled: "{{ h5bp.protect_system_files | default(true) }}" +# X-Robots-Tag Header helpers +not_prod: "{{ env != 'production' }}" +robots_tag_header: "{{ item.value.robots_tag_header | default({}) }}" +robots_tag_header_enabled: "{{ robots_tag_header.enabled | default(not_prod) }}" + # PHP FPM php_fpm_pm_max_children: 10 php_fpm_pm_start_servers: 1 diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 0e3b1270df..73830f31a5 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -218,6 +218,14 @@ server { {% endif -%} {% endblock -%} + {% block robots_tag_header -%} + {% if robots_tag_header_enabled -%} + # Prevent search engines from indexing non-production environments + add_header X-Robots-Tag "noindex, nofollow" always; + + {% endif -%} + {% endblock -%} + {% block location_php -%} location ~ \.php$ { {% block location_php_basic -%} From 1f4b10aef6d9b610ab425d01b1fe1faeb3250f50 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 14 Mar 2020 17:04:45 +0000 Subject: [PATCH 240/663] Add `WP_DEBUG_LOG` to `.env` --- CHANGELOG.md | 1 + group_vars/all/helpers.yml | 1 + roles/deploy/vars/main.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 997d4fa0dc..d69eea7eaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
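Review bot: `add_header X-Robots-Tag "noindex, nofollow" always;` is emitted at `server` level, and nginx only inherits `add_header` into a `location` that defines no `add_header` of its own, so any location in this template that already sets headers (the h5bp includes, or the `location ~ \.php$` block that follows) will answer without the tag, which for WordPress pages is exactly where it matters. Confirm against the rendered config with a request for a PHP path on a non-production host, and if needed repeat the directive inside `location_php` or move it into an include every location pulls in. The defaults hunk also keys `not_prod` on `env != 'production'`, so an environment named differently (`prod`, say) is marked noindex; a comment beside `not_prod` saying the environment name must be exactly `production` would make that visible.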
@@ -12,6 +12,7 @@ * Lint: Fix: `[306] Shells that use pipes should set the pipefail option ([#1153](https://github.com/roots/trellis/pull/1153)) * Lint: Fix `[301] Commands should not change things if nothing needs doing ([#1139](https://github.com/roots/trellis/pull/1139)) * Void rolled back releases ([#1148](https://github.com/roots/trellis/pull/1148)) +* Add `WP_DEBUG_LOG` to `.env` on deploy ([#1160](https://github.com/roots/trellis/pull/1160)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 20a70ecf80..1e56f5c083 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -8,6 +8,7 @@ wordpress_env_defaults: wp_home: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}" wp_siteurl: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}/wp" domain_current_site: "{{ site_hosts_canonical | first }}" + wp_debug_log: "{{ www_root }}/{{ item.key }}/logs/debug.log" site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index 7015d3451b..c01bfc82c6 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml @@ -9,5 +9,6 @@ wordpress_env_defaults: domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" git_sha: "{{ git_clone.after }}" release_version: "{{ deploy_helper.new_release }}" + wp_debug_log: "{{ project_root }}/logs/debug.log" site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" 
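Review bot: `wp_debug_log` is now written into every environment's `.env`, pointing at `{{ www_root }}/{{ item.key }}/logs/debug.log`; that path is presumably outside the served `web/` root, but nothing in the hunk guarantees it, and a debug log reachable over HTTP exposes file paths, queries and stack traces. A comment such as `# Keep outside the document root: debug.log can contain paths, queries and traces` plus a check that provisioning creates `logs/` writable by the PHP user would cover it, since WordPress fails silently when it cannot open the file. The deploy-side default added in `roles/deploy/vars/main.yml` in this commit uses `{{ project_root }}/logs/debug.log`; if `project_root` is not `{{ www_root }}/{{ site }}` the two paths diverge and the log moves between a provision and a deploy.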
From d9ac670f7136e98101bc37cb5dbe9931f26cb271 Mon Sep 17 00:00:00 2001 From: Mark Jaquith Date: Tue, 31 Mar 2020 13:17:12 -0400 Subject: [PATCH 241/663] Update to PHP 7.4 fixes #1163 --- CHANGELOG.md | 1 + README.md | 2 +- dev.yml | 2 +- group_vars/all/users.yml | 2 +- roles/common/handlers/main.yml | 2 +- roles/deploy/hooks/finalize-after.yml | 2 +- roles/php/defaults/main.yml | 24 ++++++++++++------------ roles/php/tasks/main.yml | 24 +++++++++++++++++++----- roles/wordpress-setup/tasks/main.yml | 6 +++--- roles/xdebug/tasks/main.yml | 10 +++++----- server.yml | 2 +- xdebug-tunnel.yml | 2 +- 12 files changed, 47 insertions(+), 32 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d69eea7eaa..5e920fe203 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### Head +* Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) * Fix `subjectAltName` for self-signed certificates ([#1128](https://github.com/roots/trellis/pull/1128)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) diff --git a/README.md b/README.md index 797441b887..2f73ebdab3 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ Trellis will configure a server with the following and more: * Ubuntu 18.04 Bionic LTS * Nginx (with optional FastCGI micro-caching) -* PHP 7.3 +* PHP 7.4 * MariaDB (a drop-in MySQL replacement) * SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) * Let's Encrypt for free SSL certificates diff --git a/dev.yml b/dev.yml index 4159951902..f6658d9f58 100644 --- a/dev.yml +++ b/dev.yml 
@@ -6,7 +6,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: "WordPress Server: Install LEMP Stack with PHP 7.3 and MariaDB MySQL" +- name: "WordPress Server: Install LEMP Stack with PHP 7.4 and MariaDB MySQL" hosts: web:&development become: yes remote_user: vagrant diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index 2290fea7de..b61f4342cc 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -19,4 +19,4 @@ users: web_user: web web_group: www-data web_sudoers: - - "/usr/sbin/service php7.3-fpm *" + - "/usr/sbin/service php7.4-fpm *" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index ad0488c90b..a42884d2d3 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -9,7 +9,7 @@ - name: reload php-fpm service: - name: php7.3-fpm + name: php7.4-fpm state: reloaded - import_tasks: reload_nginx.yml diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index f7c2a1f756..751c27e0f3 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -34,6 +34,6 @@ when: wp_installed.rc == 0 - name: Reload php-fpm - shell: sudo service php7.3-fpm reload + shell: sudo service php7.4-fpm reload args: warn: false diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index f59a03b044..169df595ce 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml 
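Review bot: `sudo service php7.4-fpm reload` now runs on every deploy, but the matching `web_sudoers` entry in `group_vars/all/users.yml` (same commit) only reaches a server when it is re-provisioned, so a deploy from this Trellis against a host still on PHP 7.3 presumably stops here with a sudo denial and no `php7.4-fpm` service. That ordering belongs in the CHANGELOG entry or README ("re-provision before deploying"), because a denied sudo inside a `shell` task gives an error that does not point at the cause. The task keeps `warn: false` to silence the service-module hint; a one-line comment `# runs as the web user via web_sudoers, so the service module (root) is not usable here` would explain the choice.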
@@ -2,18 +2,18 @@ disable_default_pool: true memcached_sessions: false php_extensions_default: - php7.3-cli: "{{ apt_package_state }}" - php7.3-common: "{{ apt_package_state }}" - php7.3-curl: "{{ apt_package_state }}" - php7.3-dev: "{{ apt_package_state }}" - php7.3-fpm: "{{ apt_package_state }}" - php7.3-gd: "{{ apt_package_state }}" - php7.3-mbstring: "{{ apt_package_state }}" - php7.3-mysql: "{{ apt_package_state }}" - php7.3-opcache: "{{ apt_package_state }}" - php7.3-xml: "{{ apt_package_state }}" - php7.3-xmlrpc: "{{ apt_package_state }}" - php7.3-zip: "{{ apt_package_state }}" + php7.4-cli: "{{ apt_package_state }}" + php7.4-common: "{{ apt_package_state }}" + php7.4-curl: "{{ apt_package_state }}" + php7.4-dev: "{{ apt_package_state }}" + php7.4-fpm: "{{ apt_package_state }}" + php7.4-gd: "{{ apt_package_state }}" + php7.4-mbstring: "{{ apt_package_state }}" + php7.4-mysql: "{{ apt_package_state }}" + php7.4-opcache: "{{ apt_package_state }}" + php7.4-xml: "{{ apt_package_state }}" + php7.4-xmlrpc: "{{ apt_package_state }}" + php7.4-zip: "{{ apt_package_state }}" php_extensions_custom: {} php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index ceaf843c05..3914ab70ed 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -1,22 +1,36 @@ --- -- name: Add PHP 7.3 PPA +- name: Add PHP 7.4 PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.3 +- name: Install PHP 7.4 apt: name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" -- name: Start php7.3-fpm service +- name: Start php7.4-fpm service service: - name: php7.3-fpm + name: php7.4-fpm state: started enabled: true +- name: Check for existing php7.3-fpm service + stat: + path: /etc/init.d/php7.3-fpm + register: php73_status + +- name: Stop php7.3-fpm service if it exists + service: + name: php7.3-fpm + state: stopped + enabled: false + register: service_stopped + when: php73_status.stat.exists + notify: reload php-fpm + - name: Check for existing php7.2-fpm service stat: path: /etc/init.d/php7.2-fpm @@ -34,5 +48,5 @@ - name: PHP configuration file template: src: php.ini.j2 - dest: /etc/php/7.3/fpm/php.ini + dest: /etc/php/7.4/fpm/php.ini notify: reload php-fpm diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 59e3dc60f4..561811eba7 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -26,13 +26,13 @@ - name: Create WordPress php-fpm configuration file template: src: php-fpm.conf.j2 - dest: /etc/php/7.3/fpm/pool.d/wordpress.conf + dest: /etc/php/7.4/fpm/pool.d/wordpress.conf notify: reload php-fpm - name: Disable default PHP-FPM pool - command: mv /etc/php/7.3/fpm/pool.d/www.conf /etc/php/7.3/fpm/pool.d/www.disabled + command: mv /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.disabled args: - creates: /etc/php/7.3/fpm/pool.d/www.disabled + creates: /etc/php/7.4/fpm/pool.d/www.disabled when: disable_default_pool | default(true) notify: reload php-fpm diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index deadc88c50..6463d234e0 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
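Review bot: the new `Stop php7.3-fpm service if it exists` task registers `service_stopped`, which nothing in the hunk reads, and the `php7.2` block it was copied from presumably registers the same name right after it, so whichever task runs last overwrites the other; either drop the `register` or use a distinct name such as `php73_service_stopped` if a later task consumes it. The old `php7.3-*` packages are only stopped and disabled, never removed, so the 7.3 binaries and `/etc/php/7.3` configuration stay on upgraded hosts; that is a defensible choice, but a comment stating it (`# 7.3 packages are left installed; only the service is stopped and disabled`) saves the question on the next review. The `php7.2` block and the rest of the file continue outside the hunk.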
@@ -9,13 +9,13 @@ - name: Template the Xdebug configuration file template: src: xdebug.ini.j2 - dest: /etc/php/7.3/mods-available/xdebug.ini + dest: /etc/php/7.4/mods-available/xdebug.ini notify: reload php-fpm - name: Ensure 20-xdebug.ini is present file: - src: /etc/php/7.3/mods-available/xdebug.ini - dest: /etc/php/7.3/fpm/conf.d/20-xdebug.ini + src: /etc/php/7.4/mods-available/xdebug.ini + dest: /etc/php/7.4/fpm/conf.d/20-xdebug.ini state: link notify: reload php-fpm @@ -23,12 +23,12 @@ - name: Disable Xdebug file: - path: /etc/php/7.3/fpm/conf.d/20-xdebug.ini + path: /etc/php/7.4/fpm/conf.d/20-xdebug.ini state: absent when: not xdebug_remote_enable | bool notify: reload php-fpm - name: Disable Xdebug CLI file: - path: /etc/php/7.3/cli/conf.d/20-xdebug.ini + path: /etc/php/7.4/cli/conf.d/20-xdebug.ini state: absent diff --git a/server.yml b/server.yml index 7c44723477..cb6db5ca53 100644 --- a/server.yml +++ b/server.yml @@ -16,7 +16,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: WordPress Server - Install LEMP Stack with PHP 7.3 and MariaDB MySQL +- name: WordPress Server - Install LEMP Stack with PHP 7.4 and MariaDB MySQL hosts: web:&{{ env }} become: yes roles: diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 2c8a975438..d85a1c59cb 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -15,5 +15,5 @@ handlers: - name: reload php-fpm service: - name: php7.3-fpm + name: php7.4-fpm state: reloaded From bf0cf3bdfe99e40bc4600ebcbe4f678e3d174239 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 2 Apr 2020 09:56:41 -0400 Subject: [PATCH 242/663] v1.4.0 --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e920fe203..2f0d820ecb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,11 +1,11 @@ -### Head +### 1.4.0: April 2nd, 2020 * Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) * Fix `subjectAltName` for self-signed certificates ([#1128](https://github.com/roots/trellis/pull/1128)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) * Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) * Use modern SSL config for Nginx ([#1127](https://github.com/roots/trellis/pull/1127)) -* Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) +* Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder ([#1145](https://github.com/roots/trellis/pull/1145)) * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) From acf2e7cfc4b60bd8264c6fb2a45fd903b1862243 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 4 Apr 2020 17:53:25 -0400 Subject: [PATCH 243/663] Bump version_tested_max to 2.8.10 --- CHANGELOG.md | 3 +++ lib/trellis/plugins/vars/version.py | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f0d820ecb..a3c666b90a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) + ### 1.4.0: April 2nd, 2020 * Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) 
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 93c325ab34..85bbc64a32 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.7.12' -version_tested_max = '2.8.4' +version_tested_max = '2.8.10' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): From 2f198e5efac5e78fc5e821a1d6334b675d5c6e08 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 4 Apr 2020 21:18:38 -0400 Subject: [PATCH 244/663] Fix Callback plugin for Ansible 2.9 --- lib/trellis/plugins/callback/output.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index 9bb2cbede6..7344b803aa 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py @@ -5,6 +5,14 @@ import os.path import sys +DOCUMENTATION = ''' + callback: output + type: stdout + short_description: Custom output for Trellis + extends_documentation_fragment: + - default_callback +''' + from ansible.plugins.callback.default import CallbackModule as CallbackModule_default try: From be670b165b207932957f1b87d28242e7f898a5dc Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 5 Apr 2020 11:05:44 -0400 Subject: [PATCH 245/663] Use no_log for passwords --- roles/mariadb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index f4e21e561e..15db772874 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -39,6 +39,7 @@ password: "{{ mysql_root_password }}" check_implicit_admin: yes state: present + no_log: true with_items: - "{{ inventory_hostname }}" - 127.0.0.1 From 6b8aed676869dc77ab03c13d27ed0eb361fa5b9c Mon Sep 17 00:00:00 2001 
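Review bot: the `DOCUMENTATION` string is placed between `import sys` and the `from ansible.plugins.callback.default import …` line, splitting the import block; Ansible's bundled callback plugins put it directly after the `__future__`/`__metaclass__` lines and before all other imports, which is where readers and linters expect it. The block also carries only `short_description`; a one-line `description` saying why the fragment matters (presumably `default_callback` supplies the options that the inherited `CallbackModule_default` reads through `get_option` on Ansible 2.9, which is what this fix relies on) would document the actual purpose of the change. The module continues on both sides of the hunk.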
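Review bot: `no_log: true` on the task that passes `mysql_root_password` keeps the password out of `-v` output and logs, but it also hides the module's failure message and the loop item labels, so a failing run prints only a censored result; a short comment `# no_log: keeps mysql_root_password out of verbose output and logs` tells the next reader why the task is opaque. Any other task in this role that passes a password (the per-site database user creation, presumably further down the file) needs the same `no_log: true`, otherwise the vaulted `db_password` values still appear under `-v`. The task's name and module line are outside the hunk.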
From: Scott Walkinshaw Date: Sun, 5 Apr 2020 11:05:58 -0400 Subject: [PATCH 246/663] Coerce value to string --- roles/memcached/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index dc62343926..359ee645f3 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -15,7 +15,7 @@ - name: Set the max open file descriptors sysctl: name: fs.file-max - value: "{{ memcached_fs_file_max }}" + value: "{{ memcached_fs_file_max | string }}" state: present - name: Start the memcached service From 1a7f473105260c631a140441fb40fcb191016f77 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 22 Jan 2020 05:05:23 +0000 Subject: [PATCH 247/663] Bump ansible requirement to 2.8.0 https://github.com/roots/trellis/pull/1141 is based on https://github.com/ansible/ansible-lint/issues/457#issuecomment-455038475 which depends on https://github.com/ansible/ansible/pull/51030 which merged into ansible v2.8.0. --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- requirements.txt | 2 +- vagrant.default.yml | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3c666b90a..969d7b1bb4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### HEAD * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) +* Bump Ansible requirement to 2.8.0 ([#1147](https://github.com/roots/trellis/pull/1147)) ### 1.4.0: April 2nd, 2020 * Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 85bbc64a32..afdcf34f60 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
@@ -14,7 +14,7 @@ from ansible.utils.display import Display display = Display() -version_requirement = '2.7.12' +version_requirement = '2.8.0' version_tested_max = '2.8.10' python3_required_version = '2.5.3' diff --git a/requirements.txt b/requirements.txt index eb776ef0e2..05cb7d2920 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.7.12,<2.9 +ansible>=2.8.0,<2.9 passlib diff --git a/vagrant.default.yml b/vagrant.default.yml index 64b48f7dfe..a41258b078 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-18.04' vagrant_box_version: '>= 201807.12.0' -vagrant_ansible_version: '2.7.12' +vagrant_ansible_version: '2.8.0' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From 5f60808e5078e7369e013a1a182411ee00430cf3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 4 Apr 2020 17:17:56 -0400 Subject: [PATCH 248/663] Remove 2.7 cli options compat code --- lib/trellis/plugins/callback/vars.py | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 338d8f9597..9cd0f941e2 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -13,6 +13,7 @@ from ansible.plugins.callback import CallbackBase from ansible.template import Templar from ansible.utils.unsafe_proxy import wrap_var +from ansible import context class CallbackModule(CallbackBase): @@ -23,13 +24,7 @@ class CallbackModule(CallbackBase): def __init__(self): super(CallbackModule, self).__init__() - - # handle Ansible 2.7 and 2.8 cases by normalizing each into a dict - try: - from ansible import context - self._options = context.CLIARGS - except ImportError: - self._options = vars(cli.options) if cli else {} + self._options = context.CLIARGS def raw_triage(self, key_string, item, patterns): # process dict values 
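Review bot: with the Ansible 2.7 fallback gone, the `cli` name the removed `except ImportError` branch relied on (`vars(cli.options) if cli else {}`) is presumably still imported or defined near the top of the file and is now dead; drop it in the same change so the module carries no unused import. `context.CLIARGS` is an immutable mapping rather than the plain dict `vars(cli.options)` produced, so any later code that assigns into `self._options` would now raise; worth a glance at the uses outside the hunk. `__init__` is fully inside the hunk; `raw_triage` begins at its last line.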
From 980b1425b96c9d9e80acaab5e7a777d41cd9df27 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Mon, 6 Apr 2020 12:59:35 +0100 Subject: [PATCH 249/663] CircleCI: Drop ansible 2.7 tests --- .circleci/config.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index a08cadd5ff..88679c8332 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -72,10 +72,6 @@ workflows: name: syntax-check-python-3-ansible-2.8 python-version: '3' ansible-version: ~=2.8.0 - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.7 - python-version: '3' - ansible-version: ~=2.7.0 - trellis/syntax-check: name: syntax-check-python-2-ansible-latest @@ -85,10 +81,6 @@ workflows: name: syntax-check-python-2-ansible-2.8 python-version: '2' ansible-version: ~=2.8.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.7 - python-version: '2' - ansible-version: ~=2.7.0 lint: jobs: - trellis/lint From d2d7e93f652290e13cdb3ff8dfd0db03f80d9e2a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 6 Apr 2020 09:18:31 -0400 Subject: [PATCH 250/663] Remove nginx_includes_deprecated feature This has been deprecated for almost 4 years now. The proper solution is documented at https://roots.io/docs/trellis/master/nginx-includes/. --- CHANGELOG.md | 1 + roles/wordpress-setup/defaults/main.yml | 3 +-- roles/wordpress-setup/tasks/nginx-includes.yml | 6 ------ 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3c666b90a..5fa60a310b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) ### 1.4.0: April 2nd, 2020 diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index d20ca05bb9..7bbf3961dc 100644 
--- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -34,8 +34,7 @@ nginx_cache_background_update: "on" # Nginx includes nginx_includes_templates_path: nginx-includes -nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d -nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }}|{{ nginx_includes_deprecated | regex_escape }})/(.*)\\.j2$" +nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }})/(.*)\\.j2$" nginx_includes_d_cleanup: true # h5bp helpers diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 960a82fdf1..0b350dd262 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -3,18 +3,12 @@ find: paths: - "{{ nginx_includes_templates_path }}" - - "{{ nginx_includes_deprecated }}" pattern: "*.conf.j2" recurse: yes become: no delegate_to: localhost register: nginx_includes_templates -- name: Warn about deprecated Nginx includes directory - debug: - msg: "[DEPRECATION WARNING]: The `{{ nginx_includes_deprecated }}` directory for Trellis Nginx includes templates is deprecated and will no longer function beginning with Trellis 1.0. Please move these templates to a directory named `{{ nginx_includes_templates_path }}` in the root of this project. For more information, see https://roots.io/trellis/docs/nginx-includes/" - when: True in nginx_includes_templates.files | map(attribute='path') | map('search', nginx_includes_deprecated | regex_escape) | list - - name: Create includes.d directories file: path: "{{ nginx_path }}/includes.d/{{ item }}" From aa9f17dd6dcff0fc12dafbf0cbe6837466a4a214 Mon Sep 17 00:00:00 2001 
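Review bot: `nginx_includes_pattern` keeps the parentheses around what is now a single alternative; that looks redundant but presumably preserves the directory as group 1 and the relative template path as group 2 for the `regex_replace` that consumes the pattern elsewhere. A comment such as `# groups: 1 = templates dir, 2 = relative template path (referenced by the includes tasks)` would stop a later cleanup from dropping the parentheses and shifting the group numbers. The file continues outside the hunk.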
From: Scott Walkinshaw Date: Sat, 4 Apr 2020 19:19:41 -0400 Subject: [PATCH 251/663] Support Ansible 2.9 --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 665eaa7e4c..eae5fa5774 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169)) * [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) * Bump Ansible requirement to 2.8.0 ([#1147](https://github.com/roots/trellis/pull/1147)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index afdcf34f60..6c14527cc6 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.8.0' -version_tested_max = '2.8.10' +version_tested_max = '2.9.6' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/requirements.txt b/requirements.txt index 05cb7d2920..cecd05381d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.8.0,<2.9 +ansible>=2.8.0,<3.0 passlib From 67eee56a5134a626bf05f7f347a1a5babf800c28 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Mon, 6 Apr 2020 12:51:13 +0100 Subject: [PATCH 252/663] CircleCI: Add ansible 2.9 tests --- .circleci/config.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 88679c8332..4c4e865bce 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -68,6 +68,10 @@ workflows: name: syntax-check-python-3-ansible-latest python-version: '3' ansible-version: '' + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.9 + python-version: '3' + ansible-version: ~=2.9.0 - trellis/syntax-check: name: syntax-check-python-3-ansible-2.8 python-version: '3' @@ -77,6 +81,10 @@ workflows: name: syntax-check-python-2-ansible-latest python-version: '2' ansible-version: '' + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.9 + python-version: '2' + ansible-version: ~=2.9.0 - trellis/syntax-check: name: syntax-check-python-2-ansible-2.8 python-version: '2' From 136a6a8cc6fc79105052c888e8e2e55bb8a91ddb Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 6 Apr 2020 22:54:10 -0400 Subject: [PATCH 253/663] Fix bare variable deprecation warnings --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 4b9d9b26b8..eeb772209d 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -1,5 +1,5 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" -site_uses_letsencrypt: ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' +site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' | bool }}" missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" 
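Review bot: in the new `site_uses_letsencrypt`, Jinja applies `| bool` to the string `'letsencrypt'` before the `==` comparison, so the expression reads `ssl_enabled and (provider == ('letsencrypt' | bool))`; `'letsencrypt' | bool` is false, the comparison never holds, and the variable is false for every site. The cast has to wrap the whole conditional: `site_uses_letsencrypt: "{{ (ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt') | bool }}"`. `sites_using_letsencrypt` on the line above shows the intended condition.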
From f5609babe37064bc9288bc2b35d8986958268ffd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 7 Apr 2020 22:14:01 -0400 Subject: [PATCH 254/663] Fix site_uses_letsencrypt https://github.com/roots/trellis/pull/1175 wasn't entirely correct. This need parens around the actual conditional. --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index eeb772209d..3d924c6678 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -1,5 +1,5 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" -site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' | bool }}" +site_uses_letsencrypt: "{{ (ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt') | bool }}" missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" From a8bfb35a88413373710d83701cd41d9f3ea9516e Mon Sep 17 00:00:00 2001 From: Brandon Date: Sat, 25 Apr 2020 17:11:12 -0500 Subject: [PATCH 255/663] enhance(readme): Refactor README fix(readme): Fix documentation URL's --- README.md | 137 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 97 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index 2f73ebdab3..834d3e8999 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,51 @@ -# Trellis -[![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) -[![Build Status](https://img.shields.io/circleci/build/gh/roots/trellis?style=flat-square)](https://circleci.com/gh/roots/trellis) -[![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square&color=1da1f2)](https://twitter.com/rootswp) +

+ + Trellis + +

+ +

+ + MIT License + + + + Release + + + + Build Status + + + + Follow Roots + +

+ +

+ Ansible-powered LEMP stack for WordPress +
+ Built with ❤️ +

+ +

+ Official Website | Documentation | Change Log +

+ +## Supporting + +**Trellis** is an open source project and completely free to use. + +However, the amount of effort needed to maintain and develop new features and products within the Roots ecosystem is not sustainable without proper financial backing. If you have the capability, please consider donating using the links below: + +
+ +[![Donate via Patreon](https://img.shields.io/badge/donate-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) +[![Donate via PayPal](https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square&logo=paypal)](https://www.paypal.me/rootsdev) + +
+ +## Overview Ansible playbooks for setting up a LEMP stack for WordPress. 
@@ -14,39 +58,40 @@ Ansible playbooks for setting up a LEMP stack for WordPress. Trellis will configure a server with the following and more: -* Ubuntu 18.04 Bionic LTS -* Nginx (with optional FastCGI micro-caching) -* PHP 7.4 -* MariaDB (a drop-in MySQL replacement) -* SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) -* Let's Encrypt for free SSL certificates -* HTTP/2 support (requires SSL) -* Composer -* WP-CLI -* sSMTP (mail delivery) -* MailHog -* Memcached -* Fail2ban and ferm +- Ubuntu 18.04 Bionic LTS +- Nginx (with optional FastCGI micro-caching) +- PHP 7.4 +- MariaDB (a drop-in MySQL replacement) +- SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) +- Let's Encrypt for free SSL certificates +- HTTP/2 support (requires SSL) +- Composer +- WP-CLI +- sSMTP (mail delivery) +- MailHog +- Memcached +- Fail2ban and ferm ## Documentation -Full documentation is available at [https://roots.io/trellis/docs/](https://roots.io/trellis/docs/). +Full documentation is available at [https://roots.io/docs/trellis/master/installation/](https://roots.io/docs/trellis/master/installation/). ## Requirements Make sure all dependencies have been installed before moving on: -* [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -* [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 -* **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) +- [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 +- [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 +- **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) -**Windows user?** [Read the Windows getting started docs](https://roots.io/getting-started/docs/windows-development-environment-trellis/) for slightly different installation instructions. 
+**Windows user?** [Read the Windows getting started docs](https://roots.io/docs/getting-started/windows/#working-with-trellis) for slightly different installation instructions. ## Installation ### Using trellis-cli Create a new project: + ```bash $ trellis new example.com ``` @@ -55,7 +100,7 @@ $ trellis new example.com The recommended directory structure for a Trellis project looks like: -```shell +```bash example.com/ # → Root folder for the project ├── trellis/ # → Your clone of this repository └── site/ # → A Bedrock-based WordPress site @@ -66,18 +111,21 @@ example.com/ # → Root folder for the project See a complete working example in the [roots-example-project.com repo](https://github.com/roots/roots-example-project.com). - - 1. Create a new project directory: -```plain + +```bash $ mkdir example.com && cd example.com ``` + 2. Install Trellis: -```plain + +```bash $ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git ``` + 3. Install Bedrock into the `site` directory: -```plain + +```bash $ composer create-project roots/bedrock site ``` @@ -89,6 +137,7 @@ $ composer create-project roots/bedrock site 2. Customize settings if necessary Start the Vagrant virtual machine: + ```bash $ trellis up ``` 
@@ -99,43 +148,47 @@ $ trellis up 2. Ensure you're in the trellis directory: `cd trellis` 3. Run `vagrant up` -[Read the local development docs](https://roots.io/trellis/docs/local-development-setup/) for more information. +[Read the local development docs](https://roots.io/docs/trellis/master/local-development/#wordpress-installation) for more information. ## Remote server setup (staging/production) A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. -1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) +1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/docs/trellis/master/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` -3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/)) +3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/docs/trellis/master/ssh-keys/)) ### Using trellis-cli Initialize Trellis (Virtualenv) environment: + ```bash $ trellis init ``` Provision the server: + ```bash $ trellis provision production ``` -Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) support to create a Droplet *and* provision it in a single command: +Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) support to create a Droplet _and_ provision it in a single command: + ```bash $ trellis droplet create production ``` ### Manual -For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. 
+For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/docs/trellis/master/remote-server-setup/#requirements) for more information. Provision the server: + ```bash $ ansible-playbook server.yml -e env= ``` -[Read the remote server docs](https://roots.io/trellis/docs/remote-server-setup/) for more information. +[Read the remote server docs](https://roots.io/docs/trellis/master/remote-server-setup/) for more information. ## Deploying to remote servers @@ -145,11 +198,13 @@ $ ansible-playbook server.yml -e env= ### Using trellis-cli Deploy a site: + ```bash $ trellis deploy ``` Rollback a deploy: + ```bash $ trellis rollback ``` @@ -157,16 +212,18 @@ $ trellis rollback ### Manual Deploy a site: + ```bash $ ./bin/deploy.sh ``` Rollback a deploy: + ```bash $ ansible-playbook rollback.yml -e "site= env=" ``` -[Read the deploys docs](https://roots.io/trellis/docs/deploys/) for more information. +[Read the deploys docs](https://roots.io/docs/trellis/master/deployments/) for more information. ## Contributing @@ -182,8 +239,8 @@ Help support our open-source development efforts by [becoming a patron](https:// Keep track of development and community news. -* Participate on the [Roots Discourse](https://discourse.roots.io/) -* Follow [@rootswp on Twitter](https://twitter.com/rootswp) -* Read and subscribe to the [Roots Blog](https://roots.io/blog/) -* Subscribe to the [Roots Newsletter](https://roots.io/subscribe/) -* Listen to the [Roots Radio podcast](https://roots.io/podcast/) +- Participate on the [Roots Discourse](https://discourse.roots.io/) +- Follow [@rootswp on Twitter](https://twitter.com/rootswp) +- Read and subscribe to the [Roots Blog](https://roots.io/blog/) +- Subscribe to the [Roots Newsletter](https://roots.io/subscribe/) +- Listen to the [Roots Radio podcast](https://roots.io/podcast/) From 77e947b5f8bcbd97d182a62ec10051053c2f29cc Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Wed, 6 May 2020 22:32:16 -0400 Subject: [PATCH 256/663] Update size --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 834d3e8999..ef884d53b6 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@

- Trellis + Trellis

From 78980fc1f8cf4f535c61c1a19c4eb821fab4494d Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 9 May 2020 12:20:27 -0600 Subject: [PATCH 257/663] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ef884d53b6..daa24d2507 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@

- Trellis + Trellis

@@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Nestify +Kinsta KM Digital ## Community From 8fa441b891f68725f11f6977c842009d74f416cf Mon Sep 17 00:00:00 2001 From: Raphael <53143154+raph-topo@users.noreply.github.com> Date: Wed, 22 Apr 2020 23:11:58 +0200 Subject: [PATCH 258/663] Make Fail2ban services list extensible enable adding custom services in 'group_vars/'; rename default list to 'fail2ban_services_default'; create 'fail2ban_services_default'; combine 'default' & 'custom'. --- roles/fail2ban/defaults/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index 473ae8a0d5..eebd75bc29 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml @@ -19,8 +19,11 @@ fail2ban_chain: INPUT fail2ban_action: action_ -fail2ban_services: +fail2ban_services_default: - name: ssh port: ssh filter: sshd logpath: /var/log/auth.log + +fail2ban_services_custom: [] +fail2ban_services: "{{ fail2ban_services_default + fail2ban_services_custom }}" From 0997eaf0e27393a29b75d19568a0f2cedcae5959 Mon Sep 17 00:00:00 2001 From: Raphael <53143154+raph-topo@users.noreply.github.com> Date: Wed, 22 Apr 2020 23:20:57 +0200 Subject: [PATCH 259/663] Make Fail2ban filters pluggable enable adding custom Fail2ban filters; task style inspired from 'nginx-includes' task in 'wordpress-setup' role; add tasks to copy Fail2ban filter configurations; set default folder 'fail2ban-filters'. --- roles/fail2ban/defaults/main.yml | 3 +++ roles/fail2ban/tasks/main.yml | 22 ++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index eebd75bc29..47138736a5 100644 --- a/roles/fail2ban/defaults/main.yml 
+++ b/roles/fail2ban/defaults/main.yml @@ -27,3 +27,6 @@ fail2ban_services_default: fail2ban_services_custom: [] fail2ban_services: "{{ fail2ban_services_default + fail2ban_services_custom }}" + +fail2ban_filter_templates_path: fail2ban_filters +fail2ban_filter_templates_pattern: "^({{ fail2ban_filter_templates_path | regex_escape }})/(.*)\\.j2$" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index dcc6adc5ab..e109366255 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -17,6 +17,28 @@ notify: - restart fail2ban +- name: build list of fail2ban filter templates + find: + paths: + - "{{ fail2ban_filter_templates_path }}" + pattern: "*.conf.j2" + become: no + delegate_to: localhost + register: fail2ban_filter_templates + +- name: ensure configuration directory exists + file: + path: /etc/fail2ban/filter.d/ + state: directory + mode: 0755 + +- name: template fail2ban filters + template: + src: "{{ item }}" + dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" + with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" + notify: restart fail2ban + - name: ensure fail2ban starts on a fresh reboot service: name: fail2ban From beaff2e0f6268b82d8399cd8e183386740ae2739 Mon Sep 17 00:00:00 2001 From: Raphael <53143154+raph-topo@users.noreply.github.com> Date: Wed, 6 May 2020 23:42:35 +0200 Subject: [PATCH 260/663] Improve the README Add new variables and their description. Explain how to add services and filters in `group_vars` and `fail2ban_filters` respectively. --- roles/fail2ban/README.md | 68 +++++++++++++++++++++++++--------------- 1 file changed, 43 insertions(+), 25 deletions(-) diff --git a/roles/fail2ban/README.md b/roles/fail2ban/README.md index a3aa07b68e..16b707fc8a 100644 --- a/roles/fail2ban/README.md +++ b/roles/fail2ban/README.md 
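Review bot: The new "template fail2ban filters" task writes into `/etc/fail2ban/filter.d/` without pinning ownership or permissions, so the resulting `.conf` files inherit whatever umask the become-user has on that host, unlike the explicit `mode: 0755` given to the directory one task earlier. Adding `owner: root`, `group: root` and `mode: "0644"` to the `template:` task makes the intended state explicit and idempotent across hosts. Separately, nothing removes a filter from the server once its `.conf.j2` is deleted locally, so a retired custom filter presumably keeps being loaded by fail2ban until someone cleans it up by hand; if that is intentional it deserves a comment such as `# filters removed from fail2ban_filters are not pruned on the server` above the task, and the `| sort(True)` (reverse sort) on the loop would benefit from a short why-comment too.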
@@ -1,19 +1,17 @@ -## What is ansible-fail2ban? +## What is this role? -It is an [ansible](http://www.ansible.com/home) role to install and configure fail2ban. +This role installs and configures [Fail2ban](https://github.com/fail2ban/fail2ban). -### What problem does it solve and why is it useful? - -Security is important and fail2ban is an excellent tool to harden your server with minimal or even no configuration. +Fail2ban is an excellent tool to harden your server with minimal configuration. ## Role variables -Below is a list of default values along with a description of what they do. +Below is a list of available variables, their description and their default value within Trellis. -``` +```yaml # Which log level should it be output as? -# Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Default: ERROR -fail2ban_loglevel: WARNING +# Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. +fail2ban_loglevel: INFO # Where should log outputs be sent to? # SYSLOG, STDERR, STDOUT, file @@ -56,10 +54,25 @@ fail2ban_chain: INPUT # action_, action_mw, action_mwl fail2ban_action: action_ -# What services should fail2ban monitor? -# You can define fail2ban_services as an empty string to not monitor anything. +# Trellis by default only monitors SSH connections +# For available parameters, see fail2ban_services_custom below. +fail2ban_services_default: + - name: ssh + port: ssh + filter: sshd + logpath: /var/log/auth.log + +# In which folder did you place custom filters? +# Filters MUST have .conf.j2 extension to copied to the servers. +fail2ban_filter_templates_path: fail2ban_filters +``` + +The following list variable is available for custom services (to be set up in `group_vars`): + +```yaml +# Which additional services should fail2ban monitor? # You can define multiple services as a standard yaml list. -fail2ban_services: +fail2ban_services_custom: # The name of the service # REQUIRED. - name: ssh 
@@ -77,11 +90,11 @@ fail2ban_services: # OPTIONAL: Defaults to the protocol listed above. protocol: tcp - # What filter should it use? + # Which filter should it use? # REQUIRED. filter: sshd - # Which log path should it monitor? + # Which log file should it monitor? # REQUIRED. logpath: /var/log/auth.log 
@@ -96,24 +109,29 @@ fail2ban_services: # How should the ban be applied? # OPTIONAL: Defaults to the banaction listed above. banaction: iptables-multiport + ``` -## Example playbook +## Custom Settings -Let's say you want to edit a few values, you can do this by opening `group_vars/all` and then add the following: +To add services, you might add the following to `group_vars/all/security.yml`, e.g.: -``` -fail2ban_services: - - name: ssh - port: ssh - filter: sshd +```yaml +fail2ban_services_custom: + - name: wordpress + filter: wordpress logpath: /var/log/auth.log - - name: postfix - port: smtp,ssmtp - filter: postfix - logpath: /var/log/mail.log + maxretry: 2 ``` +To add the corresponding filter, add it to the folder specified in `fail2ban_filter_templates_path`, i.e. `fail2ban_filters` per default (next to the `group_vars` folder). The filter configuration must be of `.conf.j2` extension for Trellis to recognize it. + +Filters might be provided by plugins as `.conf` files: it is then enough to simply append the file name with `.j2`. It is not required to modify these provided filters, but you may customize them to your liking. + +To develop custom filters, refer to the Fail2ban wiki: [How Fail2ban works](https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works) and [How to ban something…](https://github.com/fail2ban/fail2ban/wiki/How-to-ban-something-other-as-host-(IP-address),-like-user-or-mail,-etc.) for simple filter rules or [Developing Filters](https://fail2ban.readthedocs.io/en/latest/filters.html) for complex setups. + +If you need to edit the default services, copy the `fail2ban_services_default` list from `roles/fail2ban/defaults/main.yml` to `group_vars/all/security.yml` and edit as needed. + ## Attribution Many thanks to [nickjj](https://github.com/nickjj/) for creating the [original version](https://github.com/nickjj/ansible-fail2ban/) of this role. From 2fbed9d8b54d7d67fe0a494fede6e9eb33b91d4c Mon Sep 17 00:00:00 2001 
From: Raphael <53143154+raph-topo@users.noreply.github.com> Date: Sun, 10 May 2020 23:09:02 +0200 Subject: [PATCH 261/663] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index eae5fa5774..326b71b838 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) * Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169)) * [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) From 2ba823f2ecffe2642f791f0e824caf55ac4b5b4b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 12 May 2020 21:08:18 -0400 Subject: [PATCH 262/663] Improve ip_whitelist in development Fixes #1181 `ansible_default_ipv4.gateway` wasn't a good default as it wasn't the actual Vagrant external IP (`192.168.50.5`). `ansible_all_ipv4_addresses` is the replacement which includes that IP. This also moves the development specific override to the proper development config. --- CHANGELOG.md | 1 + group_vars/all/main.yml | 2 +- group_vars/development/main.yml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 326b71b838..d4d29e8cf9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### HEAD * Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) +* Improve ip_whitelist in development ([#1183](https://github.com/roots/trellis/pull/1183)) * Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169)) * [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) 
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index e7f9bd85fc..42349954d0 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -9,7 +9,7 @@ ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www ip_whitelist: - - "{{ (env == 'development') | ternary(ansible_default_ipv4.gateway, ipify_public_ip | default('')) }}" + - "{{ ipify_public_ip | default('') }}" # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml index 8d7c15913c..b922a41a5f 100644 --- a/group_vars/development/main.yml +++ b/group_vars/development/main.yml @@ -1,5 +1,6 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" env: development ferm_enabled: false +ip_whitelist: "{{ ansible_all_ipv4_addresses }}" mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml web_user: vagrant From 6968b444b8b109885c6004277f4e4585cf205efc Mon Sep 17 00:00:00 2001 
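Review bot: After this change `ip_whitelist` in `group_vars/all/main.yml` is a one-element list whose element is the empty string whenever `ipify_public_ip` is undefined (the `| default('')` survives the edit), so any consumer that renders the entries straight into a firewall or nginx allow-list presumably has to filter that empty entry itself; I cannot see the consumers from this hunk, so treat that as something to confirm. If they do not already filter it, `ip_whitelist: "{{ [ipify_public_ip | default('')] | reject('equalto', '') | list }}"` keeps the key defined while avoiding an empty entry. The development override switching from a templated element to a templated list (`"{{ ansible_all_ipv4_addresses }}"`) is fine, but note that it depends on fact gathering, as the old `ansible_default_ipv4.gateway` did, and that it whitelists every guest interface address, not only the host-only one named in the commit message.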
From: Phil Nelson Date: Tue, 2 May 2017 17:24:16 -0600 Subject: [PATCH 263/663] Remove unnecessary ID from Let's Encrypt bundled cert filename The CSR and cert_file use an ID in their filenames to ensure they are regenerated in response to changes in relevant conditions. However, an ID in the bundled cert filename serves no purpose. This commit removes the ID from the bundled cert filename, offering other programs a more stable and static path for the bundled cert. This commit also rsyncs existing ID-in-filename bundled certs to their non-ID counterparts. This ensures the non-ID certs exist when users happen to run only the `wordpress` tag and not the `letsencrypt` tag. In such a scenario, the wordpress-site.conf files would be regenerated with non-ID filenames but such files would not exist without an rsync effective under the same Ansible tag. --- CHANGELOG.md | 1 + roles/letsencrypt/tasks/certificates.yml | 4 +- roles/letsencrypt/templates/renew-certs.py | 67 ++++++++++++------- .../templates/wordpress-site.conf.j2 | 2 +- 4 files changed, 46 insertions(+), 28 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4d29e8cf9..eb1d766389 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834)) * Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) * Improve ip_whitelist in development ([#1183](https://github.com/roots/trellis/pull/1183)) * Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169)) diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index ea5780d4e5..efc86dc568 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml 
@@ -25,7 +25,7 @@ changed_when: false when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" - tags: [wordpress, wordpress-setup, nginx-includes, nginx-sites] + tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes] - name: Generate CSRs shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr" @@ -40,6 +40,7 @@ src: renew-certs.py dest: "{{ acme_tiny_data_directory }}/renew-certs.py" mode: 0700 + tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes] - name: Generate the certificates command: ./renew-certs.py @@ -48,3 +49,4 @@ register: generate_certs changed_when: generate_certs.stdout is defined and 'Created' in generate_certs.stdout notify: reload nginx + tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes] diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 6d4b5f0304..991c1fce61 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -1,5 +1,7 @@ #!/usr/bin/env python +from __future__ import print_function + import os import sys import time 
@@ -10,38 +12,51 @@ letsencrypt_cert_ids = {{ letsencrypt_cert_ids }} for site in {{ sites_using_letsencrypt }}: - bundled_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', site + '-' + letsencrypt_cert_ids[site] + '-bundled.cert') + csr_path = os.path.join('{{ acme_tiny_data_directory }}', 'csrs', '{}-{}.csr'.format(site, letsencrypt_cert_ids[site])) + bundled_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', '{}-bundled.cert'.format(site)) + bundled_hashed_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', '{}-{}-bundled.cert'.format(site, letsencrypt_cert_ids[site])) - if os.access(bundled_cert_path, os.F_OK): - stat = os.stat(bundled_cert_path) - print('Certificate file ' + bundled_cert_path + ' already exists') + # Generate or update root cert if needed + if not os.access(csr_path, os.F_OK): + failed = True + print('The required CSR file {} does not exist. This could happen if you changed site_hosts and have ' + 'not yet rerun the letsencrypt role. Create the CSR file by re-provisioning (running the Trellis ' + 'server.yml playbook) with `--tags letsencrypt`'.format(csr_path), file=sys.stderr) + continue - if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: - print(' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n') - continue + elif os.access(bundled_hashed_cert_path, os.F_OK) and time.time() - os.stat(bundled_hashed_cert_path).st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: + print('Certificate file {} already exists and is younger than {{ letsencrypt_min_renewal_age }} days. 
' + 'Not creating a new certificate.'.format(bundled_hashed_cert_path)) - print('Generating certificate for ' + site) + else: + cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + '--quiet ' + '--ca {{ letsencrypt_ca }} ' + '--account-key {{ letsencrypt_account_key }} ' + '--csr {} ' + '--acme-dir {{ acme_tiny_challenges_directory }}' + ).format(csr_path) + + try: + new_bundled_cert = check_output(cmd, stderr=STDOUT, shell=True) + except CalledProcessError as e: + failed = True + print('Error while generating certificate for {}\n{}'.format(site, e.output), file=sys.stderr) + continue + else: + with open(bundled_hashed_cert_path, 'w') as bundled_hashed_cert_file: + bundled_hashed_cert_file.write(new_bundled_cert) + with open(bundled_cert_path, 'w') as bundled_cert_file: + bundled_cert_file.write(new_bundled_cert) - cmd = ( - '/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' - '--quiet ' - '--ca {{ letsencrypt_ca }} ' - '--account-key {{ letsencrypt_account_key }} ' - '--csr {{ acme_tiny_data_directory }}/csrs/{0}-{1}.csr ' - '--acme-dir {{ acme_tiny_challenges_directory }}' - ).format(site, letsencrypt_cert_ids[site]) + if not os.access(bundled_cert_path, os.F_OK): + with open(bundled_hashed_cert_path, 'rb') as bundled_hashed_cert_file: + bundled_hashed_cert = bundled_hashed_cert_file.read() - try: - cert = check_output(cmd, stderr=STDOUT, shell=True) - except CalledProcessError as e: - failed = True - print('Error while generating certificate for ' + site) - print(e.output) - else: - with open(bundled_cert_path, 'w') as cert_file: - cert_file.write(cert) + with open(bundled_cert_path, 'w') as bundled_cert_file: + bundled_cert_file.write(bundled_hashed_cert) + print('Created bundled certificate {}'.format(bundled_cert_path)) - print('Created certificate for ' + site) if failed: sys.exit(1) 
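Review bot: The rewritten `else:` branch no longer prints anything after a successful issuance, yet the Ansible task that runs this script (visible in the certificates.yml hunk above) decides `changed_when` by looking for `'Created'` in stdout and only then notifies `reload nginx`; with both files written in that branch, the trailing `if not os.access(bundled_cert_path, os.F_OK)` can never fire, so a fresh or renewed certificate produces no `Created` line and nginx is not reloaded by the handler. Restoring a print after the two writes, e.g. `print('Created certificate for {}'.format(site))`, fixes that. A second, smaller inconsistency: the copy path opens the hashed cert with `'rb'` but writes the stable path with `'w'`, and `check_output` returns bytes as well, so if `/usr/bin/env python` ever resolves to Python 3 the `write()` calls raise `TypeError`; opening every file in the same mode (`'wb'` for the writes) keeps the script version-agnostic. The loop body continues past the hunk into the `if failed:` exit, so the rest of the function is not visible here.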
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 73830f31a5..61d06356f9 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -92,7 +92,7 @@ server { ssl_certificate_key {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }}; {% elif item.value.ssl.provider | default('manual') == 'letsencrypt' -%} - ssl_certificate {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}-bundled.cert; + ssl_certificate {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-bundled.cert; ssl_certificate_key {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}.key; {% elif item.value.ssl.provider | default('manual') == 'self-signed' -%} From 11b9874962ac4ef78c748f4ac7a477c86c494ca0 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 17 May 2020 09:31:29 +0800 Subject: [PATCH 264/663] Update CircleCI Config --- .circleci/config.yml | 206 ++++++++++++++++++++++++++----------------- CHANGELOG.md | 1 + 2 files changed, 125 insertions(+), 82 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 4c4e865bce..ab6df8e3e3 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -1,94 +1,136 @@ version: 2.1 orbs: - trellis: - executors: - python-2: - docker: - - image: 'circleci/python:2-stretch' - python-3: - docker: - - image: 'circleci/python:3-stretch' + python: circleci/python@0.3 - jobs: - syntax-check: - parameters: - ansible-version: - type: string - python-version: - type: enum - enum: ['3', '2'] - executor: python-<< parameters.python-version >> - steps: - - run: python --version - - checkout - - restore_cache: - keys: - - ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "galaxy.yml" }} - - run: - name: Install Python dependencies in a venv - command: | - virtualenv venv - . venv/bin/activate - pip install ansible<< parameters.ansible-version >> - ansible --version - - run: - name: Install Galaxy roles - command: | - . venv/bin/activate - ansible-galaxy install -r galaxy.yml - - save_cache: - key: ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "galaxy.yml" }} - paths: - - venv - - vendor - - run: - name: Check Playbook syntax - command: | - . 
venv/bin/activate - ansible-playbook --syntax-check -e env=development deploy.yml - ansible-playbook --syntax-check -e env=development dev.yml - ansible-playbook --syntax-check -e env=development server.yml - ansible-playbook --syntax-check -e env=development rollback.yml - ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml +commands: + install-pip-package: + parameters: + package: + type: string + python-version: + type: string + steps: + - restore_cache: + name: Restore pip Cache + keys: + - pip-v2-<>-<>- + - run: + name: Install pip Package + command: pip install --user --upgrade <> + - save_cache: + name: Save pip Cache + key: pip-v2-<>-<>-{{ epoch }} + paths: + - /home/circleci/.local/bin/ + - /home/circleci/.local/lib/ + - /home/circleci/.cache/pip/ + install-galaxy-roles: + steps: + - restore_cache: + name: Restore Galaxy Role Cache + keys: + - galaxy-role-v2-{{ checksum "galaxy.yml" }} + - run: + name: Install Galaxy Roles + command: ansible-galaxy install -r galaxy.yml + - save_cache: + name: Save Galaxy Role Cache + key: galaxy-role-v2-{{ checksum "galaxy.yml" }} + paths: + - vendor/ + check-playbook-syntax: + steps: + - run: + name: Check Playbook Syntax + command: | + ansible-playbook --syntax-check -e env=development deploy.yml + ansible-playbook --syntax-check -e env=development dev.yml + ansible-playbook --syntax-check -e env=development server.yml + ansible-playbook --syntax-check -e env=development rollback.yml + ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml + +jobs: + syntax-check: + parameters: + ansible-version: + type: string + python-version: + type: string + executor: + name: python/default + tag: <> + steps: + - run: python --version + - checkout + - install-pip-package: + package: ansible<< parameters.ansible-version >> + python-version: <> + - run: ansible --version + - install-galaxy-roles + - check-playbook-syntax - lint: - executor: python-3 - steps: - - run: python 
--version - - checkout - - run: sudo pip install ansible-lint - - run: ansible-lint --version - - run: ansible-lint deploy.yml dev.yml server.yml rollback.yml xdebug-tunnel.yml + syntax-check-with-requirements-txt: + parameters: + python-version: + type: string + executor: + name: python/default + tag: <> + steps: + - run: python --version + - checkout + - restore_cache: + name: Restore pip Cache + keys: + - pip-v2-<>-{{ checksum "requirements.txt" }}- + - run: + name: Install packages from requirements.txt (or any other file) via Pip. + command: pip install --user --upgrade --requirement requirements.txt + - save_cache: + name: Save pip Cache + key: pip-v2-<>-{{ checksum "requirements.txt" }}-{{ epoch }} + paths: + - /home/circleci/.local/bin/ + - /home/circleci/.local/lib/ + - /home/circleci/.cache/pip + - run: ansible --version + - install-galaxy-roles + - check-playbook-syntax + + lint: + parameters: + python-version: + type: string + executor: + name: python/default + tag: <> + steps: + - run: python --version + - checkout + - install-pip-package: + package: ansible-lint + python-version: <> + - run: ansible-lint --version + - run: ansible-lint deploy.yml dev.yml server.yml rollback.yml xdebug-tunnel.yml workflows: syntax-check: jobs: - - trellis/syntax-check: - name: syntax-check-python-3-ansible-latest - python-version: '3' - ansible-version: '' - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.9 - python-version: '3' - ansible-version: ~=2.9.0 - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.8 - python-version: '3' - ansible-version: ~=2.8.0 + - syntax-check: + name: syntax-check-python-<>-ansible<> + matrix: + parameters: + python-version: ["3.7", "2.7"] + ansible-version: ["~=2.9.0", "~=2.8.0"] + - syntax-check-with-requirements-txt: + name: syntax-check-python-<>-requirements-txt + matrix: + parameters: + python-version: ["3.7", "2.7"] - - trellis/syntax-check: - name: syntax-check-python-2-ansible-latest - 
python-version: '2' - ansible-version: '' - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.9 - python-version: '2' - ansible-version: ~=2.9.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.8 - python-version: '2' - ansible-version: ~=2.8.0 lint: jobs: - - trellis/lint + - lint: + name: lint-python-3.7 + python-version: "3.7" diff --git a/CHANGELOG.md b/CHANGELOG.md index eb1d766389..f7e662bc69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) * Bump Ansible requirement to 2.8.0 ([#1147](https://github.com/roots/trellis/pull/1147)) +* Update CircleCI Config ([#1184](https://github.com/roots/trellis/pull/1184)) ### 1.4.0: April 2nd, 2020 * Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) From 6465b7d7f7b8ff860ff4b7ce957f5b188973b0ea Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 18 May 2020 19:33:36 -0600 Subject: [PATCH 265/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index daa24d2507..15469de21f 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital +Kinsta KM Digital Carrot ## Community From 71a298b68ee6a70512f61178f3537b859cbd4932 Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 27 May 2020 00:43:38 +0200 Subject: [PATCH 266/663] Update `oefenweb.swapfile` from Ansible Galaxy --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index dbebc804ac..7cf262b99f 100644 --- a/galaxy.yml +++ b/galaxy.yml 
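Review bot: The `lint` job installs `ansible-lint` with no version constraint (`package: ansible-lint` through `pip install --user --upgrade`), while the syntax-check jobs carefully pin Ansible via the `ansible-version` matrix, so a new ansible-lint release can change or break the lint result with no change in this repository. The pip cache key for that job is a bare prefix (`pip-v2-<python>-<package>-` with an `{{ epoch }}` suffix on save), which means the version that actually runs also depends on which cache entry was restored most recently. Threading a pinned spec the same way Ansible is pinned, e.g. a `lint-version` job parameter and `package: ansible-lint<< parameters.lint-version >>`, makes the lint workflow reproducible and lets upgrades land as reviewed commits.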
@@ -12,7 +12,7 @@ - name: swapfile src: oefenweb.swapfile - version: v2.0.22 + version: v2.0.26 - name: mailhog src: geerlingguy.mailhog From df097d7f4376daf75c91587d7c9a8b3e6969de3c Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 27 May 2020 00:41:20 +0200 Subject: [PATCH 267/663] Update `geerlingguy.ntp` from Ansible Galaxy --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index dbebc804ac..6c09114c0d 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 1.6.4 + version: 2.0.0 - name: logrotate src: nickhammond.logrotate From 9b68f21b27d59e155b0f81b7ab54ab56a8bde766 Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 27 May 2020 19:42:50 +0200 Subject: [PATCH 268/663] Update `geerlingguy.mailhog` from Ansible Galaxy --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index dbebc804ac..32926539fc 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -16,4 +16,4 @@ - name: mailhog src: geerlingguy.mailhog - version: 2.1.4 + version: 2.2.0 From 286fafe036208f95c3e2ea0ed6828176d4d8e8cd Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 27 May 2020 19:53:45 +0200 Subject: [PATCH 269/663] Silence Ansible warning ``` TASK [mariadb : Delete anonymous MySQL server users] ************************************************************************************************************************************** ok: [staging_host] => (item=localhost) ok: [staging_host] => (item=staging_host) ok: [staging_host] => (item=******) [WARNING]: Module did not set no_log for update_password ``` I do not actually know why Ansible complains here. I guess it is just yet another "It's not a bug, it's a feature". --- roles/mariadb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 15db772874..8404f805f0 100644 --- a/roles/mariadb/tasks/main.yml 
+++ b/roles/mariadb/tasks/main.yml @@ -59,6 +59,7 @@ user: "" host: "{{ item }}" state: absent + no_log: true with_items: - localhost - "{{ inventory_hostname }}" From 66990db2e9b107ebafbdd6443e450426698f2ef2 Mon Sep 17 00:00:00 2001 From: Raphael Date: Thu, 28 May 2020 18:06:34 +0200 Subject: [PATCH 270/663] Fix #888 & #1189 to comply with [RFC2606](https://tools.ietf.org/html/rfc2606#section-2) ".invalid" is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid. --- roles/wordpress-setup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 7bbf3961dc..4684d17a67 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -5,7 +5,7 @@ nginx_ssl_path: "{{ nginx_path }}/ssl" ssl_default_site: no_default: site_hosts: - - canonical: example.com + - canonical: request.is.invalid ssl: enabled: true provider: self-signed From cf7c653e2c1e4922750bb49bd384d4fe3694d940 Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 8 Jun 2020 15:38:23 +0200 Subject: [PATCH 271/663] Fix Ansible deprecation warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `[DEPRECATION WARNING]: evaluating `[…]` as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future.` --- roles/ferm/handlers/main.yml | 2 +- roles/ferm/tasks/main.yml | 2 +- roles/mariadb/tasks/main.yml | 2 +- roles/nginx/tasks/main.yml | 2 +- roles/wordpress-setup/tasks/nginx-includes.yml | 2 +- roles/wordpress-setup/tasks/self-signed-certificate.yml | 8 ++++---- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/ferm/handlers/main.yml b/roles/ferm/handlers/main.yml index 16985eb8f5..2af34d8500 100644 --- a/roles/ferm/handlers/main.yml +++ b/roles/ferm/handlers/main.yml 
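Review bot: `no_log: true` on this task also suppresses the module's own error text, so a failure while deleting the anonymous users will surface only as an "output suppressed" line; since the arguments visible here (`user: ""`, `host`, `state: absent`) carry no secret, the line needs a comment saying why it exists, e.g. `# no_log: silences the "Module did not set no_log for update_password" warning; nothing secret is passed by this task`. The warning appears to come from the module's argument spec rather than from any value this task supplies, which is worth recording since the commit message says the cause is unknown. The task header (module name and any login credentials) lies above the hunk.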
@@ -1,4 +1,4 @@ --- - name: restart ferm service: name=ferm state=restarted - when: ferm_enabled \ No newline at end of file + when: ferm_enabled | bool diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index 63b0b0a4d0..bdbaa0b53d 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -65,7 +65,7 @@ - name: ensure iptables rules are enabled command: ferm --slow /etc/ferm/ferm.conf changed_when: false - when: ferm_enabled + when: ferm_enabled | bool - name: ensure iptables rules are disabled command: ferm --flush /etc/ferm/ferm.conf diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 8404f805f0..205e0eea04 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -29,7 +29,7 @@ dest: /etc/mysql/conf.d owner: root group: root - when: mysql_binary_logging_disabled + when: mysql_binary_logging_disabled | bool notify: restart mysql server - name: Set root user password diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 3f0202792c..e2e53d230a 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -21,7 +21,7 @@ args: chdir: "{{ nginx_path }}/ssl" creates: "{{ nginx_path }}/ssl/dhparams.pem" - when: sites_use_ssl + when: sites_use_ssl | bool notify: reload nginx tags: [diffie-hellman, letsencrypt, wordpress, wordpress-setup, nginx-includes, nginx-sites] diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 0b350dd262..0ea756a397 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -33,7 +33,7 @@ pattern: "*.conf" recurse: yes register: nginx_includes_existing - when: nginx_includes_d_cleanup + when: nginx_includes_d_cleanup | bool - name: Remove unmanaged files from includes.d file: 
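Review bot: Replacing a bare `when: ferm_enabled` with `ferm_enabled | bool` changes semantics, not only the warning: the `bool` filter maps any string outside Ansible's truthy set (`yes`, `on`, `1`, `true`) to false, and a list or dict to false as well, whereas the old bare-variable evaluation treated any non-empty value as true. For `ferm_enabled` a silent false is the unsafe direction, because the neighbouring `ensure iptables rules are disabled` task runs `ferm --flush` (its own condition is outside the hunk, presumably the inverse). Consider validating once in the role, e.g. `- assert: that: "ferm_enabled | string | lower in ['true', 'false']"`, or document where `ferm_enabled` is defined that only boolean values are accepted. The same review applies to the other hunks of this commit (`mysql_binary_logging_disabled`, `sites_use_ssl`, `nginx_includes_d_cleanup`) and to `sites_use_ssl`/`ssl_enabled` in self-signed-certificate.yml.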
diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 35e04f712b..193415e7d9 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -11,8 +11,8 @@ dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - - sites_use_ssl - - ssl_enabled + - sites_use_ssl | bool + - ssl_enabled | bool - item.value.ssl.provider | default('manual') == 'self-signed' - name: Generate self-signed certificates @@ -25,8 +25,8 @@ creates: "{{ item.key }}.*" with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - - sites_use_ssl - - ssl_enabled + - sites_use_ssl | bool + - ssl_enabled | bool - item.value.ssl.provider | default('manual') == 'self-signed' notify: reload nginx From f2cb87ee58f2def3929d2dc928127e1b72f69a8f Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 10 Jun 2020 19:03:06 +0200 Subject: [PATCH 272/663] Silence Ansible warning ``` TASK [wordpress-setup : Create/assign database user to db and grant permissions] ********* ok: [development_host] => (item=******) [WARNING]: Module did not set no_log for update_password ``` --- roles/wordpress-setup/tasks/database.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index 61c74a5475..8b1f885a98 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -20,6 +20,7 @@ login_host: "{{ site_env.db_host }}" login_user: "{{ mysql_root_user }}" login_password: "{{ mysql_root_password }}" + no_log: true with_dict: "{{ wordpress_sites }}" when: site_uses_local_db and item.value.db_create | default(true) From 8d5289a5c88fe541840f0179663278957c89582b Mon Sep 17 00:00:00 2001 
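Review bot: `no_log: true` is the right call on this task because its arguments include `login_password: "{{ mysql_root_password }}"`, but it also hides the MySQL error text when user creation fails, which makes an access-denied or privilege problem hard to diagnose; add a comment so nobody drops it while debugging, e.g. `# no_log: arguments carry mysql_root_password (and per-site DB credentials from wordpress_sites)`. The module name and remaining arguments are above the hunk, so that the per-site password is passed is inferred from the `with_dict: "{{ wordpress_sites }}"` loop rather than visible.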
From: Raphael Date: Sun, 14 Jun 2020 22:19:24 +0200 Subject: [PATCH 273/663] On development, whitelist all local IP ranges in Fail2ban & Ferm (#1190) --- group_vars/all/main.yml | 2 -- group_vars/all/security.yml | 4 ++++ group_vars/development/main.yml | 2 -- group_vars/development/security.yml | 6 ++++++ roles/fail2ban/defaults/main.yml | 2 +- 5 files changed, 11 insertions(+), 5 deletions(-) create mode 100644 group_vars/development/security.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 42349954d0..333aae75df 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -8,8 +8,6 @@ apt_dev_package_state: latest ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www -ip_whitelist: - - "{{ ipify_public_ip | default('') }}" # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml index 2d9df3d3b9..0aa2b604ba 100644 --- a/group_vars/all/security.yml +++ b/group_vars/all/security.yml @@ -15,3 +15,7 @@ ferm_input_list: # and in 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`) sshd_permit_root_login: true sshd_password_authentication: false + +ip_whitelist: + - 127.0.0.0/8 + - "{{ ipify_public_ip | default('') }}" diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml index b922a41a5f..1a3d9f3bd2 100644 --- a/group_vars/development/main.yml +++ b/group_vars/development/main.yml @@ -1,6 +1,4 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" env: development -ferm_enabled: false -ip_whitelist: "{{ ansible_all_ipv4_addresses }}" mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml web_user: vagrant 
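Review bot: `ip_whitelist` now always carries `"{{ ipify_public_ip | default('') }}"`, so when the ipify lookup is unavailable the list contains an empty string, which reaches `fail2ban_ignoreip` (the fail2ban defaults hunk of this commit) as a dangling token; filter it at the consumer, `fail2ban_ignoreip: "{{ ip_whitelist | reject('equalto', '') | join(' ') }}"`, and do the same wherever ferm renders the list. The more important point is what the non-empty case means: `ipify_public_ip` is the egress address of the machine running Ansible, so on staging/production every host behind the same NAT (office, VPN exit, CGNAT) shares the fail2ban exemption, and the firewall exemption too if ferm consumes the same variable. That deserves a comment on the definition, e.g. `# ipify_public_ip is the public egress IP of the Ansible controller; everything behind the same NAT is exempted as well`. The development list in group_vars/development/security.yml covers all RFC 1918 space, which fits a local VM but must not be copied to other environments.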
diff --git a/group_vars/development/security.yml b/group_vars/development/security.yml new file mode 100644 index 0000000000..fe079a2f7e --- /dev/null +++ b/group_vars/development/security.yml @@ -0,0 +1,6 @@ +ferm_enabled: false +ip_whitelist: + - 127.0.0.0/8 + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index 47138736a5..b1aa62d1a1 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml @@ -5,7 +5,7 @@ fail2ban_loglevel: INFO fail2ban_logtarget: /var/log/fail2ban.log fail2ban_socket: /var/run/fail2ban/fail2ban.sock -fail2ban_ignoreip: 127.0.0.1/8 {{ ip_whitelist | join(' ') }} +fail2ban_ignoreip: "{{ ip_whitelist | join(' ') }}" fail2ban_bantime: 600 fail2ban_maxretry: 6 From 92fbe6c6c1e903658ae5024bf6ee316d76209e28 Mon Sep 17 00:00:00 2001 From: Raphael Date: Sat, 20 Jun 2020 23:14:03 +0200 Subject: [PATCH 274/663] Fix Ansible deprecation warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `[DEPRECATION WARNING]: evaluating `[…]` as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future.` --- roles/users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index e84f720333..6ac64ff1ae 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -47,7 +47,7 @@ owner: root group: root validate: "/usr/sbin/visudo -cf %s" - when: web_sudoers + when: web_sudoers | bool - name: Add SSH keys authorized_key: From 3316adc7ccb3f2245a64cd77073b44e7f89e28ff Mon Sep 17 00:00:00 2001 From: Raphael Date: Sat, 20 Jun 2020 23:16:38 +0200 Subject: [PATCH 275/663] Bump Ansible max tested version --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
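Review bot: `when: web_sudoers | bool` skips the sudoers template whenever the variable holds a list, because the `bool` filter returns false for anything but a handful of scalar values; if `web_sudoers` is list-valued, as a sudoers file validated with `visudo -cf` suggests, the task never runs after this change. The condition that expresses the intent is `when: web_sudoers | default([]) | length > 0`, which is also safe when the variable is unset. The task header is above the hunk.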
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 6c14527cc6..c4356aeb7d 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.8.0' -version_tested_max = '2.9.6' +version_tested_max = '2.9.9' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): From a6fe14dd5b1428900224a61516edd876f0b0a2c5 Mon Sep 17 00:00:00 2001 From: Raphael Date: Sat, 20 Jun 2020 23:18:50 +0200 Subject: [PATCH 276/663] Silence Ansible warning ``` TASK [letsencrypt : Install cronjob for key generation] **************************************************************** [WARNING]: The value 30 (type int) in a string field was converted to '30' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change. [WARNING]: The value 4 (type int) in a string field was converted to '4' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change. ``` --- roles/letsencrypt/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 27c4b86ac7..939eeee771 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml @@ -10,6 +10,6 @@ user: root job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py && /usr/sbin/service nginx reload day: "{{ letsencrypt_cronjob_daysofmonth }}" - hour: 4 - minute: 30 + hour: "4" + minute: "30" state: present From a9b65f05cbb3adf2d004dcf0cb95b3cff2af7fb8 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 23 Jun 2020 00:51:36 +0200 Subject: [PATCH 277/663] Typo --- lib/trellis/plugins/vars/version.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index c4356aeb7d..e27ef8d784 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -26,12 +26,12 @@ raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 'Please upgrade to Ansible {} or higher.').format(__version__, version_requirement)) elif gt(LooseVersion(__version__), LooseVersion(version_tested_max)): - display.warning(u'You Ansible version is {} but this version of Trellis has only been tested for ' + display.warning(u'Your Ansible version is {} but this version of Trellis has only been tested for ' u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) if eq(LooseVersion(__version__), LooseVersion('2.5.0')): - display.warning(u'You Ansible version is {}. Consider upgrading your Ansible version to avoid ' + display.warning(u'Your Ansible version is {}. Consider upgrading your Ansible version to avoid ' u'erroneous warnings such as `Removed restricted key from module data...`'.format(__version__)) # Import BaseVarsPlugin after Ansible version check. From fb7f592e8a6ea9ed81c3b525665ce2166690faf2 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 23 Jun 2020 00:51:45 +0200 Subject: [PATCH 278/663] Bump Ansible max tested version --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index e27ef8d784..3511c78774 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.8.0' -version_tested_max = '2.9.9' +version_tested_max = '2.9.10' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): 
From 71360373a3ac910a9409f25b0de3353dbb4f9fe0 Mon Sep 17 00:00:00 2001 From: nextgenthemes Date: Tue, 23 Jun 2020 13:03:52 +0200 Subject: [PATCH 279/663] | bool thing #1199 Regarding #1199 but there may be other places where a `list` type got a `| bool` added that needs fixing. I guess this is the way to do it. Not an Ansible expert though. Could also add another check if the item is actually not empty and a string or something but ... --- roles/users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 6ac64ff1ae..a628ee17f9 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -47,7 +47,7 @@ owner: root group: root validate: "/usr/sbin/visudo -cf %s" - when: web_sudoers | bool + when: web_sudoers[0] is defined - name: Add SSH keys authorized_key: From b69bfb21cebb32a4cf994c8de5bed3f0512240e7 Mon Sep 17 00:00:00 2001 From: schuhwerk Date: Thu, 25 Jun 2020 13:52:15 +0200 Subject: [PATCH 280/663] Move creation and copying of .env-file to file --- roles/wordpress-install/tasks/dotenv.yml | 16 ++++++++++++++++ roles/wordpress-install/tasks/main.yml | 17 ++--------------- 2 files changed, 18 insertions(+), 15 deletions(-) create mode 100644 roles/wordpress-install/tasks/dotenv.yml diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml new file mode 100644 index 0000000000..7b6945a762 --- /dev/null +++ b/roles/wordpress-install/tasks/dotenv.yml @@ -0,0 +1,16 @@ +--- +- name: Create .env file + template: + src: "env.j2" + dest: "/tmp/{{ item.key }}.env" + owner: "{{ web_user }}" + group: "{{ web_group }}" + with_dict: "{{ wordpress_sites }}" + +- name: Copy .env file into web root + synchronize: + src: "/tmp/{{ item.key }}.env" + dest: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env" + checksum: true + with_dict: "{{ wordpress_sites }}" + delegate_to: "{{ inventory_hostname }}" 
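Review bot: `when: web_sudoers[0] is defined` tests for a non-empty list indirectly; `when: web_sudoers | default([]) | length > 0` states the intent and behaves the same for an empty list. Whether `web_sudoers[0]` on an entirely undefined `web_sudoers` evaluates to undefined or raises depends on the Ansible version's undefined handling, so the explicit `default([])` also removes that uncertainty. The task header is above the hunk.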
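Review bot: The `Create .env file` task writes the rendered `env.j2` to `/tmp/{{ item.key }}.env` without a `mode`, so the file takes the remote umask's permissions (typically world-readable) in a world-writable, predictable location; a `.env` file conventionally holds database credentials and salts (the template itself is not on the page), so set `mode: "0600"` on the template task, which `synchronize` in its default archive mode should carry over to the web root. Whether 0600 owned by `web_user` is readable by the PHP process depends on which user php-fpm runs as; if it differs, `mode: "0640"` together with the existing `group: "{{ web_group }}"` is the alternative. Staging the file in a site-owned directory rather than `/tmp` would also avoid the shared-directory exposure.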
diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index d5491a2808..25bb07f0ce 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -2,21 +2,8 @@ - import_tasks: directories.yml tags: wordpress-install-directories -- name: Create .env file - template: - src: "env.j2" - dest: "/tmp/{{ item.key }}.env" - owner: "{{ web_user }}" - group: "{{ web_group }}" - with_dict: "{{ wordpress_sites }}" - -- name: Copy .env file into web root - synchronize: - src: "/tmp/{{ item.key }}.env" - dest: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env" - checksum: true - with_dict: "{{ wordpress_sites }}" - delegate_to: "{{ inventory_hostname }}" +- import_tasks: dotenv.yml + tags: dotenv - name: Add known_hosts known_hosts: From d0fdd8133425b2f6e589ab96e17c1d04472ea65f Mon Sep 17 00:00:00 2001 From: Raphael Date: Fri, 10 Jul 2020 18:46:37 +0200 Subject: [PATCH 281/663] Ansible `file` module expects a string for `mode` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://docs.ansible.com/ansible/latest/modules/file_module.html#parameter-mode Comments say that octal numbers are tolerated, but parameter asks for string only, and so do linters… --- roles/fail2ban/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index e109366255..278f0811ab 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -30,7 +30,7 @@ file: path: /etc/fail2ban/filter.d/ state: directory - mode: 0755 + mode: '0755' - name: template fail2ban filters template: From 4172a4cf42b2a1eadba882c5d5cd89c7b8521ef6 Mon Sep 17 00:00:00 2001 
From: Dale Grant Date: Thu, 9 Jul 2020 13:10:08 +1000 Subject: [PATCH 282/663] Check hooked deploy scripts exists before including tasks --- roles/deploy/tasks/build.yml | 16 ++++++++++++++-- roles/deploy/tasks/finalize.yml | 16 ++++++++++++++-- roles/deploy/tasks/initialize.yml | 16 ++++++++++++++-- roles/deploy/tasks/main.yml | 16 ++++++++++++++-- roles/deploy/tasks/prepare.yml | 16 ++++++++++++++-- roles/deploy/tasks/share.yml | 16 ++++++++++++++-- roles/deploy/tasks/update.yml | 16 ++++++++++++++-- 7 files changed, 98 insertions(+), 14 deletions(-) diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index 0151fc0d8c..32554ea622 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_build_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_build_before_paths with_items: "{{ deploy_build_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_build_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-build-before - name: Copy project templates @@ -23,8 +29,14 @@ with_items: "{{ project_folder_paths.results }}" when: item.stat.exists -- include_tasks: "{{ include_path }}" +- name: Check if deploy_build_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_build_after_paths with_items: "{{ deploy_build_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_build_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-build-after diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index 7ec6e32944..885ba7ac6e 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml 
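Review bot: A configured hook whose path does not exist is now skipped without any message, so a typo in `deploy_build_before` (or any other hook list) turns a deploy step into a silent no-op; the same pattern is repeated in finalize.yml, initialize.yml, main.yml, prepare.yml, share.yml and update.yml. Add a visible warning next to each stat, e.g. `- debug: msg="Deploy hook {{ item.item }} not found, skipping"` with `with_items: "{{ deploy_build_before_paths.results }}"` and `when: not item.stat.exists`, or fail outright if skipping was not meant to be permanent. Since the fourteen before/after pairs are identical apart from the variable name, a single shared task file taking the hook list as a variable would make that a one-place change.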
@@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_finalize_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_finalize_before_paths with_items: "{{ deploy_finalize_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_finalize_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-finalize-before - name: Finalize the deploy @@ -13,10 +19,16 @@ state: finalize keep_releases: "{{ project.deploy_keep_releases | default(deploy_keep_releases | default(omit)) }}" -- include_tasks: "{{ include_path }}" +- name: Check if deploy_finalize_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_finalize_after_paths with_items: "{{ deploy_finalize_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_finalize_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-finalize-after - debug: diff --git a/roles/deploy/tasks/initialize.yml b/roles/deploy/tasks/initialize.yml index a78fefab90..dfacf8c5ab 100644 --- a/roles/deploy/tasks/initialize.yml +++ b/roles/deploy/tasks/initialize.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_initialize_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_initialize_before_paths with_items: "{{ deploy_initialize_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_initialize_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-initialize-before - name: Initialize 
@@ -11,8 +17,14 @@ path: "{{ project_root }}" state: present -- include_tasks: "{{ include_path }}" +- name: Check if deploy_initialize_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_initialize_after_paths with_items: "{{ deploy_initialize_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_initialize_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-initialize-after diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml index 2e6b5c27f7..ee83e8c2f6 100644 --- a/roles/deploy/tasks/main.yml +++ b/roles/deploy/tasks/main.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_before_paths with_items: "{{ deploy_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-before - import_tasks: initialize.yml @@ -12,8 +18,14 @@ - import_tasks: share.yml - import_tasks: finalize.yml -- include_tasks: "{{ include_path }}" +- name: Check if deploy_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_after_paths with_items: "{{ deploy_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-after diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 3befa99dac..0a38225d2f 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml 
@@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_prepare_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_prepare_before_paths with_items: "{{ deploy_prepare_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_prepare_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-prepare-before - name: Check for project repo subtree @@ -44,8 +50,14 @@ path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" state: touch -- include_tasks: "{{ include_path }}" +- name: Check if deploy_prepare_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_prepare_after_paths with_items: "{{ deploy_prepare_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_prepare_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-prepare-after diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 294c05d4b9..ae936e870a 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_share_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_share_before_paths with_items: "{{ deploy_share_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_share_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-share-before - name: Ensure shared sources are present -- directories 
@@ -48,8 +54,14 @@ state: link with_items: "{{ project.project_shared_children | default(project_shared_children) }}" -- include_tasks: "{{ include_path }}" +- name: Check if deploy_share_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_share_after_paths with_items: "{{ deploy_share_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_share_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-share-after diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index fcbe6b4e52..8dcc882a4c 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_update_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_update_before_paths with_items: "{{ deploy_update_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_update_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-update-before - name: Add known_hosts @@ -40,8 +46,14 @@ register: git_clean changed_when: not not(git_clean.stdout) -- include_tasks: "{{ include_path }}" +- name: Check if deploy_update_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_update_after_paths with_items: "{{ deploy_update_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_update_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-update-after From 89ffcda7c350c6f96d3b6314e4d7cc361f21e841 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 18 Jul 2020 15:51:24 -0400 Subject: [PATCH 283/663] Bump circleci python orb version --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.circleci/config.yml b/.circleci/config.yml index ab6df8e3e3..9e5a99435b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,7 @@ version: 2.1 orbs: - python: circleci/python@0.3 + python: circleci/python@0.3.2 commands: install-pip-package: From a4103469b2b48f3a11d8bf4c4a8fba55285672b5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 18 Jul 2020 15:53:21 -0400 Subject: [PATCH 284/663] Bump Python version --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9e5a99435b..c932078d10 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -121,16 +121,16 @@ workflows: name: syntax-check-python-<>-ansible<> matrix: parameters: - python-version: ["3.7", "2.7"] + python-version: ["3.7.8", "2.7"] ansible-version: ["~=2.9.0", "~=2.8.0"] - syntax-check-with-requirements-txt: name: syntax-check-python-<>-requirements-txt matrix: parameters: - python-version: ["3.7", "2.7"] + python-version: ["3.7.8", "2.7"] lint: jobs: - lint: name: lint-python-3.7 - python-version: "3.7" + python-version: "3.7.8" From c3ab4ce15913c6d565db0779eda010536b9cfb7e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 16 Jul 2020 17:50:38 -0400 Subject: [PATCH 285/663] Support branch variable for deploys This allows the branch to be specified via a command line argument to `ansible-playbook` (and eventually trellis-cli). Often this makes sense for staging environments where feature branches are deployed instead of a fixed one. --- CHANGELOG.md | 1 + roles/deploy/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f7e662bc69..6baa20ac01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Support branch variable for deploys ([#1204](https://github.com/roots/trellis/pull/1204)) * Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834)) * Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) * Improve ip_whitelist in development ([#1183](https://github.com/roots/trellis/pull/1183)) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index b6b5e6c74d..35cc39d58c 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -2,7 +2,7 @@ # - you must set a repository (no default) project_git_repo: "{{ project.repo }}" # - you can set the git ref to deploy (can be a branch, tag or commit hash) -project_version: "{{ project.branch | default('master') }}" +project_version: "{{ branch is defined | ternary(branch, project.branch) | default('master') }}" # The source_path is used to fetch the tags from git, or synchronise via rsync. This way # you do not have to download/sync the entire project on every deploy From 7224811bb73bd21cf370d2f0f24f7254b7f9ea85 Mon Sep 17 00:00:00 2001 
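Review bot: The comment above `project_version` still says only that `project.branch` can be set, while the new expression lets a play-level `branch` variable win; update it to `# - you can set the git ref to deploy (a branch, tag or commit hash); a top-level 'branch' variable, e.g. -e branch=feature-x, overrides project.branch`. Because `branch` is a very generic name, any variable of that name defined in inventory, group_vars or by another role silently redirects every site's deploy to a different ref, so the comment should state that precedence explicitly, or the variable could be given a less collision-prone name while it is still new.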
From: Scott Walkinshaw Date: Sat, 18 Jul 2020 23:38:30 -0400 Subject: [PATCH 286/663] Add support for Lets Encrypt contact emails Let's Encrypt sends certificate expiry notice emails if a contact email is provided during account creation. Unfortunately Trellis never did this up until now; if there was a problem with the cron renewal script, there was no easy way to get notified. This adds a new required `letsencrypt_contact_emails` variable which is passed to the acme-tiny script which it passes along to Let's Encrypt. Let's Encrypt sends emails 20 days, 10 days, and finally 1 day before expiry. Since Trellis tries to renew certificates 30 days before renewal (by default), these expiry notice emails should never be sent unless something has gone wrong. --- CHANGELOG.md | 1 + roles/letsencrypt/tasks/setup.yml | 22 ++++++++++++++++++++++ roles/letsencrypt/templates/renew-certs.py | 1 + 3 files changed, 24 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6baa20ac01..5a993193a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add support for Lets Encrypt contact emails ([#1206](https://github.com/roots/trellis/pull/1206)) * Support branch variable for deploys ([#1204](https://github.com/roots/trellis/pull/1204)) * Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834)) * Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 6d3cd762aa..dd6c9f721d 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml 
@@ -1,4 +1,26 @@ --- +- name: Fail if letsencrypt_contact_emails is not defined + fail: + msg: > + Error: the required `letsencrypt_contact_emails` variable is not defined. + + + Please define it in `groups_vars/all/main.yml` with at least one email: + + letsencrypt_contact_emails: + - changeme@example.com + + The contact email is used by Let's Encrypt to send expiry notices when a certificate is coming up for renewal. + + + See https://letsencrypt.org/docs/expiration-emails/ for more information. + + + Since Trellis attempts to renew certificates after {{ letsencrypt_min_renewal_age }} days ({{ 90 - letsencrypt_min_renewal_age }} days before renewal), + getting an expiry notice email means something has gone wrong giving you enough notice to fix the problem. + + when: letsencrypt_contact_emails is not defined + - name: Create directories and set permissions file: mode: "{{ item.mode | default(omit) }}" diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 991c1fce61..1dc215f298 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -34,6 +34,7 @@ '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' '--csr {} ' + '--contact {{ letsencrypt_contact_emails | map('regex_replace', '(^.*$)', 'mailto:\\1') | join (' ') }} ' '--acme-dir {{ acme_tiny_challenges_directory }}' ).format(csr_path) From 65927822b5bd85f6dfefd6838b8a22d983e42fd5 Mon Sep 17 00:00:00 2001 From: Breno Alves Date: Tue, 21 Jul 2020 14:34:18 -0300 Subject: [PATCH 287/663] Fixes nginx reload run even if some of the certificates renewals has failed. --- roles/letsencrypt/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 939eeee771..b65a534087 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml 
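Review bot: The guard only fires when `letsencrypt_contact_emails` is undefined, so an empty list still passes and renew-certs.py later emits `--contact` with no address, and a plain string passes too but is iterated character by character by the `map('regex_replace', ...)` in that script, producing `mailto:a mailto:b ...`. Tightening the condition to `when: letsencrypt_contact_emails is not defined or letsencrypt_contact_emails is string or letsencrypt_contact_emails | length == 0` catches all three shapes (the message would then say "must be a non-empty list"). Two wording nits in the failure message: the path should read `group_vars/all/main.yml`, not `groups_vars`, and "days before renewal" in the last sentence should be "days before expiry", which is what `90 - letsencrypt_min_renewal_age` computes.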
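Review bot: The contact addresses are interpolated straight into `cmd`, which this script runs through `check_output(..., shell=True)` as root from cron (see the renewal cron entry in the next commit), so an address containing a space or shell metacharacters is split into extra arguments or interpreted by the shell; the `regex_replace('(^.*$)', 'mailto:\\1')` only prefixes, it does not validate. The values come from the operator's own group_vars, so this is a footgun rather than an exploit path, but shell-quoting each argument is cheap: `'--contact {{ letsencrypt_contact_emails | map('regex_replace', '(^.*$)', 'mailto:\\1') | map('quote') | join(' ') }} '`. Alternatively validate the list in the `Fail if ...` task in setup.yml, where the rest of the input checking lives. The `cmd` string is assembled across lines outside this hunk.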
@@ -8,7 +8,7 @@ cron_file: letsencrypt-certificate-renewal name: letsencrypt certificate renewal user: root - job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py && /usr/sbin/service nginx reload + job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py ; /usr/sbin/service nginx reload day: "{{ letsencrypt_cronjob_daysofmonth }}" hour: "4" minute: "30" From a23126c0da8d3dc193da0b8f9924ac9ec8c7c613 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 22 Jul 2020 22:48:09 -0400 Subject: [PATCH 288/663] Update local_action to delegate_to --- roles/deploy/tasks/build.yml | 8 ++++++-- roles/deploy/tasks/finalize.yml | 8 ++++++-- roles/deploy/tasks/initialize.yml | 8 ++++++-- roles/deploy/tasks/main.yml | 8 ++++++-- roles/deploy/tasks/prepare.yml | 8 ++++++-- roles/deploy/tasks/share.yml | 8 ++++++-- roles/deploy/tasks/update.yml | 8 ++++++-- 7 files changed, 42 insertions(+), 14 deletions(-) diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index 32554ea622..d5a99316c5 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_build_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_build_before_paths with_items: "{{ deploy_build_before | default([]) }}" @@ -30,7 +32,9 @@ when: item.stat.exists - name: Check if deploy_build_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_build_after_paths with_items: "{{ deploy_build_after | default([]) }}" diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index 885ba7ac6e..824c44f3e5 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml 
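Review bot: Replacing `&&` with `;` means the cron job's exit status is now that of `service nginx reload`, so a failed renewal no longer surfaces as a failed job to anyone watching cron exit codes or wrapping the job with a monitor; the error text still reaches cron mail via stderr, but only where mail is configured. Preserving the script's status while still reloading keeps both the intended behaviour and the signal: `job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py; rc=$?; /usr/sbin/service nginx reload; exit $rc`. Whether renew-certs.py leaves the previous bundle untouched when a renewal fails is outside this hunk, so the unconditional reload is presumably safe but worth confirming.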
@@ -1,6 +1,8 @@ --- - name: Check if deploy_finalize_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_finalize_before_paths with_items: "{{ deploy_finalize_before | default([]) }}" @@ -20,7 +22,9 @@ keep_releases: "{{ project.deploy_keep_releases | default(deploy_keep_releases | default(omit)) }}" - name: Check if deploy_finalize_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_finalize_after_paths with_items: "{{ deploy_finalize_after | default([]) }}" diff --git a/roles/deploy/tasks/initialize.yml b/roles/deploy/tasks/initialize.yml index dfacf8c5ab..5b1d48cc16 100644 --- a/roles/deploy/tasks/initialize.yml +++ b/roles/deploy/tasks/initialize.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_initialize_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_initialize_before_paths with_items: "{{ deploy_initialize_before | default([]) }}" @@ -18,7 +20,9 @@ state: present - name: Check if deploy_initialize_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_initialize_after_paths with_items: "{{ deploy_initialize_after | default([]) }}" diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml index ee83e8c2f6..5478676a7b 100644 --- a/roles/deploy/tasks/main.yml +++ b/roles/deploy/tasks/main.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_before_paths with_items: "{{ deploy_before | default([]) }}" 
@@ -19,7 +21,9 @@ - import_tasks: finalize.yml - name: Check if deploy_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_after_paths with_items: "{{ deploy_after | default([]) }}" diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 0a38225d2f..ecd635aaf3 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_prepare_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_prepare_before_paths with_items: "{{ deploy_prepare_before | default([]) }}" @@ -51,7 +53,9 @@ state: touch - name: Check if deploy_prepare_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_prepare_after_paths with_items: "{{ deploy_prepare_after | default([]) }}" diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index ae936e870a..279fdcf2d5 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_share_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_share_before_paths with_items: "{{ deploy_share_before | default([]) }}" @@ -55,7 +57,9 @@ with_items: "{{ project.project_shared_children | default(project_shared_children) }}" - name: Check if deploy_share_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_share_after_paths with_items: "{{ deploy_share_after | default([]) }}" diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 8dcc882a4c..d85ff6a963 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml 
@@ -1,6 +1,8 @@ --- - name: Check if deploy_update_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_update_before_paths with_items: "{{ deploy_update_before | default([]) }}" @@ -47,7 +49,9 @@ changed_when: not not(git_clean.stdout) - name: Check if deploy_update_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_update_after_paths with_items: "{{ deploy_update_after | default([]) }}" From 2376349d7b239d5af5225f49e64625275b4e5037 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 5 Aug 2020 22:12:55 -0400 Subject: [PATCH 289/663] v1.5.0 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a993193a0..e1436f3d62 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ -### HEAD +### 1.5.0: August 5th, 2020 +* Improve Nginx reloading for failed Let's Encrypt certificates ([#1207](https://github.com/roots/trellis/pull/1207)) * Add support for Lets Encrypt contact emails ([#1206](https://github.com/roots/trellis/pull/1206)) * Support branch variable for deploys ([#1204](https://github.com/roots/trellis/pull/1204)) * Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834)) From c6f648f30b91bf5444a17ef27de5699617eff0a2 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 22 Jul 2020 22:33:08 -0400 Subject: [PATCH 290/663] Use official Nginx packages --- CHANGELOG.md | 3 +++ roles/nginx/defaults/main.yml | 4 +++- roles/nginx/tasks/main.yml | 13 +++++++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1436f3d62..59dcd4be7e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,6 @@ +### HEAD +* Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208)) + ### 1.5.0: August 5th, 2020 * Improve Nginx reloading for failed Let's Encrypt certificates ([#1207](https://github.com/roots/trellis/pull/1207)) * Add support for Lets Encrypt contact emails ([#1206](https://github.com/roots/trellis/pull/1206)) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index c82941bcc7..69433b33fb 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,5 +1,7 @@ --- -nginx_ppa: "ppa:nginx/mainline" +nginx_keyserver: "https://nginx.org/keys/nginx_signing.key" +nginx_keyserver_id: "ABF5BD827BD9BF62" +nginx_ppa: "deb http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index e2e53d230a..f97d720b2d 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: Add Nginx APT key + apt_key: + keyserver: "{{ nginx_keyserver }}" + id: "{{ nginx_keyserver_id }}" + - name: Add Nginx PPA apt_repository: repo: "{{ nginx_ppa }}" @@ -10,6 +15,14 @@ state: "{{ nginx_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" +- name: Ensure site directories exist + file: + path: "{{ nginx_path }}/{{ item }}" + state: directory + with_items: + - sites-available + - sites-enabled + - name: Create SSL directory file: mode: 0700 From 08cecc883bf988ff72e99efa3e414a93a3fc483d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 5 Aug 2020 22:22:37 -0400 Subject: [PATCH 291/663] Improve python interpreter check Makes the python interepreter check more future compatible to prepare for Ubuntu 20.04 --- roles/python_interpreter/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
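Review bot: `nginx_keyserver` holds a URL to a key file rather than a keyserver, and `nginx_keyserver_id` is a 16-hex short ID, so the variable names suggest an HKP lookup, which is what `apt_key`'s `keyserver` option actually performs. If the intent is to fetch the published key file, naming these `nginx_apt_key_url` / `nginx_apt_key_id` and holding the full 40-hex fingerprint (as printed by `gpg --fingerprint` for the nginx signing key) makes the verification unambiguous; short key IDs are known to be collidable. The repo line uses `http://`; apt still verifies package signatures, but if nginx.org serves the same path over `https://`, as it appears to, that also keeps the package list from a passive observer.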
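Review bot: `apt_key` with `keyserver:` performs an HKP receive against the given host, but `nginx_keyserver` (set in the defaults hunk above) is `https://nginx.org/keys/nginx_signing.key`, a path to a key file; whether gpg accepts that as a keyserver URL varies by version, and when it does it looks up `id` via the HKP protocol rather than downloading the file. For a key-file URL the matching parameter is `url: "{{ nginx_keyserver }}"` in place of `keyserver:`, with `id:` still pinning which key is expected. The following task is still named "Add Nginx PPA", which is now inaccurate since this is the nginx.org repository rather than a Launchpad PPA.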
diff --git a/roles/python_interpreter/tasks/main.yml b/roles/python_interpreter/tasks/main.yml index 8935abe901..3fa493d310 100644 --- a/roles/python_interpreter/tasks/main.yml +++ b/roles/python_interpreter/tasks/main.yml @@ -1,11 +1,11 @@ - block: - - name: Get Ubuntu release - raw: lsb_release -cs - register: ubuntu_release + - name: Get Ubuntu version + raw: lsb_release -rs + register: ubuntu_version changed_when: false - - name: Set ansible_python_interpreter for Ubuntu 18.04 Bionic + - name: Set ansible_python_interpreter for Ubuntu >= 18.04 set_fact: ansible_python_interpreter: python3 - when: ubuntu_release.stdout | trim == 'bionic' + when: ubuntu_version.stdout | trim is version('18.04', '>=') when: ansible_python_interpreter is not defined tags: always From f2d98db9d993a0aeb493ad9447dd022905e89c2a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 6 Aug 2020 22:17:23 -0400 Subject: [PATCH 292/663] Update MariaDB to 10.5 This bumps the MariaDB PPA from 10.2 to 10.5. Note that this will *not* actually upgrade the version of MariaDB already installed on a server. Upgrading is a manual process that involves: 1. stopping the service 2. removing the installed package 3. re-installing the package The full process is detailed at https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/ Though it's not required, backing up your database before the upgrade is recommended. --- CHANGELOG.md | 1 + roles/mariadb/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 59dcd4be7e..fb2426b0d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212)) * Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208)) ### 1.5.0: August 5th, 2020 diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 89f7b57ea0..491dd9a6f4 100644 
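Review bot: `lsb_release -rs` depends on the `lsb-release` package, which minimal Ubuntu images may not ship; if it is absent the `raw` task fails outright, and any variant that tolerates the failure leaves `ubuntu_version.stdout` empty so `'' is version('18.04', '>=')` errors during the `when`. Reading `/etc/os-release`, which base-files provides on every Ubuntu release, removes the dependency: `raw: . /etc/os-release && echo "$VERSION_ID"`. A `failed_when: ubuntu_version.stdout | trim | length == 0` would also turn an unexpected platform into a readable error instead of a version-compare traceback.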
--- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb [arch=amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb [arch=amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server From c5f1117296baef6b28baaf08e8b7d6ce883087a6 Mon Sep 17 00:00:00 2001 From: Lachlan Arthur Date: Sun, 30 Aug 2020 00:28:03 +1000 Subject: [PATCH 293/663] Remove default SMB credentials --- Vagrantfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index d59cdb3b5a..4e09cd5175 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -70,8 +70,8 @@ Vagrant.configure('2') do |config| extra_options = if vagrant_mount_type == 'smb' { - smb_username: vconfig.fetch('vagrant_smb_username', 'vagrant'), - smb_password: vconfig.fetch('vagrant_smb_password', 'vagrant'), + smb_username: vconfig.fetch('vagrant_smb_username', nil), + smb_password: vconfig.fetch('vagrant_smb_password', nil), } else {} From 10c7417b6b93ad908d4ea922af82a7e460a268fb Mon Sep 17 00:00:00 2001 From: Clinton Blackburn Date: Sun, 30 Aug 2020 13:33:25 -0700 Subject: [PATCH 294/663] Corrected use of ANSIBLE_CONFIG environment variable ANSIBLE_CONFIG is now treated as a path to a file rather than a directory. Fixes #1216 --- lib/trellis/plugins/callback/output.py | 3 ++- lib/trellis/utils/output.py | 3 ++- lib/trellis/vagrant.rb | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index 7344b803aa..cf8fe73d11 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py 
@@ -18,7 +18,8 @@ try: from trellis.utils import output as output except ImportError: - ansible_path = os.getenv('ANSIBLE_CONFIG', os.getcwd()) + ansible_config_path = os.getenv('ANSIBLE_CONFIG') + ansible_path = os.path.dirname(ansible_config_path) if ansible_config_path else os.getcwd() if sys.path.append(os.path.join(ansible_path, 'lib')) in sys.path: raise sys.path.append(sys.path.append(os.path.join(ansible_path, 'lib'))) from trellis.utils import output as output diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 89b073b9c7..8beef101bc 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -14,7 +14,8 @@ def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry changelog_msg = '' - ansible_path = os.getenv('ANSIBLE_CONFIG', os.getcwd()) + ansible_config_path = os.getenv('ANSIBLE_CONFIG') + ansible_path = os.path.dirname(ansible_config_path) if ansible_config_path else os.getcwd() changelog = os.path.join(ansible_path, 'CHANGELOG.md') if os.path.isfile(changelog): diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index fa60ad0112..d34f216009 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -1,5 +1,5 @@ # Set Ansible paths relative to Ansible directory -ENV['ANSIBLE_CONFIG'] = ANSIBLE_PATH +ENV['ANSIBLE_CONFIG'] = File.join(ANSIBLE_PATH, 'ansible.cfg') ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/callback')}" ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" ENV['ANSIBLE_LIBRARY'] = "~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" From e3d912ff27da22757691ea2fc49cb38dbb64ac5e Mon Sep 17 00:00:00 2001 
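Review bot: `os.path.dirname(ansible_config_path)` assumes `ANSIBLE_CONFIG` names a file, but Ansible also accepts a directory there (it then looks for `ansible.cfg` inside it), and a bare relative value such as `ansible.cfg` yields `''`, so the `lib` path silently becomes the current directory. Handling both shapes keeps the lookup correct: `ansible_path = ansible_config_path if os.path.isdir(ansible_config_path) else os.path.dirname(os.path.abspath(ansible_config_path))` when the variable is set, else `os.getcwd()`. The same two lines are duplicated in `lib/trellis/utils/output.py` below and need the same change; the enclosing `try`/`except ImportError` block starts before this hunk.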
From: Scott Walkinshaw Date: Thu, 10 Sep 2020 19:40:15 -0400 Subject: [PATCH 295/663] Update CHANGELOG #1217 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb2426b0d9..4a5d4edafb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217)) * Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212)) * Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208)) From 2e18ca4e20eb991cf4c6a1894c4d56406ec9614f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 10 Sep 2020 19:42:11 -0400 Subject: [PATCH 296/663] Update CHANGELOG #1215 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a5d4edafb..917be77351 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215)) * Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217)) * Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212)) * Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208)) From 550454d5ca18328c7b624a7e409a19115cdbccf5 Mon Sep 17 00:00:00 2001 
From: TangRufus Date: Wed, 23 Sep 2020 11:15:18 +0100 Subject: [PATCH 297/663] CircleCI: Invalidate pip caches ``` Upgrading directly from ansible-2.9 or less to ansible-2.10 or greater with pip is known to cause problems. Please uninstall the old version found at: /home/circleci/.local/lib/python2.7/site-packages/ansible/__init__.pyc and install the new version: pip uninstall ansible pip install ansible If you have a broken installation, perhaps because ansible-base was installed before ansible was upgraded, try this to resolve it: pip install --force-reinstall ansible ansible-base If ansible is installed in a different location than you will be installing it now (for example, if the old version is installed by a system package manager to /usr/lib/python3.8/site-packages/ansible but you are installing the new version into ~/.local/lib/python3.8/site-packages/ansible with `pip install --user ansible`) or you want to install anyways and cleanup any breakage afterwards, then you may set the ANSIBLE_SKIP_CONFLICT_CHECK environment variable to ignore this check: ANSIBLE_SKIP_CONFLICT_CHECK=1 pip install --user ansible ``` --- .circleci/config.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c932078d10..c1efe12621 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -14,13 +14,13 @@ commands: - restore_cache: name: Restore pip Cache keys: - - pip-v2-<>-<>- + - pip-v3-<>-<>- - run: name: Install pip Package command: pip install --user --upgrade <> - save_cache: name: Save pip Cache - key: pip-v2-<>-<>-{{ epoch }} + key: pip-v3-<>-<>-{{ epoch }} paths: - /home/circleci/.local/bin/ - /home/circleci/.local/lib/ 
@@ -83,13 +83,13 @@ jobs: - restore_cache: name: Restore pip Cache keys: - - pip-v2-<>-{{ checksum "requirements.txt" }}- + - pip-v3-<>-{{ checksum "requirements.txt" }}- - run: name: Install packages from requirements.txt (or any other file) via Pip. command: pip install --user --upgrade --requirement requirements.txt - save_cache: name: Save pip Cache - key: pip-v2-<>-{{ checksum "requirements.txt" }}-{{ epoch }} + key: pip-v3-<>-{{ checksum "requirements.txt" }}-{{ epoch }} paths: - /home/circleci/.local/bin/ - /home/circleci/.local/lib/ From d66124febd2cf91fedd45c80ca328d6d1a4a919b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 Sep 2020 12:44:38 -0400 Subject: [PATCH 298/663] Allow WP cron minute/interval to be configurable Adds `cron_interval` and `cron_interval_multisite` settings on a wordpress site. --- CHANGELOG.md | 1 + roles/wordpress-setup/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 917be77351..5cc1f246e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Allow WP cron intervals to be configurable ([#1222](https://github.com/roots/trellis/pull/1222)) * Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215)) * Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217)) * Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212)) diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 561811eba7..e1e48bbe02 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml 
@@ -45,7 +45,7 @@ - name: Setup WP system cron cron: name: "{{ item.key }} WordPress cron" - minute: "*/15" + minute: "{{ item.value.cron_interval | default('*/15') }}" user: "{{ web_user }}" job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" @@ -55,7 +55,7 @@ - name: Setup WP Multisite system cron cron: name: "{{ item.key }} WordPress network cron" - minute: "*/30" + minute: "{{ item.value.cron_interval_multisite | default('*/30') }}" user: "{{ web_user }}" job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" From efe33fb7c7b7a227873ae35751b790d2cc357eb0 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 3 Oct 2020 10:13:19 -0600 Subject: [PATCH 299/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 15469de21f..6e4e6cd7d3 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot +Kinsta KM Digital Carrot C21 Redwood Realty ## Community From d93e82e69be12b84f160cdc99ec580cb5388b7bc Mon Sep 17 00:00:00 2001 From: "Michael W. Delaney" Date: Mon, 5 Oct 2020 14:53:42 -0400 Subject: [PATCH 300/663] Update requirements.txt --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index cecd05381d..2bfebcdfc6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.8.0,<3.0 +ansible>=2.8.0,<2.10.0 passlib 
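Review bot: `cron_interval` is written verbatim into the crontab minute field, so the name misleads: a site setting `cron_interval: 10` gets `minute: "10"`, i.e. once an hour at :10, not every ten minutes, while the `*/15` default shows the value is really a cron minute expression. Either name the setting for what it is (`cron_minute`) or keep the name and derive the field, e.g. `minute: "*/{{ item.value.cron_interval | default(15) }}"`, ideally with a short `assert` that the value is numeric, since the cron module writes `cron_file` directly and, as far as I can tell, cron skips a malformed line without reporting it to Ansible. The same applies to `cron_interval_multisite` in the second hunk.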
From 2ec13c3187d38f92a31b6d5287ba0c59d6147136 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 21:35:51 +0100 Subject: [PATCH 301/663] Ansible Lint: Skip `[106] Role name {} does not match ^[a-z][a-z0-9_]+$ pattern` --- .ansible-lint | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.ansible-lint b/.ansible-lint index 93b07a23e5..a83461d38c 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,3 +1,4 @@ --- skip_list: - - 204 # Lines should be no longer than 160 chars + - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern + - '204' # Lines should be no longer than 160 chars From 19eb68527324735753aa20e1e2951e916fe626b5 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 21:25:49 +0100 Subject: [PATCH 302/663] Separate 'Enable or disable Nginx sites' task into two Fix #1225 --- roles/wordpress-setup/tasks/nginx.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index ffb9fcb11f..0f1333fa12 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -28,12 +28,22 @@ notify: reload nginx tags: nginx-sites -- name: Enable or disable Nginx sites +- name: Enable Nginx sites file: path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" src: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" - state: "{{ item.enabled | default(true) | ternary('link', 'absent') }}" + state: link force: yes + when: item.enabled | default(true) + with_items: "{{ nginx_sites_confs }}" + notify: reload nginx + tags: nginx-sites + +- name: Disable Nginx sites + file: + path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" + state: absent + when: not(item.enabled | default(true)) with_items: "{{ nginx_sites_confs }}" notify: reload nginx tags: nginx-sites 
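Review bot: Both new `when:` clauses rely on Jinja truthiness of `item.enabled`, so a site that sets `enabled: "false"` (a quoted string, easy to produce from vars or vault) is treated as enabled; ansible-lint flags this pattern as well. Coercing with `| bool` makes the two tasks exact complements: `when: item.enabled | default(true) | bool` and `when: not (item.enabled | default(true) | bool)`. Otherwise the split is cleaner than the `ternary('link', 'absent')` it replaces, since `src` no longer has to be supplied for an `absent` file.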
From 1ad7fa1a3e45c4cdc66ddbd870a57463502aec34 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 21:30:35 +0100 Subject: [PATCH 303/663] Revert "Merge pull request #1226 from roots/exclude-ansible-2.10" This reverts commit 143282643a36a241d84542ee32a3b535bcbf04a0, reversing changes made to efe33fb7c7b7a227873ae35751b790d2cc357eb0. --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 2bfebcdfc6..cecd05381d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.8.0,<2.10.0 +ansible>=2.8.0,<3.0 passlib From e54e3010eb5e91ed082b4b084dbd92d8b3b0a936 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 22:25:21 +0100 Subject: [PATCH 304/663] Fix: `[WARNING]: Module did not set no_log for unsafe_login_password` --- roles/wordpress-setup/tasks/database.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index 8b1f885a98..ad10a40026 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -7,6 +7,7 @@ login_host: "{{ site_env.db_host }}" login_user: "{{ mysql_root_user }}" login_password: "{{ mysql_root_password }}" + no_log: true with_dict: "{{ wordpress_sites }}" - name: Create/assign database user to db and grant permissions From aff51a5157cc05b298929b382344b68380254184 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 21:45:42 +0100 Subject: [PATCH 305/663] Ansible Lint: Fix `[208] File permissions unset or incorrect` --- .ansible-lint | 4 ++-- roles/deploy/tasks/prepare.yml | 2 ++ roles/deploy/tasks/share.yml | 1 + roles/wordpress-install/tasks/dotenv.yml | 1 + roles/wp-cli/tasks/main.yml | 1 + 5 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index a83461d38c..b7aefe84fd 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -1,4 +1,4 @@ --- skip_list: - - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - - '204' # Lines should be no longer than 160 chars + - 106 # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern + - 204 # Lines should be no longer than 160 chars diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index ecd635aaf3..2567d7986e 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -27,6 +27,7 @@ - name: Create new release dir file: path: "{{ deploy_helper.new_release_path }}" + mode: '0755' state: directory - name: Run git archive to populate new build dir @@ -50,6 +51,7 @@ - name: write unfinished file file: path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" + mode: '0744' state: touch - name: Check if deploy_prepare_after scripts exist diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 279fdcf2d5..12da9836c2 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -40,6 +40,7 @@ - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" + mode: '0777' state: directory with_items: "{{ project.project_shared_children | default(project_shared_children) }}" diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml index 7b6945a762..5397096992 100644 --- a/roles/wordpress-install/tasks/dotenv.yml +++ b/roles/wordpress-install/tasks/dotenv.yml @@ -3,6 +3,7 @@ template: src: "env.j2" dest: "/tmp/{{ item.key }}.env" + mode: '0644' owner: "{{ web_user }}" group: "{{ web_group }}" with_dict: "{{ wordpress_sites }}" diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index fe3d85c62d..21494865dc 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
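Review bot: `mode: '0744'` gives the `unfinished` marker file an execute bit it has no use for; it is an empty sentinel created with `state: touch`. `mode: '0644'` is the conventional value for a plain file and satisfies the lint rule equally well.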
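Review bot: `mode: '0777'` makes every parent directory of the shared children world-writable inside the new release, a regression from the previous umask-derived permissions (typically 0755), and it lets any local account drop files next to the symlinked shared paths; the lint rule only asks that a mode be set, not that it be permissive. `mode: '0755'` satisfies the rule while keeping the prior behaviour. If the web user genuinely needs write access there, grant it through `owner`/`group` on the directory rather than `o+w`.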
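Review bot: `mode: '0644'` on `/tmp/{{ item.key }}.env` makes a file rendered from `env.j2` — presumably the site's secrets such as DB credentials, the template body is not in view — readable by every local user while it sits in the shared `/tmp`. `mode: '0600'` together with the existing `owner: "{{ web_user }}"` is the right default here and matches the 0600 the deploy role's `.env` template gets in a later commit in this series. The staging path itself is predictable; a per-run `tempfile` directory would close the remaining pre-creation race, but that is outside this hunk.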
@@ -19,6 +19,7 @@ copy: src: "{{ wp_cli_pgp_public_key }}" dest: /tmp/wp-cli.pgp.gpg + mode: '0744' - name: Verify WP-CLI Phar Signature command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar From 7e2366b5294609e0c9767d40d4a96ce9dcfdf2b3 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 22:51:59 +0100 Subject: [PATCH 306/663] Fix (Remove the test database): `[WARNING]: Module did not set no_log for unsafe_login_password` --- roles/mariadb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 205e0eea04..f329616f62 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -69,5 +69,6 @@ mysql_db: name: test state: absent + no_log: true when: not sites_using_remote_db | count From 2ae67c439ba4991906e1c8564dbaabe7add49afc Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 11 Oct 2020 16:47:09 +0100 Subject: [PATCH 307/663] Deploy: Set `.env` file permission to `0600` --- roles/deploy/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 35cc39d58c..61a5ad7b62 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -20,6 +20,7 @@ project_templates: - name: .env config src: roles/deploy/templates/env.j2 dest: .env + mode: '0600' # The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`. # For example a sessions directory or an uploads folder. They are created if they don't exist, with the type From 490f04b6f0558549fa01ee0f9bc6ecb9569a13ae Mon Sep 17 00:00:00 2001 
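Review bot: `mode: '0744'` marks a public-key file executable for no reason; `'0644'` is the right mode for a keyring gpg only reads. The weakness the commit leaves in place is worth a comment: the keyring and the `.phar`/`.asc` it verifies all live at fixed names in the shared `/tmp`, so an unprivileged local user can pre-create or symlink those paths before the copy, and what happens then depends on how each module treats a pre-existing entry. A per-run directory from the `tempfile` module, removed after the `gpg2 --verify` task that follows, would take the guesswork out of it.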
From: TangRufus Date: Thu, 15 Oct 2020 17:52:21 +0100 Subject: [PATCH 308/663] Ansible Lint: Fail if `experimental` rules are failed See: https://github.com/ansible/ansible-lint/issues/1031#issuecomment-687241617 Fix #1231 --- .ansible-lint | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.ansible-lint b/.ansible-lint index b7aefe84fd..959984bdc8 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,4 +1,6 @@ --- +warn_list: [] + skip_list: - 106 # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - 204 # Lines should be no longer than 160 chars From 187e19e4fd10afd283b227715638f89c3aa2dad8 Mon Sep 17 00:00:00 2001 From: Mockey Date: Tue, 20 Oct 2020 14:37:39 +0200 Subject: [PATCH 309/663] Add [arch=amd64] to nginx_ppa --- roles/nginx/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 69433b33fb..4d837762cc 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,7 +1,7 @@ --- nginx_keyserver: "https://nginx.org/keys/nginx_signing.key" nginx_keyserver_id: "ABF5BD827BD9BF62" -nginx_ppa: "deb http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" +nginx_ppa: "deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx From e799e0fdfdb1a5e973c4363af3835a5cdace02d6 Mon Sep 17 00:00:00 2001 From: Mockey Date: Tue, 20 Oct 2020 15:10:19 +0200 Subject: [PATCH 310/663] Use versioned php module for memcached and xdebug --- roles/memcached/defaults/main.yml | 2 +- roles/xdebug/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml index 8bdd3e663a..3fc0f0d733 100644 --- a/roles/memcached/defaults/main.yml +++ b/roles/memcached/defaults/main.yml 
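Review bot: Hard-coding `[arch=amd64]` silently leaves arm64 hosts with no nginx packages from this repository, and the failure only shows up later as an unrelated apt error. If the goal is just to stop apt from fetching indexes for architectures the repo lacks, deriving the value from facts keeps both working: `deb [arch={{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}] http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx`. Whether nginx.org publishes arm64 builds for every targeted release should be confirmed before widening it.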
@@ -8,7 +8,7 @@ memcached_port_udp: 0 memcached_packages_default: memcached: "{{ apt_package_state }}" - php-memcached: "{{ apt_package_state }}" + php7.4-memcached: "{{ apt_package_state }}" memcached_packages_custom: {} memcached_packages: "{{ memcached_packages_default | combine(memcached_packages_custom) }}" diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index 3efa2ccfb2..65fde7dd7e 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,4 +1,4 @@ -php_xdebug_package: php-xdebug +php_xdebug_package: php7.4-xdebug # XDebug Remote Debugging xdebug_remote_enable: 0 From 31722f182801b0a265103fe0c913a6f9de466d4a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 24 Oct 2020 16:46:27 -0400 Subject: [PATCH 311/663] Set universal_newlines for renew-certs script Using `universal_newlines` is better for Python 2/3 compatibility since it will return a string and not bytes to ensure it's the same regardless of the version. --- roles/letsencrypt/templates/renew-certs.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 1dc215f298..72106e3611 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -39,7 +39,7 @@ ).format(csr_path) try: - new_bundled_cert = check_output(cmd, stderr=STDOUT, shell=True) + new_bundled_cert = check_output(cmd, stderr=STDOUT, shell=True, universal_newlines=True) except CalledProcessError as e: failed = True print('Error while generating certificate for {}\n{}'.format(site, e.output), file=sys.stderr) From 9e89a072665e271d31f0bd80c2801ed82e2a0cbc Mon Sep 17 00:00:00 2001 
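Review bot: `check_output(cmd, ..., shell=True)` runs a command string that is built with `.format(csr_path)` just above the hunk, so any shell metacharacter in the CSR path is interpreted by `/bin/sh`. That path presumably comes from the site configuration rather than from an untrusted source, so this is a hardening point rather than an exploit; still, `shlex.quote(csr_path)` at the format site (with `import shlex`) or an argv list with `shell=False` removes the dependency on well-behaved site names. The enclosing function starts outside this hunk.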
From: Scott Walkinshaw Date: Sun, 25 Oct 2020 19:23:16 -0400 Subject: [PATCH 312/663] Remove prestissimo from composer_global_packages `hirak/prestissimo` is a composer plugin that speeded up `composer install` by downloading packages in parallel. It's not incompatible with Composer 2.0 and not needed since 2.0 has parallel downloading built-in. --- CHANGELOG.md | 1 + group_vars/all/main.yml | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cc1f246e4..e2be3ddadb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Remove prestissimo for Composer 2.0 support ([#1247](https://github.com/roots/trellis/pull/1247)) * Allow WP cron intervals to be configurable ([#1222](https://github.com/roots/trellis/pull/1222)) * Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215)) * Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217)) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 333aae75df..e6c5b416f6 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1,6 +1,4 @@ composer_keep_updated: true -composer_global_packages: - - { name: hirak/prestissimo } apt_cache_valid_time: 3600 apt_package_state: present apt_security_package_state: latest From fc0aa1351ce3f0c86d7c6bf6a22b30ef760822e3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 5 Nov 2020 22:56:19 -0500 Subject: [PATCH 313/663] v1.6.0 --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2be3ddadb..6ff29294c6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,6 @@ ### HEAD + +### 1.6.0: November 5th, 2020 * Remove prestissimo for Composer 2.0 support ([#1247](https://github.com/roots/trellis/pull/1247)) * Allow WP cron intervals to be configurable ([#1222](https://github.com/roots/trellis/pull/1222)) * Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215)) From 6bfb56f7a16613fdd0319b7195edfe42713ea8cd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 22 Jun 2020 22:51:12 -0400 Subject: [PATCH 314/663] Ubuntu 20.04 support Officially support and recommend Ubuntu 20.04 Focal. The only tangible change is bumping the Vagrant box from 18.04 to 20.04. Trellis has been made compatible with 20.04 already. --- CHANGELOG.md | 1 + roles/common/tasks/main.yml | 8 +++++--- vagrant.default.yml | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ff29294c6..0bd367d526 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197)) ### 1.6.0: November 5th, 2020 * Remove prestissimo for Composer 2.0 support ([#1247](https://github.com/roots/trellis/pull/1247)) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 1559a76a89..971ca45ead 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -67,7 +67,9 @@ - name: Validate Ubuntu version debug: msg: | - Trellis is built for Ubuntu 18.04 Bionic as of https://github.com/roots/trellis/pull/992 + Ubuntu 18.04 Bionic is the minimum supported version of Ubuntu in Trellis 1.0+ (as of https://github.com/roots/trellis/pull/992) + + 20.04 Focal is the recommend version for Trellis 1.7+ (as of https://github.com/roots/trellis/pull/1197) Your Ubuntu version is {{ ansible_distribution_version }} {{ ansible_distribution_release }} 
@@ -77,8 +79,8 @@ Development via Vagrant: `vagrant destroy && vagrant up` - Staging/Production: Create a new server with Ubuntu 18.04 and provision - when: ansible_distribution_release != 'bionic' + Staging/Production: Create a new server with Ubuntu 20.04 and provision + when: ansible_distribution_version is version('18.04', '<') - name: Check whether passlib is needed fail: diff --git a/vagrant.default.yml b/vagrant.default.yml index a41258b078..96361bc6c4 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -2,7 +2,7 @@ vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB -vagrant_box: 'bento/ubuntu-18.04' +vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 201807.12.0' vagrant_ansible_version: '2.8.0' vagrant_skip_galaxy: false From b53ca37675440603eb01582eaa9fc0007801e5ef Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 10 Nov 2020 11:55:43 -0500 Subject: [PATCH 315/663] Validate that letsencrypt_contact_emails is a list We already validate that `letsencrypt_contact_emails` needs to be defined. This further validates that it's defined as a list and not a string. --- roles/letsencrypt/tasks/setup.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index dd6c9f721d..48c3221cf3 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -2,10 +2,10 @@ - name: Fail if letsencrypt_contact_emails is not defined fail: msg: > - Error: the required `letsencrypt_contact_emails` variable is not defined. + Error: the required `letsencrypt_contact_emails` variable is not defined or invalid. - Please define it in `groups_vars/all/main.yml` with at least one email: + Please define it in `groups_vars/all/main.yml` with at least one email (as a list/array, *not* a string): letsencrypt_contact_emails: - changeme@example.com 
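Review bot: The new condition `when: ansible_distribution_version is version('18.04', '<')` gates a `debug` task (the module is visible in the first hunk of this file), so an unsupported release only prints this message and provisioning continues; if the intent is a hard floor, the module should be `fail:` rather than `debug:`. Separately, the added text says `20.04 Focal is the recommend version`; it should read `recommended version`. The task starts above the second hunk.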
@@ -19,7 +19,7 @@ Since Trellis attempts to renew certificates after {{ letsencrypt_min_renewal_age }} days ({{ 90 - letsencrypt_min_renewal_age }} days before renewal), getting an expiry notice email means something has gone wrong giving you enough notice to fix the problem. - when: letsencrypt_contact_emails is not defined + when: (letsencrypt_contact_emails is not defined) or (letsencrypt_contact_emails is string) - name: Create directories and set permissions file: From b6d6ee744ab4469c72ef8878efe7f3987b7d58de Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 13 Nov 2020 12:09:45 -0500 Subject: [PATCH 316/663] Update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0bd367d526..a244a165b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ ### HEAD +* Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) + +### 1.7.0: November 9th, 2020 * Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197)) ### 1.6.0: November 5th, 2020 From f5c412198aa90ee99c51df4b4dd466587f7ef9b5 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 24 Nov 2020 01:40:17 +0100 Subject: [PATCH 317/663] Manually update Ansible Galaxy role `geerlingguy.composer` --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 10708826e3..cfab8eb28c 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,6 +1,6 @@ - name: composer src: geerlingguy.composer - version: 1.7.6 + version: 1.9.0 - name: ntp src: geerlingguy.ntp From 9ed0571c2d4dba43e291dd97f8927f9e85321c91 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 24 Nov 2020 01:41:27 +0100 Subject: [PATCH 318/663] Manually update Ansible Galaxy role `geerlingguy.ntp` --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index cfab8eb28c..809b05c851 100644 
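Review bot: An empty list still passes the new check — `letsencrypt_contact_emails: []` is defined and not a string, yet yields no registration contact; extend the condition: `when: (letsencrypt_contact_emails is not defined) or (letsencrypt_contact_emails is string) or (letsencrypt_contact_emails | length == 0)`. In the first hunk of this file the added message points users to `groups_vars/all/main.yml`; the directory is `group_vars`.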
--- a/galaxy.yml +++ b/galaxy.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 2.0.0 + version: 2.2.0 - name: logrotate src: nickhammond.logrotate From 8f10dec1cadb00cdb76544e37a1b5519abef2920 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 24 Nov 2020 01:42:49 +0100 Subject: [PATCH 319/663] Manually update Ansible Galaxy role `oefenweb.swapfile` --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 809b05c851..5004ac69b6 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -12,7 +12,7 @@ - name: swapfile src: oefenweb.swapfile - version: v2.0.26 + version: v2.0.32 - name: mailhog src: geerlingguy.mailhog From 68df1f5f9568a0083f74b97388395c7a1051eb3b Mon Sep 17 00:00:00 2001 From: arusa Date: Mon, 21 Dec 2020 09:53:48 +0100 Subject: [PATCH 320/663] Fix security issue with empty password If no password is defined for user "web", insert "!" to disable authentication without a password. --- roles/users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index a628ee17f9..f4eda4025c 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -33,7 +33,7 @@ name: "{{ item.name }}" group: "{{ item.groups[0] }}" groups: "{{ item.groups | join(',') }}" - password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", (user.salt | default(""))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ None }}{% endfor %}' + password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", (user.salt | default(""))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ "!" }}{% endfor %}' state: present shell: /bin/bash update_password: "{{ item.update_password | default('always') }}" 
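Review bot: The `{% else %}` branch now writes `!` into the password hash field for every user without a vault password, which locks password authentication while leaving SSH public-key login unaffected; because `update_password` defaults to `'always'` on the line below, a password set by hand on the host is re-locked on the next provision. That is reasonable for managed hosts but should be stated next to the expression: `# Users without vault_users.password get "!" (password login locked); key auth still works and the lock is reapplied on every run.`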
From 715f17bc5efa9ce7f3d1419a07b95c1453d2dd25 Mon Sep 17 00:00:00 2001 From: Mike iLL Kilmer Date: Mon, 21 Dec 2020 14:48:06 -0600 Subject: [PATCH 321/663] Update README.md Update to Ubuntu 20 Focal. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6e4e6cd7d3..4528a8f904 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. Trellis will configure a server with the following and more: -- Ubuntu 18.04 Bionic LTS +- Ubuntu 20.04 Focal LTS - Nginx (with optional FastCGI micro-caching) - PHP 7.4 - MariaDB (a drop-in MySQL replacement) From 5bcf3029236aef688f898836318c0d56b0c3fefc Mon Sep 17 00:00:00 2001 From: Andrew Kovalyov Date: Sun, 10 Jan 2021 23:05:43 +0200 Subject: [PATCH 322/663] Add config for PHP CLI --- roles/php/tasks/main.yml | 9 +++++++-- roles/php/templates/php-cli.ini.j2 | 20 +++++++++++++++++++ .../templates/{php.ini.j2 => php-fpm.ini.j2} | 0 3 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 roles/php/templates/php-cli.ini.j2 rename roles/php/templates/{php.ini.j2 => php-fpm.ini.j2} (100%) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 3914ab70ed..520613958e 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -45,8 +45,13 @@ when: php72_status.stat.exists notify: reload php-fpm -- name: PHP configuration file +- name: Copy PHP-FPM configuration file template: - src: php.ini.j2 + src: php-fpm.ini.j2 dest: /etc/php/7.4/fpm/php.ini notify: reload php-fpm + +- name: Copy PHP CLI configuration file + template: + src: php-fpm.ini.j2 + dest: /etc/php/7.4/cli/php.ini diff --git a/roles/php/templates/php-cli.ini.j2 b/roles/php/templates/php-cli.ini.j2 new file mode 100644 index 0000000000..a1e90f314b --- /dev/null +++ b/roles/php/templates/php-cli.ini.j2 
@@ -0,0 +1,20 @@ +; {{ ansible_managed }} + +[PHP] +error_reporting = {{ php_error_reporting }} +sendmail_path = {{ php_sendmail_path }} +track_errors = {{ php_track_errors }} +expose_php = Off +date.timezone = {{ php_timezone }} + +[mysqlnd] +mysqlnd.collect_memory_statistics = {{ php_mysqlnd_collect_memory_statistics }} + +[opcache] +opcache.enable = {{ php_opcache_enable }} +opcache.enable_cli = {{ php_opcache_enable_cli }} +opcache.memory_consumption = {{ php_opcache_memory_consumption }} +opcache.interned_strings_buffer = {{ php_opcache_interned_strings_buffer }} +opcache.max_accelerated_files = {{ php_opcache_max_accelerated_files }} +opcache.revalidate_freq = {{ php_opcache_revalidate_freq }} +opcache.fast_shutdown = {{ php_opcache_fast_shutdown }} diff --git a/roles/php/templates/php.ini.j2 b/roles/php/templates/php-fpm.ini.j2 similarity index 100% rename from roles/php/templates/php.ini.j2 rename to roles/php/templates/php-fpm.ini.j2 From 21913ffbe720d1b6dac5bf7d031b03045f0a56aa Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 10 Jan 2021 17:00:11 -0500 Subject: [PATCH 323/663] Add #1261 to CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a244a165b8..a720a3a05e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### HEAD * Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) +* Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261)) ### 1.7.0: November 9th, 2020 * Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197)) From 2f9479a7a6a7f1009b639850c2629583bd5829a9 Mon Sep 17 00:00:00 2001 From: Andrew Kovalyov Date: Mon, 11 Jan 2021 11:39:09 +0200 Subject: [PATCH 324/663] Use correct template file for PHP CLI env --- roles/php/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
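Review bot: The CLI template carries `error_reporting` but not `display_errors`, so PHP's CLI SAPI default (display on) applies while FPM gets the templated `php_display_errors` (the variable is visible in `group_vars/development/php.yml` further down this page); WP-CLI and cron runs in production would then print notices to stdout. Add `display_errors = {{ php_display_errors }}` under `[PHP]` so both SAPIs follow the same group_vars switch. `expose_php` only affects HTTP headers and is harmless here.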
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 520613958e..e706517d29 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -53,5 +53,5 @@ - name: Copy PHP CLI configuration file template: - src: php-fpm.ini.j2 + src: php-cli.ini.j2 dest: /etc/php/7.4/cli/php.ini From 31fb95030debc8f8a13cde5d61e578d848cf46d3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 14 Jan 2021 22:30:12 -0500 Subject: [PATCH 325/663] Remove PHP option track_errors `track_errors` was deprecated as of PHP 7.2 so we're removing it entirely. --- CHANGELOG.md | 1 + group_vars/development/php.yml | 1 - roles/php/defaults/main.yml | 1 - roles/php/templates/php-cli.ini.j2 | 1 - roles/php/templates/php-fpm.ini.j2 | 1 - 5 files changed, 1 insertion(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a720a3a05e..194f5c6ed0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264)) * Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) * Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261)) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 7b9af47888..4641858f1e 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -1,7 +1,6 @@ php_error_reporting: 'E_ALL' php_display_errors: 'On' php_display_startup_errors: 'On' -php_track_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 169df595ce..879d8ec3c0 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml 
@@ -32,7 +32,6 @@ php_session_save_path: /tmp php_session_cookie_httponly: 'On' php_session_cookie_secure: 'Off' php_upload_max_filesize: 25M -php_track_errors: 'Off' php_timezone: '{{ ntp_timezone }}' php_output_buffering: 'Off' diff --git a/roles/php/templates/php-cli.ini.j2 b/roles/php/templates/php-cli.ini.j2 index a1e90f314b..389f042f57 100644 --- a/roles/php/templates/php-cli.ini.j2 +++ b/roles/php/templates/php-cli.ini.j2 @@ -3,7 +3,6 @@ [PHP] error_reporting = {{ php_error_reporting }} sendmail_path = {{ php_sendmail_path }} -track_errors = {{ php_track_errors }} expose_php = Off date.timezone = {{ php_timezone }} diff --git a/roles/php/templates/php-fpm.ini.j2 b/roles/php/templates/php-fpm.ini.j2 index 84fe207c2e..8ff098f656 100644 --- a/roles/php/templates/php-fpm.ini.j2 +++ b/roles/php/templates/php-fpm.ini.j2 @@ -13,7 +13,6 @@ sendmail_path = {{ php_sendmail_path }} session.save_path = {{ php_session_save_path }} session.cookie_httponly = {{ php_session_cookie_httponly }} session.cookie_secure = {{ php_session_cookie_secure }} -track_errors = {{ php_track_errors }} upload_max_filesize = {{ php_upload_max_filesize }} expose_php = Off date.timezone = {{ php_timezone }} From 531cf8b81463d2f2d105aa2d814c783b19e42278 Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 21 Jan 2021 00:14:40 +0000 Subject: [PATCH 326/663] Extend failed connection to remote repo msg Due to no_log for git clone on deploy you are unable to see the exact output error message, adding the branch being used to the fail message may help when incorrect branch name is used. --- roles/deploy/tasks/update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index d85ff6a963..ad3780a7d1 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml 
@@ -35,7 +35,7 @@ - name: Failed connection to remote repo fail: msg: | - Git repo {{ project.repo }} cannot be accessed. Please verify the repository exists and you have SSH forwarding set up correctly. + Git repo {{ project.repo }} on branch {{ project_version }} cannot be accessed. Please verify the repository/branch are correct and you have SSH forwarding set up correctly. More info: > https://roots.io/trellis/docs/deploys/#ssh-keys > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding From e80438bc22d7981176ea4aacf5d73844b7586538 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 20 Jan 2021 23:12:45 -0500 Subject: [PATCH 327/663] CHANGELOG for #1265 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 194f5c6ed0..b67c312a51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Improved repo connection failure message on deploys ([#1265](https://github.com/roots/trellis/pull/1265)) * Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264)) * Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) * Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261)) From 457e890365d455d1be842b315e3c65e6940f225c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 20 Jan 2021 23:14:40 -0500 Subject: [PATCH 328/663] v1.7.1 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b67c312a51..d56f627325 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
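Review bot: `project_version` can name a tag or a commit as well as a branch, so `on branch {{ project_version }}` will mislead when a pinned SHA is what is wrong; `Git repo {{ project.repo }} at ref {{ project_version }} cannot be accessed` stays accurate in every case. Including the ref in the message is a clear gain given the `no_log` on the clone step that the commit message mentions.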
@@ -1,8 +1,9 @@ -### HEAD +### 1.7.1: January 20th, 2021 * Improved repo connection failure message on deploys ([#1265](https://github.com/roots/trellis/pull/1265)) * Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264)) * Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) * Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261)) +* Fix security issue with empty password ([#1256](https://github.com/roots/trellis/pull/1256)) ### 1.7.0: November 9th, 2020 * Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197)) From 68e313ffc1a2c34badfcc22cda6a5aaba11ec2f9 Mon Sep 17 00:00:00 2001 From: Adam Bergman Date: Wed, 27 Jan 2021 05:08:59 +0100 Subject: [PATCH 329/663] Migrate to Xdebug v3 (#1260) --- group_vars/development/php.yml | 5 +++-- roles/xdebug-tunnel/defaults/main.yml | 4 ++-- roles/xdebug/defaults/main.yml | 28 +++++++++----------------- roles/xdebug/tasks/main.yml | 9 --------- roles/xdebug/templates/xdebug.ini.j2 | 29 +++++++++------------------ 5 files changed, 25 insertions(+), 50 deletions(-) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 4641858f1e..f4b4a726ad 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -4,5 +4,6 @@ php_display_startup_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 -xdebug_remote_enable: 1 -xdebug_remote_connect_back: 1 +xdebug_mode: 'debug' +xdebug_start_with_request: 'yes' +xdebug_discover_client_host: 1 diff --git a/roles/xdebug-tunnel/defaults/main.yml b/roles/xdebug-tunnel/defaults/main.yml index 764f6a43fa..3623b4ac55 100644 --- a/roles/xdebug-tunnel/defaults/main.yml +++ b/roles/xdebug-tunnel/defaults/main.yml 
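Review bot: `xdebug_discover_client_host: 1` makes Xdebug connect back to whatever address the incoming request reports, so anyone who can reach the box can point the debugger (which can evaluate arbitrary PHP over DBGp) at their own listener; that is acceptable for a Vagrant box on a private IP but must not leak onto any shared development host. Record the trade-off next to the setting: `# connect-back to the requesting client; dev-only, never on a host reachable by others`. The role default `xdebug_mode: 'off'` (visible below) is the right safety net for every other environment.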
@@ -1,6 +1,6 @@ -xdebug_tunnel_remote_port: 9000 +xdebug_tunnel_remote_port: 9003 xdebug_tunnel_host: localhost -xdebug_tunnel_local_port: 9000 +xdebug_tunnel_local_port: 9003 xdebug_tunnel_control_socket: /tmp/trellis-xdebug-{{ xdebug_tunnel_inventory_host }} xdebug_tunnel_control_identity: "{{ ansible_user_id }}" diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index 65fde7dd7e..a0574668c4 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,14 +1,17 @@ php_xdebug_package: php7.4-xdebug +# XDebug Generic +xdebug_output_dir: /tmp +xdebug_trigger_value: + # XDebug Remote Debugging -xdebug_remote_enable: 0 -xdebug_remote_connect_back: 0 -xdebug_remote_autostart: 0 -xdebug_remote_host: localhost -xdebug_remote_port: 9000 -xdebug_remote_log: /tmp/xdebug.log +xdebug_mode: 'off' +xdebug_start_with_request: 'no' +xdebug_discover_client_host: 0 +xdebug_client_host: localhost +xdebug_client_port: 9003 +xdebug_log: /tmp/xdebug.log xdebug_idekey: XDEBUG -xdebug_extended_info: 1 xdebug_max_nesting_level: 200 # XDebug Display Settings @@ -21,24 +24,13 @@ xdebug_var_display_max_depth: 3 # XDebug Function/Stack Traces xdebug_collect_assignments: 0 -xdebug_collect_includes: 1 -xdebug_collect_params: 0 xdebug_collect_return: 0 -xdebug_collect_vars: 0 xdebug_show_exception_trace: 0 xdebug_show_local_vars: 0 -xdebug_show_mem_delta: 0 -xdebug_trace_enable_trigger: 0 -xdebug_trace_enable_trigger_value: xdebug_trace_format: 0 xdebug_trace_options: 0 -xdebug_trace_output_dir: /tmp xdebug_trace_output_name: trace.%c # XDebug Profiler xdebug_profiler_append: 0 -xdebug_profiler_enable: 0 -xdebug_profiler_enable_trigger: 0 -xdebug_profiler_enable_trigger_value: -xdebug_profiler_output_dir: /tmp xdebug_profiler_output_name: cachegrind.out.%p diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 6463d234e0..9ef22ccab6 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
@@ -19,15 +19,6 @@ state: link notify: reload php-fpm - when: xdebug_remote_enable | bool - -- name: Disable Xdebug - file: - path: /etc/php/7.4/fpm/conf.d/20-xdebug.ini - state: absent - when: not xdebug_remote_enable | bool - notify: reload php-fpm - - name: Disable Xdebug CLI file: path: /etc/php/7.4/cli/conf.d/20-xdebug.ini diff --git a/roles/xdebug/templates/xdebug.ini.j2 b/roles/xdebug/templates/xdebug.ini.j2 index 3490bc1d9b..fb8a18c951 100644 --- a/roles/xdebug/templates/xdebug.ini.j2 +++ b/roles/xdebug/templates/xdebug.ini.j2 @@ -3,16 +3,18 @@ [XDebug] zend_extension=xdebug.so +; Generic +xdebug.output_dir={{ xdebug_output_dir }} +xdebug.trigger_value={{ xdebug_trigger_value }} + ; Remote Debugging -xdebug.remote_enable={{ xdebug_remote_enable }} -xdebug.remote_connect_back={{ xdebug_remote_connect_back }} -xdebug.remote_autostart={{ xdebug_remote_autostart }} -xdebug.remote_host={{ xdebug_remote_host }} -xdebug.remote_port={{ xdebug_remote_port }} -xdebug.remote_handler=dbgp -xdebug.remote_log={{ xdebug_remote_log }} +xdebug.mode={{ xdebug_mode }} +xdebug.start_with_request={{ xdebug_start_with_request }} +xdebug.discover_client_host={{ xdebug_discover_client_host }} +xdebug.client_host={{ xdebug_client_host }} +xdebug.client_port={{ xdebug_client_port }} +xdebug.log={{ xdebug_log }} xdebug.idekey={{ xdebug_idekey }} -xdebug.extended_info={{ xdebug_extended_info }} xdebug.max_nesting_level={{ xdebug_max_nesting_level }} ; Display Settings 
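Review bot: With the `Disable Xdebug` task gone, the `20-xdebug.ini` symlink is created unconditionally and `xdebug.so` is loaded into PHP-FPM on every host this role touches; disabling now relies solely on `xdebug.mode={{ xdebug_mode }}` rendering as `off`. If the role is only ever listed in the development playbook (not visible here) that is fine; otherwise guard the link task with `when: xdebug_mode != 'off'` and keep an `absent` counterpart so production never loads the extension. The task list continues above this hunk.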
@@ -25,24 +27,13 @@ xdebug.var_display_max_depth={{ xdebug_var_display_max_depth }} ; Function/Stack Traces xdebug.collect_assignments={{ xdebug_collect_assignments }} -xdebug.collect_includes={{ xdebug_collect_includes }} -xdebug.collect_params={{ xdebug_collect_params }} xdebug.collect_return={{ xdebug_collect_return }} -xdebug.collect_vars={{ xdebug_collect_vars }} xdebug.show_exception_trace={{ xdebug_show_exception_trace }} xdebug.show_local_vars={{ xdebug_show_local_vars }} -xdebug.show_mem_delta={{ xdebug_show_mem_delta }} -xdebug.trace_enable_trigger={{ xdebug_trace_enable_trigger }} -xdebug.trace_enable_trigger_value={{ xdebug_trace_enable_trigger_value }} xdebug.trace_format={{ xdebug_trace_format }} xdebug.trace_options={{ xdebug_trace_options }} -xdebug.trace_output_dir={{ xdebug_trace_output_dir }} xdebug.trace_output_name={{ xdebug_trace_output_name }} ; Profiler xdebug.profiler_append={{ xdebug_profiler_append }} -xdebug.profiler_enable={{ xdebug_profiler_enable }} -xdebug.profiler_enable_trigger={{ xdebug_profiler_enable_trigger }} -xdebug.profiler_enable_trigger_value={{ xdebug_profiler_enable_trigger_value }} -xdebug.profiler_output_dir={{ xdebug_profiler_output_dir }} xdebug.profiler_output_name={{ xdebug_profiler_output_name }} From 7b7a35e69d218fb3ade76173f11d466226107cd2 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 26 Jan 2021 23:09:45 -0500 Subject: [PATCH 330/663] Remove unnecessary block --- roles/xdebug/tasks/main.yml | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 9ef22ccab6..690c459baa 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
@@ -1,23 +1,22 @@ --- -- block: - - name: Install Xdebug - apt: - name: "{{ php_xdebug_package }}" - state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" - cache_valid_time: "{{ apt_cache_valid_time }}" +- name: Install Xdebug + apt: + name: "{{ php_xdebug_package }}" + state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" + cache_valid_time: "{{ apt_cache_valid_time }}" - - name: Template the Xdebug configuration file - template: - src: xdebug.ini.j2 - dest: /etc/php/7.4/mods-available/xdebug.ini - notify: reload php-fpm +- name: Template the Xdebug configuration file + template: + src: xdebug.ini.j2 + dest: /etc/php/7.4/mods-available/xdebug.ini + notify: reload php-fpm - - name: Ensure 20-xdebug.ini is present - file: - src: /etc/php/7.4/mods-available/xdebug.ini - dest: /etc/php/7.4/fpm/conf.d/20-xdebug.ini - state: link - notify: reload php-fpm +- name: Ensure 20-xdebug.ini is present + file: + src: /etc/php/7.4/mods-available/xdebug.ini + dest: /etc/php/7.4/fpm/conf.d/20-xdebug.ini + state: link + notify: reload php-fpm - name: Disable Xdebug CLI file: From cdc7260cef400a64eca08adf147cf759e0872eef Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 26 Jan 2021 23:10:45 -0500 Subject: [PATCH 331/663] CHANGELOG for #1260 --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d56f627325..0cf496b765 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Migrate to Xdebug 3 ([#1260](https://github.com/roots/trellis/pull/1260)) + ### 1.7.1: January 20th, 2021 * Improved repo connection failure message on deploys ([#1265](https://github.com/roots/trellis/pull/1265)) * Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264)) From 0478098f4169c256d5a8b564114e63ade62a60c9 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Fri, 29 Jan 2021 20:22:31 -0500 Subject: [PATCH 332/663] Bump vagrant_ansible_version --- vagrant.default.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vagrant.default.yml b/vagrant.default.yml index 96361bc6c4..6fa047ecff 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 201807.12.0' -vagrant_ansible_version: '2.8.0' +vagrant_ansible_version: '2.9.10' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From b38b83d793855537d48f563f0053d3f2843a8b33 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 29 Jan 2021 20:34:58 -0500 Subject: [PATCH 333/663] Vagrant: use python3 Pip doesn't support Python2 anymore so we're defaulting Vagrant to python3. This defines a new config option `vagrant_ansible_python_interpreter` which defaults to `/usr/bin/python3`. --- Vagrantfile | 16 ++-------------- vagrant.default.yml | 3 ++- 2 files changed, 4 insertions(+), 15 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 4e09cd5175..016f43c149 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -117,23 +117,11 @@ Vagrant.configure('2') do |config|
 provisioner = local_provisioning? ? :ansible_local : :ansible
 provisioning_path = local_provisioning? ? ANSIBLE_PATH_ON_VM : ANSIBLE_PATH
 
- # Fix for https://github.com/hashicorp/vagrant/issues/10914
- if local_provisioning?
- config.vm.provision 'shell', inline: <<~SHELL
- sudo apt-get update -y -qq &&
- sudo dpkg-reconfigure libc6 &&
- export DEBIAN_FRONTEND=noninteractive &&
- sudo -E apt-get -q --option \"Dpkg::Options::=--force-confold\" --assume-yes install libssl1.1
- SHELL
- end
-
 config.vm.provision provisioner do |ansible|
 if local_provisioning?
+ ansible.extra_vars = { ansible_python_interpreter: vconfig.fetch('vagrant_ansible_python_interpreter') }
 ansible.install_mode = 'pip'
- if Vagrant::VERSION >= '2.2.5'
- # Fix for https://github.com/hashicorp/vagrant/issues/10950
- ansible.pip_install_cmd = 'curl https://bootstrap.pypa.io/get-pip.py | sudo python'
- end
+ ansible.pip_install_cmd = 'sudo apt-get install -y -qq python3-distutils && curl https://bootstrap.pypa.io/get-pip.py | sudo python3'
 ansible.provisioning_path = provisioning_path
 ansible.version = vconfig.fetch('vagrant_ansible_version')
 end
diff --git a/vagrant.default.yml b/vagrant.default.yml
index 6fa047ecff..7ff8284984 100644
--- a/vagrant.default.yml
+++ b/vagrant.default.yml
@@ -3,8 +3,9 @@ vagrant_ip: '192.168.50.5'
 vagrant_cpus: 1
 vagrant_memory: 1024 # in MB
 vagrant_box: 'bento/ubuntu-20.04'
-vagrant_box_version: '>= 201807.12.0'
+vagrant_box_version: '>= 202012.23.0'
 vagrant_ansible_version: '2.9.10'
+vagrant_ansible_python_interpreter: '/usr/bin/python3'
 vagrant_skip_galaxy: false
 vagrant_mount_type: 'nfs'
From 21b3f720bf88307ebb1cd42edc14c57162430a37 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Fri, 29 Jan 2021 23:15:28 -0500
Subject: [PATCH 334/663] Update CHANGELOG
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0cf496b765..f5f19b86f3 100644
--- a/CHANGELOG.md
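Review bot: The new `ansible.pip_install_cmd` runs `curl https://bootstrap.pypa.io/get-pip.py | sudo python3` with no integrity check, and because `curl` is invoked without `-f`, a 4xx/5xx response body or a truncated download is still piped into a root-run interpreter; at minimum use `curl -fsSL https://bootstrap.pypa.io/get-pip.py | sudo python3`, and since the same command already calls `apt-get` for `python3-distutils`, installing pip from the distro package (`python3-pip`) or verifying a pinned checksum of `get-pip.py` would remove the run-time dependency on a remote script altogether. The `Vagrant::VERSION >= '2.2.5'` guard around `pip_install_cmd` is dropped in the same hunk, so the file presumably now assumes a minimum Vagrant version it does not state; a one-line comment naming it would help. The `config.vm.provision` block and the enclosing `Vagrant.configure` block continue past the hunk.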
+++ b/CHANGELOG.md @@ -1,4 +1,6 @@ ### HEAD +* Use Python 3 for `ansible_local` Vagrant provisioner ([#1269](https://github.com/roots/trellis/pull/1269)) +* Bump `vagrant_ansible_version` to `2.9.10` ([#1268](https://github.com/roots/trellis/pull/1268)) * Migrate to Xdebug 3 ([#1260](https://github.com/roots/trellis/pull/1260)) ### 1.7.1: January 20th, 2021 From 23cf10806dc6991b0b96ad2980f8a5c06bc756e7 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 6 Feb 2021 00:17:34 -0500 Subject: [PATCH 335/663] Set file permissions explicitly Fixes ansible-lint violations --- roles/deploy/defaults/main.yml | 6 +++--- roles/deploy/tasks/build.yml | 2 +- roles/deploy/tasks/prepare.yml | 4 ++-- roles/deploy/tasks/share.yml | 8 ++++---- roles/fail2ban/tasks/main.yml | 4 +++- roles/ferm/tasks/main.yml | 2 ++ roles/letsencrypt/tasks/nginx.yml | 4 +++- roles/letsencrypt/tasks/setup.yml | 6 ++++-- roles/mariadb/tasks/main.yml | 1 + roles/memcached/tasks/main.yml | 1 + roles/nginx/tasks/main.yml | 3 +++ roles/php/tasks/main.yml | 2 ++ roles/rollback/tasks/main.yml | 1 + roles/ssmtp/tasks/main.yml | 2 ++ roles/wordpress-install/tasks/directories.yml | 1 + roles/wordpress-install/tasks/dotenv.yml | 2 +- roles/wordpress-setup/tasks/main.yml | 1 + roles/wordpress-setup/tasks/nginx-includes.yml | 1 + roles/wordpress-setup/tasks/nginx.yml | 3 +++ roles/wordpress-setup/tasks/self-signed-certificate.yml | 3 ++- roles/wp-cli/tasks/main.yml | 2 +- roles/xdebug/tasks/main.yml | 1 + 22 files changed, 43 insertions(+), 17 deletions(-) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 61a5ad7b62..48174a8d3c 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml 
@@ -20,7 +20,7 @@ project_templates: - name: .env config src: roles/deploy/templates/env.j2 dest: .env - mode: '0600' + mode: 0600 # The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`. # For example a sessions directory or an uploads folder. They are created if they don't exist, with the type @@ -29,8 +29,8 @@ project_templates: # project_shared_children: # - path: app/sessions # src: sessions -# mode: '0755' // <- optional, must be quoted, defaults to `'0755'` if `directory` or `'0644'` if `file` -# type: directory // <- optional, defaults to `directory`, options: `directory` or `file` +# mode: 0755 // <- optional, use an octal number starting with 0 or quote it, defaults to `0755` if `directory` or `0644` if `file` +# type: directory // <- optional, defaults to `directory`, options: `directory` or `file` project_shared_children: - path: web/app/uploads src: uploads diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index d5a99316c5..b9fc2f2c03 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -17,7 +17,7 @@ template: src: "{{ item.src }}" dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}" - mode: "{{ item.mode | default('0644') }}" + mode: "{{ item.mode | default(0644) }}" with_items: "{{ project.project_templates | default(project_templates) }}" - name: Check if project folders exist diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 2567d7986e..8af8bd223d 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -27,7 +27,7 @@ - name: Create new release dir file: path: "{{ deploy_helper.new_release_path }}" - mode: '0755' + mode: 0755 state: directory - name: Run git archive to populate new build dir 
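Review bot: Unquoting `mode: 0600` in `project_templates` changes the value's type rather than just its spelling: a YAML 1.1 loader reads `0600` as the integer 384, and once build.yml's `mode: "{{ item.mode | default(0644) }}"` renders it, the file module receives the decimal string `384`, which is neither a valid octal nor a symbolic mode. The same template-then-reparse path exists for `project_shared_children` through the `default(0755)`/`default(0644)` expressions in share.yml, and the bare integers added in the other hunks of this commit (fail2ban, ferm, letsencrypt, mariadb, memcached, nginx, php, rollback, ssmtp, wordpress-install, wordpress-setup, wp-cli, xdebug) only work as long as they never pass through Jinja. Keep modes as quoted strings, `mode: '0600'` and `default('0644')`, as the old side had; the follow-up patch in this series does restore them.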
@@ -51,7 +51,7 @@ - name: write unfinished file file: path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" - mode: '0744' + mode: 0744 state: touch - name: Check if deploy_prepare_after scripts exist diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 12da9836c2..ac76b09f2f 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -17,7 +17,7 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: directory - mode: "{{ item.mode | default('0755') }}" + mode: "{{ item.mode | default(0755) }}" with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'directory' @@ -25,7 +25,7 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}" state: directory - mode: '0755' + mode: 0755 with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' @@ -33,14 +33,14 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: touch - mode: "{{ item.mode | default('0644') }}" + mode: "{{ item.mode | default(0644) }}" with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" - mode: '0777' + mode: 0777 state: directory with_items: "{{ project.project_shared_children | default(project_shared_children) }}" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 278f0811ab..5f2b8100ad 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -11,6 +11,7 @@ template: src: "{{ item }}.j2" dest: /etc/fail2ban/{{ item }} + mode: 0644 with_items: - jail.local - fail2ban.local 
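Review bot: `mode: 0777` on the parent directories created under `deploy_helper.new_release_path` makes them world-writable, which is broader than the `0755` every other directory task in share.yml uses; unless another local account genuinely has to create entries there, `mode: '0755'` with an explicit `owner`/`group` for `web_user` would be the least-privilege form. The value is pre-existing, but the commit rewrites the line and is the natural place to revisit it. The quoting concern raised on the deploy defaults hunk applies to this line as well.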
@@ -30,12 +31,13 @@ file: path: /etc/fail2ban/filter.d/ state: directory - mode: '0755' + mode: 0755 - name: template fail2ban filters template: src: "{{ item }}" dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" + mode: 0644 with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" notify: restart fail2ban diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index bdbaa0b53d..453ac00112 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -28,6 +28,7 @@ template: src: "{{ item }}.j2" dest: /{{ item }} + mode: 0644 with_items: - etc/default/ferm - etc/ferm/ferm.conf @@ -55,6 +56,7 @@ {% else %} dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf {% endif %} + mode=0644 with_flattened: - "{{ ferm_input_list }}" - "{{ ferm_input_group_list }}" diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 20b97e63b1..d67bfa2e4f 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -3,6 +3,7 @@ template: src: acme-challenge-location.conf.j2 dest: "{{ nginx_path }}/acme-challenge-location.conf" + mode: 0644 - name: Get list of hosts in current Nginx conf shell: | @@ -17,6 +18,7 @@ template: src: nginx-challenge-site.conf.j2 dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf" + mode: 0644 register: challenge_site_confs when: - site_uses_letsencrypt @@ -42,7 +44,7 @@ file: path: "{{ acme_tiny_challenges_directory }}/ping.txt" state: touch - mode: '0644' + mode: 0644 - name: Test Acme Challenges test_challenges: diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 48c3221cf3..942cfc4655 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml 
@@ -28,12 +28,12 @@ state: directory with_items: - path: "{{ acme_tiny_data_directory }}" - mode: '0700' + mode: 0700 - path: "{{ acme_tiny_data_directory }}/csrs" - path: "{{ acme_tiny_software_directory }}" - path: "{{ acme_tiny_challenges_directory }}" - path: "{{ letsencrypt_certs_dir }}" - mode: '0700' + mode: 0700 - name: Clone acme-tiny repository git: @@ -46,12 +46,14 @@ copy: src: "{{ letsencrypt_account_key_source_file }}" dest: "{{ letsencrypt_account_key }}" + mode: 0700 when: letsencrypt_account_key_source_file is defined - name: Copy Lets Encrypt account key source contents copy: content: "{{ letsencrypt_account_key_source_content | trim }}" dest: "{{ letsencrypt_account_key }}" + mode: 0700 when: letsencrypt_account_key_source_content is defined - name: Generate a new account key diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index f329616f62..b1acc09da4 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -29,6 +29,7 @@ dest: /etc/mysql/conf.d owner: root group: root + mode: 0644 when: mysql_binary_logging_disabled | bool notify: restart mysql server diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 359ee645f3..0b54161bae 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -10,6 +10,7 @@ template: src: memcached.conf.j2 dest: /etc/memcached.conf + mode: 0644 notify: restart memcached - name: Set the max open file descriptors diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index f97d720b2d..e0176a8ffb 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -19,6 +19,7 @@ file: path: "{{ nginx_path }}/{{ item }}" state: directory + mode: 0755 with_items: - sites-available - sites-enabled 
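Review bot: The two `copy` tasks for the Let's Encrypt account key set `mode: 0700`, which adds the execute bit to a private key file; `mode: '0600'` is sufficient for a key that is only read, and matches the `0600` this commit keeps for `.env` in the deploy defaults. Keep `0700` for the directories in the `-28,12` hunk above, where the execute bit is what allows traversal. Neither task sets `owner`/`group`, so the key is presumably left owned by whatever account the play runs as; worth confirming that matches the later reader.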
@@ -42,12 +43,14 @@ copy: src: templates/h5bp dest: "{{ nginx_path }}" + mode: 0755 notify: reload nginx - name: Create nginx.conf template: src: "{{ nginx_conf }}" dest: "{{ nginx_path }}/nginx.conf" + mode: 0644 notify: reload nginx tags: nginx-includes diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index e706517d29..3feda4fd23 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -49,9 +49,11 @@ template: src: php-fpm.ini.j2 dest: /etc/php/7.4/fpm/php.ini + mode: 0644 notify: reload php-fpm - name: Copy PHP CLI configuration file template: src: php-cli.ini.j2 dest: /etc/php/7.4/cli/php.ini + mode: 0644 diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index f8bd6f80c3..44dad91849 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml @@ -30,3 +30,4 @@ file: path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED" state: touch + mode: 0644 diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 9d62055d4d..6b98dc228b 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -9,8 +9,10 @@ template: src: ssmtp.conf.j2 dest: /etc/ssmtp/ssmtp.conf + mode: 0644 - name: ssmtp revaliases configuration template: src: revaliases.j2 dest: /etc/ssmtp/revaliases + mode: 0644 diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 093d3212a6..7070de7392 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml @@ -22,6 +22,7 @@ path: "{{ www_root }}/{{ item.key }}" owner: "{{ web_user }}" group: "{{ web_group }}" + mode: 0755 state: directory recurse: yes with_dict: "{{ wordpress_sites }}" diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml index 5397096992..84b2e3f721 100644 --- a/roles/wordpress-install/tasks/dotenv.yml +++ b/roles/wordpress-install/tasks/dotenv.yml 
@@ -3,7 +3,7 @@ template: src: "env.j2" dest: "/tmp/{{ item.key }}.env" - mode: '0644' + mode: 0644 owner: "{{ web_user }}" group: "{{ web_group }}" with_dict: "{{ wordpress_sites }}" diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index e1e48bbe02..53951327c5 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -27,6 +27,7 @@ template: src: php-fpm.conf.j2 dest: /etc/php/7.4/fpm/pool.d/wordpress.conf + mode: 0644 notify: reload php-fpm - name: Disable default PHP-FPM pool diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 0ea756a397..03885a8a59 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -24,6 +24,7 @@ template: src: "{{ item }}" dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}" + mode: 0644 with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" notify: reload nginx diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index 0f1333fa12..c5e29930c7 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -23,6 +23,7 @@ template: src: "{{ item.src }}" dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" + mode: 0644 with_items: "{{ nginx_sites_confs }}" when: item.enabled | default(true) notify: reload nginx 
@@ -52,12 +53,14 @@ template: src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2" dest: "{{ nginx_path }}/acme-challenge-location.conf" + mode: 0644 notify: reload nginx - name: Create WordPress configuration for Nginx template: src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}" dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf" + mode: 0644 with_dict: "{{ wordpress_sites }}" notify: reload nginx tags: nginx-includes diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 193415e7d9..a1601f9361 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -3,12 +3,13 @@ file: path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/" state: directory - mode: "0755" + mode: 0755 - name: Template openssl configs template: src: self-signed-openssl-config.j2 dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" + mode: 0644 with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - sites_use_ssl | bool diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 21494865dc..b0b6aef406 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -19,7 +19,7 @@ copy: src: "{{ wp_cli_pgp_public_key }}" dest: /tmp/wp-cli.pgp.gpg - mode: '0744' + mode: 0744 - name: Verify WP-CLI Phar Signature command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 690c459baa..5b19db0ef4 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
@@ -9,6 +9,7 @@ template: src: xdebug.ini.j2 dest: /etc/php/7.4/mods-available/xdebug.ini + mode: 0644 notify: reload php-fpm - name: Ensure 20-xdebug.ini is present From 2bd826fafe6b6a764b1ae0067c6ab10da9c09585 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Tue, 9 Feb 2021 05:53:29 +0000 Subject: [PATCH 336/663] File permissions: Use strings instead of octal numbers Follow up #1270 Fix: https://discourse.roots.io/t/mode-must-be-in-octal-or-symbolic-form/20038 --- roles/deploy/defaults/main.yml | 4 ++-- roles/deploy/tasks/build.yml | 2 +- roles/deploy/tasks/prepare.yml | 4 ++-- roles/deploy/tasks/share.yml | 8 ++++---- roles/fail2ban/tasks/main.yml | 6 +++--- roles/ferm/tasks/main.yml | 4 ++-- roles/letsencrypt/tasks/certificates.yml | 4 ++-- roles/letsencrypt/tasks/nginx.yml | 6 +++--- roles/letsencrypt/tasks/setup.yml | 8 ++++---- roles/mariadb/tasks/main.yml | 4 ++-- roles/memcached/tasks/main.yml | 2 +- roles/nginx/tasks/main.yml | 8 ++++---- roles/php/tasks/main.yml | 4 ++-- roles/rollback/tasks/main.yml | 2 +- roles/sshd/tasks/main.yml | 4 ++-- roles/ssmtp/tasks/main.yml | 4 ++-- roles/users/tasks/main.yml | 2 +- roles/wordpress-install/tasks/directories.yml | 6 +++--- roles/wordpress-install/tasks/dotenv.yml | 2 +- roles/wordpress-setup/tasks/main.yml | 6 +++--- roles/wordpress-setup/tasks/nginx-client-cert.yml | 2 +- roles/wordpress-setup/tasks/nginx-includes.yml | 4 ++-- roles/wordpress-setup/tasks/nginx.yml | 10 +++++----- .../wordpress-setup/tasks/self-signed-certificate.yml | 4 ++-- roles/wp-cli/tasks/main.yml | 2 +- roles/xdebug/tasks/main.yml | 2 +- 26 files changed, 57 insertions(+), 57 deletions(-) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 48174a8d3c..597fa036b2 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml 
@@ -20,7 +20,7 @@ project_templates: - name: .env config src: roles/deploy/templates/env.j2 dest: .env - mode: 0600 + mode: '0600' # The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`. # For example a sessions directory or an uploads folder. They are created if they don't exist, with the type @@ -29,7 +29,7 @@ project_templates: # project_shared_children: # - path: app/sessions # src: sessions -# mode: 0755 // <- optional, use an octal number starting with 0 or quote it, defaults to `0755` if `directory` or `0644` if `file` +# mode: '0755' // <- optional, use an octal number starting with 0 or quote it, defaults to `'0755'` if `directory` or `'0644'` if `file` # type: directory // <- optional, defaults to `directory`, options: `directory` or `file` project_shared_children: - path: web/app/uploads diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index b9fc2f2c03..d5a99316c5 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -17,7 +17,7 @@ template: src: "{{ item.src }}" dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}" - mode: "{{ item.mode | default(0644) }}" + mode: "{{ item.mode | default('0644') }}" with_items: "{{ project.project_templates | default(project_templates) }}" - name: Check if project folders exist diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 8af8bd223d..2567d7986e 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -27,7 +27,7 @@ - name: Create new release dir file: path: "{{ deploy_helper.new_release_path }}" - mode: 0755 + mode: '0755' state: directory - name: Run git archive to populate new build dir @@ -51,7 +51,7 @@ - name: write unfinished file file: path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" - mode: 0744 + mode: '0744' state: touch - name: Check if deploy_prepare_after scripts exist 
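Review bot: The updated comment in the `-29,7` hunk still tells users they may `use an octal number starting with 0 or quote it`, which is exactly the unquoted form this commit removes because it fails once the value is templated; the guidance should match the code, e.g. `# mode: '0755' // <- optional, must be quoted, defaults to '0755' if directory or '0644' if file`. The other hunks in this commit only re-quote literal values and look consistent.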
diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index ac76b09f2f..12da9836c2 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -17,7 +17,7 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: directory - mode: "{{ item.mode | default(0755) }}" + mode: "{{ item.mode | default('0755') }}" with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'directory' @@ -25,7 +25,7 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}" state: directory - mode: 0755 + mode: '0755' with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' @@ -33,14 +33,14 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: touch - mode: "{{ item.mode | default(0644) }}" + mode: "{{ item.mode | default('0644') }}" with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" - mode: 0777 + mode: '0777' state: directory with_items: "{{ project.project_shared_children | default(project_shared_children) }}" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 5f2b8100ad..45580f1a3f 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -11,7 +11,7 @@ template: src: "{{ item }}.j2" dest: /etc/fail2ban/{{ item }} - mode: 0644 + mode: '0644' with_items: - jail.local - fail2ban.local 
@@ -31,13 +31,13 @@ file: path: /etc/fail2ban/filter.d/ state: directory - mode: 0755 + mode: '0755' - name: template fail2ban filters template: src: "{{ item }}" dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" - mode: 0644 + mode: '0644' with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" notify: restart fail2ban diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index 453ac00112..2848cb488a 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -19,7 +19,7 @@ file: path: "{{ item }}" state: directory - mode: 0750 + mode: '0750' with_items: - /etc/ferm/ferm.d - /etc/ferm/filter-input.d @@ -28,7 +28,7 @@ template: src: "{{ item }}.j2" dest: /{{ item }} - mode: 0644 + mode: '0644' with_items: - etc/default/ferm - etc/ferm/ferm.conf diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index efc86dc568..110af4219e 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -9,7 +9,7 @@ - name: Ensure correct permissions on private keys file: path: "{{ letsencrypt_keys_dir }}/{{ item.key }}.key" - mode: 0600 + mode: '0600' when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" @@ -39,7 +39,7 @@ template: src: renew-certs.py dest: "{{ acme_tiny_data_directory }}/renew-certs.py" - mode: 0700 + mode: '0700' tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes] - name: Generate the certificates diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index d67bfa2e4f..877ed09c92 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -3,7 +3,7 @@ template: src: acme-challenge-location.conf.j2 dest: "{{ nginx_path }}/acme-challenge-location.conf" - mode: 0644 + mode: '0644' - name: Get list of hosts in current Nginx conf shell: | 
@@ -18,7 +18,7 @@ template: src: nginx-challenge-site.conf.j2 dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf" - mode: 0644 + mode: '0644' register: challenge_site_confs when: - site_uses_letsencrypt @@ -44,7 +44,7 @@ file: path: "{{ acme_tiny_challenges_directory }}/ping.txt" state: touch - mode: 0644 + mode: '0644' - name: Test Acme Challenges test_challenges: diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 942cfc4655..c23ba5918d 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -28,12 +28,12 @@ state: directory with_items: - path: "{{ acme_tiny_data_directory }}" - mode: 0700 + mode: '0700' - path: "{{ acme_tiny_data_directory }}/csrs" - path: "{{ acme_tiny_software_directory }}" - path: "{{ acme_tiny_challenges_directory }}" - path: "{{ letsencrypt_certs_dir }}" - mode: 0700 + mode: '0700' - name: Clone acme-tiny repository git: @@ -46,14 +46,14 @@ copy: src: "{{ letsencrypt_account_key_source_file }}" dest: "{{ letsencrypt_account_key }}" - mode: 0700 + mode: '0700' when: letsencrypt_account_key_source_file is defined - name: Copy Lets Encrypt account key source contents copy: content: "{{ letsencrypt_account_key_source_content | trim }}" dest: "{{ letsencrypt_account_key }}" - mode: 0700 + mode: '0700' when: letsencrypt_account_key_source_content is defined - name: Generate a new account key diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index b1acc09da4..4a533a0ba9 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -29,7 +29,7 @@ dest: /etc/mysql/conf.d owner: root group: root - mode: 0644 + mode: '0644' when: mysql_binary_logging_disabled | bool notify: restart mysql server @@ -53,7 +53,7 @@ dest: ~/.my.cnf owner: root group: root - mode: 0600 + mode: '0600' - name: Delete anonymous MySQL server users mysql_user: 
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 0b54161bae..04bec4ffb4 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -10,7 +10,7 @@ template: src: memcached.conf.j2 dest: /etc/memcached.conf - mode: 0644 + mode: '0644' notify: restart memcached - name: Set the max open file descriptors diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index e0176a8ffb..3bf25d435e 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -19,14 +19,14 @@ file: path: "{{ nginx_path }}/{{ item }}" state: directory - mode: 0755 + mode: '0755' with_items: - sites-available - sites-enabled - name: Create SSL directory file: - mode: 0700 + mode: '0700' path: "{{ nginx_path }}/ssl" state: directory @@ -43,14 +43,14 @@ copy: src: templates/h5bp dest: "{{ nginx_path }}" - mode: 0755 + mode: '0755' notify: reload nginx - name: Create nginx.conf template: src: "{{ nginx_conf }}" dest: "{{ nginx_path }}/nginx.conf" - mode: 0644 + mode: '0644' notify: reload nginx tags: nginx-includes diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 3feda4fd23..832ee00974 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -49,11 +49,11 @@ template: src: php-fpm.ini.j2 dest: /etc/php/7.4/fpm/php.ini - mode: 0644 + mode: '0644' notify: reload php-fpm - name: Copy PHP CLI configuration file template: src: php-cli.ini.j2 dest: /etc/php/7.4/cli/php.ini - mode: 0644 + mode: '0644' diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index 44dad91849..6ceb07dc30 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml @@ -30,4 +30,4 @@ file: path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED" state: touch - mode: 0644 + mode: '0644' diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index acabc23938..152b4f7fd3 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml 
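Review bot: `mode: '0755'` on the recursive `copy` of `templates/h5bp` applies to the copied files, not only the directories, so the nginx include snippets end up executable; the copy module has a separate `directory_mode` parameter for recursive copies, so `mode: '0644'` plus `directory_mode: '0755'` would keep the configuration files non-executable while directories stay traversable. The `nginx.conf` template at `'0644'` in the same hunk is fine.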
@@ -11,7 +11,7 @@ template: src: "{{ sshd_config }}" dest: /etc/ssh/sshd_config - mode: 0600 + mode: '0600' validate: '/usr/sbin/sshd -T -f %s' notify: restart ssh @@ -19,7 +19,7 @@ template: src: "{{ ssh_config }}" dest: /etc/ssh/ssh_config - mode: 0644 + mode: '0644' - name: Remove Diffie-Hellman moduli of size < 2000 lineinfile: diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 6b98dc228b..c0e78ba3ec 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -9,10 +9,10 @@ template: src: ssmtp.conf.j2 dest: /etc/ssmtp/ssmtp.conf - mode: 0644 + mode: '0644' - name: ssmtp revaliases configuration template: src: revaliases.j2 dest: /etc/ssmtp/revaliases - mode: 0644 + mode: '0644' diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index f4eda4025c..acfcd74838 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -43,7 +43,7 @@ template: src: sudoers.d.j2 dest: "/etc/sudoers.d/{{ web_user }}-services" - mode: 0440 + mode: '0440' owner: root group: root validate: "/usr/sbin/visudo -cf %s" diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 7070de7392..680951a57e 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml @@ -4,7 +4,7 @@ path: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory with_dict: "{{ wordpress_sites }}" @@ -13,7 +13,7 @@ path: "{{ www_root }}/{{ item.key }}/shared" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory with_dict: "{{ wordpress_sites }}" @@ -22,7 +22,7 @@ path: "{{ www_root }}/{{ item.key }}" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory recurse: yes with_dict: "{{ wordpress_sites }}" 
diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml index 84b2e3f721..5397096992 100644 --- a/roles/wordpress-install/tasks/dotenv.yml +++ b/roles/wordpress-install/tasks/dotenv.yml @@ -3,7 +3,7 @@ template: src: "env.j2" dest: "/tmp/{{ item.key }}.env" - mode: 0644 + mode: '0644' owner: "{{ web_user }}" group: "{{ web_group }}" with_dict: "{{ wordpress_sites }}" diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 53951327c5..69851a902d 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -11,7 +11,7 @@ path: "{{ www_root }}" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory - name: Create logs folder of sites @@ -19,7 +19,7 @@ path: "{{ www_root }}/{{ item.key }}/logs" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory with_dict: "{{ wordpress_sites }}" @@ -27,7 +27,7 @@ template: src: php-fpm.conf.j2 dest: /etc/php/7.4/fpm/pool.d/wordpress.conf - mode: 0644 + mode: '0644' notify: reload php-fpm - name: Disable default PHP-FPM pool diff --git a/roles/wordpress-setup/tasks/nginx-client-cert.yml b/roles/wordpress-setup/tasks/nginx-client-cert.yml index 49d810eee5..69f7026a22 100644 --- a/roles/wordpress-setup/tasks/nginx-client-cert.yml +++ b/roles/wordpress-setup/tasks/nginx-client-cert.yml @@ -3,6 +3,6 @@ get_url: url: "{{ item.value.ssl.client_cert_url }}" dest: "{{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt" - mode: 0640 + mode: '0640' with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.client_cert_url is defined diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 03885a8a59..a18e2e1851 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
@@ -13,7 +13,7 @@ file: path: "{{ nginx_path }}/includes.d/{{ item }}" state: directory - mode: 0755 + mode: '0755' with_items: "{{ nginx_includes_templates.files | map(attribute='path') | map('regex_replace', nginx_includes_pattern, '\\2') | map('dirname') | unique | list | sort @@ -24,7 +24,7 @@ template: src: "{{ item }}" dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}" - mode: 0644 + mode: '0644' with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" notify: reload nginx diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index c5e29930c7..ebeb80c49b 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -3,7 +3,7 @@ copy: src: "{{ item.value.ssl.cert }}" dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.cert | basename }}" - mode: 0640 + mode: '0640' with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.cert is defined notify: reload nginx @@ -12,7 +12,7 @@ copy: src: "{{ item.value.ssl.key }}" dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.key | basename }}" - mode: 0600 + mode: '0600' with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.key is defined notify: reload nginx @@ -23,7 +23,7 @@ template: src: "{{ item.src }}" dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" - mode: 0644 + mode: '0644' with_items: "{{ nginx_sites_confs }}" when: item.enabled | default(true) notify: reload nginx 
@@ -53,14 +53,14 @@ template: src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2" dest: "{{ nginx_path }}/acme-challenge-location.conf" - mode: 0644 + mode: '0644' notify: reload nginx - name: Create WordPress configuration for Nginx template: src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}" dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf" - mode: 0644 + mode: '0644' with_dict: "{{ wordpress_sites }}" notify: reload nginx tags: nginx-includes diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index a1601f9361..1147125d93 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -3,13 +3,13 @@ file: path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/" state: directory - mode: 0755 + mode: '0755' - name: Template openssl configs template: src: self-signed-openssl-config.j2 dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" - mode: 0644 + mode: '0644' with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - sites_use_ssl | bool diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index b0b6aef406..21494865dc 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -19,7 +19,7 @@ copy: src: "{{ wp_cli_pgp_public_key }}" dest: /tmp/wp-cli.pgp.gpg - mode: 0744 + mode: '0744' - name: Verify WP-CLI Phar Signature command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 5b19db0ef4..50d7396e86 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
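Review bot: In the wp-cli hunk the PGP keyring copied to `/tmp/wp-cli.pgp.gpg` keeps `mode: '0744'`, which grants execute on a data file for no reason; `mode: '0644'` (or `'0600'`, the verify step runs as the same user) is the right value to quote. More generally the trust anchor and the phar being verified are both staged under fixed names in the world-writable `/tmp`, so the outcome of `gpg2 --verify` depends on nothing else on the host having touched those paths in between; staging them in a directory from the `tempfile` module, or a root-owned directory created by the play, removes that dependency. The download tasks that place the phar and its `.asc` are outside the hunk.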
@@ -9,7 +9,7 @@ template: src: xdebug.ini.j2 dest: /etc/php/7.4/mods-available/xdebug.ini - mode: 0644 + mode: '0644' notify: reload php-fpm - name: Ensure 20-xdebug.ini is present From cb83384c14aee8a5bd2bb4d7d2e137a7a5df261d Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 12 Feb 2021 15:41:37 +0000 Subject: [PATCH 337/663] Add ` wp_post_revisions: true` to `wordpress_env_defaults` Complementing https://github.com/roots/bedrock/pull/572/ --- roles/deploy/vars/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index c01bfc82c6..1a7612f9bb 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml @@ -10,5 +10,6 @@ wordpress_env_defaults: git_sha: "{{ git_clone.after }}" release_version: "{{ deploy_helper.new_release }}" wp_debug_log: "{{ project_root }}/logs/debug.log" + wp_post_revisions: true site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" From 4a5332e299ce6ed4803d6b8a49d31832b7e456eb Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 12 Feb 2021 17:44:01 -0500 Subject: [PATCH 338/663] v1.8.0 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5f19b86f3..7ebd0d975f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ -### HEAD +### 1.8.0: February 12th, 2021 +* Set permissions on all file related tasks ([#1270](https://github.com/roots/trellis/pull/1270)) * Use Python 3 for `ansible_local` Vagrant provisioner ([#1269](https://github.com/roots/trellis/pull/1269)) * Bump `vagrant_ansible_version` to `2.9.10` ([#1268](https://github.com/roots/trellis/pull/1268)) * Migrate to Xdebug 3 ([#1260](https://github.com/roots/trellis/pull/1260)) From 72d244497e5054bdee0785b3ab3926ec16686df7 Mon Sep 17 00:00:00 2001 
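Review bot: In the deploy vars hunk `wp_post_revisions: true` is an unquoted YAML boolean, while every sibling in `wordpress_env_defaults` is a string; unless the env template normalizes booleans it will presumably render as Python's `True`, and the Bedrock side would then have to accept that spelling. Quoting it, `wp_post_revisions: "true"`, makes the rendered `.env` value independent of the template's type handling and matches how the neighbouring keys are written. The `wordpress_env_defaults` mapping itself starts above the hunk.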
From: Ben Word Date: Mon, 15 Feb 2021 12:07:31 -0700 Subject: [PATCH 339/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4528a8f904..6921a16ca2 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot C21 Redwood Realty +Kinsta Carrot C21 Redwood Realty WordPress.com ## Community From 9ea779c65845689bb834849911f96ae6aafedc39 Mon Sep 17 00:00:00 2001 From: Lukas Besch Date: Tue, 16 Feb 2021 21:11:44 +0100 Subject: [PATCH 340/663] Update required Ubuntu version in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6921a16ca2..4a8a965874 100644 --- a/README.md +++ b/README.md @@ -152,7 +152,7 @@ $ trellis up ## Remote server setup (staging/production) -A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. +A base Ubuntu 18.04 (Bionic) or Ubuntu 20.04 (Focal LTS) server is required for setting up remote servers. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/docs/trellis/master/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` From 64601d51641df093003e5cf319e405ea3b9128f6 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 10 Mar 2021 06:06:04 +0000 Subject: [PATCH 341/663] CircleCI: Remove `ansible-lint` --- .ansible-lint | 6 ------ .circleci/config.yml | 22 ---------------------- roles/deploy/tasks/update.yml | 2 +- 3 files changed, 1 insertion(+), 29 deletions(-) delete mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint deleted file mode 100644 index 959984bdc8..0000000000 --- a/.ansible-lint +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -warn_list: [] - -skip_list: - - 106 # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - - 204 # Lines should be no longer than 160 chars diff --git a/.circleci/config.yml b/.circleci/config.yml index c1efe12621..9e78a3993b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -98,22 +98,6 @@ jobs: - install-galaxy-roles - check-playbook-syntax - lint: - parameters: - python-version: - type: string - executor: - name: python/default - tag: <> - steps: - - run: python --version - - checkout - - install-pip-package: - package: ansible-lint - python-version: <> - - run: ansible-lint --version - - run: ansible-lint deploy.yml dev.yml server.yml rollback.yml xdebug-tunnel.yml - workflows: syntax-check: jobs: @@ -128,9 +112,3 @@ workflows: matrix: parameters: python-version: ["3.7.8", "2.7"] - - lint: - jobs: - - lint: - name: lint-python-3.7 - python-version: "3.7.8" diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index ad3780a7d1..fb8831e24f 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -41,7 +41,7 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding when: git_clone is failed -- name: Remove untracked files from project folder # noqa 303 +- name: Remove untracked files from project folder command: git clean -fdx args: chdir: "{{ project_source_path }}" From 654518c94e3f33bd9cd587ff0317cbb71d2112b6 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 15 Mar 2021 16:31:36 -0600 Subject: [PATCH 342/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4a8a965874..28da5ceb59 100644 --- a/README.md +++ b/README.md 
@@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Carrot C21 Redwood Realty WordPress.com +Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com ## Community From 5f398b2e27f1838b2eb4998a961c43db81c7aa57 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 2 Apr 2021 18:04:48 -0400 Subject: [PATCH 343/663] Improve handling of PHP versions Refactors how PHP and its extensions are installed per version. Previously all version references were hardcoded and updating to a new version (ie from `7.4` to `8.0`) meant replacing a bunch of version numbers across lots of files which made it difficult to use a different version than Trellis' default. Now to switch to another PHP version that Trellis supports, only the `php_version` variable needs to be changed. And to support a new version, only a single version specific vars file needs to be created (example: `roles/php/vars/8.0.yml`). --- group_vars/all/main.yml | 3 +- group_vars/all/users.yml | 2 +- roles/common/handlers/main.yml | 2 +- roles/common/tasks/main.yml | 12 +++++++ roles/deploy/hooks/finalize-after.yml | 2 +- roles/memcached/defaults/main.yml | 3 +- roles/php/defaults/main.yml | 14 --------- roles/php/tasks/main.yml | 45 ++++++++++----------------- roles/php/vars/7.4.yml | 16 ++++++++++ roles/php/vars/8.0.yml | 16 ++++++++++ roles/wordpress-setup/tasks/main.yml | 6 ++-- roles/xdebug/defaults/main.yml | 2 -- roles/xdebug/tasks/main.yml | 8 ++--- xdebug-tunnel.yml | 2 +- 14 files changed, 75 insertions(+), 58 deletions(-) create mode 100644 roles/php/vars/7.4.yml create mode 100644 roles/php/vars/8.0.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index e6c5b416f6..b53f26c92e 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
@@ -1,8 +1,9 @@ -composer_keep_updated: true apt_cache_valid_time: 3600 apt_package_state: present apt_security_package_state: latest apt_dev_package_state: latest +composer_keep_updated: true +php_version: "7.4" ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index b61f4342cc..c19aafa286 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -19,4 +19,4 @@ users: web_user: web web_group: www-data web_sudoers: - - "/usr/sbin/service php7.4-fpm *" + - "/usr/sbin/service php{{ php_version }}-fpm *" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index a42884d2d3..8035cb64b4 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -9,7 +9,7 @@ - name: reload php-fpm service: - name: php7.4-fpm + name: php{{ php_version }}-fpm state: reloaded - import_tasks: reload_nginx.yml diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 971ca45ead..34271b37b6 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -34,6 +34,18 @@ when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count tags: [letsencrypt, wordpress] +- name: Import PHP version specific vars + include_vars: "{{ lookup('first_found', params) }}" + vars: + params: + files: + - '{{ php_version }}.yml' + - '7.4.yml' + paths: + - "{{ playbook_dir }}/roles/php/vars/" + + tags: [php, memcached] + - name: Verify dict format for apt package component variables fail: msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 751c27e0f3..1d20d3b456 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
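Review bot: In the common/tasks hunk the `first_found` fallback to `7.4.yml` masks an unsupported `php_version`: with, for example, `php_version: "8.1"` and no `roles/php/vars/8.1.yml`, the 7.4 extension list is loaded while every other task in this commit still derives the service name and `/etc/php/{{ php_version }}` paths from `php_version`, so one version would be installed and another configured. Dropping the fallback entry so `first_found` fails, or preceding the include with an `assert` on the vars file, turns that into an immediate, readable error. The task is also tagged only `[php, memcached]`, yet the same vars files now carry `php_xdebug_package` (moved out of the xdebug role defaults later in the series), so a tag-limited run that selects `xdebug` alone presumably leaves that variable undefined — confirm and add `xdebug` to the tags if so.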
@@ -34,6 +34,6 @@ when: wp_installed.rc == 0 - name: Reload php-fpm - shell: sudo service php7.4-fpm reload + shell: sudo service php{{ php_version }}-fpm reload args: warn: false diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml index 3fc0f0d733..0e9ba87761 100644 --- a/roles/memcached/defaults/main.yml +++ b/roles/memcached/defaults/main.yml @@ -8,7 +8,6 @@ memcached_port_udp: 0 memcached_packages_default: memcached: "{{ apt_package_state }}" - php7.4-memcached: "{{ apt_package_state }}" memcached_packages_custom: {} -memcached_packages: "{{ memcached_packages_default | combine(memcached_packages_custom) }}" +memcached_packages: "{{ memcached_packages_default | combine(php_memcached_packages, memcached_packages_custom) }}" diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 879d8ec3c0..8f68a7dc27 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -1,20 +1,6 @@ disable_default_pool: true memcached_sessions: false -php_extensions_default: - php7.4-cli: "{{ apt_package_state }}" - php7.4-common: "{{ apt_package_state }}" - php7.4-curl: "{{ apt_package_state }}" - php7.4-dev: "{{ apt_package_state }}" - php7.4-fpm: "{{ apt_package_state }}" - php7.4-gd: "{{ apt_package_state }}" - php7.4-mbstring: "{{ apt_package_state }}" - php7.4-mysql: "{{ apt_package_state }}" - php7.4-opcache: "{{ apt_package_state }}" - php7.4-xml: "{{ apt_package_state }}" - php7.4-xmlrpc: "{{ apt_package_state }}" - php7.4-zip: "{{ apt_package_state }}" - php_extensions_custom: {} php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 832ee00974..d67879fbda 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -1,59 +1,48 @@ --- -- name: Add PHP 7.4 PPA +- name: Add PHP PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.4 +- name: Install PHP and extensions apt: name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" -- name: Start php7.4-fpm service +- name: Start php fpm service service: - name: php7.4-fpm + name: "php{{ php_version }}-fpm" state: started enabled: true -- name: Check for existing php7.3-fpm service - stat: - path: /etc/init.d/php7.3-fpm - register: php73_status +- name: Find existing php fpm services + find: + paths: /etc/init.d + patterns: "^php((?!{{ php_version }})(\\d\\.\\d))-fpm$" + use_regex: true + register: old_php_fpm_services -- name: Stop php7.3-fpm service if it exists +- name: Stop old php-fpm services service: - name: php7.3-fpm + name: "{{ item.path | basename }}" state: stopped enabled: false - register: service_stopped - when: php73_status.stat.exists - notify: reload php-fpm - -- name: Check for existing php7.2-fpm service - stat: - path: /etc/init.d/php7.2-fpm - register: php72_status - -- name: Stop php7.2-fpm service if it exists - service: - name: php7.2-fpm - state: stopped - enabled: false - register: service_stopped - when: php72_status.stat.exists + loop: "{{ old_php_fpm_services.files }}" + loop_control: + label: "{{ item.path | basename }}" notify: reload php-fpm - name: Copy PHP-FPM configuration file template: src: php-fpm.ini.j2 - dest: /etc/php/7.4/fpm/php.ini + dest: /etc/php/{{ php_version }}/fpm/php.ini mode: '0644' notify: reload php-fpm - name: Copy PHP CLI configuration file template: src: php-cli.ini.j2 - dest: /etc/php/7.4/cli/php.ini + dest: /etc/php/{{ php_version }}/cli/php.ini mode: '0644' diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml new file mode 100644 index 0000000000..8f6a9eb8a7 --- /dev/null +++ b/roles/php/vars/7.4.yml 
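Review bot: The `find` pattern interpolates `php_version` into a regex without escaping, so the `.` in `7.4` is a wildcard inside the negative lookahead; harmless for the versions shipped here, but `(?!{{ php_version | regex_escape }})` states the intent and stays correct if the variable ever carries regex metacharacters. The `(\\d\\.\\d)` capture also assumes single-digit minor versions, which is fine for 7.4/8.0 but worth a comment on the `patterns` line so the next version bump does not trip over it.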
@@ -0,0 +1,16 @@ +php_extensions_default: + php7.4-cli: "{{ apt_package_state }}" + php7.4-curl: "{{ apt_package_state }}" + php7.4-dev: "{{ apt_package_state }}" + php7.4-fpm: "{{ apt_package_state }}" + php7.4-gd: "{{ apt_package_state }}" + php7.4-mbstring: "{{ apt_package_state }}" + php7.4-mysql: "{{ apt_package_state }}" + php7.4-xml: "{{ apt_package_state }}" + php7.4-xmlrpc: "{{ apt_package_state }}" + php7.4-zip: "{{ apt_package_state }}" + +php_memcached_packages: + php7.4-memcached: "{{ apt_package_state }}" + +php_xdebug_package: php7.4-xdebug diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml new file mode 100644 index 0000000000..a1781ec34e --- /dev/null +++ b/roles/php/vars/8.0.yml @@ -0,0 +1,16 @@ +php_extensions_default: + php8.0-cli: "{{ apt_package_state }}" + php8.0-curl: "{{ apt_package_state }}" + php8.0-dev: "{{ apt_package_state }}" + php8.0-fpm: "{{ apt_package_state }}" + php8.0-gd: "{{ apt_package_state }}" + php8.0-mbstring: "{{ apt_package_state }}" + php8.0-mysql: "{{ apt_package_state }}" + php8.0-xml: "{{ apt_package_state }}" + php8.0-xmlrpc: "{{ apt_package_state }}" + php8.0-zip: "{{ apt_package_state }}" + +php_memcached_packages: + php8.0-memcached: "{{ apt_package_state }}" + +php_xdebug_package: php8.0-xdebug diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 69851a902d..ac1fd8a735 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml 
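Review bot: The new `roles/php/vars/7.4.yml` drops `php7.4-common` and `php7.4-opcache`, which the removed `php_extensions_default` in `roles/php/defaults/main.yml` listed explicitly, and `8.0.yml` mirrors that omission. They are presumably pulled in as dependencies of `php*-cli`/`php*-fpm`, but once implicit they are no longer governed by `apt_package_state` (a `latest` setting would not upgrade them), so this is a behaviour change the commit message does not mention; either restore the two entries or add a comment above `php_extensions_default` stating they are intentionally left to dependency resolution.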
@@ -26,14 +26,14 @@ - name: Create WordPress php-fpm configuration file template: src: php-fpm.conf.j2 - dest: /etc/php/7.4/fpm/pool.d/wordpress.conf + dest: /etc/php/{{ php_version }}/fpm/pool.d/wordpress.conf mode: '0644' notify: reload php-fpm - name: Disable default PHP-FPM pool - command: mv /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.disabled + command: mv /etc/php/{{ php_version }}/fpm/pool.d/www.conf /etc/php/{{ php_version }}/fpm/pool.d/www.disabled args: - creates: /etc/php/7.4/fpm/pool.d/www.disabled + creates: /etc/php/{{ php_version }}/fpm/pool.d/www.disabled when: disable_default_pool | default(true) notify: reload php-fpm diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index a0574668c4..ff80d8fba9 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,5 +1,3 @@ -php_xdebug_package: php7.4-xdebug - # XDebug Generic xdebug_output_dir: /tmp xdebug_trigger_value: diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 50d7396e86..2b52f58420 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -8,18 +8,18 @@ - name: Template the Xdebug configuration file template: src: xdebug.ini.j2 - dest: /etc/php/7.4/mods-available/xdebug.ini + dest: /etc/php/{{ php_version }}/mods-available/xdebug.ini mode: '0644' notify: reload php-fpm - name: Ensure 20-xdebug.ini is present file: - src: /etc/php/7.4/mods-available/xdebug.ini - dest: /etc/php/7.4/fpm/conf.d/20-xdebug.ini + src: /etc/php/{{ php_version }}/mods-available/xdebug.ini + dest: /etc/php/{{ php_version }}/fpm/conf.d/20-xdebug.ini state: link notify: reload php-fpm - name: Disable Xdebug CLI file: - path: /etc/php/7.4/cli/conf.d/20-xdebug.ini + path: /etc/php/{{ php_version }}/cli/conf.d/20-xdebug.ini state: absent diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index d85a1c59cb..014c1f0d41 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml 
@@ -15,5 +15,5 @@ handlers: - name: reload php-fpm service: - name: php7.4-fpm + name: php{{ php_version }}-fpm state: reloaded From 6697b0639ed42ac0379034a3fe0c0bd19d425a67 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 7 Apr 2021 21:17:58 -0400 Subject: [PATCH 344/663] Update CHANGELOG for #1284 --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7ebd0d975f..4dd6dcca0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284)) + ### 1.8.0: February 12th, 2021 * Set permissions on all file related tasks ([#1270](https://github.com/roots/trellis/pull/1270)) * Use Python 3 for `ansible_local` Vagrant provisioner ([#1269](https://github.com/roots/trellis/pull/1269)) From 17430191bb7211545eb63ba3ba989ee95c262c5f Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 8 Apr 2021 14:54:48 -0600 Subject: [PATCH 345/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 28da5ceb59..4752d55de7 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com +Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com Motto ## Community From 74edb049bd7fb59792994ce87dcf88315fb28319 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 19 May 2021 18:40:31 -0600 Subject: [PATCH 346/663] Update `wp_cli_version` to 2.5.0 --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index f13bd98c4a..6abe35ebe1 100644 --- a/roles/wp-cli/defaults/main.yml 
+++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.4.0 +wp_cli_version: 2.5.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From 99719079a2fd9ac9d8e2f1e27302e37f252f34fd Mon Sep 17 00:00:00 2001 From: Joshua Fredrickson Date: Thu, 20 May 2021 08:56:45 -0500 Subject: [PATCH 347/663] Add php-intl extension Per the WordPress Hosting Team recommendation: https://make.wordpress.org/hosting/2021/05/20/why-hosters-should-install-the-php-intl-extension/ --- roles/php/vars/7.4.yml | 1 + roles/php/vars/8.0.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml index 8f6a9eb8a7..74e1d64c22 100644 --- a/roles/php/vars/7.4.yml +++ b/roles/php/vars/7.4.yml @@ -4,6 +4,7 @@ php_extensions_default: php7.4-dev: "{{ apt_package_state }}" php7.4-fpm: "{{ apt_package_state }}" php7.4-gd: "{{ apt_package_state }}" + php7.4-intl: "{{ apt_package_state }}" php7.4-mbstring: "{{ apt_package_state }}" php7.4-mysql: "{{ apt_package_state }}" php7.4-xml: "{{ apt_package_state }}" diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml index a1781ec34e..54b793f4d1 100644 --- a/roles/php/vars/8.0.yml +++ b/roles/php/vars/8.0.yml @@ -4,6 +4,7 @@ php_extensions_default: php8.0-dev: "{{ apt_package_state }}" php8.0-fpm: "{{ apt_package_state }}" php8.0-gd: "{{ apt_package_state }}" + php8.0-intl: "{{ apt_package_state }}" php8.0-mbstring: "{{ apt_package_state }}" php8.0-mysql: "{{ apt_package_state }}" php8.0-xml: "{{ apt_package_state }}" From e5cd61e1ffaecd081c19257ee71c43cb5350e682 Mon Sep 17 00:00:00 2001 
From: Joshua Fredrickson Date: Thu, 20 May 2021 19:11:00 -0500 Subject: [PATCH 348/663] Replace GD with ImageMagick; Add bc_math extension and ghostscript --- roles/common/defaults/main.yml | 3 +++ roles/php/vars/7.4.yml | 2 +- roles/php/vars/8.0.yml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 1dcdd38d15..40bfd96589 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -24,7 +24,10 @@ _apt_packages_default: build-essential: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" + ghostscript: "{{ apt_package_state }}" git: "{{ apt_package_state }}" + imagemagick: "{{ apt_package_state }}" + libgs-dev: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" python: "{{ apt_package_state }}" unzip: "{{ apt_package_state }}" diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml index 74e1d64c22..6fb725e79f 100644 --- a/roles/php/vars/7.4.yml +++ b/roles/php/vars/7.4.yml @@ -3,7 +3,7 @@ php_extensions_default: php7.4-curl: "{{ apt_package_state }}" php7.4-dev: "{{ apt_package_state }}" php7.4-fpm: "{{ apt_package_state }}" - php7.4-gd: "{{ apt_package_state }}" + php7.4-imagick: "{{ apt_package_state }}" php7.4-intl: "{{ apt_package_state }}" php7.4-mbstring: "{{ apt_package_state }}" php7.4-mysql: "{{ apt_package_state }}" diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml index 54b793f4d1..6ab784b6e2 100644 --- a/roles/php/vars/8.0.yml +++ b/roles/php/vars/8.0.yml @@ -3,7 +3,7 @@ php_extensions_default: php8.0-curl: "{{ apt_package_state }}" php8.0-dev: "{{ apt_package_state }}" php8.0-fpm: "{{ apt_package_state }}" - php8.0-gd: "{{ apt_package_state }}" + php8.0-imagick: "{{ apt_package_state }}" php8.0-intl: "{{ apt_package_state }}" php8.0-mbstring: "{{ apt_package_state }}" php8.0-mysql: "{{ apt_package_state }}" 
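Review bot: In the common/defaults hunk `ghostscript` and `libgs-dev` become unconditional defaults for every host, although only hosts that opt into PDF thumbnails need Ghostscript at all, and `libgs-dev` is a header package that is only useful if something on the host compiles against libgs, which nothing in this series appears to do. Keeping `ghostscript` behind the same switch as the PDF policy change (see the following commit) and dropping `libgs-dev` keeps the default attack surface of a production web host at what the images actually require.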
From d924947d79900511a1abac4fe3b963789cd222c8 Mon Sep 17 00:00:00 2001 From: Joshua Fredrickson Date: Thu, 20 May 2021 19:11:27 -0500 Subject: [PATCH 349/663] Enable PDF thumbnail generation --- roles/php/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index d67879fbda..370e7d5aeb 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -46,3 +46,11 @@ src: php-cli.ini.j2 dest: /etc/php/{{ php_version }}/cli/php.ini mode: '0644' + +- name: Change ImageMagick policy.xml to allow for PDFs + replace: + path: /etc/ImageMagick-6/policy.xml + regexp: '' + replace: '' + backup: no + notify: reload php-fpm From 87ef14a1e4bbd35dbc8d20a089e1bc2da70651f9 Mon Sep 17 00:00:00 2001 From: Dale Grant Date: Fri, 28 May 2021 12:55:51 +1000 Subject: [PATCH 350/663] Correct logrotate error using reload over rotate --- group_vars/all/logrotate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/logrotate.yml b/group_vars/all/logrotate.yml index c6d24962c6..ba1ba124fa 100644 --- a/group_vars/all/logrotate.yml +++ b/group_vars/all/logrotate.yml @@ -17,4 +17,4 @@ logrotate_scripts: if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ run-parts /etc/logrotate.d/httpd-prerotate; \ fi \ - postrotate: service nginx rotate + postrotate: service nginx reload >/dev/null 2>&1 From a54cb8746f54b04ca22ce657602f09605f4b66b5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 27 May 2021 22:58:11 -0400 Subject: [PATCH 351/663] Changelog entry for #1292 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dd6dcca0d..250976f4fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
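Review bot: Re-enabling the PDF coder hands every PDF that reaches ImageMagick — for a WordPress host, anything uploaded to the media library — to Ghostscript, which is exactly why the stock policy.xml disables it; this belongs behind an opt-in variable (for example `imagemagick_pdf_enabled: false` in the role defaults, with `when: imagemagick_pdf_enabled | bool` on the task) rather than being applied to every host. As rendered here both `regexp` and `replace` are empty strings, presumably the XML policy lines lost to page extraction; whatever they are, `replace` reports ok when the pattern is absent, so a policy.xml that ships a differently formatted line, or an ImageMagick-7 install where `/etc/ImageMagick-6/policy.xml` does not exist, is silently left as is — `lineinfile` with `regexp`/`line`, or a follow-up `grep`-style check that fails loudly, is the more honest form. The task should also carry a comment naming the risk it accepts, e.g. `# Allows Ghostscript to process user-supplied PDFs; only enable where PDF previews are required`.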
@@ -1,4 +1,5 @@ ### HEAD +* Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292)) * Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284)) ### 1.8.0: February 12th, 2021 From 2811e3cb42fa0ea95e9748609ea4266723c7120c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 27 May 2021 23:36:45 -0400 Subject: [PATCH 352/663] CHANGELOG entry for #1293 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 250976f4fb..bacd90c3ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293)) * Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292)) * Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284)) From 8a777d4331587afa89a5b79444487db4a1c29990 Mon Sep 17 00:00:00 2001 From: strarsis Date: Tue, 1 Jun 2021 15:34:08 +0200 Subject: [PATCH 353/663] Remove PHP version from messages. --- dev.yml | 2 +- server.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev.yml b/dev.yml index f6658d9f58..4b86ffc748 100644 --- a/dev.yml +++ b/dev.yml @@ -6,7 +6,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: "WordPress Server: Install LEMP Stack with PHP 7.4 and MariaDB MySQL" +- name: "WordPress Server: Install LEMP Stack with PHP and MariaDB MySQL" hosts: web:&development become: yes remote_user: vagrant diff --git a/server.yml b/server.yml index cb6db5ca53..cdc43e206a 100644 --- a/server.yml +++ b/server.yml 
@@ -16,7 +16,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: WordPress Server - Install LEMP Stack with PHP 7.4 and MariaDB MySQL +- name: WordPress Server - Install LEMP Stack with PHP and MariaDB MySQL hosts: web:&{{ env }} become: yes roles: From 4932e5b8165546cf516e065d40a6d4e51195d7f8 Mon Sep 17 00:00:00 2001 From: Daniel Robinson Date: Wed, 2 Jun 2021 09:15:11 -0400 Subject: [PATCH 354/663] overridden ansible_ssh_extra_args should always take precedence --- roles/connection/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 00b89ba68a..d3b13bafcc 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -12,7 +12,7 @@ register: preferred_host_key_algorithms when: - dynamic_host_key_algorithms | default(true) - - not (not ansible_ssh_extra_args) + - not ansible_ssh_extra_args - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} From b317844535446ffecfc679aebba7f1d9ad6178c9 Mon Sep 17 00:00:00 2001 From: Joshua Fredrickson Date: Sat, 5 Jun 2021 17:06:48 -0500 Subject: [PATCH 355/663] Add php-bcmath extension This commit was missing from #1292. It adds the PHP bc_math extension. --- roles/php/vars/7.4.yml | 1 + roles/php/vars/8.0.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml index 6fb725e79f..61ab906904 100644 --- a/roles/php/vars/7.4.yml +++ b/roles/php/vars/7.4.yml @@ -1,4 +1,5 @@ php_extensions_default: + php7.4-bcmath: "{{ apt_package_state }}" php7.4-cli: "{{ apt_package_state }}" php7.4-curl: "{{ apt_package_state }}" php7.4-dev: "{{ apt_package_state }}" diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml index 6ab784b6e2..02eb376120 100644 --- a/roles/php/vars/8.0.yml +++ b/roles/php/vars/8.0.yml 
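Review bot: The corrected condition `- not ansible_ssh_extra_args` still evaluates the raw variable, so on a host where `ansible_ssh_extra_args` is not defined at all the `when` raises an undefined-variable error rather than falling through to the dynamic detection; `- not (ansible_ssh_extra_args | default(''))` keeps the new precedence and tolerates the unset case. Whether the variable is guaranteed by group_vars cannot be confirmed from this hunk, and the task's `name` and module lines are above it.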
@@ -1,4 +1,5 @@ php_extensions_default: + php8.0-bcmath: "{{ apt_package_state }}" php8.0-cli: "{{ apt_package_state }}" php8.0-curl: "{{ apt_package_state }}" php8.0-dev: "{{ apt_package_state }}" From b603902f5360c1c4d1d756ee0c322a8a647cb9fa Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 14 Jul 2021 01:47:35 +0100 Subject: [PATCH 356/663] GitHub: Add issue forms --- .github/ISSUE_TEMPLATE/bug_report.yml | 108 +++++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 4 + .github/ISSUE_TEMPLATE/feature_request.yml | 54 +++++++++++ 3 files changed, 166 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000000..164f6940eb --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -0,0 +1,108 @@ +name: Bug Report +description: Report a problem with Trellis. Please provide enough information that we can reproduce the problem. +title: "Bug: " +labels: [bug] + +body: + - type: markdown + attributes: + value: | + This form is for reporting Trellis technical issues. + If want to ask a question is looking for support, [Roots Discourse](https://discourse.roots.io/) is the best place for getting support. + + - type: checkboxes + id: terms + attributes: + options: + - label: I have read the [guidelines for Contributing to Roots Projects](https://github.com/roots/.github/blob/master/CONTRIBUTING.md) + required: true + - label: This request is not a duplicate of an existing issue + required: true + - label: I have read the [Trellis docs](https://roots.io/docs/trellis/) and followed them (if applicable) + required: true + - label: I have seached the [Roots Discourse](https://discourse.roots.io/) for answers and followed them (if applicable) + required: true + - label: This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/) community + required: true + + - type: textarea + id: description + attributes: + label: Description + value: | + #### What's wrong? + + #### What have you tried? + + #### What insights have you gained? + + #### Possible solutions? + + #### Temporary workaround? + validations: + required: true + + - type: textarea + id: steps-to-reproduce + attributes: + label: Steps To Reproduce + description: | + Non-reproducible issues may be immediately closed as not actionable. + Please provide reproduction steps as details as possible. + value: | + 1. + 1. + 1. + validations: + required: true + + - type: textarea + id: expected-behavior + attributes: + label: Expected Behavior + placeholder: What you expect to happen? + validations: + required: true + + - type: textarea + id: actual-behavior + attributes: + label: Actual Behavior + placeholder: What actually happens? 
+ validations: + required: true + + - type: textarea + id: logs + attributes: + label: Relevant log output + description: Please copy and paste any relevant log output. + render: shell + + - type: input + id: trellis-version + attributes: + label: Trellis Version + description: You can get this information from referencing `CHANGELOG.md`. If you know, please provide the [roots/trellis](https://github.com/roots/trellis) Git commit SHA. + validations: + required: true + + - type: textarea + id: ansible-version + attributes: + label: Ansible Version + description: You can get this information by running `$ ansible --version`. Please include the whole console output. + render: shell + validations: + required: true + + - type: input + id: trellis-cli-version + attributes: + label: Trellis CLI Version + description: If you are using [Trellis CLI](https://github.com/roots/trellis-cli), please provide the version (for stable versions; `$ trellis --version`) or the Git commit SHA (for canary builds). + + - type: markdown + attributes: + value: | + Thanks for taking the time to fill out this bug report! diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000000..089dbe29f9 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,4 @@ +contact_links: + - name: Roots Discourse + url: https://discourse.roots.io + about: Is this a personal support request? Find help on our support forum. diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000000..52c6e3c8f2 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml 
@@ -0,0 +1,54 @@ +name: Feature Request +description: Suggest an idea for Trellis. +title: "Feature Request: " +labels: [feature, enhancement] + +body: + - type: markdown + attributes: + value: | + This form is for suggesting an idea for Trellis. + If want to ask a question is looking for support, [Roots Discourse](https://discourse.roots.io/) is the best place for getting support. + + - type: checkboxes + id: terms + attributes: + options: + - label: I have read the [guidelines for Contributing to Roots Projects](https://github.com/roots/.github/blob/master/CONTRIBUTING.md) + required: true + - label: This request is not a duplicate of an existing issue + required: true + - label: This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/) community + required: true + + - type: textarea + id: summary + attributes: + label: Summary + description: One paragraph explanation of the feature. + validations: + required: true + + - type: textarea + id: motivation + attributes: + label: Motivation + value: | + #### Why are we doing this? + + #### What use cases does it support? + + #### What is the expected outcome? + validations: + required: true + + - type: textarea + id: additional-context + attributes: + label: Additional context + description: Add any other context or screenshots about the feature request here. + + - type: markdown + attributes: + value: | + Thanks for taking the time to fill out this feature request form! From 55f9193b5c13e14b417e4befb8976eb7a8aee6d7 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 13 Jul 2021 19:19:42 -0600 Subject: [PATCH 357/663] Update bug_report.yml --- .github/ISSUE_TEMPLATE/bug_report.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 164f6940eb..f786e1bee6 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -1,5 +1,5 @@ name: Bug Report -description: Report a problem with Trellis. Please provide enough information that we can reproduce the problem. +description: Report a problem with Trellis. Please provide enough information so that we can reproduce the problem. title: "Bug: " labels: [bug] @@ -8,7 +8,7 @@ body: attributes: value: | This form is for reporting Trellis technical issues. - If want to ask a question is looking for support, [Roots Discourse](https://discourse.roots.io/) is the best place for getting support. + If you have a question or you're looking for support, please visit [Roots Discourse](https://discourse.roots.io/). - type: checkboxes id: terms @@ -60,7 +60,7 @@ body: id: expected-behavior attributes: label: Expected Behavior - placeholder: What you expect to happen? + placeholder: What did you expect to happen? validations: required: true From 62eded89a9d719047d19020c8810da5ece1963b7 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 14 Jul 2021 06:06:43 +0100 Subject: [PATCH 358/663] Titilize form labels --- .github/ISSUE_TEMPLATE/bug_report.yml | 2 +- .github/ISSUE_TEMPLATE/feature_request.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index f786e1bee6..39d63ef6eb 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -75,7 +75,7 @@ body: - type: textarea id: logs attributes: - label: Relevant log output + label: Relevant Log Output description: Please copy and paste any relevant log output. render: shell diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml index 52c6e3c8f2..07458fbbf7 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ b/.github/ISSUE_TEMPLATE/feature_request.yml 
@@ -45,7 +45,7 @@ body: - type: textarea id: additional-context attributes: - label: Additional context + label: Additional Context description: Add any other context or screenshots about the feature request here. - type: markdown From f6fd617ab07cc5c9ba2245cccc796e79f6844c68 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 14 Jul 2021 06:13:04 +0100 Subject: [PATCH 359/663] Update default value wordings --- .github/ISSUE_TEMPLATE/bug_report.yml | 4 ++-- .github/ISSUE_TEMPLATE/feature_request.yml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 39d63ef6eb..08c14e4055 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -36,9 +36,9 @@ body: #### What insights have you gained? - #### Possible solutions? + #### Possible solutions - #### Temporary workaround? + #### Temporary workarounds validations: required: true diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml index 07458fbbf7..9fbbcbc8a0 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -39,6 +39,8 @@ body: #### What use cases does it support? #### What is the expected outcome? + + #### Potential conflicts / foreseeable issues validations: required: true From c9988f9b7486950f17726f44bd84341fc261b9dd Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Tue, 1 Jun 2021 22:55:36 -0400 Subject: [PATCH 360/663] Improve handling of WP-CLI failed verification Fixes #1295 Sometimes gpg signature verification for WP-CLI could fail due to network reasons (the downloaded phar or asc files were corrupt). In those cases the playbook will be a "stuck" state unless the files are manually deleted from the server. This improves error handling by deleting both the phar and asc files which will allow Ansible to re-download them next time. --- CHANGELOG.md | 1 + roles/wp-cli/tasks/main.yml | 19 ++++++++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bacd90c3ee..ace92cae62 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1285 - Improve handling of WP-CLI failed verification ([#1295](https://github.com/roots/trellis/pull/1295)) * Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293)) * Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292)) * Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284)) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 21494865dc..dab02c6ea8 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
@@ -21,9 +21,22 @@ dest: /tmp/wp-cli.pgp.gpg mode: '0744' -- name: Verify WP-CLI Phar Signature - command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar - changed_when: false +- name: Verify WP-CLI + block: + - name: Check GPG signature + command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar + changed_when: false + rescue: + - name: Delete invalid WP-CLI Phar file + file: + path: "{{ item }}" + state: absent + with_items: + - "/tmp/wp-cli-{{ wp_cli_version }}.phar" + - "/tmp/wp-cli-{{ wp_cli_version }}.phar.asc" + - name: Fail verification + fail: + msg: "WP-CLI Phar signature could not be verified. Please try again." - name: Install WP-CLI command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }} From 04428ba015a0ef06a4cd6c2a671f99273f0cef91 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 6 Mar 2021 21:22:50 +0000 Subject: [PATCH 361/663] Allow customizing PHP CLI `memory_limit` Close #1277 --- roles/php/defaults/main.yml | 1 + roles/php/templates/php-cli.ini.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 8f68a7dc27..9f4baf5e39 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -11,6 +11,7 @@ php_max_execution_time: 120 php_max_input_time: 300 php_max_input_vars: 1000 php_memory_limit: 96M +php_cli_memory_limit: "{{ php_memory_limit }}" php_mysqlnd_collect_memory_statistics: 'Off' php_post_max_size: 25M php_sendmail_path: /usr/sbin/ssmtp -t diff --git a/roles/php/templates/php-cli.ini.j2 b/roles/php/templates/php-cli.ini.j2 index 389f042f57..44360aa80d 100644 --- a/roles/php/templates/php-cli.ini.j2 +++ b/roles/php/templates/php-cli.ini.j2 
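Review bot: The rescue branch deletes the phar and its `.asc` but leaves `/tmp/wp-cli.pgp.gpg`, the keyring that the `gpg2 --verify` call trusts, so a keyring download that is itself truncated or corrupt — the same network condition the commit describes — keeps failing on every re-run with nothing to clear it; adding `- "/tmp/wp-cli.pgp.gpg"` to the `with_items` list lets the next run refetch all three inputs. The rescue also fires on any non-zero exit from the block (for example `gpg2` not installed), yet the `fail` message attributes every failure to the signature; a `register: wp_cli_verify` on the command task and `msg: "WP-CLI Phar signature could not be verified: {{ wp_cli_verify.stderr | default('') }}"` would let an operator distinguish a bad signature from a broken toolchain. Since the keyring is the trust anchor for this check and lives in a shared directory, it is worth a comment on the verify task noting that the keyring's own download task (above the hunk) is what establishes trust, so that nobody later points `--keyring` at a file the playbook did not fetch.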
@@ -5,6 +5,7 @@ error_reporting = {{ php_error_reporting }} sendmail_path = {{ php_sendmail_path }} expose_php = Off date.timezone = {{ php_timezone }} +memory_limit = {{ php_cli_memory_limit }} [mysqlnd] mysqlnd.collect_memory_statistics = {{ php_mysqlnd_collect_memory_statistics }} From 8cfbbefbadd21adcf277149683394233ee1b8b46 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 14 Jul 2021 11:02:08 -0400 Subject: [PATCH 362/663] Default PHP CLI memory limit to -1 --- CHANGELOG.md | 1 + roles/php/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ace92cae62..76b989aa54 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1277 - Disable PHP CLI memory limit ([#1278](https://github.com/roots/trellis/pull/1278)) * Fix #1285 - Improve handling of WP-CLI failed verification ([#1295](https://github.com/roots/trellis/pull/1295)) * Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293)) * Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292)) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 9f4baf5e39..f157c97b98 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -11,7 +11,7 @@ php_max_execution_time: 120 php_max_input_time: 300 php_max_input_vars: 1000 php_memory_limit: 96M -php_cli_memory_limit: "{{ php_memory_limit }}" +php_cli_memory_limit: -1 php_mysqlnd_collect_memory_statistics: 'Off' php_post_max_size: 25M php_sendmail_path: /usr/sbin/ssmtp -t From 7240ba6471dbd335b810b5eb1e389d1a1fb58737 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Debuchy?= Date: Thu, 12 Aug 2021 16:56:56 -0300 Subject: [PATCH 363/663] Replace dist folder with public --- deploy-hooks/build-before.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index a42b124490..6fef7df48f 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -1,7 +1,7 @@ # Placeholder `deploy_build_before` hook for building theme assets on the # host machine and then copying the files to the remote server # -# ⚠️ This example assumes your theme is using Sage 9 +# ⚠️ This example assumes your theme is using Sage 10 # An example for themes built with Sage 8 can be found at: https://git.io/vdgUt # # Uncomment the lines below and replace `sage` with your theme folder @@ -26,7 +26,7 @@ # # - name: Copy production assets # synchronize: -# src: "{{ project_local_path }}/web/app/themes/sage/dist" +# src: "{{ project_local_path }}/web/app/themes/sage/public" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # group: no # owner: no From f89ae25b32d037bc14168da2ec47b7f874f0f018 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 7 Oct 2021 17:17:42 -0500 Subject: [PATCH 364/663] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4752d55de7..c434e75f3c 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com Motto +Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com Pantheon ## Community From 0b8e481f72404704179019f71b296062db3125fd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 26 Oct 2021 23:44:07 -0400 Subject: [PATCH 365/663] Add default for composer_authentications --- roles/deploy/hooks/build-after.yml | 2 +- roles/wordpress-install/tasks/composer-authentications.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 8e7daf91dc..4c088f6452 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -20,7 +20,7 @@ - composer_authentication.hostname is defined and composer_authentication.hostname != "" - composer_authentication.username is defined and composer_authentication.username != "" - composer_authentication.password is defined and composer_authentication.password != "" - loop: "{{ composer_authentications }}" + loop: "{{ composer_authentications | default([]) }}" loop_control: loop_var: composer_authentication label: "{{ composer_authentication.hostname }}" diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 8d8445fa86..2b2e8649e2 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -10,7 +10,7 @@ - not (not composer_authentication.hostname) - not (not composer_authentication.username) - not (not composer_authentication.password) - loop: "{{ composer_authentications }}" + loop: "{{ composer_authentications | default([]) }}" loop_control: loop_var: composer_authentication label: "{{ composer_authentication.hostname }}" From 49b85e228682757d1842d4a669018ace9f2d6f00 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 26 Oct 2021 23:59:15 -0400 Subject: [PATCH 366/663] Remove explicit permission for site directory Fixes #1311 The `mode` option was set in https://github.com/roots/trellis/pull/1270 for linting purposes. However, this can result in the permissions changing on local site files causing them to appear as changed in Git. Since this directory is guaranteed to exist, we don't need to set `mode`. The purpose of this task is just to set the owner + group recursively. --- roles/wordpress-install/tasks/directories.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 680951a57e..0a6956fad7 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml @@ -22,7 +22,6 @@ path: "{{ www_root }}/{{ item.key }}" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: '0755' state: directory recurse: yes with_dict: "{{ wordpress_sites }}" From 97980efc12540e1c2ef0c483c464993ad1ac164e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 27 Oct 2021 20:23:06 -0400 Subject: [PATCH 367/663] Fix display output in logs Background: https://github.com/roots/trellis/pull/1235#issuecomment-729621213 Ansible bases the log level based on colour (yeah, it's dumb) when logging is enabled. `bright gray` was a valid log level mapping. Instead of trying to pick some other colur supported in both contexts, we can just set `screen_only` to skip these messages which are meant for STDOUT anyway. --- lib/trellis/utils/output.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 8beef101bc..ca4eb22728 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -102,17 +102,17 @@ def display(obj, result): hr = '-' * int(wrap_width*.67) if obj.task_failed and first: - display(system(obj.vagrant_version), 'bright gray') - display(hr, 'bright gray') + display(system(obj.vagrant_version), 'bright gray', screen_only=True) + display(hr, 'bright gray', screen_only=True) if msg == '': if obj.task_failed and not first: - display(hr, 'bright gray') + display(hr, 'bright gray', screen_only=True) else: return else: if not first: - display(hr, 'bright gray') + display(hr, 'bright gray', screen_only=True) display(msg, 'red' if obj.task_failed else 'bright purple') def display_host(obj, result): From 65a9710632802d7b543278b635d21e98cd3286bc Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Wed, 27 Oct 2021 22:10:11 -0400 Subject: [PATCH 368/663] Bump version_tested_max to 2.10.7 --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 3511c78774..cee62944f7 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.8.0' -version_tested_max = '2.9.10' +version_tested_max = '2.10.7' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): From cc03544717c37832dbe685dcc45db951850b261c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 27 Oct 2021 22:19:33 -0400 Subject: [PATCH 369/663] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 76b989aa54..e24dc45eb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,8 @@ ### HEAD +* Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317)) +* Fix display color output in logs ([#1316](https://github.com/roots/trellis/pull/1316)) +* Define `composer_authentications` default ([#1315](https://github.com/roots/trellis/pull/1315)) +* Fix #1311 - Remove explicit permission for site directory ([#1314](https://github.com/roots/trellis/pull/1314)) * Fix #1277 - Disable PHP CLI memory limit ([#1278](https://github.com/roots/trellis/pull/1278)) * Fix #1285 - Improve handling of WP-CLI failed verification ([#1295](https://github.com/roots/trellis/pull/1295)) * Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293)) From 0baee93b6bfcd06e775e82c9a68042b68458f490 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Wed, 27 Oct 2021 22:20:27 -0400 Subject: [PATCH 370/663] v1.9.0 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e24dc45eb0..d7405045ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -### HEAD +### 1.9.0: October 27th, 2021 * Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317)) * Fix display color output in logs ([#1316](https://github.com/roots/trellis/pull/1316)) * Define `composer_authentications` default ([#1315](https://github.com/roots/trellis/pull/1315)) From 32b1b6fcec8cb9fe14c6ec43cc1fccd3851fac2f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 30 Oct 2021 15:55:45 -0400 Subject: [PATCH 371/663] Remove explicit arch deb options Apt defaults to the architecture supported by `dpkg`, which defaults to the actual architecture of the OS (as it should). Removing this explicit `arc=amd64` option just means we'll get the smart default which improves support for `arm64` (Apple M1 CPUs primarily). --- roles/mariadb/defaults/main.yml | 2 +- roles/nginx/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 491dd9a6f4..8eed8ce06f 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb [arch=amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 4d837762cc..69433b33fb 100644 --- a/roles/nginx/defaults/main.yml 
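Review bot: The new `mariadb_ppa` line keeps the package source on plain `http://`, as do the `nginx_ppa` line in the next commit's hunk and the later mirror change to `mirrors.gigenet.com`, while the nginx signing key in the same file is fetched over `https://`. Apt's signed Release files still protect package integrity, so this is an exposure rather than an integrity hole: anyone on path can see which package versions each host pulls and can replay stale indices within their validity window. Where the mirror supports TLS — nginx.org does — `nginx_ppa: "deb https://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx"` removes that at no cost on Ubuntu releases whose apt ships HTTPS transport built in; for the MariaDB mirror, confirm the chosen host serves the same path over TLS before switching.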
+++ b/roles/nginx/defaults/main.yml @@ -1,7 +1,7 @@ --- nginx_keyserver: "https://nginx.org/keys/nginx_signing.key" nginx_keyserver_id: "ABF5BD827BD9BF62" -nginx_ppa: "deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" +nginx_ppa: "deb http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx From 319a29fb1257ac17050ec6e67e7e98e933de421e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 10 Nov 2021 20:49:44 -0500 Subject: [PATCH 372/663] Change MariaDB mirror source Digitalocean has proven to be an unreliable mirror so let's switch to another one (from the official MariaDB site). --- roles/mariadb/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 8eed8ce06f..3eee94bcf2 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb http://mirrors.gigenet.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server From 630c41cf00addd324ac1ecd2a99511ab5a0a184c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 11 Nov 2021 08:33:26 -0500 Subject: [PATCH 373/663] 1.9.1 Changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d7405045ba..a97e4e80ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,6 @@ +### 1.9.1: November 11th, 2021 +* Update MariaDB mirror source ([#1320](https://github.com/roots/trellis/pull/1320)) + ### 1.9.0: October 27th, 2021 * Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317)) * Fix display color output in logs ([#1316](https://github.com/roots/trellis/pull/1316)) From b8098497a39f932ea304a41fc958fc535b5e6138 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 11 Nov 2021 08:34:36 -0500 Subject: [PATCH 374/663] CHANGELOG update --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a97e4e80ed..6953abb013 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### 1.9.1: November 11th, 2021 * Update MariaDB mirror source ([#1320](https://github.com/roots/trellis/pull/1320)) +* Remove explicit arch deb options for MariaDB (improves ARM support) ([#1318](https://github.com/roots/trellis/pull/1318)) ### 1.9.0: October 27th, 2021 * Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317)) From 0e22a90aef264a48b21b6fd28fdde5f14c713ade Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 18 Nov 2021 14:02:54 -0500 Subject: [PATCH 375/663] Default to proper box for M1 macs --- Vagrantfile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 016f43c149..1d55bd42b0 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -19,7 +19,13 @@ trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) Vagrant.require_version '>= 2.1.0' Vagrant.configure('2') do |config| - config.vm.box = vconfig.fetch('vagrant_box') + vagrant_box = if Vagrant::Util::Platform.darwin? && `uname -m`.chomp == "arm64" + 'jeffnoxon/ubuntu-20.04-arm64' + else + vconfig.fetch('vagrant_box') + end + + config.vm.box = vagrant_box config.vm.box_version = vconfig.fetch('vagrant_box_version') config.ssh.forward_agent = true config.vm.post_up_message = post_up_message 
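Review bot: When the arm64 branch is taken, the unchanged `config.vm.box_version = vconfig.fetch('vagrant_box_version')` on the following line still applies the version pinned for the configured x86_64 box to `jeffnoxon/ubuntu-20.04-arm64`, a different box with its own version sequence, so the pin will either fail to resolve or select an unrelated build unless the two happen to share version numbers. The arm64 box is also hard-coded in the Vagrantfile rather than read from `vconfig`, so a user cannot substitute a box they have vetted — choosing a third-party community box is a supply-chain decision that should be overridable the same way `vagrant_box` is. If `vconfig` is a plain Hash, `vagrant_box = vconfig.fetch('vagrant_box_arm64', 'jeffnoxon/ubuntu-20.04-arm64')` with a matching `vagrant_box_version_arm64` key applied in the same branch would address both.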
From fa716ac8f3b0e42693e74d6aed7b49afe29be362 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 22 Nov 2021 14:39:58 -0500 Subject: [PATCH 376/663] Update default PHP version to 8.0 --- group_vars/all/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index b53f26c92e..562864d6ee 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -3,7 +3,7 @@ apt_package_state: present apt_security_package_state: latest apt_dev_package_state: latest composer_keep_updated: true -php_version: "7.4" +php_version: "8.0" ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www From 3feabc765361e0a8919032c087cd091888c2cf74 Mon Sep 17 00:00:00 2001 From: Craig Pearson Date: Thu, 25 Nov 2021 16:34:26 +0000 Subject: [PATCH 377/663] Enable pipelining for local connections Enabling pipelining for SSH connections only means that `become` behaves differently for vagrant, than it does VMs over SSH. Moving this config to the defaults makes both vagrant and VMs behave the same in regards to become, and perhaps we will see some local speed improvements on local provisions as a result. --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index c1a2890ca7..e6467d2586 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -8,8 +8,8 @@ inventory = hosts nocows = 1 roles_path = vendor/roles vars_plugins = ~/.ansible/plugins/vars:/usr/share/ansible/plugins/vars:lib/trellis/plugins/vars +pipelining = True [ssh_connection] ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -pipelining = True retries = 1 From 35e14991819fa2a3d0c7809d2bf9dff04fe80ffd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 26 Nov 2021 19:25:07 -0500 Subject: [PATCH 378/663] Add GitHub SSH ed25519 key to known hosts --- group_vars/all/known_hosts.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/group_vars/all/known_hosts.yml b/group_vars/all/known_hosts.yml index b8af937ca5..1db951997f 100644 --- a/group_vars/all/known_hosts.yml +++ b/group_vars/all/known_hosts.yml @@ -6,6 +6,8 @@ known_hosts: - name: github.com key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + - name: github.com + key: github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - name: bitbucket.org key: bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== - name: gitlab.com From 8f841e61e10e3325a62f857d63f28cd264e4540a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 26 Nov 2021 19:28:40 -0500 Subject: [PATCH 379/663] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6953abb013..fc2a86b9a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
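Review bot: The new ed25519 entry is a pinned trust anchor with no provenance recorded next to it, so a reviewer cannot tell from the file whether the value was checked against GitHub's published fingerprints or copied from a scan of the live host; a comment above the new entry such as `# Source: GitHub's published SSH key fingerprints page, verified <DATE-PLACEHOLDER>` makes later audits and key-rotation updates checkable. Both GitHub entries now share `name: github.com`; if the consuming task keys on `name` (not visible here) the second entry may shadow the first, so confirm it appends to `known_hosts` rather than replacing the existing line.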
@@ -1,3 +1,7 @@ +### HEAD +* Add GitHub SSH ed25519 key to known hosts ([#1324](https://github.com/roots/trellis/pull/1324)) +* Enable pipelining for local Ansible connections ([#1323](https://github.com/roots/trellis/pull/1323)) + ### 1.9.1: November 11th, 2021 * Update MariaDB mirror source ([#1320](https://github.com/roots/trellis/pull/1320)) * Remove explicit arch deb options for MariaDB (improves ARM support) ([#1318](https://github.com/roots/trellis/pull/1318)) From 97426b8ca8ea0eff7cd460f5dac231cff2aedd1b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 28 Nov 2021 13:22:13 -0500 Subject: [PATCH 380/663] v1.10.0 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc2a86b9a1..8d50f4f622 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ -### HEAD +### 1.10.0: November 28th, 2021 +* Default to PHP 8.0 ([#1322](https://github.com/roots/trellis/pull/1322)) * Add GitHub SSH ed25519 key to known hosts ([#1324](https://github.com/roots/trellis/pull/1324)) * Enable pipelining for local Ansible connections ([#1323](https://github.com/roots/trellis/pull/1323)) From 31b7e7fe93950541f3297412c102b394ad453fe7 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sun, 28 Nov 2021 21:58:40 -0600 Subject: [PATCH 381/663] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c434e75f3c..6d0649a654 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ Trellis will configure a server with the following and more: - Ubuntu 20.04 Focal LTS - Nginx (with optional FastCGI micro-caching) -- PHP 7.4 +- PHP 8.0 - MariaDB (a drop-in MySQL replacement) - SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) - Let's Encrypt for free SSL certificates From 7afb000e57a6a96bcf999e20bffe03ec4e1dd8a8 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Tue, 30 Nov 2021 00:23:04 -0500 Subject: [PATCH 382/663] Add PHP 8.1 support --- roles/php/vars/8.1.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 roles/php/vars/8.1.yml diff --git a/roles/php/vars/8.1.yml b/roles/php/vars/8.1.yml new file mode 100644 index 0000000000..1b15ae2d4e --- /dev/null +++ b/roles/php/vars/8.1.yml @@ -0,0 +1,18 @@ +php_extensions_default: + php8.1-bcmath: "{{ apt_package_state }}" + php8.1-cli: "{{ apt_package_state }}" + php8.1-curl: "{{ apt_package_state }}" + php8.1-dev: "{{ apt_package_state }}" + php8.1-fpm: "{{ apt_package_state }}" + php8.1-imagick: "{{ apt_package_state }}" + php8.1-intl: "{{ apt_package_state }}" + php8.1-mbstring: "{{ apt_package_state }}" + php8.1-mysql: "{{ apt_package_state }}" + php8.1-xml: "{{ apt_package_state }}" + php8.1-xmlrpc: "{{ apt_package_state }}" + php8.1-zip: "{{ apt_package_state }}" + +php_memcached_packages: + php8.1-memcached: "{{ apt_package_state }}" + +php_xdebug_package: php8.1-xdebug From c054a7ab75cc6f518727e2a26f4679f0fe23cc50 Mon Sep 17 00:00:00 2001 From: Nathan Knowler Date: Thu, 2 Dec 2021 05:41:58 -0600 Subject: [PATCH 383/663] chore(github): fix typos in issue templates [skip ci] Co-authored-by: QWp6t --- .github/ISSUE_TEMPLATE/bug_report.yml | 2 +- .github/ISSUE_TEMPLATE/feature_request.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 08c14e4055..552d2b64c2 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -48,7 +48,7 @@ body: label: Steps To Reproduce description: | Non-reproducible issues may be immediately closed as not actionable. - Please provide reproduction steps as details as possible. + Please provide reproduction steps as detailed as possible. value: | 1. 1. 
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml index 9fbbcbc8a0..7842e919f4 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -8,7 +8,7 @@ body: attributes: value: | This form is for suggesting an idea for Trellis. - If want to ask a question is looking for support, [Roots Discourse](https://discourse.roots.io/) is the best place for getting support. + If you have a question or you're looking for support, please visit [Roots Discourse](https://discourse.roots.io/). - type: checkboxes id: terms From 577e6cc683a010d719b55df017644d7f5e8faa31 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 30 Nov 2021 00:23:44 -0500 Subject: [PATCH 384/663] Remove ssl_dhparam and Diffie-Hellman group This was needed to prevent Logjam attacks but those only applied to DHE cyphers which haven't been supported in Trellis for 2 years. --- CHANGELOG.md | 3 +++ roles/nginx/tasks/main.yml | 9 --------- roles/wordpress-setup/templates/ssl.no-default.conf.j2 | 1 - roles/wordpress-setup/templates/wordpress-site.conf.j2 | 1 - 4 files changed, 3 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d50f4f622..070526f68c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Remove Nginx `ssl_dhparam` directive and Diffie-Hellman params group ([#1326](https://github.com/roots/trellis/pull/1326)) + ### 1.10.0: November 28th, 2021 * Default to PHP 8.0 ([#1322](https://github.com/roots/trellis/pull/1322)) * Add GitHub SSH ed25519 key to known hosts ([#1324](https://github.com/roots/trellis/pull/1324)) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 3bf25d435e..676679ce1b 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -30,15 +30,6 @@ path: "{{ nginx_path }}/ssl" state: directory -- name: Generate strong unique Diffie-Hellman group. - command: openssl dhparam -out dhparams.pem 2048 - args: - chdir: "{{ nginx_path }}/ssl" - creates: "{{ nginx_path }}/ssl/dhparams.pem" - when: sites_use_ssl | bool - notify: reload nginx - tags: [diffie-hellman, letsencrypt, wordpress, wordpress-setup, nginx-includes, nginx-sites] - - name: Copy h5bp configs copy: src: templates/h5bp diff --git a/roles/wordpress-setup/templates/ssl.no-default.conf.j2 b/roles/wordpress-setup/templates/ssl.no-default.conf.j2 index a29b113dbd..479979c710 100644 --- a/roles/wordpress-setup/templates/ssl.no-default.conf.j2 +++ b/roles/wordpress-setup/templates/ssl.no-default.conf.j2 @@ -12,7 +12,6 @@ server { listen 443 ssl default_server deferred; include h5bp/directive-only/ssl.conf; - ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_certificate {{ nginx_path }}/ssl/no_default.cert; ssl_trusted_certificate {{ nginx_path }}/ssl/no_default.cert; diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 61d06356f9..e090b2ea6a 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -75,7 +75,6 @@ server { include h5bp/directive-only/ssl-stapling.conf; {% endif -%} - ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_buffer_size 1400; # 1400 bytes to fit in one MTU {% if item.value.ssl.provider | default('manual') != 'self-signed' -%} From 8ca1f45e5df478637bbbe16315b7b635717b1548 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 3 Dec 2021 19:28:38 -0500 Subject: [PATCH 385/663] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 070526f68c..1d274348f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
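Review bot: In both template hunks (`ssl.no-default.conf.j2` and `wordpress-site.conf.j2`) the cipher policy now comes entirely from `h5bp/directive-only/ssl.conf`, which this commit does not touch, so the claim that DHE suites are unused rests on that file's `ssl_ciphers` content rather than on anything visible here; please confirm no `DHE`/`EDH` suite remains in it. The removal is safe on nginx releases since 1.11.0, which no longer fall back to a built-in 1024-bit group when `ssl_dhparam` is absent and instead leave DHE suites unnegotiable, whereas older builds would silently use the weak built-in group, so a note on the minimum nginx version would be useful next to the include. The task hunk in `roles/nginx/tasks/main.yml` stops generating `dhparams.pem` but leaves the file on already-provisioned hosts; harmless, though a `file:` task with `state: absent` would keep hosts matching the playbook.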
@@ -1,5 +1,6 @@ ### HEAD * Remove Nginx `ssl_dhparam` directive and Diffie-Hellman params group ([#1326](https://github.com/roots/trellis/pull/1326)) +* Add PHP 8.1 support ([#1325](https://github.com/roots/trellis/pull/1325)) ### 1.10.0: November 28th, 2021 * Default to PHP 8.0 ([#1322](https://github.com/roots/trellis/pull/1322)) From c86fa9b83f1e6476ece6f3ec982b321edfaabf77 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 6 Dec 2021 15:41:18 -0600 Subject: [PATCH 386/663] Remove issue closer --- .github/workflows/issues.yml | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 .github/workflows/issues.yml diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml deleted file mode 100644 index f2b2474ec3..0000000000 --- a/.github/workflows/issues.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: Issue closer -on: [issues] -jobs: - autoclose: - runs-on: ubuntu-latest - steps: - - name: Autoclose issues that did not follow issue template - uses: roots/issue-closer@v1.1 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-close-message: "Hi @${issue.user.login}, -It looks like the issue template is missing from this issue. Please take a look at the [Contribution Guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md), which will tell you **exactly** what your ticket has to contain in order to be processable. -Please **do not** use the issue tracker for personal support requests. Use [Roots Discourse](https://discourse.roots.io/) to ask the Roots community for help, or [hire someone from the community](https://discourse.roots.io/c/jobs)." - issue-pattern: ".*guidelines for Contributing.*" From 978700dd59b20b9b4a48c3c4f67e093cd0815a6f Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 8 Dec 2021 13:18:26 -0600 Subject: [PATCH 387/663] Update docs links [ci skp] --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 6d0649a654..34751b908f 100644 
--- a/README.md +++ b/README.md @@ -29,7 +29,7 @@

- Official Website | Documentation | Change Log + Official Website | Documentation | Change Log

## Supporting @@ -74,7 +74,7 @@ Trellis will configure a server with the following and more: ## Documentation -Full documentation is available at [https://roots.io/docs/trellis/master/installation/](https://roots.io/docs/trellis/master/installation/). +Full documentation is available at [https://docs.roots.io/trellis/master/installation/](https://docs.roots.io/trellis/master/installation/). ## Requirements @@ -84,7 +84,7 @@ Make sure all dependencies have been installed before moving on: - [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 - **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) -**Windows user?** [Read the Windows getting started docs](https://roots.io/docs/getting-started/windows/#working-with-trellis) for slightly different installation instructions. +**Windows user?** [Read the Windows getting started docs](https://docs.roots.io/getting-started/windows/#working-with-trellis) for slightly different installation instructions. ## Installation 
@@ -148,15 +148,15 @@ $ trellis up 2. Ensure you're in the trellis directory: `cd trellis` 3. Run `vagrant up` -[Read the local development docs](https://roots.io/docs/trellis/master/local-development/#wordpress-installation) for more information. +[Read the local development docs](https://docs.roots.io/trellis/master/local-development/#wordpress-installation) for more information. ## Remote server setup (staging/production) A base Ubuntu 18.04 (Bionic) or Ubuntu 20.04 (Focal LTS) server is required for setting up remote servers. -1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/docs/trellis/master/vault/) for how to encrypt files containing passwords) +1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://docs.roots.io/trellis/master/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` -3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/docs/trellis/master/ssh-keys/)) +3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://docs.roots.io/trellis/master/ssh-keys/)) ### Using trellis-cli @@ -180,7 +180,7 @@ $ trellis droplet create production ### Manual -For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/docs/trellis/master/remote-server-setup/#requirements) for more information. +For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://docs.roots.io/trellis/master/remote-server-setup/#requirements) for more information. Provision the server: 
@@ -188,7 +188,7 @@ Provision the server: $ ansible-playbook server.yml -e env= ``` -[Read the remote server docs](https://roots.io/docs/trellis/master/remote-server-setup/) for more information. +[Read the remote server docs](https://docs.roots.io/trellis/master/remote-server-setup/) for more information. ## Deploying to remote servers From 98816fa3bfd61217ae56d83b3d33aefb6badc9a1 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 8 Dec 2021 22:34:02 -0500 Subject: [PATCH 388/663] Bump vagrant_ansible_version to 2.10.7 --- vagrant.default.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vagrant.default.yml b/vagrant.default.yml index 7ff8284984..6698daf6e3 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 202012.23.0' -vagrant_ansible_version: '2.9.10' +vagrant_ansible_version: '2.10.7' vagrant_ansible_python_interpreter: '/usr/bin/python3' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From 3518a2432a2bcc52083c92b280a633083b5e5d5c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 10 Dec 2021 00:19:06 -0500 Subject: [PATCH 389/663] Require Vagrant < 2.2.19 2.2.19 has a bug affecting macOS Big Sur and should be avoided. --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 016f43c149..133616b618 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,7 +16,7 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -Vagrant.require_version '>= 2.1.0' +Vagrant.require_version '>= 2.1.0', '< 2.2.19' Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') From e2b12a6badfd0da16749c6d56cd61e3bd2b61de4 Mon Sep 17 00:00:00 2001 
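Review bot: `Vagrant.require_version '>= 2.1.0', '< 2.2.19'` locks out every future Vagrant release, not just the broken one, so users on 2.2.20 and later are refused until someone edits this line again. `Vagrant.require_version` accepts Gem::Requirement operators, so `Vagrant.require_version '>= 2.1.0', '!= 2.2.19'` excludes only the release the commit message describes as buggy. A comment naming the macOS Big Sur bug next to the constraint would explain why the exclusion exists.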
From: Scott Walkinshaw Date: Fri, 10 Dec 2021 20:36:55 -0500 Subject: [PATCH 390/663] Set default for ansible_ssh_extra_args ansible-base in 2.10.16 changed how SSH option defaults worked breaking this. Just ensuring it has a proper default instead of undefined solves the issue. --- roles/connection/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index d3b13bafcc..8acdef9606 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -12,7 +12,7 @@ register: preferred_host_key_algorithms when: - dynamic_host_key_algorithms | default(true) - - not ansible_ssh_extra_args + - not ansible_ssh_extra_args | default(None) - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} From 56ec12d8dcd5f403236c5b48b7e3b8fd15ddcae4 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 10 Dec 2021 20:43:21 -0500 Subject: [PATCH 391/663] v1.11.0 --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d274348f7..5d29648121 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ -### HEAD +### 1.11.0: December 10th, 2021 +* Fix Ansible `2.10.16` - set default for `ansible_ssh_extra_args` ([#1333](https://github.com/roots/trellis/pull/1333)) +* Set max supported Vagrant version to `< 2.2.19` ([#1332](https://github.com/roots/trellis/pull/1332)) +* Bump `vagrant_ansible_version` to `2.10.7` ([#1329](https://github.com/roots/trellis/pull/1329)) * Remove Nginx `ssl_dhparam` directive and Diffie-Hellman params group ([#1326](https://github.com/roots/trellis/pull/1326)) * Add PHP 8.1 support ([#1325](https://github.com/roots/trellis/pull/1325)) From 32b1625d1e00e7060b95ffe232ecffb25afdab0a Mon Sep 17 00:00:00 2001 
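Review bot: `- not ansible_ssh_extra_args | default(None)` reads as if `not` were applied before the filter; Jinja binds the filter first, so the expression is correct, but `- not (ansible_ssh_extra_args | default(None))` makes that explicit and matches the parenthesised form on the next line. A short comment on the condition would also help, e.g. `# skip algorithm detection when the user supplied their own ssh args`; that intent is inferred from the surrounding conditions, so adjust the wording if it is wrong. The task's `name:` and module lines are outside the hunk.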
From: Scott Walkinshaw Date: Fri, 10 Dec 2021 20:52:39 -0500 Subject: [PATCH 392/663] Add ansible-base to requirements Bumps minimum required Ansible to >= 2.10 as well. The Ansible ecosystem has changed how their versions and packages work causing the main `ansible` package versions to no longer determine the version of `ansible-playbook`. Instead, the new `ansible-base` package is what matters. Background: https://blog.while-true-do.io/ansible-release-3-0-0/ For example, installing `ansible==2.10.7` would result in `ansible-playbook==2.10.16` which was confusing. By adding `ansible-base` to our `requirements.txt`, we'll get more consistent and predictable version constraints. Installing `ansible-base==2.10.16` would result in `ansible-playbook==2.10.16` as you'd expect. --- .circleci/config.yml | 2 +- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 4 ++-- requirements.txt | 3 ++- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9e78a3993b..ac59b18eee 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -106,7 +106,7 @@ workflows: matrix: parameters: python-version: ["3.7.8", "2.7"] - ansible-version: ["~=2.9.0", "~=2.8.0"] + ansible-version: ["~=2.10.0"] - syntax-check-with-requirements-txt: name: syntax-check-python-<>-requirements-txt matrix: diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d29648121..69d36cb36d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### 1.11.0: December 10th, 2021 +* Bump minimum ansible version to `2.10.0` and add `ansible-base` to requirements ([#1334](https://github.com/roots/trellis/pull/1334)) * Fix Ansible `2.10.16` - set default for `ansible_ssh_extra_args` ([#1333](https://github.com/roots/trellis/pull/1333)) * Set max supported Vagrant version to `< 2.2.19` ([#1332](https://github.com/roots/trellis/pull/1332)) * Bump `vagrant_ansible_version` to `2.10.7` ([#1329](https://github.com/roots/trellis/pull/1329)) 
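Review bot: The matrix in `.circleci/config.yml` still pins only `ansible-version: ["~=2.10.0"]`, which by the commit message's own reasoning no longer controls the `ansible-base` version that `ansible-playbook` actually runs, so CI may exercise a newer `ansible-base` than the `<=2.10.16` cap set in `requirements.txt`. If the job installs the package from this parameter alone (the install step is outside the hunk), adding a matching `ansible-base~=2.10.0` pin, or a second matrix parameter for it, would keep CI aligned with the requirements file.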
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index cee62944f7..5ecff33d4a 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -14,8 +14,8 @@ from ansible.utils.display import Display display = Display() -version_requirement = '2.8.0' -version_tested_max = '2.10.7' +version_requirement = '2.10.0' +version_tested_max = '2.10.16' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/requirements.txt b/requirements.txt index cecd05381d..d794f8d619 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,3 @@ -ansible>=2.8.0,<3.0 +ansible>=2.10.0,<3.0 +ansible-base>=2.10,<=2.10.16 passlib From aa78f3aec8d01d1568efad883d5648dacbdec71d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 10 Dec 2021 21:15:18 -0500 Subject: [PATCH 393/663] Remove old version checks --- lib/trellis/plugins/vars/version.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 5ecff33d4a..951cf30d2a 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -16,11 +16,6 @@ version_requirement = '2.10.0' version_tested_max = '2.10.16' -python3_required_version = '2.5.3' - -if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): - raise AnsibleError(('Ansible >= {} is required when using Python 3.\n' - 'Either downgrade to Python 2 or update your Ansible version to {}.').format(python3_required_version, python3_required_version)) if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 
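Review bot: `ansible-base>=2.10,<=2.10.16` in `requirements.txt` turns what the version plugin treats as a warning above `version_tested_max` into a hard install block, so a 2.10.17 bugfix or security release of `ansible-base` cannot be installed without editing both this file and `lib/trellis/plugins/vars/version.py`. If the goal is only a predictable `ansible-playbook` version, `ansible-base>=2.10,<2.11` keeps the floor the commit message asks for while letting patch releases through, and the plugin still warns above the tested maximum. Either way a comment tying the two values together would stop them drifting: `# keep in sync with version_tested_max in lib/trellis/plugins/vars/version.py`.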
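Review bot: With the Python 3 minimum-version check removed in this hunk and the 2.5.0 warning removed in the following one, `version_info` and `eq` appear to have no remaining use in `lib/trellis/plugins/vars/version.py`; their imports sit above the hunk so the diff cannot confirm it, but if so they should be dropped alongside rather than left as dead imports. The comment kept in the second hunk still says the late `BaseVarsPlugin` import exists for "Ansible versions older than 2.4", which is now well below `version_requirement = '2.10.0'`, so that comment is worth updating to the new floor.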
@@ -30,10 +25,6 @@ u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) -if eq(LooseVersion(__version__), LooseVersion('2.5.0')): - display.warning(u'Your Ansible version is {}. Consider upgrading your Ansible version to avoid ' - u'erroneous warnings such as `Removed restricted key from module data...`'.format(__version__)) - # Import BaseVarsPlugin after Ansible version check. # Otherwise import error for Ansible versions older than 2.4 would prevent display of version check message. from ansible.plugins.vars import BaseVarsPlugin From 587738ec1324e1f1138ebb2cf000fff9185c74b8 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 11 Dec 2021 15:42:43 -0500 Subject: [PATCH 394/663] Simplify README This removes the "manual" docs from the README and focuses on the trellis-cli workflow. This README isn't meant to be the full documentation anyway. --- README.md | 86 ++++--------------------------------------------------- 1 file changed, 6 insertions(+), 80 deletions(-) diff --git a/README.md b/README.md index 34751b908f..f79f869a31 100644 --- a/README.md +++ b/README.md 
@@ -78,61 +78,18 @@ Full documentation is available at [https://docs.roots.io/trellis/master/install ## Requirements -Make sure all dependencies have been installed before moving on: - -- [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -- [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 -- **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) - -**Windows user?** [Read the Windows getting started docs](https://docs.roots.io/getting-started/windows/#working-with-trellis) for slightly different installation instructions. +See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements and our [getting started pages](https://docs.roots.io/getting-started) for more OS specific instructions. ## Installation -### Using trellis-cli - Create a new project: ```bash $ trellis new example.com ``` -### Manual - -The recommended directory structure for a Trellis project looks like: - -```bash -example.com/ # → Root folder for the project -├── trellis/ # → Your clone of this repository -└── site/ # → A Bedrock-based WordPress site - └── web/ - ├── app/ # → WordPress content directory (themes, plugins, etc.) - └── wp/ # → WordPress core (don't touch!) -``` - -See a complete working example in the [roots-example-project.com repo](https://github.com/roots/roots-example-project.com). - -1. Create a new project directory: - -```bash -$ mkdir example.com && cd example.com -``` - -2. Install Trellis: - -```bash -$ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git -``` - -3. Install Bedrock into the `site` directory: - -```bash -$ composer create-project roots/bedrock site -``` - ## Local development setup -### Using trellis-cli - 1. Review the automatically created site in `group_vars/development/wordpress_sites.yml` 2. Customize settings if necessary 
@@ -142,12 +99,6 @@ Start the Vagrant virtual machine: $ trellis up ``` -### Manual - -1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` -2. Ensure you're in the trellis directory: `cd trellis` -3. Run `vagrant up` - [Read the local development docs](https://docs.roots.io/trellis/master/local-development/#wordpress-installation) for more information. ## Remote server setup (staging/production) @@ -158,14 +109,6 @@ A base Ubuntu 18.04 (Bionic) or Ubuntu 20.04 (Focal LTS) server is required for 2. Add your server IP/hostnames to `hosts/` 3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://docs.roots.io/trellis/master/ssh-keys/)) -### Using trellis-cli - -Initialize Trellis (Virtualenv) environment: - -```bash -$ trellis init -``` - Provision the server: ```bash @@ -178,16 +121,6 @@ Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) suppor $ trellis droplet create production ``` -### Manual - -For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://docs.roots.io/trellis/master/remote-server-setup/#requirements) for more information. - -Provision the server: - -```bash -$ ansible-playbook server.yml -e env= -``` - [Read the remote server docs](https://docs.roots.io/trellis/master/remote-server-setup/) for more information. ## Deploying to remote servers @@ -195,8 +128,6 @@ $ ansible-playbook server.yml -e env= 1. Add the `repo` (Git URL) of your Bedrock WordPress project in the corresponding `group_vars//wordpress_sites.yml` file 2. Set the `branch` you want to deploy (defaults to `master`) -### Using trellis-cli - Deploy a site: ```bash 
@@ -209,22 +140,17 @@ Rollback a deploy: $ trellis rollback ``` -### Manual +[Read the deploys docs](https://roots.io/docs/trellis/master/deployments/) for more information. -Deploy a site: +## Migrating existing projects to trellis-cli: -```bash -$ ./bin/deploy.sh -``` - -Rollback a deploy: +Assuming you're using the standard project structure, you just need to make the +project trellis-cli compatible by initializing it: ```bash -$ ansible-playbook rollback.yml -e "site= env=" +$ trellis init ``` -[Read the deploys docs](https://roots.io/docs/trellis/master/deployments/) for more information. - ## Contributing Contributions are welcome from everyone. We have [contributing guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) to help you get started. From 19bdce6638c98ea438b9e8a4bb13f43de2351653 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 11 Dec 2021 16:39:31 -0500 Subject: [PATCH 395/663] Fix #1331 - Improve passlib instructions Updates the error message when `passlib` isn't installed on macOS. This recommends using trellis-cli as the main solution but still provides a manual method including better options for install pip. --- roles/common/tasks/main.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 34271b37b6..84ff7aa2fd 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -97,10 +97,21 @@ - name: Check whether passlib is needed fail: msg: | - Ansible on OS X requires python passlib module to create user password hashes + Ansible on macOS requires Python's passlib module to create user password hashes + + If you're seeing this error message, you likely didn't use trellis-cli to create your project. + We highly recommend installing and using trellis-cli to manage your Trellis projects. + + See https://github.com/roots/trellis-cli for more documentation. + + For existing projects, you can run `trellis init` which will manage the dependencies automatically and fix this problem + as long as you use the `trellis` commands (like `trellis provision`) afterwards. + + To fix this manually, use pip to install the package: pip install passlib + + If pip is not installed, you'll have to install it first. + See https://stackoverflow.com/questions/17271319/how-do-i-install-pip-on-macos-or-os-x for many options. - sudo easy_install pip - pip install passlib when: env != 'development' and darwin_without_passlib | default(false) run_once: true From e8fcd02b836586f918a0d9ac15983a1c8eba47be Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 11 Dec 2021 18:24:03 -0500 Subject: [PATCH 396/663] Fixes #1319 - Improve how ssh_args are loaded This refactors how `ssh_args` are loaded since the private method `_ssh_args` on `PlayContext` has been removed in Ansible 2.11. Instead, we load the ssh plugin and get the option directly. --- lib/trellis/plugins/callback/vars.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 9cd0f941e2..f42bebf2c8 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -3,6 +3,7 @@ import re import sys +import os from __main__ import cli from ansible.module_utils.six import iteritems 
@@ -14,6 +15,7 @@ from ansible.template import Templar from ansible.utils.unsafe_proxy import wrap_var from ansible import context +from ansible.plugins.loader import connection_loader class CallbackModule(CallbackBase): @@ -94,6 +96,9 @@ def darwin_without_passlib(self): return True def v2_playbook_on_play_start(self, play): + play_context = PlayContext(play=play) + connection = connection_loader.get('ssh', play_context, os.devnull) + env = play.get_variable_manager().get_vars(play=play).get('env', '') env_group = next((group for key,group in iteritems(play.get_variable_manager()._inventory.groups) if key == env), False) if env_group: @@ -102,7 +107,7 @@ def v2_playbook_on_play_start(self, play): for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): hostvars = play.get_variable_manager().get_vars(play=play, host=host) self.raw_vars(play, host, hostvars) - host.vars['ssh_args_default'] = PlayContext(play=play)._ssh_args.default + host.vars['ssh_args_default'] = connection.get_option('ssh_args') host.vars['cli_options'] = self.cli_options() host.vars['cli_ask_pass'] = self._options.get('ask_pass', False) host.vars['cli_ask_become_pass'] = self._options.get('become_ask_pass', False) From ba5767d5452c8f30974ddf29d7aafca5e37e4e03 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 11 Dec 2021 19:02:53 -0500 Subject: [PATCH 397/663] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69d36cb36d..e7b441ed0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
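Review bot: `connection_loader.get('ssh', play_context, os.devnull)` instantiates the ssh connection plugin without calling `set_options()`, so `connection.get_option('ssh_args')` appears to resolve the value lazily from the plugin's configured default (ansible.cfg `[ssh_connection] ssh_args` or environment), which is what `ssh_args_default` wants; that deserves a comment because it looks like a bug at first sight. The third argument is the plugin's `new_stdin`, normally a file object, and passing the path string `os.devnull` works only as far as the ssh plugin never reads it, so `# new_stdin is unused by the ssh plugin; any placeholder is enough` would document the choice. The plugin is loaded once per play outside the host loop, so a per-host `ansible_ssh_args` override is intentionally not reflected; the loop body continues past the hunk.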
@@ -1,3 +1,7 @@ +### HEAD +* Fix #1319 - Improve how ssh_args are loaded ([#1337](https://github.com/roots/trellis/pull/1337)) +* Fix #1331 - Improve passlib instructions([#1336](https://github.com/roots/trellis/pull/1336)) + ### 1.11.0: December 10th, 2021 * Bump minimum ansible version to `2.10.0` and add `ansible-base` to requirements ([#1334](https://github.com/roots/trellis/pull/1334)) * Fix Ansible `2.10.16` - set default for `ansible_ssh_extra_args` ([#1333](https://github.com/roots/trellis/pull/1333)) From a51674d7299d7953933311a99bee41722c650957 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 13 Dec 2021 22:52:17 -0500 Subject: [PATCH 398/663] Remove old WP customizer frame options hack --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index e090b2ea6a..414328fcc4 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -206,14 +206,7 @@ server { {% block embed_security -%} {% if item.value.nginx_embed_security | default(nginx_embed_security | default(true)) -%} add_header Content-Security-Policy "frame-ancestors 'self'" always; - - # Conditional X-Frame-Options until https://core.trac.wordpress.org/ticket/40020 is resolved - set $x_frame_options SAMEORIGIN; - if ($arg_customize_changeset_uuid) { - set $x_frame_options ""; - } - add_header X-Frame-Options $x_frame_options always; - + add_header X-Frame-Options SAMEORIGIN always; {% endif -%} {% endblock -%} From b193890bad0d0fac5b41f6179dc528fbd55ff912 Mon Sep 17 00:00:00 2001 
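Review bot: The replacement line `add_header X-Frame-Options SAMEORIGIN always;` also drops the comment that explained the customizer exception, so nothing in the template now records why the header is unconditional again; a one-line comment such as `# Unconditional again: the customizer preview no longer needs the changeset-uuid exemption` would keep a future maintainer from re-adding the `if` block. The new state is the safer one, since the removed `if ($arg_customize_changeset_uuid)` branch cleared the header for any request carrying that query argument regardless of origin, and the two headers now agree (`frame-ancestors 'self'` and `SAMEORIGIN`). The enclosing `server` block starts outside the hunk.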
From: Scott Walkinshaw Date: Wed, 22 Dec 2021 23:59:21 -0500 Subject: [PATCH 399/663] Update default vagrant_ip Changes the default `vagrant_ip` from `192.168.50.5` to `192.168.56.5` (note the subtle change from `50` -> `56`). A recent change in VirtualBox means that only IP addresses in the 192.168.56.0/21 range are allowed. Vagrant is now validating that the IP is within this range as well (https://github.com/hashicorp/vagrant/pull/12564). --- hosts/development | 4 ++-- vagrant.default.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/development b/hosts/development index 4af294aca7..2075118800 100644 --- a/hosts/development +++ b/hosts/development @@ -35,7 +35,7 @@ # into the Vagrantfile's `config.vm.provision` section. [development] -192.168.50.5 ansible_connection=local +192.168.56.5 ansible_connection=local [web] -192.168.50.5 ansible_connection=local +192.168.56.5 ansible_connection=local diff --git a/vagrant.default.yml b/vagrant.default.yml index 6698daf6e3..581f36a61c 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -1,5 +1,5 @@ --- -vagrant_ip: '192.168.50.5' +vagrant_ip: '192.168.56.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' From 5b6a295e70a998f311ba9e025f5d159755b13977 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 29 Dec 2021 16:03:30 -0500 Subject: [PATCH 400/663] Add support for public keys for deploys Adding a deploy specific SSH public key to a Trellis server is a common task to enable CI/CD deploys (such as GitHub Actions). This creates a standard folder (`public_keys`) for them. Any public SSH keys in that folder (ending in `.pub`) will be automatically added to the `web_user` as an authorized key. --- CHANGELOG.md | 1 + lib/trellis/utils/output.py | 2 +- public_keys/.gitkeep | 0 roles/users/tasks/main.yml | 8 +++++++- 4 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 public_keys/.gitkeep 
diff --git a/CHANGELOG.md b/CHANGELOG.md index e7b441ed0c..322b31fe5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Improve support for adding public SSH keys ([#1344](https://github.com/roots/trellis/pull/1344)) * Fix #1319 - Improve how ssh_args are loaded ([#1337](https://github.com/roots/trellis/pull/1337)) * Fix #1331 - Improve passlib instructions([#1336](https://github.com/roots/trellis/pull/1336)) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index ca4eb22728..33dbc4b55a 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -55,7 +55,7 @@ def replace_item_with_key(obj, result): ) if should_replace: - if 'key' in result._result[item]: + if type(result._result[item]) is dict and 'key' in result._result[item]: result._result[item] = result._result[item]['key'] elif type(result._result[item]) is dict: subitem = '_ansible_item_label' if '_ansible_item_label' in result._result[item] else 'item' diff --git a/public_keys/.gitkeep b/public_keys/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index acfcd74838..09b84830df 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -49,7 +49,7 @@ validate: "/usr/sbin/visudo -cf %s" when: web_sudoers[0] is defined -- name: Add SSH keys +- name: Add user SSH keys authorized_key: user: "{{ item.0.name }}" key: "{{ item.1 }}" @@ -57,6 +57,12 @@ - "{{ users | default([]) }}" - keys +- name: Add deploy SSH keys + authorized_key: + user: "{{ web_user }}" + key: "{{ lookup('file', item) }}" + with_fileglob: 'public_keys/*.pub' + - name: Check whether Ansible can connect as admin_user command: ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }} delegate_to: localhost From 39423738b70cfd06cc777ebf219921a30cc9d194 Mon Sep 17 00:00:00 2001 
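Review bot: `type(result._result[item]) is dict` on the changed line is a point of style: `isinstance(result._result[item], dict)` is the idiomatic check and would also accept dict subclasses if one is ever passed in, i.e. `if isinstance(result._result[item], dict) and 'key' in result._result[item]:`. The existing `elif` uses the same `type(...) is dict` form, so either both should change or the new line should stay consistent with it, as it currently is. `replace_item_with_key` starts outside the hunk.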
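Review bot: The new `Add deploy SSH keys` task only ever adds keys: a `.pub` file deleted from `public_keys/` stays in `web_user`'s authorized_keys on every server it was pushed to, so revoking a CI deploy key needs a manual step that nothing here documents. A comment on the task such as `# Keys are only added; revoke a key by removing it from the server's authorized_keys as well`, or a follow-up that handles removed keys with `state: absent`, would close that gap. Since `with_fileglob: 'public_keys/*.pub'` picks up every matching file, a note in the same place that anything committed to that directory is granted login as `web_user` is also worth having.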
From: Scott Walkinshaw Date: Fri, 31 Dec 2021 16:22:41 -0500 Subject: [PATCH 401/663] Update sponsors section in README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f79f869a31..fb94b64b48 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,8 @@ However, the amount of effort needed to maintain and develop new features and pr
-[![Donate via Patreon](https://img.shields.io/badge/donate-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) +[![Sponsor on GitHub](https://img.shields.io/static/v1?label=sponsor&message=%E2%9D%A4&logo=GitHub)](https://github.com/sponsors/roots) +[![Sponsor on Patreon](https://img.shields.io/badge/sponsor-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) [![Donate via PayPal](https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square&logo=paypal)](https://www.paypal.me/rootsdev)
From 47b04b70e299eab1d34294401290a4bb6db7858c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 2 Jan 2022 16:12:34 -0500 Subject: [PATCH 402/663] Revert "Default to proper box for M1 macs" --- Vagrantfile | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 88514e3310..133616b618 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -19,13 +19,7 @@ trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) Vagrant.require_version '>= 2.1.0', '< 2.2.19' Vagrant.configure('2') do |config| - vagrant_box = if Vagrant::Util::Platform.darwin? && `uname -m`.chomp == "arm64" - 'jeffnoxon/ubuntu-20.04-arm64' - else - vconfig.fetch('vagrant_box') - end - - config.vm.box = vagrant_box + config.vm.box = vconfig.fetch('vagrant_box') config.vm.box_version = vconfig.fetch('vagrant_box_version') config.ssh.forward_agent = true config.vm.post_up_message = post_up_message From 8f1c4600ac27529872eedee490d13b6a9f750bc4 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 3 Jan 2022 10:45:59 -0500 Subject: [PATCH 403/663] v1.12.0 --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 322b31fe5b..c8d5c6b634 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ -### HEAD +### 1.12.0: January 3rd, 2022 * Improve support for adding public SSH keys ([#1344](https://github.com/roots/trellis/pull/1344)) +* Update default Vagrant IP to 192.168.56.5 ([#1341](https://github.com/roots/trellis/pull/1341)) +* Remove old WP customizer frame options hack ([#1338](https://github.com/roots/trellis/pull/1338)) * Fix #1319 - Improve how ssh_args are loaded ([#1337](https://github.com/roots/trellis/pull/1337)) * Fix #1331 - Improve passlib instructions([#1336](https://github.com/roots/trellis/pull/1336)) From 4045d3050491d7dd25d7e1141ea7474f10e9129b Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Tue, 4 Jan 2022 10:33:42 -0500 Subject: [PATCH 404/663] Switch CI to GitHub Actions --- .circleci/config.yml | 114 --------------------------------------- .github/workflows/ci.yml | 37 +++++++++++++ 2 files changed, 37 insertions(+), 114 deletions(-) delete mode 100644 .circleci/config.yml create mode 100644 .github/workflows/ci.yml diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index ac59b18eee..0000000000 --- a/.circleci/config.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -version: 2.1 - -orbs: - python: circleci/python@0.3.2 - -commands: - install-pip-package: - parameters: - package: - type: string - python-version: - type: string - steps: - - restore_cache: - name: Restore pip Cache - keys: - - pip-v3-<>-<>- - - run: - name: Install pip Package - command: pip install --user --upgrade <> - - save_cache: - name: Save pip Cache - key: pip-v3-<>-<>-{{ epoch }} - paths: - - /home/circleci/.local/bin/ - - /home/circleci/.local/lib/ - - /home/circleci/.cache/pip/ - install-galaxy-roles: - steps: - - restore_cache: - name: Restore Galaxy Role Cache - keys: - - galaxy-role-v2-{{ checksum "galaxy.yml" }} - - run: - name: Install Galaxy Roles - command: ansible-galaxy install -r galaxy.yml - - save_cache: - name: Save Galaxy Role Cache - key: galaxy-role-v2-{{ checksum "galaxy.yml" }} - paths: - - vendor/ - check-playbook-syntax: - steps: - - run: - name: Check Playbook Syntax - command: | - ansible-playbook --syntax-check -e env=development deploy.yml - ansible-playbook --syntax-check -e env=development dev.yml - ansible-playbook --syntax-check -e env=development server.yml - ansible-playbook --syntax-check -e env=development rollback.yml - ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml - -jobs: - syntax-check: - parameters: - ansible-version: - type: string - python-version: - type: string - executor: - name: python/default - tag: <> - steps: - - run: python --version - - checkout - - install-pip-package: - package: ansible<< parameters.ansible-version >> - python-version: <> - - run: ansible --version - - install-galaxy-roles - - check-playbook-syntax - - syntax-check-with-requirements-txt: - parameters: - python-version: - type: string - executor: - name: python/default - tag: <> - steps: - - run: python --version - - checkout - - restore_cache: - name: Restore pip Cache - keys: - - pip-v3-<>-{{ checksum "requirements.txt" }}- - - run: - name: Install packages from requirements.txt 
(or any other file) via Pip. - command: pip install --user --upgrade --requirement requirements.txt - - save_cache: - name: Save pip Cache - key: pip-v3-<>-{{ checksum "requirements.txt" }}-{{ epoch }} - paths: - - /home/circleci/.local/bin/ - - /home/circleci/.local/lib/ - - /home/circleci/.cache/pip - - run: ansible --version - - install-galaxy-roles - - check-playbook-syntax - -workflows: - syntax-check: - jobs: - - syntax-check: - name: syntax-check-python-<>-ansible<> - matrix: - parameters: - python-version: ["3.7.8", "2.7"] - ansible-version: ["~=2.10.0"] - - syntax-check-with-requirements-txt: - name: syntax-check-python-<>-requirements-txt - matrix: - parameters: - python-version: ["3.7.8", "2.7"] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..e4133c470c --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,37 @@ +name: ci + +on: + push: + branches: + - master + pull_request: + branches: + - master + workflow_dispatch: + +jobs: + test: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: ['2.x', '3.x'] + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-python@v2 + with: + python-version: ${{ matrix.python-version }} + architecture: x64 + cache: 'pip' + - run: pip install -r requirements.txt + - uses: actions/cache@v2 + with: + path: vendor + key: ${{ runner.os }}-galaxy-${{ hashFiles('galaxy.yml') }} + - run: ansible-galaxy install -r galaxy.yml + - name: Check playbook syntax + run: | + ansible-playbook --syntax-check -e env=development deploy.yml + ansible-playbook --syntax-check -e env=development dev.yml + ansible-playbook --syntax-check -e env=development server.yml + ansible-playbook --syntax-check -e env=development rollback.yml + ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml From 089f023a54ff52725fba0887cd8c818ed3b76f09 Mon Sep 17 00:00:00 2001 
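Review bot: The new workflow declares no `permissions:` block, so the job token receives the repository's default permissions although the steps only need to read the checkout; adding `permissions:` with `  contents: read` at the top level, above `jobs:`, is the least-privilege setting. The three actions are referenced by mutable major tags (`actions/checkout@v2`, `actions/setup-python@v2`, `actions/cache@v2`); pinning each to its full-length commit SHA, with the tag kept in a trailing comment, removes the chance that a re-tagged release silently changes what runs in CI. The `on:` key and `cache: 'pip'` are fine as written for GitHub's loader.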
From: Scott Walkinshaw Date: Tue, 4 Jan 2022 00:13:31 -0500 Subject: [PATCH 405/663] Use trellis-cli for Vagrant galaxy install This replaces the default galaxy command (`ansible-galaxy install`) with the much better `trellis galaxy install` if trellis-cli is available on the host machine. With trellis-cli's command, there should be no reason to use the annoying `SKIP_GALAXY` env var which was added to prevent Vagrant from always installing the roles each time. `trellis galaxy install` is efficient and quickly skips already installed roles. --- Vagrantfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Vagrantfile b/Vagrantfile index 133616b618..92e29c3c3b 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -131,6 +131,10 @@ Vagrant.configure('2') do |config| ansible.galaxy_role_file = File.join(provisioning_path, 'galaxy.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') + if which('trellis') + ansible.galaxy_command = 'trellis galaxy install' + end + ansible.groups = { 'web' => ['default'], 'development' => ['default'] From 967c1ee115ffee0290c72069038319f27eba8171 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 3 Jan 2022 14:50:55 -0500 Subject: [PATCH 406/663] Update default ssh key paths Adds id_ed25519 in addition to the existing id_rsa entry and sets `errors='ignore'` to both. If that local path doesn't exist, Ansible will still show a helpful warning but won't fail. --- group_vars/all/users.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index c19aafa286..4d38ac23d2 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml 
@@ -7,13 +7,15 @@ users: groups: - "{{ web_group }}" keys: - - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" + - "{{ lookup('file', '~/.ssh/id_rsa.pub', errors='ignore') }}" + - "{{ lookup('file', '~/.ssh/id_ed25519.pub', errors='ignore') }}" # - https://github.com/username.keys - name: "{{ admin_user }}" groups: - sudo keys: - - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" + - "{{ lookup('file', '~/.ssh/id_rsa.pub', errors='ignore') }}" + - "{{ lookup('file', '~/.ssh/id_ed25519.pub', errors='ignore') }}" # - https://github.com/username.keys web_user: web From 3b72c4f5f5c9fa0b3bc49101df7c3a4b69ddbf7e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 4 Jan 2022 14:13:52 -0500 Subject: [PATCH 407/663] Fix #970 - Improve git clone failure error Outputs the original stderr message as well in case of failure. --- roles/deploy/tasks/update.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index fb8831e24f..92ac949b00 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -39,6 +39,9 @@ More info: > https://roots.io/trellis/docs/deploys/#ssh-keys > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding + + Error: + {{ git_clone.stderr }} when: git_clone is failed - name: Remove untracked files from project folder From 45d88096dc92c2b1eeb7e6b898a0c82e9180ffca Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 4 Jan 2022 20:03:17 -0500 Subject: [PATCH 408/663] Update CHANGELOG --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8d5c6b634..ba63f4e2a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
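Review bot: With `errors='ignore'` on both lookups, a missing file now contributes an empty string to `keys` instead of failing the run, so if neither `~/.ssh/id_rsa.pub` nor `~/.ssh/id_ed25519.pub` exists, `admin_user` is provisioned with no key at all and only a warning is printed. It is worth confirming that the task consuming these keys tolerates an empty entry rather than failing on it, and adding an assertion ahead of it that at least one non-empty key resolved for `admin_user`, since otherwise the later connectivity check is the only thing standing between a key-less admin account and a server nobody can log in to. The `users` list continues outside the hunk.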
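Review bot: Interpolating `{{ git_clone.stderr }}` into the failure message puts whatever git printed into Ansible's output and any log that captures it; if the repository URL ever carries embedded credentials (an HTTPS token, for instance), git's error text may echo that URL. That is a reasonable trade-off for the SSH-based setups the surrounding message assumes, but a short comment on the fail task, e.g. `# stderr is shown verbatim; keep repository URLs free of embedded credentials`, makes it explicit. The enclosing fail task starts outside the hunk.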
@@ -1,3 +1,8 @@ +### HEAD +* Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348)) +* Use trellis-cli for Vagrant galaxy install when available ([#1349](https://github.com/roots/trellis/pull/1349)) +* Fix #970 - Improve git clone failure error ([#1351](https://github.com/roots/trellis/pull/1351)) + ### 1.12.0: January 3rd, 2022 * Improve support for adding public SSH keys ([#1344](https://github.com/roots/trellis/pull/1344)) * Update default Vagrant IP to 192.168.56.5 ([#1341](https://github.com/roots/trellis/pull/1341)) From 825c0e1a4adf42b23120a0e295d747be17e4d759 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 18 Jan 2022 16:14:18 -0600 Subject: [PATCH 409/663] Remove issue templates --- .github/ISSUE_TEMPLATE/bug_report.yml | 108 --------------------- .github/ISSUE_TEMPLATE/config.yml | 4 - .github/ISSUE_TEMPLATE/feature_request.yml | 56 ----------- 3 files changed, 168 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml delete mode 100644 .github/ISSUE_TEMPLATE/config.yml delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml deleted file mode 100644 index 552d2b64c2..0000000000 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -name: Bug Report -description: Report a problem with Trellis. Please provide enough information so that we can reproduce the problem. -title: "Bug: " -labels: [bug] - -body: - - type: markdown - attributes: - value: | - This form is for reporting Trellis technical issues. - If you have a question or you're looking for support, please visit [Roots Discourse](https://discourse.roots.io/). - - - type: checkboxes - id: terms - attributes: - options: - - label: I have read the [guidelines for Contributing to Roots Projects](https://github.com/roots/.github/blob/master/CONTRIBUTING.md) - required: true - - label: This request is not a duplicate of an existing issue - required: true - - label: I have read the [Trellis docs](https://roots.io/docs/trellis/) and followed them (if applicable) - required: true - - label: I have seached the [Roots Discourse](https://discourse.roots.io/) for answers and followed them (if applicable) - required: true - - label: This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/) community - required: true - - - type: textarea - id: description - attributes: - label: Description - value: | - #### What's wrong? - - #### What have you tried? - - #### What insights have you gained? - - #### Possible solutions - - #### Temporary workarounds - validations: - required: true - - - type: textarea - id: steps-to-reproduce - attributes: - label: Steps To Reproduce - description: | - Non-reproducible issues may be immediately closed as not actionable. - Please provide reproduction steps as detailed as possible. - value: | - 1. - 1. - 1. - validations: - required: true - - - type: textarea - id: expected-behavior - attributes: - label: Expected Behavior - placeholder: What did you expect to happen? - validations: - required: true - - - type: textarea - id: actual-behavior - attributes: - label: Actual Behavior - placeholder: What actually happens? 
- validations: - required: true - - - type: textarea - id: logs - attributes: - label: Relevant Log Output - description: Please copy and paste any relevant log output. - render: shell - - - type: input - id: trellis-version - attributes: - label: Trellis Version - description: You can get this information from referencing `CHANGELOG.md`. If you know, please provide the [roots/trellis](https://github.com/roots/trellis) Git commit SHA. - validations: - required: true - - - type: textarea - id: ansible-version - attributes: - label: Ansible Version - description: You can get this information by running `$ ansible --version`. Please include the whole console output. - render: shell - validations: - required: true - - - type: input - id: trellis-cli-version - attributes: - label: Trellis CLI Version - description: If you are using [Trellis CLI](https://github.com/roots/trellis-cli), please provide the version (for stable versions; `$ trellis --version`) or the Git commit SHA (for canary builds). - - - type: markdown - attributes: - value: | - Thanks for taking the time to fill out this bug report! diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml deleted file mode 100644 index 089dbe29f9..0000000000 --- a/.github/ISSUE_TEMPLATE/config.yml +++ /dev/null @@ -1,4 +0,0 @@ -contact_links: - - name: Roots Discourse - url: https://discourse.roots.io - about: Is this a personal support request? Find help on our support forum. diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml deleted file mode 100644 index 7842e919f4..0000000000 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -name: Feature Request -description: Suggest an idea for Trellis. -title: "Feature Request: " -labels: [feature, enhancement] - -body: - - type: markdown - attributes: - value: | - This form is for suggesting an idea for Trellis. - If you have a question or you're looking for support, please visit [Roots Discourse](https://discourse.roots.io/). - - - type: checkboxes - id: terms - attributes: - options: - - label: I have read the [guidelines for Contributing to Roots Projects](https://github.com/roots/.github/blob/master/CONTRIBUTING.md) - required: true - - label: This request is not a duplicate of an existing issue - required: true - - label: This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/) community - required: true - - - type: textarea - id: summary - attributes: - label: Summary - description: One paragraph explanation of the feature. - validations: - required: true - - - type: textarea - id: motivation - attributes: - label: Motivation - value: | - #### Why are we doing this? - - #### What use cases does it support? - - #### What is the expected outcome? - - #### Potential conflicts / foreseeable issues - validations: - required: true - - - type: textarea - id: additional-context - attributes: - label: Additional Context - description: Add any other context or screenshots about the feature request here. - - - type: markdown - attributes: - value: | - Thanks for taking the time to fill out this feature request form! From 73285794f0382e6ea81cb16951c9b5c231f53114 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Tue, 18 Jan 2022 18:38:59 -0500 Subject: [PATCH 410/663] Disable install_recommends for php packages php8.1-cli is being installed due to another package recommending it. Right now this breaks WordPress installation due to WP-CLI being incompatible. However, 8.1 shouldn't be installed anyway when the `php_version` is set to `8.0`. This fixes the root cause by setting `install_recommends: no` which disables the feature in `apt`. More background: https://github.com/oerdnj/deb.sury.org/wiki/Frequently-Asked-Questions#why-is-phpdefaultversion-cli-always-installed and https://github.com/oerdnj/deb.sury.org/issues/1711 --- CHANGELOG.md | 1 + roles/php/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba63f4e2a4..65a1c4640a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1354 - Disable `install_recommends` for php packages ([#1355](https://github.com/roots/trellis/pull/1355)) * Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348)) * Use trellis-cli for Vagrant galaxy install when available ([#1349](https://github.com/roots/trellis/pull/1349)) * Fix #970 - Improve git clone failure error ([#1351](https://github.com/roots/trellis/pull/1351)) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 370e7d5aeb..e70d1cbf57 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -9,6 +9,7 @@ name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" + install_recommends: no with_dict: "{{ php_extensions }}" - name: Start php fpm service From fadd2bebfe433b3d3de52e36b55c14937e55cfe3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 21 Jan 2022 17:01:04 -0500 Subject: [PATCH 411/663] v1.13.0 --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65a1c4640a..4ec3f45b76 100644 
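Review bot: `install_recommends: no` uses the YAML 1.1 boolean spelling; Ansible's loader reads it as false, but `no` is flagged by yamllint's truthy rule and is a plain string under a YAML 1.2 parser, so the canonical form is `install_recommends: false`. The lowercase `true`/`false` form is also what the rest of the task parameters in this role would be expected to use. The enclosing apt task starts outside the hunk.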
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,5 @@ -### HEAD -* Fix #1354 - Disable `install_recommends` for php packages ([#1355](https://github.com/roots/trellis/pull/1355)) +### 1.13.0: January 21st, 2022 +* Fix #1354 - Prevent apt from installing recommended packages for php ([#1355](https://github.com/roots/trellis/pull/1355)) * Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348)) * Use trellis-cli for Vagrant galaxy install when available ([#1349](https://github.com/roots/trellis/pull/1349)) * Fix #970 - Improve git clone failure error ([#1351](https://github.com/roots/trellis/pull/1351)) From 495ae1ce102fba6f9f4299f796a254a0dc7fb056 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 22 Jan 2022 00:43:29 -0600 Subject: [PATCH 412/663] Deploy hook build example: Update Sage build command --- deploy-hooks/build-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 6fef7df48f..87951f4735 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -19,7 +19,7 @@ # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # # - name: Compile assets for production -# command: yarn build:production +# command: yarn build # delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" From afdeade3d0bf7c35a887623d82f4cc4e731b962c Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 22 Jan 2022 01:42:01 -0600 Subject: [PATCH 413/663] chore(project): Remove .circleci and add .github to .gitattributes --- .gitattributes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitattributes b/.gitattributes index 41c1519e9f..aacb20e852 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,2 +1,2 @@ -/.circleci export-ignore /.gitattributes export-ignore +/.github export-ignore From 51c1a3e58ee5600bf486ccfc51e922ff617de1cb Mon Sep 17 00:00:00 2001 
From: Ben Word Date: Wed, 26 Jan 2022 12:30:16 -0600 Subject: [PATCH 414/663] Update `wp_cli_version` to 2.6.0 --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 6abe35ebe1..b27b963495 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.5.0 +wp_cli_version: 2.6.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From f977a2580a6a4b5b9ee9bff5a8900f36bc7b474c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 9 Jan 2022 12:03:04 -0500 Subject: [PATCH 415/663] Remove bin scripts These scripts were created as better interfaces to running the deploy and xdebug tunnel Ansible playbooks (since the Ansible CLI developer experience isn't the best when arguments are needed). They've been superceded by the much better trellis-cli now. If you don't want to use trellis-cli, then the `ansible-playbook` commands that these scripts ran can always be used. --- CHANGELOG.md | 5 +++++ Vagrantfile | 4 ---- bin/deploy.sh | 45 -------------------------------------------- bin/xdebug-tunnel.sh | 43 ------------------------------------------ 4 files changed, 5 insertions(+), 92 deletions(-) delete mode 100755 bin/deploy.sh delete mode 100755 bin/xdebug-tunnel.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ec3f45b76..22c84c09a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,8 @@ +### HEAD +* Remove bin scripts (trellis-cli should be used instead) ([#1352](https://github.com/roots/trellis/pull/1352)) +* Update `wp_cli_version` to `2.6.0` ([#1358](https://github.com/roots/trellis/pull/1358)) +* Deploy hook build example: Update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356)) + ### 1.13.0: January 21st, 2022 * Fix #1354 - Prevent apt from installing recommended packages for php ([#1355](https://github.com/roots/trellis/pull/1355)) * Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348)) diff --git a/Vagrantfile b/Vagrantfile index 92e29c3c3b..1e198139f8 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -64,8 +64,6 @@ Vagrant.configure('2') do |config| fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager\n\nOr install landrush for multisite subdomains:\nvagrant plugin install landrush" end - bin_path = File.join(ANSIBLE_PATH_ON_VM, 'bin') - vagrant_mount_type = vconfig.fetch('vagrant_mount_type') extra_options = if vagrant_mount_type == 'smb' @@ -84,7 +82,6 @@ Vagrant.configure('2') do |config| end config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 644), type: vagrant_mount_type, **extra_options - config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 755), type: vagrant_mount_type, **extra_options elsif !Vagrant.has_plugin?('vagrant-bindfs') fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" else 
@@ -95,7 +92,6 @@ Vagrant.configure('2') do |config| config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' - config.bindfs.bind_folder bin_path, bin_path, perms: '0755' end vconfig.fetch('vagrant_synced_folders', []).each do |folder| diff --git a/bin/deploy.sh b/bin/deploy.sh deleted file mode 100755 index 0b346e8e34..0000000000 --- a/bin/deploy.sh +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash -shopt -s nullglob - -ENVIRONMENTS=( hosts/* ) -ENVIRONMENTS=( "${ENVIRONMENTS[@]##*/}" ) - -show_usage() { - echo "Usage: deploy [options] - - is the environment to deploy to ("staging", "production", etc) - is the WordPress site to deploy (name defined in "wordpress_sites") -[options] is any number of parameters that will be passed to ansible-playbook - -Available environments: -`( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" )` - -Examples: - deploy staging example.com - deploy production example.com - deploy staging example.com -vv -T 60 -" -} - -[[ $# -lt 2 ]] && { show_usage; exit 127; } - -for arg -do - [[ $arg = -h ]] && { show_usage; exit 0; } -done - -ENV="$1"; shift -SITE="$1"; shift -EXTRA_PARAMS=$@ -DEPLOY_CMD="ansible-playbook deploy.yml -e env=$ENV -e site=$SITE $EXTRA_PARAMS" -HOSTS_FILE="hosts/$ENV" - -if [[ ! -e $HOSTS_FILE ]]; then - echo "Error: $ENV is not a valid environment ($HOSTS_FILE does not exist)." - echo - echo "Available environments:" - ( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" ) - exit 1 -fi - -$DEPLOY_CMD diff --git a/bin/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh deleted file mode 100755 index e60e4d48bb..0000000000 --- a/bin/xdebug-tunnel.sh +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/bash -show_usage() { - echo " -Usage: bin/xdebug-tunnel.sh - - can be 'open' or 'close' - is the hostname, IP, or inventory alias in your \`hosts/\` file. - -Examples: - To open a tunnel: - bin/xdebug-tunnel.sh open 12.34.56.78 - - To close a tunnel: - bin/xdebug-tunnel.sh close 12.34.56.78 -" -} - -ENABLE_TCP_FORWARDING= -if [[ $1 == "open" ]]; then - REMOTE_ENABLE=1 - ENABLE_TCP_FORWARDING="-e sshd_allow_tcp_forwarding=yes" -elif [[ $1 == "close" ]]; then - REMOTE_ENABLE=0 -else - >&2 echo "The provided argument '${1}' is not acceptable." - show_usage - exit 1 -fi - -if [[ -z $2 ]]; then - >&2 echo "The argument is required." - show_usage - exit 1 -fi - -XDEBUG_ENABLE="-e xdebug_remote_enable=${REMOTE_ENABLE}" -SSH_HOST="-e xdebug_tunnel_inventory_host=$2" - -if [[ -n $DEBUG ]]; then - PARAMS="$PARAMS ${VERBOSITY:--vvvv}" -fi - -ansible-playbook xdebug-tunnel.yml $XDEBUG_ENABLE $ENABLE_TCP_FORWARDING $SSH_HOST $PARAMS From 0e6aa1eca20e3bc14e27b6730d56a542c15d4d69 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 28 Jan 2022 17:20:17 -0500 Subject: [PATCH 416/663] Create mysql my.cnf credentials file earlier In some situations the "Set root user password" task might fail because it tries to connect with no root password. Moving the my.cnf credentials file task above it fixes that situation and also just makes more sense in general. --- CHANGELOG.md | 1 + roles/mariadb/tasks/main.yml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 22c84c09a9..c77e5960aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Create mysql my.cnf credentials file earlier ([#1360](https://github.com/roots/trellis/pull/1360)) * Remove bin scripts (trellis-cli should be used instead) ([#1352](https://github.com/roots/trellis/pull/1352)) * Update `wp_cli_version` to `2.6.0` ([#1358](https://github.com/roots/trellis/pull/1358)) * Deploy hook build example: Update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356)) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 4a533a0ba9..0da81f6f95 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -33,6 +33,14 @@ when: mysql_binary_logging_disabled | bool notify: restart mysql server + - name: Copy .my.cnf file with root password credentials. + template: + src: my.cnf.j2 + dest: ~/.my.cnf + owner: root + group: root + mode: '0600' + - name: Set root user password mysql_user: name: root @@ -47,14 +55,6 @@ - ::1 - localhost - - name: Copy .my.cnf file with root password credentials. - template: - src: my.cnf.j2 - dest: ~/.my.cnf - owner: root - group: root - mode: '0600' - - name: Delete anonymous MySQL server users mysql_user: user: "" From 56582d408054f556e8d634a6308730ec17f75068 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 31 Jan 2022 18:04:28 -0600 Subject: [PATCH 417/663] Update README.md --- README.md | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index fb94b64b48..ac9977290b 100644 --- a/README.md +++ b/README.md @@ -13,8 +13,8 @@ Release - - Build Status + + Build Status @@ -24,12 +24,10 @@
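Review bot: The moved `Copy .my.cnf file with root password credentials.` task renders a template that carries the root password, and the `template` module prints rendered content when the play runs with `--diff` and echoes task arguments under verbose output, so the task should carry `no_log: true` alongside `mode: '0600'`. The reordering itself is sound: the credentials file now exists before `Set root user password` attempts to authenticate. The surrounding block and its `become` settings start outside the hunk, so whether `~` resolves to root's home directory could not be confirmed from here.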

Ansible-powered LEMP stack for WordPress -
- Built with ❤️

- Official Website | Documentation | Change Log + Website    Documentation    Releases    Support

## Supporting @@ -40,7 +38,7 @@ However, the amount of effort needed to maintain and develop new features and pr
-[![Sponsor on GitHub](https://img.shields.io/static/v1?label=sponsor&message=%E2%9D%A4&logo=GitHub)](https://github.com/sponsors/roots) +[![Sponsor on GitHub](https://img.shields.io/static/v1?label=sponsor&message=%E2%9D%A4&logo=GitHub&style=flat-square)](https://github.com/sponsors/roots) [![Sponsor on Patreon](https://img.shields.io/badge/sponsor-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) [![Donate via PayPal](https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square&logo=paypal)](https://www.paypal.me/rootsdev) @@ -73,10 +71,6 @@ Trellis will configure a server with the following and more: - Memcached - Fail2ban and ferm -## Documentation - -Full documentation is available at [https://docs.roots.io/trellis/master/installation/](https://docs.roots.io/trellis/master/installation/). - ## Requirements See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements and our [getting started pages](https://docs.roots.io/getting-started) for more OS specific instructions. 
@@ -152,22 +146,18 @@ project trellis-cli compatible by initializing it: $ trellis init ``` -## Contributing - -Contributions are welcome from everyone. We have [contributing guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) to help you get started. - ## Trellis sponsors -Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). +Help support our open-source development efforts by [becoming a GitHub sponsor](https://github.com/sponsors/roots) or [patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com Pantheon +KM Digital Carrot C21 Redwood Realty WordPress.com Pantheon ## Community Keep track of development and community news. +- Join us on Roots Slack by becoming a [GitHub sponsor](https://github.com/sponsors/roots) or [patron](https://www.patreon.com/rootsdev) - Participate on the [Roots Discourse](https://discourse.roots.io/) - Follow [@rootswp on Twitter](https://twitter.com/rootswp) - Read and subscribe to the [Roots Blog](https://roots.io/blog/) - Subscribe to the [Roots Newsletter](https://roots.io/subscribe/) -- Listen to the [Roots Radio podcast](https://roots.io/podcast/) From 2225973005119112e0167ac34c9500c3fb0464b0 Mon Sep 17 00:00:00 2001 From: Lucas DEMEA Date: Sat, 12 Feb 2022 20:24:47 +0100 Subject: [PATCH 418/663] allow to copy subfolders between releases --- roles/deploy/tasks/build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index d5a99316c5..aa0e043e69 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml 
@@ -27,7 +27,11 @@ with_items: "{{ project.project_copy_folders | default(project_copy_folders) }}" - name: Copy project folders - command: cp -rp {{ deploy_helper.current_path }}/{{ item.item }} {{ deploy_helper.new_release_path }} + copy: + src: "{{ deploy_helper.current_path }}/{{ item.item }}/" + dest: "{{ deploy_helper.new_release_path }}/{{ item.item }}" + remote_src: true + mode: 'preserve' with_items: "{{ project_folder_paths.results }}" when: item.stat.exists From 1b900f3d6433c9644513354c1b15260d1b03ff29 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 26 Jan 2022 19:24:08 -0500 Subject: [PATCH 419/663] Add integration test using trellis-cli Uses trellis-cli to create a new Trellis project from the current SHA. The project is provisioned and deployed all using trellis-cli. Finally the site is verified that WordPress was actually installed and working. The steps are a little more complex than someone provisioning a normal remote server for a few reasons: 1. GitHub's Ubuntu image has a lot of software installed by default including mysql-server which needs to be purged completely. 2. there's a few workarounds to force Ansible to use a local connection since we aren't actually SSHing into a remote server. --- .github/workflows/integration.yml | 51 +++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/integration.yml diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml new file mode 100644 index 0000000000..96cd6fc7e4 --- /dev/null +++ b/.github/workflows/integration.yml 
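Review bot: Replacing `cp -rp` with `copy` plus `mode: 'preserve'` keeps permission bits but not ownership or timestamps, which `-p` did preserve, so files carried between releases will now be owned by the connecting user; if anything in the copied folders (uploads written by the web server, for example) depends on the previous owner, explicit `owner`/`group` or a follow-up `file` task is needed. Also confirm that `copy` with `remote_src: true` creates missing parent directories for a nested `item.item` such as `a/b/c` — the trailing slash on `src` copies directory contents into `dest`, and if the parent is not created automatically it must be created first. The `with_items`/`when` pair continues a task list that begins outside the hunk.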
@@ -0,0 +1,51 @@ +name: Integration + +on: + push: + branches: + - master + workflow_dispatch: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: mkdir $HOME/.ssh + - name: Remove and cleanup mysql + run: | + sudo apt-get remove --purge mysql* + sudo apt-get autoremove + sudo apt-get autoclean + sudo rm -rf /etc/apparmor.d/abstractions/mysql /etc/apparmor.d/cache/usr.sbin.mysqld /etc/mysql /var/lib/mysql /var/log/mysql* /var/log/upstart/mysql.log* /var/run/mysqld ~/.mysql_history + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + - uses: actions/setup-python@v2 + with: + python-version: '3.9' + - uses: roots/setup-trellis-cli@v1 + with: + ansible-vault-password: 'fake' + auto-init: false + galaxy-install: false + trellis-directory: '.' + - name: Create new Trellis project + run: trellis new --name example.com --host www.example.com --trellis-version ${{ github.sha }} ./example.com + - name: Update configs + run: | + sudo echo "127.0.0.1 www.example.com example.com" | sudo tee -a /etc/hosts + rm hosts/production && echo -e "[production]\nlocalhost ansible_connection=local\n[web]\nlocalhost ansible_connection=local\n" > hosts/production + sed --in-place '/repo_subtree_path: site/d' group_vars/production/wordpress_sites.yml + working-directory: example.com/trellis + - name: Provision + run: trellis provision --extra-vars web_user=runner production + working-directory: example.com + - name: Deploy + run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production + working-directory: example.com + - name: Install WordPress + run: | + wp core install --url="http://example.com" --title="Example.com" --admin_user="admin" --admin_password="password" --admin_email="admin@example.com" + working-directory: /srv/www/example.com/current + - name: Verify install + run: curl -s http://www.example.com | grep "Example" From c41bb8d92ee5751e8758275586356afa07f82604 Mon Sep 17 00:00:00 2001 
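Review bot: `sudo apt-get remove --purge mysql*` in the `Remove and cleanup mysql` step leaves the glob unquoted, so the shell expands it against the working directory before apt sees it; write `sudo apt-get remove --purge 'mysql*'` so apt receives the pattern regardless of which files happen to be present. The third-party actions (`actions/checkout@v2`, `actions/setup-python@v2`, `roots/setup-trellis-cli@v1`) are pinned to mutable tags; pinning each to a full commit SHA with a trailing `# vX.Y.Z` comment protects the job from a moved or compromised tag. `sudo echo "..." | sudo tee -a /etc/hosts` also carries a redundant `sudo` on the echo side; `echo "..." | sudo tee -a /etc/hosts` is enough. The literal credentials (`ansible-vault-password: 'fake'`, `--admin_password="password"`) are acceptable only because the runner is ephemeral, and a one-line comment saying so would stop them being copied into a real playbook.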
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 15 Feb 2022 10:40:22 -0500 Subject: [PATCH 420/663] Ensure correct PHP version is set Background: https://github.com/roots/trellis/issues/1354 https://github.com/roots/trellis/pull/1355 fixed half of this problem, but there's still situations where php-cli ends up defaulting to 8.1. This ensures the correct version of PHP is always set based on `php_version` by using the `update-alternatives` command. --- roles/php/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index e70d1cbf57..eaec4b4f16 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -12,6 +12,11 @@ install_recommends: no with_dict: "{{ php_extensions }}" +- name: Ensure correct PHP version selected + community.general.alternatives: + name: php + path: /usr/bin/php{{ php_version }} + - name: Start php fpm service service: name: "php{{ php_version }}-fpm" From f42e15fa8d82e1a7db7fef199f5579f0d8431307 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 15 Feb 2022 12:15:48 -0500 Subject: [PATCH 421/663] Run integration tests on pull requests --- .github/workflows/integration.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 96cd6fc7e4..ebb53a7062 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -4,6 +4,9 @@ on: push: branches: - master + pull_request: + branches: + - master workflow_dispatch: jobs: From fa1a5a42b0f892224625b5cd640293949921b2a3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 16 Feb 2022 23:43:57 -0500 Subject: [PATCH 422/663] v1.14.0 --- CHANGELOG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c77e5960aa..39e9e0942b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
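Review bot: The new `Ensure correct PHP version selected` task uses `community.general.alternatives`, which ships with the `ansible` meta-package but not with a bare `ansible-core` install, so the collection should be declared in the project's collection requirements (where those live is not visible here) or the task fails with an unresolved-module error. `path: /usr/bin/php{{ php_version }}` is a plain scalar carrying a Jinja expression; quoting it as `path: "/usr/bin/php{{ php_version }}"` matches the quoting of `name: "php{{ php_version }}-fpm"` a few lines below. The enclosing task list continues outside the hunk.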
@@ -1,8 +1,10 @@ -### HEAD +### 1.14.0: February 16th, 2022 +* Fix #1026 - Preserve nested path for copied folders between deploys ([#1364](https://github.com/roots/trellis/pull/1364)) +* Fix #1354 - Ensure correct PHP version is set ([#1365](https://github.com/roots/trellis/pull/1365)) * Create mysql my.cnf credentials file earlier ([#1360](https://github.com/roots/trellis/pull/1360)) * Remove bin scripts (trellis-cli should be used instead) ([#1352](https://github.com/roots/trellis/pull/1352)) * Update `wp_cli_version` to `2.6.0` ([#1358](https://github.com/roots/trellis/pull/1358)) -* Deploy hook build example: Update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356)) +* Deploy hook build example: update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356)) ### 1.13.0: January 21st, 2022 * Fix #1354 - Prevent apt from installing recommended packages for php ([#1355](https://github.com/roots/trellis/pull/1355)) From f931c899453fdf4acec8dc92217eed1a2fb9b3d1 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 28 Jan 2022 18:29:03 -0500 Subject: [PATCH 423/663] Remove python2 support Python 2 has been EOL for a while now anad is unsupported. macOS is removing it as well as of 12.3 Trellis was compatible with both Python 2 or 3 but it took some extra work and complexity. This removes all workarounds for python2 and makes python3 a requirement. --- .github/workflows/ci.yml | 2 +- CHANGELOG.md | 3 +++ Vagrantfile | 3 +-- dev.yml | 7 ------- lib/trellis/__init__.py | 3 --- lib/trellis/plugins/callback/output.py | 4 ---- lib/trellis/plugins/callback/vars.py | 3 --- lib/trellis/plugins/filter/filters.py | 4 ---- lib/trellis/plugins/vars/version.py | 4 ---- lib/trellis/utils/__init__.py | 3 --- lib/trellis/utils/output.py | 4 +--- roles/common/defaults/main.yml | 20 +++++--------------- roles/letsencrypt/library/test_challenges.py | 9 ++------- roles/letsencrypt/templates/renew-certs.py | 6 ++---- roles/python_interpreter/tasks/main.yml | 11 ----------- server.yml | 7 ------- vagrant.default.yml | 1 - 17 files changed, 15 insertions(+), 79 deletions(-) delete mode 100644 lib/trellis/__init__.py delete mode 100644 lib/trellis/utils/__init__.py delete mode 100644 roles/python_interpreter/tasks/main.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4133c470c..67ab61288b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: ['2.x', '3.x'] + python-version: ['3.x'] steps: - uses: actions/checkout@v2 - uses: actions/setup-python@v2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 39e9e0942b..d18d304b1b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,6 @@ +### HEAD +* Remove Python 2 support ([#1361](https://github.com/roots/trellis/pull/1361)) + ### 1.14.0: February 16th, 2022 * Fix #1026 - Preserve nested path for copied folders between deploys ([#1364](https://github.com/roots/trellis/pull/1364)) * Fix #1354 - Ensure correct PHP version is set ([#1365](https://github.com/roots/trellis/pull/1365)) diff --git a/Vagrantfile b/Vagrantfile index 1e198139f8..1fb5a27031 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -115,9 +115,8 @@ Vagrant.configure('2') do |config| config.vm.provision provisioner do |ansible| if local_provisioning? - ansible.extra_vars = { ansible_python_interpreter: vconfig.fetch('vagrant_ansible_python_interpreter') } ansible.install_mode = 'pip' - ansible.pip_install_cmd = 'sudo apt-get install -y -qq python3-distutils && curl https://bootstrap.pypa.io/get-pip.py | sudo python3' + ansible.pip_install_cmd = 'sudo apt-get install -y -qq python3-pip' ansible.provisioning_path = provisioning_path ansible.version = vconfig.fetch('vagrant_ansible_version') end diff --git a/dev.yml b/dev.yml index 4b86ffc748..2ef8d4eaac 100644 --- a/dev.yml +++ b/dev.yml @@ -1,11 +1,4 @@ --- -- name: Set ansible_python_interpreter - hosts: web:&development - gather_facts: false - become: yes - roles: - - { role: python_interpreter, tags: [always] } - - name: "WordPress Server: Install LEMP Stack with PHP and MariaDB MySQL" hosts: web:&development become: yes diff --git a/lib/trellis/__init__.py b/lib/trellis/__init__.py deleted file mode 100644 index 980f84a225..0000000000 --- a/lib/trellis/__init__.py +++ /dev/null @@ -1,3 +0,0 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index cf8fe73d11..61935552a0 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py 
@@ -1,7 +1,3 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - import os.path import sys diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index f42bebf2c8..2ffbbf9854 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -1,6 +1,3 @@ -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - import re import sys import os diff --git a/lib/trellis/plugins/filter/filters.py b/lib/trellis/plugins/filter/filters.py index 6c8eed5eb7..8b4f624232 100644 --- a/lib/trellis/plugins/filter/filters.py +++ b/lib/trellis/plugins/filter/filters.py @@ -1,7 +1,3 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function, unicode_literals) -__metaclass__ = type - import types from ansible import errors diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 951cf30d2a..32acf93327 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -1,7 +1,3 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - from ansible import __version__ from ansible.errors import AnsibleError from distutils.version import LooseVersion diff --git a/lib/trellis/utils/__init__.py b/lib/trellis/utils/__init__.py deleted file mode 100644 index 980f84a225..0000000000 --- a/lib/trellis/utils/__init__.py +++ /dev/null @@ -1,3 +0,0 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 33dbc4b55a..4ae252df67 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py 
@@ -1,5 +1,4 @@ # Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) __metaclass__ = type import os.path @@ -9,7 +8,6 @@ from ansible import __version__ from ansible.module_utils._text import to_text -from ansible.module_utils.six import string_types def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry @@ -91,7 +89,7 @@ def display(obj, result): # Must pass unicode strings to Display.display() to prevent UnicodeError tracebacks if isinstance(msg, list): msg = '\n'.join([to_text(x) for x in msg]) - elif not isinstance(msg, string_types): + elif not isinstance(msg, str): msg = to_text(msg) # Wrap text diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 40bfd96589..2ba0cb8252 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -20,7 +20,7 @@ site_keys_by_env_pair: "[ {% endfor %} ]" -_apt_packages_default: +apt_packages_default: build-essential: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" 
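Review bot: After dropping the `from __future__` import, the `# Make coding more python3-ish` comment and the `__metaclass__ = type` line kept on the new side are leftovers: `__metaclass__` has no effect on Python 3 and the comment now describes nothing, so both should go with the import. The `isinstance(msg, str)` change in this file's later hunk is right for a py3-only codebase, and the `to_text` call that follows it is still needed for `bytes` input. Both hunks are excerpts of functions that start outside them.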
@@ -29,22 +29,12 @@ _apt_packages_default: imagemagick: "{{ apt_package_state }}" libgs-dev: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" - python: "{{ apt_package_state }}" + python3: "{{ apt_package_state }}" + python3-software-properties: "{{ apt_package_state }}" + python3-mysqldb: "{{ apt_package_state }}" + python3-pycurl: "{{ apt_package_state }}" unzip: "{{ apt_package_state }}" -apt_packages_python: - '2': - python-software-properties: "{{ apt_package_state }}" - python-mysqldb: "{{ apt_package_state }}" - python-pycurl: "{{ apt_package_state }}" - '3': - python3-software-properties: "{{ apt_package_state }}" - python3-mysqldb: "{{ apt_package_state }}" - python3-pycurl: "{{ apt_package_state }}" - -python_major_version: "{{ ansible_python_version[0] }}" -apt_packages_default: "{{ _apt_packages_default | combine(apt_packages_python[python_major_version]) }}" - apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" diff --git a/roles/letsencrypt/library/test_challenges.py b/roles/letsencrypt/library/test_challenges.py index d7f4a8cc2c..8d5899e745 100644 --- a/roles/letsencrypt/library/test_challenges.py +++ b/roles/letsencrypt/library/test_challenges.py @@ -1,13 +1,8 @@ -#!/usr/bin/python +#!/usr/bin/python3 # -*- coding: utf-8 -*- import socket - -try: - from httplib import HTTPConnection, HTTPException -except ImportError: - # Python 3 - from http.client import HTTPConnection, HTTPException +from http.client import HTTPConnection, HTTPException DOCUMENTATION = ''' --- diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 72106e3611..b13ed8efa6 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -1,6 +1,4 @@ -#!/usr/bin/env python - -from __future__ import print_function +#!/usr/bin/env python3 import os import sys 
@@ -29,7 +27,7 @@ 'Not creating a new certificate.'.format(bundled_hashed_cert_path)) else: - cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + cmd = ('/usr/bin/env python3 {{ acme_tiny_software_directory }}/acme_tiny.py ' '--quiet ' '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' diff --git a/roles/python_interpreter/tasks/main.yml b/roles/python_interpreter/tasks/main.yml deleted file mode 100644 index 3fa493d310..0000000000 --- a/roles/python_interpreter/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ -- block: - - name: Get Ubuntu version - raw: lsb_release -rs - register: ubuntu_version - changed_when: false - - name: Set ansible_python_interpreter for Ubuntu >= 18.04 - set_fact: - ansible_python_interpreter: python3 - when: ubuntu_version.stdout | trim is version('18.04', '>=') - when: ansible_python_interpreter is not defined - tags: always diff --git a/server.yml b/server.yml index cdc43e206a..be9a456eb4 100644 --- a/server.yml +++ b/server.yml @@ -9,13 +9,6 @@ roles: - { role: connection, tags: [connection, always] } -- name: Set ansible_python_interpreter - hosts: web:&{{ env }} - gather_facts: false - become: yes - roles: - - { role: python_interpreter, tags: [always] } - - name: WordPress Server - Install LEMP Stack with PHP and MariaDB MySQL hosts: web:&{{ env }} become: yes diff --git a/vagrant.default.yml b/vagrant.default.yml index 581f36a61c..b02ed2384f 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -5,7 +5,6 @@ vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 202012.23.0' vagrant_ansible_version: '2.10.7' -vagrant_ansible_python_interpreter: '/usr/bin/python3' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From f409fe3895a4d7d1e7368fa57aed37a389a05bee Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 20 Feb 2022 16:25:23 -0500 Subject: [PATCH 424/663] Require python3 in code --- lib/trellis/plugins/vars/version.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 32acf93327..81d206d810 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -2,7 +2,7 @@ from ansible.errors import AnsibleError from distutils.version import LooseVersion from operator import eq, ge, gt -from sys import version_info +from platform import python_version, python_version_tuple try: from __main__ import display @@ -13,6 +13,11 @@ version_requirement = '2.10.0' version_tested_max = '2.10.16' +if python_version_tuple()[0] == '2': + raise AnsibleError(('Trellis no longer supports Python 2 (you are using version {}).' + ' Python 2 reached end of life in 2020 and is unmaintained.\n' + 'Python 3 is required as of Trellis version v1.15.0.').format(python_version())) + if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 'Please upgrade to Ansible {} or higher.').format(__version__, version_requirement)) From 7b7061ee607c99d2d700c119921d717d9a495f04 Mon Sep 17 00:00:00 2001 
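Review bot: The new Python 2 guard sits after `from distutils.version import LooseVersion`, and `distutils` is deprecated since Python 3.10 and removed in 3.12, so the module that now enforces Python 3 will itself fail to import on current interpreters; replacing `LooseVersion` with a comparison that does not need `distutils` should be planned alongside this change. The check itself works, though `python_version_tuple()[0] == '2'` compares strings; `import sys` with `if sys.version_info < (3,):` reads more directly and avoids the extra `platform` import. The rest of the plugin is outside the hunk.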
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 15 Feb 2022 12:50:06 -0500 Subject: [PATCH 425/663] Add HTTPS site to integration tests --- .github/actions/setup-step-ca/action.yml | 42 ++++++++++++++++++++++++ .github/files/inventory | 4 +++ .github/files/step-ca.service | 15 +++++++++ .github/files/vault.yml | 36 ++++++++++++++++++++ .github/files/wordpress_sites.yml | 34 +++++++++++++++++++ .github/workflows/integration.yml | 25 ++++++++++---- 6 files changed, 149 insertions(+), 7 deletions(-) create mode 100644 .github/actions/setup-step-ca/action.yml create mode 100644 .github/files/inventory create mode 100644 .github/files/step-ca.service create mode 100644 .github/files/vault.yml create mode 100644 .github/files/wordpress_sites.yml diff --git a/.github/actions/setup-step-ca/action.yml b/.github/actions/setup-step-ca/action.yml new file mode 100644 index 0000000000..1f95236d7f --- /dev/null +++ b/.github/actions/setup-step-ca/action.yml 
@@ -0,0 +1,42 @@ +name: Setup Step CA ACME server +description: Installs and runs an ACME compatible server via step-ca +inputs: + path: + description: 'step-ca path' + required: false + default: /root/.step +runs: + using: composite + steps: + - name: Set STEP_CA_PATH env + run: echo STEP_CA_PATH=${{ inputs.path }} >> $GITHUB_ENV + shell: bash + - name: Download packages + run: | + wget -q https://dl.step.sm/gh-release/cli/docs-ca-install/v0.18.1/step-cli_0.18.1_amd64.deb + wget -q https://dl.step.sm/gh-release/certificates/docs-ca-install/v0.18.1/step-ca_0.18.1_amd64.deb + shell: bash + - name: Install packages + run: | + sudo dpkg -i step-cli_0.18.1_amd64.deb + sudo dpkg -i step-ca_0.18.1_amd64.deb + shell: bash + - name: Create password file + run: | + sudo mkdir $STEP_CA_PATH && sudo touch $STEP_CA_PATH/password.txt + echo $(openssl rand -hex 12) | sudo tee $STEP_CA_PATH/password.txt + shell: bash + - name: Initialize + run: | + sudo step ca init --name trellis-local-ca --dns 127.0.0.1 --address :8443 --provisioner admin --password-file $STEP_CA_PATH/password.txt --provisioner-password-file $STEP_CA_PATH/password.txt + sudo step ca provisioner add acme --type ACME + shell: bash + - name: Install certificate to system + run: | + sudo step certificate install $STEP_CA_PATH/certs/root_ca.crt + shell: bash + - name: Run service + run: | + sudo cp .github/files/step-ca.service /etc/systemd/system/step-ca.service + sudo systemctl start step-ca + shell: bash diff --git a/.github/files/inventory b/.github/files/inventory new file mode 100644 index 0000000000..87d5779a91 --- /dev/null +++ b/.github/files/inventory @@ -0,0 +1,4 @@ +[production] +localhost ansible_connection=local +[web] +localhost ansible_connection=local diff --git a/.github/files/step-ca.service b/.github/files/step-ca.service new file mode 100644 index 0000000000..e62cc2bc5d --- /dev/null +++ b/.github/files/step-ca.service 
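Review bot: The `Download packages` step fetches two `.deb` files with `wget -q` and `Install packages` installs them with `sudo dpkg -i` without any checksum, so a replaced or tampered release asset would be installed as root on the runner; add a `sha256sum --check` against pinned digests (the expected values are not on this page) between the two steps. The `Create password file` step writes the CA password through `sudo tee`, which leaves `password.txt` at the default umask (typically 0644), so a `sudo chmod 600 $STEP_CA_PATH/password.txt` after the `tee` keeps it readable only by root, which is the user the service runs as. `echo STEP_CA_PATH=${{ inputs.path }} >> $GITHUB_ENV` interpolates the input straight into the shell; routing it through an `env:` entry on the step and expanding the variable avoids shell injection should the action ever receive an untrusted value. The composite action ends with this hunk.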
@@ -0,0 +1,15 @@ +[Unit] +Description=step-ca service +After=network.target +StartLimitIntervalSec=0 + +[Service] +Type=simple +Restart=always +RestartSec=1 +Environment=STEPPATH=/root/.step +WorkingDirectory=/root/.step +ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt + +[Install] +WantedBy=multi-user.target diff --git a/.github/files/vault.yml b/.github/files/vault.yml new file mode 100644 index 0000000000..0dd232f46a --- /dev/null +++ b/.github/files/vault.yml @@ -0,0 +1,36 @@ +# Documentation: https://roots.io/trellis/docs/vault/ +vault_mysql_root_password: productionpw + +# Documentation: https://roots.io/trellis/docs/security/ +vault_users: + - name: "{{ admin_user }}" + password: example_password + salt: "generateme" + +# Variables to accompany `group_vars/production/wordpress_sites.yml` +# Note: the site name (`example.com`) must match up with the site name in the above file. +vault_wordpress_sites: + example.com: + env: + db_password: example_dbpassword + # Generate your keys here: https://roots.io/salts.html + auth_key: "generateme" + secure_auth_key: "generateme" + logged_in_key: "generateme" + nonce_key: "generateme" + auth_salt: "generateme" + secure_auth_salt: "generateme" + logged_in_salt: "generateme" + nonce_salt: "generateme" + example-https.com: + env: + db_password: example_dbpassword + # Generate your keys here: https://roots.io/salts.html + auth_key: "generateme" + secure_auth_key: "generateme" + logged_in_key: "generateme" + nonce_key: "generateme" + auth_salt: "generateme" + secure_auth_salt: "generateme" + logged_in_salt: "generateme" + nonce_salt: "generateme" diff --git a/.github/files/wordpress_sites.yml b/.github/files/wordpress_sites.yml new file mode 100644 index 0000000000..8fa390b191 --- /dev/null +++ b/.github/files/wordpress_sites.yml 
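Review bot: `Environment=STEPPATH=/root/.step` and `WorkingDirectory=/root/.step` hard-code the path that the companion `setup-step-ca` action exposes as a configurable `path` input (default `/root/.step`), so passing any other value to the action leaves the unit pointing at a directory that was never initialised. Either drop the input or template the unit from `STEP_CA_PATH` before copying it into `/etc/systemd/system`. The unit also runs as root with no `User=`; that is tolerable on an ephemeral runner but worth a `# CI-only unit, runs as root` comment so it is not reused as a production service file.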
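Review bot: `.github/files/vault.yml` is a plaintext fixture committed under the name of a file that Trellis normally keeps Ansible-Vault encrypted, with literal values such as `vault_mysql_root_password: productionpw` and `"generateme"` salts. A header comment like `# CI fixture: intentionally unencrypted throwaway values - never copy into a real environment` would make that intent explicit for anyone who finds the file by name. The `vault_users` entry reuses `example_password`/`"generateme"` for `admin_user`; that is fine on an ephemeral runner but belongs in the same comment.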
@@ -0,0 +1,34 @@ +letsencrypt_contact_emails: + - admin@example.com + +wordpress_sites: + example.com: + site_hosts: + - canonical: example.com + redirects: + - www.example.com + local_path: ../site + repo: git@github.com:roots/bedrock.git + branch: master + multisite: + enabled: false + ssl: + enabled: false + provider: letsencrypt + cache: + enabled: true + example-https.com: + site_hosts: + - canonical: example-https.com + redirects: + - www.example-https.com + local_path: ../site + repo: git@github.com:roots/bedrock.git + branch: master + multisite: + enabled: false + ssl: + enabled: true + provider: letsencrypt + cache: + enabled: false diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index ebb53a7062..0cc9c0f380 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -26,6 +26,7 @@ jobs: - uses: actions/setup-python@v2 with: python-version: '3.9' + - uses: ./.github/actions/setup-step-ca - uses: roots/setup-trellis-cli@v1 with: ansible-vault-password: 'fake' 
@@ -36,19 +37,29 @@ jobs: run: trellis new --name example.com --host www.example.com --trellis-version ${{ github.sha }} ./example.com - name: Update configs run: | - sudo echo "127.0.0.1 www.example.com example.com" | sudo tee -a /etc/hosts - rm hosts/production && echo -e "[production]\nlocalhost ansible_connection=local\n[web]\nlocalhost ansible_connection=local\n" > hosts/production - sed --in-place '/repo_subtree_path: site/d' group_vars/production/wordpress_sites.yml + sudo echo "127.0.0.1 www.example.com example.com www.example-https.com example-https.com" | sudo tee -a /etc/hosts + cp ../../.github/files/inventory hosts/production + cp ../../.github/files/wordpress_sites.yml group_vars/production/wordpress_sites.yml + cp ../../.github/files/vault.yml group_vars/production/vault.yml working-directory: example.com/trellis - name: Provision - run: trellis provision --extra-vars web_user=runner production + run: trellis provision --extra-vars "web_user=runner letsencrypt_ca=https://127.0.0.1:8443/acme/acme" production working-directory: example.com - - name: Deploy - run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production + - name: Deploy non-https site + run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production example.com working-directory: example.com - name: Install WordPress run: | wp core install --url="http://example.com" --title="Example.com" --admin_user="admin" --admin_password="password" --admin_email="admin@example.com" working-directory: /srv/www/example.com/current - name: Verify install - run: curl -s http://www.example.com | grep "<title>Example" + run: curl -s http://example.com | grep "<title>Example" + - name: Deploy https site + run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production example-https.com + working-directory: example.com + - name: Install WordPress + 
run: | + wp core install --url="http://example-https.com" --title="Example HTTPS" --admin_user="admin" --admin_password="password" --admin_email="admin@example.com" + working-directory: /srv/www/example-https.com/current + - name: Verify install + run: curl -s https://example-https.com | grep "<title>Example HTTPS" From 40b949a910373398e3fda06105287e0edf24051a Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sat, 26 Feb 2022 23:33:40 -0600 Subject: [PATCH 426/663] =?UTF-8?q?=F0=9F=93=9D=20remove=20getting=20start?= =?UTF-8?q?ed=20ref?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac9977290b..a350e8e28d 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ Trellis will configure a server with the following and more: ## Requirements -See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements and our [getting started pages](https://docs.roots.io/getting-started) for more OS specific instructions. +See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements. ## Installation From 4e3720724f441049c5865bb233bbd87417355ec9 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 12 Mar 2022 21:59:23 -0800 Subject: [PATCH 427/663] Support Ansible >= 2.10 This removes the upper version constraint and supports Ansible versions up to 5.4.0 (ansible-core 2.12) --- lib/trellis/plugins/vars/version.py | 2 +- requirements.txt | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 81d206d810..e05b94e800 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
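Review bot: The `Install WordPress` step for the https site passes `--url="http://example-https.com"` although `wordpress_sites.yml` provisions that site with `ssl.enabled: true` and the verify step fetches `https://example-https.com`; if Trellis's generated `WP_HOME` overrides the installed `siteurl` (not visible here) this is harmless, otherwise the check may only pass through a redirect, so `--url="https://example-https.com"` is the safer value. The `curl -s https://example-https.com | grep ...` check also depends on the step-ca root being trusted by the runner, presumably installed by `setup-step-ca`, and `-s` without `--fail` hides a TLS or HTTP error behind a generic grep failure; `curl -sSf https://example-https.com | grep "<title>Example HTTPS"` reports the real cause. The `sudo echo ... | sudo tee -a /etc/hosts` line rewritten in this hunk still carries a no-op `sudo` on `echo`; only the `tee` needs it.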
@@ -11,7 +11,7 @@ display = Display() version_requirement = '2.10.0' -version_tested_max = '2.10.16' +version_tested_max = '5.4.0' if python_version_tuple()[0] == '2': raise AnsibleError(('Trellis no longer supports Python 2 (you are using version {}).' diff --git a/requirements.txt b/requirements.txt index d794f8d619..5955db3396 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,2 @@ -ansible>=2.10.0,<3.0 -ansible-base>=2.10,<=2.10.16 +ansible>=2.10.0 passlib From b24115ce81faacb14f99c9b5485dfbf19c6a2e56 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 13 Mar 2022 18:43:55 -0700 Subject: [PATCH 428/663] Add Discourse release topic workflow --- .github/workflows/discourse.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/discourse.yml diff --git a/.github/workflows/discourse.yml b/.github/workflows/discourse.yml new file mode 100644 index 0000000000..c98763d53a --- /dev/null +++ b/.github/workflows/discourse.yml @@ -0,0 +1,19 @@ +name: Post release topic on Discourse + +on: + release: + types: [published] + +jobs: + post: + runs-on: ubuntu-latest + steps: + - uses: roots/discourse-topic-github-release-action@main + with: + discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }} + discourse-base-url: ${{ secrets.DISCOURSE_BASE_URL }} + discourse-author-username: swalkinshaw + discourse-category: 12 + discourse-tags: + trellis + releases From 9631aa53765b7503e8572244cad4ae1f8f85e80a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 17 Mar 2022 00:06:22 -0400 Subject: [PATCH 429/663] Add ansible version to integration tests --- .github/workflows/integration.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 0cc9c0f380..9741423727 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml 
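Review bot: `version_tested_max = '5.4.0'` names the `ansible` community-package release, while the adjacent `version_requirement = '2.10.0'` is an ansible-core version; if the comparison below (outside the hunk) reads `ansible.__version__`, which reports the core version (2.12.x for ansible 5.4.0, per the commit message), the "tested up to" ceiling can never be reached and the warning silently disappears. Express the ceiling in the same units as the requirement, `version_tested_max = '2.12.x'` with the core release actually tested, or add a comment stating which package's version this value refers to. The companion `requirements.txt` hunk drops the upper bound entirely, so this constant becomes the only place the tested range is recorded.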
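Review bot: `roots/discourse-topic-github-release-action@main` is a mutable branch reference that receives `DISCOURSE_RELEASES_API_KEY`; any change pushed to that branch runs here with the secret, so pin it to a release tag or full commit SHA (`- uses: roots/discourse-topic-github-release-action@<tag-or-sha>`) and bump deliberately. The workflow also declares no `permissions:` block, so the job presumably receives the repository's default `GITHUB_TOKEN` scope although it only needs to read release metadata; a top-level `permissions:` with `contents: read` is enough. `discourse-tags:` is written as a two-line plain scalar that YAML folds to `trellis releases`; if the action expects that exact space-separated form, `discourse-tags: "trellis releases"` makes the intent visible.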
@@ -42,6 +42,8 @@ jobs: cp ../../.github/files/wordpress_sites.yml group_vars/production/wordpress_sites.yml cp ../../.github/files/vault.yml group_vars/production/vault.yml working-directory: example.com/trellis + - run: trellis exec ansible-playbook --version + working-directory: example.com/trellis - name: Provision run: trellis provision --extra-vars "web_user=runner letsencrypt_ca=https://127.0.0.1:8443/acme/acme" production working-directory: example.com From a0c313f63efeaad3629e650f43cca54058098940 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 17 Mar 2022 00:19:56 -0400 Subject: [PATCH 430/663] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d18d304b1b..8ce3cda53d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Support Ansible >= 2.10 (tested up to 5.4.0) ([#1373](https://github.com/roots/trellis/pull/1373)) * Remove Python 2 support ([#1361](https://github.com/roots/trellis/pull/1361)) ### 1.14.0: February 16th, 2022 From b2905e0d587fcdab936885f62833545d3601659e Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Fri, 18 Mar 2022 00:06:52 -0500 Subject: [PATCH 431/663] =?UTF-8?q?=F0=9F=93=84=20update=20name?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- LICENSE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE.md b/LICENSE.md index ee859d0f58..1b5cd27da6 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,4 +1,4 @@ -Copyright (c) Roots +Copyright (c) Roots Software Foundation LLC Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in From 6db53e76b602663edfc5efc87a8a0dacde1ba395 Mon Sep 17 00:00:00 2001 
From: Paul Brzeski <mail@paulbrzeski.com> Date: Tue, 22 Mar 2022 06:38:58 +0000 Subject: [PATCH 432/663] Updating ntp role to latest (2.3.1) --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 5004ac69b6..3a526930eb 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 2.2.0 + version: 2.3.1 - name: logrotate src: nickhammond.logrotate From fa082f263b6f398258547df370624809d32c9af9 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Mon, 28 Mar 2022 08:40:35 -0500 Subject: [PATCH 433/663] =?UTF-8?q?=E2=9C=A8=20add=20`build-after`=20place?= =?UTF-8?q?holder=20(#1377)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- deploy-hooks/build-after.yml | 11 +++++++++++ deploy-hooks/build-before.yml | 4 ++-- roles/deploy/defaults/main.yml | 1 + 3 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 deploy-hooks/build-after.yml diff --git a/deploy-hooks/build-after.yml b/deploy-hooks/build-after.yml new file mode 100644 index 0000000000..9cce3a2ac3 --- /dev/null +++ b/deploy-hooks/build-after.yml @@ -0,0 +1,11 @@ +# Placeholder `deploy_build_after` hook +# +# ⚠️ This example assumes your theme is using Sage 10 +# +# Uncomment the lines below if you are using Sage 10 +# +# --- +# - name: Run Acorn optimize +# command: wp acorn optimize +# args: +# chdir: "{{ deploy_helper.new_release_path }}" diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 87951f4735..78003bd92c 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml 
@@ -2,9 +2,9 @@ # host machine and then copying the files to the remote server # # ⚠️ This example assumes your theme is using Sage 10 -# An example for themes built with Sage 8 can be found at: https://git.io/vdgUt # -# Uncomment the lines below and replace `sage` with your theme folder +# Uncomment the lines below if you are using Sage 10 +# and replace `sage` with your theme folder # # --- # - name: Install npm dependencies diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 597fa036b2..50b91e6b8b 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -67,6 +67,7 @@ deploy_build_before: deploy_build_after: - "{{ playbook_dir }}/roles/deploy/hooks/build-after.yml" + - "{{ playbook_dir }}/deploy-hooks/build-after.yml" # - "{{ playbook_dir }}/deploy-hooks/sites/{{ site }}-build-after.yml" deploy_finalize_before: From 1abd6575aeddfe75f9997e0040d5d643086a23cf Mon Sep 17 00:00:00 2001 From: Hemang Ajmera <hemang.ajmera@teliacompany.com> Date: Thu, 14 Apr 2022 18:47:16 +0530 Subject: [PATCH 434/663] replacing hardcoded values with parameter --- roles/deploy/defaults/main.yml | 4 +++- roles/wordpress-install/tasks/directories.yml | 2 +- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 50b91e6b8b..329075b9de 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -32,7 +32,7 @@ project_templates: # mode: '0755' // <- optional, use an octal number starting with 0 or quote it, defaults to `'0755'` if `directory` or `'0644'` if `file` # type: directory // <- optional, defaults to `directory`, options: `directory` or `file` project_shared_children: - - path: web/app/uploads + - path: "{{ project_public_path }}/{{ project_upload_path }}" src: uploads # The project_environment is a list of environment variables that can be used in hooks 
@@ -58,6 +58,8 @@ composer_classmap_authoritative: true project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" +project_public_path: "{{ project.public_path | default('web') }}" +project_upload_path: "{{ project.upload_path | default('app/uploads') }}" # Deploy hooks diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 0a6956fad7..591255688b 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml @@ -1,7 +1,7 @@ --- - name: Create web root of sites file: - path: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web" + path: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/{{ item.value.public_path | default('web') }}" owner: "{{ web_user }}" group: "{{ web_group }}" mode: '0755' diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 414328fcc4..2096c6d45b 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -15,7 +15,7 @@ server { {% endblock %} {% block server_basic -%} - root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web; + root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/{{ item.value.public_path | default('web') }}; index index.php index.htm index.html; add_header Fastcgi-Cache $upstream_cache_status; From 73b50739f613261ae123248e2d2fb371a25f36b8 Mon Sep 17 00:00:00 2001 
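Review bot: The default public directory `'web'` is now spelled out in three places, `project_public_path` here, `item.value.public_path | default('web')` in `roles/wordpress-install/tasks/directories.yml`, and again in `roles/wordpress-setup/templates/wordpress-site.conf.j2`, so a future change to the default can drift between the deploy, install and nginx roles; a single shared default (e.g. a group var `wordpress_public_path_default: web`, constructed name) referenced by all three would keep them aligned. `public_path` and `upload_path` are also interpolated verbatim into filesystem paths (including `project_shared_children` in the previous hunk) and into the nginx `root` directive; they come from operator-owned site config rather than untrusted input, but a comment noting that they must be relative, `..`-free path segments (`# relative to the release root; no leading slash or '..'`) would document the assumption the templates make.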
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 18 Mar 2022 21:02:29 -0400 Subject: [PATCH 435/663] Add built-in fail2ban filters Trellis supported default fail2ban services previously but they were restricted to filters built into fail2ban itself (like `sshd`). This adds filters defined by Trellis as well now by automatically creating the filter configuration files from templates. Importantly, these filters will be _disabled_ by default. Any time a new filter is added, it will also be added to `fail2ban_services_custom` with enabled set to `false.` This achieves a few goals: 1. makes it very easy to enable the built-in filters, which 2. brings more awareness to them by adding them to `group_vars/all/security.yml` 3. hopefully encourages more fail2ban filters to be created and used Currently there's only one built-in filter for banning requests to WordPress' `xmlrpc.php` endpoint which is a common DDoS attack vector. --- CHANGELOG.md | 1 + group_vars/all/security.yml | 17 ++++++++++++++++- roles/fail2ban/defaults/main.yml | 1 - roles/fail2ban/tasks/main.yml | 3 ++- .../filters/wordpress-wp-login.conf.j2 | 2 ++ .../templates/filters/wordpress-xmlrpc.conf.j2 | 2 ++ 6 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2 create mode 100644 roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ce3cda53d..dbb85e0e16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add built-in fail2ban filters ([#1375](https://github.com/roots/trellis/pull/1375)) * Support Ansible >= 2.10 (tested up to 5.4.0) ([#1373](https://github.com/roots/trellis/pull/1373)) * Remove Python 2 support ([#1361](https://github.com/roots/trellis/pull/1361)) diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml index 0aa2b604ba..bac2bbb098 100644 --- a/group_vars/all/security.yml +++ b/group_vars/all/security.yml 
@@ -1,3 +1,5 @@ +# Documentation: https://roots.io/trellis/docs/security/ + ferm_input_list: - type: dport_accept dport: [http, https] @@ -10,7 +12,20 @@ ferm_input_list: seconds: 300 hits: 20 -# Documentation: https://roots.io/trellis/docs/security/ + +# Enable built-in fail2ban services or add your own custom ones +fail2ban_services_custom: + - name: wordpress_xmlrpc + filter: wordpress-xmlrpc + enabled: "false" + port: http,https + logpath: "{{ www_root }}/**/logs/access.log" + - name: wordpress_wp_login + filter: wordpress-wp-login + enabled: "false" + port: http,https + logpath: "{{ www_root }}/**/logs/access.log" + # If sshd_permit_root_login: false, admin_user must be in 'users' (`group_vars/all/users.yml`) with sudo group # and in 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`) sshd_permit_root_login: true diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index b1aa62d1a1..598172cfbd 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml @@ -29,4 +29,3 @@ fail2ban_services_custom: [] fail2ban_services: "{{ fail2ban_services_default + fail2ban_services_custom }}" fail2ban_filter_templates_path: fail2ban_filters -fail2ban_filter_templates_pattern: "^({{ fail2ban_filter_templates_path | regex_escape }})/(.*)\\.j2$" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 45580f1a3f..2a900a2a87 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -21,6 +21,7 @@ - name: build list of fail2ban filter templates find: paths: + - "{{ playbook_dir }}/roles/fail2ban/templates/filters" - "{{ fail2ban_filter_templates_path }}" pattern: "*.conf.j2" become: no 
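Review bot: `enabled: "false"` is a quoted string rather than the bare boolean used elsewhere in Trellis group_vars, which reads like a mistake unless the jail template copies the value verbatim into fail2ban's config (not visible here); a comment such as `# keep as a string: rendered verbatim into the jail config` or, if the template handles booleans, `enabled: false` would settle it. The `logpath: "{{ www_root }}/**/logs/access.log"` glob is expanded by fail2ban, and whether `**` recurses there depends on its glob implementation; if each site's logs sit directly under `{{ www_root }}/<site>/logs/`, a single `*` expresses the intent without that dependency.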
@@ -36,7 +37,7 @@ - name: template fail2ban filters template: src: "{{ item }}" - dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" + dest: "/etc/fail2ban/filter.d/{{ item | basename | regex_replace('.j2$', '') }}" mode: '0644' with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" notify: restart fail2ban diff --git a/roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2 b/roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2 new file mode 100644 index 0000000000..d0f9271098 --- /dev/null +++ b/roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2 @@ -0,0 +1,2 @@ +[Definition] +failregex = ^<HOST> .* "POST .*wp-login\.php diff --git a/roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2 b/roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2 new file mode 100644 index 0000000000..6d8547146f --- /dev/null +++ b/roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2 @@ -0,0 +1,2 @@ +[Definition] +failregex = ^<HOST> .* "POST .*xmlrpc\.php From 1f676098d8590933a4d63716ac256d244cf13eaa Mon Sep 17 00:00:00 2001 From: Craig Pearson <hello@craigpearson.co.uk> Date: Wed, 4 May 2022 12:25:40 +0100 Subject: [PATCH 436/663] Remove redundant ansible_connection=local and comments --- hosts/development | 41 ++++------------------------------------- 1 file changed, 4 insertions(+), 37 deletions(-) diff --git a/hosts/development b/hosts/development index 2075118800..c71378df73 100644 --- a/hosts/development +++ b/hosts/development 
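Review bot: `regex_replace('.j2$', '')` leaves the dot unescaped, so it strips any character followed by `j2` at the end of the name; `regex_replace('\\.j2$', '')` says what is meant. Deriving `dest` from `basename` alone also means a user template in `fail2ban_filter_templates_path` with the same file name as a built-in in `roles/fail2ban/templates/filters` renders to the same `/etc/fail2ban/filter.d/` file, and with `sort(True)` ordering the last item templated wins silently, which depends only on how the full paths sort; either document that a user file overrides the built-in of the same name, or fail on duplicate basenames before templating. The `find` task that feeds `fail2ban_filter_templates` is in the earlier hunk of this file.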
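Review bot: `failregex = ^<HOST> .* "POST .*wp-login\.php` matches every POST to `wp-login.php`, successful logins included, so a user who signs in a few times within fail2ban's `findtime` (not visible here) counts toward a ban; the `wordpress-xmlrpc` filter in the next hunk has the same property for legitimate XML-RPC clients. If the access log records the response status, anchoring on the 200 that a failed login typically re-renders with (a successful login answers with a redirect) narrows it: `failregex = ^<HOST> .* "POST .*wp-login\.php[^"]*" 200`. Both filters ship disabled, so this only matters once enabled, but a comment in each template stating the log format assumed (`# expects <HOST> first, then the quoted request line, as in nginx's combined format`) would help operators tune it.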
@@ -1,41 +1,8 @@ -# This file is only used for Windows hosts. -# -# Windows -# ------------------------------------------------------------- -# If you want to run `dev.yml` manually you can SSH into the VM -# to the directory with the `dev.yml` playbook and run: - -# `ansible-playbook dev.yml` -# -# Non-Windows -# ------------------------------------------------------------- -# If you want to run `dev.yml` manually via the `ansible-playbook` -# command (vs. `vagrant up` or `vagrant provision`), you might be -# inclined to define your development host information in this file. -# We recommend instead that you use the `-i` (inventory) option with -# your `ansible-playbook` command to specify the custom inventory file -# Vagrant has created for the VM. Vagrant's custom inventory -# includes necessary non-standard SSH connection information. -# -# Here is an example command: -# -# `ansible-playbook dev.yml -i .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory` -# -# The `.vagrant` directory above is usually in the same directory as -# your `Vagrantfile`. If not, you will need to adjust this path in the -# command. -# -# Why run `dev.yml` manually? -# ------------------------------------------------------------- -# One reason you may want to run `dev.yml` via the `ansible-playbook` -# command is for the convenience of adding Ansible options via the -# command line (e.g., `--tags`, `--skip-tags`, or `-vvvv`). In contrast, -# the commands `vagrant up` and `vagrant provision` would only run the -# `dev.yml` playbook with such options if you were edit the options -# into the Vagrantfile's `config.vm.provision` section. +# Add each host to the [staging] group and to a "type" group such as [web] or [db]. +# List each machine only once per [group], even if it will host multiple sites. [development] -192.168.56.5 ansible_connection=local +192.168.56.5 [web] -192.168.56.5 ansible_connection=local +192.168.56.5 
From 734e262d85b38e656000a8abdac256dd1a88b649 Mon Sep 17 00:00:00 2001 From: Craig Pearson <hello@craigpearson.co.uk> Date: Wed, 4 May 2022 21:59:52 +0100 Subject: [PATCH 437/663] Fix typo --- hosts/development | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/development b/hosts/development index c71378df73..694b39e540 100644 --- a/hosts/development +++ b/hosts/development @@ -1,4 +1,4 @@ -# Add each host to the [staging] group and to a "type" group such as [web] or [db]. +# Add each host to the [development] group and to a "type" group such as [web] or [db]. # List each machine only once per [group], even if it will host multiple sites. [development] From 44025584b67ab11af09840bd8c08a876ffd9711d Mon Sep 17 00:00:00 2001 From: nextgenthemes <nextgenthemes@users.noreply.github.com> Date: Sat, 14 May 2022 11:24:07 +0200 Subject: [PATCH 438/663] Do not disallow up to date Vagrant vers. on Linux When this version restriction was introduced, I found out from the changelog or an issue that this was specifically because of a mac OS issue. I have successfully ran Vagrant versions that ship with Open SUSE Tumbleweed (Not sure), Ubuntu 21.10 and Ubuntu 22.04. AFAIK there is no reason to shut Linux users out of up-to-date Vagrant versions. --- Vagrantfile | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 1fb5a27031..da2eec1f18 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,8 +16,12 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -Vagrant.require_version '>= 2.1.0', '< 2.2.19' - +if Vagrant::Util::Platform.darwin? + Vagrant.require_version '>= 2.1.0', '< 2.2.19' +else + Vagrant.require_version '>= 2.1.0' +end + Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') config.vm.box_version = vconfig.fetch('vagrant_box_version') 
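Review bot: The macOS-only `< 2.2.19` cap is left without any explanation in the Vagrantfile, so the next reader cannot tell whether the restriction is still needed or what breaks above it; the commit message says it stems from a macOS-specific issue, and that belongs in the code. A comment above the branch, `# Vagrant >= 2.2.19 is known to break on macOS (see <issue link>); other platforms may use any current release`, with the real tracker reference substituted, would do.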
From b530f7e6d2a6f4dde4d108294b75b41534ee1393 Mon Sep 17 00:00:00 2001 From: jakobmeusburger <48139550+jakobmeusburger@users.noreply.github.com> Date: Mon, 23 May 2022 18:53:49 +0200 Subject: [PATCH 439/663] Change MariaDB PPA link --- roles/mariadb/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 3eee94bcf2..d337299bfb 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb http://mirrors.gigenet.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb http://mariadb.mirror.globo.tech/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server From c7729fcc29c16734bcb267ed72f2edc4cdf6d63c Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Tue, 31 May 2022 13:55:05 -0500 Subject: [PATCH 440/663] =?UTF-8?q?=F0=9F=92=AC=20update=20README?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index a350e8e28d..eca8889534 100644 --- a/README.md +++ b/README.md 
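Review bot: The replacement mirror is still fetched over plain `http://`; apt verifies the repository's `Release` signature against the key fetched for `mariadb_keyserver_id`, so package integrity does not depend on the transport, but an `https://` URL (if this mirror offers one) would also keep the list of installed packages from on-path observers. A comment recording why this mirror replaced the previous one (the commit message gives no reason) would help whoever has to swap it next, e.g. `# mirror changed <date>: previous host no longer served 10.5 (constructed example)`.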
@@ -30,18 +30,16 @@ <a href="https://roots.io/"><strong><code>Website</code></strong></a>    <a href="https://docs.roots.io/trellis/master/installation/"><strong><code>Documentation</code></strong></a>    <a href="https://github.com/roots/trellis/releases"><strong><code>Releases</code></strong></a>    <a href="https://discourse.roots.io/"><strong><code>Support</code></strong></a> </p> -## Supporting +## Sponsors **Trellis** is an open source project and completely free to use. -However, the amount of effort needed to maintain and develop new features and products within the Roots ecosystem is not sustainable without proper financial backing. If you have the capability, please consider donating using the links below: +However, the amount of effort needed to maintain and develop new features and products within the Roots ecosystem is not sustainable without proper financial backing. If you have the capability, please consider [sponsoring Roots](https://github.com/sponsors/roots). -<div align="center"> - -[![Sponsor on GitHub](https://img.shields.io/static/v1?label=sponsor&message=%E2%9D%A4&logo=GitHub&style=flat-square)](https://github.com/sponsors/roots) -[![Sponsor on Patreon](https://img.shields.io/badge/sponsor-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) -[![Donate via PayPal](https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square&logo=paypal)](https://www.paypal.me/rootsdev) +<p align="center"><a href="https://github.com/sponsors/roots"><img height="32" src="https://img.shields.io/badge/sponsor%20roots-525ddc?logo=github&logoColor=ffffff&message=" alt="Sponsor Roots"></a></p> +<div align="center"> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://www.c21redwood.com/"><img 
src="https://cdn.roots.io/app/uploads/c21redwood.svg" alt="C21 Redwood Realty" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> </div> ## Overview @@ -146,17 +144,11 @@ project trellis-cli compatible by initializing it: $ trellis init ``` -## Trellis sponsors - -Help support our open-source development efforts by [becoming a GitHub sponsor](https://github.com/sponsors/roots) or [patron](https://www.patreon.com/rootsdev). - -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="200" height="150"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="200" height="150"></a> <a href="https://www.c21redwood.com/"><img src="https://cdn.roots.io/app/uploads/c21redwood.svg" alt="C21 Redwood Realty" width="200" height="150"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="200" height="150"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="200" height="150"></a> - ## Community Keep track of development and community news. -- Join us on Roots Slack by becoming a [GitHub sponsor](https://github.com/sponsors/roots) or [patron](https://www.patreon.com/rootsdev) +- Join us on Discord by [sponsoring us on GitHub](https://github.com/sponsors/roots) - Participate on the [Roots Discourse](https://discourse.roots.io/) - Follow [@rootswp on Twitter](https://twitter.com/rootswp) - Read and subscribe to the [Roots Blog](https://roots.io/blog/) From c2f6eebda47b7351c086fa662929c13d346807f3 Mon Sep 17 00:00:00 2001 
From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 00:50:56 +0200 Subject: [PATCH 441/663] Split is installed check into a non-multisite and a mulitsite specific one. --- roles/deploy/hooks/finalize-before.yml | 48 ++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 4c46ed35ea..0b88736b49 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -1,16 +1,58 @@ --- +# Is installed check +# Non-multisite specific check +- name: WordPress Installed (non-multisite)? + command: wp core is-installed --skip-plugins --skip-themes + args: + chdir: "{{ deploy_helper.new_release_path }}" + register: wp_installed_single + changed_when: false + failed_when: wp_installed_single.stderr | length > 0 or wp_installed_single.rc > 1 + when: + - not project.multisite.enabled | default(false) + +# Multisite specific check - name: Create file with multisite constants defined as false copy: src: "tmp_multisite_constants.php" dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" + when: + - project.multisite.enabled | default(false) + +- name: Set variables used in "WordPress Installed?" check + set_fact: + php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" + when: + #- project.multisite.enabled | default(false) + - not project.multisite.enabled | default(false) -- name: WordPress Installed? +- name: WordPress Installed (multisite)? command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php args: chdir: "{{ deploy_helper.new_release_path }}" - register: wp_installed + register: wp_installed_multisite changed_when: false - failed_when: wp_installed.stderr | default("") != "" or wp_installed.rc > 1 + failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(php_needle_warning)) or wp_installed_multisite.rc > 1 + when: + - project.multisite.enabled | default(false) +# /Multisite specific check + +# Because variable is always registered, even with non-applying when-condition +- name: Set "WordPress installed (non-multisite)?" result variable + set_fact: + wp_installed: "{{ wp_installed_single }}" + when: + - not project.multisite.enabled | default(false) + +- name: Set "WordPress installed (multisite)?" 
result variable + set_fact: + wp_installed: "{{ wp_installed_multisite }}" + when: + - project.multisite.enabled | default(false) +# /Is installed check + + + - name: Get WP theme template and stylesheet roots shell: > From 49d95c980eddded5e90f30029cea0a8e9f36e272 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 15:44:16 +0200 Subject: [PATCH 442/663] Fix `when` for defining variable used in multisite-specific check. --- roles/deploy/hooks/finalize-before.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 0b88736b49..aebfc7c0c9 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -19,12 +19,11 @@ when: - project.multisite.enabled | default(false) -- name: Set variables used in "WordPress Installed?" check +- name: Set variables used in "WordPress Installed (multisite)?" check set_fact: php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" when: - #- project.multisite.enabled | default(false) - - not project.multisite.enabled | default(false) + - project.multisite.enabled | default(false) - name: WordPress Installed (multisite)? command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php From 4952e88778cf65c5a2e9efe555f873d3429399d4 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 18:24:52 +0200 Subject: [PATCH 443/663] Group "WordPress Installed" non-multisite and multisite tasks into Ansible blocks. --- roles/deploy/hooks/finalize-before.yml | 80 +++++++++++--------------- 1 file changed, 35 insertions(+), 45 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index aebfc7c0c9..056216c0bb 100644 
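Review bot: `php_needle_warning` is used with `is not match(...)`, which treats the string as a regular expression anchored at the start of stderr, yet `deploy_helper.new_release_path` is interpolated into it unescaped and the pattern hard-codes `/web/wp/wp-includes/link-template.php on line 3535`, i.e. a specific WordPress build and the `web` public path that an earlier commit on this page made configurable through `project_public_path`. A release path containing regex metacharacters would silently stop matching and turn the allow-listed warning into a failed deploy. Escaping the path (`{{ deploy_helper.new_release_path | regex_escape }}`), using `search` rather than `match` so a `PHP Warning:` prefix does not matter, and dropping the line number (`link-template\\.php`) would make the allow-list robust. The two `Set "WordPress installed ...?" result variable` tasks exist only because a skipped `register` still defines the variable, which the comment above them says; a block per mode would avoid the duplication.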
--- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -1,57 +1,47 @@ --- -# Is installed check -# Non-multisite specific check - name: WordPress Installed (non-multisite)? - command: wp core is-installed --skip-plugins --skip-themes - args: - chdir: "{{ deploy_helper.new_release_path }}" - register: wp_installed_single - changed_when: false - failed_when: wp_installed_single.stderr | length > 0 or wp_installed_single.rc > 1 - when: - - not project.multisite.enabled | default(false) - -# Multisite specific check -- name: Create file with multisite constants defined as false - copy: - src: "tmp_multisite_constants.php" - dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" - when: - - project.multisite.enabled | default(false) - -- name: Set variables used in "WordPress Installed (multisite)?" check - set_fact: - php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" + block: + - name: "'wp core is-installed' command" + command: wp core is-installed --skip-plugins --skip-themes + args: + chdir: "{{ deploy_helper.new_release_path }}" + register: wp_installed_singlesite + changed_when: false + failed_when: wp_installed_singlesite.stderr | length > 0 or wp_installed_singlesite.rc > 1 + + - name: Set "WordPress installed?" result variable (from non-multisite) + set_fact: + wp_installed: "{{ wp_installed_singlesite }}" when: + #- not project.multisite.enabled | default(false) - project.multisite.enabled | default(false) - name: WordPress Installed (multisite)? 
- command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php - args: - chdir: "{{ deploy_helper.new_release_path }}" - register: wp_installed_multisite - changed_when: false - failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(php_needle_warning)) or wp_installed_multisite.rc > 1 - when: - - project.multisite.enabled | default(false) -# /Multisite specific check - -# Because variable is always registered, even with non-applying when-condition -- name: Set "WordPress installed (non-multisite)?" result variable - set_fact: - wp_installed: "{{ wp_installed_single }}" + block: + - name: Create file with multisite constants defined as false + copy: + src: "tmp_multisite_constants.php" + dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" + + - name: Set variables used in "WordPress Installed (multisite)?" check + set_fact: + php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" + + - name: "'wp core is-installed' command" + command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php + args: + chdir: "{{ deploy_helper.new_release_path }}" + register: wp_installed_multisite + changed_when: false + failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(php_needle_warning)) or wp_installed_multisite.rc > 1 + + - name: Set "WordPress installed?" result variable (from multisite) + set_fact: + wp_installed: "{{ wp_installed_multisite }}" when: + #- project.multisite.enabled | default(false) - not project.multisite.enabled | default(false) -- name: Set "WordPress installed (multisite)?" 
result variable - set_fact: - wp_installed: "{{ wp_installed_multisite }}" - when: - - project.multisite.enabled | default(false) -# /Is installed check - - - - name: Get WP theme template and stylesheet roots shell: > From 2f1cfe05ec76f23e38f04535be934d36939c05a8 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 18:29:02 +0200 Subject: [PATCH 444/663] Fix when lines. --- roles/deploy/hooks/finalize-before.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 056216c0bb..b72b2c1c1a 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -13,8 +13,7 @@ set_fact: wp_installed: "{{ wp_installed_singlesite }}" when: - #- not project.multisite.enabled | default(false) - - project.multisite.enabled | default(false) + - not project.multisite.enabled | default(false) - name: WordPress Installed (multisite)? block: @@ -39,8 +38,7 @@ set_fact: wp_installed: "{{ wp_installed_multisite }}" when: - #- project.multisite.enabled | default(false) - - not project.multisite.enabled | default(false) + - project.multisite.enabled | default(false) - name: Get WP theme template and stylesheet roots From e1e82a8d094c96367d67afbe104dcc044aa32c5b Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 19:38:47 +0200 Subject: [PATCH 445/663] Make `strpos` `empty needle` PHP warning match less strict (omit line number). --- roles/deploy/hooks/finalize-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index b72b2c1c1a..70c5988f1d 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
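Review bot: The `when` on each new block gates the wrong branch: the non-multisite block at the top of the hunk keeps the context line `- project.multisite.enabled | default(false)`, so it runs only on multisite installs, while the multisite block keeps `- not project.multisite.enabled | default(false)`, so each deploy executes the check meant for the other install type. Swap them to `- not project.multisite.enabled | default(false)` on the first block and `- project.multisite.enabled | default(false)` on the second. The commented-out `#- …` lines added next to both conditions should be dropped rather than left as a record of the intended value, since they are what make the inversion easy to miss.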
@@ -24,7 +24,7 @@ - name: Set variables used in "WordPress Installed (multisite)?" check set_fact: - php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" + php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php" - name: "'wp core is-installed' command" command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php From cc07d1e194d13f43b05c2a2bef162dfc6d87bc20 Mon Sep 17 00:00:00 2001 From: Kelly Mears <developers@tinypixel.dev> Date: Wed, 1 Jun 2022 10:54:40 -0700 Subject: [PATCH 446/663] fix: set mjs as application/javascript in h5bp (#1383) --- roles/nginx/templates/h5bp/mime.types | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/h5bp/mime.types b/roles/nginx/templates/h5bp/mime.types index 7c3b1e7386..972fd08958 100644 --- a/roles/nginx/templates/h5bp/mime.types +++ b/roles/nginx/templates/h5bp/mime.types @@ -14,7 +14,7 @@ types { # Normalize to standard type. # https://tools.ietf.org/html/rfc4329#section-7.2 - application/javascript js; + application/javascript js mjs; # Manifest files From 8edc250e4597b183892240ca3f4a6d35a7d5d437 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 20:00:16 +0200 Subject: [PATCH 447/663] Improve task names (invoke). --- roles/deploy/hooks/finalize-before.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 70c5988f1d..550b0f85cf 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -1,7 +1,7 @@ --- - name: WordPress Installed (non-multisite)? block: - - name: "'wp core is-installed' command" + - name: "Invoke 'wp core is-installed' command" command: wp core is-installed --skip-plugins --skip-themes args: chdir: "{{ deploy_helper.new_release_path }}" @@ -26,7 +26,7 @@ set_fact: php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php" - - name: "'wp core is-installed' command" + - name: "Invoke 'wp core is-installed' command" command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php args: chdir: "{{ deploy_helper.new_release_path }}" From 868d6c3bb443ef2388593f335cd2e585b5bfcbe1 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 8 Jun 2022 22:11:15 -0400 Subject: [PATCH 448/663] Fix discourse release tags --- .github/workflows/discourse.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/discourse.yml b/.github/workflows/discourse.yml index c98763d53a..14893e0879 100644 --- a/.github/workflows/discourse.yml +++ b/.github/workflows/discourse.yml @@ -14,6 +14,4 @@ jobs: discourse-base-url: ${{ secrets.DISCOURSE_BASE_URL }} discourse-author-username: swalkinshaw discourse-category: 12 - discourse-tags: - trellis - releases + discourse-tags: trellis, releases From b419b8b36dbcadd7028c558101dbdb14e72374ed Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 8 Jun 2022 22:23:44 -0400 Subject: [PATCH 449/663] [skip ci] Update discourse release tags --- .github/workflows/discourse.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/discourse.yml b/.github/workflows/discourse.yml index 14893e0879..0205abbd1f 100644 --- a/.github/workflows/discourse.yml +++ b/.github/workflows/discourse.yml 
@@ -14,4 +14,4 @@ jobs: discourse-base-url: ${{ secrets.DISCOURSE_BASE_URL }} discourse-author-username: swalkinshaw discourse-category: 12 - discourse-tags: trellis, releases + discourse-tags: releases From 71955807c244d75ff4c176d40ee42b377e33105c Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sun, 12 Jun 2022 00:29:24 +0200 Subject: [PATCH 450/663] Change is-installed check to exempt DB error dump PHP warning for not yet set up multisite sites. --- roles/deploy/hooks/finalize-before.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 550b0f85cf..06cbd1b0d7 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -17,22 +17,17 @@ - name: WordPress Installed (multisite)? block: - - name: Create file with multisite constants defined as false - copy: - src: "tmp_multisite_constants.php" - dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" - - name: Set variables used in "WordPress Installed (multisite)?" check set_fact: - php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php" + multisite_non_setup_db_error: "WordPress database error Table '{{ site_env.db_name }}.wp_blogs' doesn't exist" - name: "Invoke 'wp core is-installed' command" - command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php + command: wp core is-installed --skip-plugins --skip-themes args: chdir: "{{ deploy_helper.new_release_path }}" register: wp_installed_multisite changed_when: false - failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(php_needle_warning)) or wp_installed_multisite.rc > 1 + failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(multisite_non_setup_db_error)) or wp_installed_multisite.rc > 1 - name: Set "WordPress installed?" result variable (from multisite) set_fact: From b58ca90e5d99617c713462952cc8c02904178557 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sun, 12 Jun 2022 01:44:45 +0200 Subject: [PATCH 451/663] Clean up now unused `tmp_multisite_constants.php`. --- roles/deploy/hooks/finalize-before.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 06cbd1b0d7..46700d51a3 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
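Review bot: `multisite_non_setup_db_error` hard-codes the `wp_` table prefix in `wp_blogs`, so on an install with a custom prefix the error text of a not-yet-set-up multisite never matches and the `failed_when` below turns that expected condition into a deploy failure; build the name from the configured prefix if the project exposes it (confirm the exact key, e.g. `{{ site_env.db_prefix | default('wp_') }}blogs` is a constructed example) or use a prefix-agnostic pattern. The value is consumed as a regex by `is not match`, so `site_env.db_name` should be passed through `regex_escape`, and `match` only tests the start of `stderr`, so any other warning printed before this one still fails the task; `is not search(...)` is the tolerant form if that ordering cannot be relied on. Both tasks sit inside a block whose `when` lies outside the hunk.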
@@ -1,4 +1,9 @@ --- +- name: Clean up unused, temporary PHP file with multisite constants that had been used for WordPress Installed check. + file: + state: absent + path: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" + - name: WordPress Installed (non-multisite)? block: - name: "Invoke 'wp core is-installed' command" From c982803dde94647c1380302ea2ea636bc62aebc3 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sun, 12 Jun 2022 01:47:39 +0200 Subject: [PATCH 452/663] Improve name. --- roles/deploy/hooks/finalize-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 46700d51a3..b9fb5fd981 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -1,5 +1,5 @@ --- -- name: Clean up unused, temporary PHP file with multisite constants that had been used for WordPress Installed check. +- name: Clean up unused, temporary PHP file with multisite constants that had been used for WordPress Installed checks. file: state: absent path: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" From 3bea855b015acd209e4c0bbf9931a8e6897e02ce Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sun, 12 Jun 2022 13:05:52 +0200 Subject: [PATCH 453/663] Remove unused `tmp_multisite_constants.php` source file. --- roles/deploy/files/tmp_multisite_constants.php | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 roles/deploy/files/tmp_multisite_constants.php diff --git a/roles/deploy/files/tmp_multisite_constants.php b/roles/deploy/files/tmp_multisite_constants.php deleted file mode 100644 index e468cc8bfc..0000000000 --- a/roles/deploy/files/tmp_multisite_constants.php +++ /dev/null 
@@ -1,7 +0,0 @@ -<?php -error_reporting(E_ALL & ~E_NOTICE); -define('MULTISITE', false); -define('SUBDOMAIN_INSTALL', false); -define('WPMU_PLUGIN_DIR', null); -define('WP_PLUGIN_DIR', null); -define('WP_USE_THEMES', false); From 3122748038d927b1514a431df0d90ea5dd692737 Mon Sep 17 00:00:00 2001 From: Tang Rufus <tangrufus@gmail.com> Date: Fri, 24 Jun 2022 02:13:06 +0100 Subject: [PATCH 454/663] Limit ansible version range in `>=2.10.0,<6` See: https://github.com/roots/trellis/issues/1393 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 5955db3396..b9680b92c6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.10.0 +ansible>=2.10.0,<6 passlib From 7659e7983aa1510739c89bde0fb8061d586b1df6 Mon Sep 17 00:00:00 2001 From: Tang Rufus <tangrufus@gmail.com> Date: Fri, 24 Jun 2022 05:48:32 +0100 Subject: [PATCH 455/663] Fix ansible incompatibility with `Failed connection to remote repo` Newer versions of `ansible.builtin.git` puts error message in `msg` instead of `stderr`. --- roles/deploy/tasks/update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 92ac949b00..17250a0493 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -41,7 +41,7 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding Error: - {{ git_clone.stderr }} + {{ git_clone.msg | default(git_clone.stderr) }} when: git_clone is failed - name: Remove untracked files from project folder From 04213bf4ed107cbe69be96ab4fb09fd102be85e0 Mon Sep 17 00:00:00 2001 From: Rob Record <rob@robrecord.com> Date: Fri, 1 Jul 2022 11:49:45 +0100 Subject: [PATCH 456/663] Switch order of PHP operations Stop old process(es) before starting a new one. Fixes #1394 
Signed-off-by: Rob Record <rob@robrecord.com> --- roles/php/tasks/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index eaec4b4f16..3a8c6d9f10 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -16,13 +16,7 @@ community.general.alternatives: name: php path: /usr/bin/php{{ php_version }} - -- name: Start php fpm service - service: - name: "php{{ php_version }}-fpm" - state: started - enabled: true - + - name: Find existing php fpm services find: paths: /etc/init.d @@ -40,6 +34,12 @@ label: "{{ item.path | basename }}" notify: reload php-fpm +- name: Start php fpm service + service: + name: "php{{ php_version }}-fpm" + state: started + enabled: true + - name: Copy PHP-FPM configuration file template: src: php-fpm.ini.j2 From 0d4bd8e5285f3327a08ce38a03df4531c196aee6 Mon Sep 17 00:00:00 2001 From: Rob Record <rob@robrecord.com> Date: Fri, 1 Jul 2022 12:48:49 +0100 Subject: [PATCH 457/663] Set max journal log file size Fixes #1307 --- group_vars/all/main.yml | 1 + roles/common/handlers/main.yml | 5 +++++ roles/common/tasks/main.yml | 10 ++++++++++ 3 files changed, 16 insertions(+) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 562864d6ee..a9bbfccbdf 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -7,6 +7,7 @@ php_version: "8.0" ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www +max_journal_size: 512M # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 8035cb64b4..0b98ca248d 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml 
@@ -12,4 +12,9 @@ name: php{{ php_version }}-fpm state: reloaded +- name: restart journald + service: + name: systemd-journald + state: restarted + - import_tasks: reload_nginx.yml diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 84ff7aa2fd..8b74eb1061 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -183,3 +183,13 @@ - name: Fail when unable to retrieve SSH client IP fail: msg: "External IP resolution failed. Check that your DNS servers are working. Try to disable DNSCrypt if you are using it." + +- name: Restrict journal log size + lineinfile: + backup: yes + dest: /etc/systemd/journald.conf + insertafter: "^[Journal]" + line: "SystemMaxUse={{ max_journal_size }}" + regexp: "^#?(SystemMaxUse=.*?)$" + state: present + notify: restart journald From 7a8ec5224799d131faa6a52097aa24fa88723799 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 10 Jul 2022 16:06:07 -0400 Subject: [PATCH 458/663] Fix shared folder permissions --- roles/deploy/tasks/share.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 12da9836c2..043ab79392 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -40,7 +40,7 @@ - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" - mode: '0777' + mode: '0755' state: directory with_items: "{{ project.project_shared_children | default(project_shared_children) }}" From 30ab12a0013492ff6bd70ae2be66bfe961fcf689 Mon Sep 17 00:00:00 2001 From: Lee Hanbury <lee.hanbury@gmail.com> Date: Mon, 4 Jul 2022 23:00:57 +0100 Subject: [PATCH 459/663] chore: Use new `requirements.yml` format --- galaxy.yml | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/galaxy.yml b/galaxy.yml index 3a526930eb..5eb2e2545f 100644 --- a/galaxy.yml 
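Review bot: `insertafter: "^[Journal]"` in the new "Restrict journal log size" task is a regular expression, and `[Journal]` there is a character class, so it matches any line beginning with one of the letters J, o, u, r, n, a or l and never the literal `[Journal]` section header; presumably the task only lands in the right place today because a non-matching `insertafter` falls back to end-of-file on a single-section journald.conf. Escape the brackets: `insertafter: '^\[Journal\]'`. `backup: yes` is a YAML 1.1 boolean and should be `backup: true`. The `regexp: "^#?(SystemMaxUse=.*?)$"` correctly replaces an existing commented or active setting, so the rest of the task is sound.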
+++ b/galaxy.yml @@ -1,19 +1,21 @@ -- name: composer - src: geerlingguy.composer - version: 1.9.0 +--- +roles: + - name: composer + src: geerlingguy.composer + version: 1.9.0 -- name: ntp - src: geerlingguy.ntp - version: 2.3.1 + - name: ntp + src: geerlingguy.ntp + version: 2.3.1 -- name: logrotate - src: nickhammond.logrotate - version: v0.0.5 + - name: logrotate + src: nickhammond.logrotate + version: v0.0.5 -- name: swapfile - src: oefenweb.swapfile - version: v2.0.32 + - name: swapfile + src: oefenweb.swapfile + version: v2.0.32 -- name: mailhog - src: geerlingguy.mailhog - version: 2.2.0 + - name: mailhog + src: geerlingguy.mailhog + version: 2.2.0 From 8ad39dca35b0f88d7fcccc737c266d76f29293cb Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 18 Jul 2022 17:44:10 -0400 Subject: [PATCH 460/663] Update CHANGELOG --- CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbb85e0e16..a7f9cffab5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,20 @@ ### HEAD +* Fix #1400 - update shared path permission ([#1403](https://github.com/roots/trellis/pull/1403)) +* Update requirements.yml to new format ([#1402](https://github.com/roots/trellis/pull/1402)) +* Set journald max log file size ([#1399](https://github.com/roots/trellis/pull/1399)) +* Stop old php-fpm services before starting new one ([#1395](https://github.com/roots/trellis/pull/1395)) +* Fix ansible incompatibility in git connection error ([#1397](https://github.com/roots/trellis/pull/1397)) +* Update Ansible version requirement ([#1396](https://github.com/roots/trellis/pull/1396)) + +### 1.15.0: June 8th, 2022 +* Add variables for web and uploads paths ([#1378](https://github.com/roots/trellis/pull/1378)) +* Fix WP is-installed check during deploys for multisite installs ([#1388](https://github.com/roots/trellis/pull/1388)) +* Set `mjs` as `application/javascript` in Nginx confs ([#1383](https://github.com/roots/trellis/pull/1383)) +* Change MariaDB PPA repo ([#1384](https://github.com/roots/trellis/pull/1384)) +* Allow newer Vagrant versions on Linux ([#1382](https://github.com/roots/trellis/pull/1382)) +* Remove redundant `ansible_connection=local` and comments ([#1380](https://github.com/roots/trellis/pull/1380)) +* Update `build-after` deploy hook example for Sage 10 ([#1377](https://github.com/roots/trellis/pull/1377)) +* Update `geerlingguy.ntp` role to `2.3.1` ([#1376](https://github.com/roots/trellis/pull/1376)) * Add built-in fail2ban filters ([#1375](https://github.com/roots/trellis/pull/1375)) * Support Ansible >= 2.10 (tested up to 5.4.0) ([#1373](https://github.com/roots/trellis/pull/1373)) * Remove Python 2 support ([#1361](https://github.com/roots/trellis/pull/1361)) From ef81dea31feb615c338314aa5654bc31868aaa24 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 18 Jul 2022 18:11:46 -0400 Subject: [PATCH 461/663] Remove broken and unused cli import Fixes #1393 Importing `cli` from `__main__` no longer works as of ansible 2.13.1 This import is no longer used anyway so the fix is to remove it. --- lib/trellis/plugins/callback/vars.py | 2 -- requirements.txt | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 2ffbbf9854..92f827f9ff 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -2,12 +2,10 @@ import sys import os -from __main__ import cli from ansible.module_utils.six import iteritems from ansible.errors import AnsibleError from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode from ansible.playbook.play_context import PlayContext -from ansible.playbook.task import Task from ansible.plugins.callback import CallbackBase from ansible.template import Templar from ansible.utils.unsafe_proxy import wrap_var diff --git a/requirements.txt b/requirements.txt index b9680b92c6..5955db3396 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.10.0,<6 +ansible>=2.10.0 passlib From 7b5d976e05adbe62f6b28ff4eedc384667efcbdf Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 18 Jul 2022 18:29:21 -0400 Subject: [PATCH 462/663] v1.16.0 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a7f9cffab5..4d27d6c94e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
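Review bot: The hunk also removes `from ansible.playbook.task import Task`, which the commit message does not mention; if `Task` is still referenced further down in vars.py (the rest of the file is outside this hunk) the callback now fails at that use instead of at import time, so it is worth a grep before merging. Dropping the `<6` bound in requirements.txt in the same commit reopens the unbounded range that #1393 was about; a tested upper bound such as `ansible>=2.10.0,<7` (constructed, set it to what CI actually exercises) would make the next major release an explicit decision rather than a silent break.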
@@ -1,4 +1,5 @@ -### HEAD +### 1.16.0: July 18th, 2022 +* Fix Ansible 6 support - remove broken and unused `cli` import ([#1404](https://github.com/roots/trellis/pull/1404)) * Fix #1400 - update shared path permission ([#1403](https://github.com/roots/trellis/pull/1403)) * Update requirements.yml to new format ([#1402](https://github.com/roots/trellis/pull/1402)) * Set journald max log file size ([#1399](https://github.com/roots/trellis/pull/1399)) From e3327d60c3b330d57f98a00f152ea7e9d86c5c63 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 19 Jul 2022 16:04:32 -0400 Subject: [PATCH 463/663] Update hb5p cache expiration conf Fixes #905 Replaces the old h5bp location specific `expires.conf` with a new `cache_expiration` directive-only conf. The config just sets a mapping of expiration headers which is then used in the site specific server template. --- .../h5bp/directive-only/cache_expiration.conf | 61 +++++++++++++++++++ .../templates/h5bp/location/expires.conf | 45 -------------- roles/nginx/templates/nginx.conf.j2 | 4 ++ .../templates/wordpress-site.conf.j2 | 2 +- 4 files changed, 66 insertions(+), 46 deletions(-) create mode 100644 roles/nginx/templates/h5bp/directive-only/cache_expiration.conf delete mode 100644 roles/nginx/templates/h5bp/location/expires.conf diff --git a/roles/nginx/templates/h5bp/directive-only/cache_expiration.conf b/roles/nginx/templates/h5bp/directive-only/cache_expiration.conf new file mode 100644 index 0000000000..865de49bd5 --- /dev/null +++ b/roles/nginx/templates/h5bp/directive-only/cache_expiration.conf 
@@ -0,0 +1,61 @@
+map $sent_http_content_type $expires {
+ default 1y;
+
+ # No content
+ "" off;
+
+ # CSS
+ ~*text/css 1y;
+
+ # Data interchange
+ ~*application/atom\+xml 1h;
+ ~*application/rdf\+xml 1h;
+ ~*application/rss\+xml 1h;
+
+ ~*application/json 0;
+ ~*application/ld\+json 0;
+ ~*application/schema\+json 0;
+ ~*application/geo\+json 0;
+ ~*application/xml 0;
+ ~*text/calendar 0;
+ ~*text/xml 0;
+
+ # Favicon (cannot be renamed!) and cursor images
+ ~*image/vnd.microsoft.icon 1w;
+ ~*image/x-icon 1w;
+
+ # HTML
+ ~*text/html 0;
+
+ # JavaScript
+ ~*application/javascript 1y;
+ ~*application/x-javascript 1y;
+ ~*text/javascript 1y;
+
+ # Manifest files
+ ~*application/manifest\+json 1w;
+ ~*application/x-web-app-manifest\+json 0;
+ ~*text/cache-manifest 0;
+
+ # Markdown
+ ~*text/markdown 0;
+
+ # Media files
+ ~*audio/ 1y;
+ ~*image/ 1y;
+ ~*video/ 1y;
+
+ # WebAssembly
+ ~*application/wasm 1y;
+
+ # Web fonts
+ ~*font/ 1y;
+ ~*application/vnd.ms-fontobject 1y;
+ ~*application/x-font-ttf 1y;
+ ~*application/x-font-woff 1y;
+ ~*application/font-woff 1y;
+ ~*application/font-woff2 1y;
+
+ # Other
+ ~*text/x-cross-domain-policy 1w;
+}
diff --git a/roles/nginx/templates/h5bp/location/expires.conf b/roles/nginx/templates/h5bp/location/expires.conf
deleted file mode 100644
index 6766ef2217..0000000000
--- a/roles/nginx/templates/h5bp/location/expires.conf
+++ /dev/null
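Review bot: `default 1y;` at the top of the map gives every response whose `Content-Type` is not listed a one-year `expires`, which reverses the explicit "do not use a default expire rule with nginx" guidance in the `expires.conf` this commit deletes; a dynamically generated response with an unlisted type (a PHP-served `text/plain` or `application/pdf`, say) would be cached by browsers and intermediaries for a year. A conservative default such as `default off;` (or `0`) keeps unlisted types uncached and lets the explicit entries opt in. The `"" off;` entry still covers responses with no content type.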
@@ -1,45 +0,0 @@ -# Expire rules for static content - -# No default expire rule. This config mirrors that of apache as outlined in the -# html5-boilerplate .htaccess file. However, nginx applies rules by location, -# the apache rules are defined by type. A consequence of this difference is that -# if you use no file extension in the url and serve html, with apache you get an -# expire time of 0s, with nginx you'd get an expire header of one month in the -# future (if the default expire rule is 1 month). Therefore, do not use a -# default expire rule with nginx unless your site is completely static - -# cache.appcache, your document html and data -location ~* \.(?:manifest|appcache|html?|xml|json)$ { - add_header Cache-Control "max-age=0"; -} - -# Feed -location ~* \.(?:rss|atom)$ { - add_header Cache-Control "max-age=3600"; -} - -# Media: images, icons, video, audio, HTC -location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ { - access_log off; - add_header Cache-Control "max-age=2592000"; -} - -# Media: svgz files are already compressed. -location ~* \.svgz$ { - access_log off; - gzip off; - add_header Cache-Control "max-age=2592000"; -} - -# CSS and Javascript -location ~* \.(?:css|js)$ { - add_header Cache-Control "max-age=31536000"; - access_log off; -} - -# WebFonts -# If you are NOT using cross-domain-fonts.conf, uncomment the following directive -# location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { -# add_header Cache-Control "max-age=2592000"; -# access_log off; -# } diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index f4ef92d394..c61d35c9af 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -204,6 +204,10 @@ http { include includes.d/http/*.conf; {% endblock -%} + {% if h5bp_expires_enabled -%} + include h5bp/directive-only/cache_expiration.conf; + {% endif -%} + {% block sites_enabled -%} # Include files in the sites-enabled folder. server{} configuration files should be # placed in the sites-available folder, and then the configuration should be enabled diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 2096c6d45b..d6cf59a10b 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -194,7 +194,7 @@ server { {% endif -%} {% if h5bp_expires_enabled -%} - include h5bp/location/expires.conf; + expires $expires; {% endif -%} {% if h5bp_protect_system_files_enabled -%} From c5320cff9fe16d83ed27cb25b39e2b30b44cf017 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 19 Jul 2022 16:31:09 -0400 Subject: [PATCH 464/663] Update cross origin requests confs Fixes #831 --- .../directive-only/cross-domain-insecure.conf | 14 --------- .../directive-only/cross-origin-requests.conf | 18 ++++++++++++ roles/nginx/templates/nginx.conf.j2 | 29 +++++++++++++++++-- .../templates/wordpress-site.conf.j2 | 2 +- 4 files changed, 46 insertions(+), 17 deletions(-) delete mode 100644 roles/nginx/templates/h5bp/directive-only/cross-domain-insecure.conf create mode 100644 roles/nginx/templates/h5bp/directive-only/cross-origin-requests.conf diff --git a/roles/nginx/templates/h5bp/directive-only/cross-domain-insecure.conf b/roles/nginx/templates/h5bp/directive-only/cross-domain-insecure.conf deleted file mode 100644 index e9373adc40..0000000000 --- a/roles/nginx/templates/h5bp/directive-only/cross-domain-insecure.conf +++ /dev/null 
@@ -1,14 +0,0 @@
-# Cross domain AJAX requests
-
-# http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
-
-# **Security Warning**
-# Do not use this without understanding the consequences.
-# This will permit access from any other website.
-#
-add_header "Access-Control-Allow-Origin" "*";
-
-# Instead of using this file, consider using a specific rule such as:
-#
-# Allow access based on [sub]domain:
-# add_header "Access-Control-Allow-Origin" "subdomain.example.com";
diff --git a/roles/nginx/templates/h5bp/directive-only/cross-origin-requests.conf b/roles/nginx/templates/h5bp/directive-only/cross-origin-requests.conf
new file mode 100644
index 0000000000..976961fe24
--- /dev/null
+++ b/roles/nginx/templates/h5bp/directive-only/cross-origin-requests.conf
@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Cross-origin requests |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin requests.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+# https://enable-cors.org/
+# https://www.w3.org/TR/cors/
+
+# (!) Do not use this without understanding the consequences.
+# This will permit access from any other website.
+# Instead of using this file, consider using a specific rule such as
+# allowing access based on (sub)domain:
+#
+# add_header Access-Control-Allow-Origin "subdomain.example.com";
+
+add_header Access-Control-Allow-Origin $cors;
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index c61d35c9af..a3c6fbc26f 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -204,9 +204,34 @@ http { include includes.d/http/*.conf; {% endblock -%} - {% if h5bp_expires_enabled -%} + # Add Access-Control-Allow-Origin. + # h5bp/directive-only/cross-origin-requests.conf + map $sent_http_content_type $cors { + # Images + image/bmp "*"; + image/gif "*"; + image/jpeg "*"; + image/png "*"; + image/svg+xml "*"; + image/webp "*"; + image/x-icon "*"; + + # Web fonts + font/collection "*"; + application/vnd.ms-fontobject "*"; + font/eot "*"; + font/opentype "*"; + font/otf "*"; + application/x-font-ttf "*"; + font/ttf "*"; + application/font-woff "*"; + application/x-font-woff "*"; + font/woff "*"; + application/font-woff2 "*"; + font/woff2 "*"; + } + include h5bp/directive-only/cache_expiration.conf; - {% endif -%} {% block sites_enabled -%} # Include files in the sites-enabled folder. server{} configuration files should be diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index d6cf59a10b..a5cf322d1b 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -190,7 +190,7 @@ server { {% endif -%} {% if h5bp_cross_domain_fonts_enabled -%} - include h5bp/location/cross-domain-fonts.conf; + include h5bp/directive-only/cross-origin-requests.conf; {% endif -%} {% if h5bp_expires_enabled -%} From a36214c06c00993773703479633154f08d58c473 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 19 Jul 2022 16:56:02 -0400 Subject: [PATCH 465/663] Update mime types --- roles/nginx/templates/h5bp/mime.types | 41 ++++++++++++++------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/roles/nginx/templates/h5bp/mime.types b/roles/nginx/templates/h5bp/mime.types index 972fd08958..03dde44898 100644 --- a/roles/nginx/templates/h5bp/mime.types +++ b/roles/nginx/templates/h5bp/mime.types 
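Review bot: The `$cors` map added to nginx.conf.j2 grants `Access-Control-Allow-Origin "*"` for the image types as well as the web fonts, but the only switch that includes the resulting `add_header` is still `h5bp_cross_domain_fonts_enabled` (wordpress-site.conf.j2 hunk on this line), so the variable's name no longer describes its effect. Either document this where that variable is defined (`# also sets Access-Control-Allow-Origin: * on image responses`) and in the CHANGELOG, or put the image entries behind their own flag. Separately, the `{% if h5bp_expires_enabled -%}` guard around `include h5bp/directive-only/cache_expiration.conf;` was dropped, so that include now renders unconditionally; if that is intended, the commit message should say so.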
@@ -6,15 +6,21 @@ types { application/json json map topojson; application/ld+json jsonld; application/rss+xml rss; - application/vnd.geo+json geojson; - application/xml rdf xml; + # Normalize to standard type. + # https://tools.ietf.org/html/rfc7946#section-12 + application/geo+json geojson; + application/xml xml; + # Normalize to standard type. + # https://tools.ietf.org/html/rfc3870#section-2 + application/rdf+xml rdf; # JavaScript - # Normalize to standard type. - # https://tools.ietf.org/html/rfc4329#section-7.2 - application/javascript js mjs; + # Servers should use text/javascript for JavaScript resources. + # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages + text/javascript js mjs; + application/wasm wasm; # Manifest files @@ -32,9 +38,12 @@ types { audio/ogg oga ogg opus; audio/x-realaudio ra; audio/x-wav wav; + image/apng apng; + image/avif avif avifs; image/bmp bmp; image/gif gif; image/jpeg jpeg jpg; + image/jxl jxl; image/jxr jxr hdp wdp; image/png png; image/svg+xml svg svgz; @@ -51,7 +60,6 @@ types { video/x-flv flv; video/x-mng mng; video/x-ms-asf asf asx; - video/x-ms-wmv wmv; video/x-msvideo avi; # Serving `.ico` image files with a different media type @@ -73,20 +81,12 @@ types { # Web fonts - application/font-woff woff; - application/font-woff2 woff2; + font/woff woff; + font/woff2 woff2; application/vnd.ms-fontobject eot; - - # Browsers usually ignore the font media types and simply sniff - # the bytes to figure out the font type. - # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern - # - # However, Blink and WebKit based browsers will show a warning - # in the console if the following font types are served with any - # other media types. - - application/x-font-ttf ttc ttf; - font/opentype otf; + font/ttf ttf; + font/collection ttc; + font/otf otf; # Other 
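Review bot: Dropping `video/x-ms-wmv wmv;` in the `@@ -51,7 +60,6 @@` hunk means `.wmv` files fall back to nginx's `default_type`, a behavior change the commit message ("Update mime types") does not call out. If the removal is deliberate, mention it in the message or CHANGELOG; otherwise keep the line. The `text/javascript` switch in the first hunk is documented inline with a spec link, which is the pattern to follow for the other normalizations here.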
@@ -122,10 +122,11 @@ types { application/xhtml+xml xhtml; application/xslt+xml xsl; application/zip zip; + text/calendar ics; text/css css; text/csv csv; text/html htm html shtml; - text/markdown md; + text/markdown md markdown; text/mathml mml; text/plain txt; text/vcard vcard vcf; From 8c0dee6d9c27cb4255c72b9bc48689141c7095f5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 20 Jul 2022 10:27:29 -0400 Subject: [PATCH 466/663] [skip ci] Update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d27d6c94e..41d9da4fb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Fix #905, #831 - Update hb5p Nginx configs ([#1406](https://github.com/roots/trellis/pull/1406)) + ### 1.16.0: July 18th, 2022 * Fix Ansible 6 support - remove broken and unused `cli` import ([#1404](https://github.com/roots/trellis/pull/1404)) * Fix #1400 - update shared path permission ([#1403](https://github.com/roots/trellis/pull/1403)) From 5fde32740888b24cc1686d01f647cae6b06324bd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 20 Jul 2022 12:06:43 -0400 Subject: [PATCH 467/663] Fix warnings for missing nginx-includes paths --- .../wordpress-setup/tasks/nginx-includes.yml | 99 +++++++++++-------- 1 file changed, 57 insertions(+), 42 deletions(-) diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index a18e2e1851..aebc5ae644 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
@@ -1,49 +1,64 @@ --- -- name: Build list of Nginx includes templates - find: - paths: - - "{{ nginx_includes_templates_path }}" - pattern: "*.conf.j2" - recurse: yes +- stat: + path: "{{ nginx_includes_templates_path }}" become: no delegate_to: localhost - register: nginx_includes_templates + register: nginx_includes_local_directory -- name: Create includes.d directories - file: - path: "{{ nginx_path }}/includes.d/{{ item }}" - state: directory - mode: '0755' - with_items: "{{ nginx_includes_templates.files | map(attribute='path') | - map('regex_replace', nginx_includes_pattern, '\\2') | - map('dirname') | unique | list | sort - }}" - when: nginx_includes_templates.files | count +- block: + - name: Build list of Nginx includes templates + find: + paths: "{{ nginx_includes_templates_path }}" + pattern: "*.conf.j2" + recurse: yes + become: no + delegate_to: localhost + register: nginx_includes_templates -- name: Template files out to includes.d - template: - src: "{{ item }}" - dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}" - mode: '0644' - with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" - notify: reload nginx + - name: Create includes.d directories + file: + path: "{{ nginx_path }}/includes.d/{{ item }}" + state: directory + recurse: yes + mode: '0755' + with_items: "{{ nginx_includes_templates.files | map(attribute='path') | + map('regex_replace', nginx_includes_pattern, '\\2') | + map('dirname') | unique | list | sort + }}" + when: nginx_includes_templates.files | count -- name: Retrieve list of existing files in includes.d - find: - paths: "{{ nginx_path }}/includes.d" - pattern: "*.conf" - recurse: yes - register: nginx_includes_existing - when: nginx_includes_d_cleanup | bool + - name: Template files out to includes.d + template: + src: "{{ item }}" + dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}" + mode: '0644' + 
with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" + notify: reload nginx + when: nginx_includes_local_directory.stat.isdir is defined + +- name: Cleanup old unmanaged Nginx includes + block: + - stat: + path: "{{ nginx_path }}/includes.d" + register: nginx_includes_directory -- name: Remove unmanaged files from includes.d - file: - path: "{{ item }}" - state: absent - with_items: "{{ nginx_includes_existing.files | default({}) | map(attribute='path') | - difference(nginx_includes_templates.files | map(attribute='path') | - map('regex_replace', nginx_includes_pattern, nginx_path + '/includes.d/\\2') | unique - ) | list - }}" - when: nginx_includes_d_cleanup - notify: reload nginx + - name: Retrieve list of existing files in includes.d + find: + paths: "{{ nginx_path }}/includes.d" + pattern: "*.conf" + recurse: yes + register: nginx_includes_existing + when: nginx_includes_directory.stat.isdir is defined + + - name: Remove unmanaged files from includes.d + file: + path: "{{ item }}" + state: absent + with_items: "{{ nginx_includes_existing.files | default({}) | map(attribute='path') | + difference(nginx_includes_templates.files | default({} )| map(attribute='path') | + map('regex_replace', nginx_includes_pattern, nginx_path + '/includes.d/\\2') | unique + ) | list + }}" + when: nginx_includes_directory.stat.isdir is defined + notify: reload nginx + when: nginx_includes_d_cleanup | bool From b06a2f3c251b5218cef316d41e4ce5f11e627edd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 20 Jul 2022 12:51:27 -0400 Subject: [PATCH 468/663] Fix warnings for missing fail2ban filters paths --- roles/fail2ban/defaults/main.yml | 1 + roles/fail2ban/tasks/main.yml | 14 +++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index 598172cfbd..a57c78e9ab 100644 --- a/roles/fail2ban/defaults/main.yml 
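Review bot: `when: nginx_includes_local_directory.stat.isdir is defined` tests whether the path exists rather than whether it is a directory — as far as I recall, Ansible's `stat` returns `isdir` (true or false) for any existing path — so a regular file at `nginx_includes_templates_path` would still enter the block and `find` would warn exactly as before. `when: nginx_includes_local_directory.stat.isdir | default(false)` expresses the intent; the same applies to `nginx_includes_directory.stat.isdir is defined` in the cleanup block and to `fail2ban_filter_templates_path_result.stat.isdir is defined` in the fail2ban hunk that follows. Two smaller things in the same hunk: `nginx_includes_templates.files | default({} )` (and the pre-existing `nginx_includes_existing.files | default({})`) should default to a list, `default([])`, because `.files` is a list; and the leading `- stat:` task is the only one in the file without a `name:`.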
+++ b/roles/fail2ban/defaults/main.yml @@ -28,4 +28,5 @@ fail2ban_services_default: fail2ban_services_custom: [] fail2ban_services: "{{ fail2ban_services_default + fail2ban_services_custom }}" +fail2ban_builtin_filter_templates_path: "{{ playbook_dir }}/roles/fail2ban/templates/filters" fail2ban_filter_templates_path: fail2ban_filters diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 2a900a2a87..8e1bf7ecba 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -18,11 +18,19 @@ notify: - restart fail2ban +- name: Check if fail2ban_filter_templates_path exists + stat: + path: "{{ fail2ban_filter_templates_path }}" + become: no + delegate_to: localhost + register: fail2ban_filter_templates_path_result + - name: build list of fail2ban filter templates find: - paths: - - "{{ playbook_dir }}/roles/fail2ban/templates/filters" - - "{{ fail2ban_filter_templates_path }}" + paths: "{{ fail2ban_filter_templates_path_result.stat.isdir is defined | ternary( + [fail2ban_builtin_filter_templates_path, fail2ban_filter_templates_path], + [fail2ban_builtin_filter_templates_path] + ) }}" pattern: "*.conf.j2" become: no delegate_to: localhost From 9c6f1ef0273caa1024d53169d81d3c89f3157b3c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 20 Jul 2022 15:32:37 -0400 Subject: [PATCH 469/663] Update mailhog galaxy role --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 5eb2e2545f..0413790b04 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -18,4 +18,4 @@ roles: - name: mailhog src: geerlingguy.mailhog - version: 2.2.0 + version: 2.3.0 From 6c78027c443ddf2253814b36e0de91339ca69308 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 20 Jul 2022 15:08:04 -0400 Subject: [PATCH 470/663] Disable HSTS includeSubdomains by default Ref #741 This changes the default for HSTS' `includeSubdomains` value from `true` to `false`. Previously a user visiting a WordPress site would result in HSTS being enabled in their browser for _all_ subdomains of the site's domain. Now HSTS will only apply to the hostnames activately managed by Trellis in the `wordpress_sites.yml` config. This is a safer default since subdomains can frequently exist without SSL. --- CHANGELOG.md | 1 + roles/wordpress-setup/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 41d9da4fb7..f12d3980e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Disable HSTS `includeSubdomains` by default ([#1409](https://github.com/roots/trellis/pull/1409)) * Fix #905, #831 - Update hb5p Nginx configs ([#1406](https://github.com/roots/trellis/pull/1406)) ### 1.16.0: July 18th, 2022 diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 4684d17a67..f03c2b010a 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -18,7 +18,7 @@ nginx_sites_confs: # HSTS defaults nginx_hsts_max_age: 31536000 -nginx_hsts_include_subdomains: true +nginx_hsts_include_subdomains: false nginx_hsts_preload: false # HSTS helpers From 2f5b06a31b838ae1cd154dd0718bb0c95c47aecc Mon Sep 17 00:00:00 2001 
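Review bot: `nginx_hsts_include_subdomains: false` carries none of the reasoning from the commit message into the defaults file, which is where the next person toggling it will look. A comment above the key, e.g. `# Enabling this applies HSTS to every subdomain of each site host, including ones Trellis does not serve over HTTPS`, keeps the safer default from being flipped back casually. The `# HSTS defaults` heading just above is the natural place for it.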
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 21 Jul 2022 13:54:43 -0400 Subject: [PATCH 471/663] Run composer check-platform-reqs during deploy Fixes #1244 Runs `composer check-platform-reqs` before installing composer dependencies to verify that platform requirements (i.e. php and php extensions) are fulfilled by the PHP process currently running. This could potentially prevent some "white page of death" errors before a deploy. Ref https://getcomposer.org/doc/07-runtime.md#platform-check --- roles/deploy/defaults/main.yml | 2 ++ roles/deploy/hooks/build-after.yml | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 329075b9de..3ac82c415f 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -51,6 +51,8 @@ update_db_on_deploy: true # Most scripts are used in development instead of remote servers. Use with caution. composer_no_scripts: true +# Whether to run `composer check-platform-reqs`. +composer_platform_requirements_check: true # Whether to autoload classes from classmap only. composer_classmap_authoritative: true diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 4c088f6452..78e3743924 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -25,6 +25,12 @@ loop_var: composer_authentication label: "{{ composer_authentication.hostname }}" +- name: Run composer check + composer: + command: check-platform-reqs + working_dir: "{{ deploy_helper.new_release_path }}" + when: composer_platform_requirements_check + - name: Install Composer dependencies composer: no_scripts: "{{ composer_no_scripts }}" From 28f1e5d1f8c18a35f8078497d12efb80dd6a804c Mon Sep 17 00:00:00 2001 
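Review bot: The new `Run composer check` task runs `check-platform-reqs` with no arguments, so it also checks the platform requirements of `require-dev` packages; if the `Install Composer dependencies` task that follows (its options are cut off in this hunk) installs without dev packages, a dev-only PHP extension would fail a production deploy for nothing. Passing `arguments: --no-dev` whenever the install is no-dev keeps the two in step. Also `when: composer_platform_requirements_check` should read `when: composer_platform_requirements_check | bool` to match the `| bool` style used for the other toggles on this page.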
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 22 Jul 2022 11:06:50 -0400 Subject: [PATCH 472/663] Improve composer authentications password handling Removes the validation to enforce `password` and sets the default to `""` which is quoted to ensure `composer` is properly passed `""` as the last argument value. --- roles/deploy/hooks/build-after.yml | 3 +-- roles/wordpress-install/tasks/composer-authentications.yml | 7 +++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 4c088f6452..8177ed270f 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -12,14 +12,13 @@ - name: Setup composer authentications composer: command: config - arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} + arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password | default("") | quote }} working_dir: "{{ deploy_helper.new_release_path }}" no_log: true changed_when: false when: - composer_authentication.hostname is defined and composer_authentication.hostname != "" - composer_authentication.username is defined and composer_authentication.username != "" - - composer_authentication.password is defined and composer_authentication.password != "" loop: "{{ composer_authentications | default([]) }}" loop_control: loop_var: composer_authentication diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 2b2e8649e2..62a23df81a 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml 
@@ -2,14 +2,13 @@ - name: "Setup composer authentications - {{ site }}" composer: command: config - arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} + arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password | default("") | quote }} working_dir: "{{ working_dir }}" no_log: true changed_when: false when: - - not (not composer_authentication.hostname) - - not (not composer_authentication.username) - - not (not composer_authentication.password) + - composer_authentication.hostname is defined and composer_authentication.hostname != "" + - composer_authentication.username is defined and composer_authentication.username != "" loop: "{{ composer_authentications | default([]) }}" loop_control: loop_var: composer_authentication From 9458545874375980a0392495deb66d3424018d89 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 22 Jul 2022 11:08:54 -0400 Subject: [PATCH 473/663] Remove deprecated packagist token --- group_vars/all/helpers.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 1e56f5c083..10101a4da7 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -20,8 +20,4 @@ ssl_stapling_enabled: "{{ item.value.ssl is defined and item.value.ssl.stapling_ cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}" sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}" -# For backward compatibility, to be removed in Trellis v2. -site_packagist_org_authentications: - - { hostname: repo.packagist.com, username: token, password: "{{ vault_wordpress_sites[site].packagist_token | default('') }}" } -site_composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" -composer_authentications: "{{ site_packagist_org_authentications + site_composer_authentications }}" +composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" From 7357bf31abcb1262a1840282689549bc7b09f28c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 22 Jul 2022 13:53:45 -0400 Subject: [PATCH 474/663] Quote username and hostname too Co-authored-by: Tang Rufus <tangrufus@gmail.com> --- roles/deploy/hooks/build-after.yml | 2 +- roles/wordpress-install/tasks/composer-authentications.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 8177ed270f..292ce23f75 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml 
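Review bot: Removing `site_packagist_org_authentications` means a `packagist_token` still present in a user's vault is now silently ignored, and the first symptom will be a Composer authentication failure mid-deploy; the diffstat shows no CHANGELOG entry and no validation for this. A `[BREAKING]` CHANGELOG line would match how the other breaking changes on this page are recorded, and a `fail` task that triggers when `vault_wordpress_sites[site].packagist_token is defined` and points at `composer_authentications` would make the migration explicit. The removed comment promised removal "in Trellis v2", so naming the version this lands in is worth a sentence.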
@@ -12,7 +12,7 @@
 - name: Setup composer authentications
 composer:
 command: config
- arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password | default("") | quote }}
+ arguments: --auth http-basic.{{ composer_authentication.hostname | quote }} {{ composer_authentication.username | quote }} {{ composer_authentication.password | default("") | quote }}
 working_dir: "{{ deploy_helper.new_release_path }}"
 no_log: true
 changed_when: false
diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml
index 62a23df81a..8ad265fe24 100644
--- a/roles/wordpress-install/tasks/composer-authentications.yml
+++ b/roles/wordpress-install/tasks/composer-authentications.yml
@@ -2,7 +2,7 @@
 - name: "Setup composer authentications - {{ site }}"
 composer:
 command: config
- arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password | default("") | quote }}
+ arguments: --auth http-basic.{{ composer_authentication.hostname | quote }} {{ composer_authentication.username | quote }} {{ composer_authentication.password | default("") | quote }}
 working_dir: "{{ working_dir }}"
 no_log: true
 changed_when: false
From e703d9d253569e9fcd0ace2d9ffe1ff7ad5ba414 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 27 Jul 2022 15:06:31 -0400 Subject: [PATCH 475/663] Simplify Nginx no-default sites Nginx has a newer `ssl_reject_handshake` directive that lets us simplify the "no default" site conf. Before we had to generate a self-signed certificate just to satisfy Nginx and create a server that listened on port 443. Now with `ssl_reject_handshake`, SSL handshakes with server names that are *not* part of the real WordPress server hosts will be rejected up front. This means we can skip self-signed certificate generation in default cases. The two separate server configs (HTTP and HTTPS) have now been merged into one as well since they are simpler overall. --- roles/wordpress-setup/defaults/main.yml | 11 ---------- .../tasks/self-signed-certificate.yml | 4 ++-- .../templates/no-default.conf.j2 | 9 ++++++++ .../templates/ssl.no-default.conf.j2 | 21 ------------------- 4 files changed, 11 insertions(+), 34 deletions(-) delete mode 100644 roles/wordpress-setup/templates/ssl.no-default.conf.j2 diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index f03c2b010a..277277a67c 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -2,19 +2,8 @@ site_uses_local_db: "{{ site_env.db_host == 'localhost' }}" nginx_wordpress_site_conf: wordpress-site.conf.j2 nginx_ssl_path: "{{ nginx_path }}/ssl" -ssl_default_site: - no_default: - site_hosts: - - canonical: request.is.invalid - ssl: - enabled: true - provider: self-signed - multisite: {} - nginx_sites_confs: - src: no-default.conf.j2 - - src: ssl.no-default.conf.j2 - enabled: "{{ sites_use_ssl }}" # HSTS defaults nginx_hsts_max_age: 31536000 diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 1147125d93..eef2b29775 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml 
+++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -10,7 +10,7 @@ src: self-signed-openssl-config.j2 dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" mode: '0644' - with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" + with_dict: "{{ wordpress_sites }}" when: - sites_use_ssl | bool - ssl_enabled | bool @@ -24,7 +24,7 @@ args: chdir: "{{ nginx_ssl_path }}" creates: "{{ item.key }}.*" - with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" + with_dict: "{{ wordpress_sites }}" when: - sites_use_ssl | bool - ssl_enabled | bool diff --git a/roles/wordpress-setup/templates/no-default.conf.j2 b/roles/wordpress-setup/templates/no-default.conf.j2 index 3a9bff2df6..8bd1a85e98 100644 --- a/roles/wordpress-setup/templates/no-default.conf.j2 +++ b/roles/wordpress-setup/templates/no-default.conf.j2 @@ -12,3 +12,12 @@ server { listen 80 default_server deferred; return 444; } + +{% if sites_use_ssl %} +server { + listen [::]:443 ssl default_server deferred; + listen 443 ssl default_server deferred; + + ssl_reject_handshake on; +} +{% endif %} diff --git a/roles/wordpress-setup/templates/ssl.no-default.conf.j2 b/roles/wordpress-setup/templates/ssl.no-default.conf.j2 deleted file mode 100644 index 479979c710..0000000000 --- a/roles/wordpress-setup/templates/ssl.no-default.conf.j2 +++ /dev/null 
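Review bot: `ssl_reject_handshake on;` in no-default.conf.j2 is only understood by nginx 1.19.4 and newer, as far as I know; on an older binary `nginx -t` fails with an unknown-directive error and the reload takes every site down with it. Either document the minimum version next to the directive (`# requires nginx >= 1.19.4`) or assert it in the nginx role before this template is written. The `{% if sites_use_ssl %}` block is otherwise a good simplification, since no certificate material is needed for the catch-all any more.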
@@ -1,21 +0,0 @@ -# {{ ansible_managed }} - -# Drop requests for unknown hosts -# -# If no default server is defined, nginx will use the first found server. -# To prevent host header attacks, or other potential problems when an unknown -# servername is used in a request, it's recommended to drop the request -# returning 444 "no response". - -server { - listen [::]:443 ssl default_server deferred; - listen 443 ssl default_server deferred; - - include h5bp/directive-only/ssl.conf; - - ssl_certificate {{ nginx_path }}/ssl/no_default.cert; - ssl_trusted_certificate {{ nginx_path }}/ssl/no_default.cert; - ssl_certificate_key {{ nginx_path }}/ssl/no_default.key; - - return 444; -} From ef015f66784b54c4de78273493ced6500deb0c95 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 27 Jul 2022 15:28:42 -0400 Subject: [PATCH 476/663] Uninstall Nginx from base GitHub image --- .github/workflows/integration.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 9741423727..284f8dab0e 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -20,6 +20,11 @@ jobs: sudo apt-get autoremove sudo apt-get autoclean sudo rm -rf /etc/apparmor.d/abstractions/mysql /etc/apparmor.d/cache/usr.sbin.mysqld /etc/mysql /var/lib/mysql /var/log/mysql* /var/log/upstart/mysql.log* /var/run/mysqld ~/.mysql_history + - name: Remove and cleanup Nginx + run: | + sudo apt-get remove --purge nginx* + sudo apt-get autoremove + sudo apt-get autoclean - uses: actions/checkout@v2 with: fetch-depth: 0 From 613e0452c6b12d227e21feaff6305e6fe478633e Mon Sep 17 00:00:00 2001 
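Review bot: `sudo apt-get remove --purge nginx*` in the new `Remove and cleanup Nginx` step leaves the glob unquoted, so the shell expands it against the working directory first; if any file there happens to match, apt-get receives those filenames instead of the pattern. `sudo apt-get remove --purge -y 'nginx*'` lets apt-get do its own matching and adds `-y`, which the surrounding cleanup lines also omit and so presumably rely on the runner image's apt configuration rather than an explicit flag. Worth applying the same to the mysql cleanup just above the hunk while the step is being touched.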
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 3 Aug 2022 21:36:47 -0400 Subject: [PATCH 477/663] Fix backwards compat for ssl.no-default conf https://github.com/roots/trellis/pull/1414 simplified the Nginx "no-default" site confs but broke backwards compatibility for existing servers by leaving the old site enabled. This would result in Nginx failing to restart because of duplicate listen options. This keeps the `ssl.no-default.conf.j2` site conf but instead sets it to disabled to prevent the duplicate listen options. Now there will only be a single active site for "no-default" that contains both HTTP (port 80) and HTTPS (port 443) listen options. --- roles/wordpress-setup/defaults/main.yml | 2 ++ roles/wordpress-setup/tasks/nginx.yml | 16 ++++++++-------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 277277a67c..e8e6d91959 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -4,6 +4,8 @@ nginx_ssl_path: "{{ nginx_path }}/ssl" nginx_sites_confs: - src: no-default.conf.j2 + - src: ssl.no-default.conf.j2 + enabled: false # HSTS defaults nginx_hsts_max_age: 31536000 diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index ebeb80c49b..c16108f02c 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml 
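Review bot: The `- src: ssl.no-default.conf.j2` / `enabled: false` entry added to `nginx_sites_confs` reads like dead configuration without the context in the commit message, and the next cleanup pass will remove it and reintroduce the duplicate-listen failure it exists to prevent. A comment above the entry, e.g. `# Kept only so existing servers remove the legacy sites-enabled symlink; no-default.conf.j2 now handles both ports 80 and 443`, pins the intent in the file itself.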
@@ -29,22 +29,22 @@ notify: reload nginx tags: nginx-sites -- name: Enable Nginx sites +- name: Disable Nginx sites file: path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" - src: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" - state: link - force: yes - when: item.enabled | default(true) + state: absent + when: not(item.enabled | default(true)) with_items: "{{ nginx_sites_confs }}" notify: reload nginx tags: nginx-sites -- name: Disable Nginx sites +- name: Enable Nginx sites file: path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" - state: absent - when: not(item.enabled | default(true)) + src: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" + state: link + force: yes + when: item.enabled | default(true) with_items: "{{ nginx_sites_confs }}" notify: reload nginx tags: nginx-sites From e6aa8e57020511947a52ca424d1c2db684cfb3c6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 5 Aug 2022 17:52:18 -0400 Subject: [PATCH 478/663] Add integration test step for second deploy This will trigger more conditional branches that the first deploy doesn't (since WP isn't yet installed for that one). --- .github/workflows/integration.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 284f8dab0e..757f406e96 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml 
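Review bot: The hunk swaps the order of `Disable Nginx sites` and `Enable Nginx sites` without a comment saying why, and neither the commit message nor the tasks make the dependency visible — for the confs listed on this page the two tasks touch different filenames. If the order is load-bearing, a one-line comment above `Disable Nginx sites` stating what would break if it ran after `Enable Nginx sites` protects it from the next re-sort; if it is not, the swap only inflates the diff.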
@@ -61,6 +61,9 @@ jobs:
 working-directory: /srv/www/example.com/current
 - name: Verify install
 run: curl -s http://example.com | grep "<title>Example"
+ - name: Deploy previously deployed site
+ run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production example.com
+ working-directory: example.com
 - name: Deploy https site
 run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production example-https.com
 working-directory: example.com
From 5d5d1d23cd58a1a4b3bb683b38efb61a15e5e087 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 5 Aug 2022 14:40:21 -0400 Subject: [PATCH 479/663] Replace with_ usage with `loop` This is the direction Ansible is moving in and it provides consistency and better loop control flexibility. --- .../common/tasks/disable_challenge_sites.yml | 2 +- roles/common/tasks/main.yml | 12 ++++--- roles/deploy/hooks/finalize-after.yml | 10 +++--- roles/deploy/hooks/finalize-before.yml | 2 +- roles/deploy/tasks/build.yml | 20 +++++++---- roles/deploy/tasks/finalize.yml | 10 +++--- roles/deploy/tasks/initialize.yml | 8 ++--- roles/deploy/tasks/main.yml | 8 ++--- roles/deploy/tasks/prepare.yml | 8 ++--- roles/deploy/tasks/share.yml | 34 +++++++++++++------ roles/deploy/tasks/update.yml | 12 ++++--- roles/fail2ban/tasks/main.yml | 4 +-- roles/ferm/handlers/main.yml | 4 ++- roles/ferm/tasks/main.yml | 14 +++----- roles/letsencrypt/tasks/certificates.yml | 16 ++++++--- roles/letsencrypt/tasks/nginx.yml | 18 +++++++--- roles/letsencrypt/tasks/setup.yml | 4 ++- roles/mariadb/tasks/main.yml | 4 +-- roles/memcached/tasks/main.yml | 4 ++- roles/nginx/tasks/main.yml | 2 +- roles/php/tasks/main.yml | 6 ++-- roles/sshd/tasks/main.yml | 4 ++- roles/users/tasks/main.yml | 12 ++++--- roles/wordpress-install/tasks/directories.yml | 12 +++++-- roles/wordpress-install/tasks/dotenv.yml | 8 +++-- roles/wordpress-install/tasks/main.yml | 22 ++++++++---- roles/wordpress-setup/tasks/database.yml | 8 +++-- roles/wordpress-setup/tasks/main.yml | 12 +++++-- .../tasks/nginx-client-cert.yml | 4 ++- .../wordpress-setup/tasks/nginx-includes.yml | 6 ++-- roles/wordpress-setup/tasks/nginx.yml | 22 ++++++++---- .../tasks/self-signed-certificate.yml | 8 +++-- roles/wp-cli/tasks/main.yml | 4 +-- 33 files changed, 209 insertions(+), 115 deletions(-) diff --git a/roles/common/tasks/disable_challenge_sites.yml b/roles/common/tasks/disable_challenge_sites.yml index 7995565b3a..32c12667e9 100644 --- a/roles/common/tasks/disable_challenge_sites.yml 
+++ b/roles/common/tasks/disable_challenge_sites.yml @@ -3,5 +3,5 @@ file: path: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item }}.conf" state: absent - with_items: "{{ wordpress_sites.keys() | list }}" + loop: "{{ wordpress_sites.keys() | list }}" notify: reload nginx diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 8b74eb1061..0d24d606e4 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -4,7 +4,7 @@ include_vars: file: group_vars/{{ item }}/wordpress_sites.yml name: "{{ item }}_sites" - with_items: "{{ envs_with_wp_sites }}" + loop: "{{ envs_with_wp_sites }}" when: envs_with_wp_sites | count > 1 - name: Fail if there are duplicate site keys within host's wordpress_sites @@ -15,7 +15,7 @@ are duplicated between the `{{ item.env_pair | join('` and `') }}` groups: {{ item.site_keys | to_nice_yaml | indent(2) }} when: item.site_keys | count - with_items: "{{ site_keys_by_env_pair }}" + loop: "{{ site_keys_by_env_pair }}" when: - env_groups | count > 1 @@ -30,7 +30,9 @@ - name: Validate format of site_hosts fail: msg: "{{ lookup('template', 'site_hosts.j2') }}" - with_dict: "{{ wordpress_sites }}" + loop: "{{ wordpress_sites | dict2items }}" + loop_control: + label: "{{ item.key }}" when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count tags: [letsencrypt, wordpress] @@ -144,7 +146,9 @@ name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" - with_dict: "{{ apt_packages }}" + loop: "{{ apt_packages | dict2items }}" + loop_control: + label: "{{ item.key }}" - name: Validate timezone variable stat: diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 1d20d3b456..a939f5c4da 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
@@ -10,15 +10,15 @@
 - name: Update WP theme paths
 command: >
- wp option set {{ item[0].option }}
+ wp option set {{ item[0].item }}
 {{ item[1] | regex_replace('.*' + deploy_helper.releases_path + '/[^/]*(.*)', deploy_helper.new_release_path + '\1') }}
 {% if project.multisite.enabled | default(false) %} --url={{ item[1].split(' ')[0] }}{% endif %}
 args:
 chdir: "{{ deploy_helper.current_path }}"
- when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool
- with_subelements:
- - "[{% for result in wp_template_root.results %}{'option': '{{ result.item }}', 'stdout_lines': {{ result.stdout_lines | default ([]) | select('search', deploy_helper.releases_path) | list }}},{% endfor %}]"
- - stdout_lines
+ loop: "{{ wp_template_root.results | subelements('stdout_lines', skip_missing=true) }}"
+ loop_control:
+ label: "{{ item[0].item }}"
+ when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool and item[1] is match(deploy_helper.releases_path)
 - name: Warn about updating network database.
 debug:
diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml
index b9fb5fd981..b219df86b0 100644
--- a/roles/deploy/hooks/finalize-before.yml
+++ b/roles/deploy/hooks/finalize-before.yml
@@ -56,6 +56,6 @@
 when:
 - wp_installed.rc == 0
 - project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool
- with_items:
+ loop:
 - template_root
 - stylesheet_root
diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml
index aa0e043e69..499d65eed3 100644
--- a/roles/deploy/tasks/build.yml
+++ b/roles/deploy/tasks/build.yml
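Review bot: The rewritten `when` tests `item[1] is match(deploy_helper.releases_path)`, and `match` anchors at the start of the string, whereas the removed `select('search', ...)` accepted the path anywhere in the line; since the command's own `regex_replace` begins with `.*` and the multisite branch reads `item[1].split(' ')[0]` as a URL, lines that do not start with the releases path (apparently the multisite case) would now be skipped and the theme path left pointing at the old release. Restoring the old semantics is a one-word change: `when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool and item[1] is search(deploy_helper.releases_path)`. While here, `deploy_helper.releases_path` is spliced into both regexes unescaped (pre-existing), so passing it through `regex_escape` would be safer. The task list this hunk sits in continues outside the hunk.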
@@ -4,12 +4,13 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_build_before_paths
- with_items: "{{ deploy_build_before | default([]) }}"
+ loop: "{{ deploy_build_before | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_build_before_paths.results }}"
+ loop: "{{ deploy_build_before_paths.results }}"
 loop_control:
 loop_var: include_path
+ label: "{{ include_path.item }}"
 when: include_path.stat.exists
 tags: deploy-build-before
@@ -18,13 +19,15 @@
 src: "{{ item.src }}"
 dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}"
 mode: "{{ item.mode | default('0644') }}"
- with_items: "{{ project.project_templates | default(project_templates) }}"
+ loop: "{{ project.project_templates | default(project_templates) }}"
+ loop_control:
+ label: "{{ item.name }}"
 - name: Check if project folders exist
 stat:
 path: "{{ deploy_helper.current_path }}/{{ item }}"
 register: project_folder_paths
- with_items: "{{ project.project_copy_folders | default(project_copy_folders) }}"
+ loop: "{{ project.project_copy_folders | default(project_copy_folders) }}"
 - name: Copy project folders
 copy:
@@ -32,7 +35,9 @@
 dest: "{{ deploy_helper.new_release_path }}/{{ item.item }}"
 remote_src: true
 mode: 'preserve'
- with_items: "{{ project_folder_paths.results }}"
+ loop: "{{ project_folder_paths.results }}"
+ loop_control:
+ label: "{{ item.item }}"
 when: item.stat.exists
 - name: Check if deploy_build_after scripts exist
@@ -40,11 +45,12 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_build_after_paths
- with_items: "{{ deploy_build_after | default([]) }}"
+ loop: "{{ deploy_build_after | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_build_after_paths.results }}"
+ loop: "{{ deploy_build_after_paths.results }}"
 loop_control:
 loop_var: include_path
+ label: "{{ include_path.item }}"
 when: include_path.stat.exists
 tags: deploy-build-after
diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml
index 824c44f3e5..843f46632c 100644
--- a/roles/deploy/tasks/finalize.yml
+++ b/roles/deploy/tasks/finalize.yml
@@ -4,12 +4,13 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_finalize_before_paths
- with_items: "{{ deploy_finalize_before | default([]) }}"
+ loop: "{{ deploy_finalize_before | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_finalize_before_paths.results }}"
+ loop: "{{ deploy_finalize_before_paths.results }}"
 loop_control:
 loop_var: include_path
+ label: "{{ include_path.item }}"
 when: include_path.stat.exists
 tags: deploy-finalize-before
@@ -26,12 +27,13 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_finalize_after_paths
- with_items: "{{ deploy_finalize_after | default([]) }}"
+ loop: "{{ deploy_finalize_after | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_finalize_after_paths.results }}"
+ loop: "{{ deploy_finalize_after_paths.results }}"
 loop_control:
 loop_var: include_path
+ label: "{{ include_path.item }}"
 when: include_path.stat.exists
 tags: deploy-finalize-after
diff --git a/roles/deploy/tasks/initialize.yml b/roles/deploy/tasks/initialize.yml
index 5b1d48cc16..df75215f5e 100644
--- a/roles/deploy/tasks/initialize.yml
+++ b/roles/deploy/tasks/initialize.yml
@@ -4,10 +4,10 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_initialize_before_paths
- with_items: "{{ deploy_initialize_before | default([]) }}"
+ loop: "{{ deploy_initialize_before | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_initialize_before_paths.results }}"
+ loop: "{{ deploy_initialize_before_paths.results }}"
 loop_control:
 loop_var: include_path
 when: include_path.stat.exists
@@ -24,10 +24,10 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_initialize_after_paths
- with_items: "{{ deploy_initialize_after | default([]) }}"
+ loop: "{{ deploy_initialize_after | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_initialize_after_paths.results }}"
+ loop: "{{ deploy_initialize_after_paths.results }}"
 loop_control:
 loop_var: include_path
 when: include_path.stat.exists
diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml
index 5478676a7b..b8c102d4ac 100644
--- a/roles/deploy/tasks/main.yml
+++ b/roles/deploy/tasks/main.yml
@@ -4,10 +4,10 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_before_paths
- with_items: "{{ deploy_before | default([]) }}"
+ loop: "{{ deploy_before | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_before_paths.results }}"
+ loop: "{{ deploy_before_paths.results }}"
 loop_control:
 loop_var: include_path
 when: include_path.stat.exists
@@ -25,10 +25,10 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_after_paths
- with_items: "{{ deploy_after | default([]) }}"
+ loop: "{{ deploy_after | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_after_paths.results }}"
+ loop: "{{ deploy_after_paths.results }}"
 loop_control:
 loop_var: include_path
 when: include_path.stat.exists
diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml
index 2567d7986e..33ae769999 100644
--- a/roles/deploy/tasks/prepare.yml
+++ b/roles/deploy/tasks/prepare.yml
@@ -4,10 +4,10 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_prepare_before_paths
- with_items: "{{ deploy_prepare_before | default([]) }}"
+ loop: "{{ deploy_prepare_before | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_prepare_before_paths.results }}"
+ loop: "{{ deploy_prepare_before_paths.results }}"
 loop_control:
 loop_var: include_path
 when: include_path.stat.exists
@@ -59,10 +59,10 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_prepare_after_paths
- with_items: "{{ deploy_prepare_after | default([]) }}"
+ loop: "{{ deploy_prepare_after | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_prepare_after_paths.results }}"
+ loop: "{{ deploy_prepare_after_paths.results }}"
 loop_control:
 loop_var: include_path
 when: include_path.stat.exists
diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml
index 043ab79392..ee3166d549 100644
--- a/roles/deploy/tasks/share.yml
+++ b/roles/deploy/tasks/share.yml
@@ -4,12 +4,13 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_share_before_paths
- with_items: "{{ deploy_share_before | default([]) }}"
+ loop: "{{ deploy_share_before | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_share_before_paths.results }}"
+ loop: "{{ deploy_share_before_paths.results }}"
 loop_control:
 loop_var: include_path
+ label: "{{ include_path.item }}"
 when: include_path.stat.exists
 tags: deploy-share-before
@@ -18,7 +19,9 @@
 path: "{{ deploy_helper.shared_path }}/{{ item.src }}"
 state: directory
 mode: "{{ item.mode | default('0755') }}"
- with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop_control:
+ label: "{{ item.path }}"
 when: item.type | default('directory') | lower == 'directory'
 - name: Ensure shared sources are present -- files' parent directories
@@ -26,7 +29,9 @@
 path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}"
 state: directory
 mode: '0755'
- with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop_control:
+ label: "{{ item.path }}"
 when: item.type | default('directory') | lower == 'file'
 - name: Ensure shared sources are present -- files
@@ -34,7 +39,9 @@
 path: "{{ deploy_helper.shared_path }}/{{ item.src }}"
 state: touch
 mode: "{{ item.mode | default('0644') }}"
- with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop_control:
+ label: "{{ item.path }}"
 when: item.type | default('directory') | lower == 'file'
 - name: Ensure parent directories for shared paths are present
@@ -42,31 +49,38 @@
 path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}"
 mode: '0755'
 state: directory
- with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop_control:
+ label: "{{ item.path }}"
 - name: Ensure shared paths are absent
 file:
 path: "{{ deploy_helper.new_release_path }}/{{ item.path }}"
 state: absent
- with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop_control:
+ label: "{{ item.path }}"
 - name: Create shared symlinks
 file:
 path: "{{ deploy_helper.new_release_path }}/{{ item.path }}"
 src: "{{ deploy_helper.shared_path }}/{{ item.src }}"
 state: link
- with_items: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop: "{{ project.project_shared_children | default(project_shared_children) }}"
+ loop_control:
+ label: "{{ item.path }}"
 - name: Check if deploy_share_after scripts exist
 stat:
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_share_after_paths
- with_items: "{{ deploy_share_after | default([]) }}"
+ loop: "{{ deploy_share_after | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_share_after_paths.results }}"
+ loop: "{{ deploy_share_after_paths.results }}"
 loop_control:
 loop_var: include_path
+ label: "{{ include_path.item }}"
 when: include_path.stat.exists
 tags: deploy-share-after
diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml
index 17250a0493..36e97346aa 100644
--- a/roles/deploy/tasks/update.yml
+++ b/roles/deploy/tasks/update.yml
@@ -4,10 +4,10 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_update_before_paths
- with_items: "{{ deploy_update_before | default([]) }}"
+ loop: "{{ deploy_update_before | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_update_before_paths.results }}"
+ loop: "{{ deploy_update_before_paths.results }}"
 loop_control:
 loop_var: include_path
 when: include_path.stat.exists
@@ -19,7 +19,9 @@
 key: "{{ item.key | default(omit) }}"
 path: "{{ item.path | default(omit) }}"
 state: "{{ item.state | default('present') }}"
- with_items: "{{ known_hosts | default([]) }}"
+ loop: "{{ known_hosts | default([]) }}"
+ loop_control:
+ label: "{{ item.name }}"
 - name: Clone project files
 git:
@@ -56,10 +58,10 @@
 path: "{{ item }}"
 delegate_to: localhost
 register: deploy_update_after_paths
- with_items: "{{ deploy_update_after | default([]) }}"
+ loop: "{{ deploy_update_after | default([]) }}"
 - include_tasks: "{{ include_path.item }}"
- with_items: "{{ deploy_update_after_paths.results }}"
+ loop: "{{ deploy_update_after_paths.results }}"
 loop_control:
 loop_var: include_path
 when: include_path.stat.exists
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index 8e1bf7ecba..e11453c8f4 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -12,7 +12,7 @@
 src: "{{ item }}.j2"
 dest: /etc/fail2ban/{{ item }}
 mode: '0644'
- with_items:
+ loop:
 - jail.local
 - fail2ban.local
 notify:
@@ -47,7 +47,7 @@
 src: "{{ item }}"
 dest: "/etc/fail2ban/filter.d/{{ item | basename | regex_replace('.j2$', '') }}"
 mode: '0644'
- with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}"
+ loop: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}"
 notify: restart fail2ban
 - name: ensure fail2ban starts on a fresh reboot
diff --git a/roles/ferm/handlers/main.yml b/roles/ferm/handlers/main.yml
index 2af34d8500..c18fe1719c 100644
--- a/roles/ferm/handlers/main.yml
+++ b/roles/ferm/handlers/main.yml
@@ -1,4 +1,6 @@
 ---
 - name: restart ferm
- service: name=ferm state=restarted
+ service:
+ name: ferm
+ state: restarted
 when: ferm_enabled | bool
diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml
index 2848cb488a..ae147a5554 100644
--- a/roles/ferm/tasks/main.yml
+++ b/roles/ferm/tasks/main.yml
@@ -20,7 +20,7 @@
 path: "{{ item }}"
 state: directory
 mode: '0750'
- with_items:
+ loop:
 - /etc/ferm/ferm.d
 - /etc/ferm/filter-input.d
@@ -29,7 +29,7 @@
 src: "{{ item }}.j2"
 dest: /{{ item }}
 mode: '0644'
- with_items:
+ loop:
 - etc/default/ferm
 - etc/ferm/ferm.conf
 notify:
@@ -42,10 +42,7 @@
 {% else %}
 path=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf
 {% endif %}
- with_flattened:
- - "{{ ferm_input_list }}"
- - "{{ ferm_input_group_list }}"
- - "{{ ferm_input_host_list }}"
+ loop: "{{ ferm_input_list + ferm_input_group_list + ferm_input_host_list | flatten}}"
 when: ((item.type is defined and item.type) and (item.dport is defined and item.dport)) and (item.delete is defined and item.delete)
@@ -57,10 +54,7 @@
 dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf
 {% endif %}
 mode=0644
- with_flattened:
- - "{{ ferm_input_list }}"
- - "{{ ferm_input_group_list }}"
- - "{{ ferm_input_host_list }}"
+ loop: "{{ ferm_input_list + ferm_input_group_list + ferm_input_host_list | flatten}}"
 when: (item.type is defined and item.type and item.dport is defined and item.dport) and (item.delete is undefined or (item.delete is defined and not item.delete))
diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml
index 110af4219e..eb330a3fa3 100644
--- a/roles/letsencrypt/tasks/certificates.yml
+++ b/roles/letsencrypt/tasks/certificates.yml
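Review bot: In both new `loop:` lines that replace `with_flattened` (hunks `@@ -42` and `@@ -57`), `| flatten` binds only to `ferm_input_host_list` because Jinja filters bind tighter than `+`, so `ferm_input_list` and `ferm_input_group_list` are no longer flattened at all. A nested list in either variable, which `with_flattened` accepted, now arrives as a list-valued `item`; `item.type is defined` is then false and the rule file is silently neither removed nor written, so a firewall rule can drop out with no task failure. Parenthesise the concatenation in both places: `loop: "{{ (ferm_input_list + ferm_input_group_list + ferm_input_host_list) | flatten }}"`. Both tasks' module arguments begin above their hunks.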
@@ -4,14 +4,18 @@
 args:
 creates: "{{ letsencrypt_keys_dir }}/{{ item.key }}.key"
 when: site_uses_letsencrypt
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Ensure correct permissions on private keys
 file:
 path: "{{ letsencrypt_keys_dir }}/{{ item.key }}.key"
 mode: '0600'
 when: site_uses_letsencrypt
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Generate Lets Encrypt certificate IDs
 shell: |
@@ -24,7 +28,9 @@
 register: generate_cert_ids
 changed_when: false
 when: site_uses_letsencrypt
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes]
 - name: Generate CSRs
@@ -33,7 +39,9 @@
 executable: /bin/bash
 creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr"
 when: site_uses_letsencrypt
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Generate certificate renewal script
 template:
diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml
index 877ed09c92..229f6ff4b2 100644
--- a/roles/letsencrypt/tasks/nginx.yml
+++ b/roles/letsencrypt/tasks/nginx.yml
@@ -12,7 +12,9 @@
 register: current_hosts
 changed_when: false
 when: site_uses_letsencrypt
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Create needed Nginx confs for challenges
 template:
@@ -23,7 +25,9 @@
 when:
 - site_uses_letsencrypt
 - missing_hosts | count
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Enable Nginx sites
 file:
@@ -34,7 +38,9 @@
 when:
 - site_uses_letsencrypt
 - missing_hosts | count
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 notify: disable temporary challenge sites
 - import_tasks: "{{ playbook_dir }}/roles/common/tasks/reload_nginx.yml"
@@ -52,7 +58,9 @@
 register: letsencrypt_test_challenges
 ignore_errors: true
 when: site_uses_letsencrypt
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Notify of challenge failures
 fail:
@@ -63,4 +71,4 @@
 If you don't want these domains in your SSL certificate, then remove them from `site_hosts`.
 See https://roots.io/trellis/docs/ssl for more details.
 when: item is not skipped and item is failed
- with_items: "{{ letsencrypt_test_challenges.results }}"
+ loop: "{{ letsencrypt_test_challenges.results }}"
diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml
index c23ba5918d..72664d0f42 100644
--- a/roles/letsencrypt/tasks/setup.yml
+++ b/roles/letsencrypt/tasks/setup.yml
@@ -26,7 +26,7 @@
 mode: "{{ item.mode | default(omit) }}"
 path: "{{ item.path }}"
 state: directory
- with_items:
+ loop:
 - path: "{{ acme_tiny_data_directory }}"
 mode: '0700'
 - path: "{{ acme_tiny_data_directory }}/csrs"
@@ -34,6 +34,8 @@
 - path: "{{ acme_tiny_challenges_directory }}"
 - path: "{{ letsencrypt_certs_dir }}"
 mode: '0700'
+ loop_control:
+ label: "{{ item.path }}"
 - name: Clone acme-tiny repository
 git:
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
index 0da81f6f95..08a0d2a611 100644
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -49,7 +49,7 @@
 check_implicit_admin: yes
 state: present
 no_log: true
- with_items:
+ loop:
 - "{{ inventory_hostname }}"
 - 127.0.0.1
 - ::1
@@ -61,7 +61,7 @@
 host: "{{ item }}"
 state: absent
 no_log: true
- with_items:
+ loop:
 - localhost
 - "{{ inventory_hostname }}"
 - "{{ ansible_hostname }}"
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
index 04bec4ffb4..c638f2cb85 100644
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
@@ -4,7 +4,9 @@
 name: "{{ item.key }}"
 state: "{{ item.value }}"
 cache_valid_time: "{{ apt_cache_valid_time }}"
- with_dict: "{{ memcached_packages }}"
+ loop: "{{ memcached_packages |dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Copy the client configuration file
 template:
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 676679ce1b..c0748a2117 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -20,7 +20,7 @@
 path: "{{ nginx_path }}/{{ item }}"
 state: directory
 mode: '0755'
- with_items:
+ loop:
 - sites-available
 - sites-enabled
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
index 3a8c6d9f10..e5fce88125 100644
--- a/roles/php/tasks/main.yml
+++ b/roles/php/tasks/main.yml
@@ -10,13 +10,15 @@
 state: "{{ item.value }}"
 cache_valid_time: "{{ apt_cache_valid_time }}"
 install_recommends: no
- with_dict: "{{ php_extensions }}"
+ loop: "{{ php_extensions | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Ensure correct PHP version selected
 community.general.alternatives:
 name: php
 path: /usr/bin/php{{ php_version }}
-
+
 - name: Find existing php fpm services
 find:
 paths: /etc/init.d
diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml
index 152b4f7fd3..4dc76960e5 100644
--- a/roles/sshd/tasks/main.yml
+++ b/roles/sshd/tasks/main.yml
@@ -4,7 +4,9 @@
 name: "{{ item.key }}"
 state: "{{ item.value }}"
 cache_valid_time: "{{ apt_cache_valid_time }}"
- with_dict: "{{ sshd_packages }}"
+ loop: "{{ sshd_packages | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 notify: restart ssh
 - name: Create a secure sshd_config
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index 09b84830df..fb65473803 100644
--- a/roles/users/tasks/main.yml
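Review bot: Style: the memcached hunk's `loop: "{{ memcached_packages |dict2items }}"` drops the space after the pipe, unlike every other `| dict2items` introduced in this commit; write `loop: "{{ memcached_packages | dict2items }}"` so the role reads like its siblings. The apt task this hunk modifies starts above the hunk.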
+++ b/roles/users/tasks/main.yml
@@ -3,7 +3,7 @@
 group:
 name: "{{ item }}"
 state: present
- with_items: "{{ users | sum(attribute='groups', start=[]) | list | unique }}"
+ loop: "{{ users | sum(attribute='groups', start=[]) | list | unique }}"
 - name: Ensure sudo group has sudo privileges
 lineinfile:
@@ -37,7 +37,9 @@
 state: present
 shell: /bin/bash
 update_password: "{{ item.update_password | default('always') }}"
- with_items: "{{ users }}"
+ loop: "{{ users }}"
+ loop_control:
+ label: "{{ item.name }}"
 - name: Add web user sudoers items for services
 template:
@@ -53,9 +55,9 @@
 authorized_key:
 user: "{{ item.0.name }}"
 key: "{{ item.1 }}"
- with_subelements:
- - "{{ users | default([]) }}"
- - keys
+ loop: "{{ users | default([]) | subelements('keys') }}"
+ loop_control:
+ label: "{{ item.0.name }}"
 - name: Add deploy SSH keys
 authorized_key:
diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml
index 591255688b..7b3c0c44bd 100644
--- a/roles/wordpress-install/tasks/directories.yml
+++ b/roles/wordpress-install/tasks/directories.yml
@@ -6,7 +6,9 @@
 group: "{{ web_group }}"
 mode: '0755'
 state: directory
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Create shared folder of sites
 file:
@@ -15,7 +17,9 @@
 group: "{{ web_group }}"
 mode: '0755'
 state: directory
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Change site owner to user
 file:
@@ -24,4 +28,6 @@
 group: "{{ web_group }}"
 state: directory
 recurse: yes
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml
index 5397096992..af744be89d 100644
--- a/roles/wordpress-install/tasks/dotenv.yml
+++ b/roles/wordpress-install/tasks/dotenv.yml
@@ -6,12 +6,16 @@
 mode: '0644'
 owner: "{{ web_user }}"
 group: "{{ web_group }}"
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Copy .env file into web root
 synchronize:
 src: "/tmp/{{ item.key }}.env"
 dest: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env"
 checksum: true
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 delegate_to: "{{ inventory_hostname }}"
diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml
index 25bb07f0ce..aa1037d8a0 100644
--- a/roles/wordpress-install/tasks/main.yml
+++ b/roles/wordpress-install/tasks/main.yml
@@ -12,14 +12,18 @@
 path: "{{ item.path | default(omit) }}"
 state: "{{ item.state | default('present') }}"
 become: no
- with_items: "{{ known_hosts | default([]) }}"
+ loop: "{{ known_hosts | default([]) }}"
+ loop_control:
+ label: "{{ item.name }}"
 - include_tasks: tasks/composer-authentications.yml
 vars:
 site: "{{ item.key }}"
 working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/"
 no_log: true
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Install Dependencies with Composer
 composer:
@@ -27,7 +31,9 @@
 optimize_autoloader: no
 working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/"
 become: no
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Install WP
 command: wp core {{ item.value.multisite.enabled | default(false) | ternary('multisite-install', 'install') }}
@@ -46,7 +52,9 @@
 args:
 chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/"
 register: wp_install
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 when: item.value.site_install | default(true)
 changed_when: "'WordPress is already installed.' not in wp_install.stdout and 'The network already exists.' not in wp_install.stdout"
@@ -54,12 +62,14 @@
 command: wp rewrite structure {{ item.item.value.initial_permalink_structure | default("/%postname%/") }} --allow-root
 args:
 chdir: "{{ www_root }}/{{ item.item.key }}/{{ item.item.value.current_path | default('current') }}/"
- with_items: "{{ wp_install.results }}"
+ loop: "{{ wp_install.results }}"
 when: item is changed
 - name: Update WP Multisite Home URL
 command: wp option update home {{ site_env.wp_home }} --allow-root
 args:
 chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/"
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 when: item.value.site_install | default(true) and item.value.multisite.enabled | default(false)
diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml
index ad10a40026..4fed3d97c1 100644
--- a/roles/wordpress-setup/tasks/database.yml
+++ b/roles/wordpress-setup/tasks/database.yml
@@ -8,7 +8,9 @@
 login_user: "{{ mysql_root_user }}"
 login_password: "{{ mysql_root_password }}"
 no_log: true
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Create/assign database user to db and grant permissions
 mysql_user:
@@ -22,6 +24,8 @@
 login_user: "{{ mysql_root_user }}"
 login_password: "{{ mysql_root_password }}"
 no_log: true
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 when: site_uses_local_db and item.value.db_create | default(true)
diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml
index ac1fd8a735..685a6b184e 100644
--- a/roles/wordpress-setup/tasks/main.yml
+++ b/roles/wordpress-setup/tasks/main.yml
@@ -21,7 +21,9 @@
 group: "{{ web_group }}"
 mode: '0755'
 state: directory
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Create WordPress php-fpm configuration file
 template:
@@ -51,7 +53,9 @@
 job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1"
 cron_file: "wordpress-{{ item.key | replace('.', '_') }}"
 state: "{{ (cron_enabled and not item.value.multisite.enabled) | ternary('present', 'absent') }}"
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 - name: Setup WP Multisite system cron
 cron:
@@ -61,4 +65,6 @@
 job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1"
 cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}"
 state: "{{ (cron_enabled and item.value.multisite.enabled) | ternary('present', 'absent') }}"
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
diff --git a/roles/wordpress-setup/tasks/nginx-client-cert.yml b/roles/wordpress-setup/tasks/nginx-client-cert.yml
index 69f7026a22..7e11e90de8 100644
--- a/roles/wordpress-setup/tasks/nginx-client-cert.yml
+++ b/roles/wordpress-setup/tasks/nginx-client-cert.yml
@@ -4,5 +4,7 @@
 url: "{{ item.value.ssl.client_cert_url }}"
 dest: "{{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt"
 mode: '0640'
- with_dict: "{{ wordpress_sites }}"
+ loop: "{{ wordpress_sites | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
 when: ssl_enabled and item.value.ssl.client_cert_url is defined
diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml
index aebc5ae644..265011cea0 100644
--- a/roles/wordpress-setup/tasks/nginx-includes.yml
+++ b/roles/wordpress-setup/tasks/nginx-includes.yml
@@ -21,7 +21,7 @@
 state: directory
 recurse: yes
 mode: '0755'
- with_items: "{{ nginx_includes_templates.files | map(attribute='path') |
+ loop: "{{ nginx_includes_templates.files | map(attribute='path') |
 map('regex_replace', nginx_includes_pattern, '\\2') |
 map('dirname') |
 unique | list | sort }}"
@@ -32,7 +32,7 @@
 src: "{{ item }}"
 dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}"
 mode: '0644'
- with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}"
+ loop: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}"
 notify: reload nginx
 when: nginx_includes_local_directory.stat.isdir is defined
@@ -54,7 +54,7 @@
 file:
 path: "{{ item }}"
 state: absent
- with_items: "{{ nginx_includes_existing.files | default({}) | map(attribute='path') |
+ loop: "{{ nginx_includes_existing.files | default({}) | map(attribute='path') |
 difference(nginx_includes_templates.files | default({} )| map(attribute='path') |
 map('regex_replace', nginx_includes_pattern, nginx_path + '/includes.d/\\2') |
 unique ) | list
diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml
index c16108f02c..9f81d32c23 100644
--- a/roles/wordpress-setup/tasks/nginx.yml
+++ b/roles/wordpress-setup/tasks/nginx.yml
@@ -4,7 +4,9 @@ src: "{{ item.value.ssl.cert }}" dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.cert | basename }}" mode: '0640' - with_dict: "{{ wordpress_sites }}" + loop: "{{ wordpress_sites | dict2items }}" + loop_control: + label: "{{ item.key }}" when: ssl_enabled and item.value.ssl.cert is defined notify: reload nginx @@ -13,7 +15,9 @@ src: "{{ item.value.ssl.key }}" dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.key | basename }}" mode: '0600' - with_dict: "{{ wordpress_sites }}" + loop: "{{ wordpress_sites | dict2items }}" + loop_control: + label: "{{ item.key }}" when: ssl_enabled and item.value.ssl.key is defined notify: reload nginx @@ -24,7 +28,7 @@ src: "{{ item.src }}" dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" mode: '0644' - with_items: "{{ nginx_sites_confs }}" + loop: "{{ nginx_sites_confs }}" when: item.enabled | default(true) notify: reload nginx tags: nginx-sites @@ -34,7 +38,7 @@ path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" state: absent when: not(item.enabled | default(true)) - with_items: "{{ nginx_sites_confs }}" + loop: "{{ nginx_sites_confs }}" notify: reload nginx tags: nginx-sites @@ -45,7 +49,7 @@ state: link force: yes when: item.enabled | default(true) - with_items: "{{ nginx_sites_confs }}" + loop: "{{ nginx_sites_confs }}" notify: reload nginx tags: nginx-sites @@ -61,7 +65,9 @@ src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}" dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf" mode: '0644' - with_dict: "{{ wordpress_sites }}" + loop: "{{ wordpress_sites | dict2items }}" + loop_control: + label: "{{ item.key }}" notify: reload nginx tags: nginx-includes @@ -72,5 +78,7 @@ owner: root group: root state: link - with_dict: "{{ wordpress_sites }}" + loop: "{{ wordpress_sites | dict2items }}" + loop_control: + label: "{{ item.key }}" notify: reload nginx 
diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index eef2b29775..7b1fe2dd55 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -10,7 +10,9 @@ src: self-signed-openssl-config.j2 dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" mode: '0644' - with_dict: "{{ wordpress_sites }}" + loop: "{{ wordpress_sites | dict2items }}" + loop_control: + label: "{{ item.key }}" when: - sites_use_ssl | bool - ssl_enabled | bool @@ -24,7 +26,9 @@ args: chdir: "{{ nginx_ssl_path }}" creates: "{{ item.key }}.*" - with_dict: "{{ wordpress_sites }}" + loop: "{{ wordpress_sites | dict2items }}" + loop_control: + label: "{{ item.key }}" when: - sites_use_ssl | bool - ssl_enabled | bool diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index dab02c6ea8..e7c064b364 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -31,7 +31,7 @@ file: path: "{{ item }}" state: absent - with_items: + loop: - "/tmp/wp-cli-{{ wp_cli_version }}.phar" - "/tmp/wp-cli-{{ wp_cli_version }}.phar.asc" - name: Fail verification @@ -66,4 +66,4 @@ changed_when: - "'Nothing to install or update' not in wp_cli_packages_installed.stdout" - "'Package operations: 0 installs, 0 updates, 0 removals' not in wp_cli_packages_installed.stdout" - with_items: "{{ wp_cli_packages }}" + loop: "{{ wp_cli_packages }}" From d55b18d1dca8a38390938a0600dde6fe9417c0ea Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 5 Aug 2022 23:33:05 -0400 Subject: [PATCH 480/663] debugging --- roles/deploy/hooks/finalize-after.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index a939f5c4da..7b033d9639 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
@@ -8,6 +8,9 @@ changed_when: site_transient_theme_roots.stdout != '' when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool + - debug: + var: wp_template_root.results + - name: Update WP theme paths command: > wp option set {{ item[0].item }} From 0401078926048b5ead1858dcc83918b5ea03ee2f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 5 Aug 2022 23:57:29 -0400 Subject: [PATCH 481/663] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f12d3980e5..c7472c6182 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,8 @@ ### HEAD +* Fix backwards compat for ssl.no-default conf ([#1415](https://github.com/roots/trellis/pull/1415)) +* Simplify Nginx no-default sites for HTTPS ([#1414](https://github.com/roots/trellis/pull/1414)) +* Improve composer authentications password default ([#1412](https://github.com/roots/trellis/pull/1412)) +* Run composer check-platform-reqs during deploy ([#1411](https://github.com/roots/trellis/pull/1411)) * [BREAKING] Disable HSTS `includeSubdomains` by default ([#1409](https://github.com/roots/trellis/pull/1409)) * Fix #905, #831 - Update hb5p Nginx configs ([#1406](https://github.com/roots/trellis/pull/1406)) From b594280475f7a4c6611661949a5ba2756c37773b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 6 Aug 2022 00:14:26 -0400 Subject: [PATCH 482/663] Remove debugging --- roles/deploy/hooks/finalize-after.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 7b033d9639..a939f5c4da 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
@@ -8,9 +8,6 @@ changed_when: site_transient_theme_roots.stdout != '' when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool - - debug: - var: wp_template_root.results - - name: Update WP theme paths command: > wp option set {{ item[0].item }} From 9d630c83f383c35eb661270b9e2895fd5b2fb62e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 8 Aug 2022 14:12:09 -0400 Subject: [PATCH 483/663] Remove custom output callback plugin This custom output plugin had three main functions: 1. make the output for dictionaries cleaner (print key only) 2. display system info on failure for debugging purposes 3. couple other minor cosmetic changes The commit 5d5d1d23cd58a1a4b3bb683b38efb61a15e5e087 already improved all the dict output by explicitly specifying a `label` which should always be used when needed from now on. This removes the need for modifying dict output at this callback level. While the system info can be helpful for troubleshooting, the most important parts of that information can be returned by running Ansibles' verbose mode (`-vv`). There's been many cases in the past of this information being confusing or misleading as well. While this custom output probably provides a small benefit, removing custom code like this makes it easier to maintain Trellis over the long term since Ansible provides less compatibility for these APIs. --- ansible.cfg | 1 - lib/trellis/plugins/callback/output.py | 84 ----------------- lib/trellis/utils/output.py | 123 ------------------------- 3 files changed, 208 deletions(-) delete mode 100644 lib/trellis/plugins/callback/output.py delete mode 100644 lib/trellis/utils/output.py diff --git a/ansible.cfg b/ansible.cfg index e6467d2586..77646819f1 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -1,6 +1,5 @@ [defaults] callback_plugins = ~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback:lib/trellis/plugins/callback -stdout_callback = output filter_plugins = ~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:lib/trellis/plugins/filter force_color = True force_handlers = True diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py deleted file mode 100644 index 61935552a0..0000000000 --- a/lib/trellis/plugins/callback/output.py +++ /dev/null 
@@ -1,84 +0,0 @@ -import os.path -import sys - -DOCUMENTATION = ''' - callback: output - type: stdout - short_description: Custom output for Trellis - extends_documentation_fragment: - - default_callback -''' - -from ansible.plugins.callback.default import CallbackModule as CallbackModule_default - -try: - from trellis.utils import output as output -except ImportError: - ansible_config_path = os.getenv('ANSIBLE_CONFIG') - ansible_path = os.path.dirname(ansible_config_path) if ansible_config_path else os.getcwd() - if sys.path.append(os.path.join(ansible_path, 'lib')) in sys.path: raise - sys.path.append(sys.path.append(os.path.join(ansible_path, 'lib'))) - from trellis.utils import output as output - - -class CallbackModule(CallbackModule_default): - ''' Customizes the default Ansible output ''' - - CALLBACK_VERSION = 2.0 - CALLBACK_TYPE = 'stdout' - CALLBACK_NAME = 'output' - - def __init__(self): - super(CallbackModule, self).__init__() - output.reset_task_info(self) - self.vagrant_version = None - - def v2_runner_on_failed(self, result, ignore_errors=False): - self.task_failed = True - output.display_host(self, result) - super(CallbackModule, self).v2_runner_on_failed(result, ignore_errors) - - def v2_runner_on_ok(self, result): - output.display_host(self, result) - super(CallbackModule, self).v2_runner_on_ok(result) - - def v2_runner_on_skipped(self, result): - output.display_host(self, result) - super(CallbackModule, self).v2_runner_on_skipped(result) - - def v2_runner_on_unreachable(self, result): - self.task_failed = True - output.display_host(self, result) - super(CallbackModule, self).v2_runner_on_unreachable(result) - - def v2_playbook_on_task_start(self, task, is_conditional): - output.reset_task_info(self, task) - super(CallbackModule, self).v2_playbook_on_task_start(task, is_conditional) - - def v2_playbook_on_handler_task_start(self, task): - output.reset_task_info(self, task) - super(CallbackModule, self).v2_playbook_on_handler_task_start(task) - - 
def v2_playbook_on_play_start(self, play): - super(CallbackModule, self).v2_playbook_on_play_start(play) - - # Check for relevant settings or overrides passed via cli --extra-vars - extra_vars = play.get_variable_manager().extra_vars - if 'vagrant_version' in extra_vars: - self.vagrant_version = extra_vars['vagrant_version'] - - def v2_runner_item_on_ok(self, result): - output.display_item(self, result) - output.replace_item_with_key(self, result) - super(CallbackModule, self).v2_runner_item_on_ok(result) - - def v2_runner_item_on_failed(self, result): - self.task_failed = True - output.display_item(self, result) - output.replace_item_with_key(self, result) - super(CallbackModule, self).v2_runner_item_on_failed(result) - - def v2_runner_item_on_skipped(self, result): - output.display_item(self, result) - output.replace_item_with_key(self, result) - super(CallbackModule, self).v2_runner_item_on_skipped(result) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py deleted file mode 100644 index 4ae252df67..0000000000 --- a/lib/trellis/utils/output.py +++ /dev/null 
@@ -1,123 +0,0 @@ -# Make coding more python3-ish -__metaclass__ = type - -import os.path -import platform -import re -import textwrap - -from ansible import __version__ -from ansible.module_utils._text import to_text - -def system(vagrant_version=None): - # Get most recent Trellis CHANGELOG entry - changelog_msg = '' - ansible_config_path = os.getenv('ANSIBLE_CONFIG') - ansible_path = os.path.dirname(ansible_config_path) if ansible_config_path else os.getcwd() - changelog = os.path.join(ansible_path, 'CHANGELOG.md') - - if os.path.isfile(changelog): - with open(changelog) as f: - str = f.read(200) - - # Retrieve release number if it is most recent entry - release = re.search(r'^###\s((?!HEAD).*)', str) - if release is not None: - changelog_msg = '\n Trellis {0}'.format(release.group(1)) - - # Retrieve most recent changelog entry - else: - change = re.search(r'^\*\s?(\[BREAKING\])?([^\(\n\[]+)', str, re.M|re.I) - if change is not None: - changelog_msg = '\n Trellis version (per changelog): "{0}"'.format(change.group(2).strip()) - - # Vagrant info, if available - vagrant = ' Vagrant {0};'.format(vagrant_version) if vagrant_version else '' - - # Assemble components and return - return 'System info:\n Ansible {0};{1} {2}{3}'.format(__version__, vagrant, platform.system(), changelog_msg) - -def reset_task_info(obj, task=None): - obj.action = None if task is None else task._get_parent_attribute('action') - obj.first_host = True - obj.first_item = True - obj.task_failed = False - -# Display dict key only, instead of full json dump -def replace_item_with_key(obj, result): - item = '_ansible_item_label' if '_ansible_item_label' in result._result else 'item' - should_replace = ( - not obj._display.verbosity - and 'label' not in result._task._ds.get('loop_control', {}) - and item in result._result - ) - - if should_replace: - if type(result._result[item]) is dict and 'key' in result._result[item]: - result._result[item] = result._result[item]['key'] - elif 
type(result._result[item]) is dict: - subitem = '_ansible_item_label' if '_ansible_item_label' in result._result[item] else 'item' - if 'key' in result._result[item].get(subitem, {}): - result._result[item] = result._result[item][subitem]['key'] - elif '_ansible_item_label' in result._result[item]: - result._result[item] = result._result[item]['_ansible_item_label'] - -def display(obj, result): - msg = '' - result = result._result - display = obj._display.display - wrap_width = 77 - first = obj.first_host and obj.first_item - - # Only display msg if debug module or if failed (some modules have undesired 'msg' on 'ok') - if 'msg' in result and (obj.task_failed or obj.action == 'debug'): - msg = result.pop('msg', '') - - # Disable Ansible's verbose setting for debug module to avoid the CallbackBase._dump_results() - if '_ansible_verbose_always' in result: - del result['_ansible_verbose_always'] - - # Display additional info when failed - if obj.task_failed: - items = (item for item in ['reason', 'module_stderr', 'module_stdout', 'stderr'] if item in result and to_text(result[item]) != '') - for item in items: - msg = result[item] if msg == '' else '\n'.join([msg, result.pop(item, '')]) - - # Add blank line between this fail message and the json dump Ansible displays next - msg = '\n'.join([msg, '']) - - # Must pass unicode strings to Display.display() to prevent UnicodeError tracebacks - if isinstance(msg, list): - msg = '\n'.join([to_text(x) for x in msg]) - elif not isinstance(msg, str): - msg = to_text(msg) - - # Wrap text - msg = '\n'.join([textwrap.fill(line, wrap_width, replace_whitespace=False) - for line in msg.splitlines()]) - - # Display system info and msg, with horizontal rule between hosts/items - hr = '-' * int(wrap_width*.67) - - if obj.task_failed and first: - display(system(obj.vagrant_version), 'bright gray', screen_only=True) - display(hr, 'bright gray', screen_only=True) - - if msg == '': - if obj.task_failed and not first: - display(hr, 'bright 
gray', screen_only=True) - else: - return - else: - if not first: - display(hr, 'bright gray', screen_only=True) - display(msg, 'red' if obj.task_failed else 'bright purple') - -def display_host(obj, result): - if 'results' not in result._result: - display(obj, result) - obj.first_host = False - -def display_item(obj, result): - display(obj, result) - obj.first_item = False From 19c5abba5010a8975ef4a4b217454bc7253f96a8 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 10 Aug 2022 15:39:16 -0400 Subject: [PATCH 484/663] Update Vagrant required version Now that Vagrant 2.3.0, we can drop the exception for the broken 2.2.19 release. This also removes the platform check and introduces a new `vagrant_require_version` config setting. This makes it easier to override the version constraint in a local config if need be without changing the `Vagrantfile`. --- Vagrantfile | 8 ++------ vagrant.default.yml | 1 + 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index da2eec1f18..7462d822a4 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,12 +16,8 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -if Vagrant::Util::Platform.darwin? - Vagrant.require_version '>= 2.1.0', '< 2.2.19' -else - Vagrant.require_version '>= 2.1.0' -end - +Vagrant.require_version vconfig.fetch('vagrant_require_version', '>= 2.1.0') + Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') config.vm.box_version = vconfig.fetch('vagrant_box_version') diff --git a/vagrant.default.yml b/vagrant.default.yml index b02ed2384f..7382b936df 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -7,6 +7,7 @@ vagrant_box_version: '>= 202012.23.0' vagrant_ansible_version: '2.10.7' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' +vagrant_require_version: '>= 2.1.0' vagrant_install_plugins: true vagrant_plugins: 
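Review bot: `vconfig.fetch('vagrant_require_version', '>= 2.1.0')` can only carry one requirement string, while the removed darwin branch passed two (`'>= 2.1.0', '< 2.2.19'`) and `Vagrant.require_version` accepts a variable number of them; if 2.2.19 is still unusable on macOS, the new default admits it again. Accepting either a scalar or a list keeps both forms possible: `Vagrant.require_version(*Array(vconfig.fetch('vagrant_require_version', '>= 2.1.0')))`. The same default is now duplicated in `vagrant.default.yml`, so the in-Vagrantfile fallback only matters for local configs that omit the key; a comment saying so would help, e.g. `# Fallback for local configs that predate vagrant_require_version in vagrant.default.yml`.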
From 56a66ea8974a48582a4ab19005b3f06373a6264a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 10 Aug 2022 15:59:49 -0400 Subject: [PATCH 485/663] [skip ci] Update changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c7472c6182..b798faea88 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ ### HEAD +* Update Vagrant required version ([#1420](https://github.com/roots/trellis/pull/1420)) +* Remove custom output callback plugin ([#1418](https://github.com/roots/trellis/pull/1418)) +* Migrage `with_X` looping usage to `loop` ([#1416](https://github.com/roots/trellis/pull/1416)) * Fix backwards compat for ssl.no-default conf ([#1415](https://github.com/roots/trellis/pull/1415)) * Simplify Nginx no-default sites for HTTPS ([#1414](https://github.com/roots/trellis/pull/1414)) * Improve composer authentications password default ([#1412](https://github.com/roots/trellis/pull/1412)) From 8b1bc5aa8de87a4b20c1dc7833ad71f09d166da5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 19 Nov 2021 18:21:46 -0500 Subject: [PATCH 486/663] Remove dynamic SSH key host checks --- ansible.cfg | 2 +- lib/trellis/plugins/callback/vars.py | 3 --- roles/connection/defaults/main.yml | 5 ----- roles/connection/tasks/main.yml | 24 ------------------------ 4 files changed, 1 insertion(+), 33 deletions(-) delete mode 100644 roles/connection/defaults/main.yml diff --git a/ansible.cfg b/ansible.cfg index 77646819f1..87df7f1376 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -10,5 +10,5 @@ vars_plugins = ~/.ansible/plugins/vars:/usr/share/ansible/plugins/vars:lib/trell pipelining = True [ssh_connection] -ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s +ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa retries = 1 diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 92f827f9ff..e30b59687c 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -10,7 +10,6 @@ from ansible.template import Templar from ansible.utils.unsafe_proxy import wrap_var from ansible import context -from ansible.plugins.loader import connection_loader class CallbackModule(CallbackBase): @@ -92,7 +91,6 @@ def darwin_without_passlib(self): def v2_playbook_on_play_start(self, play): play_context = PlayContext(play=play) - connection = connection_loader.get('ssh', play_context, os.devnull) env = play.get_variable_manager().get_vars(play=play).get('env', '') env_group = next((group for key,group in iteritems(play.get_variable_manager()._inventory.groups) if key == env), False) @@ -102,7 +100,6 @@ def v2_playbook_on_play_start(self, play): for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): hostvars = play.get_variable_manager().get_vars(play=play, host=host) self.raw_vars(play, host, hostvars) - host.vars['ssh_args_default'] = connection.get_option('ssh_args') host.vars['cli_options'] = self.cli_options() host.vars['cli_ask_pass'] = self._options.get('ask_pass', False) host.vars['cli_ask_become_pass'] = self._options.get('become_ask_pass', False) diff --git a/roles/connection/defaults/main.yml b/roles/connection/defaults/main.yml deleted file mode 100644 index 70219ac2e1..0000000000 --- a/roles/connection/defaults/main.yml +++ /dev/null 
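Review bot: The `-o HostKeyAlgorithms=...` now added to `ssh_args` applies to every connection, whereas the removed `roles/connection` logic only set it for hosts absent from `known_hosts` (the `ansible_host_known` / `ssh_config_host_known` guards). For a host already recorded under a type not in this list (ECDSA, say), the server will be asked for a different key type than the one on record, which in a non-interactive Ansible run is likely to surface as a host-key prompt or mismatch rather than a clean connection; that behaviour change deserves a CHANGELOG mention. The list also pins `ssh-rsa` (SHA-1 signatures) and omits `rsa-sha2-256`/`rsa-sha2-512`, so against a server whose only host key is RSA, clients and servers that disable SHA-1 RSA signatures by default (OpenSSH 8.8+) have no RSA algorithm in common; listing `rsa-sha2-512,rsa-sha2-256` (and their `-cert-v01@openssh.com` forms) ahead of `ssh-rsa` keeps such hosts reachable. A comment above the line recording why the list is pinned would stop a later edit from dropping it silently.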
@@ -1,5 +0,0 @@ -ansible_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ansible_host + ' > /dev/null 2>&1 && echo True || echo False') }}" -ssh_config_host: "{{ lookup('pipe', 'ssh -G ' + ansible_host + ' 2>/dev/null | grep \"^hostname\" ||:') | regex_replace('^hostname ([^\\s]+)', '\\1') }}" -ssh_config_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ssh_config_host + ' > /dev/null 2>&1 && echo True || echo False') }}" -openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.5', '>=') }}" -host_key_algorithms: "{{ openssh_6_5_plus | ternary('ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa', 'ssh-rsa-cert-v01@openssh.com,ssh-rsa') }}" diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 8acdef9606..5bbbf6eee9 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -6,22 +6,11 @@ ansible-playbook server.yml -e env={{ env | default('production') }} -u root --ask-pass when: dynamic_user | default(true) and ansible_user is not defined and cli_ask_pass | default(false) -- name: Specify preferred HostKeyAlgorithms for unknown hosts - set_fact: - ansible_ssh_extra_args: -o HostKeyAlgorithms={{ host_key_algorithms }} - register: preferred_host_key_algorithms - when: - - dynamic_host_key_algorithms | default(true) - - not ansible_ssh_extra_args | default(None) - - not (ansible_host_known or ssh_config_host_known) - - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} command: | ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} {{ cli_options | default('') }} -vvvv delegate_to: localhost - environment: - ANSIBLE_SSH_ARGS: "{{ ssh_args_default }} {{ ansible_ssh_extra_args | default('') }}" failed_when: false changed_when: false check_mode: no 
@@ -61,19 +50,6 @@ debug: msg: | Note: Ansible will attempt connections as user = {{ ansible_user }} - {% if preferred_host_key_algorithms is not skipped %} - - Note: The host `{{ ansible_host }}` was not detected in known_hosts - so Trellis prompted the host to offer a key type that will work with - the stronger key types Trellis configures on the server. This avoids future - connection failures due to changed host keys. Trellis used this SSH option: - - {{ ansible_ssh_extra_args }} - - To prevent Trellis from ever using this SSH option, add this to group_vars: - - dynamic_host_key_algorithms: false - {% endif %} - name: Load become password set_fact: From f18700f3e73ff018685727b2ed2f6dcb98b534be Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Thu, 11 Aug 2022 10:10:14 -0500 Subject: [PATCH 487/663] =?UTF-8?q?=F0=9F=93=9D=20update=20README?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eca8889534..4c4048e077 100644 --- a/README.md +++ b/README.md 
@@ -39,7 +39,7 @@ However, the amount of effort needed to maintain and develop new features and pr <p align="center"><a href="https://github.com/sponsors/roots"><img height="32" src="https://img.shields.io/badge/sponsor%20roots-525ddc?logo=github&logoColor=ffffff&message=" alt="Sponsor Roots"></a></p> <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://www.c21redwood.com/"><img src="https://cdn.roots.io/app/uploads/c21redwood.svg" alt="C21 Redwood Realty" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> </div> ## Overview From e9e7c370410dc3c680d64c5b846a4bab8b00c5f0 Mon Sep 17 00:00:00 2001 From: Craig Pearson <hello@craigpearson.co.uk> Date: Fri, 12 Aug 2022 08:42:29 +0100 Subject: [PATCH 488/663] Disable Landrush DNS Resolver in Parallels --- Vagrantfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Vagrantfile b/Vagrantfile index 7462d822a4..dda9e7273c 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -181,6 +181,11 @@ Vagrant.configure('2') do |config| prl.cpus = vconfig.fetch('vagrant_cpus') prl.memory = vconfig.fetch('vagrant_memory') prl.update_guest_tools = true + + # Parallels handles DNS resolution itself when used in conjunction with landrush + if Vagrant.has_plugin?('landrush') && trellis_config.multisite_subdomains? + config.landrush.guest_redirect_dns = false + end end # Hyper-V settings From 2691745f2d9e1e6534a8a002b9250dc5fdc633bc Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sun, 14 Aug 2022 19:18:39 -0500 Subject: [PATCH 489/663] =?UTF-8?q?=F0=9F=94=A7=20Change=20MariaDB=20PPA?= =?UTF-8?q?=20mirror=20to=20Rackspace=20(#1422)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/mariadb/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index d337299bfb..0434d7bb93 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb http://mariadb.mirror.globo.tech/repo/10.5/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server From 4c2bb35e587aa94dd8562a541b3929ed49f2a2ce Mon Sep 17 00:00:00 2001 From: TangRufus <tangrufus@gmail.com> Date: Tue, 26 Jul 2022 10:43:00 +0100 Subject: [PATCH 490/663] Composer Authentication: Add support for `bearer`, `gitlab-oauth`, `gitlab-token`, `github-oauth` and `bitbucket-oauth` principles --- group_vars/all/helpers.yml | 4 ++ roles/deploy/hooks/build-after.yml | 42 +++++++++++++++---- .../tasks/composer-authentications.yml | 42 +++++++++++++++---- 3 files changed, 74 insertions(+), 14 deletions(-) 
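Review bot: `config.landrush.guest_redirect_dns = false` is set on the outer `config` from inside the Parallels provider block, and as far as I recall Vagrant runs every provider's blocks when it finalizes the configuration, not only the active provider's (the block header with the `|prl, override|` parameters is above the hunk); if that holds here, the setting also lands for VirtualBox users of landrush with multisite subdomains, which the comment does not intend. Applying it through the block's override config scopes it to Parallels: `override.landrush.guest_redirect_dns = false`, with the header changed to `config.vm.provider 'parallels' do |prl, override|` if it does not already take the second parameter. A short addition to the comment stating that this only affects the Parallels provider would make the intent explicit.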
diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 10101a4da7..29d2c29d8a 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -21,3 +21,7 @@ cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}" composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" +# Default `type` is `http-basic`. +composer_authentications_using_basic_auth: "{{ composer_authentications | rejectattr('type', 'defined') | union( composer_authentications | selectattr('type', 'defined') | selectattr('type', 'equalto', 'http-basic') ) }}" +composer_authentications_using_bitbucket_oauth: "{{ composer_authentications | selectattr('type', 'defined') | selectattr('type', 'equalto', 'bitbucket-oauth') }}" +composer_authentications_using_other_token: "{{ composer_authentications | selectattr('type', 'defined') | rejectattr('type', 'equalto', 'http-basic') | rejectattr('type', 'equalto', 'bitbucket-oauth') }}" diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index a38ea3e74e..4822c7549c 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml 
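Review bot: `composer_authentications_using_bitbucket_oauth` and `composer_authentications_using_other_token` end in `selectattr`/`rejectattr`, which return generators, while the neighbouring `sites_use_ssl` line pipes through `| list` before consuming the result; whether a generator survives as a `loop` value depends on the templating mode, so appending `| list` to both (the `union` in the basic-auth variable already yields a list) removes the ambiguity. The `# Default type is http-basic.` comment could also spell out the split the three variables make, e.g. `# Entries without type, or with type http-basic, use username/password; bitbucket-oauth uses consumer_key/consumer_secret; every other type is treated as a single token.`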
@@ -9,20 +9,48 @@ msg: "Unable to find a `composer.json` file in the root of '{{ deploy_helper.new_release_path }}'. Make sure your repo has a `composer.json` file in its root or edit `repo_subtree_path` for '{{ site }}' in `wordpress_sites.yml` so it points to the directory with a `composer.json` file." when: not composer_json.stat.exists -- name: Setup composer authentications +- name: Setup composer authentications (HTTP Basic) composer: command: config - arguments: --auth http-basic.{{ composer_authentication.hostname | quote }} {{ composer_authentication.username | quote }} {{ composer_authentication.password | default("") | quote }} + arguments: --auth http-basic.{{ item.hostname | quote }} {{ item.username | quote }} {{ item.password | default("") | quote }} working_dir: "{{ deploy_helper.new_release_path }}" no_log: true changed_when: false when: - - composer_authentication.hostname is defined and composer_authentication.hostname != "" - - composer_authentication.username is defined and composer_authentication.username != "" - loop: "{{ composer_authentications | default([]) }}" + - item.hostname is defined and item.hostname != "" + - item.username is defined and item.username != "" + loop: "{{ composer_authentications_using_basic_auth }}" loop_control: - loop_var: composer_authentication - label: "{{ composer_authentication.hostname }}" + label: "{{ item.type | default('default-type') }}.{{ item.hostname }}" + +- name: Setup composer authentications (BitBucket OAuth) + composer: + command: config + arguments: --auth bitbucket-oauth.{{ item.hostname | quote }} {{ item.consumer_key | quote }} {{ item.consumer_secret | quote }} + working_dir: "{{ deploy_helper.new_release_path }}" + no_log: true + changed_when: false + when: + - item.hostname is defined and item.hostname != "" + - item.consumer_key is defined and item.consumer_key != "" + - item.consumer_secret is defined and item.consumer_secret != "" + loop: "{{ 
composer_authentications_using_bitbucket_oauth }}" + loop_control: + label: "{{ item.type }}.{{ item.hostname }}" + +- name: Setup composer authentications (Other Tokens) + composer: + command: config + arguments: --auth {{ item.type | quote }}.{{ item.hostname | quote }} {{ item.token | quote }} + working_dir: "{{ deploy_helper.new_release_path }}" + no_log: true + changed_when: false + when: + - item.hostname is defined and item.hostname != "" + - item.token is defined and item.token != "" + loop: "{{ composer_authentications_using_other_token }}" + loop_control: + label: "{{ item.type }}.{{ item.hostname }}" - name: Run composer check composer: diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 8ad265fe24..c37db42714 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml 
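Review bot: The "Other Tokens" task passes any `item.type` that is not `http-basic` or `bitbucket-oauth` straight into `--auth {{ item.type | quote }}.…` with no check against the types the commit supports, and because the task runs with `no_log: true` a typo such as `github_oauth` fails inside composer with its message hidden, leaving only the "output has been hidden" notice to debug from; the same applies to the mirrored tasks in `roles/wordpress-install/tasks/composer-authentications.yml`. An `assert` before the three tasks rejects unsupported types with a message that names the site but echoes no credential. The `loop_control.label` values also template `item.hostname` without a default, although the `when` lists anticipate it being absent; `label: "{{ item.type | default('default-type') }}.{{ item.hostname | default('missing-hostname') }}"` lets a malformed entry be skipped instead of possibly failing on the label.
```yaml
- name: Validate composer authentication types
  assert:
    that:
      - composer_authentications | selectattr('type', 'defined') | map(attribute='type') | difference(['http-basic', 'bearer', 'gitlab-oauth', 'gitlab-token', 'github-oauth', 'bitbucket-oauth']) | list | length == 0
    fail_msg: "Unsupported composer_authentications type for '{{ site }}'; supported types are http-basic, bearer, gitlab-oauth, gitlab-token, github-oauth and bitbucket-oauth."

# … unchanged: Setup composer authentications (HTTP Basic) / (BitBucket OAuth) / (Other Tokens) tasks …
```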
@@ -1,15 +1,43 @@ --- -- name: "Setup composer authentications - {{ site }}" +- name: "Setup composer authentications (HTTP Basic) - {{ site }}" composer: command: config - arguments: --auth http-basic.{{ composer_authentication.hostname | quote }} {{ composer_authentication.username | quote }} {{ composer_authentication.password | default("") | quote }} + arguments: --auth http-basic.{{ item.hostname | quote }} {{ item.username | quote }} {{ item.password | default("") | quote }} working_dir: "{{ working_dir }}" no_log: true changed_when: false when: - - composer_authentication.hostname is defined and composer_authentication.hostname != "" - - composer_authentication.username is defined and composer_authentication.username != "" - loop: "{{ composer_authentications | default([]) }}" + - item.hostname is defined and item.hostname != "" + - item.username is defined and item.username != "" + loop: "{{ composer_authentications_using_basic_auth }}" loop_control: - loop_var: composer_authentication - label: "{{ composer_authentication.hostname }}" + label: "{{ item.type | default('default-type') }}.{{ item.hostname }}" + +- name: "Setup composer authentications (BitBucket OAuth) - {{ site }}" + composer: + command: config + arguments: --auth bitbucket-oauth.{{ item.hostname | quote }} {{ item.consumer_key | quote }} {{ item.consumer_secret | quote }} + working_dir: "{{ working_dir }}" + no_log: true + changed_when: false + when: + - item.hostname is defined and item.hostname != "" + - item.consumer_key is defined and item.consumer_key != "" + - item.consumer_secret is defined and item.consumer_secret != "" + loop: "{{ composer_authentications_using_bitbucket_oauth }}" + loop_control: + label: "{{ item.type }}.{{ item.hostname }}" + +- name: "Setup composer authentications (Other Tokens) - {{ site }}" + composer: + command: config + arguments: --auth {{ item.type | quote }}.{{ item.hostname | quote }} {{ item.token | quote }} + working_dir: "{{ working_dir }}" + no_log: 
true + changed_when: false + when: + - item.hostname is defined and item.hostname != "" + - item.token is defined and item.token != "" + loop: "{{ composer_authentications_using_other_token }}" + loop_control: + label: "{{ item.type }}.{{ item.hostname }}" From a746077c7859706c12af60ed6cf9d29355612cbb Mon Sep 17 00:00:00 2001 From: Pacotole <pacotole@gmail.com> Date: Tue, 13 Sep 2022 16:15:30 +0200 Subject: [PATCH 491/663] Add "text/javascript" to Nginx gzip_types (#1424) --- roles/nginx/templates/nginx.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index a3c6fbc26f..6b60169863 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -186,6 +186,7 @@ http { image/x-icon text/cache-manifest text/css + text/javascript text/plain text/vcard text/vnd.rim.location.xloc From 82a7893e2836c6898a7e73033df291411177d633 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sun, 25 Sep 2022 12:09:02 -0500 Subject: [PATCH 492/663] =?UTF-8?q?=F0=9F=94=A7=20Sage=2010=20deploy:=20Fa?= =?UTF-8?q?il=20if=20entrypoints=20is=20missing=20(#1426)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- deploy-hooks/build-before.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 78003bd92c..06d3980fa7 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml 
@@ -24,6 +24,17 @@ # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" # +# - name: Check for entrypoints +# stat: +# path: "{{ project_local_path }}/web/app/themes/sage/public/entrypoints.json" +# delegate_to: localhost +# register: entrypoints_data + +# - name: Entrypoints missing +# ansible.builtin.fail: +# msg: "The theme is missing the public/entrypoints.json file" +# when: not entrypoints_data.stat.exists +# # - name: Copy production assets # synchronize: # src: "{{ project_local_path }}/web/app/themes/sage/public" From b17bf491c159bf51f71799bf87bf83fcf1470fbf Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 26 Sep 2022 21:24:06 -0400 Subject: [PATCH 493/663] Don't use sudo for composer authentications (#1427) Sets `become: no` to avoid sudo usage which will prevent Composer from aborting due to its default root/superuser protection. --- roles/wordpress-install/tasks/composer-authentications.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 8ad265fe24..be2e3377c8 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -4,6 +4,7 @@ command: config arguments: --auth http-basic.{{ composer_authentication.hostname | quote }} {{ composer_authentication.username | quote }} {{ composer_authentication.password | default("") | quote }} working_dir: "{{ working_dir }}" + become: no no_log: true changed_when: false when: From 54e3844da2920b9f7c445ca4ebbf1e94dfb0e844 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 27 Sep 2022 21:39:05 -0400 Subject: [PATCH 494/663] v1.17.0 --- CHANGELOG.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b798faea88..9b0ec2744f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
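Review bot: `become: no` is the YAML 1.1 boolean spelling, while the surrounding task already uses `no_log: true` and `changed_when: false`; write `become: false` for consistency with the file and with yamllint's truthy rule. The hunk only touches the HTTP Basic task; if the BitBucket OAuth and token variants from the #1413 hunks earlier in this series are applied on top, each of them needs the same `become: false`, or the Composer superuser check the description cites will still abort those tasks. The task definition continues outside the hunk.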
@@ -1,4 +1,10 @@ -### HEAD +### 1.17.0: September 27th, 2022 +* [BREAKING] Disable HSTS `includeSubdomains` by default ([#1409](https://github.com/roots/trellis/pull/1409)) +* Don't use sudo for composer authentications in dev ([#1427](https://github.com/roots/trellis/pull/1427)) +* Sage 10 deploy: Fail if entrypoints are missing ([#1426](https://github.com/roots/trellis/pull/1426)) +* Nginx: add "text/javascript" to gzip_types ([#1424](https://github.com/roots/trellis/pull/1424)) +* Disable Landrush DNS Resolver in Parallels ([#1421](https://github.com/roots/trellis/pull/1421)) +* Remove dynamic SSH key host checks ([#1419](https://github.com/roots/trellis/pull/1419)) * Update Vagrant required version ([#1420](https://github.com/roots/trellis/pull/1420)) * Remove custom output callback plugin ([#1418](https://github.com/roots/trellis/pull/1418)) * Migrage `with_X` looping usage to `loop` ([#1416](https://github.com/roots/trellis/pull/1416)) @@ -6,7 +12,6 @@ * Simplify Nginx no-default sites for HTTPS ([#1414](https://github.com/roots/trellis/pull/1414)) * Improve composer authentications password default ([#1412](https://github.com/roots/trellis/pull/1412)) * Run composer check-platform-reqs during deploy ([#1411](https://github.com/roots/trellis/pull/1411)) -* [BREAKING] Disable HSTS `includeSubdomains` by default ([#1409](https://github.com/roots/trellis/pull/1409)) * Fix #905, #831 - Update hb5p Nginx configs ([#1406](https://github.com/roots/trellis/pull/1406)) ### 1.16.0: July 18th, 2022 From d5bf440cf93ab6b5bb512451bd9116b3d4817114 Mon Sep 17 00:00:00 2001 From: Lucas Demea <lucas@digital-swing.com> Date: Thu, 6 Oct 2022 16:18:10 +0200 Subject: [PATCH 495/663] fix: missing var (#1429) Include php role vars to get the otherwise missing php_xdebug_package vars --- roles/xdebug/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 2b52f58420..7b6248d1c0 100644 
--- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -1,4 +1,7 @@ --- +- name: Include php{{ php_version }} related vars + include_vars: 'roles/php/vars/{{ php_version }}.yml' + - name: Install Xdebug apt: name: "{{ php_xdebug_package }}" From 5fbd429089906b3241f966a790319de8c58dacdb Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 14 Oct 2022 17:01:34 -0400 Subject: [PATCH 496/663] Automate arm64 Vagrant box support (#1431) Adds built-in support to automate host architecture detection and setting of arm64 specific boxes for Apple Silicon. Previously the `vagrant_box` config setting would have to be manually overwritten. Now Vagrant will detect the OS architecture of the host and _append_ `-arm64` (by convention) when three conditions apply: 1. `vagrant_box_auto_arch` is enabled (default: true) 2. `vagrant_box` does not already end up with `-arm64` 3. the OS is running on Apple Silicon --- Vagrantfile | 9 ++++++++- lib/trellis/vagrant.rb | 13 +++++++++++++ vagrant.default.yml | 3 ++- 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index dda9e7273c..db23d31dc8 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -19,7 +19,14 @@ trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) Vagrant.require_version vconfig.fetch('vagrant_require_version', '>= 2.1.0') Vagrant.configure('2') do |config| - config.vm.box = vconfig.fetch('vagrant_box') + box = vconfig.fetch('vagrant_box') + box_auto_arch = vconfig.fetch('vagrant_box_auto_arch', true) + + if box_auto_arch && !box.end_with?("-arm64") && apple_silicon? + box = "#{box}-arm64" + end + + config.vm.box = box config.vm.box_version = vconfig.fetch('vagrant_box_version') config.ssh.forward_agent = true config.vm.post_up_message = post_up_message diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index d34f216009..a25aada739 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb 
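Review bot: The new `include_vars: 'roles/php/vars/{{ php_version }}.yml'` task reaches into the php role by a path relative to the playbook directory, which silently couples the xdebug role to php's internal file layout and gives the reader no hint why it is needed. Add a why-comment above it, e.g. `# php_xdebug_package is defined per PHP version under roles/php/vars; load it here so this role works even when the php role has not run in the same play`. Whether a vars file exists for every supported `php_version` is not visible here; if one is missing, this task fails before `Install Xdebug` is reached.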
@@ -6,6 +6,19 @@ ENV['ANSIBLE_ROLES_PATH'] = File.join(ANSIBLE_PATH, 'vendor', 'roles') ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars:/usr/share/ansible/plugins/vars:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" +def apple_silicon? + return false unless Vagrant::Util::Platform.darwin? + + arch = `uname -m`.chomp + case arch + when "x86_64" + translated = `sysctl -in sysctl.proc_translated`.chomp + translated == "1" + when "arm64" + true + end +end + def ensure_plugins(plugins) logger = Vagrant::UI::Colored.new installed = false diff --git a/vagrant.default.yml b/vagrant.default.yml index 7382b936df..4b6d62517c 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -3,7 +3,8 @@ vagrant_ip: '192.168.56.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' -vagrant_box_version: '>= 202012.23.0' +vagrant_box_version: '>= 0' +vagrant_box_auto_arch: true vagrant_ansible_version: '2.10.7' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From e4764e344deeae0e534447a877c8b847238dc995 Mon Sep 17 00:00:00 2001 From: Craig Pearson <hello@craigpearson.co.uk> Date: Fri, 14 Oct 2022 23:03:57 +0100 Subject: [PATCH 497/663] [Security] Due to the default caching of POST requests personal information can be leaked (#1434) As per: https://www.rfc-editor.org/rfc/rfc7231#section-4.1 --- .../wordpress-setup/templates/wordpress-site.conf.j2 | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index a5cf322d1b..b101678c25 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
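Review bot: `apple_silicon?` returns `nil` rather than `false` on any architecture other than `x86_64` or `arm64` because the `case` has no `else`; the caller in `Vagrantfile` only tests truthiness, so nothing breaks, but a `?` predicate should return a boolean — add `else false` before the `end` of the `case`. A comment above the `x86_64` branch would also help, e.g. `# x86_64 reported under Rosetta: sysctl.proc_translated is 1 when this process is translated`, since the `sysctl -in` semantics are not obvious from the code. Both shell-outs are fixed command strings with no interpolation, so there is no injection surface here.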
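Review bot: `vagrant_box_version: '>= 0'` replaces the previous floor `'>= 202012.23.0'` with no constraint at all, and neither the file nor the description says why; presumably the `-arm64` variant of the box is versioned differently — confirm. Record the reason inline, e.g. `# no version floor: the -arm64 variant of this box is presumably versioned differently — confirm`, and consider keeping a pin for users who want reproducible environments, since an unconstrained version accepts whatever the box registry serves next.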
@@ -36,6 +36,17 @@ server { {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} # Fastcgi cache conditions set $skip_cache 0; + + # Prevent POST data being held in cache + if ($request_method = POST) { + set $skip_cache 1; + } + + # Prevent common API POST like requests being cached + if ($request_method ~ ^(PUT|PATCH|DELETE)$) { + set $skip_cache 1; + } + if ($query_string != "") { set $skip_cache 1; } From d73567e5dad8334158ec2ac2fe9a3e190741a600 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 15 Oct 2022 13:24:07 -0400 Subject: [PATCH 498/663] Skip cache for OPTIONS requests (#1435) --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index b101678c25..36e648e1a4 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -37,13 +37,8 @@ server { # Fastcgi cache conditions set $skip_cache 0; - # Prevent POST data being held in cache - if ($request_method = POST) { - set $skip_cache 1; - } - - # Prevent common API POST like requests being cached - if ($request_method ~ ^(PUT|PATCH|DELETE)$) { + # Skip requests with HTTP methods that should not be cached: DELETE, OPTIONS, PATCH, POST, PUT + if ($request_method !~ ^(GET|HEAD)$) { set $skip_cache 1; } From 11dc0cc753e4fbaa3a31d5c05b761adfb4d05e0a Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 15 Oct 2022 14:06:15 -0400 Subject: [PATCH 499/663] Support ARM64 arch in Mailhog role (#1432) `geerlingguy.mailhog` doesn't support arm64 (Apple Silicon) because the underlying binaries (`mailhog` and `mhsendmail`) don't have official `arm64` builds. To support this by default, we need to override the url variables to point to forks that have these builds. This adds a new "shim loader" `mailhog` role which simply loads the proper vars and then passes them to the included `geerlingguy.mailhog` role. --- galaxy.yml | 3 +-- roles/mailhog/defaults/main.yml | 1 + roles/mailhog/tasks/main.yml | 13 +++++++++++++ roles/mailhog/vars/aarch64.yml | 2 ++ roles/mailhog/vars/default.yml | 2 ++ 5 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 roles/mailhog/defaults/main.yml create mode 100644 roles/mailhog/tasks/main.yml create mode 100644 roles/mailhog/vars/aarch64.yml create mode 100644 roles/mailhog/vars/default.yml diff --git a/galaxy.yml b/galaxy.yml index 0413790b04..5b9d4cc42c 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -16,6 +16,5 @@ roles: src: oefenweb.swapfile version: v2.0.32 - - name: mailhog - src: geerlingguy.mailhog + - src: geerlingguy.mailhog version: 2.3.0 diff --git a/roles/mailhog/defaults/main.yml b/roles/mailhog/defaults/main.yml new file mode 100644 index 0000000000..b9ab8363a3 --- /dev/null +++ b/roles/mailhog/defaults/main.yml @@ -0,0 +1 @@ +mailhog_install_dir: /opt/mailhog diff --git a/roles/mailhog/tasks/main.yml b/roles/mailhog/tasks/main.yml new file mode 100644 index 0000000000..2eedb88f6b --- /dev/null +++ b/roles/mailhog/tasks/main.yml 
@@ -0,0 +1,13 @@ +- ansible.builtin.include_vars: + file: "{{ item }}" + name: mailhog_overrides + with_first_found: + - files: + - "vars/{{ ansible_architecture }}.yml" + - "vars/default.yml" + +- ansible.builtin.include_role: + name: geerlingguy.mailhog + vars: + mailhog_binary_url: "{{ mailhog_overrides.mailhog_binary_url }}" + mhsendmail_binary_url: "{{ mailhog_overrides.mhsendmail_binary_url }}" diff --git a/roles/mailhog/vars/aarch64.yml b/roles/mailhog/vars/aarch64.yml new file mode 100644 index 0000000000..0a2acc290c --- /dev/null +++ b/roles/mailhog/vars/aarch64.yml @@ -0,0 +1,2 @@ +mailhog_binary_url: "https://github.com/evertiro/MailHog/releases/download/v1.0.1-M1/MailHog_linux_arm64" +mhsendmail_binary_url: "https://github.com/evertiro/mhsendmail/releases/download/v0.2.0-M1/mhsendmail_linux_arm64" diff --git a/roles/mailhog/vars/default.yml b/roles/mailhog/vars/default.yml new file mode 100644 index 0000000000..8582b58818 --- /dev/null +++ b/roles/mailhog/vars/default.yml @@ -0,0 +1,2 @@ +mailhog_binary_url: "https://github.com/mailhog/MailHog/releases/download/v{{ mailhog_version }}/MailHog_linux_{{ mailhog_arch }}" +mhsendmail_binary_url: "https://github.com/mailhog/mhsendmail/releases/download/v{{ mhsendmail_version }}/mhsendmail_linux_{{ mailhog_arch }}" From d2b0d12338e95ebb4a4053c6b5cee0ee0aa95276 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 15 Oct 2022 14:48:32 -0400 Subject: [PATCH 500/663] Configure Renovate (#1436) * chore(deps): add renovate.json * Enable ansible-galaxy in renovate config Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Scott Walkinshaw <scott.walkinshaw@gmail.com> --- .github/renovate.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .github/renovate.json diff --git a/.github/renovate.json b/.github/renovate.json new file mode 100644 index 0000000000..b98eceea69 --- /dev/null 
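Review bot: Both tasks in the new `roles/mailhog/tasks/main.yml` are unnamed and the file has no `---` document start, unlike the other task files touched in this series; give them names such as `- name: Load architecture-specific Mailhog binary URLs` and `- name: Install Mailhog via geerlingguy.mailhog`. `with_first_found` also reintroduces the `with_X` loop style that the changelog entry for #1416 in this series says was migrated to `loop`; the `first_found` lookup under `loop` keeps the file consistent. On the supply-chain side, `roles/mailhog/vars/aarch64.yml` points both binaries at release assets of a personal fork (`evertiro/MailHog`, `evertiro/mhsendmail`) and this patch passes no checksum to the included role; if `geerlingguy.mailhog` exposes a checksum variable, pass one for these URLs (the `vars/default.yml` URLs deserve the same), and if it does not, a comment stating that these fork binaries are fetched unverified tells the next reader what is being trusted.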
+++ b/.github/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "ansible-galaxy": { + "enabled": true + } +} From f731daead3db28e78249fb2e3cf3b3efda58a13a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 15 Oct 2022 14:56:12 -0400 Subject: [PATCH 501/663] Update renovate managers --- .github/renovate.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index b98eceea69..9a387b8674 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -1,6 +1,6 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "ansible-galaxy": { - "enabled": true + { + "enabledManagers": ["ansible-galaxy"] } } From eb202fa3058caabf94bd8cb31236ceaa08d60674 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 15 Oct 2022 14:58:04 -0400 Subject: [PATCH 502/663] Fix renovate config --- .github/renovate.json | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index 9a387b8674..f0a7a9ad79 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -1,6 +1,4 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - { - "enabledManagers": ["ansible-galaxy"] - } + "enabledManagers": ["ansible-galaxy"] } From a23771a20185b808b54b07d57b7afb41770fdd70 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 8 Nov 2022 17:45:59 -0500 Subject: [PATCH 503/663] v1.18.0 changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b0ec2744f..5d7193e9e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,9 @@ +### 1.18.0: November 8th, 2022 +* Fix xdebug role by including PHP vars ([#1429](https://github.com/roots/trellis/pull/1429)) +* Automate ARM64 Vagrant box support for Apple Silicon ([#1431](https://github.com/roots/trellis/pull/1431)) +* Support ARM64 arch in Mailhog role ([#1432](https://github.com/roots/trellis/pull/1432)) +* Only allow Nginx caching for GET and HEAD requests ([#1435](https://github.com/roots/trellis/pull/1435)) + ### 1.17.0: September 27th, 2022 * [BREAKING] Disable HSTS `includeSubdomains` by default ([#1409](https://github.com/roots/trellis/pull/1409)) * Don't use sudo for composer authentications in dev ([#1427](https://github.com/roots/trellis/pull/1427)) From 58ee7e3dcafe7bab1c09fe442d754042c1abff88 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 9 Nov 2022 23:22:03 -0500 Subject: [PATCH 504/663] Prevent ansible-core 2.13.6 (#1448) This version has a regression: https://github.com/ansible/ansible/issues/79291 --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index 5955db3396..a28dd4b1d1 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,3 @@ ansible>=2.10.0 +ansible-core<2.13.6 passlib From c91c7793e578df413832a6845e7890daf278a344 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 10 Nov 2022 20:12:28 -0500 Subject: [PATCH 505/663] Close #1442 - Enable PHP opcache in development (#1447) OPcache was previously disabled in development to ensure no stale cached PHP. However, there are still performance benefits to having OPcache enabled with a `revalidate_freq` of `0` which will result in OPcache checking for updates on every request (instead of the default of `60` in production). --- group_vars/development/php.yml | 2 +- roles/php/defaults/main.yml | 2 ++ roles/php/templates/php-fpm.ini.j2 | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index f4b4a726ad..cda1a39022 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -2,7 +2,7 @@ php_error_reporting: 'E_ALL' php_display_errors: 'On' php_display_startup_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' -php_opcache_enable: 0 +php_opcache_revalidate_freq: 0 xdebug_mode: 'debug' xdebug_start_with_request: 'yes' diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index f157c97b98..73a40e58c4 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -24,8 +24,10 @@ php_output_buffering: 'Off' php_opcache_enable: 1 php_opcache_enable_cli: 1 +php_opcache_enable_file_override: 0 php_opcache_fast_shutdown: 1 php_opcache_interned_strings_buffer: 8 php_opcache_max_accelerated_files: 4000 php_opcache_memory_consumption: 128 php_opcache_revalidate_freq: 60 +php_opcache_validate_timestamps: 1 diff --git a/roles/php/templates/php-fpm.ini.j2 b/roles/php/templates/php-fpm.ini.j2 index 8ff098f656..4638a4ee23 100644 --- a/roles/php/templates/php-fpm.ini.j2 +++ b/roles/php/templates/php-fpm.ini.j2 @@ -27,5 +27,7 @@ opcache.enable_cli = {{ php_opcache_enable_cli }} opcache.memory_consumption = {{ php_opcache_memory_consumption }} opcache.interned_strings_buffer = {{ php_opcache_interned_strings_buffer }} opcache.max_accelerated_files = {{ php_opcache_max_accelerated_files }} +opcache.validate_timestamps = {{ php_opcache_validate_timestamps }} +opcache.enable_file_override = {{ php_opcache_enable_file_override }} opcache.revalidate_freq = {{ php_opcache_revalidate_freq }} opcache.fast_shutdown = {{ php_opcache_fast_shutdown }} From b274b01e47e60e3c264965f92b151f9b6362303a Mon Sep 17 00:00:00 2001 
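Review bot: The development override `php_opcache_revalidate_freq: 0` only re-checks files on every request because `php_opcache_validate_timestamps` defaults to `1` in `roles/php/defaults/main.yml`; a comment next to the override, `# 0 = check for changed PHP files on every request (requires php_opcache_validate_timestamps: 1)`, ties the two together so a later change to the default does not silently bring stale code back into development. The two new defaults `php_opcache_enable_file_override` and `php_opcache_validate_timestamps` are likewise uncommented; a one-line note on each saying why it is exposed would match the reasoning given in the description.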
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 26 Nov 2022 23:37:01 -0500 Subject: [PATCH 506/663] Remove deprecated warn usage (#1450) The `warm` option for `command` and `shell` is deprecated and was removed in ansible-core 2.14 For backwards compat it's easiest to remove all usage. --- roles/deploy/hooks/finalize-after.yml | 2 -- roles/wp-cli/tasks/main.yml | 5 ----- 2 files changed, 7 deletions(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index a939f5c4da..c1c54c66e5 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -35,5 +35,3 @@ - name: Reload php-fpm shell: sudo service php{{ php_version }}-fpm reload - args: - warn: false diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index e7c064b364..10d9c16755 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -40,8 +40,6 @@ - name: Install WP-CLI command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }} - args: - warn: false register: wp_cli changed_when: wp_cli.stdout == 'wp-cli-' + wp_cli_version + '.phar' @@ -49,12 +47,9 @@ command: curl -4Ls {{ wp_cli_completion_url }} -o /tmp/wp-completion-{{ wp_cli_version }}.bash args: creates: /tmp/wp-completion-{{ wp_cli_version }}.bash - warn: false - name: Install WP-CLI tab completions command: rsync -c --chmod=0644 --info=name /tmp/wp-completion-{{ wp_cli_version }}.bash {{ wp_cli_completion_path }} - args: - warn: false register: wp_cli_completion changed_when: wp_cli_completion.stdout == 'wp-completion-' + wp_cli_version + '.bash' From 5864220514031f86eacc08d0ed338b474bf27a69 Mon Sep 17 00:00:00 2001 From: Tang Rufus <tangrufus@gmail.com> Date: Mon, 5 Dec 2022 15:25:45 +0000 Subject: [PATCH 507/663] Update `wp_cli_version` to 2.7.1 (#1451) --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index b27b963495..18dacfd053 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.6.0 +wp_cli_version: 2.7.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From 7676f8b92650f81aa6919d2a0ce715dd734d67cc Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 11 Dec 2022 14:11:54 -0500 Subject: [PATCH 508/663] Ensure ubuntu-20.04 is used in GitHub workflows (#1454) `ubuntu-latest` recently changed to Ubuntu 22.04 --- .github/workflows/ci.yml | 2 +- .github/workflows/integration.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 67ab61288b..195235b469 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ on: jobs: test: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 strategy: matrix: python-version: ['3.x'] diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 757f406e96..dc7dede353 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -11,7 +11,7 @@ on: jobs: test: - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 steps: - run: mkdir $HOME/.ssh - name: Remove and cleanup mysql From 514b7943cd199d08622b2ded63f3e5a1f3a21414 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 11 Dec 2022 14:21:53 -0500 Subject: [PATCH 509/663] Disable chown site directory task by default (#1452) Vagrant creates synced folders with the `web_user`/`web_group` (`vagrant`/`www-data`) already via the `Vagrantfile`. This task can be slow, and since it's redundant, it's being disabled by default. In case this task is needed, the `chown_site_directory` variable can be set to true in `group_vars/development/main.yml` --- roles/wordpress-install/tasks/directories.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 7b3c0c44bd..ab53524b1d 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml @@ -31,3 +31,4 @@ loop: "{{ wordpress_sites | dict2items }}" loop_control: label: "{{ item.key }}" + when: chown_site_directory | default(false) From 0927fa6f1807b54d0a084f4e970783795f88d535 Mon Sep 17 00:00:00 2001 From: Henning Orth <mail@e-vance.net> Date: Thu, 15 Dec 2022 03:27:09 +0100 Subject: [PATCH 510/663] Update galaxy.yml (#1455) Bump swapfile to `v2.0.36` which fixes the deprecated `warn` option for `command` and `shell`(removed in ansible-core 2.14). --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 5b9d4cc42c..22cd87291a 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -14,7 +14,7 @@ roles: - name: swapfile src: oefenweb.swapfile - version: v2.0.32 + version: v2.0.36 - src: geerlingguy.mailhog version: 2.3.0 From 0acbde2ea43f4107a2e4d4c1fc29eec8fa92825f Mon Sep 17 00:00:00 2001 From: Tim Pfeifer <timpfeifer@mailbox.org> Date: Thu, 15 Dec 2022 03:27:19 +0100 Subject: [PATCH 511/663] Allow remote and local database (#1456) (#1457) Co-authored-by: Tim Pfeifer <tim.pfeifer@mailbox.org> --- roles/mariadb/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
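Review bot: `when: chown_site_directory | default(false)` buries the switch's default in a filter on the task, where nothing documents it; define `chown_site_directory: false` with a comment in the role's defaults (or `group_vars/development/main.yml`, which the description names as the place to enable it), e.g. `# Vagrant already creates synced folders as web_user/web_group; set true only if the chown task is needed`. The task this condition belongs to starts outside the hunk.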
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 08a0d2a611..1b2028a308 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -72,4 +72,4 @@ state: absent no_log: true - when: not sites_using_remote_db | count + when: (wordpress_sites.items() | count) > (sites_using_remote_db | count) From 8038b1ad0c0c252285df9f5fc8b462ea1c417c3a Mon Sep 17 00:00:00 2001 From: Henning Orth <mail@e-vance.net> Date: Thu, 15 Dec 2022 20:31:04 +0100 Subject: [PATCH 512/663] Tweak multisite cron job to fix standard output (#1458) --- roles/wordpress-setup/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 685a6b184e..dcdf09df96 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -62,7 +62,7 @@ name: "{{ item.key }} WordPress network cron" minute: "{{ item.value.cron_interval_multisite | default('*/30') }}" user: "{{ web_user }}" - job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" + job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && (wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now) > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" state: "{{ (cron_enabled and item.value.multisite.enabled) | ternary('present', 'absent') }}" loop: "{{ wordpress_sites | dict2items }}" From b983f7ef959357eb6b07c9efd133bc258201772c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 17 Dec 2022 15:40:36 -0500 Subject: [PATCH 513/663] Fix sshd config - set AcceptEnv conditionally (#1453) --- roles/sshd/templates/sshd_config.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
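Review bot: `wordpress_sites.items() | count` calls a Python dict method from Jinja, which the other task files in this series avoid (they use `wordpress_sites | dict2items`); `wordpress_sites | count` yields the same number of sites, so `when: (wordpress_sites | count) > (sites_using_remote_db | count)`. The comparison assumes `sites_using_remote_db` holds only keys of `wordpress_sites`, which is plausible from its name but not visible here; a comment such as `# run only when at least one site uses the local database` states what the condition is for. The task the `when:` belongs to starts outside the hunk.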
diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index a1b961d7d4..47af53e470 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -13,7 +13,9 @@ ListenAddress {{ address }} Protocol {{ sshd_protocol }} -AcceptEnv {{ sshd_accept_env | join(' ') }} +{% if sshd_accept_env | count %} + AcceptEnv {{ sshd_accept_env | join(' ') }} +{% endif -%} AllowAgentForwarding {{ sshd_allow_agent_forwarding | ternary('yes', 'no') }} AllowTcpForwarding {{ sshd_allow_tcp_forwarding is string | ternary(sshd_allow_tcp_forwarding, sshd_allow_tcp_forwarding | ternary('yes', 'no')) }} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} From 1789d2e4faa27724fe72f1157078d0ceec3e4425 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 17 Dec 2022 15:45:45 -0500 Subject: [PATCH 514/663] Update changelog --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d7193e9e6..6c161af4ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
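Review bot: The conditional `AcceptEnv` line is indented two spaces inside the `{% if %}` block while every other directive in this template (`Protocol`, `AllowAgentForwarding`, …) starts at column 0; sshd tolerates leading whitespace, but the rendered config reads as if the directive were nested. Write the block as `{% if sshd_accept_env | count %}` / `AcceptEnv {{ sshd_accept_env | join(' ') }}` / `{% endif -%}` with no indent. The `-%}` on the `endif` strips only the newline after it, so with a non-empty list the render should contain a blank line where the `{% if %}` tag was and with an empty list `AllowAgentForwarding` should follow `Protocol` directly — both harmless, but worth checking once in the rendered file.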
@@ -1,3 +1,15 @@ +### HEAD +* Prevent ansible-core 2.13.6 [#1448](https://github.com/roots/trellis/pull/1448) +* Enable PHP opcache in development [#1447](https://github.com/roots/trellis/pull/1447) +* Remove deprecated warn usage [#1450](https://github.com/roots/trellis/pull/1450) +* Composer Authentication: Add support for `bearer`, `gitlab-oauth`, `gitlab-token`, `github-oauth` and `bitbucket-oauth` principles [#1413](https://github.com/roots/trellis/pull/1413) +* Update `wp_cli_version` to 2.7.1 [#1451](https://github.com/roots/trellis/pull/1451) +* Disable chown site directory task by default [#1452](https://github.com/roots/trellis/pull/1452) +* Update oefenweb.swapfile role [#1455](https://github.com/roots/trellis/pull/1455) +* Allow remote and local databases for a site [#1457](https://github.com/roots/trellis/pull/1457) +* Fix standard output for multisite cron job [#1458](https://github.com/roots/trellis/pull/1458) +* Fix sshd config - set AcceptEnv conditionally [#1453](https://github.com/roots/trellis/pull/1453) + ### 1.18.0: November 8th, 2022 * Fix xdebug role by including PHP vars ([#1429](https://github.com/roots/trellis/pull/1429)) * Automate ARM64 Vagrant box support for Apple Silicon ([#1431](https://github.com/roots/trellis/pull/1431)) From dbee152b2608c12225b011340bafbbb834f7fce3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 17 Dec 2022 16:08:59 -0500 Subject: [PATCH 515/663] Remove ansible-core version constraint (#1459) Bugs/regressions in 2.13.6 have been fixed --- requirements.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index a28dd4b1d1..5955db3396 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,2 @@ ansible>=2.10.0 -ansible-core<2.13.6 passlib From ddb322eaed2f801e2c3794a4fa9a406590fd33aa Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 17 Dec 2022 16:35:04 -0500 Subject: [PATCH 516/663] Update to MariaDB 10.6 (#1460) --- roles/mariadb/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 0434d7bb93..b2c4de073e 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb https://mirror.rackspace.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb https://mirror.rackspace.com/mariadb/repo/10.6/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server From dbc203747894f917d55c2a64d54e2a4d5d2ca468 Mon Sep 17 00:00:00 2001 From: Clinton Blackburn <clinton.blackburn@gmail.com> Date: Sun, 18 Dec 2022 10:54:21 -0800 Subject: [PATCH 517/663] Set SendEnv conditionally (#1463) Empty values break Git+SSH. If `ssh_send_env` is empty, `SendEnv` should not be set in SSH config. This is especially needed for Ubuntu 22.04 (#1392) --- roles/sshd/templates/ssh_config.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/sshd/templates/ssh_config.j2 b/roles/sshd/templates/ssh_config.j2 index a21eee8c8f..488b188e96 100644 --- a/roles/sshd/templates/ssh_config.j2 +++ b/roles/sshd/templates/ssh_config.j2 
@@ -17,7 +17,9 @@ Host * KexAlgorithms {{ (ssh_kex_algorithms_default | default(sshd_kex_algorithms_default) + ssh_kex_algorithms_extra | default(sshd_kex_algorithms_extra)) | join(',') }} MACs {{ (ssh_macs_default | default(sshd_macs_default) + ssh_macs_extra | default(sshd_macs_extra)) | join(',') }} PasswordAuthentication {{ ssh_password_authentication | default(sshd_password_authentication) | ternary('yes', 'no') }} - SendEnv {{ ssh_send_env | join(' ') }} + {% if ssh_send_env | count %} + SendEnv {{ ssh_send_env | join(' ') }} + {% endif -%} StrictHostKeyChecking {{ ssh_strict_host_key_checking }} UseRoaming {{ ssh_use_roaming | ternary('yes','no') }} {% endblock %} From 3ea20a339f64684dbd3e2a5d5b90951073745e10 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Mon, 2 Jan 2023 10:55:59 -0600 Subject: [PATCH 518/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20CHANGELOG?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c161af4ed..d5b29a51a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ -### HEAD +### 1.19.0: January 2nd, 2023 +* Composer Authentication: Add support for `bearer`, `gitlab-oauth`, `gitlab-token`, `github-oauth` and `bitbucket-oauth` principles [#1413](https://github.com/roots/trellis/pull/1413) * Prevent ansible-core 2.13.6 [#1448](https://github.com/roots/trellis/pull/1448) * Enable PHP opcache in development [#1447](https://github.com/roots/trellis/pull/1447) * Remove deprecated warn usage [#1450](https://github.com/roots/trellis/pull/1450) From c8e850e9601390edf253db0c1e61dff345be95cb Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 2 Jan 2023 15:25:47 -0500 Subject: [PATCH 519/663] Update workflow dependencies (#1465) --- .github/workflows/ci.yml | 4 ++-- .github/workflows/integration.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 195235b469..00f8b97870 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,8 +16,8 @@ jobs: matrix: python-version: ['3.x'] steps: - - uses: actions/checkout@v2 - - uses: actions/setup-python@v2 + - uses: actions/checkout@v3 + - uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} architecture: x64 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index dc7dede353..2e2cfc3dbc 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -25,10 +25,10 @@ jobs: sudo apt-get remove --purge nginx* sudo apt-get autoremove sudo apt-get autoclean - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: fetch-depth: 0 - - uses: actions/setup-python@v2 + - uses: actions/setup-python@v4 with: python-version: '3.9' - uses: ./.github/actions/setup-step-ca From 676e9b6a9d396385a567b852153afca614b2fba5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 2 Jan 2023 16:00:30 -0500 Subject: [PATCH 520/663] Set development web_user to ansible_user (#1464) This removes another place where `vagrant` is harcoded while still ensuring its set to that value according to `dev.yml`'s `remote_user` setting. --- group_vars/development/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml index 1a3d9f3bd2..05c01e25b7 100644 --- a/group_vars/development/main.yml +++ b/group_vars/development/main.yml 
@@ -1,4 +1,4 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" env: development mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml -web_user: vagrant +web_user: "{{ ansible_user }}" From 5e47bd94d82ded8ccc579dc15f836cf4501011c8 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Tue, 10 Jan 2023 14:47:21 -0600 Subject: [PATCH 521/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4c4048e077..ca9599f7da 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ </a> <a href="https://github.com/roots/trellis/actions"> - <img alt="Build Status" src="https://img.shields.io/github/workflow/status/roots/trellis/ci?style=flat-square" /> + <img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/roots/trellis/ci.yml?branch=master&style=flat-square" /> </a> <a href="https://twitter.com/rootswp"> 
@@ -39,7 +39,7 @@ However, the amount of effort needed to maintain and develop new features and pr <p align="center"><a href="https://github.com/sponsors/roots"><img height="32" src="https://img.shields.io/badge/sponsor%20roots-525ddc?logo=github&logoColor=ffffff&message=" alt="Sponsor Roots"></a></p> <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="148" height="111"></a> </div> ## Overview From bdcbc631fd58590268df128159a3c627329f04c9 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 26 Jan 2023 19:27:49 -0500 Subject: [PATCH 522/663] Add repo-token to setup-trellis-cli step in CI --- .github/workflows/integration.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 2e2cfc3dbc..7a976f6e13 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -37,6 +37,7 @@ jobs: ansible-vault-password: 'fake' auto-init: false galaxy-install: false + repo-token: ${{ secrets.GITHUB_TOKEN }} trellis-directory: '.' - name: Create new Trellis project run: trellis new --name example.com --host www.example.com --trellis-version ${{ github.sha }} ./example.com From 445572b6cd887aefc0c9a46ba8f29ebd67df67af Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 28 Jan 2023 14:49:04 -0500 Subject: [PATCH 523/663] Update boxes to Ubuntu 22.04 (#1461) --- .github/workflows/ci.yml | 2 +- .github/workflows/integration.yml | 2 +- README.md | 4 ++-- vagrant.default.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 00f8b97870..f2cf0b2e27 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ on: jobs: test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 strategy: matrix: python-version: ['3.x'] diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 7a976f6e13..45e3434b14 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -11,7 +11,7 @@ on: jobs: test: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - run: mkdir $HOME/.ssh - name: Remove and cleanup mysql diff --git a/README.md b/README.md index ca9599f7da..ed24357fe8 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. Trellis will configure a server with the following and more: -- Ubuntu 20.04 Focal LTS +- Ubuntu 22.04 Jammy LTS - Nginx (with optional FastCGI micro-caching) - PHP 8.0 - MariaDB (a drop-in MySQL replacement) 
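Review bot: `repo-token: ${{ secrets.GITHUB_TOKEN }}` hands the workflow token to a third-party action whose `uses:` line sits outside the hunk, so the token's effective rights are whatever the workflow's `permissions:` block grants (or the repository default when it is absent), and that block is not visible here. If the token is only needed to avoid API rate limits while the action fetches a release, a top-level `permissions: contents: read` keeps it least-privilege, and a comment above the line, `# Token is only used for GitHub API rate limits during the release download`, records why it is passed at all. Pinning the action to a commit SHA rather than a mutable tag is the usual companion to granting it a token.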
@@ -96,7 +96,7 @@ $ trellis up ## Remote server setup (staging/production) -A base Ubuntu 18.04 (Bionic) or Ubuntu 20.04 (Focal LTS) server is required for setting up remote servers. +A base Ubuntu 22.04 server (18.04 and 20.04 also supported) is required for setting up remote servers. 1. Configure your WordPress sites in `group_vars/<environment>/wordpress_sites.yml` and in `group_vars/<environment>/vault.yml` (see the [Vault docs](https://docs.roots.io/trellis/master/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/<environment>` diff --git a/vagrant.default.yml b/vagrant.default.yml index 4b6d62517c..1f83085ad4 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -2,7 +2,7 @@ vagrant_ip: '192.168.56.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB -vagrant_box: 'bento/ubuntu-20.04' +vagrant_box: 'bento/ubuntu-22.04' vagrant_box_version: '>= 0' vagrant_box_auto_arch: true vagrant_ansible_version: '2.10.7' From 47d4a7465a9f45a996b5f94cf71b427cd3a35109 Mon Sep 17 00:00:00 2001 From: Tang Rufus <tangrufus@gmail.com> Date: Fri, 3 Feb 2023 18:29:54 +0000 Subject: [PATCH 524/663] Composer Authentications: Fix `loop_var` already in use issue (#1469) https://discourse.roots.io/t/composer-issue-with-http-auth/24696/5 Co-authored-by: dalepgrant <dale@codeand.com.au> --- roles/wordpress-install/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index aa1037d8a0..01199812e1 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml 
@@ -18,12 +18,13 @@ - include_tasks: tasks/composer-authentications.yml vars: - site: "{{ item.key }}" - working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" + site: "{{ site.key }}" + working_dir: "{{ www_root }}/{{ site.key }}/{{ site.value.current_path | default('current') }}/" no_log: true loop: "{{ wordpress_sites | dict2items }}" loop_control: - label: "{{ item.key }}" + loop_var: site + label: "{{ site.key }}" - name: Install Dependencies with Composer composer: From 3aae194a40ceb7286b454868a6a40fdaed808078 Mon Sep 17 00:00:00 2001 From: Lucas Demea <lucas@digital-swing.com> Date: Tue, 7 Feb 2023 15:09:24 +0100 Subject: [PATCH 525/663] Install wp as the default user (#1470) --- roles/wordpress-install/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 01199812e1..5e3ca096e3 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -50,6 +50,7 @@ --admin_user="{{ item.value.admin_user | default('admin') }}" --admin_password="{{ vault_wordpress_sites[item.key].admin_password }}" --admin_email="{{ item.value.admin_email }}" + become: no args: chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" register: wp_install From 756319fc31244535ed8e30d433256698dec32e4c Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Fri, 10 Feb 2023 10:16:23 -0600 Subject: [PATCH 526/663] =?UTF-8?q?=F0=9F=94=A7=20Allow=20non-default=20up?= =?UTF-8?q?load=5Fpath=20(#1471)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 36e648e1a4..d17f999c6a 100644 
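Review bot: `loop_var: site` together with `vars: site: "{{ site.key }}"` gives the loop variable and a task var the same name, so the vars entry reads as a self-referencing definition; it evidently resolves by variable precedence in the tested Ansible version (the linked thread), but a reader will take it for a recursion bug. Renaming the loop variable to `site_item` and referencing it in the two `vars:` lines and the `label:` removes the ambiguity without changing what the included file receives as `site`. `no_log: true` is rightly kept, since the included tasks handle Composer credentials.
```yaml
- include_tasks: tasks/composer-authentications.yml
  vars:
    site: "{{ site_item.key }}"
    working_dir: "{{ www_root }}/{{ site_item.key }}/{{ site_item.value.current_path | default('current') }}/"
  # … unchanged: no_log, loop …
  loop_control:
    loop_var: site_item
    label: "{{ site_item.key }}"
```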
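Review bot: The `wp core install` command passes `--admin_password="{{ vault_wordpress_sites[item.key].admin_password }}"` on the command line, and the task head that would carry `no_log: true` is outside the hunk; if it is absent, the vault password appears in play output and in the `register: wp_install` result on failure. Adding `no_log: true` beside the new `become: no` closes that, and a comment on the new line, `# Run as the connecting user, presumably so files wp creates are not root-owned — confirm`, records what `become: no` is for, since the commit title says it but the file does not. The password is also briefly visible in the host's process listing while the command runs; that is inherent to wp-cli's flag interface and worth a one-line note rather than a change.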
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -122,7 +122,7 @@ server { {% block location_uploads_php -%} # Prevent PHP scripts from being executed inside the uploads folder. - location ~* /app/uploads/.*\.php$ { + location ~* /{{ item.value.upload_path | default('app/uploads') }}/.*\.php$ { deny all; } {% endblock %} From c1ea8a509bc36bc50df10e3efc6aecf4c06afdc6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 10 Feb 2023 18:31:26 -0500 Subject: [PATCH 527/663] Vagrant: disable NFS udp by default (#1472) Ubuntu 22.04 no longer supports UDP for NFS. UDP might offer better performance on 20.04 and older boxes so it can be re-enabled manually. And while there's no plans to switch to NFS v4, it doesn't support UDP either. --- Vagrantfile | 5 +++-- vagrant.default.yml | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index db23d31dc8..cdf70938d1 100644 --- a/Vagrantfile +++ b/Vagrantfile 
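Review bot: `item.value.upload_path` is interpolated into a regex `location` unescaped and unnormalised, so a value written with a leading slash (`/app/uploads`) yields `//app/uploads/` and the deny rule silently stops matching, while regex metacharacters in the path change what is denied. `location ~* /{{ item.value.upload_path | default('app/uploads') | regex_replace('^/+|/+$', '') | regex_escape }}/.*\.php$ {` keeps the rule effective for either spelling. A comment stating that `upload_path` is relative to the site root would also help; the same variable is presumably consumed elsewhere in the template, but those lines are outside the hunk.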
@@ -93,17 +93,18 @@ Vagrant.configure('2') do |config| fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" else trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' + config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs', nfs_udp: vconfig.fetch('vagrant_nfs_udp') config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' end - config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' + config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs', nfs_udp: vconfig.fetch('vagrant_nfs_udp') config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' end vconfig.fetch('vagrant_synced_folders', []).each do |folder| options = { type: folder.fetch('type', 'nfs'), + nfs_udp: folder.fetch('nfs_udp', false), create: folder.fetch('create', false), mount_options: folder.fetch('mount_options', []) } diff --git a/vagrant.default.yml b/vagrant.default.yml index 1f83085ad4..0adc557981 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -8,6 +8,7 @@ vagrant_box_auto_arch: true vagrant_ansible_version: '2.10.7' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' +vagrant_nfs_udp: false vagrant_require_version: '>= 2.1.0' vagrant_install_plugins: true @@ -20,6 +21,7 @@ vagrant_plugins: # destination: /path/on/vm # create: false # type: nfs +# nfs_udp: false # bindfs: true # mount_options: [] # bindfs_options: {} From 48405a1ea37c7cd44eef64b6b5e244fcafcbe76d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 11 Feb 2023 15:47:01 -0500 Subject: [PATCH 528/663] Run SSH key generate task for local provision only (#1473) --- Vagrantfile | 4 ++++ roles/common/tasks/main.yml | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) 
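Review bot: The two NFS mounts use `vconfig.fetch('vagrant_nfs_udp')` with no default while the per-folder option uses `folder.fetch('nfs_udp', false)`; if a user's merged config ever lacks the key (for example a local override that replaces rather than overlays `vagrant.default.yml`, which cannot be seen here), the first form raises `KeyError` at `vagrant up`. `vconfig.fetch('vagrant_nfs_udp', false)` on both lines makes the three call sites consistent and fails closed to TCP. The per-folder `nfs_udp:` is also passed for non-NFS `type:` values; Vagrant appears to ignore it there, but a comment saying it is only honoured for `type: 'nfs'` would save a reader the check.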
diff --git a/Vagrantfile b/Vagrantfile index cdf70938d1..ea5178a36a 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -151,6 +151,10 @@ Vagrant.configure('2') do |config| ansible.extra_vars.merge!(extra_vars) end + if local_provisioning? + ansible.extra_vars.merge!('vagrant_local_provisioning' => true) + end + if !Vagrant::Util::Platform.windows? config.trigger.after :up do |trigger| # Add Vagrant ssh-config to ~/.ssh/config diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 0d24d606e4..5c0f4e8aa6 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -170,11 +170,11 @@ regexp: ^(hosts\:((?!myhostname).)*)$ state: present -- name: Generate SSH key for vagrant user +- name: Generate SSH key for vagrant user for ansible_local provisioning user: - name: vagrant + name: "{{ ansible_user }}" generate_ssh_key: yes - when: env == 'development' + when: vagrant_local_provisioning | default(false) - block: - name: Retrieve SSH client IP From d4f46d223e1b57b11b2887bc50db2bb04361b882 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sun, 12 Feb 2023 13:04:50 -0600 Subject: [PATCH 529/663] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Disable=20xmlrp?= =?UTF-8?q?c=20by=20default=20(#1467)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- group_vars/development/wordpress_sites.yml | 2 ++ group_vars/production/wordpress_sites.yml | 2 ++ group_vars/staging/wordpress_sites.yml | 2 ++ roles/wordpress-setup/templates/wordpress-site.conf.j2 | 8 ++++++++ 4 files changed, 14 insertions(+) diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml index 90009265e2..4a9f1d6f3b 100644 --- a/group_vars/development/wordpress_sites.yml +++ b/group_vars/development/wordpress_sites.yml @@ -17,3 +17,5 @@ wordpress_sites: provider: self-signed cache: enabled: false + xmlrpc: + enabled: false 
diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml index e8a875d1ca..fc94943c51 100644 --- a/group_vars/production/wordpress_sites.yml +++ b/group_vars/production/wordpress_sites.yml @@ -19,3 +19,5 @@ wordpress_sites: provider: letsencrypt cache: enabled: false + xmlrpc: + enabled: false diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml index 054770ea7a..bf588be06b 100644 --- a/group_vars/staging/wordpress_sites.yml +++ b/group_vars/staging/wordpress_sites.yml @@ -19,3 +19,5 @@ wordpress_sites: provider: letsencrypt cache: enabled: false + xmlrpc: + enabled: false diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index d17f999c6a..b26085cbc3 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -174,6 +174,14 @@ server { } {% endblock %} + {% block disable_xmlrpc -%} + {% if item.value.xmlrpc.enabled is defined and item.value.xmlrpc.enabled == false %} + location ~* xmlrpc\.php$ { + return 444; + } + {% endif %} + {% endblock %} + {% block h5bp -%} {% if h5bp_cache_file_descriptors_enabled -%} include h5bp/directive-only/cache-file-descriptors.conf; From c9fa84141c6bca35515bdeddaa71b64e1a04bce5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 12 Feb 2023 14:08:47 -0500 Subject: [PATCH 530/663] Update CHANGELOG --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5b29a51a7..ba3f002644 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
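Review bot: Regex `location` blocks are evaluated in file order and the first match wins, so the new `location ~* xmlrpc\.php$` only takes effect if it precedes the generic PHP handler (`\.php$` or similar); that handler is outside the hunk, so its position relative to this block should be confirmed, otherwise `return 444` never fires and xmlrpc.php stays reachable. The guard `item.value.xmlrpc.enabled is defined and item.value.xmlrpc.enabled == false` means a site without the key keeps XML-RPC enabled, which is narrower than the commit title's "by default"; a comment above the block, `{# XML-RPC stays reachable unless a site sets xmlrpc.enabled: false explicitly #}`, makes that explicit. Stylistically `and not item.value.xmlrpc.enabled` reads better than `== false`, and the uploads block uses `deny all` for the same intent, so the choice of 444 here deserves a word.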
@@ -1,3 +1,15 @@ +### 1.20.0: February 12th, 2023 +* Set development web_user to ansible_user [#1464](https://github.com/roots/trellis/pull/1464) +* Update boxes to Ubuntu 22.04 [#1461](https://github.com/roots/trellis/pull/1461) +* Composer Authentications: Fix `loop_var` already in use issue [#1469](https://github.com/roots/trellis/pull/1469) +* Install wp as the default user [#1470](https://github.com/roots/trellis/pull/1470) +* Allow non-default upload_path [#1471](https://github.com/roots/trellis/pull/1471) +* Vagrant: disable NFS udp by default [#1472](https://github.com/roots/trellis/pull/1472) +* Run SSH key generate task for local provision only [#1473](https://github.com/roots/trellis/pull/1473) +* Disable xmlrpc by default [#1467](https://github.com/roots/trellis/pull/1467) + +**Full Changelog**: https://github.com/roots/trellis/compare/v1.19.0...v1.20.0 + ### 1.19.0: January 2nd, 2023 * Composer Authentication: Add support for `bearer`, `gitlab-oauth`, `gitlab-token`, `github-oauth` and `bitbucket-oauth` principles [#1413](https://github.com/roots/trellis/pull/1413) * Prevent ansible-core 2.13.6 [#1448](https://github.com/roots/trellis/pull/1448) From b6bf716e2f7a44215c2364866ab52d0f5e81b86f Mon Sep 17 00:00:00 2001 From: Lucas Demea <lucas@digital-swing.com> Date: Wed, 22 Feb 2023 20:00:10 +0100 Subject: [PATCH 531/663] fix: trim strict-transport-security header (#1478) --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index b26085cbc3..b436c857d4 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
@@ -84,7 +84,7 @@ server { ssl_buffer_size 1400; # 1400 bytes to fit in one MTU {% if item.value.ssl.provider | default('manual') != 'self-signed' -%} - add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}"; + add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') | trim }}"; {% endif -%} {% if item.value.ssl.client_cert_url is defined -%} From a1144106965019398048b7b008d73d3794b5c3f6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 22 Feb 2023 19:09:39 -0500 Subject: [PATCH 532/663] Replace MailHog with Mailpit (#1474) --- dev.yml | 2 +- galaxy.yml | 5 +++-- group_vars/development/mail.yml | 2 +- roles/mailhog/defaults/main.yml | 1 - roles/mailhog/tasks/main.yml | 13 ------------- roles/mailhog/vars/aarch64.yml | 2 -- roles/mailhog/vars/default.yml | 2 -- 7 files changed, 5 insertions(+), 22 deletions(-) delete mode 100644 roles/mailhog/defaults/main.yml delete mode 100644 roles/mailhog/tasks/main.yml delete mode 100644 roles/mailhog/vars/aarch64.yml delete mode 100644 roles/mailhog/vars/default.yml diff --git a/dev.yml b/dev.yml index 2ef8d4eaac..8625caa3fe 100644 --- a/dev.yml +++ b/dev.yml @@ -11,7 +11,7 @@ - { role: ntp, tags: [ntp] } - { role: sshd, tags: [sshd] } - { role: mariadb, tags: [mariadb] } - - { role: mailhog, tags: [mailhog, mail] } + - { role: mailpit, tags: [mailpit, mailhog, mail] } - { role: php, tags: [php] } - { role: xdebug, tags: [php, xdebug] } - { role: memcached, tags: [memcached] } diff --git a/galaxy.yml b/galaxy.yml index 22cd87291a..bc15459979 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -16,5 +16,6 @@ roles: src: oefenweb.swapfile version: v2.0.36 - - src: geerlingguy.mailhog - version: 2.3.0 + - name: mailpit + src: roots.mailpit + version: v1.0.0 
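Review bot: `| trim` strips the trailing whitespace but not the `;` before it, so when one of `hsts_include_subdomains` / `hsts_preload` is an empty string rather than `none` the header is still emitted as `max-age=N;`; browsers tolerate an empty directive, but dropping the element is cleaner: `reject('none') | reject('eq', '') | join('; ')`. Which form the role defaults actually use is not visible in this hunk, so this depends on that.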
diff --git a/group_vars/development/mail.yml b/group_vars/development/mail.yml index f6d4f663d5..acdcc7880b 100644 --- a/group_vars/development/mail.yml +++ b/group_vars/development/mail.yml @@ -1,2 +1,2 @@ # Documentation: https://roots.io/trellis/docs/mail/ -php_sendmail_path: "{{ mailhog_install_dir }}/mhsendmail" +php_sendmail_path: "{{ mailpit_install_dir }}/mailpit sendmail" diff --git a/roles/mailhog/defaults/main.yml b/roles/mailhog/defaults/main.yml deleted file mode 100644 index b9ab8363a3..0000000000 --- a/roles/mailhog/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ -mailhog_install_dir: /opt/mailhog diff --git a/roles/mailhog/tasks/main.yml b/roles/mailhog/tasks/main.yml deleted file mode 100644 index 2eedb88f6b..0000000000 --- a/roles/mailhog/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ -- ansible.builtin.include_vars: - file: "{{ item }}" - name: mailhog_overrides - with_first_found: - - files: - - "vars/{{ ansible_architecture }}.yml" - - "vars/default.yml" - -- ansible.builtin.include_role: - name: geerlingguy.mailhog - vars: - mailhog_binary_url: "{{ mailhog_overrides.mailhog_binary_url }}" - mhsendmail_binary_url: "{{ mailhog_overrides.mhsendmail_binary_url }}" diff --git a/roles/mailhog/vars/aarch64.yml b/roles/mailhog/vars/aarch64.yml deleted file mode 100644 index 0a2acc290c..0000000000 --- a/roles/mailhog/vars/aarch64.yml +++ /dev/null @@ -1,2 +0,0 @@ -mailhog_binary_url: "https://github.com/evertiro/MailHog/releases/download/v1.0.1-M1/MailHog_linux_arm64" -mhsendmail_binary_url: "https://github.com/evertiro/mhsendmail/releases/download/v0.2.0-M1/mhsendmail_linux_arm64" diff --git a/roles/mailhog/vars/default.yml b/roles/mailhog/vars/default.yml deleted file mode 100644 index 8582b58818..0000000000 --- a/roles/mailhog/vars/default.yml +++ /dev/null 
@@ -1,2 +0,0 @@ -mailhog_binary_url: "https://github.com/mailhog/MailHog/releases/download/v{{ mailhog_version }}/MailHog_linux_{{ mailhog_arch }}" -mhsendmail_binary_url: "https://github.com/mailhog/mhsendmail/releases/download/v{{ mhsendmail_version }}/mhsendmail_linux_{{ mailhog_arch }}" From 813eec01b7c5ceb291949de932124fbde3e9258b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 24 Feb 2023 10:37:53 -0500 Subject: [PATCH 533/663] Fix ansible_user references for local provisioning (#1479) `ansible_user` can't be assumed to be defined during Ansible local provisioning (the default mode in Vagrant if Ansible is not installed on the host machine). --- group_vars/development/main.yml | 2 +- roles/common/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml index 05c01e25b7..7fa791436b 100644 --- a/group_vars/development/main.yml +++ b/group_vars/development/main.yml @@ -1,4 +1,4 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" env: development mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml -web_user: "{{ ansible_user }}" +web_user: "{{ ansible_user | default ('vagrant') }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 5c0f4e8aa6..cb126400f1 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -172,7 +172,7 @@ - name: Generate SSH key for vagrant user for ansible_local provisioning user: - name: "{{ ansible_user }}" + name: vagrant generate_ssh_key: yes when: vagrant_local_provisioning | default(false) From 23cafb4dfea18950ac2f1b83324ba52a46950c68 Mon Sep 17 00:00:00 2001 
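Review bot: `default ('vagrant')` carries a space between the filter name and its argument list; it parses, but `default('vagrant')` is the form used everywhere else in this series. The same literal `vagrant` is now also hard-coded in the SSH-key task in `roles/common/tasks/main.yml` in this commit; a comment on that task, `# Local provisioning runs as the box's vagrant user; ansible_user is not set in that mode`, captures the commit-message reasoning that the file itself lacks.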
From: Ben Word <ben@benword.com> Date: Tue, 28 Feb 2023 00:03:46 -0600 Subject: [PATCH 534/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ed24357fe8..cf927f4b03 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ </p> <p align="center"> - <a href="https://roots.io/"><strong><code>Website</code></strong></a>    <a href="https://docs.roots.io/trellis/master/installation/"><strong><code>Documentation</code></strong></a>    <a href="https://github.com/roots/trellis/releases"><strong><code>Releases</code></strong></a>    <a href="https://discourse.roots.io/"><strong><code>Support</code></strong></a> + <a href="https://roots.io/"><strong><code>Website</code></strong></a>    <a href="https://roots.io/trellis/docs/installation/"><strong><code>Documentation</code></strong></a>    <a href="https://github.com/roots/trellis/releases"><strong><code>Releases</code></strong></a>    <a href="https://discourse.roots.io/"><strong><code>Support</code></strong></a> </p> ## Sponsors 
@@ -39,7 +39,7 @@ However, the amount of effort needed to maintain and develop new features and pr <p align="center"><a href="https://github.com/sponsors/roots"><img height="32" src="https://img.shields.io/badge/sponsor%20roots-525ddc?logo=github&logoColor=ffffff&message=" alt="Sponsor Roots"></a></p> <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="148" height="111"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="148" height="111"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="148" height="111"></a> </div> ## Overview From 1bfb2d7dce2ff2289c2b08d073206b5900f58f3a Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Date: Tue, 7 Mar 2023 13:47:58 -0500
Subject: [PATCH 535/663] Fix invalid arg error in ferm task (#1480)
Fixes "invalid or malformed argument" issue
---
roles/ferm/tasks/main.yml | 20 +++++++-------------
1 file changed, 7 insertions(+), 13 deletions(-)
diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml
index ae147a5554..ce779972d1 100644
--- a/roles/ferm/tasks/main.yml
+++ b/roles/ferm/tasks/main.yml
@@ -36,24 +36,18 @@
- restart ferm
- name: ensure iptables INPUT rules are removed
- file: state=absent
- {% if item.filename is defined and item.filename %}
- path=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.filename }}.conf
- {% else %}
- path=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf
- {% endif %}
+ file:
+ path: "/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ (item.filename is defined and item.filename) | ternary(item.filename, item.type + '_' + item.dport[0]) }}.conf"
+ state: absent
loop: "{{ ferm_input_list + ferm_input_group_list + ferm_input_host_list | flatten}}"
when: ((item.type is defined and item.type) and (item.dport is defined and item.dport)) and (item.delete is defined and item.delete)
- name: ensure iptables INPUT rules are added
- template: src=etc/ferm/filter-input.d/{{ item.type }}.conf.j2
- {% if item.filename is defined and item.filename %}
- dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.filename }}.conf
- {% else %}
- dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf
- {% endif %}
- mode=0644
+ template:
+ src: "etc/ferm/filter-input.d/{{ item.type }}.conf.j2"
+ dest: "/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ (item.filename is defined and item.filename) | ternary(item.filename, item.type + '_' + item.dport[0]) }}.conf"
+ mode: 0644
loop: "{{ ferm_input_list + ferm_input_group_list + ferm_input_host_list | flatten}}"
when: (item.type is defined and item.type and item.dport is defined and item.dport) and (item.delete is undefined or (item.delete is defined and not item.delete))
From d39e989881eaa31480b56a16e2e7233223c7929b Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Date: Tue, 7 Mar 2023 13:51:58 -0500
Subject: [PATCH 536/663] v1.20.1 changelog
---
CHANGELOG.md | 8 ++++++++
1 file changed, 8 insertions(+)
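Review bot: Both new `path:`/`dest:` expressions build the fallback name with `item.type + '_' + item.dport[0]`, and Jinja's `+` raises a type error on a str/int mix, so a rule written as `dport: [8080]` — which the old `{{ item.dport[0] }}` interpolation stringified without complaint — would now fail the `file` and `template` tasks; the string-concatenation operator keeps the old behaviour: `item.type ~ '_' ~ item.dport[0]`. Also worth a comment above the task: `ternary` evaluates both branches before choosing, so it is the `when:` guard on `item.dport` that keeps the `[0]` index safe, not the filename check. Style only: `mode: 0644` is a bare octal that YAML 1.1 reads as an int; roles/php/tasks/main.yml in this same series writes `mode: '0644'`, and matching it avoids the ambiguity (Ansible tolerates the bare form).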
diff --git a/CHANGELOG.md b/CHANGELOG.md index ba3f002644..ccd9127b6d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +### 1.20.1: March 7th, 2023 +* Fix invalid arg error in ferm task [#1480](https://github.com/roots/trellis/pull/1480) +* Fix `ansible_user` references for local provisioning [#1479](https://github.com/roots/trellis/pull/1479) +* Fix HSTS header by trimming whitespace [#1478](https://github.com/roots/trellis/pull/1478) +* Replace MailHog with Mailpit [#1474](https://github.com/roots/trellis/pull/1474) + +**Full Changelog**: https://github.com/roots/trellis/compare/v1.20.0...v1.20.1 + ### 1.20.0: February 12th, 2023 * Set development web_user to ansible_user [#1464](https://github.com/roots/trellis/pull/1464) * Update boxes to Ubuntu 22.04 [#1461](https://github.com/roots/trellis/pull/1461) From 92994573472fef684f4726503aab7e6dd749c735 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Tue, 7 Mar 2023 18:41:18 -0600 Subject: [PATCH 537/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 136 +++++++----------------------------------------------- 1 file changed, 16 insertions(+), 120 deletions(-) diff --git a/README.md b/README.md index cf927f4b03..1dcab66338 100644 --- a/README.md +++ b/README.md 
@@ -4,152 +4,48 @@ </a> </p> -<p align="center"> - <a href="LICENSE.md"> - <img alt="MIT License" src="https://img.shields.io/github/license/roots/trellis?color=%23525ddc&style=flat-square" /> - </a> - - <a href="https://github.com/roots/trellis/releases"> - <img alt="Release" src="https://img.shields.io/github/release/roots/trellis.svg?style=flat-square" /> - </a> - - <a href="https://github.com/roots/trellis/actions"> - <img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/roots/trellis/ci.yml?branch=master&style=flat-square" /> +<p align="center"> + <a href="https://github.com/roots/trellis/actions/workflows/ci.yml"> + <img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/roots/trellis/ci.yml?branch=master&logo=github&label=CI&style=flat-square"> </a> <a href="https://twitter.com/rootswp"> - <img alt="Follow Roots" src="https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square&color=1da1f2" /> + <img alt="Follow Roots" src="https://img.shields.io/badge/follow%20@rootswp-1da1f2?logo=twitter&logoColor=ffffff&message=&style=flat-square"> </a> </p> -<p align="center"> - <strong>Ansible-powered LEMP stack for WordPress</strong> -</p> +<p align="center">Ansible-powered LEMP stack for WordPress</strong></p> <p align="center"> - <a href="https://roots.io/"><strong><code>Website</code></strong></a>    <a href="https://roots.io/trellis/docs/installation/"><strong><code>Documentation</code></strong></a>    <a href="https://github.com/roots/trellis/releases"><strong><code>Releases</code></strong></a>    <a href="https://discourse.roots.io/"><strong><code>Support</code></strong></a> + <a href="https://roots.io/trellis/">Website</a>    <a href="https://roots.io/trellis/docs/installation/">Documentation</a>    <a href="https://github.com/roots/trellis/releases">Releases</a>    <a href="https://discourse.roots.io/">Community</a> </p> -## Sponsors -**Trellis** is an open source project and completely free to 
use. - -However, the amount of effort needed to maintain and develop new features and products within the Roots ecosystem is not sustainable without proper financial backing. If you have the capability, please consider [sponsoring Roots](https://github.com/sponsors/roots). +## Sponsors -<p align="center"><a href="https://github.com/sponsors/roots"><img height="32" src="https://img.shields.io/badge/sponsor%20roots-525ddc?logo=github&logoColor=ffffff&message=" alt="Sponsor Roots"></a></p> +Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="148" height="111"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="148" height="111"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a 
href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="120" height="90"></a> </div> ## Overview -Ansible playbooks for setting up a LEMP stack for WordPress. +Trellis is a collection of Ansible playbooks for setting up a LEMP stack for WordPress. - Local development environment with Vagrant - High-performance production servers - Zero-downtime deploys for your [Bedrock](https://roots.io/bedrock/)-based WordPress sites - [trellis-cli](https://github.com/roots/trellis-cli) for easier management -## What's included - -Trellis will configure a server with the following and more: - -- Ubuntu 22.04 Jammy LTS -- Nginx (with optional FastCGI micro-caching) -- PHP 8.0 -- MariaDB (a drop-in MySQL replacement) -- SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) -- Let's Encrypt for free SSL certificates -- HTTP/2 support (requires SSL) -- Composer -- WP-CLI -- sSMTP (mail delivery) -- MailHog -- Memcached -- Fail2ban and ferm - -## Requirements - -See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements. - -## Installation - -Create a new project: - -```bash -$ trellis new example.com -``` - -## Local development setup - -1. Review the automatically created site in `group_vars/development/wordpress_sites.yml` -2. Customize settings if necessary - -Start the Vagrant virtual machine: - -```bash -$ trellis up -``` - -[Read the local development docs](https://docs.roots.io/trellis/master/local-development/#wordpress-installation) for more information. 
- -## Remote server setup (staging/production) - -A base Ubuntu 22.04 server (18.04 and 20.04 also supported) is required for setting up remote servers. - -1. Configure your WordPress sites in `group_vars/<environment>/wordpress_sites.yml` and in `group_vars/<environment>/vault.yml` (see the [Vault docs](https://docs.roots.io/trellis/master/vault/) for how to encrypt files containing passwords) -2. Add your server IP/hostnames to `hosts/<environment>` -3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://docs.roots.io/trellis/master/ssh-keys/)) - -Provision the server: - -```bash -$ trellis provision production -``` - -Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) support to create a Droplet _and_ provision it in a single command: - -```bash -$ trellis droplet create production -``` - -[Read the remote server docs](https://docs.roots.io/trellis/master/remote-server-setup/) for more information. - -## Deploying to remote servers - -1. Add the `repo` (Git URL) of your Bedrock WordPress project in the corresponding `group_vars/<environment>/wordpress_sites.yml` file -2. Set the `branch` you want to deploy (defaults to `master`) - -Deploy a site: - -```bash -$ trellis deploy <environment> <site> -``` - -Rollback a deploy: - -```bash -$ trellis rollback <environment> <site> -``` - -[Read the deploys docs](https://roots.io/docs/trellis/master/deployments/) for more information. - -## Migrating existing projects to trellis-cli: - -Assuming you're using the standard project structure, you just need to make the -project trellis-cli compatible by initializing it: - -```bash -$ trellis init -``` +## Getting Started -## Community +See the [Trellis installation documentation](https://roots.io/trellis/docs/installation/). -Keep track of development and community news. 
+## Stay Connected - Join us on Discord by [sponsoring us on GitHub](https://github.com/sponsors/roots) -- Participate on the [Roots Discourse](https://discourse.roots.io/) +- Participate on [Roots Discourse](https://discourse.roots.io/) - Follow [@rootswp on Twitter](https://twitter.com/rootswp) -- Read and subscribe to the [Roots Blog](https://roots.io/blog/) -- Subscribe to the [Roots Newsletter](https://roots.io/subscribe/) +- Read the [Roots Blog](https://roots.io/blog/) +- Subscribe to the [Roots Newsletter](https://roots.io/newsletter/) From 68cbc413587265c4b9500ea68563923185d64afe Mon Sep 17 00:00:00 2001 From: Barna <62602458+code23-barna@users.noreply.github.com> Date: Tue, 14 Mar 2023 16:23:59 +0000 Subject: [PATCH 538/663] use appropriate mount_option for 'parallels' provider (Apple Silicon, arm64) (#1481) --- lib/trellis/vagrant.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index a25aada739..ef3c6bd13a 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -65,6 +65,8 @@ def nfs_path(path) def mount_options(mount_type, dmode:, fmode:) if mount_type == 'smb' ["vers=3.02", "mfsymlinks", "dir_mode=0#{dmode}", "file_mode=0#{fmode}", "sec=ntlm"] + elsif mount_type == 'parallels' + ["share"] else ["dmode=#{dmode}", "fmode=#{fmode}"] end From 69d181998c09361d24b6999a4afa8f70e5de1bcb Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Wed, 5 Apr 2023 12:27:21 -0500 Subject: [PATCH 539/663] =?UTF-8?q?=F0=9F=94=A7=20Default=20to=20PHP=208.1?= =?UTF-8?q?=20(#1484)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- group_vars/all/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index a9bbfccbdf..08700ee18d 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
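Review bot: The new `parallels` branch in `mount_options` returns `["share"]` and discards the `dmode:`/`fmode:` arguments, so the directory and file permission modes the caller requested are silently dropped for that provider while the `smb` and default branches honour them. If that is deliberate because the Parallels shared-folder driver accepts no mode options, say so next to the branch, e.g. `# parallels shares take no dmode/fmode; "share" is the only accepted option`; if the driver does accept them, pass them through as the default branch does. Whether any caller depends on the modes for this provider is inferred — the method's closing `end` and its callers are outside the hunk.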
@@ -3,7 +3,7 @@ apt_package_state: present
apt_security_package_state: latest
apt_dev_package_state: latest
composer_keep_updated: true
-php_version: "8.0"
+php_version: "8.1"
ntp_timezone: Etc/UTC
ntp_manage_config: true
www_root: /srv/www
From dc941c408e32b5a8edbae76c0c9b4e5d4f9ba8d5 Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Wed, 5 Apr 2023 12:38:08 -0500
Subject: [PATCH 540/663] =?UTF-8?q?=F0=9F=94=A7=20Add=20optional=20PHP=208?= =?UTF-8?q?.2=20support=20(#1485)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
roles/php/vars/8.2.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 roles/php/vars/8.2.yml
diff --git a/roles/php/vars/8.2.yml b/roles/php/vars/8.2.yml
new file mode 100644
index 0000000000..9fd5b87761
--- /dev/null
+++ b/roles/php/vars/8.2.yml
@@ -0,0 +1,18 @@
+php_extensions_default:
+ php8.2-bcmath: "{{ apt_package_state }}"
+ php8.2-cli: "{{ apt_package_state }}"
+ php8.2-curl: "{{ apt_package_state }}"
+ php8.2-dev: "{{ apt_package_state }}"
+ php8.2-fpm: "{{ apt_package_state }}"
+ php8.2-imagick: "{{ apt_package_state }}"
+ php8.2-intl: "{{ apt_package_state }}"
+ php8.2-mbstring: "{{ apt_package_state }}"
+ php8.2-mysql: "{{ apt_package_state }}"
+ php8.2-xml: "{{ apt_package_state }}"
+ php8.2-xmlrpc: "{{ apt_package_state }}"
+ php8.2-zip: "{{ apt_package_state }}"
+
+php_memcached_packages:
+ php8.2-memcached: "{{ apt_package_state }}"
+
+php_xdebug_package: php8.2-xdebug
From 02cfc360911c545611d624c01ce4d97f197c6d00 Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Wed, 5 Apr 2023 13:45:47 -0500
Subject: [PATCH 541/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20CHANGELOG=20[ci?= =?UTF-8?q?=20skip]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
CHANGELOG.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ccd9127b6d..3cd552c6d8 100644
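Review bot: `php8.2-dev` sits in `php_extensions_default` alongside the runtime extensions, so PHP headers and the build tooling they pull in are installed on every host the role touches, production included. If nothing in the roles compiles extensions from PECL — the memcached and xdebug packages in this same file come from apt — it could be dropped or moved to a development-only list to keep the toolchain off production servers. The 8.0/8.1 vars files this presumably mirrors are not visible here, so treat this as a question about the inherited list rather than a regression introduced by this commit.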
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +### 1.21.0: April 5th, 2023 +* Add optional PHP 8.2 support [#1485](https://github.com/roots/trellis/pull/1485) +* Default to PHP 8.1 [#1484](https://github.com/roots/trellis/pull/1484) +* Use appropriate mount_option for 'parallels' provider [#1481](https://github.com/roots/trellis/pull/1481) + +**Full Changelog**: https://github.com/roots/trellis/compare/v1.20.1...v1.21.0 + ### 1.20.1: March 7th, 2023 * Fix invalid arg error in ferm task [#1480](https://github.com/roots/trellis/pull/1480) * Fix `ansible_user` references for local provisioning [#1479](https://github.com/roots/trellis/pull/1479) From 4c0092047082290f39c5531f756ea180b8d910b6 Mon Sep 17 00:00:00 2001 From: Henning Orth <mail@e-vance.net> Date: Thu, 11 May 2023 14:31:40 +0200 Subject: [PATCH 542/663] Update deploy.yml (#1487) Fix doc link in "Deploy WP site"-step message. URL should be redirected IMO additionally. --- deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy.yml b/deploy.yml index 4d88bb2151..cbe2d77de0 100644 --- a/deploy.yml +++ b/deploy.yml @@ -27,7 +27,7 @@ Invalid Git repository. Ensure that your site's `repo` variable is defined in `group_vars/{{ env }}/wordpress_sites.yml` and uses the SSH format (example: git@github.com:roots/bedrock.git) More info: - > https://roots.io/trellis/docs/deploys/ + > https://roots.io/trellis/docs/deployments/ when: project.repo is not defined or project.repo is not match("^ssh://.+@.+|.+@.+:.+") roles: - deploy From fcafede2f6cfaea9539c2d2918fde079c73454f2 Mon Sep 17 00:00:00 2001 From: Dale Grant <dale@codeand.com.au> Date: Mon, 15 May 2023 23:48:08 +1000 Subject: [PATCH 543/663] Fix issue with variable name 'site' clashing when setting composer authentications. (#1488) --- roles/wordpress-install/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml
index 5e3ca096e3..6119154b47 100644
--- a/roles/wordpress-install/tasks/main.yml
+++ b/roles/wordpress-install/tasks/main.yml
@@ -18,13 +18,13 @@
- include_tasks: tasks/composer-authentications.yml
vars:
- site: "{{ site.key }}"
- working_dir: "{{ www_root }}/{{ site.key }}/{{ site.value.current_path | default('current') }}/"
+ site: "{{ loop_item.key }}"
+ working_dir: "{{ www_root }}/{{ loop_item.key }}/{{ loop_item.value.current_path | default('current') }}/"
no_log: true
loop: "{{ wordpress_sites | dict2items }}"
loop_control:
- loop_var: site
- label: "{{ site.key }}"
+ loop_var: loop_item # cannot be 'item' or 'site'.
+ label: "{{ loop_item.key }}"
- name: Install Dependencies with Composer
composer:
From 268509ad853080382459be65961d08dbc7a2f86b Mon Sep 17 00:00:00 2001
From: Hylke Hellinga <hylke.hellinga@gmail.com>
Date: Fri, 26 May 2023 20:56:30 +0200
Subject: [PATCH 544/663] Add libvirt support to Vagrant (#1490)
Gives the ability for users who have the libvirt plugin installed on linux to use libvirt/kvm for creating the virtual machine. This change will make sure that the RAM and CPU count will be properly set on each trellis up.
---
Vagrantfile | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/Vagrantfile b/Vagrantfile
index ea5178a36a..34cdd3270f 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -208,4 +208,11 @@ Vagrant.configure('2') do |config|
h.enable_virtualization_extensions = true
h.linked_clone = true
end
+
+ # Libvirt/KVM settings
+ config.vm.provider 'libvirt' do [lv]
+ lv.vmname = config.vm.hostname
+ lv.cpus = vconfig.fetch('vagrant_cpus')
+ lv.memory = vconfig.fetch('vagrant_memory')
+ end
end
From f62a57c03853be96220ded6f21f40025098990cd Mon Sep 17 00:00:00 2001
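Review bot: `no_log: true` on this `include_tasks` protects only the include line itself; as I read Ansible's dynamic-include semantics, keywords on `include_tasks` are not inherited by the tasks inside tasks/composer-authentications.yml, so whatever those tasks log (composer auth tokens, presumably) is only redacted if that file sets `no_log` on its own tasks — worth confirming while this block is being touched, since the included file is not visible here. The rename to `loop_var: loop_item` does fix the clash with the `site` var passed to the include; the trailing comment would be more useful if it said why: `# 'item' is Ansible's default loop var and 'site' is the var handed to the included file`.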
From: Hylke Hellinga <hylke.hellinga@gmail.com>
Date: Sat, 27 May 2023 18:11:39 +0200
Subject: [PATCH 545/663] Fix libvirt vagrant provider config
* Change vmname to title for libvirt vagrant provider
* Added KVM Acceleration to the VM. In order for a more accelerated virtual machine, KVM needs to be installed and set as the driver, so that the VM will be a lot faster.
---
Vagrantfile | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Vagrantfile b/Vagrantfile
index 34cdd3270f..4997060552 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -210,8 +210,9 @@ Vagrant.configure('2') do |config|
end
# Libvirt/KVM settings
- config.vm.provider 'libvirt' do [lv]
- lv.vmname = config.vm.hostname
+ config.vm.provider 'libvirt' do |lv|
+ lv.driver = "kvm"
+ lv.title = config.vm.hostname
lv.cpus = vconfig.fetch('vagrant_cpus')
lv.memory = vconfig.fetch('vagrant_memory')
end
From aa136d3480e581e9fc310e14378decb2d55481f1 Mon Sep 17 00:00:00 2001
From: Risto Kaalma <25532263+rkaalma@users.noreply.github.com>
Date: Tue, 30 May 2023 05:34:55 +0300
Subject: [PATCH 546/663] Update Bitbucket Cloud SSH Host Keys (#1492)
---
group_vars/all/known_hosts.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/group_vars/all/known_hosts.yml b/group_vars/all/known_hosts.yml
index 1db951997f..e337816980 100644
--- a/group_vars/all/known_hosts.yml
+++ b/group_vars/all/known_hosts.yml
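Review bot: `lv.driver = "kvm"` hard-requires KVM for the libvirt provider; as far as I recall the vagrant-libvirt plugin already defaults its driver to `kvm`, so on hosts with /dev/kvm this line changes nothing, and on hosts without it (nested virtualization disabled, CI runners) the VM creation fails rather than the user choosing `qemu` via the plugin's normal override. The commit message presents the line as adding acceleration, which does not match that. Either drop it, or keep it with a comment stating the intent, e.g. `# pin the domain type to kvm; qemu-only hosts will fail here rather than run unaccelerated`. The `config.vm.provider` block is fully inside the hunk; `vconfig` is defined elsewhere in the Vagrantfile.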
@@ -9,7 +9,9 @@ known_hosts:
- name: github.com
key: github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
- name: bitbucket.org
- key: bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+ key: bitbucket.org ssh-rsa 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
+ - name: bitbucket.org
+ key: bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
- name: gitlab.com
key: gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
- name: gitlab.com
From 5642f8658dc8463a8b2aa6c65fdb7f2bb427cbe0 Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Mon, 5 Jun 2023 10:54:31 -0500
Subject: [PATCH 547/663] Update `wp_cli_version` to 2.8.0 (#1493)
---
roles/wp-cli/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml
index 18dacfd053..8c5005924e 100644
--- a/roles/wp-cli/defaults/main.yml
+++ b/roles/wp-cli/defaults/main.yml
@@ -1,5 +1,5 @@
gpg2_package: gnupg2
-wp_cli_version: 2.7.1
+wp_cli_version: 2.8.0
wp_cli_bin_path: /usr/bin/wp
wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar"
wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc"
From b2d2095f39f52446a977c4c1272ecc0e21b69769 Mon Sep 17 00:00:00 2001
From: Mike iLL Kilmer <mike@mzoo.org> Date: Wed, 21 Jun 2023 22:13:07 -0500 Subject: [PATCH 548/663] Update build-after.yml (#1489) This might also help others in the future. --- deploy-hooks/build-after.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy-hooks/build-after.yml b/deploy-hooks/build-after.yml index 9cce3a2ac3..7ed1b7e836 100644 --- a/deploy-hooks/build-after.yml +++ b/deploy-hooks/build-after.yml @@ -3,6 +3,7 @@ # ⚠️ This example assumes your theme is using Sage 10 # # Uncomment the lines below if you are using Sage 10 +# NOTE: this task will fail if Sage theme is not activated at time of deployment. # # --- # - name: Run Acorn optimize From c9f4dd918cb0a708b298c506785b09c7e0e80e3a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 21 Jun 2023 23:14:08 -0400 Subject: [PATCH 549/663] CLI config updates (#1486) Trellis CLI is now preferring `trellis.cli.yml` as the main config file path over `.trellis/cli.yml` (though it remains supported). This now makes it possible to gitignore the entire `.trellis` directory as it contains CLI generated files for machine use only. `.trellis/cli.yml` is exempted in the gitignore for legacy compatibility purposes. --- .gitignore | 4 +++- trellis.cli.yml | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 trellis.cli.yml diff --git a/.gitignore b/.gitignore index d0fc5f0aa7..5fd7350b2b 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,6 @@ vagrant.local.yml vendor/roles *.py[co] *.retry -.trellis/virtualenv +.trellis/* +!.trellis/cli.yml +trellis.cli.local.yml diff --git a/trellis.cli.yml b/trellis.cli.yml new file mode 100644 index 0000000000..7cfe2470b0 --- /dev/null +++ b/trellis.cli.yml @@ -0,0 +1,6 @@ +# Trellis CLI example config file +# https://roots.io/trellis/docs/cli/#configuration +# +# database_app: sequel-ace +# open: +# admin: "https://mysite.com/wp/wp-admin" From f1377d1df3e69061f62de75a6b8fcd5296d57cfb Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Date: Mon, 24 Jul 2023 23:27:47 -0400
Subject: [PATCH 550/663] Add PHP-FPM conf and tuning settings (#1496)
Allows customization of the PHP-FPM service configuration. Previously only the _pool_ configuration was exposed in Trellis. This allows for more advanced performance tuning. The PHP-FPM php.ini template is the default values as a starting point.
Co-authored-by: Paul Brzeski <paulbrzeski@users.noreply.github.com>
---
roles/php/defaults/main.yml | 7 +
roles/php/tasks/main.yml | 8 +-
roles/php/templates/php-fpm.conf.j2 | 153 ++++++++++++++++++
roles/wordpress-setup/tasks/main.yml | 2 +-
...conf.j2 => php-fpm-pool-wordpress.conf.j2} | 0
5 files changed, 168 insertions(+), 2 deletions(-)
create mode 100644 roles/php/templates/php-fpm.conf.j2
rename roles/wordpress-setup/templates/{php-fpm.conf.j2 => php-fpm-pool-wordpress.conf.j2} (100%)
diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml
index 73a40e58c4..31cd8a096f 100644
--- a/roles/php/defaults/main.yml
+++ b/roles/php/defaults/main.yml
@@ -31,3 +31,10 @@ php_opcache_max_accelerated_files: 4000
php_opcache_memory_consumption: 128
php_opcache_revalidate_freq: 60
php_opcache_validate_timestamps: 1
+
+php_fpm_set_emergency_restart_threshold: false
+php_fpm_emergency_restart_threshold: 0
+php_fpm_set_emergency_restart_interval: false
+php_fpm_emergency_restart_interval: 0
+php_fpm_set_process_control_timeout: false
+php_fpm_process_control_timeout: 0
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
index e5fce88125..9606170c88 100644
--- a/roles/php/tasks/main.yml
+++ b/roles/php/tasks/main.yml
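Review bot: The three `php_fpm_set_*` booleans carry no information the values don't already — php-fpm treats `0` as "off" for all three directives (the new template's own comments say so), so a template test on the value alone, `{% if php_fpm_emergency_restart_threshold %}`, would produce the same rendered file from these defaults with half the variables. If the split is intended to let an operator keep a value in group_vars while leaving the directive out of the rendered file, that is a reasonable design but not an obvious one; a comment above the block such as `# *_set_* toggles control whether the directive is rendered at all; the value is only used when the toggle is true` would make the contract clear.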
@@ -42,11 +42,17 @@
state: started
enabled: true
-- name: Copy PHP-FPM configuration file
+- name: Copy PHP-FPM php.ini file
template:
src: php-fpm.ini.j2
dest: /etc/php/{{ php_version }}/fpm/php.ini
mode: '0644'
+
+- name: Copy PHP-FPM configuration file
+ template:
+ src: php-fpm.conf.j2
+ dest: /etc/php/{{ php_version }}/fpm/php-fpm.conf
+ mode: '0644'
notify: reload php-fpm
- name: Copy PHP CLI configuration file
diff --git a/roles/php/templates/php-fpm.conf.j2 b/roles/php/templates/php-fpm.conf.j2
new file mode 100644
index 0000000000..57c5fc4922
--- /dev/null
+++ b/roles/php/templates/php-fpm.conf.j2
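Review bot: The php.ini task lost its handler: on the new side `Copy PHP-FPM php.ini file` ends at `mode: '0644'`, and the single `notify: reload php-fpm` context line now attaches to the newly inserted `Copy PHP-FPM configuration file` task, so a changed php.ini — where disable_functions, open_basedir, upload limits and the like presumably live — is written to disk but the running FPM keeps the old values until something else reloads it. Add `notify: reload php-fpm` back under the php.ini task's `mode:` line; the hunk's 11 → 17 line counts confirm the notify appears only once on the new side.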
@@ -0,0 +1,153 @@
+; {{ ansible_managed }}
+
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+
+; All relative paths in this configuration file are relative to PHP's install
+; prefix (/usr). This prefix can be dynamically changed by using the
+; '-p' argument from the command line.
+
+;;;;;;;;;;;;;;;;;;
+; Global Options ;
+;;;;;;;;;;;;;;;;;;
+
+[global]
+; Pid file
+; Note: the default prefix is /var
+; Default Value: none
+; Warning: if you change the value here, you need to modify systemd
+; service PIDFile= setting to match the value here.
+pid = /run/php/php{{ php_version }}-fpm.pid
+
+; Error log file
+; If it's set to "syslog", log is sent to syslogd instead of being written
+; into a local file.
+; Note: the default prefix is /var
+; Default Value: log/php-fpm.log
+error_log = /var/log/php{{ php_version }}-fpm.log
+
+; syslog_facility is used to specify what type of program is logging the
+; message. This lets syslogd specify that messages from different facilities
+; will be handled differently.
+; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
+; Default Value: daemon
+;syslog.facility = daemon
+
+; syslog_ident is prepended to every message. If you have multiple FPM
+; instances running on the same server, you can change the default value
+; which must suit common needs.
+; Default Value: php-fpm
+;syslog.ident = php-fpm
+
+; Log level
+; Possible Values: alert, error, warning, notice, debug
+; Default Value: notice
+;log_level = notice
+
+; Log limit on number of characters in the single line (log entry). If the
+; line is over the limit, it is wrapped on multiple lines. The limit is for
+; all logged characters including message prefix and suffix if present. However
+; the new line character does not count into it as it is present only when
+; logging to a file descriptor. It means the new line character is not present
+; when logging to syslog.
+; Default Value: 1024
+;log_limit = 4096
+
+; Log buffering specifies if the log line is buffered which means that the
+; line is written in a single write operation. If the value is false, then the
+; data is written directly into the file descriptor. It is an experimental
+; option that can potentionaly improve logging performance and memory usage
+; for some heavy logging scenarios. This option is ignored if logging to syslog
+; as it has to be always buffered.
+; Default value: yes
+;log_buffering = no
+
+; If this number of child processes exit with SIGSEGV or SIGBUS within the time
+; interval set by emergency_restart_interval then FPM will restart. A value
+; of '0' means 'Off'.
+; Default Value: 0
+{% if php_fpm_set_emergency_restart_threshold %}
+emergency_restart_threshold = {{ php_fpm_emergency_restart_threshold }}
+{% endif %}
+
+; Interval of time used by emergency_restart_interval to determine when
+; a graceful restart will be initiated. This can be useful to work around
+; accidental corruptions in an accelerator's shared memory.
+; Available Units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+{% if php_fpm_set_emergency_restart_interval %}
+emergency_restart_interval = {{ php_fpm_emergency_restart_interval }}
+{% endif %}
+
+; Time limit for child processes to wait for a reaction on signals from master.
+; Available units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+{% if php_fpm_set_process_control_timeout %}
+process_control_timeout = {{ php_fpm_process_control_timeout }}
+{% endif %}
+
+; The maximum number of processes FPM will fork. This has been designed to control
+; the global number of processes when using dynamic PM within a lot of pools.
+; Use it with caution.
+; Note: A value of 0 indicates no limit
+; Default Value: 0
+; process.max = 128
+
+; Specify the nice(2) priority to apply to the master process (only if set)
+; The value can vary from -19 (highest priority) to 20 (lowest priority)
+; Note: - It will only work if the FPM master process is launched as root
+; - The pool process will inherit the master process priority
+; unless specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
+; Default Value: yes
+;daemonize = yes
+
+; Set open file descriptor rlimit for the master process.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit for the master process.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Specify the event mechanism FPM will use. The following is available:
+; - select (any POSIX os)
+; - poll (any POSIX os)
+; - epoll (linux >= 2.5.44)
+; - kqueue (FreeBSD >= 4.1, OpenBSD >= 2.9, NetBSD >= 2.0)
+; - /dev/poll (Solaris >= 7)
+; - port (Solaris >= 10)
+; Default Value: not set (auto detection)
+;events.mechanism = epoll
+
+; When FPM is built with systemd integration, specify the interval,
+; in seconds, between health report notification to systemd.
+; Set to 0 to disable.
+; Available Units: s(econds), m(inutes), h(ours)
+; Default Unit: seconds
+; Default value: 10
+;systemd_interval = 10
+
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Multiple pools of child processes may be started with different listening
+; ports and different management options. The name of the pool will be
+; used in logs and stats. There is no limitation on the number of pools which
+; FPM can handle. Your system will tell you anyway :)
+
+; Include one or more files. If glob(3) exists, it is used to include a bunch of
+; files from a glob(3) pattern.
This directive can be used everywhere in the +; file. +; Relative path can also be used. They will be prefixed by: +; - the global prefix if it's been set (-p argument) +; - /usr otherwise +include=/etc/php/{{ php_version }}/fpm/pool.d/*.conf diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index dcdf09df96..890d7078aa 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -27,7 +27,7 @@ - name: Create WordPress php-fpm configuration file template: - src: php-fpm.conf.j2 + src: php-fpm-pool-wordpress.conf.j2 dest: /etc/php/{{ php_version }}/fpm/pool.d/wordpress.conf mode: '0644' notify: reload php-fpm diff --git a/roles/wordpress-setup/templates/php-fpm.conf.j2 b/roles/wordpress-setup/templates/php-fpm-pool-wordpress.conf.j2 similarity index 100% rename from roles/wordpress-setup/templates/php-fpm.conf.j2 rename to roles/wordpress-setup/templates/php-fpm-pool-wordpress.conf.j2 From e0cdc3d2b1be384c769b48e66d9e5e32acbf5beb Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 25 Jul 2023 22:52:50 -0400 Subject: [PATCH 551/663] Add MariaDB server config for optimizatons (#1497) Co-authored-by: Paul Brzeski <paulbrzeski@users.noreply.github.com> --- roles/mariadb/defaults/main.yml | 8 +- roles/mariadb/tasks/main.yml | 7 ++ roles/mariadb/templates/50-server.cnf.j2 | 132 +++++++++++++++++++++++ 3 files changed, 146 insertions(+), 1 deletion(-) create mode 100644 roles/mariadb/templates/50-server.cnf.j2 diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index b2c4de073e..12a81ad2af 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml 
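Review bot: The three `{% if php_fpm_set_… %}` guards add no behaviour: the template's own comments state that `0` means Off for `emergency_restart_threshold`, `emergency_restart_interval` and `process_control_timeout`, and the defaults hunk of this patch sets each value to `0`, so rendering the directives unconditionally from the value variables alone would be equivalent and would halve the number of variables an operator has to learn. The comment above the second guard also names the wrong directive; it should read `; Interval of time used by emergency_restart_threshold to determine when`. Since the threshold presumably only triggers a restart when the interval is non-zero as well, a comment in roles/php/defaults/main.yml saying the two values are set together would help anyone relying on this as a crash-recovery control.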
@@ -1,6 +1,7 @@ +mariadb_version: 10.6 mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb https://mirror.rackspace.com/mariadb/repo/10.6/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb https://mirror.rackspace.com/mariadb/repo/{{ mariadb_version }}/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server @@ -9,3 +10,8 @@ mysql_binary_logging_disabled: true mysql_root_user: root sites_using_remote_db: "[{% for name, site in wordpress_sites.items() | list if site.env is defined and site.env.db_host | default('localhost') != 'localhost' %}'{{ name }}',{% endfor %}]" + +mariadb_set_innodb_buffer_pool_size: false +mariadb_innodb_buffer_pool_size: 128M +mariadb_set_innodb_log_file_size: false +mariadb_innodb_log_file_size: 96M diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 1b2028a308..de3b9fb072 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -41,6 +41,13 @@ group: root mode: '0600' + - name: Copy server config file with MariaDB optimisations. + template: + src: 50-server.cnf.j2 + dest: /etc/mysql/mariadb.conf.d/50-server.cnf + mode: '0644' + notify: restart mysql server + - name: Set root user password mysql_user: name: root diff --git a/roles/mariadb/templates/50-server.cnf.j2 b/roles/mariadb/templates/50-server.cnf.j2 new file mode 100644 index 0000000000..f46ee20525 --- /dev/null +++ b/roles/mariadb/templates/50-server.cnf.j2 
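Review bot: `mariadb_version: 10.6` is an unquoted float, so YAML loads it as the number 10.6 rather than a string; it renders correctly today, but a two-digit minor release such as 10.10 or 10.11 would load as 10.1 and silently break the `mariadb_ppa` URL built on the next line and the `[mariadb-{{mariadb_version}}]` group in the new 50-server.cnf.j2 template. Quote it: `mariadb_version: "10.6"`. The `128M` / `96M` sizes in the second hunk load as strings and are fine.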
@@ -0,0 +1,132 @@
+# {{ ansible_managed }}
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+[mysqld]
+
+#
+# * Basic Settings
+#
+
+user = mysql
+pid-file = /run/mysqld/mysqld.pid
+basedir = /usr
+datadir = /var/lib/mysql
+tmpdir = /tmp
+lc-messages-dir = /usr/share/mysql
+lc-messages = en_US
+skip-external-locking
+
+# Broken reverse DNS slows down connections considerably and name resolve is
+# safe to skip if there are no "host by domain name" access grants
+#skip-name-resolve
+
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = 127.0.0.1
+
+#
+# * Fine Tuning
+#
+
+#key_buffer_size = 128M
+#max_allowed_packet = 1G
+#thread_stack = 192K
+#thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+#myisam_recover_options = BACKUP
+#max_connections = 100
+#table_cache = 64
+
+#
+# * Logging and Replication
+#
+
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# Recommend only changing this at runtime for short testing periods if needed!
+#general_log_file = /var/log/mysql/mysql.log
+#general_log = 1
+
+# When running under systemd, error logging goes via stdout/stderr to journald
+# and when running legacy init error logging goes to syslog due to
+# /etc/mysql/conf.d/mariadb.conf.d/50-mysqld_safe.cnf
+# Enable this if you want to have error logging into a separate file
+#log_error = /var/log/mysql/error.log
+# Enable the slow query log to see queries with especially long duration
+#slow_query_log_file = /var/log/mysql/mariadb-slow.log
+#long_query_time = 10
+#log_slow_verbosity = query_plan,explain
+#log-queries-not-using-indexes
+#min_examined_row_limit = 1000
+
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+#max_binlog_size = 100M
+
+#
+# * SSL/TLS
+#
+
+# For documentation, please read
+# https://mariadb.com/kb/en/securing-connections-for-client-and-server/
+#ssl-ca = /etc/mysql/cacert.pem
+#ssl-cert = /etc/mysql/server-cert.pem
+#ssl-key = /etc/mysql/server-key.pem
+#require-secure-transport = on
+
+#
+# * Character sets
+#
+
+# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
+# utf8 4-byte character set. See also client.cnf
+character-set-server = utf8mb4
+collation-server = utf8mb4_general_ci
+
+#
+# * InnoDB
+#
+
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+# Most important is to give InnoDB 80 % of the system RAM for buffer use:
+# https://mariadb.com/kb/en/innodb-system-variables/#innodb_buffer_pool_size
+
+# Amount of RAM to allocate to database buffering.
+# - Max is 80% of total RAM. i.e. 80% of 8G, 6.4G is the max.
+# - On server doing PHP and MySQL, don't allocate more than 50% because the rest needs to go to PHP.
+# - Default is 128M +{% if mariadb_set_innodb_buffer_pool_size %} +innodb_buffer_pool_size = {{ mariadb_innodb_buffer_pool_size }} +{% endif %} + +# Amount of disk space to allocate to database redo file +# - Should be 25% of buffer pool size as per MySQL Tuner (https://github.com/major/MySQLTuner-perl) +# - Default is 96M +{% if mariadb_set_innodb_log_file_size %} +innodb_log_file_size = {{ mariadb_innodb_log_file_size }} +{% endif %} + +# this is only for embedded server +[embedded] + +# This group is only read by MariaDB servers, not by MySQL. +# If you use the same .cnf file for MySQL and MariaDB, +# you can put MariaDB-only options here +[mariadb] + +# This group is only read by MariaDB-{{mariadb_version}} servers. +# If you use the same .cnf file for MariaDB of different versions, +# use this group for options that older servers don't understand +[mariadb-{{mariadb_version}}] From d7389a3f0fb904fbf1d72e9a4617fb8f87b5c884 Mon Sep 17 00:00:00 2001 From: Christian Widlund <christian.widlund@gmail.com> Date: Thu, 10 Aug 2023 18:23:56 +0200 Subject: [PATCH 552/663] Update wp_cli_version to 2.8.1 (#1500) --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 8c5005924e..04fddf898a 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.8.0 +wp_cli_version: 2.8.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From fd56f62d0725423d233f97a794a57f6a0755ca30 Mon Sep 17 00:00:00 2001 
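Review bot: `bind-address = 127.0.0.1` is hard-coded with no variable and no comment saying the loopback-only binding is deliberate, while the whole SSL/TLS block further down (`#ssl-ca`, `#ssl-cert`, `#ssl-key`, `#require-secure-transport = on`) ships commented out. Someone tuning this file for a multi-host layout could widen the bind address without also enabling transport security, so a comment above the directive such as `# Loopback only on purpose: if this is changed to a routable address, enable the SSL/TLS settings below and restrict the port at the firewall.` would state the intended posture. Separately, `expire_logs_days = 10` is the only binlog directive left active although the defaults hunk shows `mysql_binary_logging_disabled: true`; it is harmless with `#log_bin` commented out, but a one-line comment tying it to that variable would avoid the question on the next read.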
From: Joshua Fredrickson <joshua@orangepineapple.com> Date: Tue, 22 Aug 2023 09:19:36 -0500 Subject: [PATCH 553/663] Update documentation link (#1502) --- roles/deploy/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 3ac82c415f..a2f2247f26 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -65,7 +65,7 @@ project_upload_path: "{{ project.upload_path | default('app/uploads') }}" # Deploy hooks -# For list of hooks and explanation, see https://roots.io/trellis/docs/deploys/#hooks +# For list of hooks and explanation, see https://roots.io/trellis/docs/deployments/#hooks deploy_build_before: - "{{ playbook_dir }}/deploy-hooks/build-before.yml" From c7951a66f5e7fff06c037ae43a14edd1411abadc Mon Sep 17 00:00:00 2001 From: Henning Orth <mail@e-vance.net> Date: Thu, 21 Sep 2023 16:27:31 +0200 Subject: [PATCH 554/663] Enable PHP OPCache overwrites for `max_wasted_percentage` & `huge_code_pages` (#1503) * Set defaults for `max_wasted_percentage` & `huge_code_pages` * Enable overwrites for `max_wasted_percentage` & `huge_code_pages` --- roles/php/defaults/main.yml | 2 ++ roles/php/templates/php-fpm.ini.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 31cd8a096f..bde3e6b71b 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -31,6 +31,8 @@ php_opcache_max_accelerated_files: 4000 php_opcache_memory_consumption: 128 php_opcache_revalidate_freq: 60 php_opcache_validate_timestamps: 1 +php_opcache_max_wasted_percentage: 5 +php_opcache_huge_code_pages: 0 php_fpm_set_emergency_restart_threshold: false php_fpm_emergency_restart_threshold: 0 diff --git a/roles/php/templates/php-fpm.ini.j2 b/roles/php/templates/php-fpm.ini.j2 index 4638a4ee23..c3a6cc0dc6 100644 --- a/roles/php/templates/php-fpm.ini.j2 +++ b/roles/php/templates/php-fpm.ini.j2 
@@ -31,3 +31,5 @@ opcache.validate_timestamps = {{ php_opcache_validate_timestamps }} opcache.enable_file_override = {{ php_opcache_enable_file_override }} opcache.revalidate_freq = {{ php_opcache_revalidate_freq }} opcache.fast_shutdown = {{ php_opcache_fast_shutdown }} +opcache.max_wasted_percentage = {{ php_opcache_max_wasted_percentage }} +opcache.huge_code_pages = {{ php_opcache_huge_code_pages }} From ef2de218d5cd6fc2a8a57f8eedff8df5f96331ea Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Wed, 27 Sep 2023 10:11:03 -0500 Subject: [PATCH 555/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1dcab66338..ee575eff27 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="120" height="90"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="120" height="90"></a> <a href="https://www.freave.com/"><img 
src="https://cdn.roots.io/app/uploads/freave.svg" alt="Freave" width="120" height="90"></a> </div> ## Overview From 725402ec1c9c668fd8e74582ffa8c1569b28cf51 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Tue, 3 Oct 2023 05:08:04 +0200 Subject: [PATCH 556/663] Add `cron` to default `apt` packages (#1506) --- roles/common/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 2ba0cb8252..1b098c4fdc 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -22,6 +22,7 @@ site_keys_by_env_pair: "[ apt_packages_default: build-essential: "{{ apt_package_state }}" + cron: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" ghostscript: "{{ apt_package_state }}" From f692b33cd01a7b35fe35af54084a0ed56f39ac71 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Tue, 10 Oct 2023 19:26:32 -0500 Subject: [PATCH 557/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ee575eff27..fe91d3852a 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="120" height="90"></a> <a href="https://www.freave.com/"><img src="https://cdn.roots.io/app/uploads/freave.svg" alt="Freave" width="120" height="90"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="120" height="90"></a> <a href="https://www.freave.com/"><img 
src="https://cdn.roots.io/app/uploads/freave.svg" alt="Freave" width="120" height="90"></a> </div> ## Overview From 4e13d8d8ffc3cddef22013e57cda3a37383a59e0 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Wed, 25 Oct 2023 10:40:42 -0500 Subject: [PATCH 558/663] Update `wp_cli_version` to 2.9.0 (#1508) --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 04fddf898a..205c81de25 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.8.1 +wp_cli_version: 2.9.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From ff74ca205e235382ca7b8fdf2f84ed18a5bf9e8b Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Thu, 16 Nov 2023 01:43:02 +0100 Subject: [PATCH 559/663] Add PHP JIT and enable it by default (#1505) --- roles/php/defaults/main.yml | 2 ++ roles/php/tasks/main.yml | 7 +++++++ roles/php/templates/10-opcache.ini.j2 | 6 ++++++ roles/php/templates/php-fpm.ini.j2 | 1 + 4 files changed, 16 insertions(+) create mode 100644 roles/php/templates/10-opcache.ini.j2 diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index bde3e6b71b..2b150021ed 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -33,6 +33,8 @@ php_opcache_revalidate_freq: 60 php_opcache_validate_timestamps: 1 php_opcache_max_wasted_percentage: 5 php_opcache_huge_code_pages: 0 +php_opcache_jit: 'tracing' +php_opcache_jit_buffer_size: 256M php_fpm_set_emergency_restart_threshold: false php_fpm_emergency_restart_threshold: 0 
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 9606170c88..107a102047 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -61,6 +61,13 @@ dest: /etc/php/{{ php_version }}/cli/php.ini mode: '0644' +- name: Copy 10-opcache.ini configuration file + template: + src: 10-opcache.ini.j2 + dest: /etc/php/{{ php_version }}/fpm/conf.d/10-opcache.ini + mode: '0644' + notify: reload php-fpm + - name: Change ImageMagick policy.xml to allow for PDFs replace: path: /etc/ImageMagick-6/policy.xml diff --git a/roles/php/templates/10-opcache.ini.j2 b/roles/php/templates/10-opcache.ini.j2 new file mode 100644 index 0000000000..5f5f74edb7 --- /dev/null +++ b/roles/php/templates/10-opcache.ini.j2 @@ -0,0 +1,6 @@ +; {{ ansible_managed }} + +; configuration for php opcache module +; priority=10 +zend_extension=opcache.so +opcache.jit={{ php_opcache_jit }} diff --git a/roles/php/templates/php-fpm.ini.j2 b/roles/php/templates/php-fpm.ini.j2 index c3a6cc0dc6..d07cfc9b62 100644 --- a/roles/php/templates/php-fpm.ini.j2 +++ b/roles/php/templates/php-fpm.ini.j2 @@ -33,3 +33,4 @@ opcache.revalidate_freq = {{ php_opcache_revalidate_freq }} opcache.fast_shutdown = {{ php_opcache_fast_shutdown }} opcache.max_wasted_percentage = {{ php_opcache_max_wasted_percentage }} opcache.huge_code_pages = {{ php_opcache_huge_code_pages }} +opcache.jit_buffer_size = {{ php_opcache_jit_buffer_size }} From 1ef1c2f0d93ea4dec2d130ce4ad86ec068b57ea6 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Thu, 7 Dec 2023 10:54:01 -0600 Subject: [PATCH 560/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fe91d3852a..124917af5c 100644 --- a/README.md +++ b/README.md 
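Review bot: The two JIT directives end up in different files: `opcache.jit` goes into the new `fpm/conf.d/10-opcache.ini`, while `opcache.jit_buffer_size` (the value that actually enables the JIT when non-zero) is appended to `php-fpm.ini.j2`, and neither reaches the CLI php.ini templated by the task just above the new one, so the JIT is FPM-only. Keeping both `opcache.jit` and `opcache.jit_buffer_size` in one template and naming the task for its scope, e.g. `Copy 10-opcache.ini configuration file (PHP-FPM only)`, would make that explicit, and a comment in roles/php/defaults/main.yml such as `# Set php_opcache_jit_buffer_size to 0 to disable the JIT` documents the opt-out for small hosts. On Debian-family PHP packaging `conf.d/10-opcache.ini` is presumably a symlink managed by phpenmod, which `template` would replace with a regular file; worth confirming on a target host.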
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="120" height="90"></a> <a href="https://www.freave.com/"><img src="https://cdn.roots.io/app/uploads/freave.svg" alt="Freave" width="120" height="90"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.freave.com/"><img src="https://cdn.roots.io/app/uploads/freave.svg" alt="Freave" width="120" height="90"></a> </div> ## Overview From 36c8491cdd813bba19853e8d2976cb4690d2c116 Mon Sep 17 00:00:00 2001 
From: Ben Word <ben@benword.com> Date: Mon, 11 Dec 2023 10:47:11 -0600 Subject: [PATCH 561/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 124917af5c..fe91d3852a 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.freave.com/"><img src="https://cdn.roots.io/app/uploads/freave.svg" alt="Freave" width="120" height="90"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="120" height="90"></a> <a href="https://www.freave.com/"><img src="https://cdn.roots.io/app/uploads/freave.svg" alt="Freave" width="120" height="90"></a> </div> ## Overview From 0b1fff7a223671a1fdc1ea34f00531576202d6cf Mon Sep 17 00:00:00 2001 
From: Ben Word <ben@benword.com> Date: Thu, 4 Apr 2024 09:17:30 -0500 Subject: [PATCH 562/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fe91d3852a..1b0402d8cd 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.copiadigital.com/"><img src="https://cdn.roots.io/app/uploads/copia-digital.svg" alt="Copia Digital" width="120" height="90"></a> <a href="https://www.freave.com/"><img src="https://cdn.roots.io/app/uploads/freave.svg" alt="Freave" width="120" height="90"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> </div> ## Overview From d0c75a99a732239967ab10ea18efbd0fd01c91bc Mon Sep 17 00:00:00 2001 
From: Ben Word <ben@benword.com> Date: Fri, 19 Apr 2024 09:23:03 -0500 Subject: [PATCH 563/663] =?UTF-8?q?=F0=9F=94=A7=20Default=20to=20PHP=208.2?= =?UTF-8?q?,=20add=20PHP=208.3=20support=20(#1514)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔧 Default to PHP 8.2 * 🔧 Add PHP 8.3 support --- group_vars/all/main.yml | 2 +- roles/php/vars/8.3.yml | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 roles/php/vars/8.3.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 08700ee18d..77a89e973d 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -3,7 +3,7 @@ apt_package_state: present apt_security_package_state: latest apt_dev_package_state: latest composer_keep_updated: true -php_version: "8.1" +php_version: "8.2" ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www diff --git a/roles/php/vars/8.3.yml b/roles/php/vars/8.3.yml new file mode 100644 index 0000000000..557f9726a5 --- /dev/null +++ b/roles/php/vars/8.3.yml @@ -0,0 +1,18 @@ +php_extensions_default: + php8.3-bcmath: "{{ apt_package_state }}" + php8.3-cli: "{{ apt_package_state }}" + php8.3-curl: "{{ apt_package_state }}" + php8.3-dev: "{{ apt_package_state }}" + php8.3-fpm: "{{ apt_package_state }}" + php8.3-imagick: "{{ apt_package_state }}" + php8.3-intl: "{{ apt_package_state }}" + php8.3-mbstring: "{{ apt_package_state }}" + php8.3-mysql: "{{ apt_package_state }}" + php8.3-xml: "{{ apt_package_state }}" + php8.3-xmlrpc: "{{ apt_package_state }}" + php8.3-zip: "{{ apt_package_state }}" + +php_memcached_packages: + php8.3-memcached: "{{ apt_package_state }}" + +php_xdebug_package: php8.3-xdebug From 801a825a3824996981f5b79a601ecc4553fb678f Mon Sep 17 00:00:00 2001 
From: Ben Word <ben@benword.com> Date: Tue, 23 Apr 2024 09:51:44 -0500 Subject: [PATCH 564/663] =?UTF-8?q?=F0=9F=90=9B=20Fix=20MariaDB=20apt-key?= =?UTF-8?q?=20is=20deprecated=20failure=20(#1515)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🐛 Fix MariaDB apt-key is deprecated failure * Use apt_repository * Use apt_key module --------- Co-authored-by: Scott Walkinshaw <scott.walkinshaw@gmail.com> --- roles/mariadb/defaults/main.yml | 2 -- roles/mariadb/tasks/main.yml | 23 +++++++++++------------ 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 12a81ad2af..4ec8d0b364 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,4 @@ mariadb_version: 10.6 -mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" -mariadb_keyserver_id: "0xF1656F24C74CD1D8" mariadb_ppa: "deb https://mirror.rackspace.com/mariadb/repo/{{ mariadb_version }}/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index de3b9fb072..58d8ea1717 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
@@ -1,24 +1,23 @@ --- -- block: - - name: Add MariaDB APT key - apt_key: - keyserver: "{{ mariadb_keyserver }}" - id: "{{ mariadb_keyserver_id }}" +- name: Add an Apt signing key, uses whichever key is at the URL + ansible.builtin.apt_key: + url: "https://mariadb.org/mariadb_release_signing_key.asc" + state: present - - name: Add MariaDB PPA - apt_repository: - repo: "{{ mariadb_ppa }}" - update_cache: yes +- name: Add MariaDB PPA + apt_repository: + repo: "{{ mariadb_ppa }}" + update_cache: yes - name: Install MySQL client - apt: + ansible.builtin.apt: name: "{{ mariadb_client_package }}" state: "{{ mariadb_client_package_state | default(apt_package_state) }}" - cache_valid_time: "{{ apt_cache_valid_time }}" + update_cache: true - block: - name: Install MySQL server - apt: + ansible.builtin.apt: name: "{{ mariadb_server_package }}" state: "{{ mariadb_server_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" From b791d54e8f6c9dcc5a909a51d9368136cf04f455 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Wed, 24 Apr 2024 12:51:06 -0500 Subject: [PATCH 565/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20CHANGELOG=20[ci?= =?UTF-8?q?=20skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3cd552c6d8..3b0674453c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
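Review bot: The new `ansible.builtin.apt_key` task trusts whichever key happens to be served at the URL (its own name says so), whereas the task it replaces pinned the key via `mariadb_keyserver_id`; keep an `id:` next to `url:` so the module verifies that the expected key was imported and check mode reports correctly, e.g. `id: "0xF1656F24C74CD1D8"` — the value removed in the defaults hunk, if that is still the key published at that URL (confirm against the file). The Nginx key task in PATCH 566 (`roles/nginx/tasks/main.yml`, `@@ -1,8 +1,8 @@`) has the same shape and dropped `nginx_keyserver_id` the same way. Since `apt-key` itself is deprecated, the durable fix is to `get_url` the key into `/etc/apt/keyrings/` and add `signed-by=` to `mariadb_ppa`, which scopes the key to this repository instead of the global trusted keyring. Note also that the client install swapped `cache_valid_time` for `update_cache: true`, forcing an `apt update` on every run, while the server install just below still uses `cache_valid_time` — pick one.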
@@ -1,3 +1,18 @@ +### 1.22.0: April 24th, 2024 +* Fix MariaDB apt-key is deprecated failure [#1515](https://github.com/roots/trellis/pull/1515) +* Default to PHP 8.2, add PHP 8.3 support [#1514](https://github.com/roots/trellis/pull/1514) +* Add PHP JIT and enable it by default [#1505](https://github.com/roots/trellis/pull/1505) +* Update wp_cli_version to 2.9.0 [#1508](https://github.com/roots/trellis/pull/1508) +* Add `cron` to default `apt` packages [#1506](https://github.com/roots/trellis/pull/1506) +* Enable PHP OPCache overwrites for `max_wasted_percentage` & `huge_code_pages` [#1503](https://github.com/roots/trellis/pull/1503) +* Add MariaDB server config for optimizatons [#1497](https://github.com/roots/trellis/pull/1497) +* Add PHP-FPM conf and tuning settings [#1496](https://github.com/roots/trellis/pull/1496) +* CLI config updates [#1486](https://github.com/roots/trellis/pull/1486) +* Update Bitbucket Cloud SSH Host Keys [#1492](https://github.com/roots/trellis/pull/1492) +* Add Libvirt to the Vagrant config file [#1490](https://github.com/roots/trellis/pull/1490) + +**Full Changelog**: https://github.com/roots/trellis/compare/v1.21.0...v1.22.0 + ### 1.21.0: April 5th, 2023 * Add optional PHP 8.2 support [#1485](https://github.com/roots/trellis/pull/1485) * Default to PHP 8.1 [#1484](https://github.com/roots/trellis/pull/1484) From a0851567025d8a9e35eb222d6ef392ac0312e974 Mon Sep 17 00:00:00 2001 From: Toine Kamps <toinekamps@gmail.com> Date: Thu, 30 May 2024 18:33:57 +0200 Subject: [PATCH 566/663] Fix Nginx apt-key is deprecated failure (#1518) --- roles/nginx/defaults/main.yml | 2 -- roles/nginx/tasks/main.yml | 10 +++++----- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 69433b33fb..57b9fb2187 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml 
@@ -1,6 +1,4 @@ --- -nginx_keyserver: "https://nginx.org/keys/nginx_signing.key" -nginx_keyserver_id: "ABF5BD827BD9BF62" nginx_ppa: "deb http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" nginx_package: nginx nginx_conf: nginx.conf.j2 diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index c0748a2117..8b8641826d 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -1,8 +1,8 @@ --- - name: Add Nginx APT key - apt_key: - keyserver: "{{ nginx_keyserver }}" - id: "{{ nginx_keyserver_id }}" + ansible.builtin.apt_key: + url: "https://nginx.org/keys/nginx_signing.key" + state: present - name: Add Nginx PPA apt_repository: @@ -10,10 +10,10 @@ update_cache: yes - name: Install Nginx - apt: + ansible.builtin.apt: name: "{{ nginx_package }}" state: "{{ nginx_package_state | default(apt_package_state) }}" - cache_valid_time: "{{ apt_cache_valid_time }}" + update_cache: true - name: Ensure site directories exist file: From daf531f2fb94394ce658f5d441a7e48eaa14e20e Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Thu, 30 May 2024 14:07:19 -0500 Subject: [PATCH 567/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20CHANGELOG=20[ci?= =?UTF-8?q?=20skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b0674453c..c035df9bb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### 1.22.1: May 30th, 2024 +* Fix Nginx apt-key is deprecated failure [#1518](https://github.com/roots/trellis/pull/1518) + ### 1.22.0: April 24th, 2024 * Fix MariaDB apt-key is deprecated failure [#1515](https://github.com/roots/trellis/pull/1515) * Default to PHP 8.2, add PHP 8.3 support [#1514](https://github.com/roots/trellis/pull/1514) From fb1812d0e50138b872bf8bb28ad6bbfdf36f9f19 Mon Sep 17 00:00:00 2001 
From: Ben Word <ben@benword.com> Date: Thu, 30 May 2024 17:25:52 -0500 Subject: [PATCH 568/663] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Update=20MariaDB?= =?UTF-8?q?=20to=2010.11=20(#1520)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/mariadb/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 4ec8d0b364..3aa0af0969 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,4 +1,4 @@ -mariadb_version: 10.6 +mariadb_version: 10.11 mariadb_ppa: "deb https://mirror.rackspace.com/mariadb/repo/{{ mariadb_version }}/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client From db7341f999c4db1d590ede0554a1a623123a7c93 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sun, 2 Jun 2024 15:27:17 -0500 Subject: [PATCH 569/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1b0402d8cd..c3089ee80b 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> </div> ## Overview From c46ae4f5a1339c6c89d08565ef70847697a7e74b Mon Sep 17 00:00:00 2001 From: Johan <12563436+Dyras@users.noreply.github.com> Date: Mon, 10 Jun 2024 15:38:53 +0200 Subject: [PATCH 570/663] Fix typo in all/vault.yml (#1522) --- group_vars/all/vault.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index fc11d9d9c2..d46f2cc6f4 100644 --- a/group_vars/all/vault.yml 
+++ b/group_vars/all/vault.yml @@ -2,7 +2,7 @@ vault_mail_password: smtp_password # Variables to accompany `wordpress_env_defaults` in `group_vars/all/helpers.yml` -# Note: These values can be overriden by `vault_wordpress_sites.*.env` +# Note: These values can be overridden by `vault_wordpress_sites.*.env` # # vault_wordpress_env_defaults: # my_api_key: 'available to all environments' From 80a491ed526b944a4af620b491476c8e7d221078 Mon Sep 17 00:00:00 2001 From: 1dkfa <37644682+1dkfa@users.noreply.github.com> Date: Thu, 13 Jun 2024 20:00:31 +0300 Subject: [PATCH 571/663] =?UTF-8?q?=F0=9F=90=9B=20Fix=20undefined=20method?= =?UTF-8?q?=20`exists=3F`=20error=20(#1524)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes an error where `trellis up` or `vagrant up` would fail in machines running Ruby on version 3.2 or higher due to the usage of a removed method. --- lib/trellis/vagrant.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index ef3c6bd13a..31ae27449a 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -105,7 +105,7 @@ def update_ssh_config(main_hostname) config_file = File.expand_path('~/.ssh/config') vagrant_ssh_config = `vagrant ssh-config --host #{main_hostname}`.chomp - if File.exists?(config_file) + if File.exist?(config_file) FileUtils.cp(config_file, "#{config_file}.trellis_backup") ssh_config = File.read(config_file) From fbd8b41f5035d394b0451802700991dd4ca19494 Mon Sep 17 00:00:00 2001 From: Adam Leviton <adam@adamleviton.com> Date: Thu, 4 Jul 2024 12:03:14 -0400 Subject: [PATCH 572/663] prevent warnings running composer as root (#1527) --- roles/wordpress-install/tasks/composer-authentications.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 07fd9a17af..217fe2a248 100644 
--- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -19,6 +19,7 @@ command: config arguments: --auth bitbucket-oauth.{{ item.hostname | quote }} {{ item.consumer_key | quote }} {{ item.consumer_secret | quote }} working_dir: "{{ working_dir }}" + become: no no_log: true changed_when: false when: @@ -34,6 +35,7 @@ command: config arguments: --auth {{ item.type | quote }}.{{ item.hostname | quote }} {{ item.token | quote }} working_dir: "{{ working_dir }}" + become: no no_log: true changed_when: false when: From ab4226b8f9509f7570580892c2210bbbda9e3db7 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Tue, 23 Jul 2024 22:16:00 +0200 Subject: [PATCH 573/663] Use `http2` and `http3` `nginx` directives (#1529) * Use `http2` directive in nginx wordpress site template. Add `http2_enabled` configuration. * Use `http3` directive in nginx wordpress site template. Add `http3_enabled` configuration. * Prefix `http2_enabled` and `http3_enabled` options with `nginx_`. --- roles/wordpress-setup/defaults/main.yml | 3 +++ .../wordpress-setup/templates/wordpress-site.conf.j2 | 12 ++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index e8e6d91959..77140141d4 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -7,6 +7,9 @@ nginx_sites_confs: - src: ssl.no-default.conf.j2 enabled: false +nginx_http2_enabled: true +nginx_http3_enabled: false + # HSTS defaults nginx_hsts_max_age: 31536000 nginx_hsts_include_subdomains: false diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index b436c857d4..95b406439a 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
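Review bot: `become: no` in both composer `config` tasks (this hunk and `@@ -34,6 +35,7 @@`) is the YAML 1.1 truthy spelling, while the adjacent `no_log: true` already uses the canonical form; write `become: false` so yamllint's `truthy` rule and readers agree on the type. The enclosing tasks start outside the hunks, so the `become` default being overridden is not visible here; a one-line comment such as `# run as the deploy user so composer writes to its own COMPOSER_HOME and does not warn about running as root` would record why privilege escalation is switched off for these two tasks only.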
@@ -4,8 +4,10 @@ server { {% block server_id -%} - listen {{ ssl_enabled | ternary('[::]:443 ssl http2', '[::]:80') }}; - listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; + listen {{ ssl_enabled | ternary('[::]:443 ssl', '[::]:80') }}; + listen {{ ssl_enabled | ternary('443 ssl', '80') }}; + http2 {{ nginx_http2_enabled | default(false) | ternary('on', 'off') }}; + http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }}; server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }}; {% endblock %} @@ -290,11 +292,13 @@ server { {% for host in item.value.site_hosts if host.redirects | default([]) %} server { {% if ssl_enabled -%} - listen [::]:443 ssl http2; - listen 443 ssl http2; + listen [::]:443 ssl; + listen 443 ssl; {% endif -%} listen [::]:80; listen 80; + http2 {{ nginx_http2_enabled | default(false) | ternary('on', 'off') }}; + http3 {{ nginx_http3_enabled | default(false) | ternary('on', 'off') }}; server_name {{ host.redirects | join(' ') }}; {{ self.https() -}} From b9eb66fe91ca19aaf43badaf2092cc5d194b74a7 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Tue, 30 Jul 2024 09:01:51 -0500 Subject: [PATCH 574/663] =?UTF-8?q?=E2=9C=A8=20Ubuntu=2024.04=20support=20?= =?UTF-8?q?(#1519)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update boxes to Ubuntu 24.04 * Update CHANGELOG [ci skip] * build * 🩹 Create /run/sshd directory to avoid error * Update roles/sshd/tasks/main.yml Co-authored-by: Scott Walkinshaw <scott.walkinshaw@gmail.com> --------- Co-authored-by: Scott Walkinshaw <scott.walkinshaw@gmail.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/integration.yml | 2 +- CHANGELOG.md | 4 ++++ Vagrantfile | 9 +-------- roles/sshd/tasks/main.yml | 5 +++++ vagrant.default.yml | 5 ++--- 6 files changed, 14 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f2cf0b2e27..f1145e78eb 100644 
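Review bot: `http3 {{ nginx_http3_enabled | ... }}` only toggles the HTTP/3 code path; nginx serves QUIC solely from a `listen ... quic` socket, so with `nginx_http3_enabled: true` nothing listens on UDP/443 and browsers are never told about it (no `Alt-Svc` header) — as added, the option is a no-op, and on an nginx built without the v3 module the directive is a hard config error. Either gate `listen [::]:443 quic;` / `listen 443 quic;` on `nginx_http3_enabled` beside the `ssl` listens in both `server` blocks (plus a UDP/443 firewall rule), or document in the `roles/wordpress-setup/defaults/main.yml` hunk of this patch that `nginx_http3_enabled` is experimental and needs those additions. The `http2`/`http3` directives also exist only from nginx 1.25.1, so users who override `nginx_ppa` to the stable channel will hit an unknown-directive error; a comment on the two new defaults stating the minimum version would save that debugging. Both `server` blocks continue outside the hunks.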
--- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ on: jobs: test: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 strategy: matrix: python-version: ['3.x'] diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 45e3434b14..22bd4601e1 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -11,7 +11,7 @@ on: jobs: test: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - run: mkdir $HOME/.ssh - name: Remove and cleanup mysql diff --git a/CHANGELOG.md b/CHANGELOG.md index c035df9bb0..bd2ad84e53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +### HEAD +* Update boxes to Ubuntu 24.04 [#1519](https://github.com/roots/trellis/pull/1519) +* Update MariaDB to 10.11 [#1520](https://github.com/roots/trellis/pull/1520) + ### 1.22.1: May 30th, 2024 * Fix Nginx apt-key is deprecated failure [#1518](https://github.com/roots/trellis/pull/1518) diff --git a/Vagrantfile b/Vagrantfile index 4997060552..9de3bd4be4 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -19,14 +19,7 @@ trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) Vagrant.require_version vconfig.fetch('vagrant_require_version', '>= 2.1.0') Vagrant.configure('2') do |config| - box = vconfig.fetch('vagrant_box') - box_auto_arch = vconfig.fetch('vagrant_box_auto_arch', true) - - if box_auto_arch && !box.end_with?("-arm64") && apple_silicon? - box = "#{box}-arm64" - end - - config.vm.box = box + config.vm.box = vconfig.fetch('vagrant_box') config.vm.box_version = vconfig.fetch('vagrant_box_version') config.ssh.forward_agent = true config.vm.post_up_message = post_up_message diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 4dc76960e5..8034fed796 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml 
@@ -9,6 +9,11 @@ label: "{{ item.key }}" notify: restart ssh +- name: Create the /run/sshd directory + file: + path: /run/sshd + state: directory + - name: Create a secure sshd_config template: src: "{{ sshd_config }}" diff --git a/vagrant.default.yml b/vagrant.default.yml index 0adc557981..ee4f54e931 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -2,14 +2,13 @@ vagrant_ip: '192.168.56.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB -vagrant_box: 'bento/ubuntu-22.04' +vagrant_box: 'bento/ubuntu-24.04' vagrant_box_version: '>= 0' -vagrant_box_auto_arch: true vagrant_ansible_version: '2.10.7' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' vagrant_nfs_udp: false -vagrant_require_version: '>= 2.1.0' +vagrant_require_version: '>= 2.4.0' vagrant_install_plugins: true vagrant_plugins: From 68a9de2d795dd65e0b1ad7ba2b4e8b498584c790 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sun, 11 Aug 2024 12:53:50 -0500 Subject: [PATCH 575/663] =?UTF-8?q?=F0=9F=91=B7=20Update=20Renovate=20conf?= =?UTF-8?q?ig=20-=20Ref=20#1423?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/renovate.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/renovate.json b/.github/renovate.json index f0a7a9ad79..d583c12a17 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -1,4 +1,9 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "enabledManagers": ["ansible-galaxy"] + "extends": [ + "config:base" + ], + "ansible-galaxy": { + "enabled": true + } } From 85b4e0969166ab19277c8d1ac55a808928968399 Mon Sep 17 00:00:00 2001 
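Review bot: The new `file` task creating `/run/sshd` sets no `owner`, `group` or `mode`; sshd refuses to start when its privilege-separation directory is not root-owned or is group/world-writable, and leaving that to the remote umask makes the requirement implicit — add `owner: root`, `group: root` and `mode: "0755"` under `path:`. `/run` is a tmpfs, so the directory vanishes on reboot; on Ubuntu the ssh unit normally recreates it itself (worth confirming on 24.04), which suggests this task exists for the first-boot ordering before the service has started, presumably so the config step that follows the hunk can validate — a comment such as `# sshd needs its privilege-separation dir before the config is validated; the service recreates it after reboot` would tell the next reader why it is here.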
From: Ben Word <ben@benword.com> Date: Sun, 11 Aug 2024 13:06:58 -0500 Subject: [PATCH 576/663] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Update=20WP-CLI=20?= =?UTF-8?q?to=20v2.11.0=20(#1533)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://make.wordpress.org/cli/2024/08/08/wp-cli-v2-11-0-release-notes/ --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 205c81de25..62c58cfb21 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.9.0 +wp_cli_version: 2.11.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From aece810f817cce6416c61ea4d36cd9405818d900 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sun, 11 Aug 2024 14:53:26 -0500 Subject: [PATCH 577/663] =?UTF-8?q?=F0=9F=91=B7=20Use=20Renovate=20for=20A?= =?UTF-8?q?nsible=20Galaxy=20roles=20(#1537)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 👷 Use Renovate for Ansible Galaxy roles * this is fucking ridiculous --- .github/renovate.json | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/.github/renovate.json b/.github/renovate.json index d583c12a17..d4f07254d5 100644 --- a/.github/renovate.json +++ b/.github/renovate.json 
@@ -1,9 +1,18 @@ { "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ - "config:base" + "extends": ["config:base"], + "customManagers": [ + { + "customType": "regex", + "fileMatch": ["^galaxy\\.ya?ml$"], + "matchStrings": [ + "- name: (?<depName>[^\\n]+)\\n\\s+src: (?<packageName>[^\\n]+)\\n\\s+version: (?<currentValue>[^\\n]+)" + ], + "datasourceTemplate": "galaxy", + "versioningTemplate": "loose" + } ], - "ansible-galaxy": { + "github-actions": { "enabled": true } } From 72ab6d9d32e2f4f8ce546b5d38bc80abc52e1f4e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 18:05:38 -0400 Subject: [PATCH 578/663] Update actions/cache action to v4 (#1534) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f1145e78eb..dba8169472 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -23,7 +23,7 @@ jobs: architecture: x64 cache: 'pip' - run: pip install -r requirements.txt - - uses: actions/cache@v2 + - uses: actions/cache@v4 with: path: vendor key: ${{ runner.os }}-galaxy-${{ hashFiles('galaxy.yml') }} From ebf54d1bb5a0b25e0b679632d3e8faf817ad9bab Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 18:05:53 -0400 Subject: [PATCH 579/663] Update actions/checkout action to v4 (#1535) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/integration.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index dba8169472..bb8abbf8cd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
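Review bot: `"extends": ["config:base"]` is the legacy name of Renovate's recommended preset; the current name is `config:recommended` (the alias still resolves, so this is housekeeping): `"extends": ["config:recommended"]`. In the regex manager, `(?<currentValue>[^\\n]+)` captures any trailing whitespace on the `version:` line into `currentValue`, which would make the datasource lookup for that role fail quietly; `\\S+` for the three capture groups avoids that. The pattern also requires the `name`/`src`/`version` keys in exactly that order with nothing between them, which matches today's `galaxy.yml` but is worth a comment next to `matchStrings` so a reordered entry is not silently skipped.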
@@ -16,7 +16,7 @@ jobs: matrix: python-version: ['3.x'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 22bd4601e1..c0089baf7e 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -25,7 +25,7 @@ jobs: sudo apt-get remove --purge nginx* sudo apt-get autoremove sudo apt-get autoclean - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - uses: actions/setup-python@v4 From 116764377372f51f7056016276664cb232944620 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 18:06:11 -0400 Subject: [PATCH 580/663] Update dependency composer to v1.9.2 (#1539) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index bc15459979..ed775fd5ce 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -2,7 +2,7 @@ roles: - name: composer src: geerlingguy.composer - version: 1.9.0 + version: 1.9.2 - name: ntp src: geerlingguy.ntp From 69cab1ed313db5af8cbb1d17f3fc9949b99e9bc0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 18:06:22 -0400 Subject: [PATCH 581/663] Update dependency swapfile to v2.0.38 (#1540) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index ed775fd5ce..74bb5f170f 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -14,7 +14,7 @@ roles: - name: swapfile src: oefenweb.swapfile - version: v2.0.36 + version: v2.0.38 - name: mailpit src: roots.mailpit From c1f1162481acae46ebf6be7d0d2e8da657cf3cad Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 20:06:51 -0400 Subject: [PATCH 582/663] Update actions/setup-python action to v5 (#1538) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/integration.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bb8abbf8cd..65f6a7b2bc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: python-version: ['3.x'] steps: - uses: actions/checkout@v4 - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} architecture: x64 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index c0089baf7e..323f87c54b 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/setup-python@v4 + - uses: actions/setup-python@v5 with: python-version: '3.9' - uses: ./.github/actions/setup-step-ca From c1a8ec484c7698ea764e96a98087ee9c39387f29 Mon Sep 17 00:00:00 2001 From: Augusto Bennemann <augusto@augusto.dev> Date: Fri, 16 Aug 2024 13:03:48 -0300 Subject: [PATCH 583/663] Fix broken local development docs URL (#1543) * Fix broken URL * Update wordpress_sites.yml --------- Co-authored-by: Ben Word <ben@benword.com> --- group_vars/development/wordpress_sites.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml index 4a9f1d6f3b..4aad97a561 100644 --- a/group_vars/development/wordpress_sites.yml +++ b/group_vars/development/wordpress_sites.yml 
@@ -1,5 +1,5 @@ -# Documentation: https://roots.io/trellis/docs/local-development-setup/ -# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites +# Documentation: https://roots.io/trellis/docs/local-development/ +# `wordpress_sites` options: https://roots.io/trellis/docs/wordpress-sites/ # Define accompanying passwords/secrets in group_vars/development/vault.yml wordpress_sites: From a44d6872e1975cd583b711c2c753cf90cda8cbca Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 18 Aug 2024 18:23:53 -0400 Subject: [PATCH 584/663] Update dependency ntp to v2.5.0 (#1541) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 74bb5f170f..5a869fa7c2 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -6,7 +6,7 @@ roles: - name: ntp src: geerlingguy.ntp - version: 2.3.1 + version: 2.5.0 - name: logrotate src: nickhammond.logrotate From 1e505b335da384ef7f9758bf57d1ffc85df54461 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Mon, 19 Aug 2024 00:29:39 +0200 Subject: [PATCH 585/663] Conditionally add HTTPS inbound allow firewall rule (#1530) Add code to conditionally add HTTPS inbound allow firewall rule. Use `delete` parameter for toggling https firewall allow rule based on if any sites don't use SSL. --- group_vars/all/security.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml index bac2bbb098..57c2bcdd7d 100644 --- a/group_vars/all/security.yml +++ b/group_vars/all/security.yml @@ -2,8 +2,12 @@ ferm_input_list: - type: dport_accept - dport: [http, https] + dport: [http] filename: nginx_accept + - type: dport_accept + dport: [https] + filename: nginx_accept_https + delete: "{{ not (sites_use_ssl | bool) }}" - type: dport_accept dport: [ssh] saddr: "{{ ip_whitelist }}" 
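Review bot: The new `delete:` toggle on the `nginx_accept_https` entry ties the HTTPS allow rule to `sites_use_ssl`, but nothing in the file says where that helper comes from or that the rule is removed again once no site has `ssl.enabled`; a comment above the entry, `# Opened only while at least one site has ssl.enabled (sites_use_ssl, group_vars/all/helpers.yml); deleted otherwise`, makes the dependency visible. Whether the ferm role actually honours a `delete` key on a list entry is not visible here and is worth confirming, because an unrecognised key would leave the 443 rule state independent of the toggle. The `ferm_input_list` mapping continues past the hunk with the ssh rule.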
From ca9b648186a93e3927717ff9896c75957a5723dc Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 18 Aug 2024 18:31:03 -0400 Subject: [PATCH 586/663] Fix tags for common variable validations (#1544) Because we validate variables related to apt, php, memcached, and sshd together, the PHP variables need to be loaded for the `sshd` tag as well. --- roles/common/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index cb126400f1..cadc613586 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -46,9 +46,9 @@ paths: - "{{ playbook_dir }}/roles/php/vars/" - tags: [php, memcached] + tags: [memcached, php, sshd] -- name: Verify dict format for apt package component variables +- name: Verify dict format for package component variables fail: msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" when: package_vars_wrong_format | count @@ -63,9 +63,9 @@ sshd_packages_default: "{{ sshd_packages_default }}" sshd_packages_custom: "{{ sshd_packages_custom }}" package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" - tags: [sshd, memcached, php] + tags: [memcached, php, sshd] -- name: Verify dict format for apt package combined variables +- name: Verify dict format for package combined variables fail: msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" when: package_vars_wrong_format | count @@ -76,7 +76,7 @@ php_extensions: "{{ php_extensions }}" sshd_packages: "{{ sshd_packages }}" package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" - tags: [sshd, memcached, php] + tags: [memcached, php, sshd] - name: Validate Ubuntu version debug: From dcb581b6df71f32dbf903d7268966873a0b7fa8d Mon Sep 17 00:00:00 2001 
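Review bot: The `include_vars` task now carries the `sshd` tag only because the two validation tasks below compare `php_*` and `sshd_*` variables in one place, and that coupling is explained in the commit message but not in the file; a comment above the `tags:` line, `# Tagged sshd as well: the package-format checks below need the php_* vars loaded`, keeps a later tag cleanup from reverting it. The same reordering applies to the `tags:` lines of the two `Verify dict format` tasks in the second and third hunks. The opening lines of the `include_vars` task are outside the hunk.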
From: Augusto Bennemann <augusto@augusto.dev> Date: Mon, 19 Aug 2024 14:33:11 -0300 Subject: [PATCH 587/663] Allow overriding 'pm' in PHP-FPM's pool config (#1542) --- roles/wordpress-setup/defaults/main.yml | 1 + roles/wordpress-setup/templates/php-fpm-pool-wordpress.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 77140141d4..e654f59aa7 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -49,6 +49,7 @@ robots_tag_header: "{{ item.value.robots_tag_header | default({}) }}" robots_tag_header_enabled: "{{ robots_tag_header.enabled | default(not_prod) }}" # PHP FPM +php_fpm_pm: 'dynamic' php_fpm_pm_max_children: 10 php_fpm_pm_start_servers: 1 php_fpm_pm_min_spare_servers: 1 diff --git a/roles/wordpress-setup/templates/php-fpm-pool-wordpress.conf.j2 b/roles/wordpress-setup/templates/php-fpm-pool-wordpress.conf.j2 index 1464745633..46699c9291 100644 --- a/roles/wordpress-setup/templates/php-fpm-pool-wordpress.conf.j2 +++ b/roles/wordpress-setup/templates/php-fpm-pool-wordpress.conf.j2 @@ -6,7 +6,7 @@ listen.owner = www-data listen.group = www-data user = {{ web_user }} group = {{ web_group }} -pm = dynamic +pm = {{ php_fpm_pm }} pm.max_children = {{ php_fpm_pm_max_children }} pm.start_servers = {{ php_fpm_pm_start_servers }} pm.min_spare_servers = {{ php_fpm_pm_min_spare_servers }} From af7d98f3bb2468d3f719be883d660637155e6a67 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Mon, 19 Aug 2024 16:40:56 -0500 Subject: [PATCH 588/663] =?UTF-8?q?=F0=9F=91=B7=20Check=20and=20update=20W?= =?UTF-8?q?P-CLI=20version=20(#1545)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/wp-cli-version-check.yml | 37 ++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 .github/workflows/wp-cli-version-check.yml 
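Review bot: `php_fpm_pm: 'dynamic'` is a new free-form override with no note of the values php-fpm accepts, and the pool template still emits `pm.start_servers` and the spare-server settings unconditionally, so a reader cannot tell whether `static` or `ondemand` are meant to work here; a comment above the default, `# php-fpm pm mode: static, dynamic or ondemand; pm.start_servers and the spare-server settings below only apply to dynamic`, documents the contract. Whether php-fpm tolerates the dynamic-only keys under the other modes is not verifiable from this hunk and should be checked before the override is relied on. The quoted `'dynamic'` also differs in style from the unquoted values around it.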
diff --git a/.github/workflows/wp-cli-version-check.yml b/.github/workflows/wp-cli-version-check.yml new file mode 100644 index 0000000000..ec07cef41f --- /dev/null +++ b/.github/workflows/wp-cli-version-check.yml @@ -0,0 +1,37 @@ +name: WP-CLI version check + +on: + schedule: + - cron: '0 0 * * *' + workflow_dispatch: + +jobs: + check-wp-cli-version: + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Get latest WP-CLI version + id: get-version + run: | + LATEST_VERSION=$(curl -s https://api.github.com/repos/wp-cli/wp-cli/releases/latest | jq -r .tag_name | sed 's/^v//') + echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_OUTPUT + + - name: Update wp_cli_version + run: | + sed -i "s/wp_cli_version: .*/wp_cli_version: ${{ steps.get-version.outputs.LATEST_VERSION }}/" roles/wp-cli/defaults/main.yml + + - name: Create pull request + uses: peter-evans/create-pull-request@v6 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: Update WP-CLI version to ${{ steps.get-version.outputs.LATEST_VERSION }} + title: Update WP-CLI version to ${{ steps.get-version.outputs.LATEST_VERSION }} + body: | + This PR updates the WP-CLI version to the latest release (${{ steps.get-version.outputs.LATEST_VERSION }}). + branch: update-wp-cli-version + delete-branch: true From aa9a8bfd76b25000208da1e708702d00683580c6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 08:39:24 -0400 Subject: [PATCH 589/663] Update peter-evans/create-pull-request action to v7 (#1546) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/wp-cli-version-check.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/wp-cli-version-check.yml b/.github/workflows/wp-cli-version-check.yml index ec07cef41f..9f18e99663 100644 
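Review bot: The version pulled from the GitHub API in the `Get latest WP-CLI version` step is never validated before it is substituted into the `sed` expression and the PR title through `${{ steps.get-version.outputs.LATEST_VERSION }}`; a rate-limited or failed API response makes `jq -r .tag_name` print `null`, which the workflow would then write as `wp_cli_version: null` and open a PR for. Expression substitution into `run:` also happens before the shell parses the line, so any unexpected characters in the output become part of the command text; passing the value through `env:` and accepting only a plain `x.y.z` string removes both problems. `curl -sSf` additionally makes HTTP errors fail the pipeline instead of feeding error JSON to `jq`.
```yaml
      - name: Get latest WP-CLI version
        id: get-version
        run: |
          LATEST_VERSION=$(curl -sSf https://api.github.com/repos/wp-cli/wp-cli/releases/latest | jq -r .tag_name | sed 's/^v//')
          # Accept only a plain x.y.z version; anything else (API error, "null") aborts the job
          [[ "$LATEST_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected version: $LATEST_VERSION" >&2; exit 1; }
          echo "LATEST_VERSION=$LATEST_VERSION" >> "$GITHUB_OUTPUT"

      - name: Update wp_cli_version
        env:
          LATEST_VERSION: ${{ steps.get-version.outputs.LATEST_VERSION }}
        run: |
          sed -i "s/wp_cli_version: .*/wp_cli_version: $LATEST_VERSION/" roles/wp-cli/defaults/main.yml
      # … unchanged: checkout and create-pull-request steps …
```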
--- a/.github/workflows/wp-cli-version-check.yml +++ b/.github/workflows/wp-cli-version-check.yml @@ -26,7 +26,7 @@ jobs: sed -i "s/wp_cli_version: .*/wp_cli_version: ${{ steps.get-version.outputs.LATEST_VERSION }}/" roles/wp-cli/defaults/main.yml - name: Create pull request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@v7 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: Update WP-CLI version to ${{ steps.get-version.outputs.LATEST_VERSION }} From a5040add97ac2befc1325eb13c80ee8c96d15dc5 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Wed, 11 Sep 2024 09:44:33 -0500 Subject: [PATCH 590/663] Update CHANGELOG [ci skip] --- CHANGELOG.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd2ad84e53..2c1287cd06 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,16 @@ -### HEAD -* Update boxes to Ubuntu 24.04 [#1519](https://github.com/roots/trellis/pull/1519) +### 1.23.0: September 11th, 2024 +* Ubuntu 24.04 support [#1519](https://github.com/roots/trellis/pull/1519) * Update MariaDB to 10.11 [#1520](https://github.com/roots/trellis/pull/1520) +* Update WP-CLI to v2.11.0 [#1533](https://github.com/roots/trellis/pull/1533) +* Update dependency ntp to v2.5.0 [#1541](https://github.com/roots/trellis/pull/1541) +* Update dependency swapfile to v2.0.38 [#1540](https://github.com/roots/trellis/pull/1540) +* Update dependency composer to v1.9.2 [#1539](https://github.com/roots/trellis/pull/1539) +* Conditionally add HTTPS inbound allow firewall rule [#1530](https://github.com/roots/trellis/pull/1530) +* Use `http2` and `http3` nginx directives [#1529](https://github.com/roots/trellis/pull/1529) +* Fix tags for common variable validations [#1544](https://github.com/roots/trellis/pull/1544) +* Allow overriding 'pm' in PHP-FPM's pool config [#1542](https://github.com/roots/trellis/pull/1542) +* Prevent warnings running composer as root [#1527](https://github.com/roots/trellis/pull/1527) +* Fix undefined method `exists?` error [#1524](https://github.com/roots/trellis/pull/1524) ### 1.22.1: May 30th, 2024 * Fix Nginx apt-key is deprecated failure [#1518](https://github.com/roots/trellis/pull/1518) From 136198953cf7bd9d54cfb4a41b38ef327e0ffd9d Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Wed, 13 Nov 2024 04:54:07 -0500 Subject: [PATCH 591/663] =?UTF-8?q?=F0=9F=93=84=20Update=20name?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- LICENSE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE.md b/LICENSE.md index 1b5cd27da6..9e47289f33 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -1,4 +1,4 @@ -Copyright (c) Roots Software Foundation LLC +Copyright (c) Roots Software LLC Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in From 9a45aab9dad405f849ab22648348444781121cfb Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Wed, 13 Nov 2024 04:54:30 -0500 Subject: [PATCH 592/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c3089ee80b..059d7b9c18 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="120" height="90"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> +<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> </div> ## Overview From 0aeed2a0a4fdaa3234594210dc350ee09f7d0ccd Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sat, 23 Nov 2024 18:23:16 +0100 Subject: [PATCH 593/663] Use proper `$host` for FastCGI `SERVER_NAME` param. (#1552) --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 95b406439a..60b2b356d2 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -255,6 +255,7 @@ server { {% block fastcgi_basic -%} include fastcgi_params; + fastcgi_param SERVER_NAME $host; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; fastcgi_pass unix:/var/run/php-fpm-wordpress.sock; From 32dd18d223951cd17bc1a89558a3b0ad52b57268 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 21 Dec 2024 17:46:43 -0500 Subject: [PATCH 594/663] Fix Python string escape sequences (#1554) Python 3.12 now warns on invalid escape sequences in strings. This converts the strings to "raw" strings so the backslashes are treated literally. --- lib/trellis/plugins/callback/vars.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index e30b59687c..1a754d908d 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -47,8 +47,8 @@ def raw_vars(self, play, host, hostvars): if not isinstance(raw_vars, list): raise AnsibleError('The `raw_vars` variable must be defined as a list.') - patterns = [re.sub(r'\*', '(.)*', re.sub(r'\.', '\.', var)) for var in raw_vars if var.split('.')[0] in hostvars] - keys = set(pattern.split('\.')[0] for pattern in patterns) + patterns = [re.sub(r'\*', '(.)*', re.sub(r'\.', r'\.', var)) for var in raw_vars if var.split('.')[0] in hostvars] + keys = set(pattern.split(r'\.')[0] for pattern in patterns) for key in keys: if key in play.vars: play.vars[key] = self.raw_triage(key, play.vars[key], patterns) From 19b4bf65fde285fee1168e009e889d04e336651e Mon Sep 17 00:00:00 2001 
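Review bot: `fastcgi_param SERVER_NAME $host;` overrides the `$server_name` value set by the `fastcgi_params` include, and `$host` is taken from the request's Host header, so PHP now sees the name the client sent rather than the literal `server_name` pattern; that is the intended fix for wildcard multisite names but the template does not say so. A comment above the line, `# $host (request Host) instead of the fastcgi_params default $server_name, which is the literal pattern (e.g. a *.example.com wildcard) rather than the requested name`, records the reason. How far that value can be trusted depends on the `server_name` matching of the enclosing block and on the default-server setup, neither of which is visible in this hunk; the `server {` block continues outside it.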
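Review bot: Only `.` is escaped before the pattern is compiled, so any other regex metacharacter in a `raw_vars` entry is still interpreted as a regex; `re.escape(var).replace(r'\*', '(.)*')` escapes the whole name while keeping the `*` glob, and `pattern.split(r'\.')[0]` works unchanged on its output. For names made of letters, digits, `_`, `.` and `*` the result is identical to the current code, so this is a robustness fix rather than a behaviour change for existing configs. `raw_vars` continues outside the hunk.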
From: Ben Word <ben@benword.com> Date: Sun, 22 Dec 2024 13:33:23 -0500 Subject: [PATCH 595/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 059d7b9c18..d3c18a77b9 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> +<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> <a href="https://bonsai.so/"><img src="https://cdn.roots.io/app/uploads/bonsai.svg" alt="Bonsai" width="120" height="90"></a> <a href="https://fusepress.co/sp/sign-up/"><img src="https://cdn.roots.io/app/uploads/fusepress.svg" alt="FusePress" width="120" height="90"></a> </div> ## Overview From ae31b0f2410c2458a45ba4c701414669c6de7896 Mon Sep 17 00:00:00 2001 
From: Altan S <altansarisin@gmail.com> Date: Mon, 27 Jan 2025 19:05:46 +0100 Subject: [PATCH 596/663] add http_x_http_method_override var to fastcgi_cache_key directive (#1556) --- roles/nginx/templates/nginx.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 6b60169863..8be21e6f78 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -66,7 +66,7 @@ http { fastcgi_cache_path {{ nginx_cache_path }} levels=1:2 keys_zone=wordpress:{{ nginx_cache_key_storage_size }} max_size={{ nginx_cache_size }} inactive={{ nginx_cache_inactive }}; fastcgi_cache_use_stale updating error timeout invalid_header http_500; fastcgi_cache_lock on; - fastcgi_cache_key $realpath_root$scheme$host$request_uri$request_method$http_origin; + fastcgi_cache_key $realpath_root$scheme$host$request_uri$request_method$http_origin$http_x_http_method_override; fastcgi_ignore_headers Cache-Control Expires Set-Cookie; fastcgi_pass_header Set-Cookie; fastcgi_pass_header Cookie; From 3b580fff9fac8c98b96c8ebe8a478b2f5d64f21f Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Thu, 20 Feb 2025 14:24:22 -0500 Subject: [PATCH 597/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d3c18a77b9..452555c19a 100644 --- a/README.md +++ b/README.md 
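Review bot: Adding `$http_x_http_method_override` to `fastcgi_cache_key` keys the cache on a client-supplied header without a comment explaining why, and the same is already true of `$http_origin`, so a later reader may "simplify" both away. A comment above the directive, `# Responses can differ by Origin and X-HTTP-Method-Override, so both are part of the key`, keeps the rationale with the line; that the response does vary by them is inferred from the change, not visible here. Every distinct header value creates a separate cache entry, bounded only by `max_size`, which is acceptable but worth knowing when tuning `nginx_cache_size`.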
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> <a href="https://bonsai.so/"><img src="https://cdn.roots.io/app/uploads/bonsai.svg" alt="Bonsai" width="120" height="90"></a> <a href="https://fusepress.co/sp/sign-up/"><img src="https://cdn.roots.io/app/uploads/fusepress.svg" alt="FusePress" width="120" height="90"></a> +<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> <a href="https://bonsai.so/"><img src="https://cdn.roots.io/app/uploads/bonsai.svg" alt="Bonsai" width="120" height="90"></a> </div> ## Overview From 9e7e3a93ad73d02050614ce56fe5030033e14c27 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 27 Feb 2025 15:38:44 -0500 Subject: [PATCH 598/663] Update dependency ntp to v2.7.0 (#1553) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 5a869fa7c2..a45014e00f 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -6,7 +6,7 @@ roles: - name: ntp src: geerlingguy.ntp - version: 2.5.0 + version: 2.7.0 - name: logrotate src: nickhammond.logrotate From 4dd189e26e2c122d202424a1308e9b64bd440365 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 27 Feb 2025 15:38:59 -0500 Subject: [PATCH 599/663] Update dependency swapfile to v2.0.42 (#1549) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index a45014e00f..574332d4d3 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -14,7 +14,7 @@ roles: - name: swapfile src: oefenweb.swapfile - version: v2.0.38 + version: v2.0.42 - name: mailpit src: roots.mailpit From d1285d07e9097985635d58779f78401afeaca49d Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Thu, 27 Feb 2025 15:55:14 -0500 Subject: [PATCH 600/663] =?UTF-8?q?=F0=9F=94=A7=20FastCGI=20Cache:=20Stop?= =?UTF-8?q?=20ignoring=20Cache-Control=20headers=20(#1555)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/nginx/templates/nginx.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 8be21e6f78..b62f4ef3ff 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -67,7 +67,7 @@ http { fastcgi_cache_use_stale updating error timeout invalid_header http_500; fastcgi_cache_lock on; fastcgi_cache_key $realpath_root$scheme$host$request_uri$request_method$http_origin$http_x_http_method_override; - fastcgi_ignore_headers Cache-Control Expires Set-Cookie; + fastcgi_ignore_headers Expires Set-Cookie; fastcgi_pass_header Set-Cookie; fastcgi_pass_header Cookie; {% endblock %} From b044210fd81d275fcb198ae0bd631a83bd81840c Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Mon, 3 Mar 2025 10:21:57 -0500 Subject: [PATCH 601/663] Update build-before.yml for Sage 11 (#1559) --- deploy-hooks/build-before.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 06d3980fa7..2956aa116b 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -1,14 +1,14 @@ # Placeholder `deploy_build_before` hook for building theme assets on the # host machine and then copying the files to the remote server # -# ⚠️ This example assumes your theme is using Sage 10 +# ⚠️ This example assumes your theme is using Sage 11 # -# Uncomment the lines below if you are using Sage 10 +# Uncomment the lines below if you are using Sage 11 # and replace `sage` with your theme folder # # --- # - name: Install npm dependencies -# command: yarn +# command: npm install # delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" 
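Review bot: Dropping `Cache-Control` from `fastcgi_ignore_headers` silently changes how long responses are cached, because an upstream `Cache-Control` now takes precedence over any `fastcgi_cache_valid` setting and `private`/`no-cache`/`no-store` disables caching for that response; nothing in the template records this. A comment above the directive, `# Cache-Control from PHP is honoured: max-age overrides fastcgi_cache_valid and private/no-cache/no-store prevents caching`, makes the behaviour explicit. `Expires` is still ignored, so only `Cache-Control` drives the per-response lifetime; whether that split is intended is not visible here.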
@@ -19,20 +19,20 @@ # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # # - name: Compile assets for production -# command: yarn build +# command: npm run build # delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" # -# - name: Check for entrypoints +# - name: Check for manifest # stat: -# path: "{{ project_local_path }}/web/app/themes/sage/public/entrypoints.json" +# path: "{{ project_local_path }}/web/app/themes/sage/public/build/manifest.json" # delegate_to: localhost # register: entrypoints_data # - name: Entrypoints missing # ansible.builtin.fail: -# msg: "The theme is missing the public/entrypoints.json file" +# msg: "The theme is missing the build manifest file" # when: not entrypoints_data.stat.exists # # - name: Copy production assets From 94dc324df6d7da6aa3e0d0d964f49a789fb11899 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Thu, 6 Mar 2025 10:34:19 -0500 Subject: [PATCH 602/663] =?UTF-8?q?=F0=9F=94=A7=20PHP=208.4=20support=20(#?= =?UTF-8?q?1560)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/php/vars/8.4.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 roles/php/vars/8.4.yml diff --git a/roles/php/vars/8.4.yml b/roles/php/vars/8.4.yml new file mode 100644 index 0000000000..16aae1ed28 --- /dev/null +++ b/roles/php/vars/8.4.yml 
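Review bot: The stat step was renamed to `Check for manifest` and its path now points at `public/build/manifest.json`, but it still registers `entrypoints_data` and the failing task is still titled `Entrypoints missing`, so the placeholder reads as two different checks; renaming to `register: manifest_data` with `when: not manifest_data.stat.exists` and `- name: Build manifest missing` keeps the example coherent. The whole hook is commented out, so this only affects what users copy into their own hook.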
@@ -0,0 +1,18 @@ +php_extensions_default: + php8.4-bcmath: "{{ apt_package_state }}" + php8.4-cli: "{{ apt_package_state }}" + php8.4-curl: "{{ apt_package_state }}" + php8.4-dev: "{{ apt_package_state }}" + php8.4-fpm: "{{ apt_package_state }}" + php8.4-imagick: "{{ apt_package_state }}" + php8.4-intl: "{{ apt_package_state }}" + php8.4-mbstring: "{{ apt_package_state }}" + php8.4-mysql: "{{ apt_package_state }}" + php8.4-xml: "{{ apt_package_state }}" + php8.4-xmlrpc: "{{ apt_package_state }}" + php8.4-zip: "{{ apt_package_state }}" + +php_memcached_packages: + php8.4-memcached: "{{ apt_package_state }}" + +php_xdebug_package: php8.4-xdebug From c4c971415cdc01fe8324b0e281d149ba2ec9c1ff Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 6 Mar 2025 19:47:36 -0300 Subject: [PATCH 603/663] Remove Let's Encrypt contact email support (#1558) See https://letsencrypt.org/2025/01/22/ending-expiration-emails/ --- .github/files/wordpress_sites.yml | 3 --- roles/letsencrypt/tasks/setup.yml | 22 ---------------------- roles/letsencrypt/templates/renew-certs.py | 1 - 3 files changed, 26 deletions(-) diff --git a/.github/files/wordpress_sites.yml b/.github/files/wordpress_sites.yml index 8fa390b191..c005628990 100644 --- a/.github/files/wordpress_sites.yml +++ b/.github/files/wordpress_sites.yml @@ -1,6 +1,3 @@ -letsencrypt_contact_emails: - - admin@example.com - wordpress_sites: example.com: site_hosts: diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 72664d0f42..b78a7b0d76 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml 
@@ -1,26 +1,4 @@ --- -- name: Fail if letsencrypt_contact_emails is not defined - fail: - msg: > - Error: the required `letsencrypt_contact_emails` variable is not defined or invalid. - - - Please define it in `groups_vars/all/main.yml` with at least one email (as a list/array, *not* a string): - - letsencrypt_contact_emails: - - changeme@example.com - - The contact email is used by Let's Encrypt to send expiry notices when a certificate is coming up for renewal. - - - See https://letsencrypt.org/docs/expiration-emails/ for more information. - - - Since Trellis attempts to renew certificates after {{ letsencrypt_min_renewal_age }} days ({{ 90 - letsencrypt_min_renewal_age }} days before renewal), - getting an expiry notice email means something has gone wrong giving you enough notice to fix the problem. - - when: (letsencrypt_contact_emails is not defined) or (letsencrypt_contact_emails is string) - - name: Create directories and set permissions file: mode: "{{ item.mode | default(omit) }}" diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index b13ed8efa6..7b19561649 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -32,7 +32,6 @@ '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' '--csr {} ' - '--contact {{ letsencrypt_contact_emails | map('regex_replace', '(^.*$)', 'mailto:\\1') | join (' ') }} ' '--acme-dir {{ acme_tiny_challenges_directory }}' ).format(csr_path) From d4b6f29648ae0759f319eee8a9e4d4ace684224d Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 6 Mar 2025 19:47:56 -0300 Subject: [PATCH 604/663] Remove OCSP stapling (#1557) Let's Encrypt is ending its OCSP support. See https://letsencrypt.org/2024/12/05/ending-ocsp/ for the timeline. This removes all OCSP stapling functionality in Trellis. While this could be kept for other SSL certificate providers, there are a few reasons to remove this entirely: 1. the certificate authority would need to provide OCSP support 2. the vast majority of Trellis users use Let's Encrypt only 3. there are privacy concerns regardless --- group_vars/all/helpers.yml | 1 - .../h5bp/directive-only/ssl-stapling.conf | 34 ------------------- .../templates/h5bp/directive-only/ssl.conf | 2 -- .../templates/wordpress-site.conf.j2 | 3 -- 4 files changed, 40 deletions(-) delete mode 100644 roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 29d2c29d8a..7db67b83f8 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -16,7 +16,6 @@ site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defin site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" multisite_subdomains_wildcards: "{{ item.value.multisite.subdomains | default(false) | ternary( site_hosts_canonical | map('regex_replace', '^(www\\.)?(.*)$', '*.\\2') | list, [] ) }}" ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}" -ssl_stapling_enabled: "{{ item.value.ssl is defined and item.value.ssl.stapling_enabled | default(true) }}" cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}" sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}" 
diff --git a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf b/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf deleted file mode 100644 index 95cc175ce4..0000000000 --- a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf +++ /dev/null @@ -1,34 +0,0 @@ -# ---------------------------------------------------------------------- -# | Online Certificate Status Protocol stapling | -# ---------------------------------------------------------------------- - -# OCSP is a lightweight, only one record to help clients verify the validity of -# the server certificate. -# OCSP stapling allows the server to send its cached OCSP record during the TLS -# handshake, without the need of 3rd party OCSP responder. -# -# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling -# https://tools.ietf.org/html/rfc6066#section-8 -# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling -# -# (1) Use Cloudflare 1.1.1.1 DNS resolver -# https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/ -# -# (2) Use Google 8.8.8.8 DNS resolver -# https://developers.google.com/speed/public-dns/docs/using -# -# (3) Use Dyn DNS resolver -# https://help.dyn.com/internet-guide-setup/ - -ssl_stapling on; -ssl_stapling_verify on; - -resolver - # (1) - 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] - # (2) - 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] - # (3) - # 216.146.35.35 216.146.36.36 - valid=60s; -resolver_timeout 2s; diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf index 20d98766b3..19e62f03b7 100644 --- a/roles/nginx/templates/h5bp/directive-only/ssl.conf +++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf 
@@ -39,5 +39,3 @@ keepalive_timeout 300s; # up from 75 secs default # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors. #ssl_certificate /etc/nginx/default_ssl.crt; #ssl_certificate_key /etc/nginx/default_ssl.key; - -# Consider using OCSP Stapling as shown in ssl-stapling.conf diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 60b2b356d2..2cf97593dc 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -79,9 +79,6 @@ server { {% if ssl_enabled -%} # SSL configuration include h5bp/directive-only/ssl.conf; - {% if ssl_stapling_enabled -%} - include h5bp/directive-only/ssl-stapling.conf; - {% endif -%} ssl_buffer_size 1400; # 1400 bytes to fit in one MTU From 1393efba949ea25c5db8ae368e199d4677756050 Mon Sep 17 00:00:00 2001 From: Joshua Fredrickson <joshua@orangepineapple.com> Date: Thu, 27 Mar 2025 10:23:52 -0500 Subject: [PATCH 605/663] Remove "production" from asset compilation titles (#1566) Clarifies that these steps run in all environments, not just production. --- deploy-hooks/build-before.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 2956aa116b..f437cc01c5 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -18,7 +18,7 @@ # args: # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # -# - name: Compile assets for production +# - name: Compile assets # command: npm run build # delegate_to: localhost # args: 
@@ -35,7 +35,7 @@ # msg: "The theme is missing the build manifest file" # when: not entrypoints_data.stat.exists # -# - name: Copy production assets +# - name: Copy compiled assets # synchronize: # src: "{{ project_local_path }}/web/app/themes/sage/public" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" From 7a4d492d36db1085951e9b9ac16991383d03a9d5 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Wed, 2 Apr 2025 10:45:49 -0400 Subject: [PATCH 606/663] =?UTF-8?q?=F0=9F=A9=B9=20Add=20retry=20to=20addin?= =?UTF-8?q?g=20PPA's=20(#1568)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/mariadb/tasks/main.yml | 4 ++++ roles/nginx/tasks/main.yml | 4 ++++ roles/php/tasks/main.yml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 58d8ea1717..723bf0e2da 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -8,6 +8,10 @@ apt_repository: repo: "{{ mariadb_ppa }}" update_cache: yes + register: result + until: result is success + retries: 3 + delay: 5 - name: Install MySQL client ansible.builtin.apt: diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 8b8641826d..12686d5334 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -8,6 +8,10 @@ apt_repository: repo: "{{ nginx_ppa }}" update_cache: yes + register: result + until: result is success + retries: 3 + delay: 5 - name: Install Nginx ansible.builtin.apt: diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 107a102047..164aeffdb3 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -3,6 +3,10 @@ apt_repository: repo: "ppa:ondrej/php" update_cache: yes + register: result + until: result is success + retries: 3 + delay: 5 - name: Install PHP and extensions apt: From 863ed99c7702cdacdc84195ea0b068e7b1693b62 Mon Sep 17 00:00:00 2001 
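Review bot: All three `apt_repository` tasks register their outcome as the generic `result`, so each one overwrites the previous and any later task in the play that reads `result` sees whichever ran most recently; the same pattern is in the nginx and php hunks on this line. Role-prefixed names remove the ambiguity: `register: mariadb_ppa_result` / `until: mariadb_ppa_result is success` (likewise `nginx_ppa_result` and `php_ppa_result`). Because `update_cache: yes` sits on the same task, every retry also re-runs the index refresh, which is presumably the flaky step; a comment above `register:` such as `# retried: PPA key/index fetches intermittently fail on fresh hosts` would record why the retry exists.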
From: Dale Grant <dale@codeand.com.au> Date: Fri, 4 Apr 2025 10:02:53 +1100 Subject: [PATCH 607/663] Refactor PHP role to support future versions by default (#1511) Refactor php version vars to be dynamic by default whilst allowing overrides --- roles/common/tasks/main.yml | 4 +-- roles/php/vars/7.4.yml | 18 ------------ roles/php/vars/8.0.yml | 18 ------------ roles/php/vars/8.1.yml | 18 ------------ roles/php/vars/8.2.yml | 18 ------------ roles/php/vars/8.3.yml | 18 ------------ roles/php/vars/8.4.yml | 18 ------------ roles/php/vars/version-specific-defaults.yml | 29 ++++++++++++++++++++ roles/xdebug/tasks/main.yml | 11 ++++++-- 9 files changed, 40 insertions(+), 112 deletions(-) delete mode 100644 roles/php/vars/7.4.yml delete mode 100644 roles/php/vars/8.0.yml delete mode 100644 roles/php/vars/8.1.yml delete mode 100644 roles/php/vars/8.2.yml delete mode 100644 roles/php/vars/8.3.yml delete mode 100644 roles/php/vars/8.4.yml create mode 100644 roles/php/vars/version-specific-defaults.yml diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index cadc613586..6cb1fce1d8 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -41,8 +41,8 @@ vars: params: files: - - '{{ php_version }}.yml' - - '7.4.yml' + - '{{ php_version }}.yml' # e.g. 8.2.yml + - version-specific-defaults.yml paths: - "{{ playbook_dir }}/roles/php/vars/" diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml deleted file mode 100644 index 61ab906904..0000000000 --- a/roles/php/vars/7.4.yml +++ /dev/null 
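Review bot: The `first_found` parameter block added here is duplicated verbatim in the `roles/xdebug/tasks/main.yml` hunk further down in this patch, so the two search orders can drift the next time a file is added; defining the `params` mapping once, for example as a group variable `php_vars_lookup_params`, and passing it to both `include_vars` calls keeps a single source of truth. The `# e.g. 8.2.yml` comment is helpful, but the more important fact is that `first_found` stops at the first match, so a version file shadows `version-specific-defaults.yml` entirely; `# a matching <version>.yml replaces the defaults file, it is not merged with it` above `files:` would say that where the lookup lives.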
@@ -1,18 +0,0 @@
-php_extensions_default:
- php7.4-bcmath: "{{ apt_package_state }}"
- php7.4-cli: "{{ apt_package_state }}"
- php7.4-curl: "{{ apt_package_state }}"
- php7.4-dev: "{{ apt_package_state }}"
- php7.4-fpm: "{{ apt_package_state }}"
- php7.4-imagick: "{{ apt_package_state }}"
- php7.4-intl: "{{ apt_package_state }}"
- php7.4-mbstring: "{{ apt_package_state }}"
- php7.4-mysql: "{{ apt_package_state }}"
- php7.4-xml: "{{ apt_package_state }}"
- php7.4-xmlrpc: "{{ apt_package_state }}"
- php7.4-zip: "{{ apt_package_state }}"
-
-php_memcached_packages:
- php7.4-memcached: "{{ apt_package_state }}"
-
-php_xdebug_package: php7.4-xdebug
diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml
deleted file mode 100644
index 02eb376120..0000000000
--- a/roles/php/vars/8.0.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-php_extensions_default:
- php8.0-bcmath: "{{ apt_package_state }}"
- php8.0-cli: "{{ apt_package_state }}"
- php8.0-curl: "{{ apt_package_state }}"
- php8.0-dev: "{{ apt_package_state }}"
- php8.0-fpm: "{{ apt_package_state }}"
- php8.0-imagick: "{{ apt_package_state }}"
- php8.0-intl: "{{ apt_package_state }}"
- php8.0-mbstring: "{{ apt_package_state }}"
- php8.0-mysql: "{{ apt_package_state }}"
- php8.0-xml: "{{ apt_package_state }}"
- php8.0-xmlrpc: "{{ apt_package_state }}"
- php8.0-zip: "{{ apt_package_state }}"
-
-php_memcached_packages:
- php8.0-memcached: "{{ apt_package_state }}"
-
-php_xdebug_package: php8.0-xdebug
diff --git a/roles/php/vars/8.1.yml b/roles/php/vars/8.1.yml
deleted file mode 100644
index 1b15ae2d4e..0000000000
--- a/roles/php/vars/8.1.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-php_extensions_default:
- php8.1-bcmath: "{{ apt_package_state }}"
- php8.1-cli: "{{ apt_package_state }}"
- php8.1-curl: "{{ apt_package_state }}"
- php8.1-dev: "{{ apt_package_state }}"
- php8.1-fpm: "{{ apt_package_state }}"
- php8.1-imagick: "{{ apt_package_state }}"
- php8.1-intl: "{{ apt_package_state }}"
- php8.1-mbstring: "{{ apt_package_state }}"
- php8.1-mysql: "{{ apt_package_state }}"
- php8.1-xml: "{{ apt_package_state }}"
- php8.1-xmlrpc: "{{ apt_package_state }}"
- php8.1-zip: "{{ apt_package_state }}"
-
-php_memcached_packages:
- php8.1-memcached: "{{ apt_package_state }}"
-
-php_xdebug_package: php8.1-xdebug
diff --git a/roles/php/vars/8.2.yml b/roles/php/vars/8.2.yml
deleted file mode 100644
index 9fd5b87761..0000000000
--- a/roles/php/vars/8.2.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-php_extensions_default:
- php8.2-bcmath: "{{ apt_package_state }}"
- php8.2-cli: "{{ apt_package_state }}"
- php8.2-curl: "{{ apt_package_state }}"
- php8.2-dev: "{{ apt_package_state }}"
- php8.2-fpm: "{{ apt_package_state }}"
- php8.2-imagick: "{{ apt_package_state }}"
- php8.2-intl: "{{ apt_package_state }}"
- php8.2-mbstring: "{{ apt_package_state }}"
- php8.2-mysql: "{{ apt_package_state }}"
- php8.2-xml: "{{ apt_package_state }}"
- php8.2-xmlrpc: "{{ apt_package_state }}"
- php8.2-zip: "{{ apt_package_state }}"
-
-php_memcached_packages:
- php8.2-memcached: "{{ apt_package_state }}"
-
-php_xdebug_package: php8.2-xdebug
diff --git a/roles/php/vars/8.3.yml b/roles/php/vars/8.3.yml
deleted file mode 100644
index 557f9726a5..0000000000
--- a/roles/php/vars/8.3.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-php_extensions_default:
- php8.3-bcmath: "{{ apt_package_state }}"
- php8.3-cli: "{{ apt_package_state }}"
- php8.3-curl: "{{ apt_package_state }}"
- php8.3-dev: "{{ apt_package_state }}"
- php8.3-fpm: "{{ apt_package_state }}"
- php8.3-imagick: "{{ apt_package_state }}"
- php8.3-intl: "{{ apt_package_state }}"
- php8.3-mbstring: "{{ apt_package_state }}"
- php8.3-mysql: "{{ apt_package_state }}"
- php8.3-xml: "{{ apt_package_state }}"
- php8.3-xmlrpc: "{{ apt_package_state }}"
- php8.3-zip: "{{ apt_package_state }}"
-
-php_memcached_packages:
- php8.3-memcached: "{{ apt_package_state }}"
-
-php_xdebug_package: php8.3-xdebug
diff --git a/roles/php/vars/8.4.yml b/roles/php/vars/8.4.yml
deleted file mode 100644
index 16aae1ed28..0000000000
--- a/roles/php/vars/8.4.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-php_extensions_default:
- php8.4-bcmath: "{{ apt_package_state }}"
- php8.4-cli: "{{ apt_package_state }}"
- php8.4-curl: "{{ apt_package_state }}"
- php8.4-dev: "{{ apt_package_state }}"
- php8.4-fpm: "{{ apt_package_state }}"
- php8.4-imagick: "{{ apt_package_state }}"
- php8.4-intl: "{{ apt_package_state }}"
- php8.4-mbstring: "{{ apt_package_state }}"
- php8.4-mysql: "{{ apt_package_state }}"
- php8.4-xml: "{{ apt_package_state }}"
- php8.4-xmlrpc: "{{ apt_package_state }}"
- php8.4-zip: "{{ apt_package_state }}"
-
-php_memcached_packages:
- php8.4-memcached: "{{ apt_package_state }}"
-
-php_xdebug_package: php8.4-xdebug
diff --git a/roles/php/vars/version-specific-defaults.yml b/roles/php/vars/version-specific-defaults.yml
new file mode 100644
index 0000000000..b3bc73a075
--- /dev/null
+++ b/roles/php/vars/version-specific-defaults.yml
@@ -0,0 +1,29 @@ +# +# Set php version in group_vars/all/main.yml +# +# To override these defaults for a specific php version, duplicate this +# file to roles/php/vars/ and rename with your specific php version +# e.g. roles/php/vars/8.2.yml. +# +# You can then use e.g. +# php_extensions_default: +# php8.2-bcmath: "{{ apt_package_state }}" +# +php_extensions_default: + "php{{ php_version }}-bcmath": "{{ apt_package_state }}" + "php{{ php_version }}-cli": "{{ apt_package_state }}" + "php{{ php_version }}-curl": "{{ apt_package_state }}" + "php{{ php_version }}-dev": "{{ apt_package_state }}" + "php{{ php_version }}-fpm": "{{ apt_package_state }}" + "php{{ php_version }}-imagick": "{{ apt_package_state }}" + "php{{ php_version }}-intl": "{{ apt_package_state }}" + "php{{ php_version }}-mbstring": "{{ apt_package_state }}" + "php{{ php_version }}-mysql": "{{ apt_package_state }}" + "php{{ php_version }}-xml": "{{ apt_package_state }}" + "php{{ php_version }}-xmlrpc": "{{ apt_package_state }}" + "php{{ php_version }}-zip": "{{ apt_package_state }}" + +php_memcached_packages: + "php{{ php_version }}-memcached": "{{ apt_package_state }}" + +php_xdebug_package: "php{{ php_version }}-xdebug" diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 7b6248d1c0..f4d1d3acef 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -1,6 +1,13 @@ --- -- name: Include php{{ php_version }} related vars - include_vars: 'roles/php/vars/{{ php_version }}.yml' +- name: Import PHP version specific vars + include_vars: "{{ lookup('first_found', params) }}" + vars: + params: + files: + - '{{ php_version }}.yml' # e.g. 8.2.yml + - version-specific-defaults.yml + paths: + - "{{ playbook_dir }}/roles/php/vars/" - name: Install Xdebug apt: From f9b770be5eb3d58cee4c9d26215ac913b31a47d3 Mon Sep 17 00:00:00 2001 
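Review bot: The header tells readers to duplicate this file to override a version, but not that the copy then replaces this file wholesale: the `first_found` lookups in `roles/common/tasks/main.yml` and `roles/xdebug/tasks/main.yml` stop at `{{ php_version }}.yml`, so an override that only lists `php_extensions_default` leaves `php_memcached_packages` and `php_xdebug_package` undefined. Add to the header something like `# NOTE: a <version>.yml file is loaded INSTEAD of this one, so it must define all three variables below.` The mapping keys are themselves Jinja templates (`"php{{ php_version }}-bcmath"`) and the apt tasks that consume them are outside this patch; a one-line comment stating that templated keys are relied on would help, since that is far less common than templated values.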
From: Joshua Fredrickson <josh@kinetic.com> Date: Fri, 11 Apr 2025 22:00:19 -0500 Subject: [PATCH 608/663] Flush rewrite rules at the end of each deploy (#1567) --- roles/deploy/defaults/main.yml | 3 +++ roles/deploy/hooks/finalize-after.yml | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index a2f2247f26..d5d05d7f91 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -49,6 +49,9 @@ project_current_path: "{{ project.current_path | default('current') }}" # Whether to run `wp core update-db` at end of each deploy update_db_on_deploy: true +# Whether to flush rewrite rules at end of each deploy +flush_rewrite_rules_on_deploy: true + # Most scripts are used in development instead of remote servers. Use with caution. composer_no_scripts: true # Whether to run `composer check-platform-reqs`. diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index c1c54c66e5..5a4809b659 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -31,6 +31,12 @@ chdir: "{{ deploy_helper.current_path }}" when: project.update_db_on_deploy | default(update_db_on_deploy) + - name: Flush rewrite rules + command: wp rewrite flush + args: + chdir: "{{ deploy_helper.current_path }}" + when: project.flush_rewrite_rules_on_deploy | default(flush_rewrite_rules_on_deploy) + when: wp_installed.rc == 0 - name: Reload php-fpm From a77ff8808600cdd4e0804673b5002f59be74d6c6 Mon Sep 17 00:00:00 2001 From: Johan <12563436+Dyras@users.noreply.github.com> Date: Sat, 12 Apr 2025 05:00:45 +0200 Subject: [PATCH 609/663] Replace link for creating CSP (#1564) * Replace link for creating CSP * Update extra-security.conf to match upstream * Update extra-security.conf without overwriting the three upper options --- .../h5bp/directive-only/extra-security.conf | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) 
diff --git a/roles/nginx/templates/h5bp/directive-only/extra-security.conf b/roles/nginx/templates/h5bp/directive-only/extra-security.conf index eb10e06ca4..2274628166 100644 --- a/roles/nginx/templates/h5bp/directive-only/extra-security.conf +++ b/roles/nginx/templates/h5bp/directive-only/extra-security.conf @@ -10,8 +10,27 @@ add_header X-Content-Type-Options nosniff always; # The header instructs IE to enable its inbuilt anti-cross-site scripting filter. add_header X-XSS-Protection "1; mode=block" always; -# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy), -# you can tell the browser that it can only download content from the domains you explicitly allow -# CSP can be quite difficult to configure, and cause real issues if you get it wrong -# There is website that helps you generate a policy here http://cspisawesome.com/ +# Mitigate the risk of cross-site scripting and other content-injection +# attacks. +# +# This can be done by setting a Content Security Policy which permits +# trusted sources of content for your website. +# +# There is no policy that fits all websites, you will have to modify the +# `Content-Security-Policy` directives in the example depending on your needs. +# +# To make your CSP implementation easier, you can use an online CSP header +# generator such as: +# https://report-uri.com/home/generate/ +# +# It is encouraged that you validate your CSP header using a CSP validator +# such as: +# https://csp-evaluator.withgoogle.com +# +# https://www.w3.org/TR/CSP/ +# https://owasp.org/www-project-secure-headers/#content-security-policy +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +# https://developers.google.com/web/fundamentals/security/csp +# https://content-security-policy.com/ + # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always; 
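Review bot: The rewritten comment explains how to generate and validate a policy but not how to roll one out, and the example directive below it is the enforcing header, so a first attempt that is slightly wrong blocks the site's own scripts and styles. A line such as `# Roll out with Content-Security-Policy-Report-Only first and switch to Content-Security-Policy once the reports are clean.` in the new comment would close that gap. The example policy's `'unsafe-inline'` for `style-src` is unchanged from before; if it stays, a short note that it weakens the policy against style injection would help readers who copy it verbatim.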
From 668f867067c25158bc6f66890cff63a87deeb50d Mon Sep 17 00:00:00 2001 From: Johan <12563436+Dyras@users.noreply.github.com> Date: Sat, 26 Apr 2025 15:17:42 +0200 Subject: [PATCH 610/663] Update build-after.yml to say Sage 11 instead of Sage 10 (#1570) --- deploy-hooks/build-after.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy-hooks/build-after.yml b/deploy-hooks/build-after.yml index 7ed1b7e836..a06b4cae18 100644 --- a/deploy-hooks/build-after.yml +++ b/deploy-hooks/build-after.yml @@ -1,8 +1,8 @@ # Placeholder `deploy_build_after` hook # -# ⚠️ This example assumes your theme is using Sage 10 +# ⚠️ This example assumes your theme is using Sage 11 # -# Uncomment the lines below if you are using Sage 10 +# Uncomment the lines below if you are using Sage 11 # NOTE: this task will fail if Sage theme is not activated at time of deployment. # # --- From be3d9453edd3e032421070ea7037479c74d6d38d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 8 May 2025 11:10:38 -0400 Subject: [PATCH 611/663] Update WP-CLI version to 2.12.0 (#1574) Co-authored-by: retlehs <115911+retlehs@users.noreply.github.com> --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 62c58cfb21..f4ef131fcd 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.11.0 +wp_cli_version: 2.12.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From 1ccf72c27e4689907ca112def329e453d4e3690e Mon Sep 17 00:00:00 2001 
From: Dale Grant <dale@codeand.com.au> Date: Wed, 21 May 2025 08:54:39 +1000 Subject: [PATCH 612/663] Allow removal of old SSH keys on provision (#1576) * Allow removal of old SSH keys by temporarily setting SSH access to the first non-empty SSH key Rel: roots/trellis#1087 * Remove reset_user_ssh_keys: false entry from security.yml to preference using extra vars via CLI --- roles/users/tasks/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index fb65473803..476ae92f80 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -51,6 +51,18 @@ validate: "/usr/sbin/visudo -cf %s" when: web_sudoers[0] is defined +- name: Replace all user SSH keys with first non-empty key + authorized_key: + user: "{{ item.name }}" + key: "{{ (item['keys'] | select('truthy') | list).0 }}" + exclusive: true + loop: "{{ users | default([]) }}" + loop_control: + label: "{{ item.name }}" + when: + - reset_user_ssh_keys | default(false) + - (item['keys'] | select('truthy') | list | length) > 0 + - name: Add user SSH keys authorized_key: user: "{{ item.0.name }}" From ed23739df6bff59bb7a274e502001d583b0e3a3d Mon Sep 17 00:00:00 2001 From: Dale Grant <dale@codeand.com.au> Date: Wed, 21 May 2025 12:32:53 +1000 Subject: [PATCH 613/663] Filter Nginx includes by sites present on target server (#1573) --- roles/wordpress-setup/tasks/nginx-includes.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 265011cea0..135eb77614 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
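Review bot: Between this task and the following `Add user SSH keys` task there is a window in which `authorized_keys` holds only the first truthy key; if the play is interrupted there, or the first entry is not the key the operator is connecting with, the next run can be locked out. `authorized_key` with `exclusive: true` accepts several keys in one value separated by newlines, so the reset can be a single write — `key: '{{ item["keys"] | select("truthy") | join("\n") }}'` — unless entries may be URLs (the module only fetches a URL when the whole `key` value is one), in which case the two-step approach should at least be explained in a comment. That comment should also document `reset_user_ssh_keys` itself (set as an extra var per the commit message, no default anywhere in group_vars) and its dependency on the task below re-adding the remaining keys; `loop_control.label` correctly keeps key material out of the log.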
@@ -6,14 +6,20 @@ register: nginx_includes_local_directory - block: - - name: Build list of Nginx includes templates + - name: Loop through site keys to build a list of Nginx includes templates per folder find: - paths: "{{ nginx_includes_templates_path }}" - pattern: "*.conf.j2" + paths: "{{ nginx_includes_templates_path }}/{{ item }}" + patterns: "*.conf.j2" recurse: yes + loop: "{{ wordpress_sites.keys() | list + ['all'] }}" become: no delegate_to: localhost - register: nginx_includes_templates + register: nginx_includes_folder_results + + - name: Flatten include template files into one list + set_fact: + nginx_includes_templates: + files: "{{ nginx_includes_folder_results.results | map(attribute='files') | flatten }}" - name: Create includes.d directories file: From 02181450e9afdc391881641a7ffa7465549da38d Mon Sep 17 00:00:00 2001 From: Dale Grant <dale@codeand.com.au> Date: Wed, 21 May 2025 13:11:29 +1000 Subject: [PATCH 614/663] Allow cleaning apt sources on provision (#1578) --- group_vars/all/main.yml | 1 + roles/common/tasks/clean-apt-sources.yml | 19 +++++++++++++++++++ roles/common/tasks/main.yml | 4 ++++ 3 files changed, 24 insertions(+) create mode 100644 roles/common/tasks/clean-apt-sources.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 77a89e973d..a52d8ef441 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2,6 +2,7 @@ apt_cache_valid_time: 3600 apt_package_state: present apt_security_package_state: latest apt_dev_package_state: latest +apt_clean_sources: false composer_keep_updated: true php_version: "8.2" ntp_timezone: Etc/UTC diff --git a/roles/common/tasks/clean-apt-sources.yml b/roles/common/tasks/clean-apt-sources.yml new file mode 100644 index 0000000000..b4346539f2 --- /dev/null +++ b/roles/common/tasks/clean-apt-sources.yml 
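Review bot: `nginx_includes_templates` is rebuilt by `set_fact` with a single `files` key only so the downstream tasks that consumed the old `find` result keep working; nothing in the task name says that, and a comment above `set_fact:` such as `# Mirrors the shape of one find result ({files: [...]}) so the tasks below need no change` would stop someone flattening it into a plain list later. The loop now runs `find` once per site key plus `all`, so a site without its own folder under `nginx_includes_templates_path` presumably triggers a missing-path warning from `find` on every provision; if that proves noisy, filter the loop on `stat` results rather than relying on the warning. The enclosing `block:` and its `when:` start before this hunk.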
@@ -0,0 +1,19 @@
+---
+- name: Clean stale APT sources from /etc/apt/sources.list.d
+ find:
+ paths: /etc/apt/sources.list.d
+ patterns:
+ - '*.list'
+ - '*.list.save'
+ - '*.list.distUpgrade'
+ use_regex: false
+ register: stale_sources
+ become: true
+
+- name: Remove stale APT source files
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ stale_sources.files }}"
+ when: stale_sources.matched > 0
+ become: true
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 6cb1fce1d8..78de190925 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -137,6 +137,10 @@
 when: openssh_6_8_plus and validate_ssh | default(true)
 tags: [sshd]

+- name: Clean old APT sources
+ import_tasks: clean-apt-sources.yml
+ when: apt_clean_sources | default(false)
+
 - name: Update apt packages
 apt:
 update_cache: yes
From e8f10430d0c0cfab3478ef80acfb7b04b45d7ea9 Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Wed, 25 Jun 2025 10:00:49 -0400
Subject: [PATCH 615/663] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Use=20PHP=208.3=20?=
 =?UTF-8?q?by=20default=20(#1580)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 group_vars/all/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index a52d8ef441..c0df7453f4 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -4,7 +4,7 @@ apt_security_package_state: latest
 apt_dev_package_state: latest
 apt_clean_sources: false
 composer_keep_updated: true
-php_version: "8.2"
+php_version: "8.3"
 ntp_timezone: Etc/UTC
 ntp_manage_config: true
 www_root: /srv/www
From f848a0101341df85c660829aacfdd2833d6f7617 Mon Sep 17 00:00:00 2001
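Review bot: The task names say "stale", but the `find` patterns match every `*.list` file under `/etc/apt/sources.list.d`, including third-party sources that are currently in use, so with `apt_clean_sources: true` this is a full reset of that directory rather than a cleanup; the task name and a header comment should say so, e.g. `# Removes ALL .list sources; repositories are re-added later by the roles that declare them`. On releases where `add-apt-repository` writes deb822 `.sources` files the `.list` patterns do not match them, so the option quietly does nothing for those repositories (and must not be widened to `*.sources`, which would also remove the distribution's own sources file). Deleting a source file leaves its signing key trusted in `/etc/apt/trusted.gpg.d` or `/etc/apt/keyrings`, which the comment should state so operators do not assume the repository is fully distrusted. `use_regex: false` is the module default and `when: stale_sources.matched > 0` duplicates what an empty loop already does; both can be dropped.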
From: Tang Rufus <tangrufus@gmail.com> Date: Thu, 10 Jul 2025 13:16:58 +0100 Subject: [PATCH 616/663] `wp-cli-version-check.yml`: Use `gh` to fetch WP CLI release info (#1585) --- .github/workflows/wp-cli-version-check.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/wp-cli-version-check.yml b/.github/workflows/wp-cli-version-check.yml index 9f18e99663..9964cf3a00 100644 --- a/.github/workflows/wp-cli-version-check.yml +++ b/.github/workflows/wp-cli-version-check.yml @@ -18,8 +18,10 @@ jobs: - name: Get latest WP-CLI version id: get-version run: | - LATEST_VERSION=$(curl -s https://api.github.com/repos/wp-cli/wp-cli/releases/latest | jq -r .tag_name | sed 's/^v//') + LATEST_VERSION=$(gh release view --repo wp-cli/wp-cli --json 'tagName' --template '{{slice .tagName 1}}') echo "LATEST_VERSION=$LATEST_VERSION" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ github.token }} - name: Update wp_cli_version run: | From d999d24710eac7c099118b43a6fc037083b37905 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Mon, 21 Jul 2025 04:52:31 +0200 Subject: [PATCH 617/663] Add `X-Cache-Enabled` HTTP header (#1513) --- roles/nginx/templates/nginx.conf.j2 | 17 ++++++++++++++++- .../templates/wordpress-site.conf.j2 | 3 +++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index b62f4ef3ff..9bf734f535 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
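Review bot: `LATEST_VERSION` flows from the `gh … --template` output straight into `$GITHUB_OUTPUT` and from there into the file edit and pull request in the next step, with no check that it looks like a version; an empty or unexpected value (for example after a change in the JSON field) would produce a broken `wp_cli_version`. A guard after the assignment, `[[ "$LATEST_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected tag: $LATEST_VERSION" >&2; exit 1; }`, fails the job instead. `slice .tagName 1` also silently assumes a one-character `v` prefix where the old `sed 's/^v//'` tolerated its absence; a comment on that line recording the assumption would help whoever debugs it.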
@@ -50,7 +50,22 @@ pid /run/nginx.pid; {% endblock %} http { - {% block http_begin %}{% endblock %} + {% block http_begin %} + map $upstream_cache_status $header_x_cache_enabled { + default true; + BYPASS ""; + } + + map $server_addr:$remote_addr $is_loopback_request { + "~^([^:]+):\1$" 1; + default 0; + } + + map $is_loopback_request:$header_x_cache_enabled $loopback_header_x_cache_enabled { + default ""; + 1:true true; + } + {% endblock %} {% block server_tokens -%} # Hide nginx version information. diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 2cf97593dc..91e52f495b 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -21,6 +21,9 @@ server { index index.php index.htm index.html; add_header Fastcgi-Cache $upstream_cache_status; + # Additional proxy header for WordPress (notably its Site Health check) + add_header X-Cache-Enabled $loopback_header_x_cache_enabled; + # Specify a charset charset utf-8; From fe6d470cbed71f87cd8ba5ae40c8ec885a9a1931 Mon Sep 17 00:00:00 2001 From: zak-wearecore <54408655+zak-wearecore@users.noreply.github.com> Date: Tue, 29 Jul 2025 13:50:56 +0100 Subject: [PATCH 618/663] Run ferm role when letsencrypt tag is defined on provision (#1588) Fix for: https://github.com/roots/trellis/issues/1587 --- server.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server.yml b/server.yml index be9a456eb4..eb08de3c68 100644 --- a/server.yml +++ b/server.yml @@ -16,7 +16,7 @@ - { role: common, tags: [common] } - { role: swapfile, swapfile_size: 1GB, swapfile_file: /swapfile, tags: [swapfile] } - { role: fail2ban, tags: [fail2ban] } - - { role: ferm, tags: [ferm] } + - { role: ferm, tags: [ferm, letsencrypt] } - { role: ntp, tags: [ntp] } - { role: users, tags: [users] } - { role: sshd, tags: [sshd] } From 2cb663d6396c4911f7cd19b13fc9cd50f3298959 Mon Sep 17 00:00:00 2001 
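Review bot: The three `map` blocks are placed inside `{% block http_begin %}`, which was an empty block that exists for child templates to override; a site template that already overrides `http_begin` loses the maps, and the new `add_header X-Cache-Enabled $loopback_header_x_cache_enabled;` in `wordpress-site.conf.j2` (second hunk on this line) then fails config validation with an unknown variable. Moving the maps out of the block, or into a block of their own, keeps the override point opt-in. The loopback match `"~^([^:]+):\1$"` on `$server_addr:$remote_addr` cannot match when the addresses themselves contain colons, so IPv6 loopback requests are presumably classified as non-loopback; a separator that cannot appear in an address avoids that, as sketched below.
```nginx
http {
    {% block cache_status_maps %}
    map $upstream_cache_status $header_x_cache_enabled {
        default true;
        BYPASS "";
    }

    # "|" cannot occur in an IPv4 or IPv6 literal, unlike ":"
    map "$server_addr|$remote_addr" $is_loopback_request {
        "~^([^|]+)\|\1$" 1;
        default 0;
    }

    map $is_loopback_request:$header_x_cache_enabled $loopback_header_x_cache_enabled {
        default "";
        1:true true;
    }
    {% endblock %}
    {% block http_begin %}{% endblock %}
    # … unchanged: server_tokens block …
```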
From: John <john.kraczek@gmail.com> Date: Wed, 30 Jul 2025 12:08:57 -0600 Subject: [PATCH 619/663] Update acme_tiny_repo (#1582) Update to fix issue: Change in Let's Encrypt response broke client if contact is set --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 3d924c6678..867ac96687 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -4,7 +4,7 @@ missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr(' letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' -acme_tiny_commit: 'cb094cf3efa34acef8c7139c8480e2135422e755' +acme_tiny_commit: '1b61d3001cb9c11380557ffebda5d358ce64375c' acme_tiny_software_directory: /usr/local/letsencrypt acme_tiny_data_directory: /var/lib/letsencrypt From 0c95ea163dcdb41344e59b519453310eadc61619 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 11 Aug 2025 11:33:21 -0400 Subject: [PATCH 620/663] Update actions/checkout action to v5 (#1591) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/integration.yml | 2 +- .github/workflows/wp-cli-version-check.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 65f6a7b2bc..3b84c52e31 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,7 +16,7 @@ jobs: matrix: python-version: ['3.x'] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} 
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 323f87c54b..9843fa389c 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -25,7 +25,7 @@ jobs: sudo apt-get remove --purge nginx* sudo apt-get autoremove sudo apt-get autoclean - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: fetch-depth: 0 - uses: actions/setup-python@v5 diff --git a/.github/workflows/wp-cli-version-check.yml b/.github/workflows/wp-cli-version-check.yml index 9964cf3a00..055883ea79 100644 --- a/.github/workflows/wp-cli-version-check.yml +++ b/.github/workflows/wp-cli-version-check.yml @@ -13,7 +13,7 @@ jobs: pull-requests: write steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v5 - name: Get latest WP-CLI version id: get-version From 608621e2410711ca73918b863059e62755612fae Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 13 Aug 2025 22:14:08 -0400 Subject: [PATCH 621/663] Replace deprecation distutils version usage (#1590) `disutils` was used to compare version numbers but it's deprecated and causes warnings which might result in Ansible skipping this plugin. This replaces `distutils` with `packaging.version.Version` instead. --- lib/trellis/plugins/vars/version.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index e05b94e800..c18ad1582c 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -1,7 +1,6 @@ from ansible import __version__ from ansible.errors import AnsibleError -from distutils.version import LooseVersion -from operator import eq, ge, gt +from packaging.version import Version from platform import python_version, python_version_tuple try: 
@@ -18,10 +17,10 @@ ' Python 2 reached end of life in 2020 and is unmaintained.\n' 'Python 3 is required as of Trellis version v1.15.0.').format(python_version())) -if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): +if Version(__version__) < Version(version_requirement): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 'Please upgrade to Ansible {} or higher.').format(__version__, version_requirement)) -elif gt(LooseVersion(__version__), LooseVersion(version_tested_max)): +elif Version(__version__) > Version(version_tested_max): display.warning(u'Your Ansible version is {} but this version of Trellis has only been tested for ' u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) From 2517385d9f5333855ba4508826895854cca9018c Mon Sep 17 00:00:00 2001 
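Review bot: `packaging` is a third-party package rather than stdlib; ansible-core declares it as a dependency so it is normally present, but a vars plugin importing it at module scope fails to load at all where it is missing, and `Version()` raises `packaging.version.InvalidVersion` on non-PEP 440 strings where `LooseVersion` accepted anything (the values of `version_requirement` and `version_tested_max` are outside the hunk). `ansible.module_utils.compat.version.LooseVersion` ships with Ansible itself and would keep the old tolerant comparison without the extra import; if `packaging` is preferred, wrap the two comparisons so an `InvalidVersion` becomes an `AnsibleError` naming the offending string. The first hunk ends at `try:`, whose body lies outside the diff.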
From: Ben Word <ben@benword.com> Date: Thu, 14 Aug 2025 21:16:06 -0400 Subject: [PATCH 622/663] =?UTF-8?q?=E2=9C=A8=20Add=20Redis=20object=20cach?= =?UTF-8?q?e=20support=20(#1589)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/files/vault.yml | 12 ++ .github/files/wordpress_sites.yml | 19 ++++ .github/workflows/integration.yml | 37 +++++- dev.yml | 3 +- group_vars/all/helpers.yml | 24 +++- group_vars/development/wordpress_sites.yml | 1 + roles/deploy/vars/main.yml | 21 +++- roles/php/vars/version-specific-defaults.yml | 3 + roles/redis/defaults/main.yml | 88 +++++++++++++++ roles/redis/handlers/main.yml | 5 + roles/redis/tasks/main.yml | 41 +++++++ roles/redis/templates/redis.conf.j2 | 105 ++++++++++++++++++ roles/wordpress-setup/defaults/main.yml | 20 ++++ .../templates/wordpress-site.conf.j2 | 4 +- server.yml | 3 +- 15 files changed, 379 insertions(+), 7 deletions(-) create mode 100644 roles/redis/defaults/main.yml create mode 100644 roles/redis/handlers/main.yml create mode 100644 roles/redis/tasks/main.yml create mode 100644 roles/redis/templates/redis.conf.j2 diff --git a/.github/files/vault.yml b/.github/files/vault.yml index 0dd232f46a..2fe50eb559 100644 --- a/.github/files/vault.yml +++ b/.github/files/vault.yml @@ -34,3 +34,15 @@ vault_wordpress_sites: secure_auth_salt: "generateme" logged_in_salt: "generateme" nonce_salt: "generateme" + redis.example.com: + env: + db_password: example_dbpassword + # Generate your keys here: https://roots.io/salts.html + auth_key: "generateme" + secure_auth_key: "generateme" + logged_in_key: "generateme" + nonce_key: "generateme" + auth_salt: "generateme" + secure_auth_salt: "generateme" + logged_in_salt: "generateme" + nonce_salt: "generateme" diff --git a/.github/files/wordpress_sites.yml b/.github/files/wordpress_sites.yml index c005628990..1d52ba9b6f 100644 --- a/.github/files/wordpress_sites.yml +++ b/.github/files/wordpress_sites.yml 
@@ -29,3 +29,22 @@ wordpress_sites: provider: letsencrypt cache: enabled: false + redis.example.com: + site_hosts: + - canonical: redis.example.com + redirects: + - www.redis.example.com + local_path: ../site + repo: git@github.com:roots/bedrock.git + branch: master + multisite: + enabled: false + ssl: + enabled: false + provider: letsencrypt + cache: + enabled: true + object_cache: + enabled: true + provider: redis + database: 0 diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 9843fa389c..e646b70d89 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -43,7 +43,7 @@ jobs: run: trellis new --name example.com --host www.example.com --trellis-version ${{ github.sha }} ./example.com - name: Update configs run: | - sudo echo "127.0.0.1 www.example.com example.com www.example-https.com example-https.com" | sudo tee -a /etc/hosts + sudo echo "127.0.0.1 www.example.com example.com www.example-https.com example-https.com www.redis.example.com redis.example.com" | sudo tee -a /etc/hosts cp ../../.github/files/inventory hosts/production cp ../../.github/files/wordpress_sites.yml group_vars/production/wordpress_sites.yml cp ../../.github/files/vault.yml group_vars/production/vault.yml 
@@ -74,3 +74,38 @@ jobs: working-directory: /srv/www/example-https.com/current - name: Verify install run: curl -s https://example-https.com | grep "<title>Example HTTPS" + - name: Deploy Redis site + run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production redis.example.com + working-directory: example.com + - name: Install WordPress on Redis site + run: | + wp core install --url="http://redis.example.com" --title="Redis Example" --admin_user="admin" --admin_password="password" --admin_email="admin@example.com" + working-directory: /srv/www/redis.example.com/current + - name: Verify Redis service + run: | + systemctl is-active redis-server + redis-cli ping + - name: Verify PHP Redis extension + run: php -m | grep redis + - name: Test Redis basic functionality + run: | + redis-cli SET test_key "test_value" + redis-cli GET test_key | grep "test_value" + - name: Verify Redis environment variables + run: | + grep "WP_REDIS_HOST" /srv/www/redis.example.com/current/.env + grep "WP_REDIS_PORT" /srv/www/redis.example.com/current/.env + grep "WP_REDIS_DATABASE" /srv/www/redis.example.com/current/.env + - name: Verify Redis site install + run: curl -s http://redis.example.com | grep "<title>Redis Example" + - name: Verify FastCGI cache on example.com + run: | + # First request - check headers + echo "=== First request ===" + curl -I http://example.com | grep -i "fastcgi-cache" + # Second request - check headers + echo "=== Second request ===" + curl -I http://example.com | grep -i "fastcgi-cache" + # Third request - check headers (should be HIT by now) + echo "=== Third request ===" + curl -I http://example.com | grep -iE "fastcgi-cache: (MISS|HIT|STALE)" diff --git a/dev.yml b/dev.yml index 8625caa3fe..148f9a55b8 100644 --- a/dev.yml +++ b/dev.yml 
@@ -14,7 +14,8 @@ - { role: mailpit, tags: [mailpit, mailhog, mail] } - { role: php, tags: [php] } - { role: xdebug, tags: [php, xdebug] } - - { role: memcached, tags: [memcached] } + - { role: memcached, tags: [memcached], when: sites_using_memcached | count } + - { role: redis, tags: [redis], when: sites_using_redis | count } - { role: nginx, tags: [nginx] } - { role: logrotate, tags: [logrotate] } - { role: composer, tags: [composer] } diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 7db67b83f8..c1fb606d83 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -10,7 +10,29 @@ wordpress_env_defaults: domain_current_site: "{{ site_hosts_canonical | first }}" wp_debug_log: "{{ www_root }}/{{ item.key }}/logs/debug.log" -site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" +# Redis cache environment variables (when enabled) +redis_cache_env: + wp_redis_host: "{{ item.value.object_cache.host | default('127.0.0.1') }}" + wp_redis_port: "{{ item.value.object_cache.port | default(6379) }}" + wp_redis_database: "{{ item.value.object_cache.database | default(0) }}" + wp_redis_prefix: "{{ item.value.object_cache.prefix | default(item.key | underscore + '_') }}" + wp_cache_key_salt: "{{ item.key }}_{{ env }}" + +# Memcached cache environment variables (when enabled) +memcached_cache_env: + wp_memcached_host: "{{ item.value.object_cache.host | default('127.0.0.1') }}" + wp_memcached_port: "{{ item.value.object_cache.port | default(11211) }}" + wp_memcached_prefix: "{{ item.value.object_cache.prefix | default(item.key | underscore + '_') }}" + wp_cache_key_salt: "{{ item.key }}_{{ env }}" + +site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), object_cache_enabled_redis | ternary(redis_cache_env, {}), object_cache_enabled_memcached | ternary(memcached_cache_env, {}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" + +object_cache_enabled_redis: "{{ item.value.object_cache.enabled | default(false) and item.value.object_cache.provider | default('') == 'redis' }}" +object_cache_enabled_memcached: "{{ item.value.object_cache.enabled | default(false) and item.value.object_cache.provider | default('') == 'memcached' }}" + +# Sites using Redis or Memcached object cache +sites_using_redis: "[{% for name, site in wordpress_sites.items() | list if site.object_cache.enabled | default(false) and site.object_cache.provider | default('') == 'redis' %}'{{ name }}',{% endfor %}]" 
+sites_using_memcached: "[{% for name, site in wordpress_sites.items() | list if site.object_cache.enabled | default(false) and site.object_cache.provider | default('') == 'memcached' %}'{{ name }}',{% endfor %}]" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml index 4aad97a561..fc77199f30 100644 --- a/group_vars/development/wordpress_sites.yml +++ b/group_vars/development/wordpress_sites.yml @@ -19,3 +19,4 @@ wordpress_sites: enabled: false xmlrpc: enabled: false + diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index 1a7612f9bb..2b5e6ba81e 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml 
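Review bot: `sites_using_redis` and `sites_using_memcached` (the last two added lines) are rendered as list-looking strings, and the `when: sites_using_redis | count` / `when: sites_using_memcached | count` conditions added to dev.yml and server.yml only behave as a list count because ansible-core below 2.19 appears to convert a templated string that parses as a Python literal back into a list; without that conversion `count` on the string `"[]"` is 2 and both roles run on every host. Building a real list removes the dependency, e.g. `sites_using_redis: "{{ wordpress_sites | dict2items | selectattr('value.object_cache.enabled', 'defined') | selectattr('value.object_cache.enabled') | selectattr('value.object_cache.provider', 'defined') | selectattr('value.object_cache.provider', 'equalto', 'redis') | map(attribute='key') | list }}"` (same shape for memcached), or at minimum the consumers can use `when: sites_using_redis | from_yaml | count`. `object_cache_enabled_redis` and `object_cache_enabled_memcached` are defined after the `site_env` line that uses them; lazy templating makes that work, but placing them above `site_env` with a one-line comment (`# true only when object_cache.enabled and provider == 'redis'`) reads better.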
@@ -12,4 +12,23 @@ wordpress_env_defaults: wp_debug_log: "{{ project_root }}/logs/debug.log" wp_post_revisions: true -site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" +# Redis cache environment variables for deployment +deploy_redis_cache_env: + wp_redis_host: "{{ project.object_cache.host | default('127.0.0.1') }}" + wp_redis_port: "{{ project.object_cache.port | default(6379) }}" + wp_redis_database: "{{ project.object_cache.database | default(0) }}" + wp_redis_prefix: "{{ project.object_cache.prefix | default(site | underscore + '_') }}" + wp_cache_key_salt: "{{ site }}_{{ env }}" + +# Memcached cache environment variables for deployment +deploy_memcached_cache_env: + wp_memcached_host: "{{ project.object_cache.host | default('127.0.0.1') }}" + wp_memcached_port: "{{ project.object_cache.port | default(11211) }}" + wp_memcached_prefix: "{{ project.object_cache.prefix | default(site | underscore + '_') }}" + wp_cache_key_salt: "{{ site }}_{{ env }}" + +site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), deploy_object_cache_enabled_redis | ternary(deploy_redis_cache_env, {}), deploy_object_cache_enabled_memcached | ternary(deploy_memcached_cache_env, {}), project.env | default({}), vault_wordpress_sites[site].env) }}" + +# Helper variables for deploy object cache conditions +deploy_object_cache_enabled_redis: "{{ project.object_cache.enabled | default(false) and project.object_cache.provider | default('') == 'redis' }}" +deploy_object_cache_enabled_memcached: "{{ project.object_cache.enabled | default(false) and project.object_cache.provider | default('') == 'memcached' }}" diff --git a/roles/php/vars/version-specific-defaults.yml b/roles/php/vars/version-specific-defaults.yml index b3bc73a075..8d1bfb2e69 100644 --- a/roles/php/vars/version-specific-defaults.yml +++ b/roles/php/vars/version-specific-defaults.yml 
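Review bot: `deploy_redis_cache_env` exports host, port, database and prefix but no `wp_redis_password`, while the wordpress-setup defaults added in this same commit derive `redis_password` from `object_cache.password`; a site whose server sets `redis_requirepass` therefore gets no `WP_REDIS_PASSWORD` in its `.env` unless the user duplicates it under `project.env`. The `redis_cache_env` mapping in group_vars/all/helpers.yml has the same gap, and the two mappings are otherwise copies of each other differing only in `project`/`site` versus `item.value`/`item.key`, which is worth a comment pointing at the other file so they are changed together. If a password is meant to be supported, it should be sourced from `vault_wordpress_sites` like the other per-site secrets rather than from the plaintext site config.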
@@ -26,4 +26,7 @@ php_extensions_default: php_memcached_packages: "php{{ php_version }}-memcached": "{{ apt_package_state }}" +php_redis_packages: + "php{{ php_version }}-redis": "{{ apt_package_state }}" + php_xdebug_package: "php{{ php_version }}-xdebug" diff --git a/roles/redis/defaults/main.yml b/roles/redis/defaults/main.yml new file mode 100644 index 0000000000..2a3bcf6148 --- /dev/null +++ b/roles/redis/defaults/main.yml 
@@ -0,0 +1,88 @@
+---
+# Basic Redis configuration
+redis_daemonize: "yes"
+redis_pidfile: /run/redis/redis-server.pid
+redis_port: 6379
+redis_bind_interface: 127.0.0.1
+redis_unixsocket: /var/run/redis/redis.sock
+redis_timeout: 0
+redis_tcp_keepalive: 0
+
+# Logging
+redis_loglevel: notice
+redis_logfile: /var/log/redis/redis-server.log
+
+# Database configuration
+redis_databases: 16
+
+# Persistence - RDB snapshots
+redis_save:
+ - "900 1"
+ - "300 10"
+ - "60 10000"
+
+redis_stop_writes_on_bgsave_error: "yes"
+redis_rdbcompression: "yes"
+redis_rdbchecksum: "yes"
+redis_dbfilename: dump.rdb
+redis_dir: /var/lib/redis
+
+# Memory management
+redis_maxclients: 10000
+redis_maxmemory: 256mb
+redis_maxmemory_policy: allkeys-lru
+redis_maxmemory_samples: 5
+
+# Append Only File (AOF) persistence
+redis_appendonly: "no"
+redis_appendfilename: appendonly.aof
+redis_appendfsync: everysec
+redis_no_appendfsync_on_rewrite: "no"
+redis_auto_aof_rewrite_percentage: 100
+redis_auto_aof_rewrite_min_size: 64mb
+redis_aof_load_truncated: "yes"
+
+# Advanced configuration
+redis_lua_time_limit: 5000
+redis_slowlog_log_slower_than: 10000
+redis_slowlog_max_len: 128
+redis_latency_monitor_threshold: 0
+
+# Hash table optimizations
+redis_hash_max_ziplist_entries: 512
+redis_hash_max_ziplist_value: 64
+redis_list_max_ziplist_entries: 512
+redis_list_max_ziplist_value: 64
+redis_set_max_intset_entries: 512
+redis_zset_max_ziplist_entries: 128
+redis_zset_max_ziplist_value: 64
+redis_hll_sparse_max_bytes: 3000
+redis_activerehashing: "yes"
+
+# Client output buffer limits
+redis_client_output_buffer_limit_normal: "0 0 0"
+redis_client_output_buffer_limit_replica: "256mb 64mb 60"
+redis_client_output_buffer_limit_pubsub: "32mb 8mb 60"
+
+# Misc
+redis_hz: 10
+redis_aof_rewrite_incremental_fsync: "yes"
+
+# Security
+redis_requirepass: false
+redis_disabled_commands:
+ - FLUSHDB
+ - FLUSHALL
+ - KEYS
+ - CONFIG
+ - SHUTDOWN
+
+# Custom configuration
+redis_includes: []
+redis_extra_config: {} + +redis_packages_default: + redis-server: "{{ apt_package_state }}" + +redis_packages_custom: {} +redis_packages: "{{ redis_packages_default | combine(php_redis_packages, redis_packages_custom) }}" \ No newline at end of file diff --git a/roles/redis/handlers/main.yml b/roles/redis/handlers/main.yml new file mode 100644 index 0000000000..d3d79a6b91 --- /dev/null +++ b/roles/redis/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart redis + service: + name: redis-server + state: restarted \ No newline at end of file diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml new file mode 100644 index 0000000000..f7b17ca1eb --- /dev/null +++ b/roles/redis/tasks/main.yml @@ -0,0 +1,41 @@ +--- +- name: Install Redis and PHP extension + apt: + name: "{{ item.key }}" + state: "{{ item.value }}" + update_cache: true + cache_valid_time: "{{ apt_cache_valid_time }}" + loop: "{{ redis_packages | dict2items }}" + loop_control: + label: "{{ item.key }}" + +- name: Create Redis configuration file + template: + src: redis.conf.j2 + dest: /etc/redis/redis.conf + owner: redis + group: redis + mode: 0640 + notify: restart redis + +- name: Create Redis socket directory + file: + path: /var/run/redis + state: directory + owner: redis + group: redis + mode: 0755 + when: redis_unixsocket is defined + +- name: Add web user to redis group for socket access + user: + name: "{{ web_user }}" + groups: redis + append: true + when: redis_unixsocket is defined + +- name: Ensure Redis is started and enabled + service: + name: redis-server + state: started + enabled: true \ No newline at end of file diff --git a/roles/redis/templates/redis.conf.j2 b/roles/redis/templates/redis.conf.j2 new file mode 100644 index 0000000000..cc8dff18e2 --- /dev/null +++ b/roles/redis/templates/redis.conf.j2 
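Review bot: `redis_packages` combines `php_redis_packages`, which this role does not define; it comes from roles/php/vars/version-specific-defaults.yml in the same commit, so the role only resolves when the php role is loaded in the same play (true for dev.yml and server.yml here) and fails with an undefined variable when run on its own. Either give it a local fallback, `php_redis_packages: {}` above the `combine`, or record the dependency: `# php_redis_packages is exported by the php role; redis must be listed after php in the play`. `redis_requirepass: false` with `redis_bind_interface: 127.0.0.1` is a reasonable default, but note that `redis_disabled_commands` is enforced by `rename-command ... ""` in the template; on Redis 6+ an ACL rule on the default user is the supported way to restrict commands and is worth considering as the mechanism. Several new files in this commit, this one included, are written without a trailing newline.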
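Review bot: `when: redis_unixsocket is defined` on the socket-directory and group-membership tasks is always true because the role defaults define `redis_unixsocket`, while the template disables the socket on a falsy value (`{% if redis_unixsocket %}`); a user who sets `redis_unixsocket: false` still gets `{{ web_user }}` added to the `redis` group, so both tasks should use the same truth test, `when: redis_unixsocket | default(false)`. Membership in the `redis` group also makes `/etc/redis/redis.conf` (installed `0640` `redis:redis` by the template task) readable by the web user, including any `requirepass` value rendered into it; since redis-server runs as `redis` it can still read a `0600` file, so `mode: "0600"` on the config keeps the socket access without exposing the config. Quoting the modes (`"0640"`, `"0755"`) also avoids the YAML octal/decimal ambiguity.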
@@ -0,0 +1,105 @@ +# {{ ansible_managed }} + +# Network configuration +bind {{ redis_bind_interface }} +port {{ redis_port }} + +{% if redis_unixsocket %} +unixsocket {{ redis_unixsocket }} +unixsocketperm 770 +{% endif %} + +# General configuration +daemonize {{ redis_daemonize }} +pidfile {{ redis_pidfile }} +timeout {{ redis_timeout }} +tcp-keepalive {{ redis_tcp_keepalive }} + +# Logging +loglevel {{ redis_loglevel }} +logfile {{ redis_logfile }} + +# Database configuration +databases {{ redis_databases }} + +# RDB persistence +{% for save in redis_save %} +save {{ save }} +{% endfor %} + +stop-writes-on-bgsave-error {{ redis_stop_writes_on_bgsave_error }} +rdbcompression {{ redis_rdbcompression }} +rdbchecksum {{ redis_rdbchecksum }} +dbfilename {{ redis_dbfilename }} +dir {{ redis_dir }} + +# Memory management +maxclients {{ redis_maxclients }} +{% if redis_maxmemory %} +maxmemory {{ redis_maxmemory }} +maxmemory-policy {{ redis_maxmemory_policy }} +maxmemory-samples {{ redis_maxmemory_samples }} +{% endif %} + +# AOF persistence +appendonly {{ redis_appendonly }} +appendfilename {{ redis_appendfilename }} +appendfsync {{ redis_appendfsync }} +no-appendfsync-on-rewrite {{ redis_no_appendfsync_on_rewrite }} +auto-aof-rewrite-percentage {{ redis_auto_aof_rewrite_percentage }} +auto-aof-rewrite-min-size {{ redis_auto_aof_rewrite_min_size }} +aof-load-truncated {{ redis_aof_load_truncated }} + +# Lua scripting +lua-time-limit {{ redis_lua_time_limit }} + +# Slow log +slowlog-log-slower-than {{ redis_slowlog_log_slower_than }} +slowlog-max-len {{ redis_slowlog_max_len }} + +# Latency monitoring +latency-monitor-threshold {{ redis_latency_monitor_threshold }} + +# Event notification +notify-keyspace-events "" + +# Hash table optimizations +hash-max-ziplist-entries {{ redis_hash_max_ziplist_entries }} +hash-max-ziplist-value {{ redis_hash_max_ziplist_value }} +list-max-ziplist-entries {{ redis_list_max_ziplist_entries }} +list-max-ziplist-value {{ 
redis_list_max_ziplist_value }} +set-max-intset-entries {{ redis_set_max_intset_entries }} +zset-max-ziplist-entries {{ redis_zset_max_ziplist_entries }} +zset-max-ziplist-value {{ redis_zset_max_ziplist_value }} +hll-sparse-max-bytes {{ redis_hll_sparse_max_bytes }} + +# Rehashing +activerehashing {{ redis_activerehashing }} + +# Client output buffer limits +client-output-buffer-limit normal {{ redis_client_output_buffer_limit_normal }} +client-output-buffer-limit replica {{ redis_client_output_buffer_limit_replica }} +client-output-buffer-limit pubsub {{ redis_client_output_buffer_limit_pubsub }} + +# Miscellaneous +hz {{ redis_hz }} +aof-rewrite-incremental-fsync {{ redis_aof_rewrite_incremental_fsync }} + +# Security +{% if redis_requirepass %} +requirepass {{ redis_requirepass }} +{% endif %} + +{% for command in redis_disabled_commands %} +rename-command {{ command }} "" +{% endfor %} + +# Includes +{% for include in redis_includes %} +include {{ include }} +{% endfor %} + +# Custom configuration +{% for key, value in redis_extra_config.items() %} +{{ key }} {{ value }} +{% endfor %} \ No newline at end of file diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index e654f59aa7..b6ab6ebd28 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
@@ -26,6 +26,26 @@ nginx_skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.ph nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in nginx_cache_background_update: "on" +# Cache configuration helpers +cache_config: "{{ item.value.cache | default({}) }}" +object_cache_config: "{{ item.value.object_cache | default({}) }}" + +# FastCGI cache - enabled when cache.enabled is true (backward compatible) +fastcgi_cache_enabled: "{{ cache_config.enabled | default(false) }}" + +# Object cache - enabled when object_cache.enabled is true +object_cache_enabled: "{{ object_cache_config.enabled | default(false) }}" +object_cache_provider: "{{ object_cache_config.provider | default('redis') }}" + +# Object cache defaults +redis_host: "{{ object_cache_config.host | default('127.0.0.1') }}" +redis_port: "{{ object_cache_config.port | default(6379) }}" +redis_database: "{{ object_cache_config.database | default(0) }}" +redis_password: "{{ object_cache_config.password | default('') }}" +redis_prefix: "{{ object_cache_config.prefix | default('') }}" +memcached_host: "{{ object_cache_config.host | default('127.0.0.1') }}" +memcached_port: "{{ object_cache_config.port | default(11211) }}" + # Nginx includes nginx_includes_templates_path: nginx-includes nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }})/(.*)\\.j2$" diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 91e52f495b..3f091a7519 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -38,7 +38,7 @@ server { {% endblock -%} {% block cache_conditions -%} - {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} + {% if fastcgi_cache_enabled -%} # Fastcgi cache conditions set $skip_cache 0; 
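Review bot: The per-site helpers are named `redis_host`, `redis_port`, `redis_database`, `redis_password` and `redis_prefix`, which land in the same namespace as the redis role's own defaults (`redis_port` is defined there too in this commit), and because they reference `item` via `object_cache_config` they fail with an undefined `item` if a task outside the `wordpress_sites` loop ever resolves one; which definition a given task sees then depends on role-default precedence. A prefix such as `object_cache_host`, `object_cache_port`, `object_cache_database` removes the ambiguity. Only `fastcgi_cache_enabled` is consumed by the templates changed in this commit, so the `redis_*`/`memcached_*` helpers may be unused, and `redis_password` reads from the plaintext site config rather than `vault_wordpress_sites`, where the other per-site secrets live.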
@@ -242,7 +242,7 @@ server { {% endblock -%} {% block cache_config -%} - {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} + {% if fastcgi_cache_enabled -%} # Fastcgi cache settings fastcgi_cache wordpress; fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }}; diff --git a/server.yml b/server.yml index eb08de3c68..0ec179c061 100644 --- a/server.yml +++ b/server.yml @@ -23,7 +23,8 @@ - { role: mariadb, tags: [mariadb] } - { role: ssmtp, tags: [ssmtp, mail] } - { role: php, tags: [php] } - - { role: memcached, tags: [memcached] } + - { role: memcached, tags: [memcached], when: sites_using_memcached | count } + - { role: redis, tags: [redis], when: sites_using_redis | count } - { role: nginx, tags: [nginx] } - { role: logrotate, tags: [logrotate] } - { role: composer, tags: [composer] } From d3f514ad11f8bc2b50192386b703cc1cbc15b6f1 Mon Sep 17 00:00:00 2001 From: Bill Ruddock <bill.ruddock@fatsoma.com> Date: Fri, 15 Aug 2025 03:32:30 +0100 Subject: [PATCH 623/663] Fix HSTS header omitted parts (#1592) None seems to be replaced by an empty string by ansible. This can result in the Strict-Transport-Security header with a value like "max-age=1234; ; " or "max-age=1234; includeSubdomains; " Follow the ansible playbook guide example for omitting items from a list using the special omit variable. --- roles/wordpress-setup/defaults/main.yml | 4 ++-- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index b6ab6ebd28..87197b6df5 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
@@ -17,8 +17,8 @@ nginx_hsts_preload: false # HSTS helpers hsts_max_age: "{{ item.value.ssl.hsts_max_age | default(nginx_hsts_max_age) }}" -hsts_include_subdomains: "{{ item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubDomains', None) }}" -hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | ternary('preload', None) }}" +hsts_include_subdomains: "{{ item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubDomains', omit) }}" +hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | ternary('preload', omit) }}" # Fastcgi cache params nginx_cache_duration: 30s diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 3f091a7519..c792f77ef5 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -86,7 +86,7 @@ server { ssl_buffer_size 1400; # 1400 bytes to fit in one MTU {% if item.value.ssl.provider | default('manual') != 'self-signed' -%} - add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') | trim }}"; + add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('equalto', omit) | join('; ') | trim }}"; {% endif -%} {% if item.value.ssl.client_cert_url is defined -%} From 7c50c290fc59fd932a67ebea462ede8b89a57a2f Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Mon, 8 Sep 2025 19:09:50 -0400 Subject: [PATCH 624/663] Change npm command to 'npm ci' in build example (#1597) --- deploy-hooks/build-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index f437cc01c5..2d246c6831 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml 
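Review bot: `reject('equalto', omit)` works because `omit` renders as a per-run placeholder string, but `omit` is documented for module arguments, so relying on its string form inside a header template is fragile. The failure the commit describes was empty strings in the list, and the same result follows from dropping falsy members without a sentinel: `add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | select | join('; ') }}";` with the defaults using `ternary('includeSubDomains', '')` and `ternary('preload', '')`. Whichever form stays, a comment on `hsts_include_subdomains` saying that the empty/omitted member is filtered out by the template would spare the next reader the same debugging.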
@@ -8,7 +8,7 @@ # # --- # - name: Install npm dependencies -# command: npm install +# command: npm ci # delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" From 74c6b73fcdbbb1c820fd89e3c0c862a55f865dc8 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Thu, 11 Sep 2025 05:35:41 -0400 Subject: [PATCH 625/663] Add ansible-core version constraint (#1600) --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index 5955db3396..ea21fa4034 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,3 @@ ansible>=2.10.0 +ansible-core<2.19.0 passlib From 605670aa125506470a55a7f6263da389d7bdc0fc Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Fri, 19 Sep 2025 09:54:39 -0400 Subject: [PATCH 626/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 452555c19a..14d3f3df8c 100644 --- a/README.md +++ b/README.md 
@@ -26,7 +26,7 @@ Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). <div align="center"> -<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://worksitesafety.ca/careers/"><img src="https://cdn.roots.io/app/uploads/worksite-safety.svg" alt="Worksite Safety" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> <a href="https://bonsai.so/"><img src="https://cdn.roots.io/app/uploads/bonsai.svg" alt="Bonsai" width="120" height="90"></a> +<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> <a href="https://bonsai.so/"><img src="https://cdn.roots.io/app/uploads/bonsai.svg" alt="Bonsai" width="120" height="90"></a> </div> ## Overview From 852af29f458c4bf7b83ed0f2f09d33bd53619889 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Fri, 19 Sep 2025 11:38:21 -0400 Subject: [PATCH 627/663] Update CHANGELOG [ci skip] --- CHANGELOG.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c1287cd06..39755f265b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,41 @@ +### 1.26.0: Sept 19, 2025 +* Update actions/checkout action to v5 [#1591](https://github.com/roots/trellis/pull/1591) +* Replace deprecated `distutils` version usage [#1590](https://github.com/roots/trellis/pull/1590) +* ✨ Add Redis object cache support [#1589](https://github.com/roots/trellis/pull/1589) +* Fix HSTS header omitted parts [#1592](https://github.com/roots/trellis/pull/1592) +* Change npm command to 'npm ci' in build example [#1597](https://github.com/roots/trellis/pull/1597) +* Add ansible-core version constraint [#1600](https://github.com/roots/trellis/pull/1600) + +### 1.25.0: July 31, 2025 +* Allow removal of old SSH keys on provision [#1576](https://github.com/roots/trellis/pull/1576) +* Filter Nginx includes by sites present on target server [#1573](https://github.com/roots/trellis/pull/1573) +* Allow cleaning apt sources on provision [#1578](https://github.com/roots/trellis/pull/1578) +* ⬆️ Use PHP 8.3 by default [#1580](https://github.com/roots/trellis/pull/1580) +* `wp-cli-version-check.yml`: Use `gh` to fetch WP CLI release info [#1585](https://github.com/roots/trellis/pull/1585) +* Add `X-Cache-Enabled` HTTP header [#1513](https://github.com/roots/trellis/pull/1513) +* Run ferm role when letsencrypt tag is defined on provision [#1588](https://github.com/roots/trellis/pull/1588) +* Update acme_tiny_repo [#1582](https://github.com/roots/trellis/pull/1582) + +### 1.24.1: May 8th, 2025 +* Update WP-CLI version to 2.12.0 [#1574](https://github.com/roots/trellis/pull/1574) + +### 1.24.0: April 21st, 2025 +* Use proper `$host` for FastCGI `SERVER_NAME` param [#1552](https://github.com/roots/trellis/pull/1552) +* Fix Python string escape sequences [#1554](https://github.com/roots/trellis/pull/1554) +* Mitigate REST API cache poisoning via Method Override [#1556](https://github.com/roots/trellis/pull/1556) +* Update dependency ntp to v2.7.0 [#1553](https://github.com/roots/trellis/pull/1553) +* Update dependency swapfile to v2.0.42 
[#1549](https://github.com/roots/trellis/pull/1549) +* 🔧 FastCGI Cache: Stop ignoring Cache-Control headers [#1555](https://github.com/roots/trellis/pull/1555) +* Update build-before.yml for Sage 11 [#1559](https://github.com/roots/trellis/pull/1559) +* 🔧 PHP 8.4 support [#1560](https://github.com/roots/trellis/pull/1560) +* Remove Let's Encrypt contact email support [#1558](https://github.com/roots/trellis/pull/1558) +* Remove OCSP stapling [#1557](https://github.com/roots/trellis/pull/1557) +* Remove "production" from asset compilation titles [#1566](https://github.com/roots/trellis/pull/1566) +* 🩹 Add retry to adding PPA's [#1568](https://github.com/roots/trellis/pull/1568) +* Refactor PHP role to support future versions by default [#1511](https://github.com/roots/trellis/pull/1511) +* Flush rewrite rules at the end of each deploy [#1567](https://github.com/roots/trellis/pull/1567) +* Replace link for creating CSP [#1564](https://github.com/roots/trellis/pull/1564) + ### 1.23.0: September 11th, 2024 * Ubuntu 24.04 support [#1519](https://github.com/roots/trellis/pull/1519) * Update MariaDB to 10.11 [#1520](https://github.com/roots/trellis/pull/1520) From b5b0a5f9e684c5812f39c21c01a14eb3c0b40eee Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Thu, 25 Sep 2025 12:22:13 -0400 Subject: [PATCH 628/663] =?UTF-8?q?=F0=9F=93=9D=20Update=20README=20[ci=20?= =?UTF-8?q?skip]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 14d3f3df8c..04855b85fb 100644 --- a/README.md +++ b/README.md 
@@ -5,13 +5,9 @@ </p> <p align="center"> - <a href="https://github.com/roots/trellis/actions/workflows/ci.yml"> - <img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/roots/trellis/ci.yml?branch=master&logo=github&label=CI&style=flat-square"> - </a> - - <a href="https://twitter.com/rootswp"> - <img alt="Follow Roots" src="https://img.shields.io/badge/follow%20@rootswp-1da1f2?logo=twitter&logoColor=ffffff&message=&style=flat-square"> - </a> + <a href="https://github.com/roots/trellis/actions/workflows/ci.yml"><img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/roots/trellis/ci.yml?branch=master&logo=github&label=CI&style=flat-square"></a> + <a href="https://twitter.com/rootswp"><img alt="Follow Roots" src="https://img.shields.io/badge/follow%20@rootswp-1da1f2?logo=twitter&logoColor=ffffff&message=&style=flat-square"></a> + <a href="https://github.com/sponsors/roots"><img src="https://img.shields.io/badge/sponsor%20roots-525ddc?logo=github&style=flat-square&logoColor=ffffff&message=" alt="Sponsor Roots"></a> </p> <p align="center">Ansible-powered LEMP stack for WordPress</strong></p> 
@@ -20,14 +16,13 @@ <a href="https://roots.io/trellis/">Website</a>    <a href="https://roots.io/trellis/docs/installation/">Documentation</a>    <a href="https://github.com/roots/trellis/releases">Releases</a>    <a href="https://discourse.roots.io/">Community</a> </p> +## Support us -## Sponsors +We're dedicated to pushing modern WordPress development forward through our open source projects, and we need your support to keep building. You can support our work by purchasing [Radicle](https://roots.io/radicle/), our recommended WordPress stack, or by [sponsoring us on GitHub](https://github.com/sponsors/roots). Every contribution directly helps us create better tools for the WordPress ecosystem. -Trellis is an open source project and completely free to use. If you've benefited from our projects and would like to support our future endeavors, please consider [sponsoring Roots](https://github.com/sponsors/roots). +### Sponsors -<div align="center"> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> <a href="https://bonsai.so/"><img src="https://cdn.roots.io/app/uploads/bonsai.svg" alt="Bonsai" width="120" height="90"></a> -</div> ## Overview From fbcc20fe1a53fd6761ceb7cacdf037cdfd41150e Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sat, 27 Sep 2025 19:32:36 -0400 Subject: [PATCH 629/663] Add WordPress sites to `/etc/hosts` (#1606) --- dev.yml | 1 + roles/hosts/tasks/main.yml | 7 +++++++ server.yml | 1 + 3 files changed, 9 insertions(+) create mode 100644 roles/hosts/tasks/main.yml diff --git a/dev.yml b/dev.yml index 148f9a55b8..5cec9d18ae 100644 --- a/dev.yml +++ b/dev.yml 
@@ -8,6 +8,7 @@ - { role: common, tags: [common] } - { role: fail2ban, tags: [fail2ban] } - { role: ferm, tags: [ferm] } + - { role: hosts, tags: [hosts] } - { role: ntp, tags: [ntp] } - { role: sshd, tags: [sshd] } - { role: mariadb, tags: [mariadb] } diff --git a/roles/hosts/tasks/main.yml b/roles/hosts/tasks/main.yml new file mode 100644 index 0000000000..b8fa6b60fa --- /dev/null +++ b/roles/hosts/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: Add WordPress sites to /etc/hosts + lineinfile: + path: /etc/hosts + line: "127.0.0.1 {{ item }}" + create: yes + with_items: "{{ wordpress_sites.values() | map(attribute='site_hosts') | list | flatten | map(attribute='canonical') | list | union(wordpress_sites.values() | map(attribute='site_hosts') | list | flatten | selectattr('redirects', 'defined') | map(attribute='redirects') | list | flatten) }}" \ No newline at end of file diff --git a/server.yml b/server.yml index 0ec179c061..d30eb2f88b 100644 --- a/server.yml +++ b/server.yml @@ -17,6 +17,7 @@ - { role: swapfile, swapfile_size: 1GB, swapfile_file: /swapfile, tags: [swapfile] } - { role: fail2ban, tags: [fail2ban] } - { role: ferm, tags: [ferm, letsencrypt] } + - { role: hosts, tags: [hosts] } - { role: ntp, tags: [ntp] } - { role: users, tags: [users] } - { role: sshd, tags: [sshd] } From 71dca9107aab1c898a04bc2070483ca56dfd79fa Mon Sep 17 00:00:00 2001 From: Johan <12563436+Dyras@users.noreply.github.com> Date: Sun, 5 Oct 2025 17:50:35 +0200 Subject: [PATCH 630/663] Set php_fpm_process_control_timeout to 10 to prevent deploy downtime (#1603) --- roles/php/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 2b150021ed..a807a80da4 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml 
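Review bot: The `lineinfile` task in roles/hosts/tasks/main.yml has no `regexp`, so it only appends: a canonical or redirect host later removed or renamed in `wordpress_sites` stays in `/etc/hosts`, and a line someone edited by hand to a different address is duplicated rather than corrected. `regexp: '^127\.0\.0\.1 {{ item | regex_escape }}$'` keeps one managed line per host. `create: yes` should be `create: true`, and the long `with_items` expression reads better as `loop:` over a `vars:` entry (e.g. `site_host_names`) built in two steps. On a production server this also points the host's own requests for its site domains at loopback (WP-Cron and REST self-requests, for instance), which is presumably the intent but is worth stating in the task name or a comment.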
@@ -40,5 +40,5 @@ php_fpm_set_emergency_restart_threshold: false php_fpm_emergency_restart_threshold: 0 php_fpm_set_emergency_restart_interval: false php_fpm_emergency_restart_interval: 0 -php_fpm_set_process_control_timeout: false -php_fpm_process_control_timeout: 0 +php_fpm_set_process_control_timeout: true +php_fpm_process_control_timeout: 10 From 1bc03317a8d2141995a8533df9a9993fcdab945c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 5 Oct 2025 17:30:26 -0400 Subject: [PATCH 631/663] Update dependency ntp to v3 (#1605) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 574332d4d3..ba6ae77132 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -6,7 +6,7 @@ roles: - name: ntp src: geerlingguy.ntp - version: 2.7.0 + version: 3.0.0 - name: logrotate src: nickhammond.logrotate From e10618ffe679dab06ad7119ee0b32658286e5a59 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sun, 5 Oct 2025 17:32:54 -0400 Subject: [PATCH 632/663] =?UTF-8?q?=E2=9C=A8=20Flush=20cache=20after=20dep?= =?UTF-8?q?loy=20(#1604)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/deploy/hooks/finalize-after.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 5a4809b659..75673c6587 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -37,6 +37,11 @@ chdir: "{{ deploy_helper.current_path }}" when: project.flush_rewrite_rules_on_deploy | default(flush_rewrite_rules_on_deploy) + - name: Flush cache + command: wp cache flush + args: + chdir: "{{ deploy_helper.current_path }}" + when: wp_installed.rc == 0 - name: Reload php-fpm From 95883bfd1b1a9c0a0dae07c1f92b8964923c5ee2 Mon Sep 17 00:00:00 2001 
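Review bot: The new `Flush cache` task in finalize-after.yml has no opt-out, unlike the rewrite-rules flush just above it, which is gated on `project.flush_rewrite_rules_on_deploy | default(flush_rewrite_rules_on_deploy)`; a site whose object cache is shared with other sites or deliberately kept warm cannot skip it. Because `command` fails on a non-zero exit, a `wp cache flush` that errors (backend down, drop-in missing) aborts the deploy after the release has already been switched. Suggest `when: wp_installed.rc == 0 and project.flush_cache_on_deploy | default(flush_cache_on_deploy | default(true))` with a matching role default, plus a comment noting that with Redis this presumably issues a database-wide flush, which is what the companion commit re-enabling `FLUSHDB` suggests. `wp_installed` is registered outside this hunk, so its shape is assumed.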
From: Ben Word <ben@benword.com> Date: Mon, 6 Oct 2025 14:32:12 -0400 Subject: [PATCH 633/663] Update CHANGELOG [ci skip] --- CHANGELOG.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 39755f265b..002ab0185a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,9 @@ -### 1.26.0: Sept 19, 2025 +### 1.26.1: October 6, 2025 +* Add WordPress sites to `/etc/hosts` [#1606](https://github.com/roots/trellis/pull/1606) +* Set php_fpm_process_control_timeout to 10 to prevent deploy downtime [#1603](https://github.com/roots/trellis/pull/1603) +* Flush cache after deploy [#1604](https://github.com/roots/trellis/pull/1604) + +### 1.26.0: September 19, 2025 * Update actions/checkout action to v5 [#1591](https://github.com/roots/trellis/pull/1591) * Replace deprecated `distutils` version usage [#1590](https://github.com/roots/trellis/pull/1590) * ✨ Add Redis object cache support [#1589](https://github.com/roots/trellis/pull/1589) From 6e8f063815a0324f2aac0da078344305d4611f51 Mon Sep 17 00:00:00 2001 From: zak-wearecore <54408655+zak-wearecore@users.noreply.github.com> Date: Wed, 8 Oct 2025 13:57:11 +0100 Subject: [PATCH 634/663] Remove FLUSHDB from redis_disabled_commands (#1609) --- roles/redis/defaults/main.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/redis/defaults/main.yml b/roles/redis/defaults/main.yml index 2a3bcf6148..f1355fa74c 100644 --- a/roles/redis/defaults/main.yml +++ b/roles/redis/defaults/main.yml @@ -18,7 +18,7 @@ redis_databases: 16 # Persistence - RDB snapshots redis_save: - "900 1" - - "300 10" + - "300 10" - "60 10000" redis_stop_writes_on_bgsave_error: "yes" @@ -71,7 +71,6 @@ redis_aof_rewrite_incremental_fsync: "yes" # Security redis_requirepass: false redis_disabled_commands: - - FLUSHDB - FLUSHALL - KEYS - CONFIG 
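Review bot: Re-enabling `FLUSHDB` while `redis_requirepass: false` stays the default (visible two lines above the list) means any process that can reach the Redis socket or port can wipe every key in that database, and if several sites share one database number a `wp cache flush` from one site clears the others' object cache as well. That is a reasonable trade-off for a cache, but it should be stated next to the list, e.g. `# FLUSHDB is allowed so that 'wp cache flush' works; keep Redis bound to localhost or set redis_requirepass`, and the bind-address default, which is outside this hunk, should be confirmed to be loopback-only. The trailing-whitespace fix on `"300 10"` is fine.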
@@ -85,4 +84,4 @@ redis_packages_default: redis-server: "{{ apt_package_state }}" redis_packages_custom: {} -redis_packages: "{{ redis_packages_default | combine(php_redis_packages, redis_packages_custom) }}" \ No newline at end of file +redis_packages: "{{ redis_packages_default | combine(php_redis_packages, redis_packages_custom) }}" From ff29c02e1de85494ec5ba3a0a641be6fb1d7ebc0 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 13 Oct 2025 19:21:56 -0400 Subject: [PATCH 635/663] Refactor User password hash creation (#1607) Use `mkpasswd` on the server instead of Ansible's `password_hash` on the host which requires the `passlib` dependency on macOS. --- lib/trellis/plugins/callback/vars.py | 11 ----------- requirements.txt | 1 - roles/common/tasks/main.yml | 21 --------------------- roles/users/tasks/main.yml | 15 ++++++++++++++- 4 files changed, 14 insertions(+), 34 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 1a754d908d..544df440bb 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -79,16 +79,6 @@ def cli_options(self): return ' '.join(options) - def darwin_without_passlib(self): - if not sys.platform.startswith('darwin'): - return False - - try: - import passlib.hash - return False - except: - return True - def v2_playbook_on_play_start(self, play): play_context = PlayContext(play=play) @@ -103,4 +93,3 @@ def v2_playbook_on_play_start(self, play): host.vars['cli_options'] = self.cli_options() host.vars['cli_ask_pass'] = self._options.get('ask_pass', False) host.vars['cli_ask_become_pass'] = self._options.get('become_ask_pass', False) - host.vars['darwin_without_passlib'] = self.darwin_without_passlib() diff --git a/requirements.txt b/requirements.txt index ea21fa4034..6ca4ad1de4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,2 @@ ansible>=2.10.0 ansible-core<2.19.0 -passlib 
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 78de190925..bcc9076120 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -96,27 +96,6 @@ Staging/Production: Create a new server with Ubuntu 20.04 and provision when: ansible_distribution_version is version('18.04', '<') -- name: Check whether passlib is needed - fail: - msg: | - Ansible on macOS requires Python's passlib module to create user password hashes - - If you're seeing this error message, you likely didn't use trellis-cli to create your project. - We highly recommend installing and using trellis-cli to manage your Trellis projects. - - See https://github.com/roots/trellis-cli for more documentation. - - For existing projects, you can run `trellis init` which will manage the dependencies automatically and fix this problem - as long as you use the `trellis` commands (like `trellis provision`) afterwards. - - To fix this manually, use pip to install the package: pip install passlib - - If pip is not installed, you'll have to install it first. - See https://stackoverflow.com/questions/17271319/how-do-i-install-pip-on-macos-or-os-x for many options. - - when: env != 'development' and darwin_without_passlib | default(false) - run_once: true - - name: Retrieve local SSH client's settings per host set_fact: ssh_client_ciphers: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep ciphers') }}" diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 476ae92f80..13af67c9f0 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml 
@@ -28,12 +28,25 @@ when: not sshd_permit_root_login tags: sshd +- name: Hash user passwords + command: + cmd: | + mkpasswd -m sha-512 --salt={{ (item.salt | default(''))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x") }} + stdin: "{{ item.password }}" + loop: "{{ vault_users | default([]) }}" + loop_control: + label: "{{ item.name }}" + when: item.password is defined + register: user_passwords_hashed + no_log: true + changed_when: false + - name: Setup users user: name: "{{ item.name }}" group: "{{ item.groups[0] }}" groups: "{{ item.groups | join(',') }}" - password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", (user.salt | default(""))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ "!" }}{% endfor %}' + password: "{{ (user_passwords_hashed.results | selectattr('item.name', 'equalto', item.name) | map(attribute='stdout') | first) | default(omit) }}" state: present shell: /bin/bash update_password: "{{ item.update_password | default('always') }}" From 2b3875a484f3097c5178d90aecd5b133639677e5 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 19:22:56 -0400 Subject: [PATCH 636/663] Update actions/setup-python action to v6 (#1596) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/ci.yml | 2 +- .github/workflows/integration.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3b84c52e31..e59dc87aba 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: python-version: ['3.x'] steps: - uses: actions/checkout@v5 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} architecture: x64 
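Review bot: Replacing the `{% else %}!` branch with `| default(omit)` changes what happens to a user that is in `users` but has no `password` in `vault_users`: the old template wrote `!` (locked) on every run, the new expression omits the field, so removing a password from the vault no longer locks an existing account and a user with `update_password: always` keeps whatever hash was last set. Restoring the old behaviour is `| default('!')` in place of `| default(omit)`, since `first` yields Undefined on an empty or skipped result and `default` still applies. In the hash task, `--salt=` is passed even when `item.salt` is undefined, producing an empty salt; I would not rely on mkpasswd treating that as "generate one", because the whois build enforces a minimum salt length for sha-512, so emit the flag only when a salt is given: `mkpasswd -m sha-512 {% if item.salt is defined %}--salt={{ ... }}{% endif %}`. `mkpasswd` comes from the `whois` package on Ubuntu; make sure it is in `apt_packages_default`, which is outside this hunk. The `Setup users` task continues past the end of the hunk.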
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index e646b70d89..cdf096fabd 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@v5 with: fetch-depth: 0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@v6 with: python-version: '3.9' - uses: ./.github/actions/setup-step-ca From dce9ff083b50bb20f556ae7bd143c9d5a7cf5284 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 13 Oct 2025 19:25:09 -0400 Subject: [PATCH 637/663] Improve common var definitions (#1593) --- roles/common/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 1b098c4fdc..7f598fad8a 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
@@ -40,8 +40,8 @@ apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.8', '>=') }}" -overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" -overlapping_kex: "[{% for kex in (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) if kex in ssh_client_kex %}'{{ kex }}',{% endfor %}]" -overlapping_macs: "[{% for mac in (sshd_macs_default + sshd_macs_extra) if mac in ssh_client_macs %}'{{ mac }}',{% endfor %}]" -host_key_types: "[{% for path in sshd_host_keys %}'{{ path | regex_replace('/etc/ssh/ssh_host_(.+)_key', '\\1') | regex_replace('dsa', 'ssh-dss')}}',{% endfor %}]" -overlapping_host_keys: "{% for key in host_key_types if key in ssh_client_host_key_algorithms %}{{ key }},{% endfor %}" +overlapping_ciphers: "{{ (sshd_ciphers_default + sshd_ciphers_extra) | intersect(ssh_client_ciphers) }}" +overlapping_kex: "{{ (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) | intersect(ssh_client_kex) }}" +overlapping_macs: "{{ (sshd_macs_default + sshd_macs_extra) | intersect(ssh_client_macs) }}" +host_key_types: "{{ sshd_host_keys | map('regex_replace', '/etc/ssh/ssh_host_(.+)_key', '\\1') | map('regex_replace', 'dsa', 'ssh-dss') | list }}" +overlapping_host_keys: "{{ host_key_types | intersect(ssh_client_host_key_algorithms) | join(',') }}" From a644a427afb1b20321405bf3c0225f58645907aa Mon Sep 17 00:00:00 2001 
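Review bot: `intersect(ssh_client_ciphers)` does not do what the template loop did: the `ssh_client_*` facts are whole `ssh -G` output lines such as `ciphers a,b,c` (they are set from `lookup('pipe', ... | grep ciphers)` in the common role's tasks), and Ansible's `intersect` builds a set from its argument — for a string, a set of characters — so the intersection is always empty and the downstream assert on `overlapping_ciphers | count` fails for every host. The loop form worked only because `cipher in ssh_client_ciphers` is a substring test. If the list form is kept, split the client value first, e.g. `(ssh_client_ciphers | regex_replace('^\\S+\\s+', '')).split(',')`, and likewise for kex, macs and host key algorithms. `overlapping_host_keys` also changed from a trailing-comma string to `join(',')`, which is worth checking against the template that consumes it.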
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 13 Oct 2025 23:26:04 -0400 Subject: [PATCH 638/663] Add `select_sites` custom filter (#1611) Simplifies complex Jinja templating logic which is brittle and breaks across Ansible versions. --- group_vars/all/helpers.yml | 6 ++-- lib/trellis/plugins/filter/filters.py | 44 +++++++++++++++++++++++++-- roles/letsencrypt/defaults/main.yml | 2 +- roles/mariadb/defaults/main.yml | 2 +- 4 files changed, 47 insertions(+), 7 deletions(-) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index c1fb606d83..28bc5202c7 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -31,15 +31,15 @@ object_cache_enabled_redis: "{{ item.value.object_cache.enabled | default(false) object_cache_enabled_memcached: "{{ item.value.object_cache.enabled | default(false) and item.value.object_cache.provider | default('') == 'memcached' }}" # Sites using Redis or Memcached object cache -sites_using_redis: "[{% for name, site in wordpress_sites.items() | list if site.object_cache.enabled | default(false) and site.object_cache.provider | default('') == 'redis' %}'{{ name }}',{% endfor %}]" -sites_using_memcached: "[{% for name, site in wordpress_sites.items() | list if site.object_cache.enabled | default(false) and site.object_cache.provider | default('') == 'memcached' %}'{{ name }}',{% endfor %}]" +sites_using_redis: "{{ (wordpress_sites | select_sites('object_cache.enabled', 'true') | select_sites('object_cache.provider', 'eq', 'redis')).keys() | list }}" +sites_using_memcached: "{{ (wordpress_sites | select_sites('object_cache.enabled', 'true') | select_sites('object_cache.provider', 'eq', 'memcached')).keys() | list }}" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" multisite_subdomains_wildcards: "{{ item.value.multisite.subdomains | default(false) | ternary( site_hosts_canonical | map('regex_replace', '^(www\\.)?(.*)$', '*.\\2') | list, [] ) }}" ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}" cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}" -sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}" +sites_use_ssl: "{{ (wordpress_sites | 
select_sites('ssl.enabled', 'true') | length) > 0 }}" composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" # Default `type` is `http-basic`. diff --git a/lib/trellis/plugins/filter/filters.py b/lib/trellis/plugins/filter/filters.py index 8b4f624232..ce0f2aaa1d 100644 --- a/lib/trellis/plugins/filter/filters.py +++ b/lib/trellis/plugins/filter/filters.py @@ -2,6 +2,7 @@ from ansible import errors from ansible.module_utils.six import string_types +from jinja2 import pass_environment def to_env(dict_value): envs = ["{0}='{1}'".format(key.upper(), str(value).replace("'","\\'")) for key, value in sorted(dict_value.items())] 
@@ -11,11 +12,50 @@ def underscore(value): ''' Convert dots to underscore in a string ''' return value.replace('.', '_') -class FilterModule(object): - ''' Trellis jinja2 filters ''' +def get_nested_attr(data, attr_path): + """Helper to safely get a nested attribute from a dict.""" + keys = attr_path.split('.') + for key in keys: + if not isinstance(data, dict) or key not in data: + return None + data = data[key] + return data + +@pass_environment +def select_sites(env, sites, attr_path, test_name='defined', *args): + """ + A filter that mimics selectattr but works on nested attributes safely. + It uses Jinja's own built-in tests. + """ + test_func = env.tests.get(test_name) + if test_func is None: + raise Exception(f"Unknown Jinja2 test '{test_name}'") + + if not isinstance(sites, dict): + return {} + + result = {} + for name, site_data in sites.items(): + value_to_test = get_nested_attr(site_data, attr_path) + # For most tests, we skip sites where the attribute doesn't exist. + if value_to_test is None and test_name != 'defined': + continue + + # Handle tests that don't take arguments, like 'true' or 'false' + if not args and test_name in ['true', 'false', 'undefined', 'defined']: + if test_func(value_to_test): + result[name] = site_data + # Handle tests that do take arguments + elif test_func(value_to_test, *args): + result[name] = site_data + + return result + +class FilterModule(object): def filters(self): return { + 'select_sites': select_sites, 'to_env': to_env, 'underscore': underscore, } diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 867ac96687..965a286124 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
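Review bot: `select_sites` with the default `test_name='defined'` selects every site regardless of whether the attribute exists, because `get_nested_attr` returns `None` for a missing key and Jinja's `defined` test only checks for `Undefined`, so `None` counts as defined; `'undefined'` likewise never matches. Use a private sentinel to distinguish "key absent" from a stored `None`, as sketched below. The unknown-test branch raises a bare `Exception`; the file already imports `errors` from ansible, so `errors.AnsibleFilterError` gives the user a proper filter error instead of a traceback. The `if not args and test_name in [...]` branch is also redundant, since `test_func(value_to_test, *args)` with empty `args` is the same call. The docstring should state that the filter returns a dict of name → site and that a missing attribute is skipped for every test except `undefined`.

```python
_MISSING = object()  # sentinel: distinguishes "key absent" from a stored None


def get_nested_attr(data, attr_path):
    """Walk a dotted path through nested dicts; return _MISSING if any key is absent."""
    for key in attr_path.split('.'):
        if not isinstance(data, dict) or key not in data:
            return _MISSING
        data = data[key]
    return data


@pass_environment
def select_sites(env, sites, attr_path, test_name='defined', *args):
    """Return {name: site} for sites whose nested attr_path passes the Jinja test."""
    test_func = env.tests.get(test_name)
    if test_func is None:
        raise errors.AnsibleFilterError("select_sites: unknown Jinja2 test '{0}'".format(test_name))
    # … unchanged: return {} when sites is not a dict …
    result = {}
    for name, site_data in sites.items():
        value_to_test = get_nested_attr(site_data, attr_path)
        if value_to_test is _MISSING:
            if test_name == 'undefined':
                result[name] = site_data
            continue
        if test_name == 'undefined':
            continue
        if test_func(value_to_test, *args):
            result[name] = site_data
    return result
```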
@@ -1,4 +1,4 @@ -sites_using_letsencrypt: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" +sites_using_letsencrypt: "{{ (wordpress_sites | select_sites('ssl.enabled', 'true') | select_sites('ssl.provider', 'eq', 'letsencrypt')).keys() | list }}" site_uses_letsencrypt: "{{ (ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt') | bool }}" missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 3aa0af0969..a163dd33ac 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -7,7 +7,7 @@ mariadb_server_package: mariadb-server mysql_binary_logging_disabled: true mysql_root_user: root -sites_using_remote_db: "[{% for name, site in wordpress_sites.items() | list if site.env is defined and site.env.db_host | default('localhost') != 'localhost' %}'{{ name }}',{% endfor %}]" +sites_using_remote_db: "{{ (wordpress_sites | select_sites('env.db_host', 'ne', 'localhost')).keys() | list }}" mariadb_set_innodb_buffer_pool_size: false mariadb_innodb_buffer_pool_size: 128M From 787b7727428d7b6ed5b4ac1e366224c05271ec3b Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Mon, 13 Oct 2025 23:39:28 -0400 Subject: [PATCH 639/663] Remove complex duplicate sites validation (#1612) This is a complicated validation for an uncommon edge case. It's also using brittle loops in jinja which is prone to break on Ansible upgrades. This was originally added in https://github.com/roots/trellis/pull/910. --- roles/common/defaults/main.yml | 20 -------------------- roles/common/tasks/main.yml | 22 ---------------------- 2 files changed, 42 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 7f598fad8a..0e18efa8af 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -1,25 +1,5 @@ ntp_timezone: Etc/UTC -env_groups: "{{ ['development', 'staging', 'production'] | intersect(group_names) }}" - -envs_with_wp_sites: "{{ - lookup('filetree', playbook_dir + '/group_vars') | - selectattr('path', 'match', '(' + env_groups | join('|') + ')/wordpress_sites\\.yml$') | - map(attribute='path') | map('regex_replace', '([^/]*)/.*', '\\1') | list -}}" - -site_keys_by_env_pair: "[ - {% for env_pair in envs_with_wp_sites | combinations(2) | list %} - { - 'env_pair': {{ env_pair }}, - 'site_keys': {{ - (vars[env_pair[0] + '_sites'].wordpress_sites | default({})).keys() | intersect( - (vars[env_pair[1] + '_sites'].wordpress_sites | default({})).keys()) - }} - }, - {% endfor %} -]" - apt_packages_default: build-essential: "{{ apt_package_state }}" cron: "{{ apt_package_state }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index bcc9076120..4596bc66c5 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -1,26 +1,4 @@ --- -- block: - - name: Load wordpress_sites.yml vars into <env>_sites vars - include_vars: - file: group_vars/{{ item }}/wordpress_sites.yml - name: "{{ item }}_sites" - loop: "{{ envs_with_wp_sites }}" - when: envs_with_wp_sites | count > 1 - - - name: Fail if there are duplicate site keys within host's wordpress_sites - fail: - msg: > - If you put multiple environments on `{{ inventory_hostname }}`, `wordpress_sites` - must use different site keys per environment. Adjust the following site keys that - are duplicated between the `{{ item.env_pair | join('` and `') }}` groups: - {{ item.site_keys | to_nice_yaml | indent(2) }} - when: item.site_keys | count - loop: "{{ site_keys_by_env_pair }}" - - when: - - env_groups | count > 1 - - validate_site_keys | default(true) | bool - - name: Validate wordpress_sites fail: msg: "{{ lookup('template', 'wordpress_sites.j2') }}" From 55f2870ea2c13de44a25187cec098217dfebf33a Mon Sep 17 00:00:00 2001 From: antti-ucla <antti@humnet.ucla.edu> Date: Tue, 14 Oct 2025 18:39:48 -0700 Subject: [PATCH 640/663] Add a User-Agent header to test_challenges.py. (#1595) --- roles/letsencrypt/library/test_challenges.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/letsencrypt/library/test_challenges.py b/roles/letsencrypt/library/test_challenges.py index 8d5899e745..f9d2299ddc 100644 --- a/roles/letsencrypt/library/test_challenges.py +++ b/roles/letsencrypt/library/test_challenges.py @@ -43,7 +43,9 @@ def get_status(host, path, file): try: conn = HTTPConnection(host) - conn.request('HEAD', '/{0}/{1}'.format(path, file)) + conn.request('HEAD', '/{0}/{1}'.format(path, file), None, { + 'User-Agent': 'Trellis Ansible test_challenges module' + }) res = conn.getresponse() except (HTTPException, socket.timeout, socket.error): return 0 From 471dcd3f7d5761ccb3d1cd92014fba45801b633f Mon Sep 17 00:00:00 2001 
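Review bot: `HTTPConnection(host)` on the line above the new header is created without a `timeout`, so the `socket.timeout` branch in the `except` can only fire if a default socket timeout is set elsewhere in the module, which is outside this hunk; otherwise a host that black-holes port 80 stalls provisioning indefinitely. `HTTPConnection(host, timeout=10)` bounds the probe, and the connection should be released with `conn.close()` in a `finally`, since the function returns without closing it on the error path. The header itself is a sensible addition; a one-line comment such as `# identify the probe so WAF/CDN rules and nginx logs can tell it from real traffic` would explain why it is set. `get_status` continues past the end of the hunk.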
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 14 Oct 2025 23:05:57 -0400 Subject: [PATCH 641/663] Revert "Improve common var definitions (#1593)" (#1613) This reverts commit dce9ff083b50bb20f556ae7bd143c9d5a7cf5284. --- roles/common/defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 0e18efa8af..6decfa5d12 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
@@ -20,8 +20,8 @@ apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.8', '>=') }}" -overlapping_ciphers: "{{ (sshd_ciphers_default + sshd_ciphers_extra) | intersect(ssh_client_ciphers) }}" -overlapping_kex: "{{ (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) | intersect(ssh_client_kex) }}" -overlapping_macs: "{{ (sshd_macs_default + sshd_macs_extra) | intersect(ssh_client_macs) }}" -host_key_types: "{{ sshd_host_keys | map('regex_replace', '/etc/ssh/ssh_host_(.+)_key', '\\1') | map('regex_replace', 'dsa', 'ssh-dss') | list }}" -overlapping_host_keys: "{{ host_key_types | intersect(ssh_client_host_key_algorithms) | join(',') }}" +overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" +overlapping_kex: "[{% for kex in (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) if kex in ssh_client_kex %}'{{ kex }}',{% endfor %}]" +overlapping_macs: "[{% for mac in (sshd_macs_default + sshd_macs_extra) if mac in ssh_client_macs %}'{{ mac }}',{% endfor %}]" +host_key_types: "[{% for path in sshd_host_keys %}'{{ path | regex_replace('/etc/ssh/ssh_host_(.+)_key', '\\1') | regex_replace('dsa', 'ssh-dss')}}',{% endfor %}]" +overlapping_host_keys: "{% for key in host_key_types if key in ssh_client_host_key_algorithms %}{{ key }},{% endfor %}" From e805cb23b268c3434614f8221d0d61ceb1d28e12 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 14 Oct 2025 23:11:18 -0400 Subject: [PATCH 642/663] Update dependency python to 3.14 (#1562) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/integration.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index cdf096fabd..8ed9cc79f6 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -30,7 +30,7 @@ jobs: fetch-depth: 0 - uses: actions/setup-python@v6 with: - python-version: '3.9' + python-version: '3.14' - uses: ./.github/actions/setup-step-ca - uses: roots/setup-trellis-cli@v1 with: From c93f4ad0706b2fd39124077a293864037db7f2b7 Mon Sep 17 00:00:00 2001 From: Dale Grant <dale@codeand.com.au> Date: Thu, 16 Oct 2025 08:23:15 +1100 Subject: [PATCH 643/663] Set git depth to 1 for deploy role (#1616) --- roles/deploy/tasks/update.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 36e97346aa..0039e4a780 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -30,6 +30,7 @@ version: "{{ project_version }}" accept_hostkey: "{{ project.repo_accept_hostkey | default(repo_accept_hostkey | default(true)) }}" force: yes + depth: 1 ignore_errors: true no_log: true register: git_clone From e22176f028d69a536871f8f291060fc65bd8855c Mon Sep 17 00:00:00 2001 From: Dale Grant <dale@codeand.com.au> Date: Thu, 16 Oct 2025 08:23:54 +1100 Subject: [PATCH 644/663] Set php-fpm log_level to fix 'unknown value' (#1615) --- roles/php/templates/php-fpm.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/php/templates/php-fpm.conf.j2 b/roles/php/templates/php-fpm.conf.j2 index 57c5fc4922..0c86ca4a1c 100644 --- a/roles/php/templates/php-fpm.conf.j2 +++ b/roles/php/templates/php-fpm.conf.j2 @@ -43,7 +43,7 @@ error_log = /var/log/php{{ php_version }}-fpm.log ; Log level ; Possible Values: alert, error, warning, notice, debug ; Default Value: notice -;log_level = notice +log_level = notice ; Log limit on number of characters in the single line (log entry). If the ; line is over the limit, it is wrapped on multiple lines. The limit is for 
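Review bot: `depth: 1` interacts badly with `version: "{{ project_version }}"` when that value is a commit SHA rather than a branch or tag: a shallow fetch only retrieves ref tips, and the git module's own documentation warns that a SHA-1 may not be fetchable at a given `depth` unless the remote permits reachable-SHA requests, so deploys pinned to a commit can start failing. Because the task runs with `ignore_errors: true` and `no_log: true`, such a failure is silent here and only surfaces through whatever later inspects `git_clone`, which is outside this hunk. Consider making it configurable, e.g. `depth: "{{ project.repo_depth | default(repo_depth | default(omit)) }}"`, or documenting in the role README that `project_version` must be a branch or tag when the clone is shallow.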
From acf369856aa0ea58ae99d178508e9d4de195f545 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 15 Oct 2025 22:42:19 -0400 Subject: [PATCH 645/663] Use double quotes for env values (#1617) Updates the `to_env` filter to use double quotes for values instead of single quotes. This preserves literal newline character as a multiline string. Co-authored-by: Pacotole <pacotole@crea.me> --- lib/trellis/plugins/filter/filters.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/filter/filters.py b/lib/trellis/plugins/filter/filters.py index ce0f2aaa1d..9480446a8e 100644 --- a/lib/trellis/plugins/filter/filters.py +++ b/lib/trellis/plugins/filter/filters.py @@ -5,7 +5,7 @@ from jinja2 import pass_environment def to_env(dict_value): - envs = ["{0}='{1}'".format(key.upper(), str(value).replace("'","\\'")) for key, value in sorted(dict_value.items())] + envs = ['{0}="{1}"'.format(key.upper(), str(value).replace('"', '\\"')) for key, value in sorted(dict_value.items())] return "\n".join(envs) def underscore(value): From 2bc7bfe96fafd33badc8be5e880072145eae6212 Mon Sep 17 00:00:00 2001 From: Lucas Demea <lucas@digital-swing.com> Date: Thu, 16 Oct 2025 05:06:13 +0200 Subject: [PATCH 646/663] fix: add missing ssl directives (#1476) --- roles/wordpress-setup/templates/no-default.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-setup/templates/no-default.conf.j2 b/roles/wordpress-setup/templates/no-default.conf.j2 index 8bd1a85e98..6a047dee7b 100644 --- a/roles/wordpress-setup/templates/no-default.conf.j2 +++ b/roles/wordpress-setup/templates/no-default.conf.j2 @@ -19,5 +19,6 @@ server { listen 443 ssl default_server deferred; ssl_reject_handshake on; + include h5bp/directive-only/ssl.conf; } {% endif %} From 503edb4ec3573c72d4f0125a1f06783a21f29cb3 Mon Sep 17 00:00:00 2001 
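Review bot: Escaping only `"` is not enough once values are double-quoted: dotenv parsers in the phpdotenv family, which is what a Bedrock-style consumer presumably uses, treat backslashes inside double quotes as escape characters and expand `${VAR}` references, both of which single quotes previously suppressed, so a secret containing `\` or `${` — salts and database passwords in `vault_wordpress_sites` can — now reaches the application altered. Escape backslashes before quotes, `str(value).replace('\\', '\\\\').replace('"', '\\"')`, and either escape `$` as well or document that `${…}` is interpolated by the consumer. `to_env` has no docstring; one line stating that values are rendered double-quoted and which characters are escaped would prevent the next round of quoting surprises.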
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 15 Oct 2025 23:21:55 -0400 Subject: [PATCH 647/663] Remove SSH settings validation (#1614) This is a complex validation that was overly defensive and mostly needed back when new OpenSSH ciphers caused more version incompatibilities in ~2016. These incompatibilities are much less likely to occur now so we can remove these validations. --- roles/common/defaults/main.yml | 7 ----- roles/common/tasks/main.yml | 20 -------------- roles/common/templates/validate_ssh_msg.j2 | 32 ---------------------- 3 files changed, 59 deletions(-) delete mode 100644 roles/common/templates/validate_ssh_msg.j2 diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 6decfa5d12..425a5c795f 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -18,10 +18,3 @@ apt_packages_default: apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" - -openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.8', '>=') }}" -overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" -overlapping_kex: "[{% for kex in (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) if kex in ssh_client_kex %}'{{ kex }}',{% endfor %}]" -overlapping_macs: "[{% for mac in (sshd_macs_default + sshd_macs_extra) if mac in ssh_client_macs %}'{{ mac }}',{% endfor %}]" -host_key_types: "[{% for path in sshd_host_keys %}'{{ path | regex_replace('/etc/ssh/ssh_host_(.+)_key', '\\1') | regex_replace('dsa', 'ssh-dss')}}',{% endfor %}]" -overlapping_host_keys: "{% for key in host_key_types if key in ssh_client_host_key_algorithms %}{{ key }},{% endfor %}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 4596bc66c5..dcf156a5da 100644 --- a/roles/common/tasks/main.yml 
+++ b/roles/common/tasks/main.yml @@ -74,26 +74,6 @@ Staging/Production: Create a new server with Ubuntu 20.04 and provision when: ansible_distribution_version is version('18.04', '<') -- name: Retrieve local SSH client's settings per host - set_fact: - ssh_client_ciphers: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep ciphers') }}" - ssh_client_kex: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep kexalgorithms') }}" - ssh_client_macs: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep macs') }}" - ssh_client_host_key_algorithms: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep hostkeyalgorithms') }}" - when: openssh_6_8_plus and validate_ssh | default(true) - tags: [sshd] - -- name: Validate compatible settings between SSH client and server - assert: - that: - - overlapping_ciphers | count - - overlapping_kex | count - - overlapping_macs | count - - overlapping_host_keys | count - msg: "{{ lookup('template', 'validate_ssh_msg.j2') }}" - when: openssh_6_8_plus and validate_ssh | default(true) - tags: [sshd] - - name: Clean old APT sources import_tasks: clean-apt-sources.yml when: apt_clean_sources | default(false) diff --git a/roles/common/templates/validate_ssh_msg.j2 b/roles/common/templates/validate_ssh_msg.j2 deleted file mode 100644 index 6d49d95aef..0000000000 --- a/roles/common/templates/validate_ssh_msg.j2 +++ /dev/null 
@@ -1,32 +0,0 @@ -{% macro msg(param_name, ssh_client_values, sshd_config_values, overlap_values, param_var_name) %} -{% if not overlap_values | count %} -{{ param_name }} your SSH Client is making available for {{ ansible_host }}: -{% for item in ssh_client_values.replace(' ',',').split(',') if item != param_name | lower %} - - {{ item }} -{% endfor %} - -{{ (param_name != 'HostKeyAlgorithms') | ternary(param_name, 'HostKeys') }} the host {{ ansible_host }} will accept/use after sshd role: -{% for item in sshd_config_values %} - - {{ item }} -{% endfor %} - -Create a corresponding value between the two. Adjust either of the following: - - your SSH client's {{ param_name }} option (recommended) - - the `{{ param_var_name }}` Trellis variable - ---------------------------------------------------- - -{% endif %} -{% endmacro -%} - -Your local SSH client settings will not support the settings that the sshd role will apply to the SSH server (on {{ ansible_host }}). - -See https://github.com/roots/trellis/tree/master/roles/sshd#ciphers-kexalgorithms-and-macs ---------------------------------------------------- - -{{ msg('Ciphers', ssh_client_ciphers, sshd_ciphers_default + sshd_ciphers_extra, overlapping_ciphers, 'sshd_ciphers_extra') -}} -{{ msg('KexAlgorithms', ssh_client_kex, sshd_kex_algorithms_default + sshd_kex_algorithms_extra, overlapping_kex, 'sshd_kex_algorithms_extra') -}} -{{ msg('MACs', ssh_client_macs, sshd_macs_default + sshd_macs_extra, overlapping_macs, 'sshd_macs_extra') -}} -{{ msg('HostKeyAlgorithms', ssh_client_host_key_algorithms, sshd_host_keys, overlapping_host_keys, 'sshd_host_keys') -}} - -To disable this validation and warning, define `validate_ssh: false` From d02814a192bfd3df569185f0c0be23446d122c89 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Date: Wed, 15 Oct 2025 23:56:17 -0400
Subject: [PATCH 648/663] Remove timezone validation (#1618)

NTP role will fail on its own with a helpful message:

```
TASK [ntp : Set timezone.] *****************************************************
fatal: [default]: FAILED! => {"changed": false, "msg": "Error message:\ngiven timezone \"lol_nope\" is not available"}
```
---
 roles/common/tasks/main.yml | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index dcf156a5da..b196902862 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -91,17 +91,6 @@
 loop_control:
 label: "{{ item.key }}"
-- name: Validate timezone variable
- stat:
- path: /usr/share/zoneinfo/{{ ntp_timezone }}
- register: timezone_path
- changed_when: false
-
-- name: Explain timezone error
- fail:
- msg: "{{ ntp_timezone }} is not a valid timezone. For a list of valid timezones, check https://php.net/manual/en/timezones.php"
- when: not timezone_path.stat.exists
-
 - name: Add myhostname to nsswitch.conf to ensure resolvable hostname
 lineinfile:
 backrefs: yes
From aa1905c5d051b36c7eec4cf02d589501dc544dcc Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Date: Wed, 15 Oct 2025 23:56:47 -0400
Subject: [PATCH 649/663] Remove memcached_fs_file_max setting (#1619)

`memcached_fs_file_max` would set the `fs.file-max` (max open file descriptors) to that value. This was likely done to ensure a high number of memcached connections was possible, but the default value is high enough. Plus this is a global setting and not memcached specific.
---
 roles/memcached/defaults/main.yml | 1 -
 roles/memcached/tasks/main.yml | 6 ------
 2 files changed, 7 deletions(-)
diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml
index 0e9ba87761..88500be54e 100644
--- a/roles/memcached/defaults/main.yml
+++ b/roles/memcached/defaults/main.yml
@@ -1,6 +1,5 @@
 ---
 memcached_cache_size: 64
-memcached_fs_file_max: 756024
 memcached_listen_ip: 127.0.0.1
 memcached_max_conn: 1024
 memcached_port: 11211
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml
index c638f2cb85..c9cb0a3b44 100644
--- a/roles/memcached/tasks/main.yml
+++ b/roles/memcached/tasks/main.yml
@@ -15,12 +15,6 @@
 mode: '0644'
 notify: restart memcached
-- name: Set the max open file descriptors
- sysctl:
- name: fs.file-max
- value: "{{ memcached_fs_file_max | string }}"
- state: present
-
 - name: Start the memcached service
 service:
 name: memcached
From 6156b76ff4dc99936f725f94eabd90337310d93e Mon Sep 17 00:00:00 2001
From: Johan <12563436+Dyras@users.noreply.github.com>
Date: Mon, 20 Oct 2025 14:54:41 +0200
Subject: [PATCH 650/663] Remove dot in network database message (#1621)

---
 roles/deploy/hooks/finalize-after.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml
index 75673c6587..7e0152d5fe 100644
--- a/roles/deploy/hooks/finalize-after.yml
+++ b/roles/deploy/hooks/finalize-after.yml
@@ -20,7 +20,7 @@
 label: "{{ item[0].item }}"
 when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool and item[1] is match(deploy_helper.releases_path)
- - name: Warn about updating network database.
+ - name: Warn about updating network database
 debug:
 msg: "Updating the network database could take a long time with a large number of sites."
 when: project.update_db_on_deploy | default(update_db_on_deploy) and project.multisite.enabled | default(false)
From 9eea90d60c16fff31655cfc1fed2a89949efd333 Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Wed, 22 Oct 2025 20:18:44 -0500
Subject: [PATCH 651/663] Drop Vagrant support (#1622)

---
 .gitignore | 2 -
 Vagrantfile | 212 --------------------------------
 dev.yml | 1 -
 group_vars/development/main.yml | 2 +-
 lib/trellis/config.rb | 76 ------------
 lib/trellis/vagrant.rb | 123 ------------------
 roles/common/tasks/main.yml | 24 ----
 roles/deploy/defaults/main.yml | 2 +-
 vagrant.default.yml | 28 -----
 9 files changed, 2 insertions(+), 468 deletions(-)
 delete mode 100644 Vagrantfile
 delete mode 100644 lib/trellis/config.rb
 delete mode 100644 lib/trellis/vagrant.rb
 delete mode 100644 vagrant.default.yml
diff --git a/.gitignore b/.gitignore
index 5fd7350b2b..ad8836dc4c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,4 @@
 .vault_pass
-.vagrant
-vagrant.local.yml
 vendor/roles
 *.py[co]
 *.retry
diff --git a/Vagrantfile b/Vagrantfile
deleted file mode 100644
index 9de3bd4be4..0000000000
--- a/Vagrantfile
+++ /dev/null
@@ -1,212 +0,0 @@ -ANSIBLE_PATH = __dir__ # absolute path to Ansible directory on host machine -ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis'.freeze # absolute path to Ansible directory on virtual machine - -require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'vagrant') -require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'config') -require 'yaml' - -vconfig = YAML.load_file("#{ANSIBLE_PATH}/vagrant.default.yml") - -if File.exist?("#{ANSIBLE_PATH}/vagrant.local.yml") - local_config = YAML.load_file("#{ANSIBLE_PATH}/vagrant.local.yml") - vconfig.merge!(local_config) if local_config -end - -ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_install_plugins') - -trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) - -Vagrant.require_version vconfig.fetch('vagrant_require_version', '>= 2.1.0') - -Vagrant.configure('2') do |config| - config.vm.box = vconfig.fetch('vagrant_box') - config.vm.box_version = vconfig.fetch('vagrant_box_version') - config.ssh.forward_agent = true - config.vm.post_up_message = post_up_message - - # Fix for: "stdin: is not a tty" - # https://github.com/mitchellh/vagrant/issues/1673#issuecomment-28288042 - config.ssh.shell = %(bash -c 'BASH_ENV=/etc/profile exec bash') - - # Required for NFS to work - if vconfig.fetch('vagrant_ip') == 'dhcp' - config.vm.network :private_network, type: 'dhcp', hostsupdater: 'skip' - - cached_addresses = {} - config.hostmanager.ip_resolver = proc do |vm| - if cached_addresses[vm.name].nil? - if vm.communicate.ready? 
- vm.communicate.execute("hostname -I | cut -d ' ' -f 2") do |_type, contents| - cached_addresses[vm.name] = contents.split("\n").first[/(\d+\.\d+\.\d+\.\d+)/, 1] - end - end - end - cached_addresses[vm.name] - end - else - config.vm.network :private_network, ip: vconfig.fetch('vagrant_ip'), hostsupdater: 'skip' - end - - main_hostname, *hostnames = trellis_config.site_hosts_canonical - config.vm.hostname = main_hostname - - if Vagrant.has_plugin?('vagrant-hostmanager') && !trellis_config.multisite_subdomains? - redirects = trellis_config.site_hosts_redirects - - config.hostmanager.enabled = true - config.hostmanager.manage_host = true - config.hostmanager.aliases = hostnames + redirects - elsif Vagrant.has_plugin?('landrush') && trellis_config.multisite_subdomains? - config.landrush.enabled = true - config.landrush.tld = trellis_config.site_hosts_canonical.reject { |host| host.end_with?(".#{main_hostname}") } - hostnames.each { |host| config.landrush.host host, vconfig.fetch('vagrant_ip') } - else - fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager\n\nOr install landrush for multisite subdomains:\nvagrant plugin install landrush" - end - - vagrant_mount_type = vconfig.fetch('vagrant_mount_type') - - extra_options = if vagrant_mount_type == 'smb' - { - smb_username: vconfig.fetch('vagrant_smb_username', nil), - smb_password: vconfig.fetch('vagrant_smb_password', nil), - } - else - {} - end - - if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? 
&& !Vagrant.has_plugin?('vagrant-winnfsd')) - vagrant_mount_type = nil if vagrant_mount_type == 'nfs' - trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: mount_options(vagrant_mount_type, dmode: 776, fmode: 775), type: vagrant_mount_type, **extra_options - end - - config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 644), type: vagrant_mount_type, **extra_options - elsif !Vagrant.has_plugin?('vagrant-bindfs') - fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" - else - trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs', nfs_udp: vconfig.fetch('vagrant_nfs_udp') - config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' - end - - config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs', nfs_udp: vconfig.fetch('vagrant_nfs_udp') - config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' - end - - vconfig.fetch('vagrant_synced_folders', []).each do |folder| - options = { - type: folder.fetch('type', 'nfs'), - nfs_udp: folder.fetch('nfs_udp', false), - create: folder.fetch('create', false), - mount_options: folder.fetch('mount_options', []) - } - - destination_folder = folder.fetch('bindfs', true) ? nfs_path(folder['destination']) : folder['destination'] - - config.vm.synced_folder folder['local_path'], destination_folder, options - - if folder.fetch('bindfs', true) - config.bindfs.bind_folder destination_folder, folder['destination'], folder.fetch('bindfs_options', {}) - end - end - - provisioner = local_provisioning? ? :ansible_local : :ansible - provisioning_path = local_provisioning? ? 
ANSIBLE_PATH_ON_VM : ANSIBLE_PATH - - config.vm.provision provisioner do |ansible| - if local_provisioning? - ansible.install_mode = 'pip' - ansible.pip_install_cmd = 'sudo apt-get install -y -qq python3-pip' - ansible.provisioning_path = provisioning_path - ansible.version = vconfig.fetch('vagrant_ansible_version') - end - - ansible.compatibility_mode = '2.0' - ansible.playbook = File.join(provisioning_path, 'dev.yml') - ansible.galaxy_role_file = File.join(provisioning_path, 'galaxy.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] - ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') - - if which('trellis') - ansible.galaxy_command = 'trellis galaxy install' - end - - ansible.groups = { - 'web' => ['default'], - 'development' => ['default'] - } - - ansible.tags = ENV['ANSIBLE_TAGS'] - ansible.extra_vars = { 'vagrant_version' => Vagrant::VERSION } - - if (vars = ENV['ANSIBLE_VARS']) - extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] - ansible.extra_vars.merge!(extra_vars) - end - - if local_provisioning? - ansible.extra_vars.merge!('vagrant_local_provisioning' => true) - end - - if !Vagrant::Util::Platform.windows? 
- config.trigger.after :up do |trigger| - # Add Vagrant ssh-config to ~/.ssh/config - trigger.info = "Adding vagrant ssh-config for #{main_hostname } to ~/.ssh/config" - trigger.ruby do - update_ssh_config(main_hostname) - end - end - end - end - - # VirtualBox settings - config.vm.provider 'virtualbox' do |vb| - vb.name = config.vm.hostname - vb.customize ['modifyvm', :id, '--cpus', vconfig.fetch('vagrant_cpus')] - vb.customize ['modifyvm', :id, '--memory', vconfig.fetch('vagrant_memory')] - vb.customize ['modifyvm', :id, '--ioapic', vconfig.fetch('vagrant_ioapic', 'on')] - - # Fix for slow external network connections - vb.customize ['modifyvm', :id, '--natdnshostresolver1', vconfig.fetch('vagrant_natdnshostresolver', 'on')] - vb.customize ['modifyvm', :id, '--natdnsproxy1', vconfig.fetch('vagrant_natdnsproxy', 'on')] - end - - # VMware Workstation/Fusion settings - %w(vmware_fusion vmware_workstation).each do |provider| - config.vm.provider provider do |vmw| - vmw.vmx['displayName'] = config.vm.hostname - vmw.vmx['numvcpus'] = vconfig.fetch('vagrant_cpus') - vmw.vmx['memsize'] = vconfig.fetch('vagrant_memory') - end - end - - # Parallels settings - config.vm.provider 'parallels' do |prl| - prl.name = config.vm.hostname - prl.cpus = vconfig.fetch('vagrant_cpus') - prl.memory = vconfig.fetch('vagrant_memory') - prl.update_guest_tools = true - - # Parallels handles DNS resolution itself when used in conjunction with landrush - if Vagrant.has_plugin?('landrush') && trellis_config.multisite_subdomains? 
- config.landrush.guest_redirect_dns = false - end - end - - # Hyper-V settings - config.vm.provider 'hyperv' do |h| - h.vmname = config.vm.hostname - h.cpus = vconfig.fetch('vagrant_cpus') - h.memory = vconfig.fetch('vagrant_memory') - h.enable_virtualization_extensions = true - h.linked_clone = true - end - - # Libvirt/KVM settings - config.vm.provider 'libvirt' do |lv| - lv.driver = "kvm" - lv.title = config.vm.hostname - lv.cpus = vconfig.fetch('vagrant_cpus') - lv.memory = vconfig.fetch('vagrant_memory') - end -end diff --git a/dev.yml b/dev.yml index 5cec9d18ae..e36905a2b5 100644 --- a/dev.yml +++ b/dev.yml @@ -2,7 +2,6 @@ - name: "WordPress Server: Install LEMP Stack with PHP and MariaDB MySQL" hosts: web:&development become: yes - remote_user: vagrant roles: - { role: common, tags: [common] } diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml index 7fa791436b..2723db8565 100644 --- a/group_vars/development/main.yml +++ b/group_vars/development/main.yml @@ -1,4 +1,4 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" env: development mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml -web_user: "{{ ansible_user | default ('vagrant') }}" +web_user: "{{ ansible_user | default ('web') }}" diff --git a/lib/trellis/config.rb b/lib/trellis/config.rb deleted file mode 100644 index 5dae571c70..0000000000 --- a/lib/trellis/config.rb +++ /dev/null 
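Review bot: In the group_vars/development/main.yml hunk, `web_user` now follows `ansible_user`, which this same patch stops pinning to `vagrant` by dropping `remote_user` from dev.yml, so on a development host that is provisioned as `root` the web user silently becomes `root`; the `default('web')` only takes effect when `ansible_user` is undefined. If development hosts are meant to behave like the other environments now that the VM-specific user is gone, pinning `web_user: web` here (or whatever the other group_vars files use) avoids an unintentionally privileged web user; otherwise a comment stating why the login user is reused would help, e.g. `# web_user follows the SSH login user so the developer's own account owns the site files`. The pre-existing `default ('web')` spacing could also become `default('web')` while the line is being touched.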
@@ -1,76 +0,0 @@ -# frozen_string_literal: true - -require 'vagrant' -require 'yaml' - -module Trellis - class Config - def initialize(root_path:) - @root_path = root_path - end - - def multisite_subdomains? - @using_multisite_subdomains ||= begin - wordpress_sites.any? do |(_name, site)| - next false unless multisite = site['multisite'] - multisite.fetch('enabled', false) && multisite.fetch('subdomains', false) - end - end - end - - def site_hosts_canonical - @site_hosts_canonical ||= site_hosts.map { |host| host['canonical'] } - end - - def site_hosts_redirects - @site_hosts_redirects ||= site_hosts.flat_map { |host| host['redirects'] }.compact - end - - def site_hosts - @site_hosts ||= begin - wordpress_sites.flat_map { |(_name, site)| site['site_hosts'] }.tap do |hosts| - fail_with message: template_content if malformed?(site_hosts: hosts) - end - end - end - - def wordpress_sites - @wordpress_sites ||= begin - content['wordpress_sites'].tap do |sites| - fail_with message: "No sites found in #{path}." if sites.to_h.empty? - end - end - end - - def content - @content ||= begin - fail_with message: "#{path} was not found. Please check `root_path`." unless exist? - YAML.load_file(path) - end - end - - private - - def malformed?(site_hosts:) - site_hosts.any? do |host| - !host.is_a?(Hash) || !host.key?('canonical') - end - end - - def exist? - File.exist?(path) - end - - def path - File.join(@root_path, 'group_vars', 'development', 'wordpress_sites.yml') - end - - def template_content - File.read(File.join(@root_path, 'roles', 'common', 'templates', 'site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') - end - - def fail_with(message:) - raise Vagrant::Errors::VagrantError.new, message - end - end -end diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb deleted file mode 100644 index 31ae27449a..0000000000 --- a/lib/trellis/vagrant.rb +++ /dev/null 
@@ -1,123 +0,0 @@ -# Set Ansible paths relative to Ansible directory -ENV['ANSIBLE_CONFIG'] = File.join(ANSIBLE_PATH, 'ansible.cfg') -ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/callback')}" -ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" -ENV['ANSIBLE_LIBRARY'] = "~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" -ENV['ANSIBLE_ROLES_PATH'] = File.join(ANSIBLE_PATH, 'vendor', 'roles') -ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars:/usr/share/ansible/plugins/vars:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" - -def apple_silicon? - return false unless Vagrant::Util::Platform.darwin? - - arch = `uname -m`.chomp - case arch - when "x86_64" - translated = `sysctl -in sysctl.proc_translated`.chomp - translated == "1" - when "arm64" - true - end -end - -def ensure_plugins(plugins) - logger = Vagrant::UI::Colored.new - installed = false - - plugins.each do |plugin| - plugin_name = plugin['name'] - manager = Vagrant::Plugin::Manager.instance - - next if manager.installed_plugins.has_key?(plugin_name) - - logger.warn("Installing plugin #{plugin_name}") - - manager.install_plugin( - plugin_name, - sources: plugin.fetch('source', %w(https://rubygems.org/ https://gems.hashicorp.com/)), - version: plugin['version'] - ) - - installed = true - end - - if installed - logger.warn('`vagrant up` must be re-run now that plugins are installed') - exit - end -end - -def fail_with_message(msg) - fail Vagrant::Errors::VagrantError.new, msg -end - -def local_provisioning? - @local_provisioning ||= Vagrant::Util::Platform.windows? 
|| !which('ansible-playbook') || ENV['FORCE_ANSIBLE_LOCAL'] -end - -def local_site_path(site) - File.expand_path(site['local_path'], ANSIBLE_PATH) -end - -def nfs_path(path) - "/vagrant-nfs-#{File.basename(path)}" -end - -def mount_options(mount_type, dmode:, fmode:) - if mount_type == 'smb' - ["vers=3.02", "mfsymlinks", "dir_mode=0#{dmode}", "file_mode=0#{fmode}", "sec=ntlm"] - elsif mount_type == 'parallels' - ["share"] - else - ["dmode=#{dmode}", "fmode=#{fmode}"] - end -end - -def post_up_message - msg = 'Your Trellis Vagrant box is ready to use!' - msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine" - msg << "\n for any post-provision modifications." - msg << "\n* You can SSH into the machine with `vagrant ssh`." - msg << "\n* Then navigate to your WordPress sites at `/srv/www`" - msg << "\n or to your Trellis files at `#{ANSIBLE_PATH_ON_VM}`." - - msg -end - -def remote_site_path(site_name, site) - "/srv/www/#{site_name}/#{site['current_path'] || 'current'}" -end - -def which(cmd) - exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : [''] - - paths = ENV['PATH'].split(File::PATH_SEPARATOR).flat_map do |path| - exts.map { |ext| File.join(path, "#{cmd}#{ext}") } - end - - paths.any? 
do |path| - next unless File.executable?(path) && !File.directory?(path) - system("#{path} --help", %i(out err) => File::NULL) - end -end - -def update_ssh_config(main_hostname) - regexp = /(Host #{Regexp.quote(main_hostname)}(?:(?!^Host).)*)/m - config_file = File.expand_path('~/.ssh/config') - vagrant_ssh_config = `vagrant ssh-config --host #{main_hostname}`.chomp - - if File.exist?(config_file) - FileUtils.cp(config_file, "#{config_file}.trellis_backup") - ssh_config = File.read(config_file) - - content = if ssh_config =~ regexp - ssh_config.gsub(regexp, vagrant_ssh_config) - else - ssh_config << "\n#{vagrant_ssh_config}" - end - - File.write(config_file, content) - else - FileUtils.mkdir_p(File.dirname(config_file), mode: 0700) - File.write(config_file, vagrant_ssh_config) - end -end diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index b196902862..c427dc1b68 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -56,24 +56,6 @@
 package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]"
 tags: [memcached, php, sshd]
-- name: Validate Ubuntu version
- debug:
- msg: |
- Ubuntu 18.04 Bionic is the minimum supported version of Ubuntu in Trellis 1.0+ (as of https://github.com/roots/trellis/pull/992)
-
- 20.04 Focal is the recommend version for Trellis 1.7+ (as of https://github.com/roots/trellis/pull/1197)
-
- Your Ubuntu version is {{ ansible_distribution_version }} {{ ansible_distribution_release }}
-
- We recommend you re-create your server to get the best experience.
-
- Note: both of these methods will delete all your existing data. It's up to you to backup what's needed and restore it.
-
- Development via Vagrant: `vagrant destroy && vagrant up`
-
- Staging/Production: Create a new server with Ubuntu 20.04 and provision
- when: ansible_distribution_version is version('18.04', '<')
-
 - name: Clean old APT sources
 import_tasks: clean-apt-sources.yml
 when: apt_clean_sources | default(false)
@@ -100,12 +82,6 @@
 regexp: ^(hosts\:((?!myhostname).)*)$
 state: present
-- name: Generate SSH key for vagrant user for ansible_local provisioning
- user:
- name: vagrant
- generate_ssh_key: yes
- when: vagrant_local_provisioning | default(false)
-
 - block:
 - name: Retrieve SSH client IP
 ipify_facts:
diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml
index d5d05d7f91..a0682cd86a 100644
--- a/roles/deploy/defaults/main.yml
+++ b/roles/deploy/defaults/main.yml
@@ -62,7 +62,7 @@ composer_classmap_authoritative: true
 # Helpers
 project: "{{ wordpress_sites[site] }}"
 project_root: "{{ www_root }}/{{ site }}"
-project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}"
+project_local_path: "{{ (lookup('env', 'USER') == 'web') | ternary(project_root + '/' + project_current_path, project.local_path) }}"
 project_public_path: "{{ project.public_path | default('web') }}"
 project_upload_path: "{{ project.upload_path | default('app/uploads') }}"
diff --git a/vagrant.default.yml b/vagrant.default.yml
deleted file mode 100644
index ee4f54e931..0000000000
--- a/vagrant.default.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-vagrant_ip: '192.168.56.5'
-vagrant_cpus: 1
-vagrant_memory: 1024 # in MB
-vagrant_box: 'bento/ubuntu-24.04'
-vagrant_box_version: '>= 0'
-vagrant_ansible_version: '2.10.7'
-vagrant_skip_galaxy: false
-vagrant_mount_type: 'nfs'
-vagrant_nfs_udp: false
-vagrant_require_version: '>= 2.4.0'
-
-vagrant_install_plugins: true
-vagrant_plugins:
- - name: vagrant-bindfs
- - name: vagrant-hostmanager
-
-# Array of synced folders:
-# - local_path: .
-# destination: /path/on/vm
-# create: false
-# type: nfs
-# nfs_udp: false
-# bindfs: true
-# mount_options: []
-# bindfs_options: {}
-# See https://www.vagrantup.com/docs/synced-folders/basic_usage.html#mount_options
-vagrant_synced_folders: []
From 946f43c931b42044195af3e966cc1658fb7fd827 Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Thu, 23 Oct 2025 07:32:52 -0500
Subject: [PATCH 652/663] Update CHANGELOG [ci skip]

---
 CHANGELOG.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 002ab0185a..0b8d9b71c3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
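Review bot: The new `project_local_path` line still decides where a deploy reads the site from by comparing `lookup('env', 'USER')` against a username, and `web` is a far more common local account name than `vagrant` was, so an operator whose workstation user is `web` will now have deploys look for `project_root/current` on their own machine, where it will not exist, instead of `project.local_path`. With the Vagrant workflow removed it is not clear from this patch which remaining environment still runs deploys as `web`; if none does, `project_local_path: "{{ project.local_path }}"` is the simpler and less surprising default. If the in-server deploy case is still needed, an explicit opt-in variable (illustrative name: `deploy_from_server`, defaulting to false) driving the `ternary` states the intent instead of inferring it from the caller's environment, and a comment above the line should say which setups rely on it.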
@@ -1,3 +1,20 @@
+### 1.27.0: October 23, 2025
+* Drop Vagrant support [#1622](https://github.com/roots/trellis/pull/1622)
+* Remove dot in network database message [#1621](https://github.com/roots/trellis/pull/1621)
+* Remove memcached_fs_file_max setting [#1619](https://github.com/roots/trellis/pull/1619)
+* Remove timezone validation [#1618](https://github.com/roots/trellis/pull/1618)
+* Remove SSH settings validation [#1614](https://github.com/roots/trellis/pull/1614)
+* Add missing SSL directives [#1476](https://github.com/roots/trellis/pull/1476)
+* Use double quotes for env values [#1617](https://github.com/roots/trellis/pull/1617)
+* Set php-fpm log_level to fix 'unknown value' [#1615](https://github.com/roots/trellis/pull/1615)
+* Set git depth to 1 for deploy role [#1616](https://github.com/roots/trellis/pull/1616)
+* Update dependency python to 3.14 [#1562](https://github.com/roots/trellis/pull/1562)
+* Add a User-Agent header to test_challenges.py. [#1595](https://github.com/roots/trellis/pull/1595)
+* Remove complex duplicate sites validation [#1612](https://github.com/roots/trellis/pull/1612)
+* Add select_sites custom filter [#1611](https://github.com/roots/trellis/pull/1611)
+* Refactor User password hash creation [#1607](https://github.com/roots/trellis/pull/1607)
+* Remove FLUSHDB from redis_disabled_commands [#1609](https://github.com/roots/trellis/pull/1609)
+
 ### 1.26.1: October 6, 2025
 * Add WordPress sites to `/etc/hosts` [#1606](https://github.com/roots/trellis/pull/1606)
 * Set php_fpm_process_control_timeout to 10 to prevent deploy downtime [#1603](https://github.com/roots/trellis/pull/1603)
From e23b98932f795bf5eca42aa73b5b0257e5c724cf Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Fri, 24 Oct 2025 10:25:16 -0500
Subject: [PATCH 653/663] Remove CHANGELOG [ci skip]

---
 CHANGELOG.md | 683 --------------------------------------------------
 1 file changed, 683 deletions(-)
 delete mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
deleted file mode 100644
index 0b8d9b71c3..0000000000
--- a/CHANGELOG.md
+++ /dev/null
@@ -1,683 +0,0 @@
-### 1.27.0: October 23, 2025
-* Drop Vagrant support [#1622](https://github.com/roots/trellis/pull/1622)
-* Remove dot in network database message [#1621](https://github.com/roots/trellis/pull/1621)
-* Remove memcached_fs_file_max setting [#1619](https://github.com/roots/trellis/pull/1619)
-* Remove timezone validation [#1618](https://github.com/roots/trellis/pull/1618)
-* Remove SSH settings validation [#1614](https://github.com/roots/trellis/pull/1614)
-* Add missing SSL directives [#1476](https://github.com/roots/trellis/pull/1476)
-* Use double quotes for env values [#1617](https://github.com/roots/trellis/pull/1617)
-* Set php-fpm log_level to fix 'unknown value' [#1615](https://github.com/roots/trellis/pull/1615)
-* Set git depth to 1 for deploy role [#1616](https://github.com/roots/trellis/pull/1616)
-* Update dependency python to 3.14 [#1562](https://github.com/roots/trellis/pull/1562)
-* Add a User-Agent header to test_challenges.py. [#1595](https://github.com/roots/trellis/pull/1595)
-* Remove complex duplicate sites validation [#1612](https://github.com/roots/trellis/pull/1612)
-* Add select_sites custom filter [#1611](https://github.com/roots/trellis/pull/1611)
-* Refactor User password hash creation [#1607](https://github.com/roots/trellis/pull/1607)
-* Remove FLUSHDB from redis_disabled_commands [#1609](https://github.com/roots/trellis/pull/1609)
-
-### 1.26.1: October 6, 2025
-* Add WordPress sites to `/etc/hosts` [#1606](https://github.com/roots/trellis/pull/1606)
-* Set php_fpm_process_control_timeout to 10 to prevent deploy downtime [#1603](https://github.com/roots/trellis/pull/1603)
-* Flush cache after deploy [#1604](https://github.com/roots/trellis/pull/1604)
-
-### 1.26.0: September 19, 2025
-* Update actions/checkout action to v5 [#1591](https://github.com/roots/trellis/pull/1591)
-* Replace deprecated `distutils` version usage [#1590](https://github.com/roots/trellis/pull/1590)
-* ✨ Add Redis object cache support [#1589](https://github.com/roots/trellis/pull/1589)
-* Fix HSTS header omitted parts [#1592](https://github.com/roots/trellis/pull/1592)
-* Change npm command to 'npm ci' in build example [#1597](https://github.com/roots/trellis/pull/1597)
-* Add ansible-core version constraint [#1600](https://github.com/roots/trellis/pull/1600)
-
-### 1.25.0: July 31, 2025
-* Allow removal of old SSH keys on provision [#1576](https://github.com/roots/trellis/pull/1576)
-* Filter Nginx includes by sites present on target server [#1573](https://github.com/roots/trellis/pull/1573)
-* Allow cleaning apt sources on provision [#1578](https://github.com/roots/trellis/pull/1578)
-* ⬆️ Use PHP 8.3 by default [#1580](https://github.com/roots/trellis/pull/1580)
-* `wp-cli-version-check.yml`: Use `gh` to fetch WP CLI release info [#1585](https://github.com/roots/trellis/pull/1585)
-* Add `X-Cache-Enabled` HTTP header [#1513](https://github.com/roots/trellis/pull/1513)
-* Run ferm role when letsencrypt tag is defined on provision [#1588](https://github.com/roots/trellis/pull/1588)
-* Update acme_tiny_repo [#1582](https://github.com/roots/trellis/pull/1582)
-
-### 1.24.1: May 8th, 2025
-* Update WP-CLI version to 2.12.0 [#1574](https://github.com/roots/trellis/pull/1574)
-
-### 1.24.0: April 21st, 2025
-* Use proper `$host` for FastCGI `SERVER_NAME` param [#1552](https://github.com/roots/trellis/pull/1552)
-* Fix Python string escape sequences [#1554](https://github.com/roots/trellis/pull/1554)
-* Mitigate REST API cache poisoning via Method Override [#1556](https://github.com/roots/trellis/pull/1556)
-* Update dependency ntp to v2.7.0 [#1553](https://github.com/roots/trellis/pull/1553)
-* Update dependency swapfile to v2.0.42 [#1549](https://github.com/roots/trellis/pull/1549)
-* 🔧 FastCGI Cache: Stop ignoring Cache-Control headers [#1555](https://github.com/roots/trellis/pull/1555)
-* Update build-before.yml for Sage 11 [#1559](https://github.com/roots/trellis/pull/1559)
-* 🔧 PHP 8.4 support [#1560](https://github.com/roots/trellis/pull/1560)
-* Remove Let's Encrypt contact email support [#1558](https://github.com/roots/trellis/pull/1558)
-* Remove OCSP stapling [#1557](https://github.com/roots/trellis/pull/1557)
-* Remove "production" from asset compilation titles [#1566](https://github.com/roots/trellis/pull/1566)
-* 🩹 Add retry to adding PPA's [#1568](https://github.com/roots/trellis/pull/1568)
-* Refactor PHP role to support future versions by default [#1511](https://github.com/roots/trellis/pull/1511)
-* Flush rewrite rules at the end of each deploy [#1567](https://github.com/roots/trellis/pull/1567)
-* Replace link for creating CSP [#1564](https://github.com/roots/trellis/pull/1564)
-
-### 1.23.0: September 11th, 2024
-* Ubuntu 24.04 support [#1519](https://github.com/roots/trellis/pull/1519)
-* Update MariaDB to 10.11 [#1520](https://github.com/roots/trellis/pull/1520)
-* Update WP-CLI to v2.11.0 [#1533](https://github.com/roots/trellis/pull/1533)
-* Update dependency ntp to v2.5.0 [#1541](https://github.com/roots/trellis/pull/1541)
-* Update dependency swapfile to v2.0.38 [#1540](https://github.com/roots/trellis/pull/1540)
-* Update dependency composer to v1.9.2 [#1539](https://github.com/roots/trellis/pull/1539)
-* Conditionally add HTTPS inbound allow firewall rule [#1530](https://github.com/roots/trellis/pull/1530)
-* Use `http2` and `http3` nginx directives [#1529](https://github.com/roots/trellis/pull/1529)
-* Fix tags for common variable validations [#1544](https://github.com/roots/trellis/pull/1544)
-* Allow overriding 'pm' in PHP-FPM's pool config [#1542](https://github.com/roots/trellis/pull/1542)
-* Prevent warnings running composer as root [#1527](https://github.com/roots/trellis/pull/1527)
-* Fix undefined method `exists?` error [#1524](https://github.com/roots/trellis/pull/1524)
-
-### 1.22.1: May 30th, 2024
-* Fix Nginx apt-key is deprecated failure [#1518](https://github.com/roots/trellis/pull/1518)
-
-### 1.22.0: April 24th, 2024
-* Fix MariaDB apt-key is deprecated failure [#1515](https://github.com/roots/trellis/pull/1515)
-* Default to PHP 8.2, add PHP 8.3 support [#1514](https://github.com/roots/trellis/pull/1514)
-* Add PHP JIT and enable it by default [#1505](https://github.com/roots/trellis/pull/1505)
-* Update wp_cli_version to 2.9.0 [#1508](https://github.com/roots/trellis/pull/1508)
-* Add `cron` to default `apt` packages [#1506](https://github.com/roots/trellis/pull/1506)
-* Enable PHP OPCache overwrites for `max_wasted_percentage` & `huge_code_pages` [#1503](https://github.com/roots/trellis/pull/1503)
-* Add MariaDB server config for optimizatons [#1497](https://github.com/roots/trellis/pull/1497)
-* Add PHP-FPM conf and tuning settings [#1496](https://github.com/roots/trellis/pull/1496)
-* CLI config updates [#1486](https://github.com/roots/trellis/pull/1486)
-* Update Bitbucket Cloud SSH Host Keys [#1492](https://github.com/roots/trellis/pull/1492)
-* Add Libvirt to the Vagrant config file [#1490](https://github.com/roots/trellis/pull/1490)
-
-**Full Changelog**: https://github.com/roots/trellis/compare/v1.21.0...v1.22.0
-
-### 1.21.0: April 5th, 2023
-* Add optional PHP 8.2 support [#1485](https://github.com/roots/trellis/pull/1485)
-* Default to PHP 8.1 [#1484](https://github.com/roots/trellis/pull/1484)
-* Use appropriate mount_option for 'parallels' provider [#1481](https://github.com/roots/trellis/pull/1481)
-
-**Full Changelog**: https://github.com/roots/trellis/compare/v1.20.1...v1.21.0
-
-### 1.20.1: March 7th, 2023
-* Fix invalid arg error in ferm task [#1480](https://github.com/roots/trellis/pull/1480)
-* Fix `ansible_user` references for local provisioning [#1479](https://github.com/roots/trellis/pull/1479)
-* Fix HSTS header by trimming whitespace [#1478](https://github.com/roots/trellis/pull/1478)
-* Replace MailHog with Mailpit [#1474](https://github.com/roots/trellis/pull/1474)
-
-**Full Changelog**: https://github.com/roots/trellis/compare/v1.20.0...v1.20.1
-
-### 1.20.0: February 12th, 2023
-* Set development web_user to ansible_user [#1464](https://github.com/roots/trellis/pull/1464)
-* Update boxes to Ubuntu 22.04 [#1461](https://github.com/roots/trellis/pull/1461)
-* Composer Authentications: Fix `loop_var` already in use issue [#1469](https://github.com/roots/trellis/pull/1469)
-* Install wp as the default user [#1470](https://github.com/roots/trellis/pull/1470)
-* Allow non-default upload_path [#1471](https://github.com/roots/trellis/pull/1471)
-* Vagrant: disable NFS udp by default [#1472](https://github.com/roots/trellis/pull/1472)
-* Run SSH key generate task for local provision only [#1473](https://github.com/roots/trellis/pull/1473)
-* Disable xmlrpc by default [#1467](https://github.com/roots/trellis/pull/1467)
-
-**Full Changelog**: https://github.com/roots/trellis/compare/v1.19.0...v1.20.0
-
-### 1.19.0: January 2nd, 2023
-* Composer Authentication: Add support for `bearer`, `gitlab-oauth`, `gitlab-token`, `github-oauth` and `bitbucket-oauth` principles [#1413](https://github.com/roots/trellis/pull/1413)
-* Prevent ansible-core 2.13.6 [#1448](https://github.com/roots/trellis/pull/1448)
-* Enable PHP opcache in development [#1447](https://github.com/roots/trellis/pull/1447)
-* Remove deprecated warn usage [#1450](https://github.com/roots/trellis/pull/1450)
-* Composer Authentication: Add support for `bearer`, `gitlab-oauth`, `gitlab-token`, `github-oauth` and `bitbucket-oauth` principles [#1413](https://github.com/roots/trellis/pull/1413)
-* Update `wp_cli_version` to 2.7.1 [#1451](https://github.com/roots/trellis/pull/1451)
-* Disable chown site directory task by default [#1452](https://github.com/roots/trellis/pull/1452)
-* Update oefenweb.swapfile role [#1455](https://github.com/roots/trellis/pull/1455)
-* Allow remote and local databases for a site [#1457](https://github.com/roots/trellis/pull/1457)
-* Fix standard output for multisite cron job [#1458](https://github.com/roots/trellis/pull/1458)
-* Fix sshd config - set AcceptEnv conditionally [#1453](https://github.com/roots/trellis/pull/1453)
-
-### 1.18.0: November 8th, 2022
-* Fix xdebug role by including PHP vars ([#1429](https://github.com/roots/trellis/pull/1429))
-* Automate ARM64 Vagrant box support for Apple Silicon ([#1431](https://github.com/roots/trellis/pull/1431))
-* Support ARM64 arch in Mailhog role ([#1432](https://github.com/roots/trellis/pull/1432))
-* Only allow Nginx caching for GET and HEAD requests ([#1435](https://github.com/roots/trellis/pull/1435))
-
-### 1.17.0: September 27th, 2022
-* [BREAKING] Disable HSTS `includeSubdomains` by default ([#1409](https://github.com/roots/trellis/pull/1409))
-* Don't use sudo for composer authentications in dev ([#1427](https://github.com/roots/trellis/pull/1427))
-* Sage 10 deploy: Fail if entrypoints are missing ([#1426](https://github.com/roots/trellis/pull/1426))
-* Nginx: add "text/javascript" to gzip_types ([#1424](https://github.com/roots/trellis/pull/1424))
-* Disable Landrush DNS Resolver in Parallels ([#1421](https://github.com/roots/trellis/pull/1421))
-* Remove dynamic SSH key host checks ([#1419](https://github.com/roots/trellis/pull/1419))
-* Update Vagrant required version ([#1420](https://github.com/roots/trellis/pull/1420))
-* Remove custom output callback plugin ([#1418](https://github.com/roots/trellis/pull/1418))
-* Migrage `with_X` looping usage to `loop` ([#1416](https://github.com/roots/trellis/pull/1416))
-* Fix backwards compat for ssl.no-default conf ([#1415](https://github.com/roots/trellis/pull/1415))
-* Simplify Nginx no-default sites for HTTPS ([#1414](https://github.com/roots/trellis/pull/1414))
-* Improve composer authentications password default ([#1412](https://github.com/roots/trellis/pull/1412))
-* Run composer check-platform-reqs during deploy ([#1411](https://github.com/roots/trellis/pull/1411))
-* Fix #905, #831 - Update hb5p Nginx configs ([#1406](https://github.com/roots/trellis/pull/1406))
-
-### 1.16.0: July 18th, 2022
-* Fix Ansible 6 support - remove broken and unused `cli` import ([#1404](https://github.com/roots/trellis/pull/1404))
-* Fix #1400 - update shared path permission ([#1403](https://github.com/roots/trellis/pull/1403))
-* Update requirements.yml to new format ([#1402](https://github.com/roots/trellis/pull/1402))
-* Set journald max log file size ([#1399](https://github.com/roots/trellis/pull/1399))
-* Stop old php-fpm services before starting new one ([#1395](https://github.com/roots/trellis/pull/1395))
-* Fix ansible incompatibility in git connection error ([#1397](https://github.com/roots/trellis/pull/1397))
-* Update Ansible version requirement ([#1396](https://github.com/roots/trellis/pull/1396))
-
-### 1.15.0: June 8th, 2022
-* Add variables for web and uploads paths ([#1378](https://github.com/roots/trellis/pull/1378))
-* Fix WP is-installed check during deploys for multisite installs ([#1388](https://github.com/roots/trellis/pull/1388))
-* Set `mjs` as `application/javascript` in Nginx confs ([#1383](https://github.com/roots/trellis/pull/1383))
-* Change MariaDB PPA repo ([#1384](https://github.com/roots/trellis/pull/1384))
-* Allow newer Vagrant versions on Linux ([#1382](https://github.com/roots/trellis/pull/1382))
-* Remove redundant `ansible_connection=local` and comments ([#1380](https://github.com/roots/trellis/pull/1380))
-* Update `build-after` deploy hook example for Sage 10 ([#1377](https://github.com/roots/trellis/pull/1377))
-* Update `geerlingguy.ntp` role to `2.3.1` ([#1376](https://github.com/roots/trellis/pull/1376))
-* Add built-in fail2ban filters ([#1375](https://github.com/roots/trellis/pull/1375))
-* Support Ansible >= 2.10 (tested up to 5.4.0) ([#1373](https://github.com/roots/trellis/pull/1373))
-* Remove Python 2 support ([#1361](https://github.com/roots/trellis/pull/1361))
-
-### 1.14.0: February 16th, 2022
-* Fix #1026 - Preserve nested path for copied folders between deploys ([#1364](https://github.com/roots/trellis/pull/1364))
-* Fix #1354 - Ensure correct PHP version is set ([#1365](https://github.com/roots/trellis/pull/1365))
-* Create mysql my.cnf credentials file earlier ([#1360](https://github.com/roots/trellis/pull/1360))
-* Remove bin scripts (trellis-cli should be used instead) ([#1352](https://github.com/roots/trellis/pull/1352))
-* Update `wp_cli_version` to `2.6.0` ([#1358](https://github.com/roots/trellis/pull/1358))
-* Deploy hook build example: update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356))
-
-### 1.13.0: January 21st, 2022
-* Fix #1354 - Prevent apt from installing recommended packages for php ([#1355](https://github.com/roots/trellis/pull/1355))
-* Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348))
-* Use trellis-cli for Vagrant galaxy install when available ([#1349](https://github.com/roots/trellis/pull/1349))
-* Fix #970 - Improve git clone failure error ([#1351](https://github.com/roots/trellis/pull/1351))
-
-### 1.12.0: January 3rd, 2022
-* Improve support for adding public SSH keys ([#1344](https://github.com/roots/trellis/pull/1344))
-* Update default Vagrant IP to 192.168.56.5 ([#1341](https://github.com/roots/trellis/pull/1341))
-* Remove old WP customizer frame options hack ([#1338](https://github.com/roots/trellis/pull/1338))
-* Fix #1319 - Improve how ssh_args are loaded ([#1337](https://github.com/roots/trellis/pull/1337))
-* Fix #1331 - Improve passlib instructions([#1336](https://github.com/roots/trellis/pull/1336))
-
-### 1.11.0: December 10th, 2021
-* Bump minimum ansible version to `2.10.0` and add `ansible-base` to requirements ([#1334](https://github.com/roots/trellis/pull/1334))
-* Fix Ansible `2.10.16` - set default for `ansible_ssh_extra_args` ([#1333](https://github.com/roots/trellis/pull/1333))
-* Set max supported Vagrant version to `< 2.2.19` ([#1332](https://github.com/roots/trellis/pull/1332))
-* Bump `vagrant_ansible_version` to `2.10.7` ([#1329](https://github.com/roots/trellis/pull/1329))
-* Remove Nginx `ssl_dhparam` directive and Diffie-Hellman params group ([#1326](https://github.com/roots/trellis/pull/1326))
-* Add PHP 8.1 support ([#1325](https://github.com/roots/trellis/pull/1325))
-
-### 1.10.0: November 28th, 2021
-* Default to PHP 8.0 ([#1322](https://github.com/roots/trellis/pull/1322))
-* Add GitHub SSH ed25519 key to known hosts ([#1324](https://github.com/roots/trellis/pull/1324))
-* Enable pipelining for local Ansible connections ([#1323](https://github.com/roots/trellis/pull/1323))
-
-### 1.9.1: November 11th, 2021
-* Update MariaDB mirror source ([#1320](https://github.com/roots/trellis/pull/1320))
-* Remove explicit arch deb options for MariaDB (improves ARM support) ([#1318](https://github.com/roots/trellis/pull/1318))
-
-### 1.9.0: October 27th, 2021
-* Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317))
-* Fix display color output in logs ([#1316](https://github.com/roots/trellis/pull/1316))
-* Define `composer_authentications` default ([#1315](https://github.com/roots/trellis/pull/1315))
-* Fix #1311 - Remove explicit permission for site directory ([#1314](https://github.com/roots/trellis/pull/1314))
-* Fix #1277 - Disable PHP CLI memory limit ([#1278](https://github.com/roots/trellis/pull/1278))
-* Fix #1285 - Improve handling of WP-CLI failed verification ([#1295](https://github.com/roots/trellis/pull/1295))
-* Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293))
-* Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292))
-* Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284))
-
-### 1.8.0: February 12th, 2021
-* Set permissions on all file related tasks ([#1270](https://github.com/roots/trellis/pull/1270))
-* Use Python 3 for `ansible_local` Vagrant provisioner ([#1269](https://github.com/roots/trellis/pull/1269))
-* Bump `vagrant_ansible_version` to `2.9.10` ([#1268](https://github.com/roots/trellis/pull/1268))
-* Migrate to Xdebug 3 ([#1260](https://github.com/roots/trellis/pull/1260))
-
-### 1.7.1: January 20th, 2021
-* Improved repo connection failure message on deploys ([#1265](https://github.com/roots/trellis/pull/1265))
-* Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264))
-* Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250))
-* Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261))
-* Fix security issue with empty password ([#1256](https://github.com/roots/trellis/pull/1256))
-
-### 1.7.0: November 9th, 2020
-* Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197))
-
-### 1.6.0: November 5th, 2020
-* Remove prestissimo for Composer 2.0 support ([#1247](https://github.com/roots/trellis/pull/1247))
-* Allow WP cron intervals to be configurable ([#1222](https://github.com/roots/trellis/pull/1222))
-* Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215))
-* Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217))
-* Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212))
-* Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208))
-
-### 1.5.0: August 5th, 2020
-* Improve Nginx reloading for failed Let's Encrypt certificates ([#1207](https://github.com/roots/trellis/pull/1207))
-* Add support for Lets Encrypt contact emails ([#1206](https://github.com/roots/trellis/pull/1206))
-* Support branch variable for deploys ([#1204](https://github.com/roots/trellis/pull/1204))
-* Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834))
-* Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177))
-* Improve ip_whitelist in development ([#1183](https://github.com/roots/trellis/pull/1183))
-* Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169))
-* [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173))
-* Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167))
-* Bump Ansible requirement to 2.8.0 ([#1147](https://github.com/roots/trellis/pull/1147))
-* Update CircleCI Config ([#1184](https://github.com/roots/trellis/pull/1184))
-
-### 1.4.0: April 2nd, 2020
-* Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164))
-* Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131))
-* Fix `subjectAltName` for self-signed certificates ([#1128](https://github.com/roots/trellis/pull/1128))
-* `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133))
-* Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132))
-* Use modern SSL config for Nginx ([#1127](https://github.com/roots/trellis/pull/1127))
-* Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder ([#1145](https://github.com/roots/trellis/pull/1145))
-* Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146))
-* Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150))
-* Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151))
-* Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152))
-* Lint: Fix: `[306] Shells that use pipes should set the pipefail option ([#1153](https://github.com/roots/trellis/pull/1153))
-* Lint: Fix `[301] Commands should not change things if nothing needs doing ([#1139](https://github.com/roots/trellis/pull/1139))
-* Void rolled back releases ([#1148](https://github.com/roots/trellis/pull/1148))
-* Add `WP_DEBUG_LOG` to `.env` on deploy ([#1160](https://github.com/roots/trellis/pull/1160))
-
-### 1.3.0: December 7th, 2019
-* Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124))
-* Lower self-signed certificate expiry time for macOS Cataline support ([#1120](https://github.com/roots/trellis/pull/1120))
-* Block dependency manager files in Nginx ([#1116](https://github.com/roots/trellis/pull/1116))
-
-### 1.2.0: October 11th, 2019
-* Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114))
-* Fix self-signed certificates in Ansible 2.8 ([#1110](https://github.com/roots/trellis/pull/1110))
-* Update WP CLI to v2.3.0 ([#1109](https://github.com/roots/trellis/pull/1109))
-* Ansible 2.8.x support ([#1103](https://github.com/roots/trellis/pull/1103))
-* Bump galaxy dependency versions ([#1105](https://github.com/roots/trellis/pull/1105))
-* Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104))
-* Bump ansible requirement to 2.7.12([#1102](https://github.com/roots/trellis/pull/1102))
-
-### 1.1.0: September 1st, 2019
-* Update swapfile role to v2.0.22 ([#1101](https://github.com/roots/trellis/pull/1101))
-* Add pip `requirements.txt` and rename `requirements.yml` to `galaxy.yml` ([#1100](https://github.com/roots/trellis/pull/1100))
-* Update apt packages before checking essentials task ([#1086](https://github.com/roots/trellis/pull/1086))
-* Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091))
-
-### 1.0.3: April 30th, 2019
-* Prevent direct access for `.blade.php` files ([#1075](https://github.com/roots/trellis/pull/1075))
-* Show custom error message if external IP resolution fails ([#1078](https://github.com/roots/trellis/pull/1078))
-* Use all canonical site hosts for Landrush TLD ([#1077](https://github.com/roots/trellis/pull/1077))
-
-### 1.0.2: March 13th, 2019
-* Improve handling of vars with `AnsibleUnsafe` ([#1071](https://github.com/roots/trellis/pull/1071))
-* Update name of Nginx PPA (`development` to `mainline`) ([#1068](https://github.com/roots/trellis/pull/1068))
-* [REVERT] Don't force install Ansible Galaxy in dev ([#1064](https://github.com/roots/trellis/pull/1064))
-
-### 1.0.1: January 16th, 2019
-* Add Python 2 explicitly ([#1061](https://github.com/roots/trellis/pull/1061))
-
-### 1.0.0: December 27th, 2018
-* Hyper-V and SMB folder sync compatibility ([#1035](https://github.com/roots/trellis/pull/1035))
-* Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053))
-* Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052))
-* Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767))
-* Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051))
-* Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049))
-* Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048))
-* Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047))
-* Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046))
-* Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045))
-* Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042))
-* [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992))
-* Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031))
-* Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021))
-* Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019))
-* [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014))
-* Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999))
-* Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007))
-* Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996))
-* Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962))
-* Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981))
-* deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990))
-* Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977))
-* Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989))
-* Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985))
-* Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980))
-* Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984))
-* Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983))
-* Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982))
-* Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975))
-* Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974))
-* Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973))
-* Add support for sSMTP revaliases configuration ([#956](https://github.com/roots/trellis/pull/956))
-* Add support for includes.d on all sites ([#966](https://github.com/roots/trellis/pull/966))
-* Fix `--subdomains` flag in the Install WP task ([#968](https://github.com/roots/trellis/pull/968))
-* Ensure Diffie-Hellman group is generated for Let's Encrypt ([#964](https://github.com/roots/trellis/pull/964))
-* Fix `raw_vars` feature to properly handle int values ([#959](https://github.com/roots/trellis/pull/959))
-* [BREAKING] Update Ansible default plugin paths in config files ([#958](https://github.com/roots/trellis/pull/958))
-* Add Nginx `ssl.no-default.conf` to drop requests for unknown hosts ([#888](https://github.com/roots/trellis/pull/888))
-* [BREAKING] Disable memcached UDP support by default ([#955](https://github.com/roots/trellis/pull/955))
-* Git: Ignore `vagrant.local.yml`([#953](https://github.com/roots/trellis/pull/953))
-* Update to PHP 7.2 ([#929](https://github.com/roots/trellis/pull/929))
-* Fix `failed_when` in `template_root` check with wp-cli 1.5.0 ([#948](https://github.com/roots/trellis/pull/948))
-* Bump Ansible `version_tested_max` to 2.4.3.0 ([#945](https://github.com/roots/trellis/pull/945))
-* Update wp-cli to 1.5.0 ([#944](https://github.com/roots/trellis/pull/944))
-* Update `vagrant_box_version` to `>= 201801.02.0` ([#939](https://github.com/roots/trellis/pull/939))
-* Bump Ansible `version_tested_max` to 2.4.2.0 ([#932](https://github.com/roots/trellis/pull/932))
-* Add MariaDB 10.2 PPA ([#926](https://github.com/roots/trellis/pull/926))
-* Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923))
-
-### 1.0.0-rc.2: November 13th, 2017
-* Update wp-cli to 1.4.1 ([#918](https://github.com/roots/trellis/pull/918))
-* Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910))
-* Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915))
-* Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913))
-* Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909))
-* Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911))
-* Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906))
-* [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881))
-* Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895))
-* Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894))
-* Deploys: Update WP theme paths for multisite subsites ([#854](https://github.com/roots/trellis/pull/854))
-* Vagrant: Support DHCP ([#892](https://github.com/roots/trellis/pull/892))
-* Extract Trellis::Config ([#890](https://github.com/roots/trellis/pull/890))
-* Redirect directly to https canonical domain ([#889](https://github.com/roots/trellis/pull/889))
-* WordPress Setup: Add Nginx `ssl_client_certificate` ([#869](https://github.com/roots/trellis/pull/869))
-* Update h5bp/server-configs-nginx ([#876](https://github.com/roots/trellis/pull/876))
-* Update ansible galaxy roles ([#872](https://github.com/roots/trellis/pull/872))
-* Update wp-cli to 1.3.0 ([#871](https://github.com/roots/trellis/pull/871))
-* Add ansible_local support for non-Windows ([#824](https://github.com/roots/trellis/pull/824))
-* Load `modules-enabled` config files in Nginx ([#859](https://github.com/roots/trellis/pull/859))
-* Only include \*.conf files in Nginx `sites-enabled/` ([#862](https://github.com/roots/trellis/pull/862))
-* Add `fastcgi_read_timeout` to Nginx config ([#860](https://github.com/roots/trellis/pull/860))
-* Allow customization of the Nginx package name and PPA ([#858](https://github.com/roots/trellis/pull/858))
-* Nginx microcaching: skip caching WP API requests ([#855](https://github.com/roots/trellis/pull/855))
-* Allow overriding more php-fpm params ([#856](https://github.com/roots/trellis/pull/856))
-* Accommodate child themes: Update WP `stylesheet_root` separately ([#850](https://github.com/roots/trellis/pull/850))
-* Deploys: `--skip-themes` when updating WP `template_root` ([#849](https://github.com/roots/trellis/pull/849))
-* Option to install WP-CLI packages ([#837](https://github.com/roots/trellis/pull/837))
-* Update WP-CLI to 1.2.1 ([#838](https://github.com/roots/trellis/pull/838))
-* Auto-install Vagrant plugins ([#829](https://github.com/roots/trellis/pull/829))
-* Add Vagrant config ([#828](https://github.com/roots/trellis/pull/828))
-* Ansible 2.3 compatibility ([#813](https://github.com/roots/trellis/pull/813))
-* Remove potentially dangerous `db_import` option ([#825](https://github.com/roots/trellis/pull/825))
-
-### 1.0.0-rc.1: April 7th, 2017
-* Add vault_wordpress_sites validation ([#823](https://github.com/roots/trellis/pull/823))
-* Use dynamic HostKeyAlgorithms SSH option for unknown hosts ([#798](https://github.com/roots/trellis/pull/798))
-* Accommodate deploy hook vars formatted as lists of includes ([#815](https://github.com/roots/trellis/pull/815))
-* Check Ansible version before Ansible validates task attributes ([#797](https://github.com/roots/trellis/pull/797))
-* Add additional Nginx sites configurations support ([#793](https://github.com/roots/trellis/pull/793))
-* Change `remote-user` role to `connection` role: tests host key, user ([#745](https://github.com/roots/trellis/pull/745))
-* Allow customization of PHP extensions ([#787](https://github.com/roots/trellis/pull/787))
-* Allow for per-project packagist.com authentication ([#762](https://github.com/roots/trellis/pull/762))
-* Set multisite constants false while checking `wp core is-installed` ([#766](https://github.com/roots/trellis/pull/766))
-* Forward extra bin/deploy.sh parameters to ansible-playbook ([#748](https://github.com/roots/trellis/pull/748))
-* Update WP-CLI to 1.1.0 ([#759](https://github.com/roots/trellis/pull/759))
-* Add DOMAIN_CURRENT_SITE to default env variables ([#760](https://github.com/roots/trellis/pull/760))
-* Fix formatting of `set_fact` for `ansible_become_pass` ([#758](https://github.com/roots/trellis/pull/758))
-* Require Ansible 2.2.0.0 or greater ([#726](https://github.com/roots/trellis/pull/726))
-* [BREAKING] Use more secure sshd defaults ([#744](https://github.com/roots/trellis/pull/744))
-* Add basic git repo host keys to `known_hosts` ([#751](https://github.com/roots/trellis/pull/751))
-* Accommodate template inheritance for nginx confs ([#740](https://github.com/roots/trellis/pull/740))
-* Add `apt_packages_custom` to customize Apt packages ([#735](https://github.com/roots/trellis/pull/735))
-* Enable Let's Encrypt to detect updated `site_hosts` ([#630](https://github.com/roots/trellis/pull/630))
-* Add `SKIP_GALAXY` env var to skip galaxy install in Vagrant ([#734](https://github.com/roots/trellis/pull/734))
-* Avoid `loop.first` variable in conditional jinja loops ([#729](https://github.com/roots/trellis/pull/729))
-* Use dynamic `local_path` to accommodate Ansible running on VM ([#725](https://github.com/roots/trellis/pull/725))
-* [BREAKING] Fix #727 - HSTS: default preload to off ([#728](https://github.com/roots/trellis/pull/728))
-* `Vagrantfile`: add automatic support for landrush ([#724](https://github.com/roots/trellis/pull/724))
-* Suppress extra output in SSL certificates ([#723](https://github.com/roots/trellis/pull/723))
-* Fix #718 - improve method of updating theme paths ([#720](https://github.com/roots/trellis/pull/720))
-* Create `/home/vagrant/trellis` bindfs mount with proper permissions ([#705](https://github.com/roots/trellis/pull/705))
-
-### 0.9.9: December 14th, 2016
-* Create `project_shared_children` files if they do not exist ([#706](https://github.com/roots/trellis/pull/706))
-* Diffie-Hellman params now conditional on SSL status ([#709](https://github.com/roots/trellis/pull/709))
-* Update PHP to 7.1 ([#695](https://github.com/roots/trellis/pull/695))
-* Update WP-CLI to 1.0.0 ([#708](https://github.com/roots/trellis/pull/708))
-* Ansible-Local for Vagrant boxes on Windows ([#690](https://github.com/roots/trellis/pull/690))
-* Install MariaDB via Ubuntu's official distro packages ([#693](https://github.com/roots/trellis/pull/693))
-* Fix 404s by moving skip_cache conditions to server block ([#692](https://github.com/roots/trellis/pull/692))
-* Nginx includes: Move templates dir, fix 'No such file' error ([#687](https://github.com/roots/trellis/pull/687))
-* [BREAKING] Move shell scripts to bin/ directory ([#680](https://github.com/roots/trellis/pull/680))
-* Add myhostname to nsswitch.conf to ensure resolvable hostname ([#686](https://github.com/roots/trellis/pull/686))
-* Add `bin/xdebug-tunnel.sh` to manage Xdebug and SSH tunnels on remote hosts ([#678](https://github.com/roots/trellis/pull/678))
-* Move Xdebug installation/configuration into its own role ([#678](https://github.com/roots/trellis/pull/678))
-* Disable wp-cron emails ([#685](https://github.com/roots/trellis/pull/685))
-* Make `raw_vars` compatible with play vars and Ansible 2.1 ([#684](https://github.com/roots/trellis/pull/684))
-* Ensure there is always at least one PHP-FPM pool defined ([#682](https://github.com/roots/trellis/pull/682))
-* Update galaxy roles for Ansible 2.2 compatibility ([#681](https://github.com/roots/trellis/pull/681))
-* Update to WP-CLI 0.25.0 for WP 4.7 compat ([#673](https://github.com/roots/trellis/pull/673))
-* Enable per-site setup for permalink structure ([#661](https://github.com/roots/trellis/pull/661))
-* WP 4.6 Compat: set WP_HOME/SITEURL directly ([#647](https://github.com/roots/trellis/pull/647))
-* Create WordPress php-fpm conf after web_root exists ([#642](https://github.com/roots/trellis/pull/642))
-* Fix #637 - Fix condition for permalink structure task
([#643](https://github.com/roots/trellis/pull/643)) -* Fix #639 - WP 4.6 compatibility: update WP-CLI to 0.24.1 ([#640](https://github.com/roots/trellis/pull/640)) - -### 0.9.8: August 14th, 2016 -* Ansible 2.1 compatibility fixes ([#631](https://github.com/roots/trellis/pull/631)) -* [BREAKING] Upgrade Ubuntu from 14.04 Trusty to 16.04 Xenial ([#626](https://github.com/roots/trellis/pull/626)) -* [BREAKING] Add `vault_users` for easier password management ([#614](https://github.com/roots/trellis/pull/614)) -* Fix #581 - Use WP-CLI to run WP cron ([#583](https://github.com/roots/trellis/pull/583)) -* [BREAKING] Require explicit redirects and drop `www_redirect` ([#622](https://github.com/roots/trellis/pull/622)) -* Fix #612 - Bump nginx_fastcgi_buffer_size to `8k` ([#620](https://github.com/roots/trellis/pull/620)) -* Setup permalink structure for multisite installs too ([#617](https://github.com/roots/trellis/pull/617)) -* Fix `wp_home` option in Multisite after install in development ([#616](https://github.com/roots/trellis/pull/616)) -* Add `current_path` var and default to enable custom current release path ([#607](https://github.com/roots/trellis/pull/607)) -* Add Vagrant post up message ([#602](https://github.com/roots/trellis/pull/602)) -* Fix #468 - Use curl to install wp-cli tab completions ([#593](https://github.com/roots/trellis/pull/593)) -* Require Ansible 2.0.2 and remove deploy_helper ([#579](https://github.com/roots/trellis/pull/579)) -* Add connection-related cli options to ping command ([#578](https://github.com/roots/trellis/pull/578)) -* Wrap my.cnf password in quotes ([#577](https://github.com/roots/trellis/pull/577)) -* Update to WP-CLI v0.23.1 ([#576](https://github.com/roots/trellis/pull/576)) -* Fix #563 - Improve remote databases ([#573](https://github.com/roots/trellis/pull/573)) -* Fix #569 - Only skip subdomains for non-www domains ([#570](https://github.com/roots/trellis/pull/570)) -* Enable Let's Encrypt to transition http sites to 
https ([#565](https://github.com/roots/trellis/pull/565)) - -### 0.9.7: April 10th, 2016 -* Fix #550 - Properly skip permalink setup for MU ([#551](https://github.com/roots/trellis/pull/551)) -* Escape salts and keys to avoid templating errors ([#548](https://github.com/roots/trellis/pull/548)) -* Add plugin to pretty print Ansible msg output ([#544](https://github.com/roots/trellis/pull/544)) -* Fix #482 - Multisite is-installed deploy check ([#543](https://github.com/roots/trellis/pull/543)) -* Skip setting permalink for multisite installs ([#546](https://github.com/roots/trellis/pull/546)) -* Fix #489 - Add $realpath_root to fastcgi_cache_key ([#542](https://github.com/roots/trellis/pull/542)) -* Move modules and plugins to `lib/trellis` directory ([#538](https://github.com/roots/trellis/pull/538)) -* Automatically set `wp_home` and `wp_siteurl` variables ([#533](https://github.com/roots/trellis/pull/533)) -* Switch to Let's Encrypt X3 intermediate certificate and fix chain issues ([#534](https://github.com/roots/trellis/pull/534)) -* Supply better defaults for `db_name` and `db_user` ([#529](https://github.com/roots/trellis/pull/529)) -* Fix deploy env template to use valid ansible vars ([#530](https://github.com/roots/trellis/pull/530)) -* Simplify and improve `wordpress_sites` with better defaults ([#528](https://github.com/roots/trellis/pull/528)) -* Allow option for WinNFSD sync folder provider on Windows ([#527](https://github.com/roots/trellis/pull/527)) -* Improve Let's Encrypt challenge pre-flight tests ([#526](https://github.com/roots/trellis/pull/526)) -* `reverse_www` filter improvements (ignore subdomains) ([#525](https://github.com/roots/trellis/pull/525)) -* Fix deprecation warnings on deploy, use current stable WP-CLI ([#523](https://github.com/roots/trellis/pull/523)) -* Fix #520 - Disable MariaDB binary logging by default ([#521](https://github.com/roots/trellis/pull/521)) -* Let's Encrypt integration 
([#518](https://github.com/roots/trellis/pull/518)) -* Improve Git repo format validation ([#516](https://github.com/roots/trellis/pull/516)) -* Fix #505 - Git ignore \*.retry file -* Fix Ansible deprecations for bare variables ([#510](https://github.com/roots/trellis/pull/510)) -* Fixes #508 - update php-xdebug config file path ([#509](https://github.com/roots/trellis/pull/509)) -* Add php-mbstring extension ([#504](https://github.com/roots/trellis/pull/504)) -* Add more necessary PHP extensions ([#503](https://github.com/roots/trellis/pull/503)) - -### 0.9.6: February 18th, 2016 -* Update to latest ansible-role-mailhog version ([#497](https://github.com/roots/trellis/pull/497)) -* Add `reverse_www` filter to fix `www_redirect` ([#486](https://github.com/roots/trellis/pull/486)) -* Add IP address variable, move some variables to top of Vagrantfile ([#494](https://github.com/roots/trellis/pull/494)) -* Keep Composer updated ([#493](https://github.com/roots/trellis/pull/493)) -* Use prestissimo Composer plugin ([#492](https://github.com/roots/trellis/pull/492)) -* Use ansible-role-composer ([#491](https://github.com/roots/trellis/pull/491)) -* Fix bad `curl` output ([#490](https://github.com/roots/trellis/pull/490)) -* Fixes #410 - Default to 1 CPU in Vagrant ([#487](https://github.com/roots/trellis/pull/487)) - -### 0.9.5: February 10th, 2016 -* Fix Nginx includes for Ansible 2.0 ([#473](https://github.com/roots/trellis/pull/473)) -* Use `ondrej/php` PPA since `ondrej/php-7.0` is deprecated ([#479](https://github.com/roots/trellis/pull/479)) -* Fix Ansible 2.x deploys and require version 2.x ([#478](https://github.com/roots/trellis/pull/478)) -* Update to PHP 7.0 and remove HHVM ([#432](https://github.com/roots/trellis/pull/432)) -* Windows: Sync `hosts` dir with proper permissions ([#460](https://github.com/roots/trellis/pull/460)) -* Fix `inventory_file` variable in connection tests ([#470](https://github.com/roots/trellis/pull/470)) -* Fix conditional logic for 
permalink setup task ([#467](https://github.com/roots/trellis/pull/467)) -* Fix permalink setup during WordPress Install ([#466](https://github.com/roots/trellis/pull/466)) -* Fix deploy pre-flight check for verifying repo ([#463](https://github.com/roots/trellis/pull/463)) -* Ansible 2.0 compatibility ([#461](https://github.com/roots/trellis/pull/461)) -* Add pre-flight checks for common deploy problems ([#459](https://github.com/roots/trellis/pull/459)) -* Prevent duplicate hosts entries made by `vagrant-hostsupdater` ([#458](https://github.com/roots/trellis/pull/458)) -* Fix README's `ansible-playbook` command for server.yml ([#456](https://github.com/roots/trellis/pull/456)) -* Fix development hosts file ([#455](https://github.com/roots/trellis/pull/455)) -* Add tags to select includes and tasks ([#453](https://github.com/roots/trellis/pull/453)) -* Improve Git deploy implementation via `git archive` ([#451](https://github.com/roots/trellis/pull/451)) -* Replace strip_www with optional redirect to www/non-www ([#452](https://github.com/roots/trellis/pull/452)) -* Accommodate file encryption via ansible vault ([#317](https://github.com/roots/trellis/pull/317)) -* Fixes #353 - Allow insecure curl reqs for cron ([#450](https://github.com/roots/trellis/pull/450)) -* Fixes #374 - Remove composer vendor/bin from $PATH ([#449](https://github.com/roots/trellis/pull/449)) -* Refactor hosts files ([#313](https://github.com/roots/trellis/pull/313)) -* Fixes #436 - Let WP handle 404s for PHP files ([#448](https://github.com/roots/trellis/pull/448)) -* Fixes #297 - Use `php_flag` vs `php_admin_flag` ([#447](https://github.com/roots/trellis/pull/447)) -* Fixes #316 - Set WP permalink structure during install ([#316](https://github.com/roots/trellis/pull/316)) -* Switch to https://api.ipify.org for IP lookup ([#444](https://github.com/roots/trellis/pull/444)) -* Replace `vagrant-hostsupdater` with `vagrant-hostmanager` ([#442](https://github.com/roots/trellis/pull/442)) -* 
Switch to mainline Nginx, replaces SPDY with HTTP2 ([#389](https://github.com/roots/trellis/issues/389)) -* Add `wp core update-db` to deploy finalize hook ([#411](https://github.com/roots/trellis/pull/411)) -* Use WP-CLI 0.21.1 ([#392](https://github.com/roots/trellis/pull/392)) -* Add variable for whitelisted IPs ([#435](https://github.com/roots/trellis/pull/435)) - -### 0.9.3: November 29th, 2015 -* Nginx role improvements: use more h5bp configs ([#428](https://github.com/roots/trellis/pull/428)) -* Add global `deploy_before` and `deploy_after` hooks ([#427](https://github.com/roots/trellis/pull/427)) -* Fix HSTS headers ([#424](https://github.com/roots/trellis/pull/424)) -* Notify Windows users about SSH forwarding ([#423](https://github.com/roots/trellis/pull/423)) -* Use append_privs for WP DB privileges ([#422](https://github.com/roots/trellis/pull/422)) -* Stop WP cron job emails ([#421](https://github.com/roots/trellis/pull/421)) -* Add WP-CLI bash completion script ([#407](https://github.com/roots/trellis/pull/407)) -* Add Composer config `github-oauth` variable ([#402](https://github.com/roots/trellis/pull/402)) -* Fix copy project local files in example hook ([#404](https://github.com/roots/trellis/pull/404)) -* Update cron variable to match Bedrock ([#394](https://github.com/roots/trellis/pull/394)) -* Add deploy_build_before example hook for theme assets ([#397](https://github.com/roots/trellis/pull/37)) -* Use curl instead of dig for IP lookups ([#390](https://github.com/roots/trellis/pull/390)) -* Update SSL cipher suite ([#386](https://github.com/roots/trellis/pull/386)) -* Support for other Vagrant providers (VirtualBox, VMWare, Parallels) ([#340](https://github.com/roots/trellis/pull/340)) -* Specify versions for Ansible Galaxy requirements ([#385](https://github.com/roots/trellis/pull/385)) -* Adds ability to configure [HSTS headers](https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security) with site variables. 
([#388](https://github.com/roots/trellis/pull/388)) - -### 0.9.2: October 15th, 2015 -* Add dev's IP to ferm whitelist ([#381](https://github.com/roots/trellis/pull/381)) -* Add nonempty option to config.bindfs.bind_folder ([#382](https://github.com/roots/trellis/pull/382)) -* Add proper hooks for task files during deploys ([#378](https://github.com/roots/trellis/pull/378)) -* Fix logrotate's Nginx postrotate script ([#377](https://github.com/roots/trellis/pull/377)) -* Add static HTML files as fallbacks for Nginx's `index` directive ([#376](https://github.com/roots/trellis/pull/376)) -* Use Windows environment variable to determine number of CPUs ([#366](https://github.com/roots/trellis/pull/366)) -* Check for galaxy roles before `vagrant up` ([#365](https://github.com/roots/trellis/pull/365)) -* Install Xdebug by default in development environment ([#363](https://github.com/roots/trellis/pull/363)) -* Ensure admin_user can connect before disabling root ([#345](https://github.com/roots/trellis/pull/345)) -* Prevent PHP execution in uploads directory ([#356](https://github.com/roots/trellis/pull/356)) -* Update h5bp Nginx configs ([#355](https://github.com/roots/trellis/pull/355)) -* Convert sshd role variables to booleans ([#344](https://github.com/roots/trellis/pull/344)) -* Add check to validate `subtree_path` during deploy ([#334](https://github.com/roots/trellis/pull/334)) -* Rename WP site variable `subtree` to `subtree_path` ([#329](https://github.com/roots/trellis/pull/329)) -* Add extra HTTP security headers ([#322](https://github.com/roots/trellis/pull/322)) -* HHVM restart cron job fix ([#327](https://github.com/roots/trellis/pull/327)) -* Improve SSH remote user detection ([#321](https://github.com/roots/trellis/pull/321)) -* Add variable + better default for Nginx fastcgi buffers ([#302](https://github.com/roots/trellis/pull/302)) -* WP Multisite install fixes ([#319](https://github.com/roots/trellis/pull/319)) -* Re-organize `group_vars` files into 
subdirectories and separate files ([#308](https://github.com/roots/trellis/pull/308)) - -### 0.9.1: August 18th, 2015 -* Capture development mail with MailHog ([#304](https://github.com/roots/trellis/pull/304)) -* Update git remote URL before cloning on deploys ([#299](https://github.com/roots/trellis/pull/299)) -* Allow user to set the timezone ([#301](https://github.com/roots/trellis/pull/301)) -* Improvements to custom Nginx includes ([#242](https://github.com/roots/trellis/pull/242)) -* Fix comment in Vagrantfile: use absolute path for ANSIBLE_PATH ([#292](https://github.com/roots/trellis/pull/292)) -* Fix remote user handling for AWS ([#290](https://github.com/roots/trellis/pull/290)) - -### 0.9.0: August 3rd, 2015 -* Allow auto-generation of self signed SSL certificate -* Merge secure-root.yml into server.yml -* Bump Ansible requirement to >= 1.9.2 -* Validate that at least the minimum required version of Ansible is used -* Fix PHP error handling -* Flush wp db theme roots on deploy -* Stop recursive copying of vendor -* Update the bin/windows.sh script with absolute path -* Conditionally copy .env into web root -* Add subtree commented out -* Add Composer binary path to the default path -* Change base box to stock Ubuntu 14.04 -* Rename bedrock-ansible to Trellis -* Restore strip_www functionality -* Protect against Logjam attack by generating a strong and unique Diffie-Hellman group -* Move SSH key handling to users role -* Fix multisite conditional in wordpress-site.conf -* Allow use of FastCGI caching -* Wrap octal mode in quotes -* Fix project_shared_children mode defaults -* Allow for custom permissions for shared sources -* Provide a mechanism for custom Nginx includes -* Add trailing slash to WP core rewrite, preventing possible redirect loop -* Insert full path to service command, add hhvm restart minute -* Disable exposing PHP version to the world -* wordpress-install improvements -* Nginx h5bp config improvements -* Make composer self-update 
idempotent -* Fix project_subtree conditional -* Remove redundant site_name when naming log files -* Fix project_subtree check -* Fix conditional check for multi-site deploys -* Fix .env generation for wordpress-install -* Mirror `server_name` in SSL and non-SSL blocks -* Windows compatibility -* Add swapfile role -* Nginx: better worker_processes setting -* Use inventory_hostname instead of ansible_hostname -* Update Ansible version requirements -* Add information on how to deploy with the git strategy -* Define provider as virtualbox to avoid failure -* Don't set HSTS header over HTTP -* Add note about generating keys from the WordPress API -* Use site instead of example.com -* Be consistent with roots-example-project repo -* Add vagrant-hostsupdater to requirements -* SSL support -* Vagrant: resolve site paths relative to Ansible -* Subtree should be defined on a site -* Remove static IP from site_hosts -* Deploy improvements -* WP subdomain multisite support -* Add xdebug role -* Add logrotate role -* Add ntpd role -* Ansible deploys -* HHVM implementation -* Add SMTP role -* Install php5-memcached -* Update to PHP 5.6 -* Simplify Vagrantfile -* Add better SSH defaults -* Add fail2ban, ferm for added security -* Remove naming restriction on Bedrock path -* Add vagrant-bindfs for custom NFS permissions -* Limit `sendfile off` directive to development env -* Add better upload size and execution time defaults -* Use H5BP server configs -* Hardcode Vagrant VM memory to 1GB -* Replace dots in cron file names -* Use NFS for shared folders and better performance -* Tagged playbook roles - -### 0.4.0: September 9th, 2014 -* Complete memcached implementation -* Better PHP production configs: errors and opcache -* Always set fastcgi param `SCRIPT_FILENAME` in Nginx for better version compatibility - -### 0.3.0: August 20th, 2014 -* Ansible 1.6.8 compatibility (bug fix) -* Fix for slow network connections -* Nginx reload after DB import -* Integrate vagrant-hostsupdater 
-* Improve organization and file/folder structure
-* MySQL password support
-* Memcached role
-* Improved hosts file and group_vars for separate environments
-
-### 0.2.0: May 15th, 2014
-* Add roots/bedrock Vagrant box
-* Add `run_composer` option to `wordpress_sites` so Composer can be run on the VM removing the requirement for it on the host
-* Remove upgrade role since we can't control package versions with it
-
-### 0.1.1: May 1st, 2014
-* Initial release
From 730395df79792075ee69b50339de030e77a00706 Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Sat, 25 Oct 2025 10:39:44 -0500
Subject: [PATCH 654/663] Update README [ci skip]

---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 04855b85fb..bf51c4ccb4 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ We're dedicated to pushing modern WordPress development forward through our open
### Sponsors
-<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> <a href="https://bonsai.so/"><img src="https://cdn.roots.io/app/uploads/bonsai.svg" alt="Bonsai" width="120" height="90"></a>
+<a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="120" height="90"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="120" height="90"></a> <a href="https://www.itineris.co.uk/"><img src="https://cdn.roots.io/app/uploads/itineris.svg" alt="Itineris" width="120" height="90"></a> <a href="https://kinsta.com/?kaid=OFDHAJIXUDIV"><img src="https://cdn.roots.io/app/uploads/kinsta.svg" alt="Kinsta" width="120" height="90"></a>
## Overview
From 835a98301d0566f1ca0c1df297bcb551704399e7 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Date: Sat, 15 Nov 2025 13:33:46 -0500
Subject: [PATCH 655/663] Use sudo for become method (#1624)

These tasks related to creating directories are run on mounted directories for local VMs. Using `sudo` as the `become_method` can provide better guarantees that the UID/GIDs mapping are preserved properly. This might only matter for VM solutions like LXD but it shouldn't change solutions like Lima that already work correctly.
---
roles/wordpress-install/tasks/directories.yml | 3 +++
1 file changed, 3 insertions(+)

diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml
index ab53524b1d..ed9277812f 100644
--- a/roles/wordpress-install/tasks/directories.yml
+++ b/roles/wordpress-install/tasks/directories.yml
@@ -9,6 +9,7 @@
loop: "{{ wordpress_sites | dict2items }}"
loop_control:
label: "{{ item.key }}"
+ become_method: sudo
- name: Create shared folder of sites
file:
@@ -20,6 +21,7 @@
loop: "{{ wordpress_sites | dict2items }}"
loop_control:
label: "{{ item.key }}"
+ become_method: sudo
- name: Change site owner to user
file:
@@ -31,4 +33,5 @@
loop: "{{ wordpress_sites | dict2items }}"
loop_control:
label: "{{ item.key }}"
+ become_method: sudo
when: chown_site_directory | default(false)
From 97b48cc3d3bc0753bce98fb5affa91c0267bba35 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 21:19:21 -0500
Subject: [PATCH 656/663] chore(deps): update peter-evans/create-pull-request action to v8 (#1627)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
.github/workflows/wp-cli-version-check.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/wp-cli-version-check.yml b/.github/workflows/wp-cli-version-check.yml
index 055883ea79..7c081f4c5f 100644
--- a/.github/workflows/wp-cli-version-check.yml
+++ b/.github/workflows/wp-cli-version-check.yml
@@ -28,7 +28,7 @@ jobs:
sed -i "s/wp_cli_version: .*/wp_cli_version: ${{ steps.get-version.outputs.LATEST_VERSION }}/" roles/wp-cli/defaults/main.yml
- name: Create pull request
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@v8
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: Update WP-CLI version to ${{ steps.get-version.outputs.LATEST_VERSION }}
From 953bce5a0bad0a552f81952e2a3164e2b7a8d025 Mon Sep 17 00:00:00 2001
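Review bot: `become_method: sudo` is repeated on all three tasks in this file, and it only has an effect where `become` is already enabled on the task, which none of the three hunks show (each task's header starts outside its hunk). Setting it once on the `import_tasks`/`include_tasks` entry that pulls this file in, or wrapping the three tasks in a `block:` carrying `become_method: sudo`, would keep the override in one place. A hard-coded method also overrides whatever `ansible_become_method` a user set in inventory, so a short comment above the first occurrence preserving the commit's rationale, `# sudo keeps the UID/GID mapping intact on mounted dirs (e.g. LXD); overrides ansible_become_method`, would stop the next reader from removing it as redundant.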
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 16 Dec 2025 08:13:51 -0500
Subject: [PATCH 657/663] chore(deps): update actions/checkout action to v6 (#1626)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
.github/workflows/ci.yml | 2 +-
.github/workflows/integration.yml | 2 +-
.github/workflows/wp-cli-version-check.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e59dc87aba..51b7427915 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
matrix:
python-version: ['3.x']
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
- uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 8ed9cc79f6..bf32548037 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -25,7 +25,7 @@ jobs:
sudo apt-get remove --purge nginx*
sudo apt-get autoremove
sudo apt-get autoclean
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: actions/setup-python@v6
diff --git a/.github/workflows/wp-cli-version-check.yml b/.github/workflows/wp-cli-version-check.yml
index 7c081f4c5f..ef230fc092 100644
--- a/.github/workflows/wp-cli-version-check.yml
+++ b/.github/workflows/wp-cli-version-check.yml
@@ -13,7 +13,7 @@ jobs:
pull-requests: write
steps:
- name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
- name: Get latest WP-CLI version
id: get-version
From 0f5bc4255fe3cd6c63b5b35c00ef5b1e8093e3f9 Mon Sep 17 00:00:00 2001
From: Ben Word <ben@benword.com>
Date: Tue, 30 Dec 2025 17:17:51 -0600
Subject: [PATCH 658/663] Git branch: Default to main (#1629)

---
group_vars/production/wordpress_sites.yml | 2 +-
group_vars/staging/wordpress_sites.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml
index fc94943c51..168b36a385 100644
--- a/group_vars/production/wordpress_sites.yml
+++ b/group_vars/production/wordpress_sites.yml
@@ -11,7 +11,7 @@ wordpress_sites:
local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
repo: git@github.com:example/example.com.git # replace with your Git repo URL
repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo
- branch: master
+ branch: main
multisite:
enabled: false
ssl:
diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml
index bf588be06b..36d83199f2 100644
--- a/group_vars/staging/wordpress_sites.yml
+++ b/group_vars/staging/wordpress_sites.yml
@@ -11,7 +11,7 @@ wordpress_sites:
local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
repo: git@github.com:example/example.com.git # replace with your Git repo URL
repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo
- branch: master
+ branch: main
multisite:
enabled: false
ssl:
From 7377a7b356c2e021a79aa5fe421363279b5a9790 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 31 Dec 2025 14:39:30 -0500
Subject: [PATCH 659/663] chore(deps): update actions/cache action to v5 (#1628)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
.github/workflows/ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 51b7427915..f13c072c01 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -23,7 +23,7 @@ jobs:
architecture: x64
cache: 'pip'
- run: pip install -r requirements.txt
- - uses: actions/cache@v4
+ - uses: actions/cache@v5
with:
path: vendor
key: ${{ runner.os }}-galaxy-${{ hashFiles('galaxy.yml') }}
From 320cbd1721d2ebe58e372490a746df5e92d0a9cc Mon Sep 17 00:00:00 2001
From: Altan S <altansarisin@gmail.com>
Date: Wed, 31 Dec 2025 20:40:37 +0100
Subject: [PATCH 660/663] feat(plugins): deny access to .txt and .md files in plugin directories (#1625)

---
roles/wordpress-setup/templates/wordpress-site.conf.j2 | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index c792f77ef5..300a4265ca 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -170,6 +170,13 @@ server {
}
{% endblock %}
+ {% block plugin_theme_docs_files -%}
+ # Block .txt and .md files in plugins, mu-plugins, and themes directories to prevent version disclosure
+ location ~* /app/(plugins|mu-plugins|themes)/.+\.(txt|md)$ {
+ deny all;
+ }
+ {% endblock %}
+
{% block location_primary -%}
location / {
try_files $uri $uri/ /index.php?$args;
From 703c9f7c7413b75434096d252ffd3f1b7401676d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 12 Jan 2026 21:52:22 -0500
Subject: [PATCH 661/663] chore(deps): update dependency ntp to v4 (#1631)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
galaxy.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/galaxy.yml b/galaxy.yml
index ba6ae77132..cd134b8748 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -6,7 +6,7 @@ roles:
- name: ntp
src: geerlingguy.ntp
- version: 3.0.0
+ version: 4.0.0
- name: logrotate
src: nickhammond.logrotate
From a8b88f1d70545f7c138c5b2479b02c4eddde3ba9 Mon Sep 17 00:00:00 2001
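Review bot: The new `location ~* /app/(plugins|mu-plugins|themes)/.+\.(txt|md)$` is a regex location, and nginx picks the first regex `location` that matches in file order, so if a regex block earlier in this template already matches `.txt`/`.md` URIs (static-asset expires or caching rules are the usual culprit), that block wins and `deny all` never fires; confirming the rendered config with a request for a plugin `readme.txt` would settle it. `deny all` answers 403, which still reveals that the file exists, whereas `return 404;` makes a blocked file indistinguishable from a missing one. The comment above the block is helpful; adding that WordPress core's own `readme.html`/`license.txt` under the `/wp/` path of a Bedrock layout are not covered by this pattern would make the intended scope explicit.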
From: Scott Walkinshaw <scott.walkinshaw@gmail.com>
Date: Mon, 12 Jan 2026 22:59:10 -0500
Subject: [PATCH 662/663] Ansible 2.19 support (#1620)

* Sets ansible_python_interpreter to /usr/bin/python3 for CI tests running against localhost. This ensures Ansible uses system Python where apt-installed python3-pymysql is available, rather than the virtualenv Python which lacks MySQL libraries.
* Ansible 2.19's stricter templating no longer implicitly converts string dict literals to actual dicts. Use Jinja2's dict() constructor with zip() to properly build the letsencrypt_cert_ids dictionary.
* Ansible 2.19's stricter undefined handling causes errors when using 'is defined' on nested dict attributes that don't exist. Use the 'in' operator to safely check for optional keys in ssl and xmlrpc configs.
---
.github/files/inventory | 4 ++--
dev.yml | 4 ++--
requirements.txt | 1 -
roles/common/defaults/main.yml | 2 +-
roles/common/handlers/main.yml | 3 +++
roles/common/tasks/disable_challenge_sites.yml | 1 +
roles/common/tasks/main.yml | 12 ++++++------
roles/common/tasks/reload_nginx.yml | 2 ++
roles/letsencrypt/defaults/main.yml | 8 +++++++-
roles/letsencrypt/tasks/nginx.yml | 4 ++--
roles/mariadb/tasks/main.yml | 5 ++++-
roles/sshd/templates/ssh_config.j2 | 2 +-
roles/sshd/templates/sshd_config.j2 | 2 +-
roles/wordpress-install/tasks/main.yml | 2 ++
roles/wordpress-setup/tasks/database.yml | 1 +
roles/wordpress-setup/tasks/nginx-client-cert.yml | 2 +-
roles/wordpress-setup/tasks/nginx-includes.yml | 2 +-
roles/wordpress-setup/tasks/nginx.yml | 6 +++---
.../wordpress-setup/templates/wordpress-site.conf.j2 | 8 ++++----
server.yml | 6 +++---
20 files changed, 47 insertions(+), 30 deletions(-)

diff --git a/.github/files/inventory b/.github/files/inventory
index 87d5779a91..c3b78d3ee0 100644
--- a/.github/files/inventory
+++ b/.github/files/inventory
@@ -1,4 +1,4 @@ [production] -localhost ansible_connection=local +localhost ansible_connection=local ansible_python_interpreter=/usr/bin/python3 [web] -localhost ansible_connection=local +localhost ansible_connection=local ansible_python_interpreter=/usr/bin/python3 diff --git a/dev.yml b/dev.yml index e36905a2b5..4388cd55da 100644 --- a/dev.yml +++ b/dev.yml @@ -14,8 +14,8 @@ - { role: mailpit, tags: [mailpit, mailhog, mail] } - { role: php, tags: [php] } - { role: xdebug, tags: [php, xdebug] } - - { role: memcached, tags: [memcached], when: sites_using_memcached | count } - - { role: redis, tags: [redis], when: sites_using_redis | count } + - { role: memcached, tags: [memcached], when: sites_using_memcached | count > 0 } + - { role: redis, tags: [redis], when: sites_using_redis | count > 0 } - { role: nginx, tags: [nginx] } - { role: logrotate, tags: [logrotate] } - { role: composer, tags: [composer] } diff --git a/requirements.txt b/requirements.txt index 6ca4ad1de4..3d111fca09 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1 @@ ansible>=2.10.0 -ansible-core<2.19.0 diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 425a5c795f..6651ac5ec3 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -12,7 +12,7 @@ apt_packages_default: libnss-myhostname: "{{ apt_package_state }}" python3: "{{ apt_package_state }}" python3-software-properties: "{{ apt_package_state }}" - python3-mysqldb: "{{ apt_package_state }}" + python3-pymysql: "{{ apt_package_state }}" python3-pycurl: "{{ apt_package_state }}" unzip: "{{ apt_package_state }}" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 0b98ca248d..96c4a52c09 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml 
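Review bot: With `ansible-core<2.19.0` removed, `ansible>=2.10.0` is the only constraint left in requirements.txt, so a fresh `pip install -r requirements.txt` resolves to whatever the newest `ansible` release is at install time; the following commit on this page already records that Ansible 2.20 changed CLI output enough to break `ansible_user` detection. For a tool that runs with `become` against production hosts, a floor-only range is also a supply-chain exposure, since nothing ties the installed code to a version anyone reviewed. Consider keeping an upper bound alongside the floor, e.g. `ansible-core>=2.19,<2.21`, or a hash-pinned lock file for CI.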
@@ -6,15 +6,18 @@ service: name: memcached state: restarted + become: yes - name: reload php-fpm service: name: php{{ php_version }}-fpm state: reloaded + become: yes - name: restart journald service: name: systemd-journald state: restarted + become: yes - import_tasks: reload_nginx.yml diff --git a/roles/common/tasks/disable_challenge_sites.yml b/roles/common/tasks/disable_challenge_sites.yml index 32c12667e9..e7999fe65b 100644 --- a/roles/common/tasks/disable_challenge_sites.yml +++ b/roles/common/tasks/disable_challenge_sites.yml @@ -5,3 +5,4 @@ state: absent loop: "{{ wordpress_sites.keys() | list }}" notify: reload nginx + become: yes diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c427dc1b68..2c1a3e25ad 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -2,7 +2,7 @@ - name: Validate wordpress_sites fail: msg: "{{ lookup('template', 'wordpress_sites.j2') }}" - when: wordpress_sites.keys() | difference(vault_wordpress_sites.keys()) | count + when: wordpress_sites.keys() | difference(vault_wordpress_sites.keys()) | count > 0 tags: [wordpress] - name: Validate format of site_hosts @@ -11,7 +11,7 @@ loop: "{{ wordpress_sites | dict2items }}" loop_control: label: "{{ item.key }}" - when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count + when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count > 0 tags: [letsencrypt, wordpress] - name: Import PHP version specific vars @@ -29,7 +29,7 @@ - name: Verify dict format for package component variables fail: msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" - when: package_vars_wrong_format | count + when: package_vars_wrong_format | count > 0 vars: package_vars: apt_packages_default: "{{ apt_packages_default }}" 
@@ -40,20 +40,20 @@ php_extensions_custom: "{{ php_extensions_custom }}" sshd_packages_default: "{{ sshd_packages_default }}" sshd_packages_custom: "{{ sshd_packages_custom }}" - package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + package_vars_wrong_format: "{{ package_vars | dict2items | rejectattr('value', 'mapping') | map(attribute='key') | list }}" tags: [memcached, php, sshd] - name: Verify dict format for package combined variables fail: msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" - when: package_vars_wrong_format | count + when: package_vars_wrong_format | count > 0 vars: package_vars: apt_packages: "{{ apt_packages }}" memcached_packages: "{{ memcached_packages }}" php_extensions: "{{ php_extensions }}" sshd_packages: "{{ sshd_packages }}" - package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + package_vars_wrong_format: "{{ package_vars | dict2items | rejectattr('value', 'mapping') | map(attribute='key') | list }}" tags: [memcached, php, sshd] - name: Clean old APT sources diff --git a/roles/common/tasks/reload_nginx.yml b/roles/common/tasks/reload_nginx.yml index 9d30718aa9..f11305fb0e 100644 --- a/roles/common/tasks/reload_nginx.yml +++ b/roles/common/tasks/reload_nginx.yml @@ -3,8 +3,10 @@ command: nginx -t notify: "{{ (role_path | basename == 'common') | ternary('perform nginx reload', omit) }}" changed_when: true + become: yes - name: perform nginx reload service: name: nginx state: reloaded + become: yes diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 965a286124..4c7ca84aaa 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -1,7 +1,13 @@ sites_using_letsencrypt: "{{ (wordpress_sites | select_sites('ssl.enabled', 'true') | select_sites('ssl.provider', 'eq', 'letsencrypt')).keys() | list }}" site_uses_letsencrypt: "{{ (ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt') | bool }}" missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" -letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" +letsencrypt_cert_ids: >- + {{ dict((generate_cert_ids | default({'results':[]})).results + | selectattr('stdout', 'defined') + | map(attribute='item.key') + | zip((generate_cert_ids | default({'results':[]})).results + | selectattr('stdout', 'defined') + | map(attribute='stdout'))) }} acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' acme_tiny_commit: '1b61d3001cb9c11380557ffebda5d358ce64375c' diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 229f6ff4b2..3cf03f006f 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -24,7 +24,7 @@ register: challenge_site_confs when: - site_uses_letsencrypt - - missing_hosts | count + - missing_hosts | count > 0 loop: "{{ wordpress_sites | dict2items }}" loop_control: label: "{{ item.key }}" @@ -37,7 +37,7 @@ register: challenge_sites_enabled when: - site_uses_letsencrypt - - missing_hosts | count + - missing_hosts | count > 0 loop: "{{ wordpress_sites | dict2items }}" loop_control: label: "{{ item.key }}" diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 723bf0e2da..1c1f978503 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
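Review bot: The new `letsencrypt_cert_ids` expression runs the same `results | selectattr('stdout', 'defined')` chain twice, once for the keys and once for the values, and depends on both passes returning the same order for `zip` to line up; that holds because the filters are deterministic, but it is easy to break when one side is edited. Computing the filtered list once — e.g. a helper default `letsencrypt_cert_results: "{{ (generate_cert_ids | default({'results':[]})).results | selectattr('stdout', 'defined') | list }}"` and then `{{ dict(letsencrypt_cert_results | map(attribute='item.key') | zip(letsencrypt_cert_results | map(attribute='stdout'))) }}` — ties both sides to one list. A result with `stdout` defined but empty (a failed-but-ignored command, if the registering task permits that; not visible here) would map its site to an empty cert id, as the previous `is not skipped` form also did.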
@@ -57,7 +57,9 @@ host: "{{ item }}" password: "{{ mysql_root_password }}" check_implicit_admin: yes + column_case_sensitive: no state: present + login_unix_socket: /var/run/mysqld/mysqld.sock no_log: true loop: - "{{ inventory_hostname }}" @@ -67,9 +69,10 @@ - name: Delete anonymous MySQL server users mysql_user: - user: "" + name: "" host: "{{ item }}" state: absent + column_case_sensitive: no no_log: true loop: - localhost diff --git a/roles/sshd/templates/ssh_config.j2 b/roles/sshd/templates/ssh_config.j2 index 488b188e96..03910f3e07 100644 --- a/roles/sshd/templates/ssh_config.j2 +++ b/roles/sshd/templates/ssh_config.j2 @@ -17,7 +17,7 @@ Host * KexAlgorithms {{ (ssh_kex_algorithms_default | default(sshd_kex_algorithms_default) + ssh_kex_algorithms_extra | default(sshd_kex_algorithms_extra)) | join(',') }} MACs {{ (ssh_macs_default | default(sshd_macs_default) + ssh_macs_extra | default(sshd_macs_extra)) | join(',') }} PasswordAuthentication {{ ssh_password_authentication | default(sshd_password_authentication) | ternary('yes', 'no') }} - {% if ssh_send_env | count %} + {% if ssh_send_env | count > 0 %} SendEnv {{ ssh_send_env | join(' ') }} {% endif -%} StrictHostKeyChecking {{ ssh_strict_host_key_checking }} diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index 47af53e470..d4371fd4b2 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -13,7 +13,7 @@ ListenAddress {{ address }} Protocol {{ sshd_protocol }} -{% if sshd_accept_env | count %} +{% if sshd_accept_env | count > 0 %} AcceptEnv {{ sshd_accept_env | join(' ') }} {% endif -%} AllowAgentForwarding {{ sshd_allow_agent_forwarding | ternary('yes', 'no') }} diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 6119154b47..9f1f7beaec 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml 
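Review bot: The root-password task now authenticates through `login_unix_socket: /var/run/mysqld/mysqld.sock`, but the `Delete anonymous MySQL server users` task in the second hunk received only `column_case_sensitive: no` and still carries no login parameters. After the root password has just been (re)set by the task above, that second task relies on whatever credentials the module finds implicitly (presumably a `.my.cnf`; not visible in this hunk), so if those are absent or stale the anonymous-account cleanup fails instead of running. Adding `login_unix_socket: /var/run/mysqld/mysqld.sock` there as well keeps both tasks on the same auth path, and the socket path is worth hoisting into a role default such as `mysql_unix_socket` rather than repeating the literal. The surrounding task list continues outside both hunks.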
@@ -65,6 +65,8 @@ args: chdir: "{{ www_root }}/{{ item.item.key }}/{{ item.item.value.current_path | default('current') }}/" loop: "{{ wp_install.results }}" + loop_control: + label: "{{ item.item.key }}" when: item is changed - name: Update WP Multisite Home URL diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index 4fed3d97c1..f238b977a3 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -23,6 +23,7 @@ login_host: "{{ site_env.db_host }}" login_user: "{{ mysql_root_user }}" login_password: "{{ mysql_root_password }}" + column_case_sensitive: no no_log: true loop: "{{ wordpress_sites | dict2items }}" loop_control: diff --git a/roles/wordpress-setup/tasks/nginx-client-cert.yml b/roles/wordpress-setup/tasks/nginx-client-cert.yml index 7e11e90de8..c6f7a6e03f 100644 --- a/roles/wordpress-setup/tasks/nginx-client-cert.yml +++ b/roles/wordpress-setup/tasks/nginx-client-cert.yml @@ -7,4 +7,4 @@ loop: "{{ wordpress_sites | dict2items }}" loop_control: label: "{{ item.key }}" - when: ssl_enabled and item.value.ssl.client_cert_url is defined + when: ssl_enabled and 'client_cert_url' in item.value.ssl diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 135eb77614..703915c720 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -31,7 +31,7 @@ map('regex_replace', nginx_includes_pattern, '\\2') | map('dirname') | unique | list | sort }}" - when: nginx_includes_templates.files | count + when: nginx_includes_templates.files | count > 0 - name: Template files out to includes.d template: diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index 9f81d32c23..183bf9b91f 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml 
@@ -7,7 +7,7 @@ loop: "{{ wordpress_sites | dict2items }}" loop_control: label: "{{ item.key }}" - when: ssl_enabled and item.value.ssl.cert is defined + when: ssl_enabled and 'cert' in item.value.ssl notify: reload nginx - name: Copy SSL key @@ -18,7 +18,7 @@ loop: "{{ wordpress_sites | dict2items }}" loop_control: label: "{{ item.key }}" - when: ssl_enabled and item.value.ssl.key is defined + when: ssl_enabled and 'key' in item.value.ssl notify: reload nginx - import_tasks: "{{ playbook_dir }}/roles/common/tasks/disable_challenge_sites.yml" @@ -48,8 +48,8 @@ src: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" state: link force: yes - when: item.enabled | default(true) loop: "{{ nginx_sites_confs }}" + when: item.enabled | default(true) notify: reload nginx tags: nginx-sites diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 300a4265ca..d1d67232d8 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -89,12 +89,12 @@ server { add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('equalto', omit) | join('; ') | trim }}"; {% endif -%} - {% if item.value.ssl.client_cert_url is defined -%} + {% if 'client_cert_url' in item.value.ssl -%} ssl_verify_client on; ssl_client_certificate {{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt; {% endif -%} - {% if item.value.ssl.provider | default('manual') == 'manual' and item.value.ssl.cert is defined and item.value.ssl.key is defined -%} + {% if item.value.ssl.provider | default('manual') == 'manual' and 'cert' in item.value.ssl and 'key' in item.value.ssl -%} ssl_certificate {{ nginx_path }}/ssl/{{ item.value.ssl.cert | basename }}; ssl_certificate_key {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }}; 
@@ -184,7 +184,7 @@ server { {% endblock %} {% block disable_xmlrpc -%} - {% if item.value.xmlrpc.enabled is defined and item.value.xmlrpc.enabled == false %} + {% if 'xmlrpc' in item.value and item.value.xmlrpc.enabled | default(true) == false %} location ~* xmlrpc\.php$ { return 444; } @@ -294,7 +294,7 @@ server { {% endblock -%} {%- block redirects_domains %} -{% if site_hosts_redirects | default([]) | count %} +{% if site_hosts_redirects | default([]) | count > 0 %} # Redirect some domains {% endif %} {% for host in item.value.site_hosts if host.redirects | default([]) %} diff --git a/server.yml b/server.yml index d30eb2f88b..47da811172 100644 --- a/server.yml +++ b/server.yml @@ -24,11 +24,11 @@ - { role: mariadb, tags: [mariadb] } - { role: ssmtp, tags: [ssmtp, mail] } - { role: php, tags: [php] } - - { role: memcached, tags: [memcached], when: sites_using_memcached | count } - - { role: redis, tags: [redis], when: sites_using_redis | count } + - { role: memcached, tags: [memcached], when: sites_using_memcached | count > 0 } + - { role: redis, tags: [redis], when: sites_using_redis | count > 0 } - { role: nginx, tags: [nginx] } - { role: logrotate, tags: [logrotate] } - { role: composer, tags: [composer] } - { role: wp-cli, tags: [wp-cli] } - - { role: letsencrypt, tags: [letsencrypt], when: sites_using_letsencrypt | count } + - { role: letsencrypt, tags: [letsencrypt], when: sites_using_letsencrypt | count > 0 } - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] } From fe21a3550b45e7666b575a1980e6a4dcaa0d1350 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 16 Jan 2026 08:25:45 -0500 Subject: [PATCH 663/663] Fix `ansible_user` detection condition (#1635) The previous solution relied on matching against ANSI control codes which was brittle. This broke (again) on Ansible 2.20 because color codes are now displayed which breaks this `intersect` substring match expression. The simpler solution is to just check for the Ansible `CHANGED` output which means the raw command and connection succeeded. --- roles/connection/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 5bbbf6eee9..73c2f018d6 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -43,7 +43,7 @@ - block: - name: Set remote user for each host set_fact: - ansible_user: "{{ ansible_user | default((connection_status.stdout_lines | intersect(['root', '\e[0;32mroot', '\e[0;33mroot']) | count) | ternary('root', admin_user)) }}" + ansible_user: "{{ ansible_user | default(('| CHANGED |' in connection_status.stdout) | ternary('root', admin_user)) }}" check_mode: no - name: Announce which user was selected
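Review bot: The decision to operate as `root` now rests on the literal `| CHANGED |` appearing in `connection_status.stdout`, which is Ansible's human-readable callback rendering rather than a machine signal; it is less brittle than the ANSI-code match it replaces, but a different stdout callback, `ANSIBLE_CALLBACK_RESULT_FORMAT`, or a future wording change would silently flip every host to `admin_user`. A sturdier option is to pin the probe's output environment in the task that registers `connection_status` (`environment: { ANSIBLE_NOCOLOR: "1", ANSIBLE_FORCE_COLOR: "0", ANSIBLE_STDOUT_CALLBACK: default }`) or to have that probe expose a return code and branch on `connection_status.rc == 0` instead of text. That registering task sits outside this hunk, so the exact shape depends on how the probe is invoked there.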