From ac336ee512a2130934892a56d4cc4314e821060c Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Sun, 22 Apr 2018 17:59:56 -0700 Subject: [PATCH 001/416] Add xdebug.remote_autostart to simplify xdebug sessions --- group_vars/development/php.yml | 1 + roles/xdebug/defaults/main.yml | 1 + roles/xdebug/templates/xdebug.ini.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 7b9af47888..8df88dc533 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -7,3 +7,4 @@ php_opcache_enable: 0 xdebug_remote_enable: 1 xdebug_remote_connect_back: 1 +xdebug_remote_autostart: 1 diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index b210759a30..3efa2ccfb2 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -3,6 +3,7 @@ php_xdebug_package: php-xdebug # XDebug Remote Debugging xdebug_remote_enable: 0 xdebug_remote_connect_back: 0 +xdebug_remote_autostart: 0 xdebug_remote_host: localhost xdebug_remote_port: 9000 xdebug_remote_log: /tmp/xdebug.log diff --git a/roles/xdebug/templates/xdebug.ini.j2 b/roles/xdebug/templates/xdebug.ini.j2 index 72435a2bf8..3490bc1d9b 100644 --- a/roles/xdebug/templates/xdebug.ini.j2 +++ b/roles/xdebug/templates/xdebug.ini.j2 @@ -6,6 +6,7 @@ zend_extension=xdebug.so ; Remote Debugging xdebug.remote_enable={{ xdebug_remote_enable }} xdebug.remote_connect_back={{ xdebug_remote_connect_back }} +xdebug.remote_autostart={{ xdebug_remote_autostart }} xdebug.remote_host={{ xdebug_remote_host }} xdebug.remote_port={{ xdebug_remote_port }} xdebug.remote_handler=dbgp From 9d5b3c5b5ac73fa34de7043c4d6af7ad52daf967 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 24 Apr 2018 09:57:57 -0600 Subject: [PATCH 002/416] Update logrotate doc URL [ci skip] --- group_vars/all/logrotate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
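Review bot: In `group_vars/development/php.yml` the added `xdebug_remote_autostart: 1` sits next to `xdebug_remote_connect_back: 1`, and together they make Xdebug attempt a debugger connection back to the requesting client on every PHP request, with no session trigger needed. Connect-back mode takes the target address from the request and applies no filter, so this pairing is only appropriate on an isolated development VM. The role default of `0` in `roles/xdebug/defaults/main.yml` is the right safe default. I would add a comment above the new line, such as `# Development only: with remote_connect_back, every request from any client starts a debug connection`.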
diff --git a/group_vars/all/logrotate.yml b/group_vars/all/logrotate.yml index 438947254c..c6d24962c6 100644 --- a/group_vars/all/logrotate.yml +++ b/group_vars/all/logrotate.yml @@ -1,4 +1,4 @@ -# Documentation: https://galaxy.ansible.com/list#/roles/1117 +# Documentation: https://github.com/nickhammond/ansible-logrotate logrotate_scripts: - name: wordpress-sites path: "{{ www_root }}/**/logs/*.log" From 6f2fff5e24772de9311e4a4bf54a9000416d17ea Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Wed, 25 Apr 2018 09:53:08 -0300 Subject: [PATCH 003/416] Update WP-CLI to 1.5.1. --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 7390b123bd..0430d8cf2f 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.5.0 +wp_cli_version: 1.5.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From e3dff5f012f752a2e9be41f8e9df6dcca9073227 Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Wed, 25 Apr 2018 09:54:38 -0300 Subject: [PATCH 004/416] Update changelog. [ci skip] --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bad3e4d3a1..4709a091f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) * Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) From 221ef605780f6b5ada034ddaeadfa29ab35e0a83 Mon Sep 17 00:00:00 2001 
From: jeremy Date: Fri, 27 Apr 2018 07:18:44 -0700 Subject: [PATCH 005/416] Update geerlingguy.composer 1.6.1->1.7.0 (#983) Update from `1.6.1` -> `1.7.0` which addresses #943 ([DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated.) --- CHANGELOG.md | 1 + requirements.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4709a091f2..cd12d3525b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) diff --git a/requirements.yml b/requirements.yml index a5dbaf621d..69d229acd6 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,6 @@ - name: composer src: geerlingguy.composer - version: 1.6.1 + version: 1.7.0 - name: ntp src: geerlingguy.ntp From 51bf9984ffc36cc9502d315c796ce068d95b8ec7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Apr 2018 08:48:46 -0600 Subject: [PATCH 006/416] Update geerlingguy.ntp 1.5.2->1.6.0 (#984) Avoids deprecation warnings introduced in Ansible 2.4: "The use of 'include' for tasks has been deprecated." --- CHANGELOG.md | 1 + requirements.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd12d3525b..0fe1e5e105 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) * Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) diff --git a/requirements.yml b/requirements.yml index 69d229acd6..eb6c001e06 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 1.5.2 + version: 1.6.0 - name: logrotate src: nickhammond.logrotate From ee8c43762a1076bccbe4f7463074d0d913630055 Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Fri, 27 Apr 2018 08:05:01 -0700 Subject: [PATCH 007/416] Enable nginx to start on boot (#980) --- CHANGELOG.md | 1 + roles/nginx/tasks/main.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fe1e5e105..f18678f700 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) * Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) * Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index e38d61f526..3f0202792c 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -43,3 +43,10 @@ path: "{{ nginx_path }}/sites-enabled/default" state: absent notify: reload nginx + +- name: Enable Nginx to start on boot + service: + name: nginx + enabled: yes + state: started + use: service From 67e2bc585e31c1142035d7b67a6e38aba6946330 Mon Sep 17 00:00:00 2001 
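Review bot: The added task in `roles/nginx/tasks/main.yml` sets `use: service` without saying why, which forces a specific service backend instead of letting Ansible auto-detect the init system. A one-line comment above it, such as `# use: service -- <reason auto-detection is bypassed>`, would keep a later maintainer from removing it as redundant. `enabled: yes` also relies on YAML 1.1 truthy parsing; `enabled: true` is the unambiguous spelling.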
From: Nathaniel Schweinberg Date: Sun, 29 Apr 2018 14:44:59 -0700 Subject: [PATCH 008/416] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bad3e4d3a1..d29016b224 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) * Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) From 38e3b7a152719b2d7a08f094901e86e4c439e23c Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 3 May 2018 13:23:56 -0600 Subject: [PATCH 009/416] 'yarn run' -> 'yarn' [ci skip] --- deploy-hooks/build-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 6c483c3f75..bfad9d6847 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -19,7 +19,7 @@ # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # # - name: Compile assets for production -# command: yarn run build:production +# command: yarn build:production # connection: local # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" From c6b258e5d938f9154911a6768f1bd38292a89d4b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 6 May 2018 15:32:52 -0600 Subject: [PATCH 010/416] Issue warning for all Ubuntu releases that are not Xenial (#986) --- roles/common/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 7248ce50da..94eaa73e0d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -78,8 +78,7 @@ Development via Vagrant: `vagrant destroy && vagrant up` Staging/Production: Create a new server with Ubuntu 16.04 and provision - when: ansible_distribution_release == 'trusty' - run_once: true + when: ansible_distribution_release != 'xenial' - name: Check whether passlib is needed fail: From 46d6a2a92b79816592af5d3af1fafd218aa3533f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 6 May 2018 15:33:16 -0600 Subject: [PATCH 011/416] Clarify that changelog entry indicates Trellis version (#987) --- lib/trellis/utils/output.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index cfb19176ad..9bcd31c992 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -29,7 +29,7 @@ def system(vagrant_version=None): else: change = re.search(r'^\*\s?(\[BREAKING\])?([^\(\n\[]+)', str, re.M|re.I) if change is not None: - changelog_msg = '\n Trellis at "{0}"'.format(change.group(2).strip()) + changelog_msg = '\n Trellis version (per changelog): "{0}"'.format(change.group(2).strip()) # Vagrant info, if available vagrant = ' Vagrant {0};'.format(vagrant_version) if vagrant_version else '' From b556ccdb2b3183eba4a9530b206a402422deeca3 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 6 May 2018 15:33:44 -0600 Subject: [PATCH 012/416] Validate python version on control machine (#988) --- lib/trellis/plugins/vars/version.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index d2a296aebf..df943b9f26 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -6,6 +6,7 @@ from ansible.errors import AnsibleError from distutils.version import LooseVersion from operator import ge, gt +from sys import version_info try: from __main__ import display 
@@ -13,6 +14,10 @@ from ansible.utils.display import Display display = Display() +if version_info[0] > 2: + raise AnsibleError(('Trellis does not yet support Python {}.{}.{}. \n' + 'Please use Python 2.7.').format(version_info[0], version_info[1], version_info[2])) + version_requirement = '2.4.0.0' version_tested_max = '2.4.3.0' From 60b38c0afc2b129ee23cba46451d4d8a0d712f46 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 18 May 2018 18:41:13 +0800 Subject: [PATCH 013/416] Common: Install `git` instead of `git-core` Because `git-core` is now a dummy package of `git`. See: http://git.661346.n2.nabble.com/git-core-vs-git-package-on-ubuntu-tp7576083p7576085.html --- CHANGELOG.md | 1 + roles/common/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91e16ce907..786005e2f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) * Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 5e92f1487f..f34f62e723 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -26,7 +26,7 @@ apt_packages_default: build-essential: "{{ apt_package_state }}" python-mysqldb: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" - git-core: "{{ apt_package_state }}" + git: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" From e3315fef63f290757e5ab249c96c01dadb84a8c2 Mon Sep 17 00:00:00 2001 
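Review bot: The guard `if version_info[0] > 2:` in `lib/trellis/plugins/vars/version.py` rejects only Python 3, so a control machine on Python 2.6 passes the check even though the error text tells the user to use Python 2.7. If 2.7 is the only supported interpreter, comparing the major/minor pair states that directly: `if version_info[:2] != (2, 7):`. The module-level code around the check continues outside the hunk.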
From: Phil Nelson Date: Sat, 19 May 2018 17:31:14 -0600 Subject: [PATCH 014/416] Add CSP frame-ancestors, make X-Frame-Options conditional (#977) The X-Frame-Options header has been obsoleted by the frame-ancestors directive. Retain the X-Frame-Options header for older browsers. Return empty X-Frame-Options header for WordPress Customizer content to prevent the conflict that SAMEORIGIN would have with the ALLOW-FROM option that WordPress adds on its own (Safari browser). Discussion in https://core.trac.wordpress.org/ticket/40020 --- CHANGELOG.md | 1 + .../h5bp/directive-only/extra-security.conf | 2 +- .../templates/wordpress-site.conf.j2 | 14 ++++++++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 786005e2f4..3390c67e7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) diff --git a/roles/nginx/templates/h5bp/directive-only/extra-security.conf b/roles/nginx/templates/h5bp/directive-only/extra-security.conf index 0ac46aa295..eb10e06ca4 100644 --- a/roles/nginx/templates/h5bp/directive-only/extra-security.conf +++ b/roles/nginx/templates/h5bp/directive-only/extra-security.conf @@ -1,6 +1,6 @@ # The X-Frame-Options header indicates whether a browser should be allowed # to render a page within a frame or iframe. -add_header X-Frame-Options SAMEORIGIN always; +# add_header X-Frame-Options SAMEORIGIN always; # MIME type sniffing security protection # There are very few edge cases where you wouldn't want this enabled. 
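Review bot: Commenting out `add_header X-Frame-Options SAMEORIGIN always;` in `extra-security.conf` removes the header from every server block that includes this file, while the replacement is only emitted by `wordpress-site.conf.j2` when `nginx_embed_security` is true. Any vhost or custom template that includes this file without that block would then send no framing restriction; whether such vhosts exist is not visible from this hunk. The remaining comment still describes the header as if it were set here, so I would replace it with one that says where it now lives, for example `# X-Frame-Options is set per site in wordpress-site.conf.j2 (block embed_security); re-enable here for other vhosts`.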
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index d7a584bec1..ec074aaca1 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -161,6 +161,20 @@ server { {% endblock %} + {% block embed_security -%} + {% if item.value.nginx_embed_security | default(nginx_embed_security | default(true)) -%} + add_header Content-Security-Policy "frame-ancestors 'self'" always; + + # Conditional X-Frame-Options until https://core.trac.wordpress.org/ticket/40020 is resolved + set $x_frame_options SAMEORIGIN; + if ($arg_customize_changeset_uuid) { + set $x_frame_options ""; + } + add_header X-Frame-Options $x_frame_options always; + + {% endif -%} + {% endblock -%} + {% block location_php -%} location ~ \.php$ { {% block location_php_basic -%} From 8aa18e9bfd5747f5b5d8209b4a44534ad9359d8d Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 19 May 2018 19:08:12 -0600 Subject: [PATCH 015/416] Improve failed_when rule for Wordpress Installed check (#991) In rare cases the wp_installed registered var may be missing the stderr attribute, so add a default to avoid related error. The `wp core is-installed` command return code is 1 if WP is simply not installed. However, in rare cases the command may return some other return code indicative of true failure, so fail if rc > 1. --- roles/deploy/hooks/finalize-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index dd23480bb1..29ee76cc8a 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
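Review bot: The `if ($arg_customize_changeset_uuid)` test keys on a client-supplied query argument, so the `X-Frame-Options` fallback is omitted for any URL that carries that parameter, not only for genuine Customizer previews. `Content-Security-Policy "frame-ancestors 'self'"` is still sent, so the gap affects only browsers without `frame-ancestors` support, but that is the population the fallback is kept for. I would state the trade-off in the existing comment, e.g. `# X-Frame-Options is omitted whenever customize_changeset_uuid is present; frame-ancestors is then the only framing control`. It is also worth confirming that no `location` block in this template declares its own `add_header`, since nginx then stops inheriting these server-level headers there. The `server` block starts and ends outside the hunk.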
@@ -10,7 +10,7 @@ chdir: "{{ deploy_helper.new_release_path }}" register: wp_installed changed_when: false - failed_when: wp_installed.stderr != "" + failed_when: wp_installed.stderr | default("") != "" or wp_installed.rc > 1 - name: Get WP theme template and stylesheet roots shell: > From c3e59f3221a896fe44fa4956df9c74137cb0aaa9 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 20 May 2018 09:13:10 +0800 Subject: [PATCH 016/416] deploy.sh: Return non-zero exit code when misuse (#990) - Exit with `127` when not enough arguments - Exit with `1` when hosts file not exist See: http://www.tldp.org/LDP/abs/html/exitcodes.html --- CHANGELOG.md | 1 + bin/deploy.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3390c67e7a..7d9fc5a222 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) diff --git a/bin/deploy.sh b/bin/deploy.sh index 79d72c37d4..0b346e8e34 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh @@ -21,7 +21,7 @@ Examples: " } -[[ $# -lt 2 ]] && { show_usage; exit 0; } +[[ $# -lt 2 ]] && { show_usage; exit 127; } for arg do @@ -39,7 +39,7 @@ if [[ ! -e $HOSTS_FILE ]]; then echo echo "Available environments:" ( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" ) - exit 0 + exit 1 fi $DEPLOY_CMD From c06894054b9aea5c8393c78a49ff92ee5ddf8997 Mon Sep 17 00:00:00 2001 
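Review bot: Exit status 127 is the code the shell itself returns for "command not found", so in the first `bin/deploy.sh` hunk `exit 127` makes a usage error indistinguishable from a missing script for any wrapper or CI job that inspects `$?`. A usage error is conventionally `2` (or `64`, EX_USAGE), so I would write `[[ $# -lt 2 ]] && { show_usage; exit 2; }`. The `exit 1` for a missing hosts file in the second hunk is fine as it stands.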
From: Phil Nelson Date: Sat, 19 May 2018 20:33:26 -0600 Subject: [PATCH 017/416] Skip Acme Challenge failure message for non-failed sites (#993) --- roles/letsencrypt/tasks/nginx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 298524cc07..fa564947dc 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -60,5 +60,5 @@ Make sure that a valid DNS record exists for {{ item.failed_hosts | join(', ') }} and that they point to this server's IP. If you don't want these domains in your SSL certificate, then remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more details. - when: not item | skipped and letsencrypt_test_challenges | failed + when: item is not skipped and item is failed with_items: "{{ letsencrypt_test_challenges.results }}" From 30ae7fe95370b24b955f971f90b3c8fe99d6473f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 20 May 2018 13:01:51 -0600 Subject: [PATCH 018/416] Bump Ansible version_tested_max to 2.5.3 (#981) * Bump Ansible version_tested_max to 2.5.3 Convert Jinja2 tests from filter format to `var is testname` format. Encourage users on Ansible 2.5.0 to upgrade to avoid erroneous warnings fixed in ansible/ansible 37538 --- CHANGELOG.md | 1 + deploy.yml | 2 +- lib/trellis/plugins/vars/version.py | 8 ++++++-- roles/common/defaults/main.yml | 2 +- roles/connection/defaults/main.yml | 2 +- roles/connection/tasks/main.yml | 2 +- roles/deploy/hooks/finalize-before.yml | 2 +- roles/deploy/tasks/update.yml | 2 +- roles/letsencrypt/defaults/main.yml | 2 +- roles/letsencrypt/tasks/nginx.yml | 2 +- roles/users/tasks/main.yml | 2 +- roles/wordpress-install/tasks/main.yml | 2 +- roles/xdebug-tunnel/tasks/main.yml | 4 ++-- server.yml | 2 +- vagrant.default.yml | 2 +- 15 files changed, 21 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d9fc5a222..ac328cd77a 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) * deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) diff --git a/deploy.yml b/deploy.yml index 308c5bc4f0..e391a1b641 100644 --- a/deploy.yml +++ b/deploy.yml @@ -28,6 +28,6 @@ Ensure that your site's `repo` variable is defined in `group_vars/{{ env }}/wordpress_sites.yml` and uses the SSH format (example: git@github.com:roots/bedrock.git) More info: > https://roots.io/trellis/docs/deploys/ - when: project.repo is not defined or not project.repo | match("^ssh://.+@.+|.+@.+:.+") + when: project.repo is not defined or project.repo is not match("^ssh://.+@.+|.+@.+:.+") roles: - deploy diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index df943b9f26..ada7aeaf63 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -5,7 +5,7 @@ from ansible import __version__ from ansible.errors import AnsibleError from distutils.version import LooseVersion -from operator import ge, gt +from operator import eq, ge, gt from sys import version_info try: @@ -19,7 +19,7 @@ 'Please use Python 2.7.').format(version_info[0], version_info[1], version_info[2])) version_requirement = '2.4.0.0' -version_tested_max = '2.4.3.0' +version_tested_max = '2.5.3' if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 
@@ -29,6 +29,10 @@ u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) +if eq(LooseVersion(__version__), LooseVersion('2.5.0')): + display.warning(u'You Ansible version is {}. Consider upgrading your Ansible version to avoid ' + u'erroneous warnings such as `Removed restricted key from module data...`'.format(__version__)) + # Import BaseVarsPlugin after Ansible version check. # Otherwise import error for Ansible versions older than 2.4 would prevent display of version check message. from ansible.plugins.vars import BaseVarsPlugin diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index f34f62e723..c97104a18e 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -33,7 +33,7 @@ apt_packages_default: apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" -openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.8', '>=') }}" +openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.8', '>=') }}" overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" overlapping_kex: "[{% for kex in (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) if kex in ssh_client_kex %}'{{ kex }}',{% endfor %}]" overlapping_macs: "[{% for mac in (sshd_macs_default + sshd_macs_extra) if mac in ssh_client_macs %}'{{ mac }}',{% endfor %}]" diff --git a/roles/connection/defaults/main.yml b/roles/connection/defaults/main.yml index f6c42a8444..70219ac2e1 100644 --- a/roles/connection/defaults/main.yml +++ b/roles/connection/defaults/main.yml 
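Review bot: The new warning string in `lib/trellis/plugins/vars/version.py` reads `You Ansible version is {}`; it should be `Your Ansible version is {}`. The message is shown to every user on 2.5.0, so the wording is worth fixing before it ships.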
@@ -1,5 +1,5 @@ ansible_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ansible_host + ' > /dev/null 2>&1 && echo True || echo False') }}" ssh_config_host: "{{ lookup('pipe', 'ssh -G ' + ansible_host + ' 2>/dev/null | grep \"^hostname\" ||:') | regex_replace('^hostname ([^\\s]+)', '\\1') }}" ssh_config_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ssh_config_host + ' > /dev/null 2>&1 && echo True || echo False') }}" -openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.5', '>=') }}" +openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.5', '>=') }}" host_key_algorithms: "{{ openssh_6_5_plus | ternary('ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa', 'ssh-rsa-cert-v01@openssh.com,ssh-rsa') }}" diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 92ba31315d..de07be3538 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -60,7 +60,7 @@ debug: msg: | Note: Ansible will attempt connections as user = {{ ansible_user }} - {% if not preferred_host_key_algorithms | skipped %} + {% if preferred_host_key_algorithms is not skipped %} Note: The host `{{ ansible_host }}` was not detected in known_hosts so Trellis prompted the host to offer a key type that will work with diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 29ee76cc8a..4c46ed35ea 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
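Review bot: The lines next to the edited one in `roles/connection/defaults/main.yml` build local shell commands by concatenating `ansible_host` and `ssh_config_host` into `lookup('pipe', ...)` without quoting, and this commit touches the block without addressing it. Those values normally come from the operator's own inventory and ssh config, so the exposure is limited. Even so, a hostname containing shell metacharacters would be interpreted by the shell on the control machine. Passing them through the `quote` filter closes that off, e.g. `lookup('pipe', 'ssh-keygen -F ' + (ansible_host | quote) + ...)`. The switch to `is version_compare` itself looks correct.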
@@ -23,7 +23,7 @@ chdir: "{{ deploy_helper.current_path }}" register: wp_template_root changed_when: false - failed_when: not wp_template_root.stderr | default('') | match("(|.*Could not get '" + item + "' option\. Does it exist\?)") + failed_when: wp_template_root.stderr | default('') is not match("(|.*Could not get '" + item + "' option\. Does it exist\?)") when: - wp_installed.rc == 0 - project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 672784b3f8..0a456b0b10 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -49,7 +49,7 @@ More info: > https://roots.io/trellis/docs/deploys/#ssh-keys > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding - when: git_clone | failed + when: git_clone is failed - include_tasks: "{{ include_path }}" with_items: "{{ deploy_update_after | default([]) }}" diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 2bd7b12805..52b628fc7a 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -1,7 +1,7 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" site_uses_letsencrypt: ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" -letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" +letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' acme_tiny_commit: '4ed13950c0a9cf61f1ca81ff1874cde1cf48ab32' diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index fa564947dc..c0578e4933 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -36,7 +36,7 @@ notify: disable temporary challenge sites - import_tasks: "{{ playbook_dir }}/roles/common/tasks/reload_nginx.yml" - when: challenge_site_confs | changed or challenge_sites_enabled | changed + when: challenge_site_confs is changed or challenge_sites_enabled is changed - name: Create test Acme Challenge file shell: touch {{ acme_tiny_challenges_directory }}/ping.txt diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index e1487bc5c6..a9313429fe 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml 
@@ -67,5 +67,5 @@ tags: [connection-tests, sshd] - import_tasks: connection-warnings.yml - when: not admin_user_status | skipped and admin_user_status.rc != 0 + when: admin_user_status is not skipped and admin_user_status.rc != 0 tags: [connection-tests, sshd] diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 060f386d76..58b1f88f95 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -68,7 +68,7 @@ args: chdir: "{{ www_root }}/{{ item.item.key }}/{{ item.item.value.current_path | default('current') }}/" with_items: "{{ wp_install.results }}" - when: item | changed + when: item is changed - name: Update WP Multisite Home URL command: wp option update home {{ site_env.wp_home }} --allow-root diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index b015c11099..9147f73733 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -20,9 +20,9 @@ SSH tunnel already closed! {% endif %} {{ xdebug_tunnel.stderr | default('Unknown error in handling Xdebug SSH tunnel') }} - when: xdebug_tunnel | failed or 'already' in xdebug_tunnel.stderr | default('') + when: xdebug_tunnel is failed or 'already' in xdebug_tunnel.stderr | default('') - name: Announce Xdebug SSH tunnel status debug: msg: SSH Tunnel was {{ xdebug_remote_enable | bool | ternary('created', 'closed') }}! - when: xdebug_tunnel | changed + when: xdebug_tunnel is changed diff --git a/server.yml b/server.yml index d4fb1b00c3..ac86b53f93 100644 --- a/server.yml +++ b/server.yml 
@@ -17,7 +17,7 @@ - name: Install Python 2.x raw: which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson register: python_check - changed_when: not python_check.stdout | search('/usr/bin/python') + changed_when: python_check.stdout is not search('/usr/bin/python') - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} diff --git a/vagrant.default.yml b/vagrant.default.yml index ddcaca4737..c73a622a1c 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '>= 201801.02.0' -vagrant_ansible_version: '2.4.3.0' +vagrant_ansible_version: '2.5.3' vagrant_skip_galaxy: false vagrant_install_plugins: true From eb20979b7181d5eb800c15f031f804335918fbc7 Mon Sep 17 00:00:00 2001 From: Bradley Date: Mon, 21 May 2018 13:29:32 +1000 Subject: [PATCH 019/416] Add option to enable FastCGI background updates (#962) Enabled by default --- CHANGELOG.md | 1 + roles/wordpress-setup/defaults/main.yml | 1 + roles/wordpress-setup/templates/wordpress-site.conf.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac328cd77a..0c032478c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) * deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 928e61c02d..8d622fb89a 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
@@ -30,6 +30,7 @@ hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | te nginx_cache_duration: 30s nginx_skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in +nginx_cache_background_update: on # Nginx includes nginx_includes_templates_path: nginx-includes diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index ec074aaca1..d731acad03 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -189,6 +189,7 @@ server { fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }}; fastcgi_cache_bypass $skip_cache; fastcgi_no_cache $skip_cache; + fastcgi_cache_background_update {{ item.value.cache.background_update | default(nginx_cache_background_update) }}; {% endif -%} {% endblock -%} From 54a108e2a5d9a9e0cf2c9c7c13e136b256622460 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 21 May 2018 11:00:50 -0600 Subject: [PATCH 020/416] Add quotes to nginx_cache_background_update value "on" Quotes prevent Ansible from interpolating the variable value as True. True is an invalid value for fastcgi_cache_background_update and would would make Nginx unable to reload. --- roles/wordpress-setup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 8d622fb89a..5b2e1768ee 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
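Review bot: The new `fastcgi_cache_background_update` line in `wordpress-site.conf.j2` prints whatever YAML parsed, so an unquoted `on` or `off` reaches nginx as `True` or `False`. That affects the `nginx_cache_background_update: on` default added in this commit and equally any per-site `cache.background_update` value. Normalising in the template makes quoting irrelevant: `fastcgi_cache_background_update {{ (item.value.cache.background_update | default(nginx_cache_background_update)) | bool | ternary('on', 'off') }};`. The directive only takes effect when stale responses may be served during an update (`fastcgi_cache_use_stale updating`), and the hunk does not show whether that is set, so it is worth confirming. The enclosing `{% if %}` block starts outside the hunk.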
@@ -30,7 +30,7 @@ hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | te nginx_cache_duration: 30s nginx_skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in -nginx_cache_background_update: on +nginx_cache_background_update: "on" # Nginx includes nginx_includes_templates_path: nginx-includes From d52893c2e3759bd7a48a692b2321240a61005b12 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 3 Jun 2018 20:27:54 +0800 Subject: [PATCH 021/416] Verify `wp-cli.phar` checksum --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 1 + roles/wp-cli/tasks/main.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c032478c0..9b85267035 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) * deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 0430d8cf2f..b1f1acf604 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,5 @@ wp_cli_version: 1.5.1 +wp_cli_phar_checksum: "sha512:8dd68c98c6fa00e1acc5e036f9393c8b052937045b5232e4aa0eb4f15773908eae48760607bc853a4f951bd5ba69e5050337e5d9dcfa48df87a12cebb1de3432" wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" 
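Review bot: `wp_cli_phar_checksum` in `roles/wp-cli/defaults/main.yml` is valid only for the release named by `wp_cli_version`, but nothing beside the two variables says so. Anyone overriding the version in `group_vars` gets a failed download with no hint as to why. A comment above the new line would cover it: `# SHA-512 of wp-cli-{{ wp_cli_version }}.phar; update together with wp_cli_version`. Failing closed on a mismatch is the right behaviour and should stay.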
diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index c3f6770953..8888ff40d6 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -3,6 +3,7 @@ get_url: url: "{{ wp_cli_phar_url }}" dest: /tmp/wp-cli-{{ wp_cli_version }}.phar + checksum: "{{ wp_cli_phar_checksum }}" - name: Install WP-CLI command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }} From 571fa2379757a51092165f861a78fa93c2a42620 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Wed, 6 Jun 2018 20:41:52 +0800 Subject: [PATCH 022/416] build-bedore: Checkout project source code to local temporary directory --- CHANGELOG.md | 1 + deploy-hooks/build-before.yml | 15 ++++++++++++--- roles/deploy/defaults/main.yml | 3 +-- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b85267035..8e860a1f87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* build-before: Checkout project source code to local temporary directory ([#997](https://github.com/roots/trellis/pull/997)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index bfad9d6847..1e3405458c 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml 
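Review bot: The checksum added to `Download WP-CLI` is checked against `/tmp/wp-cli-{{ wp_cli_version }}.phar`, but `Install WP-CLI` then copies that same path to `{{ wp_cli_bin_path }}` in a separate task, and `/tmp` is writable by every local account. What gets installed is therefore only as trustworthy as the file's ownership between the two tasks, which a multi-user host does not guarantee. Staging in a directory only root can write closes the gap, e.g. `dest: "{{ wp_cli_download_dir }}/wp-cli-{{ wp_cli_version }}.phar"`, where `wp_cli_download_dir` is a suggested new role default (not an existing variable) pointing at a root-owned `0700` directory. The later hunks on this page that add the `.asc` download and the keyring at `/tmp/wp-cli.pgp.gpg` to this file have the same exposure.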
@@ -7,11 +7,20 @@ # Uncomment the lines below and replace `sage` with your theme folder # # --- +# - name: Clone project files +# git: +# repo: "{{ project_git_repo }}" +# version: "{{ project_version }}" +# dest: "{{ project_build_path }}" +# force: yes +# no_log: true +# connection: local +# # - name: Install npm dependencies # command: yarn # connection: local # args: -# chdir: "{{ project_local_path }}/web/app/themes/sage" +# chdir: "{{ project_build_path }}/web/app/themes/sage" # # - name: Install Composer dependencies # command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts @@ -22,11 +31,11 @@ # command: yarn build:production # connection: local # args: -# chdir: "{{ project_local_path }}/web/app/themes/sage" +# chdir: "{{ project_build_path }}/web/app/themes/sage" # # - name: Copy production assets # synchronize: -# src: "{{ project_local_path }}/web/app/themes/sage/dist" +# src: "{{ project_build_path }}/web/app/themes/sage/dist" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # group: no # owner: no diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 8e04496fff..58d9222bb7 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -51,8 +51,7 @@ update_db_on_deploy: true # Helpers project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" -project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" - +project_build_path: "{{ lookup('env', 'TMPDIR') | default('/tmp/', true) }}trellis/{{ site }}/{{ env }}" # Deploy hooks # For list of hooks and explanation, see https://roots.io/trellis/docs/deploys/#hooks From f578bc9c613d2e8f62b4b01854c664c1840b7e06 Mon Sep 17 00:00:00 2001 
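Review bot: `project_build_path` in `roles/deploy/defaults/main.yml` joins `TMPDIR` and `trellis/...` without a separator, so it is only correct when `TMPDIR` ends in `/`; with `TMPDIR=/var/tmp` the build lands in `/var/tmptrellis/<site>/<env>`. Joining explicitly avoids that: `project_build_path: "{{ (lookup('env', 'TMPDIR') | default('/tmp', true)) | regex_replace('/+$', '') }}/trellis/{{ site }}/{{ env }}"`. The fallback is also a fixed, predictable path under the shared `/tmp` of the machine running the deploy, and the example task in `build-before.yml` clones into it with `force: yes`. On a shared workstation or CI runner, a per-user location or a directory created with the `tempfile` module would be the safer default.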
From: Jason Hee Date: Mon, 11 Jun 2018 17:25:50 +0800 Subject: [PATCH 023/416] Change swap role --- requirements.yml | 4 ++-- server.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.yml b/requirements.yml index eb6c001e06..0f8ced04bc 100644 --- a/requirements.yml +++ b/requirements.yml @@ -11,8 +11,8 @@ version: e7a498d - name: swapfile - src: kamaln7.swapfile - version: 4850d8a + src: tersmitten.swapfile + version: v2.0.6 - name: mailhog src: geerlingguy.mailhog diff --git a/server.yml b/server.yml index ac86b53f93..cabcadec85 100644 --- a/server.yml +++ b/server.yml @@ -24,7 +24,7 @@ become: yes roles: - { role: common, tags: [common] } - - { role: swapfile, swapfile_size: 1GB, tags: [swapfile] } + - { role: swapfile, swapfile_size: 1GB, swapfile_file: /swapfile, tags: [swapfile] } - { role: fail2ban, tags: [fail2ban] } - { role: ferm, tags: [ferm] } - { role: ntp, tags: [ntp] } From 63cf66fd4701309ee972b31d5505c3c9289e723a Mon Sep 17 00:00:00 2001 From: Bill Ruddock Date: Thu, 14 Jun 2018 13:56:10 +0100 Subject: [PATCH 024/416] Allow local configuration of vagrant_mount_type In some circumstances it is not possible to use an NFS (e.g. in combination with ecryptfs). Allow user to configure vagrant mount type in vagrant.local.yml --- Vagrantfile | 11 +++++++---- vagrant.default.yml | 1 + 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 7d60048c13..9758a3935d 100644 --- a/Vagrantfile +++ b/Vagrantfile 
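Review bot: The removed `swapfile` entry in `requirements.yml` was pinned to a commit (`4850d8a`), while the new `tersmitten.swapfile` entry is pinned to the tag `v2.0.6`, which upstream can move. The role is applied in a play with `become: yes`, so I would pin the commit the tag currently points at and keep the tag as a trailing comment: `version: <COMMIT_SHA_OF_v2.0.6>  # v2.0.6` (placeholder; resolve it from the upstream repository). The neighbouring entry visible in this hunk (`version: e7a498d`) already follows that convention.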
@@ -69,13 +69,16 @@ Vagrant.configure('2') do |config| bin_path = File.join(ANSIBLE_PATH_ON_VM, 'bin') - if Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd') + vagrant_mount_type = vconfig.fetch('vagrant_mount_type') + + if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd') + vagrant_mount_type = nil if vagrant_mount_type == 'nfs' trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'] + config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'], type: vagrant_mount_type end - config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'] - config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'] + config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'], type: vagrant_mount_type + config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'], type: vagrant_mount_type else if !Vagrant.has_plugin? 'vagrant-bindfs' fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" diff --git a/vagrant.default.yml b/vagrant.default.yml index c73a622a1c..8820eaf08f 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -6,6 +6,7 @@ vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '>= 201801.02.0' vagrant_ansible_version: '2.5.3' vagrant_skip_galaxy: false +vagrant_mount_type: 'nfs' vagrant_install_plugins: true vagrant_plugins: From 04041e9e3d1495dbb752bb835a78d0f4cb91d186 Mon Sep 17 00:00:00 2001 
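Review bot: `vagrant_mount_type` is passed straight through as `type:` on all three `synced_folder` calls, but the `mount_options` next to it (`dmode=…`, `fmode=…`) look specific to VirtualBox shared folders. A value such as `smb` or `rsync` in `vagrant.local.yml` would therefore probably fail at mount time rather than at configuration time. Either validate the value up front with the existing `fail_with_message` helper, or pass `mount_options` only when the type is unset. A comment in `vagrant.default.yml` naming the values that have actually been tested would also help. The enclosing `Vagrant.configure` block starts and ends outside the hunk.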
From: Bill Ruddock Date: Thu, 14 Jun 2018 13:56:41 +0100 Subject: [PATCH 025/416] Rubocop fixes for Vagrantfile --- Vagrantfile | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 9758a3935d..e06ac3f5f7 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -2,7 +2,7 @@ # vi: set ft=ruby : ANSIBLE_PATH = __dir__ # absolute path to Ansible directory on host machine -ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis' # absolute path to Ansible directory on virtual machine +ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis'.freeze # absolute path to Ansible directory on virtual machine require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'vagrant') require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'config') @@ -29,7 +29,7 @@ Vagrant.configure('2') do |config| # Fix for: "stdin: is not a tty" # https://github.com/mitchellh/vagrant/issues/1673#issuecomment-28288042 - config.ssh.shell = %{bash -c 'BASH_ENV=/etc/profile exec bash'} + config.ssh.shell = %(bash -c 'BASH_ENV=/etc/profile exec bash') # Required for NFS to work if vconfig.fetch('vagrant_ip') == 'dhcp' @@ -39,7 +39,7 @@ Vagrant.configure('2') do |config| config.hostmanager.ip_resolver = proc do |vm, _resolving_vm| if cached_addresses[vm.name].nil? if vm.communicate.ready? - vm.communicate.execute("hostname -I | cut -d ' ' -f 2") do |type, contents| + vm.communicate.execute("hostname -I | cut -d ' ' -f 2") do |_type, contents| cached_addresses[vm.name] = contents.split("\n").first[/(\d+\.\d+\.\d+\.\d+)/, 1] end end 
@@ -71,7 +71,7 @@ Vagrant.configure('2') do |config| vagrant_mount_type = vconfig.fetch('vagrant_mount_type') - if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd') + if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? && !Vagrant.has_plugin?('vagrant-winnfsd')) vagrant_mount_type = nil if vagrant_mount_type == 'nfs' trellis_config.wordpress_sites.each_pair do |name, site| config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'], type: vagrant_mount_type 
@@ -79,19 +79,17 @@ Vagrant.configure('2') do |config| config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'], type: vagrant_mount_type config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'], type: vagrant_mount_type + elsif !Vagrant.has_plugin?('vagrant-bindfs') + fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" else - if !Vagrant.has_plugin? 'vagrant-bindfs' - fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" - else - trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' - config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' - end - - config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' - config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' - config.bindfs.bind_folder bin_path, bin_path, perms: '0755' + trellis_config.wordpress_sites.each_pair do |name, site| + config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' + config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' end + + config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' + config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' + config.bindfs.bind_folder bin_path, bin_path, perms: '0755' end vconfig.fetch('vagrant_synced_folders', []).each do |folder| 
@@ -133,7 +131,7 @@ Vagrant.configure('2') do |config| ansible.tags = ENV['ANSIBLE_TAGS'] ansible.extra_vars = { 'vagrant_version' => Vagrant::VERSION } - if vars = ENV['ANSIBLE_VARS'] + if (vars = ENV['ANSIBLE_VARS']) extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] ansible.extra_vars.merge!(extra_vars) end @@ -152,8 +150,8 @@ Vagrant.configure('2') do |config| end # VMware Workstation/Fusion settings - ['vmware_fusion', 'vmware_workstation'].each do |provider| - config.vm.provider provider do |vmw, override| + %w(vmware_fusion vmware_workstation).each do |provider| + config.vm.provider provider do |vmw, _override| vmw.name = config.vm.hostname vmw.vmx['numvcpus'] = vconfig.fetch('vagrant_cpus') vmw.vmx['memsize'] = vconfig.fetch('vagrant_memory') @@ -161,7 +159,7 @@ Vagrant.configure('2') do |config| end # Parallels settings - config.vm.provider 'parallels' do |prl, override| + config.vm.provider 'parallels' do |prl, _override| prl.name = config.vm.hostname prl.cpus = vconfig.fetch('vagrant_cpus') prl.memory = vconfig.fetch('vagrant_memory') From b2415fa49ce760c4272ee0792ff2de47ab579292 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 19 Jun 2018 12:54:51 -0400 Subject: [PATCH 026/416] Revert "build-before: Checkout project source code to local temporary directory" --- CHANGELOG.md | 1 - deploy-hooks/build-before.yml | 15 +++------------ roles/deploy/defaults/main.yml | 3 ++- 3 files changed, 5 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e860a1f87..9b85267035 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,4 @@ ### HEAD -* build-before: Checkout project source code to local temporary directory ([#997](https://github.com/roots/trellis/pull/997)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 1e3405458c..bfad9d6847 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -7,20 +7,11 @@ # Uncomment the lines below and replace `sage` with your theme folder # # --- -# - name: Clone project files -# git: -# repo: "{{ project_git_repo }}" -# version: "{{ project_version }}" -# dest: "{{ project_build_path }}" -# force: yes -# no_log: true -# connection: local -# # - name: Install npm dependencies # command: yarn # connection: local # args: -# chdir: "{{ project_build_path }}/web/app/themes/sage" +# chdir: "{{ project_local_path }}/web/app/themes/sage" # # - name: Install Composer dependencies # command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts @@ -31,11 +22,11 @@ # command: yarn build:production # connection: local # args: -# chdir: "{{ project_build_path }}/web/app/themes/sage" +# chdir: "{{ project_local_path }}/web/app/themes/sage" # # - name: Copy production assets # synchronize: -# src: "{{ project_build_path }}/web/app/themes/sage/dist" +# src: "{{ project_local_path }}/web/app/themes/sage/dist" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # group: no # owner: no diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 58d9222bb7..8e04496fff 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml 
@@ -51,7 +51,8 @@ update_db_on_deploy: true # Helpers project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" -project_build_path: "{{ lookup('env', 'TMPDIR') | default('/tmp/', true) }}trellis/{{ site }}/{{ env }}" +project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" + # Deploy hooks # For list of hooks and explanation, see https://roots.io/trellis/docs/deploys/#hooks From 1925b1cb631016c9de8d31dda9787fea97bd5de5 Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Sun, 24 Jun 2018 22:40:17 -0700 Subject: [PATCH 027/416] update xdebug tunnel configuration: update ssh connections to allow tcp forwarding, updating ip address used to form the tunnel --- bin/xdebug-tunnel.sh | 4 +++- roles/xdebug-tunnel/defaults/main.yml | 2 +- xdebug-tunnel.yml | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/bin/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh index 8f475677ac..112e7effe2 100755 --- a/bin/xdebug-tunnel.sh +++ b/bin/xdebug-tunnel.sh @@ -16,8 +16,10 @@ Examples: " } +ENABLE_TCP_FORWARDING= if [[ $1 == "open" ]]; then REMOTE_ENABLE=1 + ENABLE_TCP_FORWARDING="-e sshd_allow_tcp_forwarding=yes" elif [[ $1 == "close" ]]; then REMOTE_ENABLE=0 else @@ -39,4 +41,4 @@ if [[ -n $DEBUG ]]; then PARAMS="$PARAMS ${VERBOSITY:--vvvv}" fi -ansible-playbook xdebug-tunnel.yml $XDEBUG_ENABLE $SSH_HOST $PARAMS +ansible-playbook xdebug-tunnel.yml $XDEBUG_ENABLE $ENABLE_TCP_FORWARDING $SSH_HOST $PARAMS diff --git a/roles/xdebug-tunnel/defaults/main.yml b/roles/xdebug-tunnel/defaults/main.yml index c9a52a144a..764f6a43fa 100644 --- a/roles/xdebug-tunnel/defaults/main.yml +++ b/roles/xdebug-tunnel/defaults/main.yml 
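Review bot: `open` in `bin/xdebug-tunnel.sh` now passes `sshd_allow_tcp_forwarding=yes`, which (assuming the `sshd` role maps it to `AllowTcpForwarding`) enables forwarding in both directions for every account on the server until someone runs `close`. The tunnel's port mapping suggests only remote forwarding is needed, so if the role's template passes the value through unchanged, `-e sshd_allow_tcp_forwarding=remote` would be the narrower setting; OpenSSH accepts `remote` for that option. The usage text should say that `open` changes the server's sshd configuration and that `close` is what presumably restores the role default. `$ENABLE_TCP_FORWARDING` has to stay unquoted on the `ansible-playbook` line so it splits into two arguments, and a short comment there would stop a later cleanup from quoting it.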
@@ -6,5 +6,5 @@ xdebug_tunnel_control_identity: "{{ ansible_user_id }}" xdebug_tunnel_port_mapping: "{{ xdebug_tunnel_remote_port }}:{{ xdebug_tunnel_host }}:{{ xdebug_tunnel_local_port }}" xdebug_tunnel_ssh_user: "{{ hostvars[xdebug_tunnel_inventory_host]['ansible_user'] | default(admin_user) }}" -xdebug_tunnel_ssh_host: "{{ hostvars[xdebug_tunnel_inventory_host]['ansible_host'] | default(xdebug_tunnel_inventory_host) }}" +xdebug_tunnel_ssh_host: "{{ hostvars[xdebug_tunnel_inventory_host]['ansible_default_ipv4']['address'] | default(xdebug_tunnel_inventory_host) }}" xdebug_tunnel_user_at_host: "{{ xdebug_tunnel_ssh_user }}@{{ xdebug_tunnel_ssh_host }}" diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index a5e4dfb4e7..0c5d7eae17 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -9,6 +9,7 @@ hosts: "{{ xdebug_tunnel_inventory_host }}" become: yes roles: + - { role: sshd, tags: [sshd] } - { role: xdebug, tags: [xdebug] } - { role: xdebug-tunnel, tags: [xdebug-tunnel] } handlers: From c304a5f8aaa07d53ebe052248554c50e9660bb41 Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Sun, 24 Jun 2018 22:43:24 -0700 Subject: [PATCH 028/416] update the changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b85267035..0c95738429 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) From 1c871b46e2de73b91448772ae953c305862a1747 Mon Sep 17 00:00:00 2001 
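Review bot: `xdebug_tunnel_ssh_host` now resolves to `ansible_default_ipv4.address`, the address of the default-route interface as the server itself sees it. For a host behind NAT, or one with a separate public IP, that is a private address the local `ssh` process may not be able to reach. Since this is a role default, a comment is enough: `# Override xdebug_tunnel_ssh_host when the server's default-route address is not reachable from your workstation`. The fact exists only after facts have been gathered for that host, so whether the `default(xdebug_tunnel_inventory_host)` fallback can ever apply depends on play order that is not visible in this hunk.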
From: Nathaniel Date: Tue, 26 Jun 2018 12:10:12 -0700 Subject: [PATCH 029/416] Disabling Xdebug requests in development Unless you're actively debugging, the remote feature of Xdebug isn't necessary. We'll disable by default. --- group_vars/development/php.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 8df88dc533..f1f28604ae 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -4,7 +4,3 @@ php_display_startup_errors: 'On' php_track_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 - -xdebug_remote_enable: 1 -xdebug_remote_connect_back: 1 -xdebug_remote_autostart: 1 From ad47593a2eec8be76ae5658446e0fd638d99e27c Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Tue, 26 Jun 2018 14:34:03 -0700 Subject: [PATCH 030/416] Re-enable xdebug remote Got a little red happy in the previous commit. It was unnecessary to remove the xdebug remote defaults in development. This keeps it on for development with the ability to trigger debug requests with an HTTP param or Cookie without performance degradation. --- group_vars/development/php.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index f1f28604ae..7b9af47888 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -4,3 +4,6 @@ php_display_startup_errors: 'On' php_track_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 + +xdebug_remote_enable: 1 +xdebug_remote_connect_back: 1 From 9cebffe6d74ecc7e4ecd967b00adb33ba5ec8c8d Mon Sep 17 00:00:00 2001 
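Review bot: The re-added `xdebug_remote_connect_back: 1` in `group_vars/development/php.yml` carries no explanation, and it is the setting that most needs one. With connect-back on, Xdebug opens the debug connection to whichever client made the HTTP request instead of to `xdebug_remote_host`, and the Xdebug documentation states there is no address filter. That is reasonable for a local VM, so I would only add a comment above the two lines: `# Development only: connect_back lets any client that can reach the web server start a debug session`. The file sits under `group_vars/development`, so the scope is already right.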
From: Tang Rufus Date: Mon, 2 Jul 2018 21:34:13 +0800 Subject: [PATCH 031/416] Deploy: Remove obsoleted `git` remote checking Remove obsoleted `git` remote checking tasks introduced in #299 because recent Ansible versions are able to detect/handle `git` remote changes. See: https://discourse.roots.io/t/do-we-still-need-git-remote-checking-during-deploy/12639 --- CHANGELOG.md | 1 + roles/deploy/tasks/update.yml | 20 +------------------- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c95738429..9d454e4a3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999)) * Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) * Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 0a456b0b10..4170f658db 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml 
@@ -13,31 +13,13 @@ state: "{{ item.state | default('present') }}" with_items: "{{ known_hosts | default([]) }}" -- name: Check whether project source path is a git repo - stat: - path: "{{ project_source_path }}/.git" - register: git_project - -- name: Get current git remote URL - command: git config --get remote.origin.url - args: - chdir: "{{ project_source_path }}" - register: remote_origin_url - when: git_project.stat.exists - changed_when: false - -- name: Update git remote URL - command: git remote set-url origin {{ project_git_repo }} - args: - chdir: "{{ project_source_path }}" - when: git_project.stat.exists and remote_origin_url.stdout != project_git_repo - - name: Clone project files git: repo: "{{ project_git_repo }}" dest: "{{ project_source_path }}" version: "{{ project_version }}" accept_hostkey: "{{ project.repo_accept_hostkey | default(repo_accept_hostkey | default(true)) }}" + force: yes ignore_errors: true no_log: true register: git_clone From d4c4bad61137b2e520caa805393e34290ce0f73b Mon Sep 17 00:00:00 2001 From: "Gargano, Matthew" Date: Mon, 9 Jul 2018 17:54:00 -0400 Subject: [PATCH 032/416] #1011 change name of swapfile ansible requirement to match updated name on github --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 0f8ced04bc..c7f1fbf3c9 100644 --- a/requirements.yml +++ b/requirements.yml @@ -11,7 +11,7 @@ version: e7a498d - name: swapfile - src: tersmitten.swapfile + src: oefenweb.swapfile version: v2.0.6 - name: mailhog From 8bebf37e0a8ea1fa55171889cb5d1cde0aa8ee28 Mon Sep 17 00:00:00 2001 
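Review bot: The added `force: yes` on `Clone project files` uses a YAML 1.1 truthy word, while `ignore_errors: true` and `no_log: true` in the same task use real booleans; `force: true` keeps the task consistent. It also changes behaviour beyond the remote check that was removed, because any local modification in `project_source_path` is now discarded on every deploy. That deserves a one-line comment, e.g. `# force: discard local changes in the cached checkout so they cannot block the update`. The task continues outside the hunk.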
From: Tang Rufus Date: Sun, 12 Aug 2018 22:26:23 +0800 Subject: [PATCH 033/416] Update wp-cli to 2.0.0 and verify its PGP signature --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 7 +++++-- roles/wp-cli/tasks/main.yml | 23 +++++++++++++++++++++-- roles/wp-cli/templates/wp-cli.pgp.gpg | Bin 0 -> 1233 bytes 4 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 roles/wp-cli/templates/wp-cli.pgp.gpg diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d454e4a3a..b67cdb2c9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014)) * Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999)) * Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007)) * Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index b1f1acf604..6dde088af1 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml 
@@ -1,7 +1,10 @@ -wp_cli_version: 1.5.1 -wp_cli_phar_checksum: "sha512:8dd68c98c6fa00e1acc5e036f9393c8b052937045b5232e4aa0eb4f15773908eae48760607bc853a4f951bd5ba69e5050337e5d9dcfa48df87a12cebb1de3432" +gpg2_package: gnupg2 +wp_cli_version: 2.0.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" +wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" +# Note: wp_cli_pgp_public_key must be in binary format +wp_cli_pgp_public_key: "{{ playbook_dir }}/roles/wp-cli/templates/wp-cli.pgp.gpg" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" wp_cli_completion_path: /etc/bash_completion.d/wp-completion.bash wp_cli_packages: [] diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 8888ff40d6..3916221cd0 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
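Review bot: The trust anchor for the new verification is a binary keyring (`wp-cli.pgp.gpg`) that cannot be reviewed in a diff, and `wp_cli_pgp_public_key` offers no way to check it against what the WP-CLI project publishes. Recording the fingerprint next to the variable makes that check possible: `# Expected key fingerprint: <FINGERPRINT_OF_VENDORED_KEY>` (placeholder; take it from the project's published release key). The file is also stored under `templates/` and addressed through `playbook_dir`, although it is never templated; the role's `files/` directory is the conventional place for it.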
@@ -1,9 +1,28 @@ --- -- name: Download WP-CLI +- name: Ensure gpg2 is installed + apt: + name: "{{ gpg2_package }}" + state: "{{ gpg2_package_state | default(apt_security_package_state) }}" + cache_valid_time: "{{ apt_cache_valid_time }}" + +- name: Download WP-CLI Phar get_url: url: "{{ wp_cli_phar_url }}" dest: /tmp/wp-cli-{{ wp_cli_version }}.phar - checksum: "{{ wp_cli_phar_checksum }}" + +- name: Download WP-CLI Phar Signature + get_url: + url: "{{ wp_cli_phar_asc_url }}" + dest: /tmp/wp-cli-{{ wp_cli_version }}.phar.asc + +- name: Copy WP-CLI release team public key + synchronize: + src: "{{ wp_cli_pgp_public_key }}" + dest: /tmp/wp-cli.pgp.gpg + +- name: Verify WP-CLI Phar Signature + command: gpg2 --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar + changed_when: false - name: Install WP-CLI command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }} 
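Review bot: Dropping `checksum:` from `Download WP-CLI Phar` means any file with a good signature from the vendored key is accepted, not only the exact build this playbook was tested with. Signature and digest answer different questions and are cheap to keep together. Making the digest optional keeps the pin available without forcing it on people who override the version: `checksum: "{{ wp_cli_phar_checksum | default(omit) }}"`. A comment on `Verify WP-CLI Phar Signature` explaining that `--no-default-keyring --keyring` restricts acceptance to the vendored key would help the next reader.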
diff --git a/roles/wp-cli/templates/wp-cli.pgp.gpg b/roles/wp-cli/templates/wp-cli.pgp.gpg new file mode 100644 index 0000000000000000000000000000000000000000..dfc7b7bca0cc4a23fa5a8e1b9cd55c0151287f74 GIT binary patch literal 1233 zcmbQq$jcHfARx)e!Ej%KqtJP8ct)rBRgJ?RFT3A+>bvDf{Y@o~*0yswr;kXlUSaf{ ze|yEDO_hrOzIU-X)yd4iUclnEAWSwxE#t|Tb1tHN2P)@9e0%qHMT2qocY(!sKC}7v zE_*BZ;zQaN*QuHgyQgvAo*8?7Qg748KGqxezL_fB($aVCjPE(9C!a0emTunjN7;L?@i{=O$yq~IkU-Rc7F1$qtP0Zv_4MoeS_q&wN65ZM4)9`rz4A@dI&}xxVx>2r@D-Zcz;n&~^6lR0vAVNlh$HEmp88g0dXS z3v`onGWGI{((O7K{aA#7VP?T3&CJTp$-&OVCd$Fd#m&Sb#>C9XB*(}k-XNyPlDxiZ zVLx_`dk9+M@Y9={Gv)s*5 z>=iVg&N}Vd_k!7pA$5}BN2YY7?mE*v_fwu{Y~;O3X+o#0iJ^MrV3OBpB zC!Y_h2KT+sn9&(OXL`o`CpsbK&8KdOa_#z7HHXj0Tk^JD@=J%f-Nic*>2PnVq><$kvH`{OD4?}jp}=IOY`DOzt604uXeM@X^Z4I|M()V#Z$Pk#`EBx)3fJH z-r7>ge)V^Hil9Jr#n~+8$z7gG-`D+I5yxltZBm7rEuZ79M`5>i=LwyC{C;cp#)NFy z_($eZV6$EYPQF1Fb=F(IgSh0uyvwOd-g!AIvwGoSoeYUQ z!{(phblAyg#v%bsU*nmw~4J8qS91UoJ7 z@p_l}KzwcQ)_zL6 z`+TX*x3j04_|CmguzxJ~y2W^l^HUp-2G1>#Ei&zTuNa>!Y7x78@5Pd$rrw>ORtsGC zrz&xGzsCH1!EpsABX=AUwU}(I8eFX+ukEVyA?&1Sg^%G1si`7*{|>l6U$UEvw@>%P r1onWk4ci{(eq)a9dZhfhEu{H9hZFmY&>ufmw4UA)^xG-7rB@IDCGj|< literal 0 HcmV?d00001 From d85e67e89fdb74e9f472f1b783bfdf90e701a908 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 13 Aug 2018 03:14:51 +0800 Subject: [PATCH 034/416] Add `--lock-never` to "Verify WP-CLI Phar Signature" task Fix https://github.com/roots/trellis/pull/1014#issuecomment-412357451 --- roles/wp-cli/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 3916221cd0..60fece125a 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
@@ -21,7 +21,7 @@ dest: /tmp/wp-cli.pgp.gpg - name: Verify WP-CLI Phar Signature - command: gpg2 --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar + command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar changed_when: false - name: Install WP-CLI From fc39721ff59344feff6f6d91e118a861f9695dc2 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 13 Aug 2018 03:16:01 +0800 Subject: [PATCH 035/416] Use `copy` instead of `synchronize` Because `synchronize` uses `sudo rsync` under the hood while `copy` doesn't require `sudo`. --- roles/wp-cli/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 60fece125a..675596e141 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -16,7 +16,7 @@ dest: /tmp/wp-cli-{{ wp_cli_version }}.phar.asc - name: Copy WP-CLI release team public key - synchronize: + copy: src: "{{ wp_cli_pgp_public_key }}" dest: /tmp/wp-cli.pgp.gpg From 978e97f3000fcc5710334d4d873954839ced62c0 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 30 Aug 2018 13:37:18 -0600 Subject: [PATCH 036/416] Patreon --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 095957402f..9b49bd9dd2 100644 --- a/README.md +++ b/README.md 
@@ -92,11 +92,11 @@ A base Ubuntu 16.04 server is required for setting up remote servers. OS X users Contributions are welcome from everyone. We have [contributing guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) to help you get started. -## Gold sponsors +## Trellis sponsors -Help support our open-source development efforts by [contributing to Trellis on OpenCollective](https://opencollective.com/trellis). +Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital ThemeIsle +Kinsta Harness Software KM Digital ThemeIsle ## Community From e661df1529d6d273d42b363ea055712f77279d36 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 31 Aug 2018 22:17:34 +0800 Subject: [PATCH 037/416] Update wp-cli to 2.0.1 --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b67cdb2c9c..31345cf62a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019)) * [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014)) * Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999)) * Update xdebug tunnel configuration ([#1007](https://github.com/roots/trellis/pull/1007)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 6dde088af1..4ce281bd85 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml 
@@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.0.0 +wp_cli_version: 2.0.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From d49acb3d4606b6a51021034cc58dca117acf24d6 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 3 Sep 2018 11:20:59 -0600 Subject: [PATCH 038/416] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9b49bd9dd2..4740cb29c5 100644 --- a/README.md +++ b/README.md @@ -96,7 +96,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital ThemeIsle +Kinsta Harness Software KM Digital ## Community From 30bc359fcbef8547994554045687a77f6670c5c8 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 30 Sep 2018 22:57:28 +0800 Subject: [PATCH 039/416] Allow customizing Nginx `worker_connections` --- CHANGELOG.md | 1 + roles/nginx/defaults/main.yml | 1 + roles/nginx/templates/nginx.conf.j2 | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 31345cf62a..2412e5e9ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021)) * Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019)) * [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014)) * Deploy: Remove obsoleted `git` remote checking ([#999](https://github.com/roots/trellis/pull/999)) 
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 85178bb1c8..ed07b1c505 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -3,6 +3,7 @@ nginx_ppa: "ppa:nginx/development" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx +nginx_worker_connections: 8000 nginx_logs_root: /var/log/nginx nginx_user: www-data www-data nginx_fastcgi_buffers: 8 8k diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 3a0548a352..f4ef92d394 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -32,7 +32,7 @@ events { # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests. # Should be < worker_rlimit_nofile. # Default: 512 - worker_connections 8000; + worker_connections {{ nginx_worker_connections }}; } {% endblock %} From 7c393a429ef7b78f22de1dc551d83e411b16e48d Mon Sep 17 00:00:00 2001 From: Mat Gargano Date: Sun, 11 Nov 2018 14:35:06 -0500 Subject: [PATCH 040/416] #1027 make output_buffering optional (#1028) Add output_buffering variable for PHP config --- roles/php/defaults/main.yml | 1 + roles/php/templates/php.ini.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index b2ecaf87d1..0e40746fd5 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -34,6 +34,7 @@ php_session_cookie_secure: 'Off' php_upload_max_filesize: 25M php_track_errors: 'Off' php_timezone: '{{ ntp_timezone }}' +php_output_buffering: 'Off' php_opcache_enable: 1 php_opcache_enable_cli: 1 diff --git a/roles/php/templates/php.ini.j2 b/roles/php/templates/php.ini.j2 index 3b899e7c91..84fe207c2e 100644 --- a/roles/php/templates/php.ini.j2 +++ b/roles/php/templates/php.ini.j2 
@@ -17,6 +17,7 @@ track_errors = {{ php_track_errors }} upload_max_filesize = {{ php_upload_max_filesize }} expose_php = Off date.timezone = {{ php_timezone }} +output_buffering = {{ php_output_buffering }} [mysqlnd] mysqlnd.collect_memory_statistics = {{ php_mysqlnd_collect_memory_statistics }} From 61b1ed9509f61c5e018db8279475e5cbacbbaef0 Mon Sep 17 00:00:00 2001 From: Barry Els Date: Wed, 14 Nov 2018 11:36:01 +0200 Subject: [PATCH 041/416] Update README.md For first time users it might be useful to be explicit about which directory they should be in before running `vagrant up`, else Vagrant will display an error (`A Vagrant environment or target machine is required to run this command.`) when the `Vagrantfile` is not found. --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4740cb29c5..36a8aac7fd 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,8 @@ Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) fo ## Local development setup 1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` -2. Run `vagrant up` +2. Ensure you're in the trellis directory: `cd trellis` +3. Run `vagrant up` [Read the local development docs](https://roots.io/trellis/docs/local-development-setup/) for more information. From 4c69ace545647e8a5d3612811865e349a0b51725 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 22 Nov 2018 11:33:42 -0700 Subject: [PATCH 042/416] Add CodeFirst --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 36a8aac7fd..4d63869349 100644 --- a/README.md +++ b/README.md 
@@ -97,7 +97,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital +Kinsta Harness Software KM Digital CodeFirst ## Community From 834966fc73f3524974d77d0d7078e73ef76c3eef Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 26 Nov 2018 11:35:15 -0700 Subject: [PATCH 043/416] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4d63869349..36a8aac7fd 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital CodeFirst +Kinsta Harness Software KM Digital ## Community From 07710171cc047536ce0b6748029266e4041ec9fa Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 24 Nov 2018 18:56:14 -0500 Subject: [PATCH 044/416] Update python version requirement Support both 2 and 3 but check for Ansible version --- lib/trellis/plugins/vars/version.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index ada7aeaf63..d2fd307abc 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
@@ -14,12 +14,13 @@ from ansible.utils.display import Display display = Display() -if version_info[0] > 2: - raise AnsibleError(('Trellis does not yet support Python {}.{}.{}. \n' - 'Please use Python 2.7.').format(version_info[0], version_info[1], version_info[2])) - version_requirement = '2.4.0.0' version_tested_max = '2.5.3' +python3_required_version = '2.5.3' + +if version_info[0] == 2 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): + raise AnsibleError(('Ansible >= {} is required when using Python 3.\n' + 'Either downgrade to Python 2 or update your Ansible version to {}.').format(__version__, python3_required_version)) if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' From e7f7ebbd00c0234e121b275ea06488452bb26c27 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 24 Nov 2018 18:56:46 -0500 Subject: [PATCH 045/416] Fix unicode reference --- lib/trellis/utils/output.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 9bcd31c992..89b073b9c7 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -9,6 +9,7 @@ from ansible import __version__ from ansible.module_utils._text import to_text +from ansible.module_utils.six import string_types def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry @@ -89,7 +90,7 @@ def display(obj, result): # Must pass unicode strings to Display.display() to prevent UnicodeError tracebacks if isinstance(msg, list): msg = '\n'.join([to_text(x) for x in msg]) - elif not isinstance(msg, unicode): + elif not isinstance(msg, string_types): msg = to_text(msg) # Wrap text From 5b9b6586ad01b58cda26dccc26a30ad461caae00 Mon Sep 17 00:00:00 2001 
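Review bot: The new guard tests `version_info[0] == 2`, so it fires on Python 2 while its message says the Ansible floor applies "when using Python 3"; on Python 3 this guard checks nothing. The `format` arguments are `(__version__, python3_required_version)`, which prints the running Ansible version as the required minimum. Suggested lines: `if version_info[0] > 2 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)):` and `.format(python3_required_version, python3_required_version))`.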
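Review bot: `string_types` is not equivalent to the `unicode` it replaces in the `@@ -89,7 +90,7 @@` hunk of output.py: on Python 2 it also matches byte `str`, so a byte-string `msg` now skips `to_text` even though the comment above says `Display.display()` must receive unicode strings. `text_type` from the same module keeps the original check on Python 2 and is `str` on Python 3: `from ansible.module_utils.six import text_type` and `elif not isinstance(msg, text_type):`. The body of `display` continues outside the hunk.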
From: Scott Walkinshaw Date: Sat, 24 Nov 2018 18:56:55 -0500 Subject: [PATCH 046/416] Update iteritems usage It no longer exists in Python 3. We can use `items()` which both have and pipe to `list` in Jinja. --- roles/common/tasks/main.yml | 4 ++-- roles/letsencrypt/defaults/main.yml | 2 +- roles/mariadb/defaults/main.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 94eaa73e0d..212df3c2de 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -48,7 +48,7 @@ php_extensions_custom: "{{ php_extensions_custom }}" sshd_packages_default: "{{ sshd_packages_default }}" sshd_packages_custom: "{{ sshd_packages_custom }}" - package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" tags: [sshd, memcached, php] - name: Verify dict format for apt package combined variables @@ -61,7 +61,7 @@ memcached_packages: "{{ memcached_packages }}" php_extensions: "{{ php_extensions }}" sshd_packages: "{{ sshd_packages }}" - package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + package_vars_wrong_format: "[{% for k,v in package_vars.items() | list if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" tags: [sshd, memcached, php] - name: Validate Ubuntu version diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 52b628fc7a..e7f6c7a742 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -1,4 +1,4 @@ -sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" +sites_using_letsencrypt: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" site_uses_letsencrypt: ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index fbb1a13579..576ade7076 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -8,4 +8,4 @@ mariadb_server_package: mariadb-server mysql_binary_logging_disabled: true mysql_root_user: root -sites_using_remote_db: "[{% for name, site in wordpress_sites.iteritems() if site.env is defined and site.env.db_host | default('localhost') != 'localhost' %}'{{ name }}',{% endfor %}]" +sites_using_remote_db: "[{% for name, site in wordpress_sites.items() | list if site.env is defined and site.env.db_host | default('localhost') != 'localhost' %}'{{ name }}',{% endfor %}]" From 8f265c1b9c4a6da35a7e4c3b8cd31ead024db568 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 24 Nov 2018 19:05:51 -0500 Subject: [PATCH 047/416] Update logrotate Old version was using `iteritems()` which doesnt work in Python 3 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index c7f1fbf3c9..c8d23a67ca 100644 --- a/requirements.yml +++ b/requirements.yml @@ -8,7 +8,7 @@ - name: logrotate src: nickhammond.logrotate - version: e7a498d + version: v0.0.5 - name: swapfile src: oefenweb.swapfile From 046881a7bd397d66582c4ee29e763258138e0cf1 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 1 Dec 2018 19:13:11 -0500 Subject: [PATCH 048/416] Support Python 3 HTTP imports --- roles/letsencrypt/library/test_challenges.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/roles/letsencrypt/library/test_challenges.py b/roles/letsencrypt/library/test_challenges.py index 8c075cc5a8..d7f4a8cc2c 100644 --- a/roles/letsencrypt/library/test_challenges.py +++ b/roles/letsencrypt/library/test_challenges.py @@ -2,7 +2,12 @@ # -*- coding: utf-8 -*- import socket -from httplib import HTTPConnection, HTTPException + +try: + from httplib import HTTPConnection, HTTPException +except ImportError: + # Python 3 + from http.client import HTTPConnection, HTTPException DOCUMENTATION = ''' --- From c67d78b2dc07455d7e02f7271a27171217ce2d53 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 1 Dec 2018 20:05:01 -0500 Subject: [PATCH 049/416] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2412e5e9ed..c3173b8c1a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031)) * Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021)) * Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019)) * [BREAKING] Update wp-cli to 2.0.0 and verify its PGP signature ([#1014](https://github.com/roots/trellis/pull/1014)) From 771d4ec5b145f4513a2f16fe12906947e72adcda Mon Sep 17 00:00:00 2001 
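Review bot: `version: v0.0.5` replaces a commit pin (`e7a498d`) with a tag name, and a tag can be re-pointed upstream while a commit id cannot, so the role that runs on every provisioned server is no longer fixed to reviewed content. Since the previous value shows a commit id is accepted here, consider pinning the commit behind the release and keeping the tag as a comment: `version: <FULL_COMMIT_SHA_OF_v0.0.5>  # v0.0.5` (placeholder, to be filled from the upstream repository).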
From: Scott Walkinshaw Date: Tue, 4 Dec 2018 22:12:04 -0500 Subject: [PATCH 050/416] Python version compatibility fixes This fixes some more Python 2/3 compatibility issues. --- deploy-hooks/build-before.yml | 4 ++-- deploy.yml | 4 ++-- lib/trellis/plugins/callback/vars.py | 6 +++--- roles/common/tasks/main.yml | 2 +- roles/wordpress-setup/tasks/nginx-includes.yml | 2 +- roles/xdebug-tunnel/tasks/main.yml | 2 +- server.yml | 15 +++++++++++---- 7 files changed, 21 insertions(+), 14 deletions(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index bfad9d6847..e6893432ba 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -9,7 +9,7 @@ # --- # - name: Install npm dependencies # command: yarn -# connection: local +# delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" # @@ -20,7 +20,7 @@ # # - name: Compile assets for production # command: yarn build:production -# connection: local +# delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" # diff --git a/deploy.yml b/deploy.yml index e391a1b641..4d88bb2151 100644 --- a/deploy.yml +++ b/deploy.yml @@ -16,12 +16,12 @@ remote_user: "{{ web_user }}" pre_tasks: - name: Ensure site is valid - connection: local + delegate_to: localhost fail: msg: "Site `{{ site | default('') }}` is not valid. Available sites to deploy: {{ wordpress_sites.keys() | join(', ') }}" when: wordpress_sites[site | default('')] is not defined - name: Ensure repo is valid - connection: local + delegate_to: localhost fail: msg: | Invalid Git repository. diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 83ab22c505..b4e079983a 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py 
@@ -26,7 +26,7 @@ def __init__(self): def raw_triage(self, key_string, item, patterns): # process dict values if isinstance(item, AnsibleMapping): - return AnsibleMapping(dict((key,self.raw_triage('.'.join([key_string, key]), value, patterns)) for key,value in item.iteritems())) + return AnsibleMapping(dict((key,self.raw_triage('.'.join([key_string, key]), value, patterns)) for key,value in iteritems(item))) # process list values elif isinstance(item, AnsibleSequence): @@ -68,7 +68,7 @@ def cli_options(self): '--vault-password-file': 'vault_password_file', } - for option,value in strings.iteritems(): + for option,value in iteritems(strings): if getattr(self._options, value, False): options.append("{0}='{1}'".format(option, str(getattr(self._options, value)))) @@ -92,7 +92,7 @@ def darwin_without_passlib(self): def v2_playbook_on_play_start(self, play): env = play.get_variable_manager().get_vars(play=play).get('env', '') - env_group = next((group for key,group in play.get_variable_manager()._inventory.groups.iteritems() if key == env), False) + env_group = next((group for key,group in iteritems(play.get_variable_manager()._inventory.groups) if key == env), False) if env_group: env_group.set_priority(20) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 212df3c2de..85ac087664 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -145,7 +145,7 @@ - name: Retrieve SSH client IP ipify_facts: - connection: local + delegate_to: localhost become: no when: env != 'development' and ssh_client_ip_lookup | default(true) tags: [fail2ban, ferm] diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index a9859b0afb..960a82fdf1 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
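Review bot: The three replaced calls in vars.py now use a bare `iteritems(...)`, but none of the hunks adds an import for it, and the commit's diffstat for the file (3 insertions, 3 deletions) leaves no room for one. Unless the file already imports the name above line 26, which is outside the hunks, each of `raw_triage`, `cli_options` and `v2_playbook_on_play_start` would raise `NameError` when reached. Add `from ansible.module_utils.six import iteritems` next to the file's other imports.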
@@ -7,7 +7,7 @@ pattern: "*.conf.j2" recurse: yes become: no - connection: local + delegate_to: localhost register: nginx_includes_templates - name: Warn about deprecated Nginx includes directory diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 9147f73733..86a84909c0 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -6,7 +6,7 @@ {% else %} ssh -S '{{ xdebug_tunnel_control_socket }}' -O exit '{{ xdebug_tunnel_control_identity }}' {% endif %} - connection: local + delegate_to: localhost become: no register: xdebug_tunnel ignore_errors: true diff --git a/server.yml b/server.yml index cabcadec85..3fb35be82c 100644 --- a/server.yml +++ b/server.yml @@ -14,10 +14,17 @@ gather_facts: false become: yes tasks: - - name: Install Python 2.x - raw: which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson - register: python_check - changed_when: python_check.stdout is not search('/usr/bin/python') + - block: + - name: Find path to python interpreter + raw: which python3 || which python + register: python_path + changed_when: false + - name: Set path to python interpreter on remote + set_fact: + ansible_python_interpreter: "{{ python_path.stdout }}" + when: python_path.rc == 0 + when: ansible_python_interpreter is not defined + tags: always - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} From 51bda7eddae277f323cdb24e9776c56906176fb6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 4 Dec 2018 22:16:48 -0500 Subject: [PATCH 051/416] Add Python 3.6 to Travis --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index b1da0a6349..59ec6f6dce 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,5 +1,7 @@ language: python -python: 2.7 +python: + - 2.7 + - 3.6 sudo: false cache: pip install: From 56994310b762d52ef752315505305a18762b5251 Mon Sep 17 00:00:00 2001 
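Review bot: In the server.yml hunk, `ansible_python_interpreter` is set to `python_path.stdout` exactly as `raw` returned it; `raw` output normally ends with a line terminator, which would leave the interpreter path with trailing whitespace. Trim it before use: `ansible_python_interpreter: "{{ python_path.stdout | trim }}"`. The `when: python_path.rc == 0` guard looks redundant as written, since a non-zero exit from the `raw` task would presumably fail the host before `set_fact` is reached; a short comment on the intended behaviour when no interpreter is found would help.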
From: Scott Walkinshaw Date: Sun, 9 Dec 2018 16:35:16 -0500 Subject: [PATCH 052/416] Remove ansible_python_interpreter in server.yml This was changing the interpreter/version of Python used on remote hosts in `server.yml` to support Python 2 or 3. However, this doesn't work in all cases yet because we're installing Python 2 specific packages on servers. So for now Python 3 support is limited to the host/control machine which is the bigger issue anyway. Even Ubuntu 18.04 still defaults to Python 2. --- server.yml | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/server.yml b/server.yml index 3fb35be82c..45b574a6c4 100644 --- a/server.yml +++ b/server.yml @@ -9,23 +9,6 @@ roles: - { role: connection, tags: [connection, always] } -- name: Install prerequisites - hosts: web:&{{ env }} - gather_facts: false - become: yes - tasks: - - block: - - name: Find path to python interpreter - raw: which python3 || which python - register: python_path - changed_when: false - - name: Set path to python interpreter on remote - set_fact: - ansible_python_interpreter: "{{ python_path.stdout }}" - when: python_path.rc == 0 - when: ansible_python_interpreter is not defined - tags: always - - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} become: yes From 446afe4802b165d442c5d848f3a24c9e284a588e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:36:15 -0400 Subject: [PATCH 053/416] Update Vagrant box to ubuntu-18.04 --- vagrant.default.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vagrant.default.yml b/vagrant.default.yml index 8820eaf08f..24b4360407 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml 
@@ -2,8 +2,8 @@ vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB -vagrant_box: 'bento/ubuntu-16.04' -vagrant_box_version: '>= 201801.02.0' +vagrant_box: 'bento/ubuntu-18.04' +vagrant_box_version: '>= 201807.12.0' vagrant_ansible_version: '2.5.3' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From d97c176e25b7d32b1a00694fa0039a6e74642fd5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:36:31 -0400 Subject: [PATCH 054/416] Remove invalid sshd macs --- roles/sshd/defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index deedd28e00..2936d98ffc 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -46,11 +46,9 @@ sshd_login_grace_time: 30 sshd_macs_default: - hmac-sha2-512-etm@openssh.com - hmac-sha2-256-etm@openssh.com - - hmac-ripemd160-etm@openssh.com - umac-128-etm@openssh.com - hmac-sha2-512 - hmac-sha2-256 - - hmac-ripemd160 sshd_macs_extra: [] From 4621471f0b37fecc03c6112e1e87dbc08c659f7e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:37:08 -0400 Subject: [PATCH 055/416] Update Mariadb --- roles/mariadb/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 576ade7076..89f7b57ea0 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ -mariadb_keyserver: keyserver.ubuntu.com +mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb [arch=amd64,i386,ppc64el] http://ftp.osuosl.org/pub/mariadb/repo/10.2/ubuntu xenial main" +mariadb_ppa: "deb [arch=amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server 
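Review bot: In the mariadb defaults hunk, the new `mariadb_keyserver` value fetches the repository signing key over unencrypted HKP on port 80, and the key is selected by the 64-bit id `0xF1656F24C74CD1D8` in the unchanged line below it. Because the new `mariadb_ppa` also points at a plain-http third-party mirror, that key is the only integrity control on the installed packages, so how it is obtained matters. Prefer identifying it by full fingerprint, `mariadb_keyserver_id: "<FULL_40_HEX_FINGERPRINT>"` (placeholder), or vendoring the public key file in the role so no keyserver lookup is needed. The task that consumes these variables is outside the hunk.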
From b757fcf12a047d5b136ce73d68d8408959e5389c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:37:28 -0400 Subject: [PATCH 056/416] Python version compatibility --- roles/common/defaults/main.yml | 20 +++++++++++++++----- server.yml | 17 +++++++++++++++++ 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index c97104a18e..9a6f6693c3 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -20,16 +20,26 @@ site_keys_by_env_pair: "[ {% endfor %} ]" -apt_packages_default: - python-software-properties: "{{ apt_package_state }}" - python-pycurl: "{{ apt_package_state }}" +_apt_packages_default: build-essential: "{{ apt_package_state }}" - python-mysqldb: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" - git: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" + git: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" +apt_packages_python: + '2': + python-software-properties: "{{ apt_package_state }}" + python-mysqldb: "{{ apt_package_state }}" + python-pycurl: "{{ apt_package_state }}" + '3': + python3-software-properties: "{{ apt_package_state }}" + python3-mysqldb: "{{ apt_package_state }}" + python3-pycurl: "{{ apt_package_state }}" + +python_major_version: "{{ ansible_python_version[0] }}" +apt_packages_default: "{{ _apt_packages_default | combine(apt_packages_python[python_major_version]) }}" + apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" diff --git a/server.yml b/server.yml index 45b574a6c4..1656b3ec88 100644 --- a/server.yml +++ b/server.yml 
@@ -9,6 +9,23 @@ roles: - { role: connection, tags: [connection, always] } +- name: Set ansible_python_interpreter + hosts: web:&{{ env }} + gather_facts: false + become: yes + tasks: + - block: + - name: Get Ubuntu release + raw: lsb_release -cs + register: ubuntu_release + changed_when: false + - name: Set ansible_python_interpreter for Ubuntu 18.04 Bionic + set_fact: + ansible_python_interpreter: python3 + when: ubuntu_release.stdout_lines[0] == 'bionic' + when: ansible_python_interpreter is not defined + tags: always + - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} become: yes From c76ca569e5d5442dcf834df1c8c63a5332e00bed Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 May 2018 21:37:47 -0400 Subject: [PATCH 057/416] Update Ubuntu version validation --- roles/common/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 85ac087664..f4535561de 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -67,7 +67,7 @@ - name: Validate Ubuntu version debug: msg: | - Trellis is built for Ubuntu 16.04 Xenial as of https://github.com/roots/trellis/pull/626 + Trellis is built for Ubuntu 18.04 Bionic as of https://github.com/roots/trellis/pull/992 Your Ubuntu version is {{ ansible_distribution_version }} {{ ansible_distribution_release }} @@ -77,8 +77,8 @@ Development via Vagrant: `vagrant destroy && vagrant up` - Staging/Production: Create a new server with Ubuntu 16.04 and provision - when: ansible_distribution_release != 'xenial' + Staging/Production: Create a new server with Ubuntu 18.04 and provision + when: ansible_distribution_release != 'bionic' - name: Check whether passlib is needed fail: From 28e9850f69c7e83e5cd4ec5888274e8f6fec6db6 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Mon, 10 Dec 2018 18:19:21 -0500 Subject: [PATCH 058/416] Add CHANGELOG entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c3173b8c1a..6c3fa6e880 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992)) * Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031)) * Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021)) * Update wp-cli to 2.0.1 ([#1019](https://github.com/roots/trellis/pull/1019)) From ac4b511d6a6b37bb89f5d2014364f1bacc57e480 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 11 Dec 2018 23:15:37 -0500 Subject: [PATCH 059/416] Update README for 18.04 --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 36a8aac7fd..d3e0f729c6 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. Trellis will configure a server with the following and more: -* Ubuntu 16.04 Xenial LTS +* Ubuntu 18.04 Bionic LTS * Nginx (with optional FastCGI micro-caching) * PHP 7.2 * MariaDB (a drop-in MySQL replacement) 
@@ -71,7 +71,9 @@ Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) fo For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. -A base Ubuntu 16.04 server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. +A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. + +Note: Ubuntu 16.04 (Xenial) is still supported as well. See [#992](https://github.com/roots/trellis/pull/992) for details on the minor changes needed to run it. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` From ff496aeeb1a6fed1d50723386a5afac89844add3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 12 Dec 2018 20:00:56 -0500 Subject: [PATCH 060/416] Set ansible_python_interpreter in dev Via new python_interpreter role --- dev.yml | 7 +++++++ roles/python_interpreter/tasks/main.yml | 11 +++++++++++ server.yml | 14 ++------------ 3 files changed, 20 insertions(+), 12 deletions(-) create mode 100644 roles/python_interpreter/tasks/main.yml diff --git a/dev.yml b/dev.yml index b55f73df09..dfe6e8dc06 100644 --- a/dev.yml +++ b/dev.yml @@ -1,4 +1,11 @@ --- +- name: Set ansible_python_interpreter + hosts: web:&development + gather_facts: false + become: yes + roles: + - { role: python_interpreter, tags: [always] } + - name: "WordPress Server: Install LEMP Stack with PHP 7.2 and MariaDB MySQL" hosts: web:&development become: yes 
diff --git a/roles/python_interpreter/tasks/main.yml b/roles/python_interpreter/tasks/main.yml new file mode 100644 index 0000000000..8935abe901 --- /dev/null +++ b/roles/python_interpreter/tasks/main.yml @@ -0,0 +1,11 @@ +- block: + - name: Get Ubuntu release + raw: lsb_release -cs + register: ubuntu_release + changed_when: false + - name: Set ansible_python_interpreter for Ubuntu 18.04 Bionic + set_fact: + ansible_python_interpreter: python3 + when: ubuntu_release.stdout | trim == 'bionic' + when: ansible_python_interpreter is not defined + tags: always diff --git a/server.yml b/server.yml index 1656b3ec88..57ce25288b 100644 --- a/server.yml +++ b/server.yml @@ -13,18 +13,8 @@ hosts: web:&{{ env }} gather_facts: false become: yes - tasks: - - block: - - name: Get Ubuntu release - raw: lsb_release -cs - register: ubuntu_release - changed_when: false - - name: Set ansible_python_interpreter for Ubuntu 18.04 Bionic - set_fact: - ansible_python_interpreter: python3 - when: ubuntu_release.stdout_lines[0] == 'bionic' - when: ansible_python_interpreter is not defined - tags: always + roles: + - { role: python_interpreter, tags: [always] } - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} From df38788d8b267f863c603fc8812876128b3d1aa0 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 12 Dec 2018 23:46:23 -0500 Subject: [PATCH 061/416] Fix Python 3 compat error message --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index d2fd307abc..38127cd9a2 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
@@ -20,7 +20,7 @@ if version_info[0] == 2 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): raise AnsibleError(('Ansible >= {} is required when using Python 3.\n' - 'Either downgrade to Python 2 or update your Ansible version to {}.').format(__version__, python3_required_version)) + 'Either downgrade to Python 2 or update your Ansible version to {}.').format(python3_required_version, python3_required_version)) if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' From d6f24119773bb235f8b77fed470a48adc26f5f6d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 12 Dec 2018 23:56:22 -0500 Subject: [PATCH 062/416] Fix python 3 Ansible compatibility check >= 2.5.3 is only required if you're running Python 3 on the host. --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 38127cd9a2..86b6b8b14b 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -18,7 +18,7 @@ version_tested_max = '2.5.3' python3_required_version = '2.5.3' -if version_info[0] == 2 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): +if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): raise AnsibleError(('Ansible >= {} is required when using Python 3.\n' 'Either downgrade to Python 2 or update your Ansible version to {}.').format(python3_required_version, python3_required_version)) From 4587eca602aa0e9ca7c764afcbd1b7f7ceefcfbc Mon Sep 17 00:00:00 2001 
From: Ben Word Date: Thu, 13 Dec 2018 14:17:51 -0700 Subject: [PATCH 063/416] Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` --- CHANGELOG.md | 1 + Vagrantfile | 15 +++++++++++---- bin/ssh-vagrant-config.sh | 8 ++++++++ bin/xdebug-tunnel.sh | 3 +-- 4 files changed, 21 insertions(+), 6 deletions(-) create mode 100755 bin/ssh-vagrant-config.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c3fa6e880..af490d2498 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042)) * [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992)) * Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031)) * Allow customizing Nginx `worker_connections` ([#1021](https://github.com/roots/trellis/pull/1021)) diff --git a/Vagrantfile b/Vagrantfile index e06ac3f5f7..b4e57ca282 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -1,6 +1,3 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - ANSIBLE_PATH = __dir__ # absolute path to Ansible directory on host machine ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis'.freeze # absolute path to Ansible directory on virtual machine @@ -135,9 +132,19 @@ Vagrant.configure('2') do |config| extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] ansible.extra_vars.merge!(extra_vars) end + + if !Vagrant::Util::Platform.windows? + config.trigger.after :up do |trigger| + # Add Vagrant ssh-config to ~/.ssh/config + trigger.run = { + path: File.join(provisioning_path, 'bin/ssh-vagrant-config.sh'), + args: [main_hostname] + } + end + end end - # Virtualbox settings + # VirtualBox settings config.vm.provider 'virtualbox' do |vb| vb.name = config.vm.hostname vb.customize ['modifyvm', :id, '--cpus', vconfig.fetch('vagrant_cpus')] diff --git a/bin/ssh-vagrant-config.sh b/bin/ssh-vagrant-config.sh new file mode 100755 index 0000000000..77ea4ddd50 --- /dev/null 
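Review bot: The `config.trigger.after :up` block rewrites the developer's `~/.ssh/config` on every `vagrant up`, with no way to opt out. The block that `vagrant ssh-config` prints normally turns host key checking off for that host (`StrictHostKeyChecking no`, `UserKnownHostsFile /dev/null`), so the relaxed setting then applies to every `ssh` to that name, not only to `vagrant ssh`. I would make the trigger conditional on a setting read with `vconfig.fetch`, alongside the existing `vagrant_*` keys. I would also put this comment above it: `# Copies this host's vagrant ssh-config block, which relaxes host key checking, into ~/.ssh/config`. The enclosing `Vagrant.configure` block starts and ends outside the hunk.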
+++ b/bin/ssh-vagrant-config.sh @@ -0,0 +1,8 @@ +#!/bin/bash +vagrant_host=$1 + +# Add Vagrant ssh-config to ~/.ssh/config +sed "/^$/d;s/Host /$NL&/" ~/.ssh/config | sed '/^Host '"$vagrant_host"'$/,/^$/d;' > config && +cat config > ~/.ssh/config && +rm config && +vagrant ssh-config --host ${vagrant_host} >> ~/.ssh/config diff --git a/bin/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh index 112e7effe2..e60e4d48bb 100755 --- a/bin/xdebug-tunnel.sh +++ b/bin/xdebug-tunnel.sh @@ -1,5 +1,4 @@ -#!/usr/bin/env bash - +#!/bin/bash show_usage() { echo " Usage: bin/xdebug-tunnel.sh From 30eafb1e58060bacfd678cb3a53abc7c18a0f59c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 13 Dec 2018 21:07:40 -0500 Subject: [PATCH 064/416] Fix keys usage for Python 2/3 compat --- roles/common/tasks/disable_challenge_sites.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/disable_challenge_sites.yml b/roles/common/tasks/disable_challenge_sites.yml index 455d7f0cad..7995565b3a 100644 --- a/roles/common/tasks/disable_challenge_sites.yml +++ b/roles/common/tasks/disable_challenge_sites.yml @@ -3,5 +3,5 @@ file: path: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item }}.conf" state: absent - with_items: "{{ wordpress_sites.keys() }}" + with_items: "{{ wordpress_sites.keys() | list }}" notify: reload nginx From ec94e94e423a1b1ec4ecf5351789f12679c0969b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 13 Dec 2018 21:20:36 -0500 Subject: [PATCH 065/416] Don't force install Ansible Galaxy in dev By default Vagrant runs `ansible-galaxy` with the `--force` option causing every Galaxy role to be re-downloaded *every* time. This is annoying, slow, and wasteful. This customizes the `galaxy_command` to run without the `--force` flag. --- Vagrantfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Vagrantfile b/Vagrantfile index b4e57ca282..949d7bba1b 100644 --- a/Vagrantfile +++ b/Vagrantfile 
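Review bot: The second `sed` deletes from the `Host $vagrant_host` line to the next empty line, but the first `sed` has just removed every empty line and `$NL` is never assigned in this script. Unless `NL` is inherited from the environment, the range therefore runs to the end of the file and every entry after the Vagrant host is dropped from `~/.ssh/config`. That silently removes other hosts' settings (keys, jump hosts, host key options) with no backup. The host name is also spliced into the pattern unescaped, `${vagrant_host}` is unquoted, and the intermediate file has the fixed name `config` in whatever directory `vagrant up` ran from. I would build the new content in a `mktemp` file beside the target, drop only the block up to the next `Host`/`Match` line, and write the real file only after `vagrant ssh-config` has succeeded.

```shell
#!/bin/bash
set -euo pipefail
vagrant_host=$1
ssh_config="$HOME/.ssh/config"

# Build the new content beside the real file; mktemp picks an unused name
tmp=$(mktemp "${ssh_config}.XXXXXX")
trap 'rm -f "$tmp"' EXIT

# Copy everything except this host's block; a block ends at the next Host or Match line
if [ -f "$ssh_config" ]; then
  awk -v host="$vagrant_host" '
    $1 == "Host" || $1 == "Match" { skip = ($1 == "Host" && NF == 2 && $2 == host) }
    !skip
  ' "$ssh_config" > "$tmp"
fi

# With set -e a failing vagrant call stops here, before the real file is touched
vagrant ssh-config --host "$vagrant_host" >> "$tmp"
# Write through the existing path so its mode and any symlink are kept
cat "$tmp" > "$ssh_config"
```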
@@ -119,6 +119,7 @@ Vagrant.configure('2') do |config| ansible.playbook = File.join(provisioning_path, 'dev.yml') ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') + ansible.galaxy_command = 'ansible-galaxy install --role-file=%{role_file} --roles-path=%{roles_path}' ansible.groups = { 'web' => ['default'], From fc86158dae2e5985b6b55c55dad89746b024e8e6 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 13 Dec 2018 19:49:01 -0700 Subject: [PATCH 066/416] Ansible 2.7 compatibility --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- roles/connection/tasks/main.yml | 2 +- vagrant.default.yml | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index af490d2498..2338fcc498 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045)) * Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042)) * [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992)) * Python 3 support ([#1031](https://github.com/roots/trellis/pull/1031)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 86b6b8b14b..81e0e28365 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.4.0.0' -version_tested_max = '2.5.3' +version_tested_max = '2.7.5' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index de07be3538..0675e77bf4 100644 --- a/roles/connection/tasks/main.yml 
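Review bot: Without `--force`, `ansible-galaxy install` skips any role that already exists under `vendor/roles`, even when the version pinned in `requirements.yml` has changed. A box provisioned earlier can therefore keep running an outdated role after a version bump, including one made for a security fix. The new `ansible.galaxy_command` line should carry that caveat, for example `# No --force: after changing a version in requirements.yml, reinstall the roles with --force`. The enclosing provisioner block starts and ends outside the hunk.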
+++ b/roles/connection/tasks/main.yml @@ -53,7 +53,7 @@ - block: - name: Set remote user for each host set_fact: - ansible_user: "{{ ansible_user | default((connection_status.stdout_lines | intersect(['root', '\e[0;32mroot']) | count) | ternary('root', admin_user)) }}" + ansible_user: "{{ ansible_user | default((connection_status.stdout_lines | intersect(['root', '\e[0;32mroot', '\e[0;33mroot']) | count) | ternary('root', admin_user)) }}" check_mode: no - name: Announce which user was selected diff --git a/vagrant.default.yml b/vagrant.default.yml index 24b4360407..03ff4689b6 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-18.04' vagrant_box_version: '>= 201807.12.0' -vagrant_ansible_version: '2.5.3' +vagrant_ansible_version: '2.7.5' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From 9a26f30e7187a22a2a69bb9153ab1115596105bf Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 13 Dec 2018 19:57:32 -0700 Subject: [PATCH 067/416] Require Vagrant >= 2.1.0 --- CHANGELOG.md | 1 + README.md | 2 +- Vagrantfile | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2338fcc498..6b134c2bda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046)) * Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045)) * Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042)) * [BREAKING] Add Ubuntu 18.04 support and default to it ([#992](https://github.com/roots/trellis/pull/992)) diff --git a/README.md b/README.md index d3e0f729c6..5f11d40657 100644 --- a/README.md +++ b/README.md 
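Review bot: The `ansible_user` expression recognises `root` only as one of three exact strings: the plain name, or the name prefixed with the green (`\e[0;32m`) or yellow (`\e[0;33m`) colour code. Any other colouring of the connection check output falls through to `admin_user`. Stripping escape sequences from `connection_status.stdout_lines` before the `intersect` would remove the need for one literal per colour. Short of that, a comment above the task should say where the literals come from: `# 'root' as printed plain, in green and in yellow by the connection check`. The enclosing block continues outside the hunk.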
@@ -36,7 +36,7 @@ Full documentation is available at [https://roots.io/trellis/docs/](https://root Make sure all dependencies have been installed before moving on: * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -* [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.0.1 +* [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 ## Installation diff --git a/Vagrantfile b/Vagrantfile index b4e57ca282..f672a2373f 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,7 +16,7 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -Vagrant.require_version '>= 2.0.1' +Vagrant.require_version '>= 2.1.0' Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') From c122be4c8b5ac23b69d72d9bdd1cf39849e64060 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 14 Dec 2018 13:28:20 +0000 Subject: [PATCH 068/416] Allow overriding rollback variables --- CHANGELOG.md | 1 + roles/rollback/defaults/main.yml | 2 ++ rollback.yml | 5 ----- 3 files changed, 3 insertions(+), 5 deletions(-) create mode 100644 roles/rollback/defaults/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b134c2bda..9c781f4c32 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047)) * Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046)) * Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045)) * Add Vagrant `ssh-config` to `~/.ssh/config` on `vagrant up` ([#1042](https://github.com/roots/trellis/pull/1042)) diff --git a/roles/rollback/defaults/main.yml b/roles/rollback/defaults/main.yml new file mode 100644 index 0000000000..08d321ee62 --- /dev/null +++ b/roles/rollback/defaults/main.yml 
@@ -0,0 +1,2 @@ +project_root: "{{ www_root }}/{{ site }}" +project_current_path: "{{ wordpress_sites[site].current_path | default('current') }}" diff --git a/rollback.yml b/rollback.yml index f3e0405a92..47a01bbc38 100644 --- a/rollback.yml +++ b/rollback.yml @@ -14,10 +14,5 @@ - name: Rollback a Deploy hosts: web:&{{ env }} remote_user: "{{ web_user }}" - - vars: - project_root: "{{ www_root }}/{{ site }}" - project_current_path: "{{ wordpress_sites[site].current_path | default('current') }}" - roles: - rollback From fdd9b7372a1439062b06ad0ad3672aa20fac7f7c Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 16 Dec 2018 15:55:32 +0000 Subject: [PATCH 069/416] Add `vault_wordpress_env_defaults` --- CHANGELOG.md | 1 + group_vars/all/helpers.yml | 2 +- group_vars/all/main.yml | 1 + group_vars/all/vault.yml | 6 ++++++ 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c781f4c32..60cf069c92 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) * Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047)) * Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046)) * Bump Ansible `version_tested_max` to 2.7.5 ([#1045](https://github.com/roots/trellis/pull/1045)) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 7b89c15ebf..11bb881d43 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -9,7 +9,7 @@ wordpress_env_defaults: wp_siteurl: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}/wp" domain_current_site: "{{ site_hosts_canonical | first }}" -site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" +site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 68ef57b68e..e7f9bd85fc 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -20,4 +20,5 @@ raw_vars: - vault_mysql_root_password - vault_users.*.password - vault_users.*.salt + - vault_wordpress_env_defaults - vault_wordpress_sites diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index 19a21ae41e..fc11d9d9c2 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml @@ -1,2 +1,8 @@ # Documentation: https://roots.io/trellis/docs/vault/ vault_mail_password: smtp_password + +# Variables to accompany `wordpress_env_defaults` in `group_vars/all/helpers.yml` +# Note: These values can be overriden by `vault_wordpress_sites.*.env` +# +# vault_wordpress_env_defaults: +# my_api_key: 'available to all environments' From 83f716307ec5d18186724245e94e52cceeeea3c1 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 17 Dec 2018 10:19:17 +0000 Subject: [PATCH 070/416] Fix: `vault_wordpress_env_defaults` not populated during deploy Follow up on #1048 --- CHANGELOG.md | 1 + roles/deploy/vars/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
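Review bot: The comment added to `group_vars/all/vault.yml` names only `vault_wordpress_sites.*.env` as an override, which understates what the new `site_env` expression does. There, `combine()` also applies `item.value.env` (presumably `wordpress_sites.*.env`) after `vault_wordpress_env_defaults`, so an unencrypted per-site value wins over the vaulted default as well. I would word the comment as `# Note: These values can be overridden by wordpress_sites.*.env and vault_wordpress_sites.*.env`. Because the example invites API keys into this file, I would also add `# Encrypt this file with ansible-vault before adding real values` next to the existing docs link.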
diff --git a/CHANGELOG.md b/CHANGELOG.md index 60cf069c92..995696ef3a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049)) * Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) * Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047)) * Require Vagrant >= 2.1.0 ([#1046](https://github.com/roots/trellis/pull/1046)) diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index cb51f14823..aea2f70a6e 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml @@ -8,4 +8,4 @@ wordpress_env_defaults: wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" -site_env: "{{ wordpress_env_defaults | combine(project.env | default({}), vault_wordpress_sites[site].env) }}" +site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" From 56df5b56c6ab39ba07654e36f241c726dcbeb66f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 17 Dec 2018 19:43:02 -0500 Subject: [PATCH 071/416] Fix Vagrant trigger path This path should always be local on the host. --- CHANGELOG.md | 1 + Vagrantfile | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 995696ef3a..e13054cb2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051)) * Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049)) * Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) * Allow overriding rollback variables ([#1047](https://github.com/roots/trellis/pull/1047)) diff --git a/Vagrantfile b/Vagrantfile index f672a2373f..1ce9f4be4c 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -137,7 +137,7 @@ Vagrant.configure('2') do |config| config.trigger.after :up do |trigger| # Add Vagrant ssh-config to ~/.ssh/config trigger.run = { - path: File.join(provisioning_path, 'bin/ssh-vagrant-config.sh'), + path: File.join(ANSIBLE_PATH, 'bin/ssh-vagrant-config.sh'), args: [main_hostname] } end From c0bef6d42217de099fd1f765076111f921dc0114 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 19 Dec 2018 14:04:32 -0700 Subject: [PATCH 072/416] Update to PHP 7.3 --- CHANGELOG.md | 1 + README.md | 2 +- dev.yml | 2 +- group_vars/all/users.yml | 2 +- roles/common/handlers/main.yml | 2 +- roles/deploy/hooks/finalize-after.yml | 2 +- roles/php/defaults/main.yml | 24 ++++++++++++------------ roles/php/tasks/main.yml | 22 +++++++++++----------- roles/wordpress-setup/tasks/main.yml | 6 +++--- roles/xdebug/tasks/main.yml | 10 +++++----- server.yml | 2 +- xdebug-tunnel.yml | 2 +- 12 files changed, 39 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e13054cb2d..4b02e34136 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052)) * Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051)) * Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049)) * Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) 
diff --git a/README.md b/README.md index 5f11d40657..8ba7beb4b2 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Trellis will configure a server with the following and more: * Ubuntu 18.04 Bionic LTS * Nginx (with optional FastCGI micro-caching) -* PHP 7.2 +* PHP 7.3 * MariaDB (a drop-in MySQL replacement) * SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) * Let's Encrypt integration for free SSL certificates diff --git a/dev.yml b/dev.yml index dfe6e8dc06..4159951902 100644 --- a/dev.yml +++ b/dev.yml @@ -6,7 +6,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: "WordPress Server: Install LEMP Stack with PHP 7.2 and MariaDB MySQL" +- name: "WordPress Server: Install LEMP Stack with PHP 7.3 and MariaDB MySQL" hosts: web:&development become: yes remote_user: vagrant diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index 7704ef18b7..2290fea7de 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -19,4 +19,4 @@ users: web_user: web web_group: www-data web_sudoers: - - "/usr/sbin/service php7.2-fpm *" + - "/usr/sbin/service php7.3-fpm *" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 762b6caece..ad0488c90b 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -9,7 +9,7 @@ - name: reload php-fpm service: - name: php7.2-fpm + name: php7.3-fpm state: reloaded - import_tasks: reload_nginx.yml diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 0ce90d3893..f7c2a1f756 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -34,6 +34,6 @@ when: wp_installed.rc == 0 - name: Reload php-fpm - shell: sudo service php7.2-fpm reload + shell: sudo service php7.3-fpm reload args: warn: false diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 0e40746fd5..f59a03b044 100644 --- a/roles/php/defaults/main.yml 
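Review bot: The `web_sudoers` entry in `group_vars/all/users.yml` keeps its trailing `*`, which, assuming the entry is written to sudoers as-is, lets the web user pass any arguments to `service php7.3-fpm` under sudo. The only use visible in this patch is `sudo service php7.3-fpm reload` in `roles/deploy/hooks/finalize-after.yml`. If nothing else relies on the wider rule, which these hunks cannot show, the entry could be narrowed to `- "/usr/sbin/service php7.3-fpm reload"`. The version is also repeated as a literal in every file this patch touches, and a single variable would keep the sudoers rule and the service name from drifting apart on the next upgrade.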
+++ b/roles/php/defaults/main.yml @@ -2,18 +2,18 @@ disable_default_pool: true memcached_sessions: false php_extensions_default: - php7.2-cli: "{{ apt_package_state }}" - php7.2-common: "{{ apt_package_state }}" - php7.2-curl: "{{ apt_package_state }}" - php7.2-dev: "{{ apt_package_state }}" - php7.2-fpm: "{{ apt_package_state }}" - php7.2-gd: "{{ apt_package_state }}" - php7.2-mbstring: "{{ apt_package_state }}" - php7.2-mysql: "{{ apt_package_state }}" - php7.2-opcache: "{{ apt_package_state }}" - php7.2-xml: "{{ apt_package_state }}" - php7.2-xmlrpc: "{{ apt_package_state }}" - php7.2-zip: "{{ apt_package_state }}" + php7.3-cli: "{{ apt_package_state }}" + php7.3-common: "{{ apt_package_state }}" + php7.3-curl: "{{ apt_package_state }}" + php7.3-dev: "{{ apt_package_state }}" + php7.3-fpm: "{{ apt_package_state }}" + php7.3-gd: "{{ apt_package_state }}" + php7.3-mbstring: "{{ apt_package_state }}" + php7.3-mysql: "{{ apt_package_state }}" + php7.3-opcache: "{{ apt_package_state }}" + php7.3-xml: "{{ apt_package_state }}" + php7.3-xmlrpc: "{{ apt_package_state }}" + php7.3-zip: "{{ apt_package_state }}" php_extensions_custom: {} php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 90f2bd5fcc..ceaf843c05 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -1,38 +1,38 @@ --- -- name: Add PHP 7.2 PPA +- name: Add PHP 7.3 PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.2 +- name: Install PHP 7.3 apt: name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" -- name: Start php7.2-fpm service +- name: Start php7.3-fpm service service: - name: php7.2-fpm + name: php7.3-fpm state: started enabled: true -- name: Check for existing php7.1-fpm service +- name: Check for existing php7.2-fpm service stat: - path: /etc/init.d/php7.1-fpm - register: php71_status + path: /etc/init.d/php7.2-fpm + register: php72_status -- name: Stop php7.1-fpm service if it exists +- name: Stop php7.2-fpm service if it exists service: - name: php7.1-fpm + name: php7.2-fpm state: stopped enabled: false register: service_stopped - when: php71_status.stat.exists + when: php72_status.stat.exists notify: reload php-fpm - name: PHP configuration file template: src: php.ini.j2 - dest: /etc/php/7.2/fpm/php.ini + dest: /etc/php/7.3/fpm/php.ini notify: reload php-fpm diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 1b2119b225..59e3dc60f4 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -26,13 +26,13 @@ - name: Create WordPress php-fpm configuration file template: src: php-fpm.conf.j2 - dest: /etc/php/7.2/fpm/pool.d/wordpress.conf + dest: /etc/php/7.3/fpm/pool.d/wordpress.conf notify: reload php-fpm - name: Disable default PHP-FPM pool - command: mv /etc/php/7.2/fpm/pool.d/www.conf /etc/php/7.2/fpm/pool.d/www.disabled + command: mv /etc/php/7.3/fpm/pool.d/www.conf /etc/php/7.3/fpm/pool.d/www.disabled args: - creates: /etc/php/7.2/fpm/pool.d/www.disabled + creates: /etc/php/7.3/fpm/pool.d/www.disabled when: disable_default_pool | default(true) notify: reload php-fpm 
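Review bot: The check that used to stop `php7.1-fpm` was rewritten to look for `php7.2-fpm` rather than extended. A host that is still on 7.1 when this playbook runs therefore keeps `php7.1-fpm` running and enabled next to 7.3. The tasks shown stop the old service but do not remove its packages, so unless another role does that, the superseded PHP version stays installed. A comment above `Check for existing php7.2-fpm service` would make the limit explicit: `# Only the previous release is stopped; older php-fpm services and packages must be removed by hand`.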
diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 79118f7d05..deadc88c50 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -9,13 +9,13 @@ - name: Template the Xdebug configuration file template: src: xdebug.ini.j2 - dest: /etc/php/7.2/mods-available/xdebug.ini + dest: /etc/php/7.3/mods-available/xdebug.ini notify: reload php-fpm - name: Ensure 20-xdebug.ini is present file: - src: /etc/php/7.2/mods-available/xdebug.ini - dest: /etc/php/7.2/fpm/conf.d/20-xdebug.ini + src: /etc/php/7.3/mods-available/xdebug.ini + dest: /etc/php/7.3/fpm/conf.d/20-xdebug.ini state: link notify: reload php-fpm @@ -23,12 +23,12 @@ - name: Disable Xdebug file: - path: /etc/php/7.2/fpm/conf.d/20-xdebug.ini + path: /etc/php/7.3/fpm/conf.d/20-xdebug.ini state: absent when: not xdebug_remote_enable | bool notify: reload php-fpm - name: Disable Xdebug CLI file: - path: /etc/php/7.2/cli/conf.d/20-xdebug.ini + path: /etc/php/7.3/cli/conf.d/20-xdebug.ini state: absent diff --git a/server.yml b/server.yml index 57ce25288b..7c44723477 100644 --- a/server.yml +++ b/server.yml @@ -16,7 +16,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL +- name: WordPress Server - Install LEMP Stack with PHP 7.3 and MariaDB MySQL hosts: web:&{{ env }} become: yes roles: diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 0c5d7eae17..2c8a975438 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -15,5 +15,5 @@ handlers: - name: reload php-fpm service: - name: php7.2-fpm + name: php7.3-fpm state: reloaded From d59eb8ca6e0ee9cde03c1702a84c1d7c8c771db9 Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Wed, 19 Dec 2018 20:04:34 -0800 Subject: [PATCH 073/416] Enable ability to change users role `update_password` value (#767) --- CHANGELOG.md | 1 + roles/users/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index e13054cb2d..41ff298cfb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767)) * Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051)) * Fix: `vault_wordpress_env_defaults` not populated during deploy ([#1049](https://github.com/roots/trellis/pull/1049)) * Add `vault_wordpress_env_defaults` ([#1048](https://github.com/roots/trellis/pull/1048)) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index a9313429fe..8c1403c0be 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -36,7 +36,7 @@ password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", (user.salt | default(""))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ None }}{% endfor %}' state: present shell: /bin/bash - update_password: always + update_password: "{{ item.update_password | default('always') }}" with_items: "{{ users }}" - name: Add web user sudoers items for services From 60975e0899ce3f1e9567a638667621a8f30f2e70 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 20 Dec 2018 19:16:54 -0700 Subject: [PATCH 074/416] Update README [ci skip] --- README.md | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 5f11d40657..43f1c56297 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. - Local development environment with Vagrant - High-performance production servers -- One-command deploys for your [Bedrock](https://roots.io/bedrock/)-based WordPress sites +- Zero-downtime deploys for your [Bedrock](https://roots.io/bedrock/)-based WordPress sites ## What's included 
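Review bot: The new `update_password` line in `roles/users/tasks/main.yml` takes its value straight from each `users` entry, and the hunk documents neither the key nor its effect. With `on_create`, a password changed later in `vault_users` is not applied to an account that already exists, so a rotation can appear to succeed while the old password stays valid. I would add this above the task: `# item.update_password: 'always' (default) or 'on_create'; with 'on_create' later vault password changes are not applied`. The task starts outside the hunk.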
@@ -17,15 +17,14 @@ Trellis will configure a server with the following and more: * PHP 7.2 * MariaDB (a drop-in MySQL replacement) * SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) -* Let's Encrypt integration for free SSL certificates +* Let's Encrypt for free SSL certificates * HTTP/2 support (requires SSL) * Composer * WP-CLI * sSMTP (mail delivery) * MailHog * Memcached -* Fail2ban -* ferm +* Fail2ban and ferm ## Documentation @@ -35,6 +34,7 @@ Full documentation is available at [https://roots.io/trellis/docs/](https://root Make sure all dependencies have been installed before moving on: +* [Composer](https://getcomposer.org/doc/00-intro.md#installation-linux-unix-osx) * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 @@ -53,9 +53,18 @@ example.com/ # → Root folder for the project See a complete working example in the [roots-example-project.com repo](https://github.com/roots/roots-example-project.com). -1. Create a new project directory: `$ mkdir example.com && cd example.com` -2. Clone Trellis: `$ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git` -3. Clone Bedrock: `$ git clone --depth=1 git@github.com:roots/bedrock.git site && rm -rf site/.git` +1. Create a new project directory: +```plain +$ mkdir example.com && cd example.com +``` +2. Install Trellis: +```plain +$ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git +``` +3. Install Bedrock into the `site` directory: +```plain +$ composer create-project roots/bedrock site +``` Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) for slightly different installation instructions. VirtualBox is known to have poor performance in Windows — use VMware or [see some possible solutions](https://discourse.roots.io/t/virtualbox-performance-in-windows/3932). 
@@ -73,8 +82,6 @@ For remote servers, installing Ansible locally is an additional requirement. See A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. -Note: Ubuntu 16.04 (Xenial) is still supported as well. See [#992](https://github.com/roots/trellis/pull/992) for details on the minor changes needed to run it. - 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` 3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/)) From a5bc6e0c7ce3914a982b5861af18a4f260d08f05 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 19 Dec 2018 21:54:06 -0500 Subject: [PATCH 075/416] Use Ruby for ssh-config trigger --- CHANGELOG.md | 1 + Vagrantfile | 8 ++++---- bin/ssh-vagrant-config.sh | 8 -------- lib/trellis/vagrant.rb | 21 +++++++++++++++++++++ 4 files changed, 26 insertions(+), 12 deletions(-) delete mode 100755 bin/ssh-vagrant-config.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index cef32c0613..7911a595af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053)) * Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052)) * Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767)) * Fix Vagrant trigger path ([#1051](https://github.com/roots/trellis/pull/1051)) diff --git a/Vagrantfile b/Vagrantfile index cb6616dcbc..3b2ce8a521 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -137,10 +137,10 @@ Vagrant.configure('2') do |config| if !Vagrant::Util::Platform.windows? config.trigger.after :up do |trigger| # Add Vagrant ssh-config to ~/.ssh/config - trigger.run = { - path: File.join(ANSIBLE_PATH, 'bin/ssh-vagrant-config.sh'), - args: [main_hostname] - } + trigger.info = "Adding vagrant ssh-config for #{main_hostname } to ~/.ssh/config" + trigger.ruby do + update_ssh_config(main_hostname) + end end end end diff --git a/bin/ssh-vagrant-config.sh b/bin/ssh-vagrant-config.sh deleted file mode 100755 index 77ea4ddd50..0000000000 --- a/bin/ssh-vagrant-config.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -vagrant_host=$1 - -# Add Vagrant ssh-config to ~/.ssh/config -sed "/^$/d;s/Host /$NL&/" ~/.ssh/config | sed '/^Host '"$vagrant_host"'$/,/^$/d;' > config && -cat config > ~/.ssh/config && -rm config && -vagrant ssh-config --host ${vagrant_host} >> ~/.ssh/config diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index d991d71330..980004caa5 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -76,3 +76,24 @@ def which(cmd) system("#{path} --help", %i(out err) => File::NULL) end end + +def update_ssh_config(main_hostname) + regexp = /(Host #{Regexp.quote(main_hostname)}(?:(?!^Host).)*)/m + config_file = File.expand_path('~/.ssh/config') + vagrant_ssh_config = `vagrant ssh-config --host #{main_hostname}`.chomp + + if File.exists?(config_file) + FileUtils.cp(config_file, "#{config_file}.trellis_backup") + ssh_config = File.read(config_file) + + content = if ssh_config =~ regexp + ssh_config.gsub(regexp, vagrant_ssh_config) + else + ssh_config << "\n#{vagrant_ssh_config}" + end + + File.write(config_file, content) + else + File.write(config_file, vagrant_ssh_config) + end +end From 929d31f53396ddca8da49969c968f0ed6f110afb Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 27 Dec 2018 10:22:13 -0700 Subject: [PATCH 076/416] 1.0.0 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
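Review bot: `update_ssh_config` in the `lib/trellis/vagrant.rb` hunk never checks whether `vagrant ssh-config` succeeded, so on failure `vagrant_ssh_config` is empty and the `gsub` branch replaces the existing `Host` block with nothing. A guard right after the backtick call, `return if !$?.success? || vagrant_ssh_config.empty?`, leaves `~/.ssh/config` unchanged in that case. The pattern is also unanchored: `Host #{Regexp.quote(main_hostname)}` matches a longer host name that begins with the same text, and the lookahead stops only at a line starting with `Host`, so a `Match` block following the entry would be swallowed. Passing the replacement as a block, `ssh_config.gsub(regexp) { vagrant_ssh_config }`, keeps backslash sequences in the command output from being read as back-references.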
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7911a595af..09c7a5820e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -### HEAD +### 1.0.0: December 27th, 2018 * Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053)) * Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052)) * Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767)) From 32778c53bf3dcbaa3d1e7e73c245b3c80311ba43 Mon Sep 17 00:00:00 2001 From: Kalen Johnson Date: Thu, 27 Dec 2018 11:18:14 -0800 Subject: [PATCH 077/416] Hyper-V and SMB folder sync compatibility (#1035) --- Vagrantfile | 24 +++++++++++++++++++++--- lib/trellis/vagrant.rb | 8 ++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 3b2ce8a521..7302b3b126 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -68,14 +68,23 @@ Vagrant.configure('2') do |config| vagrant_mount_type = vconfig.fetch('vagrant_mount_type') + extra_options = if vagrant_mount_type == 'smb' + { + smb_username: vconfig.fetch('vagrant_smb_username', 'vagrant'), + smb_password: vconfig.fetch('vagrant_smb_password', 'vagrant'), + } + else + {} + end + if vagrant_mount_type != 'nfs' || Vagrant::Util::Platform.wsl? || (Vagrant::Util::Platform.windows? && !Vagrant.has_plugin?('vagrant-winnfsd')) vagrant_mount_type = nil if vagrant_mount_type == 'nfs' trellis_config.wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'], type: vagrant_mount_type + config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: mount_options(vagrant_mount_type, dmode: 776, fmode: 775), type: vagrant_mount_type, **extra_options end - config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'], type: vagrant_mount_type - config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'], type: vagrant_mount_type + config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 644), type: vagrant_mount_type, **extra_options + config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 755), type: vagrant_mount_type, **extra_options elsif !Vagrant.has_plugin?('vagrant-bindfs') fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" else 
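Review bot: The `extra_options` block in this `Vagrantfile` hunk reads `vagrant_smb_password` from `vconfig` and falls back to the literal `'vagrant'`, so the SMB account password lives in a plain-text config file and a guessable default is sent when nothing is configured. SMB synced folders authenticate against an account on the host, so I would pass the keys only when they are set, for example `{ smb_username: vconfig['vagrant_smb_username'], smb_password: vconfig['vagrant_smb_password'] }.compact`, assuming `vconfig` is a plain Hash. Vagrant is documented to prompt for SMB credentials when they are omitted, which is worth confirming for the supported versions. A comment next to the keys should say the values must not be committed. The `Vagrant.configure` block continues outside the hunk.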
@@ -173,4 +182,13 @@ Vagrant.configure('2') do |config| prl.memory = vconfig.fetch('vagrant_memory') prl.update_guest_tools = true end + + # Hyper-V settings + config.vm.provider 'hyperv' do |h| + h.vmname = config.vm.hostname + h.cpus = vconfig.fetch('vagrant_cpus') + h.memory = vconfig.fetch('vagrant_memory') + h.enable_virtualization_extensions = true + h.linked_clone = true + end end diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index 980004caa5..be53f5790c 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -49,6 +49,14 @@ def nfs_path(path) "/vagrant-nfs-#{File.basename(path)}" end +def mount_options(mount_type, dmode:, fmode:) + if mount_type == 'smb' + ["vers=3.02", "mfsymlinks", "dir_mode=0#{dmode}", "file_mode=0#{fmode}", "sec=ntlm"] + else + ["dmode=#{dmode}", "fmode=#{fmode}"] + end +end + def post_up_message msg = 'Your Trellis Vagrant box is ready to use!' msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine" From cda4d06aea1104c187c4c5ddb6c86b9635bbbd68 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 27 Dec 2018 15:38:00 -0700 Subject: [PATCH 078/416] Update CHANGELOG [ci skip] --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09c7a5820e..7556991b0a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### 1.0.0: December 27th, 2018 +* Hyper-V and SMB folder sync compatibility ([#1035](https://github.com/roots/trellis/pull/1035)) * Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053)) * Update to PHP 7.3 ([#1052](https://github.com/roots/trellis/pull/1052)) * Enable per-user `update_password` behavior ([#767](https://github.com/roots/trellis/pull/767)) From fb8ec64110c7c55a474ca5a41bce73a031e22fc0 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 2 Jan 2019 14:50:39 -0600 Subject: [PATCH 079/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
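Review bot: `mount_options` in the `lib/trellis/vagrant.rb` hunk hard-codes `"sec=ntlm"` for SMB mounts, which selects the older NTLM password hashing rather than NTLMv2; newer Linux kernels have removed that mode from the CIFS client. I would drop the option or use `"sec=ntlmssp"`, and add a comment explaining why `vers=3.02` is pinned. `dir_mode=0#{dmode}` also relies on callers passing the mode as a decimal-looking integer such as `776`, so a short comment on the `dmode:`/`fmode:` keywords stating that would help.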
diff --git a/README.md b/README.md index 02634cf40c..a55700a457 100644 --- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital +Kinsta Harness Software KM Digital itineris Hébergement Web Québec ## Community From 899455ec836b122828066ffd1e699a427e384266 Mon Sep 17 00:00:00 2001 From: ouun <32090713+ouun@users.noreply.github.com> Date: Mon, 7 Jan 2019 16:18:57 +0100 Subject: [PATCH 080/416] Let's Encrypt compatibility with python3 (#1057) --- roles/letsencrypt/templates/renew-certs.py | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 88cd133419..22a6640641 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import os import sys @@ -15,15 +15,15 @@ if os.access(cert_path, os.F_OK): stat = os.stat(cert_path) - print 'Certificate file ' + cert_path + ' already exists' + print('Certificate file ' + cert_path + ' already exists') if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: - print ' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n' + print('The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n') continue - print 'Generating certificate for ' + site + print('Generating certificate for ' + site) - cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + cmd = ('/usr/bin/env python3 {{ acme_tiny_software_directory }}/acme_tiny.py ' '--quiet ' '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' 
@@ -35,19 +35,19 @@ cert = check_output(cmd, stderr=STDOUT, shell=True) except CalledProcessError as e: failed = True - print 'Error while generating certificate for ' + site - print e.output + print('Error while generating certificate for ' + site) + print(e.output) else: - with open(cert_path, 'w') as cert_file: + with open(cert_path, 'wb') as cert_file: cert_file.write(cert) with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: intermediate_cert = intermediate_cert_file.read() - with open(bundled_cert_path, 'w') as bundled_file: - bundled_file.write(''.join([cert, intermediate_cert])) + with open(bundled_cert_path, 'wb') as bundled_file: + bundled_file.write(b''.join(b[cert, intermediate_cert])) - print 'Created certificate for ' + site + print('Created certificate for ' + site) if failed: sys.exit(1) From a721ef61b95adc9e56d974b73de81c2cfbb1e4c7 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 7 Jan 2019 19:15:07 -0500 Subject: [PATCH 081/416] Fix renew-certs.py We don't need to deal with bytes and binary modes here. The solution was to set `universal_newlines=True` on `check_output` to ensure we get back a string and not bytes. --- roles/letsencrypt/templates/renew-certs.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 22a6640641..c6fe3014b8 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py 
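Review bot: The new bundle write in `renew-certs.py`, `bundled_file.write(b''.join(b[cert, intermediate_cert]))`, cannot run as written. `b[...]` subscripts a name `b` that is not defined in the visible code, and `intermediate_cert` is read from a file opened in text mode, so it is `str` while `cert` is `bytes`. Opening the intermediate certificate with mode `'rb'` and writing `b''.join([cert, intermediate_cert])` keeps both sides as bytes. `print(e.output)` will likewise print a bytes repr under Python 3 unless it is decoded. The same line comes back in the later revert hunk for this file, and the enclosing loop starts above the hunk.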
@@ -32,20 +32,20 @@ ).format(site, letsencrypt_cert_ids[site]) try: - cert = check_output(cmd, stderr=STDOUT, shell=True) + cert = check_output(cmd, stderr=STDOUT, shell=True, universal_newlines=True) except CalledProcessError as e: failed = True print('Error while generating certificate for ' + site) print(e.output) else: - with open(cert_path, 'wb') as cert_file: + with open(cert_path, 'w') as cert_file: cert_file.write(cert) with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: intermediate_cert = intermediate_cert_file.read() - with open(bundled_cert_path, 'wb') as bundled_file: - bundled_file.write(b''.join(b[cert, intermediate_cert])) + with open(bundled_cert_path, 'w') as bundled_file: + bundled_file.write(cert.join([intermediate_cert])) print('Created certificate for ' + site) From 4ea4c94636341fab171e4cc2f14077f83ee1f48f Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 8 Jan 2019 13:58:23 -0700 Subject: [PATCH 082/416] Revert "Merge pull request #1059 from roots/renew-certs-fix" This reverts commit 8ffc7b83ea806f158ab8ab63147c1e675f65c5b7, reversing changes made to 899455ec836b122828066ffd1e699a427e384266. --- roles/letsencrypt/templates/renew-certs.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index c6fe3014b8..22a6640641 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py 
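Review bot: `bundled_file.write(cert.join([intermediate_cert]))` writes only the intermediate certificate, because `str.join` on a one-element list returns that element and uses `cert` merely as a separator that never appears. The bundle file then lacks the site certificate. The line should be `bundled_file.write(''.join([cert, intermediate_cert]))`. The enclosing loop starts above the hunk.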
@@ -32,20 +32,20 @@ ).format(site, letsencrypt_cert_ids[site]) try: - cert = check_output(cmd, stderr=STDOUT, shell=True, universal_newlines=True) + cert = check_output(cmd, stderr=STDOUT, shell=True) except CalledProcessError as e: failed = True print('Error while generating certificate for ' + site) print(e.output) else: - with open(cert_path, 'w') as cert_file: + with open(cert_path, 'wb') as cert_file: cert_file.write(cert) with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: intermediate_cert = intermediate_cert_file.read() - with open(bundled_cert_path, 'w') as bundled_file: - bundled_file.write(cert.join([intermediate_cert])) + with open(bundled_cert_path, 'wb') as bundled_file: + bundled_file.write(b''.join(b[cert, intermediate_cert])) print('Created certificate for ' + site) From 51e8f74460caa669054297613963480c9ea3b76c Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 8 Jan 2019 13:58:37 -0700 Subject: [PATCH 083/416] Revert "Let's Encrypt compatibility with python3 (#1057)" This reverts commit 899455ec836b122828066ffd1e699a427e384266. --- roles/letsencrypt/templates/renew-certs.py | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 22a6640641..88cd133419 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python3 +#!/usr/bin/env python import os import sys 
@@ -15,15 +15,15 @@ if os.access(cert_path, os.F_OK): stat = os.stat(cert_path) - print('Certificate file ' + cert_path + ' already exists') + print 'Certificate file ' + cert_path + ' already exists' if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: - print('The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n') + print ' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n' continue - print('Generating certificate for ' + site) + print 'Generating certificate for ' + site - cmd = ('/usr/bin/env python3 {{ acme_tiny_software_directory }}/acme_tiny.py ' + cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' '--quiet ' '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' @@ -35,19 +35,19 @@ cert = check_output(cmd, stderr=STDOUT, shell=True) except CalledProcessError as e: failed = True - print('Error while generating certificate for ' + site) - print(e.output) + print 'Error while generating certificate for ' + site + print e.output else: - with open(cert_path, 'wb') as cert_file: + with open(cert_path, 'w') as cert_file: cert_file.write(cert) with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: intermediate_cert = intermediate_cert_file.read() - with open(bundled_cert_path, 'wb') as bundled_file: - bundled_file.write(b''.join(b[cert, intermediate_cert])) + with open(bundled_cert_path, 'w') as bundled_file: + bundled_file.write(''.join([cert, intermediate_cert])) - print('Created certificate for ' + site) + print 'Created certificate for ' + site if failed: sys.exit(1) From a34df5d71e264c9a75bf7b042e85a48c15f29855 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 8 Jan 2019 14:45:40 -0700 Subject: [PATCH 084/416] Add Python 2 explicitly --- CHANGELOG.md | 3 +++ roles/common/defaults/main.yml | 2 ++ 2 files changed, 5 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 7556991b0a..89dad22fe6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Add Python 2 explicitly ([#1061](https://github.com/roots/trellis/pull/1061)) + ### 1.0.0: December 27th, 2018 * Hyper-V and SMB folder sync compatibility ([#1035](https://github.com/roots/trellis/pull/1035)) * Use Ruby script for ssh-config trigger ([#1053](https://github.com/roots/trellis/pull/1053)) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 9a6f6693c3..18dd294ade 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -26,6 +26,8 @@ _apt_packages_default: dbus: "{{ apt_package_state }}" git: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" + python2.7-minimal: "{{ apt_package_state }}" + unzip: "{{ apt_package_state }}" apt_packages_python: '2': From c5a4f7ec42672bf642596df70b970bb5257e8dda Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 8 Jan 2019 20:20:01 -0700 Subject: [PATCH 085/416] Use python package --- roles/common/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 18dd294ade..1dcdd38d15 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -26,7 +26,7 @@ _apt_packages_default: dbus: "{{ apt_package_state }}" git: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" - python2.7-minimal: "{{ apt_package_state }}" + python: "{{ apt_package_state }}" unzip: "{{ apt_package_state }}" apt_packages_python: From ad6cb1511ef504a76030e0773a6de15ecacfd1b1 Mon Sep 17 00:00:00 2001 From: Mockey Date: Sun, 13 Jan 2019 22:03:37 +0100 Subject: [PATCH 086/416] Don't add hsts header for self-signed --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index d731acad03..93e55511ee 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -78,7 +78,9 @@ server { ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_buffer_size 1400; # 1400 bytes to fit in one MTU + {% if item.value.ssl.provider | default('manual') != 'self-signed' -%} add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}"; + {% endif -%} {% if item.value.ssl.client_cert_url is defined -%} ssl_verify_client on; From bd05a61d4c00e99db9332b431ead1cec248a7889 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 16 Jan 2019 17:24:27 -0700 Subject: [PATCH 087/416] 1.0.1 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 89dad22fe6..d02af4cb87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -### HEAD +### 1.0.1: January 16th, 2019 * Add Python 2 explicitly ([#1061](https://github.com/roots/trellis/pull/1061)) ### 1.0.0: December 27th, 2018 From 4ee90a1aebd96e0697c6fe86f100a49b37e9e8d6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 21 Jan 2019 21:47:44 -0500 Subject: [PATCH 088/416] Revert "Don't force install Ansible Galaxy in dev" --- Vagrantfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 7302b3b126..307c0b7f56 100644 --- a/Vagrantfile +++ b/Vagrantfile 
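Review bot: The new `{% if %}` around the `Strict-Transport-Security` header in `wordpress-site.conf.j2` carries no explanation of why self-signed sites are excluded. A template comment such as `{# Skip HSTS for self-signed certs: once a browser has accepted the certificate and stored the policy, certificate warnings for that host can no longer be bypassed #}` would record the reason. `default('manual')` also means a site with no `ssl.provider` set still gets the header, which looks intended but should be stated. The `server` block continues outside the hunk.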
@@ -128,7 +128,6 @@ Vagrant.configure('2') do |config| ansible.playbook = File.join(provisioning_path, 'dev.yml') ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') - ansible.galaxy_command = 'ansible-galaxy install --role-file=%{role_file} --roles-path=%{roles_path}' ansible.groups = { 'web' => ['default'], From c3bb86a0df3ea0c5915542374d5edf09d579705d Mon Sep 17 00:00:00 2001 From: Patrick Artounian Date: Sun, 3 Feb 2019 14:52:30 -0800 Subject: [PATCH 089/416] Update Nginx Mainline ppa --- roles/nginx/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index ed07b1c505..c82941bcc7 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,5 +1,5 @@ --- -nginx_ppa: "ppa:nginx/development" +nginx_ppa: "ppa:nginx/mainline" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx From 005577460c9229329ad67157db32c1d35bb6a0eb Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 21 Feb 2019 16:42:46 -0700 Subject: [PATCH 090/416] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a55700a457..2bb3fea9c0 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,8 @@ Make sure all dependencies have been installed before moving on: * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 +**Windows user?** [Read the Windows getting started docs](https://roots.io/getting-started/docs/windows-development-environment-trellis/) for slightly different installation instructions. + ## Installation The recommended directory structure for a Trellis project looks like: 
@@ -66,8 +68,6 @@ $ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git $ composer create-project roots/bedrock site ``` -Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) for slightly different installation instructions. VirtualBox is known to have poor performance in Windows — use VMware or [see some possible solutions](https://discourse.roots.io/t/virtualbox-performance-in-windows/3932). - ## Local development setup 1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` From e6b29b7a926a8953513670adc0e4de70c012fb01 Mon Sep 17 00:00:00 2001 From: Louis-Michel Couture Date: Wed, 27 Feb 2019 20:47:51 -0500 Subject: [PATCH 091/416] Mark vars that shouldn't be templated with AnsibleUnsafe instead of raw --- lib/trellis/plugins/callback/vars.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index b4e079983a..a93a9ae79b 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -12,6 +12,7 @@ from ansible.playbook.task import Task from ansible.plugins.callback import CallbackBase from ansible.template import Templar +from ansible.utils.unsafe_proxy import wrap_var class CallbackModule(CallbackBase): @@ -35,7 +36,7 @@ def raw_triage(self, key_string, item, patterns): # wrap values if they match raw_vars pattern elif isinstance(item, AnsibleUnicode): match = next((pattern for pattern in patterns if re.match(pattern, key_string)), None) - return AnsibleUnicode(''.join(['{% raw %}', item, '{% endraw %}'])) if not item.startswith(('{% raw', '{%raw')) and match else item + return wrap_var(item) if match else item else: return item From 19b0ce6da683d7038484e55b6a312776057a04a6 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Sun, 10 Mar 2019 22:36:42 -0400 Subject: [PATCH 092/416] Update CHANGELOG --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d02af4cb87..bea8c90b7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +### HEAD +* Improve handling of vars with `AnsibleUnsafe` ([#1071](https://github.com/roots/trellis/pull/1071)) +* Update name of Nginx PPA (`development` to `mainline`) ([#1068](https://github.com/roots/trellis/pull/1068)) +* [REVERT] Don't force install Ansible Galaxy in dev ([#1064](https://github.com/roots/trellis/pull/1064)) + ### 1.0.1: January 16th, 2019 * Add Python 2 explicitly ([#1061](https://github.com/roots/trellis/pull/1061)) From 7493db663afde2ab88d694af428dd1bdafd3ba18 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 12 Mar 2019 16:36:23 -0600 Subject: [PATCH 093/416] Remove community health files so that defaults from roots/.github are used --- .github/CONTRIBUTING.md | 1 - .github/ISSUE_TEMPLATE.md | 65 ---------------------------------- CODE_OF_CONDUCT.md | 74 --------------------------------------- 3 files changed, 140 deletions(-) delete mode 100644 .github/CONTRIBUTING.md delete mode 100644 .github/ISSUE_TEMPLATE.md delete mode 100644 CODE_OF_CONDUCT.md diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md deleted file mode 100644 index 5867feed23..0000000000 --- a/.github/CONTRIBUTING.md +++ /dev/null @@ -1 +0,0 @@ -Please read [Contributing to Roots Projects](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md deleted file mode 100644 index 425c793cf0..0000000000 --- a/.github/ISSUE_TEMPLATE.md +++ /dev/null 
@@ -1,65 +0,0 @@ -## Submit a feature request or bug report - -- [ ] I've read the [guidelines for Contributing to Roots Projects](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) -- [ ] This is a feature request -- [ ] This is a bug report -- [ ] This request isn't a duplicate of an [existing issue](https://github.com/roots/trellis/issues) -- [ ] I've read the [docs](https://roots.io/trellis/docs) and followed them (if applicable) -- [ ] This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/c/trellis) forums - -Replace any `X` with your information. - ---- - -**What is the current behavior?** - -X - - -**What is the expected or desired behavior?** - -X - ---- - -## Bug report - -(delete this section if not applicable) - -**Please provide steps to reproduce, including full log output:** - -X - -**Please describe your local environment:** - -Ansible version: X - -OS: X - -Vagrant version: X - -**Where did the bug happen? Development or remote servers?** - -X - -**Please provide a repository or your `wordpress_sites` config (if possible):** - -X - -**Is there a related [Discourse](https://discourse.roots.io/) thread or were any utilized (please link them)?** - -X - ---- - -## Feature Request - -(delete this section if not applicable) - -**Please provide use cases for changing the current behavior:** - -X - -**Other relevant information:** - -X diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md deleted file mode 100644 index f663c4792c..0000000000 --- a/CODE_OF_CONDUCT.md +++ /dev/null 
@@ -1,74 +0,0 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -In the interest of fostering an open and welcoming environment, we as -contributors and maintainers pledge to making participation in our project and -our community a harassment-free experience for everyone, regardless of age, body -size, disability, ethnicity, gender identity and expression, level of experience, -nationality, personal appearance, race, religion, or sexual identity and -orientation. - -## Our Standards - -Examples of behavior that contributes to creating a positive environment -include: - -* Using welcoming and inclusive language -* Being respectful of differing viewpoints and experiences -* Gracefully accepting constructive criticism -* Focusing on what is best for the community -* Showing empathy towards other community members - -Examples of unacceptable behavior by participants include: - -* The use of sexualized language or imagery and unwelcome sexual attention or - advances -* Trolling, insulting/derogatory comments, and personal or political attacks -* Public or private harassment -* Publishing others' private information, such as a physical or electronic - address, without explicit permission -* Other conduct which could reasonably be considered inappropriate in a - professional setting - -## Our Responsibilities - -Project maintainers are responsible for clarifying the standards of acceptable -behavior and are expected to take appropriate and fair corrective action in -response to any instances of unacceptable behavior. - -Project maintainers have the right and responsibility to remove, edit, or -reject comments, commits, code, wiki edits, issues, and other contributions -that are not aligned to this Code of Conduct, or to ban temporarily or -permanently any contributor for other behaviors that they deem inappropriate, -threatening, offensive, or harmful. 
- -## Scope - -This Code of Conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. Examples of -representing a project or community include using an official project e-mail -address, posting via an official social media account, or acting as an appointed -representative at an online or offline event. Representation of a project may be -further defined and clarified by project maintainers. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at team@roots.io. All -complaints will be reviewed and investigated and will result in a response that -is deemed necessary and appropriate to the circumstances. The project team is -obligated to maintain confidentiality with regard to the reporter of an incident. -Further details of specific enforcement policies may be posted separately. - -Project maintainers who do not follow or enforce the Code of Conduct in good -faith may face temporary or permanent repercussions as determined by other -members of the project's leadership. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, -available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html - -[homepage]: https://www.contributor-covenant.org - From 2e5bc068b3607cf3dc95f5b1f075ee6201d2a990 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 13 Mar 2019 10:16:27 -0600 Subject: [PATCH 094/416] Update CHANGELOG [ci skip] --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bea8c90b7c..c8eb748e1c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,4 @@ -### HEAD +### 1.0.2: March 13th, 2019 * Improve handling of vars with `AnsibleUnsafe` ([#1071](https://github.com/roots/trellis/pull/1071)) * Update name of Nginx PPA (`development` to `mainline`) ([#1068](https://github.com/roots/trellis/pull/1068)) * [REVERT] Don't force install Ansible Galaxy in dev ([#1064](https://github.com/roots/trellis/pull/1064)) From 06618ae5b068783ce21f57f240f4f7e7feebb5a9 Mon Sep 17 00:00:00 2001 From: Brandon Date: Wed, 13 Mar 2019 22:11:23 -0500 Subject: [PATCH 095/416] Prevent direct access for .blade.php files --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 93e55511ee..2067ee1701 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -121,6 +121,13 @@ server { deny all; } {% endblock %} + + {% block blade_php -%} + # Prevent .blade.php files from being accessed directly. + location ~* \.(blade.php)$ { + deny all; + } + {% endblock %} {% block location_primary -%} location / { From b93146aefe01336c7e87506223970d8706b14f4f Mon Sep 17 00:00:00 2001 From: Brandon Date: Thu, 14 Mar 2019 00:18:51 -0500 Subject: [PATCH 096/416] Prevent Twig files --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 2067ee1701..8767ee9e57 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
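Review bot: The new `location ~* \.(blade.php)$` block in `wordpress-site.conf.j2` only protects templates if nginx reaches it before the PHP handler, because regex locations are tried in file order and the first match wins. The `\.php$` location is not visible in this hunk, so the ordering should be confirmed and stated in the comment above the block. The `.` before `php` is also unescaped and matches any character; `location ~* \.(blade\.php)$ {` is the literal form. The `server` block continues outside the hunk.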
@@ -122,9 +122,9 @@ server { } {% endblock %} - {% block blade_php -%} - # Prevent .blade.php files from being accessed directly. - location ~* \.(blade.php)$ { + {% block blade_twig_php -%} + # Prevent Blade and Twig files from being accessed directly. + location ~* \.(blade.php|twig)$ { deny all; } {% endblock %} From b6e4f1bd35fd6de8631a8db4cfe637da05fe4ba3 Mon Sep 17 00:00:00 2001 From: Brandon Date: Thu, 14 Mar 2019 00:21:12 -0500 Subject: [PATCH 097/416] Minor wording change --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 8767ee9e57..28d16562ae 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -122,8 +122,8 @@ server { } {% endblock %} - {% block blade_twig_php -%} - # Prevent Blade and Twig files from being accessed directly. + {% block blade_twig_templates -%} + # Prevent Blade and Twig templates from being accessed directly. location ~* \.(blade.php|twig)$ { deny all; } From b428092dec172fd2181be3876b66099e9afc08b6 Mon Sep 17 00:00:00 2001 From: Brandon Date: Thu, 14 Mar 2019 00:50:38 -0500 Subject: [PATCH 098/416] Escape period --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 28d16562ae..b9fd7205ca 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -124,7 +124,7 @@ server { {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. - location ~* \.(blade.php|twig)$ { + location ~* \.(blade\.php|twig)$ { deny all; } {% endblock %} 
From c877b575c01757c005e10458b848984ae2e581e9 Mon Sep 17 00:00:00 2001 From: Brandon Date: Tue, 26 Mar 2019 00:37:06 -0500 Subject: [PATCH 099/416] Handle traversed requested paths Return a 401 in all cases to prevent snooping --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index b9fd7205ca..6d7b49dc2f 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -124,8 +124,8 @@ server { {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. - location ~* \.(blade\.php|twig)$ { - deny all; + location ~* \.(blade\.php)(/.*)?$ { + return 401; } {% endblock %} From f41e400648f97eedc4ff59c806955d51b27c1026 Mon Sep 17 00:00:00 2001 From: Brandon Date: Tue, 26 Mar 2019 00:37:47 -0500 Subject: [PATCH 100/416] Re-add Twig support --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 6d7b49dc2f..0579f91dfd 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -124,7 +124,7 @@ server { {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. - location ~* \.(blade\.php)(/.*)?$ { + location ~* \.(blade\.php|twig)(/.*)?$ { return 401; } {% endblock %} From 978d46f4584029bdf2577760167ed27adb48a269 Mon Sep 17 00:00:00 2001 From: Brandon Date: Fri, 29 Mar 2019 03:14:18 -0500 Subject: [PATCH 101/416] Revert to original regex Revert to a 403 (`deny all`) --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 0579f91dfd..b9fd7205ca 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -124,8 +124,8 @@ server { {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. - location ~* \.(blade\.php|twig)(/.*)?$ { - return 401; + location ~* \.(blade\.php|twig)$ { + deny all; } {% endblock %} From 0517fd70a4e9ce3995b95ebc8467047338a9a5b8 Mon Sep 17 00:00:00 2001 From: Igor Buyanov Date: Thu, 11 Apr 2019 11:22:20 +0300 Subject: [PATCH 102/416] Show custom error message if external IP resolution fails --- roles/common/tasks/main.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index f4535561de..514767e8f0 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -144,8 +144,12 @@ when: env == 'development' - name: Retrieve SSH client IP - ipify_facts: - delegate_to: localhost - become: no - when: env != 'development' and ssh_client_ip_lookup | default(true) - tags: [fail2ban, ferm] + block: + - ipify_facts: + delegate_to: localhost + become: no + when: env != 'development' and ssh_client_ip_lookup | default(true) + tags: [fail2ban, ferm] + rescue: + - fail: + msg: "External IP resolution failed. Check that your DNS servers are working. Try to disable DNSCrypt if you are using it." From 512d8f93607593a6c56227db3e71893efbf32c2c Mon Sep 17 00:00:00 2001 
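Review bot: Reverting the `blade_twig_templates` location to `\.(blade\.php|twig)$` means a request that carries a trailing path segment after the file name (for example `/views/index.blade.php/x`) no longer matches this block. Whether such a request is then served by the PHP location depends on that location's pattern and on any `fastcgi_split_path_info` setting, neither of which is visible in this hunk. If the PHP handler accepts path info, keeping the suffix with the 403, as in `location ~* \.(blade\.php|twig)(/.*)?$ {` followed by `deny all;`, would cover both forms without returning the 401 that the earlier commit introduced.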
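Review bot: The `rescue` added to the `Retrieve SSH client IP` block in roles/common/tasks/main.yml replaces every failure of `ipify_facts` with a fixed DNS/DNSCrypt message, so a timeout, proxy or TLS error is reported as a DNS problem. Including the underlying error keeps the hint and shows the real cause, e.g. `msg: "External IP resolution failed: {{ ansible_failed_result.msg | default('unknown error') }}. Check that your DNS servers are working."`. The `tags: [fail2ban, ferm]` line appears to sit on the inner task only; indentation is lost on this page, so verify that the `fail` under `rescue` still runs when the play is limited to those tags.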
From: Nathan Knowler Date: Fri, 12 Apr 2019 11:03:48 -0600 Subject: [PATCH 103/416] Use all canonical site hosts for Landrush TLD (#1077) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Use all canonical site hosts for Landrush TLD This is useful if you want to use WordPress’ multisite domain mapping locally and if you’ve specified canonical hosts which are not sub-domains of the main canonical host. * Filter subdomains for Landrush TLD resolver This filters out subdomains of the main hostname for the Landrush TLD(s). This way it only adds necessary resolvers. For example, of the following: - `example.test` (main hostname) - `subdomain.example.test` - `client.test` We tell Landrush (dnsmaq) to only create: - `/etc/resolver/example.test` - `/etc/resolver/client.test` Because `example.test` handles `subdomain.example.test`. --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 307c0b7f56..698415ba9b 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -58,7 +58,7 @@ Vagrant.configure('2') do |config| config.hostmanager.aliases = hostnames + redirects elsif Vagrant.has_plugin?('landrush') && trellis_config.multisite_subdomains? config.landrush.enabled = true - config.landrush.tld = config.vm.hostname + config.landrush.tld = trellis_config.site_hosts_canonical.reject { |host| host.end_with?(".#{main_hostname}") } hostnames.each { |host| config.landrush.host host, vconfig.fetch('vagrant_ip') } else fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager\n\nOr install landrush for multisite subdomains:\nvagrant plugin install landrush" From f293d7aed7389805ddfe8e69346df5e9d2894de4 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 30 Apr 2019 14:08:54 -0600 Subject: [PATCH 104/416] Update CHANGELOG [ci skip] --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index c8eb748e1c..dbc7c82cac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,8 @@ +### 1.0.3: April 30th, 2019 +* Prevent direct access for `.blade.php` files ([#1075](https://github.com/roots/trellis/pull/1075)) +* Show custom error message if external IP resolution fails ([#1078](https://github.com/roots/trellis/pull/1078)) +* Use all canonical site hosts for Landrush TLD ([#1077](https://github.com/roots/trellis/pull/1077)) + ### 1.0.2: March 13th, 2019 * Improve handling of vars with `AnsibleUnsafe` ([#1071](https://github.com/roots/trellis/pull/1071)) * Update name of Nginx PPA (`development` to `mainline`) ([#1068](https://github.com/roots/trellis/pull/1068)) From 2eba500eefea91c5b87a8a7b6d625bc5276cca0d Mon Sep 17 00:00:00 2001 From: Alyson Melo Date: Thu, 13 Jun 2019 09:11:35 -0600 Subject: [PATCH 105/416] Update apt packages before checking essentials This step will prevent errors such as: No package matching 'build-essential' is available --- roles/common/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 514767e8f0..aeff82462d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -110,6 +110,10 @@ when: openssh_6_8_plus and validate_ssh | default(true) tags: [sshd] +- name: Update apt packages + apt: + update_cache: yes + - name: Checking essentials apt: name: "{{ item.key }}" From 3121d4c02a4e53f5596874ab1873292f5214267a Mon Sep 17 00:00:00 2001 From: Richard Smolenski Date: Tue, 18 Jun 2019 17:50:45 -0700 Subject: [PATCH 106/416] Fixed Vagrant VMware provider display name --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 698415ba9b..2343d732ef 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -168,7 +168,7 @@ Vagrant.configure('2') do |config| # VMware Workstation/Fusion settings %w(vmware_fusion vmware_workstation).each do |provider| config.vm.provider provider do |vmw, _override| - vmw.name = config.vm.hostname + vmw.vmx['displayName'] = config.vm.hostname vmw.vmx['numvcpus'] = vconfig.fetch('vagrant_cpus') vmw.vmx['memsize'] = vconfig.fetch('vagrant_memory') end From 5c995c6fcb2b59dcc62244e5d8968b736b09fbf2 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 13 Jul 2019 11:21:44 -0600 Subject: [PATCH 107/416] Update README [ci skip] --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2bb3fea9c0..25cc040669 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Trellis [![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) [![Build Status](https://img.shields.io/travis/roots/trellis.svg?style=flat-square)](https://travis-ci.org/roots/trellis) +[![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square)](https://twitter.com/rootswp) Ansible playbooks for setting up a LEMP stack for WordPress. From e489fe793062d012569e7879541809fd2b220f7b Mon Sep 17 00:00:00 2001 From: QWp6t Date: Mon, 15 Jul 2019 09:28:44 -0700 Subject: [PATCH 108/416] chore(readme): Use brand color for Twitter follow badge [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 25cc040669..8bc578df13 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # Trellis [![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) [![Build Status](https://img.shields.io/travis/roots/trellis.svg?style=flat-square)](https://travis-ci.org/roots/trellis) -[![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square)](https://twitter.com/rootswp) +[![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square&color=1da1f2)](https://twitter.com/rootswp) Ansible playbooks for setting up a LEMP stack for WordPress. From a4828e559e7d60deb13916bb8b6c9b3c83e9cd2c Mon Sep 17 00:00:00 2001 From: Brandon Date: Sun, 21 Jul 2019 16:44:18 -0500 Subject: [PATCH 109/416] Move to CircleCI (#1092) --- .circleci/config.yml | 100 +++++++++++++++++++++++++++++++++++++++++++ .gitattributes | 2 + .travis.yml | 13 ------ 3 files changed, 102 insertions(+), 13 deletions(-) create mode 100644 .circleci/config.yml create mode 100644 .gitattributes delete mode 100644 .travis.yml diff --git a/.circleci/config.yml b/.circleci/config.yml new file mode 100644 index 0000000000..92bb47d633 --- /dev/null +++ b/.circleci/config.yml 
@@ -0,0 +1,100 @@ +version: 2.1 + +orbs: + trellis: + executors: + python-2: + docker: + - image: 'circleci/python:2-stretch' + python-3: + docker: + - image: 'circleci/python:3-stretch' + + jobs: + syntax-check: + parameters: + ansible-version: + type: string + python-version: + type: enum + enum: ['3', '2'] + executor: python-<< parameters.python-version >> + steps: + - run: python --version + - checkout + - restore_cache: + keys: + - ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "requirements.yml" }} + - run: + name: Install Python dependencies in a venv + command: | + virtualenv venv + . venv/bin/activate + pip install ansible<< parameters.ansible-version >> + ansible --version + - run: + name: Install Galaxy roles + command: | + . venv/bin/activate + ansible-galaxy install -r requirements.yml + - save_cache: + key: ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "requirements.yml" }} + paths: + - venv + - vendor + - run: + name: Check Playbook syntax + command: | + . 
venv/bin/activate + ansible-playbook --syntax-check -e env=development deploy.yml + ansible-playbook --syntax-check -e env=development dev.yml + ansible-playbook --syntax-check -e env=development server.yml + +workflows: + syntax-check: + jobs: + - trellis/syntax-check: + name: syntax-check-python-3-ansible-latest + python-version: '3' + ansible-version: '' + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.8 + python-version: '3' + ansible-version: ~=2.8.0 + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.7 + python-version: '3' + ansible-version: ~=2.7.0 + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.6 + python-version: '3' + ansible-version: ~=2.6.0 + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.5 + python-version: '3' + ansible-version: ~=2.5.0 + + - trellis/syntax-check: + name: syntax-check-python-2-ansible-latest + python-version: '2' + ansible-version: '' + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.8 + python-version: '2' + ansible-version: ~=2.8.0 + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.7 + python-version: '2' + ansible-version: ~=2.7.0 + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.6 + python-version: '2' + ansible-version: ~=2.6.0 + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.5 + python-version: '2' + ansible-version: ~=2.5.0 + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.4 + python-version: '2' + ansible-version: ~=2.4.0 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000..41c1519e9f --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +/.circleci export-ignore +/.gitattributes export-ignore diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 59ec6f6dce..0000000000 --- a/.travis.yml +++ /dev/null 
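Review bot: In the `syntax-check` job of .circleci/config.yml the cache key for the `ansible-latest` jobs never changes, because `ansible-version` is the empty string there and the key otherwise depends only on the Python version and the `requirements.yml` checksum. Once a `venv` has been cached, `pip install ansible` finds Ansible already installed and leaves it alone, so those jobs keep testing whichever release was current when the cache was first saved. `pip install --upgrade ansible<< parameters.ansible-version >>` would make the "latest" jobs follow new releases while the `~=` jobs stay within their series. The executors also use the floating tags `circleci/python:2-stretch` and `circleci/python:3-stretch`; pinning the images by digest would make the build environment reproducible.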
@@ -1,13 +0,0 @@ -language: python -python: - - 2.7 - - 3.6 -sudo: false -cache: pip -install: - - pip install ansible -script: - - ansible-galaxy install --force -r requirements.yml -p vendor/roles - - ansible-playbook --syntax-check -e env=development deploy.yml - - ansible-playbook --syntax-check -e env=development dev.yml - - ansible-playbook --syntax-check -e env=development server.yml From e5ff8d907c44206b1124b79f6c85a35b289b7c98 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 22 Jun 2019 16:20:51 +0100 Subject: [PATCH 110/416] Deploy: Setup composer authentications --- roles/deploy/hooks/build-after.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 6c8c462984..ca0c45e82c 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -17,6 +17,14 @@ no_log: true when: project.packagist_token is defined +- name: Setup composer authentications + composer: + command: config + arguments: --auth http-basic.{{ item.hostname }} {{ item.username }} {{ item.password }} + working_dir: "{{ deploy_helper.new_release_path }}" + no_log: true + loop: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" + - name: Install Composer dependencies composer: no_scripts: yes From 2ae64fbb432d5d1026231cfc562f80fc25902174 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 22 Jun 2019 18:33:07 +0100 Subject: [PATCH 111/416] wordpress-install: Setup composer authentications --- .../tasks/composer-authentications.yml | 10 ++++++++++ roles/wordpress-install/tasks/main.yml | 8 ++++++++ 2 files changed, 18 insertions(+) create mode 100644 roles/wordpress-install/tasks/composer-authentications.yml diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml new file mode 100644 index 0000000000..d1b344f6f3 --- /dev/null 
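Review bot: The `Setup composer authentications` task added to roles/deploy/hooks/build-after.yml interpolates `item.username` and `item.password` into `arguments` unquoted, so a credential containing a space or quote character is split into extra arguments and the wrong value is stored. Passing each value through the `quote` filter avoids that: `arguments: --auth http-basic.{{ item.hostname }} {{ item.username | quote }} {{ item.password | quote }}`. `no_log: true` keeps the secret out of Ansible output, but the value is still on the composer process's command line while it runs, and `composer config --auth` without `--global` writes it to `auth.json` in `working_dir`, here the release directory, so check that this file is outside the web root and not world-readable. The same `arguments` line is added in roles/wordpress-install/tasks/composer-authentications.yml by the next commit in this series.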
+++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -0,0 +1,10 @@ +--- +- name: "Setup composer authentications - {{ site }}" + composer: + command: config + arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} + working_dir: "{{ working_dir }}" + no_log: true + loop: "{{ composer_authentications }}" + loop_control: + loop_var: composer_authentication diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 58b1f88f95..da13e0252c 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -34,6 +34,14 @@ when: item.value.packagist_token is defined with_dict: "{{ wordpress_sites }}" +- include_tasks: tasks/composer-authentications.yml + vars: + site: "{{ item.key }}" + working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" + composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" + no_log: true + with_dict: "{{ wordpress_sites }}" + - name: Install Dependencies with Composer composer: no_dev: no From c6228174a5f689df95bde698c4065d3ca6894a77 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 22 Jun 2019 18:37:27 +0100 Subject: [PATCH 112/416] Bump ansible `version_requirement` to `2.5.0.0` --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 81e0e28365..360017b1e8 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -14,7 +14,7 @@ from ansible.utils.display import Display display = Display() -version_requirement = '2.4.0.0' +version_requirement = '2.5.0.0' version_tested_max = '2.7.5' python3_required_version = '2.5.3' From 162595f870a5ad422cd4fe406fc0bfa6da262a2b Mon Sep 17 00:00:00 2001 
From: Tang Rufus Date: Sat, 22 Jun 2019 18:51:09 +0100 Subject: [PATCH 113/416] Update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dbc7c82cac..0fe094747a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### Head +* Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091)) + ### 1.0.3: April 30th, 2019 * Prevent direct access for `.blade.php` files ([#1075](https://github.com/roots/trellis/pull/1075)) * Show custom error message if external IP resolution fails ([#1078](https://github.com/roots/trellis/pull/1078)) From bfb1e11dbd03e9e49d86103549aa9f39d03bfe7d Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 21 Jul 2019 16:28:11 +0100 Subject: [PATCH 114/416] Remove `Setup packagist.com authentication` task See: https://github.com/roots/trellis/pull/1091#issuecomment-504694388 --- group_vars/all/helpers.yml | 6 ++++++ roles/deploy/hooks/build-after.yml | 18 ++++++++---------- .../tasks/composer-authentications.yml | 4 ++++ roles/wordpress-install/tasks/main.yml | 10 ---------- 4 files changed, 18 insertions(+), 20 deletions(-) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 11bb881d43..20a70ecf80 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -18,3 +18,9 @@ ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default( ssl_stapling_enabled: "{{ item.value.ssl is defined and item.value.ssl.stapling_enabled | default(true) }}" cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}" sites_use_ssl: "{{ wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count > 0 }}" + +# For backward compatibility, to be removed in Trellis v2. +site_packagist_org_authentications: + - { hostname: repo.packagist.com, username: token, password: "{{ vault_wordpress_sites[site].packagist_token | default('') }}" } +site_composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" +composer_authentications: "{{ site_packagist_org_authentications + site_composer_authentications }}" diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index ca0c45e82c..50546933ac 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml 
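Review bot: The `site_packagist_org_authentications` entry added to group_vars/all/helpers.yml reads the token from `vault_wordpress_sites[site].packagist_token`, whereas the tasks this commit removes read `project.packagist_token` and `item.value.packagist_token`. If those resolve to `wordpress_sites` rather than the vault (their definitions are outside this page), an existing token is no longer picked up; the empty default is then filtered out by the new `when` conditions, so the step is skipped silently and the failure only shows up later as a Composer authentication error. Either fall back to the old location or state the move in the comment, e.g. `# packagist_token is now read from vault_wordpress_sites[site] only.`. The variable is named `packagist_org` while the hostname it configures is `repo.packagist.com`.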
@@ -9,21 +9,19 @@ msg: "Unable to find a `composer.json` file in the root of '{{ deploy_helper.new_release_path }}'. Make sure your repo has a `composer.json` file in its root or edit `repo_subtree_path` for '{{ site }}' in `wordpress_sites.yml` so it points to the directory with a `composer.json` file." when: not composer_json.stat.exists -- name: Setup packagist.com authentication - composer: - command: config - arguments: --auth http-basic.repo.packagist.com token {{ project.packagist_token }} - working_dir: "{{ deploy_helper.new_release_path }}" - no_log: true - when: project.packagist_token is defined - - name: Setup composer authentications composer: command: config - arguments: --auth http-basic.{{ item.hostname }} {{ item.username }} {{ item.password }} + arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} working_dir: "{{ deploy_helper.new_release_path }}" no_log: true - loop: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" + when: + - composer_authentication.hostname is defined and composer_authentication.hostname != "" + - composer_authentication.username is defined and composer_authentication.username != "" + - composer_authentication.password is defined and composer_authentication.password != "" + loop: "{{ composer_authentications }}" + loop_control: + loop_var: composer_authentication - name: Install Composer dependencies composer: diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index d1b344f6f3..86a5d914c1 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml 
@@ -5,6 +5,10 @@ arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} working_dir: "{{ working_dir }}" no_log: true + when: + - composer_authentication.hostname is defined and composer_authentication.hostname != "" + - composer_authentication.username is defined and composer_authentication.username != "" + - composer_authentication.password is defined and composer_authentication.password != "" loop: "{{ composer_authentications }}" loop_control: loop_var: composer_authentication diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index da13e0252c..5b32fcbe33 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -25,20 +25,10 @@ become: no with_items: "{{ known_hosts | default([]) }}" -- name: Setup packagist.com authentication - composer: - command: config - arguments: --auth http-basic.repo.packagist.com token {{ item.value.packagist_token }} - working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - no_log: true - when: item.value.packagist_token is defined - with_dict: "{{ wordpress_sites }}" - - include_tasks: tasks/composer-authentications.yml vars: site: "{{ item.key }}" working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - composer_authentications: "{{ vault_wordpress_sites[site].composer_authentications | default([]) }}" no_log: true with_dict: "{{ wordpress_sites }}" From 05ed27bb4049c7fe7549f69092e03054b9f38f3b Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 22 Jul 2019 13:13:45 +0100 Subject: [PATCH 115/416] CircleCI: Remove ansible 2.4 from the test matrix --- .circleci/config.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 92bb47d633..fb4e7afafd 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -94,7 +94,3 @@ workflows: name: syntax-check-python-2-ansible-2.5 python-version: '2' ansible-version: ~=2.5.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.4 - python-version: '2' - ansible-version: ~=2.4.0 From 4ceb95ba2e2254bf2156802239d7934d5b1095ab Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Wed, 24 Jul 2019 12:24:07 +0100 Subject: [PATCH 116/416] Setup composer authentications: Add label --- roles/deploy/hooks/build-after.yml | 1 + roles/wordpress-install/tasks/composer-authentications.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 50546933ac..6626ab24f5 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -22,6 +22,7 @@ loop: "{{ composer_authentications }}" loop_control: loop_var: composer_authentication + label: "{{ composer_authentication.hostname }}" - name: Install Composer dependencies composer: diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 86a5d914c1..10dd26efb8 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -12,3 +12,4 @@ loop: "{{ composer_authentications }}" loop_control: loop_var: composer_authentication + label: "{{ composer_authentication.hostname }}" From 9c5ac561a8df49bfa3c5294dea543687f74ed18a Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Wed, 24 Jul 2019 12:26:26 +0100 Subject: [PATCH 117/416] Setup composer authentications: Set `changed_when` to `false` --- roles/deploy/hooks/build-after.yml | 1 + roles/wordpress-install/tasks/composer-authentications.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 6626ab24f5..c637d12882 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml 
@@ -15,6 +15,7 @@ arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} working_dir: "{{ deploy_helper.new_release_path }}" no_log: true + changed_when: false when: - composer_authentication.hostname is defined and composer_authentication.hostname != "" - composer_authentication.username is defined and composer_authentication.username != "" diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 10dd26efb8..9d0a8368d3 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -5,6 +5,7 @@ arguments: --auth http-basic.{{ composer_authentication.hostname }} {{ composer_authentication.username }} {{ composer_authentication.password }} working_dir: "{{ working_dir }}" no_log: true + changed_when: false when: - composer_authentication.hostname is defined and composer_authentication.hostname != "" - composer_authentication.username is defined and composer_authentication.username != "" From faaf213ae2186c6ccf55159becd8910e20c82bf1 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 24 Jul 2019 08:44:27 -0400 Subject: [PATCH 118/416] Update CHANGELOG for #1086 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fe094747a..1e46c793a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### Head +* Update apt packages before checking essentials task ([#1086](https://github.com/roots/trellis/pull/1086)) * Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091)) ### 1.0.3: April 30th, 2019 From 7971ad8b76b61724d1a24f81cdeda2b10d8488a3 Mon Sep 17 00:00:00 2001 
From: Ben Word Date: Wed, 31 Jul 2019 20:00:13 -0600 Subject: [PATCH 119/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8bc578df13..ce5e901a91 100644 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Harness Software KM Digital itineris Hébergement Web Québec +Kinsta KM Digital Hébergement Web Québec ## Community From 207c5f461a4981ac1f351839091fa9c1594929d0 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 1 Aug 2019 10:12:02 -0600 Subject: [PATCH 120/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ce5e901a91..ccfdc9c748 100644 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Hébergement Web Québec +Kinsta KM Digital ## Community From e86edb8f9ee2bd4a4c4572c4d4b9c644fd0e65c9 Mon Sep 17 00:00:00 2001 From: Brandon Date: Sat, 3 Aug 2019 08:23:24 -0500 Subject: [PATCH 121/416] Change build badge to CircleCI [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ccfdc9c748..b0463db682 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Trellis [![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) -[![Build Status](https://img.shields.io/travis/roots/trellis.svg?style=flat-square)](https://travis-ci.org/roots/trellis) +[![Build Status](https://img.shields.io/circleci/build/gh/roots/trellis?style=flat-square)](https://circleci.com/gh/roots/trellis) [![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square&color=1da1f2)](https://twitter.com/rootswp) Ansible playbooks for setting up a LEMP stack for WordPress. From 4d135203f6d485a098214f783e39b5490685d92b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 21 Jun 2019 13:09:42 -0400 Subject: [PATCH 122/416] Ensure ssh config dir exists before writing file This assumed `~/.ssh/` would exist and just the file didn't. Now it will create the directory as well if it doesn't exist. --- lib/trellis/vagrant.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index be53f5790c..fa60ad0112 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -102,6 +102,7 @@ def update_ssh_config(main_hostname) File.write(config_file, content) else + FileUtils.mkdir_p(File.dirname(config_file), mode: 0700) File.write(config_file, vagrant_ssh_config) end end From d0c7ece9fc1e53465d23abb508cd33b064d9dc01 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 10 Aug 2019 17:31:06 -0400 Subject: [PATCH 123/416] Add .trellis dir This will be used for trellis-cli integration --- .gitignore | 1 + .trellis/.gitkeep | 0 2 files changed, 1 insertion(+) create mode 100644 .trellis/.gitkeep diff --git a/.gitignore b/.gitignore index 5168a936a0..d0fc5f0aa7 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ vagrant.local.yml vendor/roles *.py[co] *.retry +.trellis/virtualenv diff --git a/.trellis/.gitkeep b/.trellis/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 
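Review bot: In lib/trellis/vagrant.rb the new `FileUtils.mkdir_p(..., mode: 0700)` gives a freshly created directory a restrictive mode, but the following `File.write(config_file, vagrant_ssh_config)` still creates the file with whatever the process umask allows. If this is the user's `~/.ssh/config`, as the commit message suggests, a umask of 002 leaves it group-writable, and OpenSSH refuses a config file that group or others can write. `File.write(config_file, vagrant_ssh_config, perm: 0600)` sets the mode explicitly. The `mode:` argument is applied only when the directory is created, so an existing directory keeps its permissions. `update_ssh_config` begins outside the hunk, so whether `fileutils` is already required cannot be seen from here.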
From 846041dac3c400041e8492d4fffea85dde3b53a3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 10 Aug 2019 17:33:01 -0400 Subject: [PATCH 124/416] Rename requirements.yml to galaxy.yml --- .circleci/config.yml | 6 +++--- Vagrantfile | 2 +- requirements.yml => galaxy.yml | 0 3 files changed, 4 insertions(+), 4 deletions(-) rename requirements.yml => galaxy.yml (100%) diff --git a/.circleci/config.yml b/.circleci/config.yml index fb4e7afafd..78cb92c462 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -24,7 +24,7 @@ orbs: - checkout - restore_cache: keys: - - ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "requirements.yml" }} + - ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "galaxy.yml" }} - run: name: Install Python dependencies in a venv command: | @@ -36,9 +36,9 @@ orbs: name: Install Galaxy roles command: | . venv/bin/activate - ansible-galaxy install -r requirements.yml + ansible-galaxy install -r galaxy.yml - save_cache: - key: ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "requirements.yml" }} + key: ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "galaxy.yml" }} paths: - venv - vendor diff --git a/Vagrantfile b/Vagrantfile index 2343d732ef..33e41fdfd3 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -126,7 +126,7 @@ Vagrant.configure('2') do |config| ansible.compatibility_mode = '2.0' ansible.playbook = File.join(provisioning_path, 'dev.yml') - ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] + ansible.galaxy_role_file = File.join(provisioning_path, 'galaxy.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') ansible.groups = { 
diff --git a/requirements.yml b/galaxy.yml similarity index 100% rename from requirements.yml rename to galaxy.yml From 634f4aa2136ad3db218889402e603bd8243c0622 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 10 Aug 2019 17:41:21 -0400 Subject: [PATCH 125/416] Add pip requirements.txt --- requirements.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 requirements.txt diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000000..76b46f967b --- /dev/null +++ b/requirements.txt @@ -0,0 +1,2 @@ +ansible>=2.5.0.0,<=2.7.5 +passlib From 9c6878c4222ac595b096e97b54e82887632615cc Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 1 Sep 2019 11:42:11 -0400 Subject: [PATCH 126/416] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e46c793a3..adfdd8bf49 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### Head +* Add pip `requirements.txt` and rename `requirements.yml` to `galaxy.yml` ([#1100](https://github.com/roots/trellis/pull/1100)) * Update apt packages before checking essentials task ([#1086](https://github.com/roots/trellis/pull/1086)) * Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091)) From 6e384cbca417e8bd7beb4435fe2ef5f513c41a84 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 1 Sep 2019 11:47:40 -0400 Subject: [PATCH 127/416] Bump swapfile role to v2.0.22 Fixes #1098 --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index c8d23a67ca..1674a7c9e7 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -12,7 +12,7 @@ - name: swapfile src: oefenweb.swapfile - version: v2.0.6 + version: v2.0.22 - name: mailhog src: geerlingguy.mailhog From 37608dc822664e040c8cf4c5b7cb36e60945d4f9 Mon Sep 17 00:00:00 2001 
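Review bot: In the new requirements.txt, `passlib` carries no version bound and `ansible` is given as a range, so two installs from this file can resolve to different code and a newly published release is picked up without review. An upper bound on `passlib` in this file, plus a generated lock file with exact `==` pins for CI and the virtualenv, would make installs reproducible. With exact pins, pip's `--require-hashes` mode can additionally verify each downloaded archive.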
From: Scott Walkinshaw Date: Sun, 1 Sep 2019 23:46:20 -0400 Subject: [PATCH 128/416] Add issue closer action --- .github/workflows/issues.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/issues.yml diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml new file mode 100644 index 0000000000..f2b2474ec3 --- /dev/null +++ b/.github/workflows/issues.yml @@ -0,0 +1,14 @@ +name: Issue closer +on: [issues] +jobs: + autoclose: + runs-on: ubuntu-latest + steps: + - name: Autoclose issues that did not follow issue template + uses: roots/issue-closer@v1.1 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + issue-close-message: "Hi @${issue.user.login}, +It looks like the issue template is missing from this issue. Please take a look at the [Contribution Guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md), which will tell you **exactly** what your ticket has to contain in order to be processable. +Please **do not** use the issue tracker for personal support requests. Use [Roots Discourse](https://discourse.roots.io/) to ask the Roots community for help, or [hire someone from the community](https://discourse.roots.io/c/jobs)." + issue-pattern: ".*guidelines for Contributing.*" From e776cc0ad94cb0c4caf8550695fcb828cac1eb29 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 1 Sep 2019 23:52:59 -0400 Subject: [PATCH 129/416] 1.1.0 changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index adfdd8bf49..380db5525c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
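Review bot: `uses: roots/issue-closer@v1.1` references a tag, which the action's repository can move, while the step hands that code `secrets.GITHUB_TOKEN`. Pinning to the full commit SHA behind the tag (`uses: roots/issue-closer@<commit-sha-of-v1.1>`) fixes what receives the token. `on: [issues]` also fires for every issue activity type, including edits, labels and closes, so the closer re-runs on issues that were already handled; limiting the trigger to `types: [opened]` matches the step's purpose. The job only needs to comment on and close issues, so a `permissions:` block granting `issues: write` and nothing else would narrow the token's scope.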
@@ -1,4 +1,5 @@ -### Head +### 1.1.0: September 1st, 2019 +* Update swapfile role to v2.0.22 ([#1101](https://github.com/roots/trellis/pull/1101)) * Add pip `requirements.txt` and rename `requirements.yml` to `galaxy.yml` ([#1100](https://github.com/roots/trellis/pull/1100)) * Update apt packages before checking essentials task ([#1086](https://github.com/roots/trellis/pull/1086)) * Setup composer HTTP basic authentication for multiple repositories ([#1091](https://github.com/roots/trellis/pull/1091)) From 66d1445b0d72ee81631c4d55b287b8da72e3747f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 2 Sep 2019 11:16:07 -0400 Subject: [PATCH 130/416] Bump ansible requirement to 2.7.12 --- lib/trellis/plugins/vars/version.py | 4 ++-- requirements.txt | 2 +- vagrant.default.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 360017b1e8..2eabc291f2 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -14,8 +14,8 @@ from ansible.utils.display import Display display = Display() -version_requirement = '2.5.0.0' -version_tested_max = '2.7.5' +version_requirement = '2.7.12' +version_tested_max = '2.7.13' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/requirements.txt b/requirements.txt index 76b46f967b..24d75f725e 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.5.0.0,<=2.7.5 +ansible>=2.7.12,<2.8 passlib diff --git a/vagrant.default.yml b/vagrant.default.yml index 03ff4689b6..64b48f7dfe 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-18.04' vagrant_box_version: '>= 201807.12.0' -vagrant_ansible_version: '2.7.5' +vagrant_ansible_version: '2.7.12' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' 
From 32a33749bc98c99a09b59ab0a13561a03a7b260e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 2 Sep 2019 13:21:15 -0400 Subject: [PATCH 131/416] Remove old versions on CI --- .circleci/config.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 78cb92c462..5ab3ba4cdf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -65,14 +65,6 @@ workflows: name: syntax-check-python-3-ansible-2.7 python-version: '3' ansible-version: ~=2.7.0 - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.6 - python-version: '3' - ansible-version: ~=2.6.0 - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.5 - python-version: '3' - ansible-version: ~=2.5.0 - trellis/syntax-check: name: syntax-check-python-2-ansible-latest @@ -86,11 +78,3 @@ workflows: name: syntax-check-python-2-ansible-2.7 python-version: '2' ansible-version: ~=2.7.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.6 - python-version: '2' - ansible-version: ~=2.6.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.5 - python-version: '2' - ansible-version: ~=2.5.0 From 143be087cf133c9f202b8c6f6de6dd1dd90bdbaf Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 3 Sep 2019 19:43:31 -0400 Subject: [PATCH 132/416] Fix issues with Vagrant ansible_local provisioner --- Vagrantfile | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Vagrantfile b/Vagrantfile index 33e41fdfd3..8e2e4ec215 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -117,9 +117,23 @@ Vagrant.configure('2') do |config| provisioner = local_provisioning? ? :ansible_local : :ansible provisioning_path = local_provisioning? ? ANSIBLE_PATH_ON_VM : ANSIBLE_PATH + # Fix for https://github.com/hashicorp/vagrant/issues/10914 + if local_provisioning? + config.vm.provision 'shell', inline: <<~SHELL + sudo apt-get update -y -qq && + sudo dpkg-reconfigure libc6 && + export DEBIAN_FRONTEND=noninteractive && + sudo -E apt-get -q --option \"Dpkg::Options::=--force-confold\" --assume-yes install libssl1.1 + SHELL + end + config.vm.provision provisioner do |ansible| if local_provisioning? ansible.install_mode = 'pip' + if Vagrant::VERSION >= '2.2.4' + # Fix for https://github.com/hashicorp/vagrant/issues/10950 + ansible.pip_install_cmd = 'curl https://bootstrap.pypa.io/get-pip.py | sudo python' + end ansible.provisioning_path = provisioning_path ansible.version = vconfig.fetch('vagrant_ansible_version') end From f825790e9e4c030b4e421709191c7b46198d0573 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 3 Sep 2019 19:55:22 -0400 Subject: [PATCH 133/416] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 380db5525c..a794203afd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +### HEAD +* Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104)) +* Bump ansible requirement to 2.7.12([#1102](https://github.com/roots/trellis/pull/1102)) + ### 1.1.0: September 1st, 2019 * Update swapfile role to v2.0.22 ([#1101](https://github.com/roots/trellis/pull/1101)) * Add pip `requirements.txt` and rename `requirements.yml` to `galaxy.yml` ([#1100](https://github.com/roots/trellis/pull/1100)) From cd4f9151194c705e9bd3e101ff17b2648733448e Mon Sep 17 00:00:00 2001 
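Review bot: `ansible.pip_install_cmd = 'curl https://bootstrap.pypa.io/get-pip.py | sudo python'` feeds an unpinned, unverified download straight into an interpreter running as root. Because curl is called without `-f`, an HTTP error page is handed to `python` as well. Fetching to a temporary file and running it only when the transfer succeeded, e.g. `f=$(mktemp) && curl -fsSL https://bootstrap.pypa.io/get-pip.py -o "$f" && sudo python "$f"`, makes a failed download stop the provisioner, and installing pip from the box's package manager would avoid the remote script altogether. The guard `Vagrant::VERSION >= '2.2.4'` compares strings, so a release such as 2.2.10 sorts below 2.2.4 and skips the workaround. `Gem::Version.new(Vagrant::VERSION) >= Gem::Version.new('2.2.4')` compares numerically, and the later hunk that raises the bound to '2.2.5' has the same issue.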
From: Scott Walkinshaw Date: Wed, 4 Sep 2019 19:49:45 -0400 Subject: [PATCH 134/416] Update galaxy packages --- galaxy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/galaxy.yml b/galaxy.yml index 1674a7c9e7..dbebc804ac 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,10 +1,10 @@ - name: composer src: geerlingguy.composer - version: 1.7.0 + version: 1.7.6 - name: ntp src: geerlingguy.ntp - version: 1.6.0 + version: 1.6.4 - name: logrotate src: nickhammond.logrotate @@ -16,4 +16,4 @@ - name: mailhog src: geerlingguy.mailhog - version: 2.1.3 + version: 2.1.4 From 967658cef61c044bbdd327b262834fd1d50e6e67 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 4 Sep 2019 19:53:26 -0400 Subject: [PATCH 135/416] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a794203afd..a95784b614 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump galaxy dependency versions ([#1105](https://github.com/roots/trellis/pull/1105)) * Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104)) * Bump ansible requirement to 2.7.12([#1102](https://github.com/roots/trellis/pull/1102)) From 129ad95aa9233d2d866631c828adeda8c9214500 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 2 Sep 2019 13:19:44 -0400 Subject: [PATCH 136/416] Update callback plugin CLI options changed a lot in 2.8. This updates our callback plugin to support both 2.7 and 2.8 by normalizing each case into a dict. Ref: https://github.com/ansible/ansible/pull/50069 --- lib/trellis/plugins/callback/vars.py | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index a93a9ae79b..338d8f9597 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py 
@@ -22,7 +22,14 @@ class CallbackModule(CallbackBase): CALLBACK_NAME = 'vars' def __init__(self): - self._options = cli.options if cli else None + super(CallbackModule, self).__init__() + + # handle Ansible 2.7 and 2.8 cases by normalizing each into a dict + try: + from ansible import context + self._options = context.CLIARGS + except ImportError: + self._options = vars(cli.options) if cli else {} def raw_triage(self, key_string, item, patterns): # process dict values @@ -70,13 +77,13 @@ def cli_options(self): } for option,value in iteritems(strings): - if getattr(self._options, value, False): - options.append("{0}='{1}'".format(option, str(getattr(self._options, value)))) + if self._options.get(value, False): + options.append("{0}='{1}'".format(option, str(self._options.get(value)))) - for inventory in getattr(self._options, 'inventory'): + for inventory in self._options.get('inventory'): options.append("--inventory='{}'".format(str(inventory))) - if getattr(self._options, 'ask_vault_pass', False): + if self._options.get('ask_vault_pass', False): options.append('--ask-vault-pass') return ' '.join(options) 
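Review bot: In `cli_options`, `for inventory in self._options.get('inventory'):` iterates the result of `.get()` directly, so a missing key raises `TypeError` on `None`. That can happen with the `{}` fallback the new `__init__` assigns when `cli` is not available, and `self._options.get('inventory') or []` avoids it. The option values are also wrapped as `'{1}'` without escaping, so a value that contains a single quote produces a string that no longer parses back into the same arguments. If `cli_options` is ever shown as a command to re-run or passed to a shell, which cannot be seen from this hunk, the values should be shell-quoted instead. `cli_options` begins outside the hunk.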
@@ -98,11 +105,10 @@ def v2_playbook_on_play_start(self, play): env_group.set_priority(20) for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): - # it should be ok to remove dummy Task() once minimum required Ansible >= 2.4.2 - hostvars = play.get_variable_manager().get_vars(play=play, host=host, task=Task()) + hostvars = play.get_variable_manager().get_vars(play=play, host=host) self.raw_vars(play, host, hostvars) - host.vars['ssh_args_default'] = PlayContext(play=play, options=self._options)._ssh_args.default + host.vars['ssh_args_default'] = PlayContext(play=play)._ssh_args.default host.vars['cli_options'] = self.cli_options() - host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) - host.vars['cli_ask_become_pass'] = getattr(self._options, 'become_ask_pass', False) + host.vars['cli_ask_pass'] = self._options.get('ask_pass', False) + host.vars['cli_ask_become_pass'] = self._options.get('become_ask_pass', False) host.vars['darwin_without_passlib'] = self.darwin_without_passlib() From a2fa7df5ef423805bc2235e1c6caa498dfc14bc5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 4 Sep 2019 20:42:27 -0400 Subject: [PATCH 137/416] Relaxy ansible version constraints --- lib/trellis/plugins/vars/version.py | 2 +- requirements.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 2eabc291f2..93c325ab34 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.7.12' -version_tested_max = '2.7.13' +version_tested_max = '2.8.4' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/requirements.txt b/requirements.txt index 24d75f725e..eb776ef0e2 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -1,2 +1,2 @@ -ansible>=2.7.12,<2.8 +ansible>=2.7.12,<2.9 passlib From d4922a31cef884f6f5eca23c94ae14fd99ae57ba Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 12 Sep 2019 22:29:01 -0400 Subject: [PATCH 138/416] CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a95784b614..8911db48bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Ansible 2.8.x support ([#1103](https://github.com/roots/trellis/pull/1103)) * Bump galaxy dependency versions ([#1105](https://github.com/roots/trellis/pull/1105)) * Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104)) * Bump ansible requirement to 2.7.12([#1102](https://github.com/roots/trellis/pull/1102)) From 96eac3b54c58d87cc5df51552d58d12752324d04 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 27 Sep 2019 13:06:21 +0100 Subject: [PATCH 139/416] Update WP CLI to v 2.3.0 --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 4ce281bd85..13fe52b49f 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.0.1 +wp_cli_version: 2.3.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From 757a4c5642b5d67b4343ba9149569d2abb1a0f78 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 30 Sep 2019 17:36:49 -0600 Subject: [PATCH 140/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b0463db682..874f792a8e 100644 --- a/README.md +++ b/README.md 
@@ -107,7 +107,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital +Kinsta KM Digital KM Digital ## Community From a36eb264024b6eb2e34b863509020dee9de64631 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 30 Sep 2019 19:13:42 -0600 Subject: [PATCH 141/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 874f792a8e..447222f7da 100644 --- a/README.md +++ b/README.md @@ -107,7 +107,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital KM Digital +Kinsta KM Digital Scale Dynamix ## Community From dda882ae6d0b5bbefe426e597e1f437e6ceb7485 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 5 Oct 2019 15:48:05 +0100 Subject: [PATCH 142/416] Ansible 2.8 support: Generate self-signed certificates --- .../tasks/self-signed-certificate.yml | 33 ++++++++++++------- .../templates/self-signed-openssl-config.j2 | 7 ++++ 2 files changed, 29 insertions(+), 11 deletions(-) create mode 100644 roles/wordpress-setup/templates/self-signed-openssl-config.j2 diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 9410380fef..64e355fce2 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml 
@@ -1,18 +1,24 @@ --- +- name: Ensure openssl configs directory are present + file: + path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/" + state: directory + mode: "0755" + +- name: Template openssl configs + template: + src: self-signed-openssl-config.j2 + dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" + with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" + when: + - sites_use_ssl + - ssl_enabled + - item.value.ssl.provider | default('manual') == 'self-signed' + - name: Generate self-signed certificates shell: "openssl req -new -newkey rsa:2048 \ -days 3650 -nodes -x509 -sha256 \ - -extensions req_ext -config <( \ -cat <<' EOF'\n -[req]\n -prompt = no\n -distinguished_name = req_dn\n -[req_dn]\n -commonName = {{ item.value.site_hosts[0].canonical }}\n -[req_ext]\n -subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }}\n -EOF\n - ) \ + -extensions req_ext -config {{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf \ -keyout {{ item.key | quote }}.key -out {{ item.key | quote }}.cert" args: executable: "/bin/bash" @@ -24,3 +30,8 @@ EOF\n - ssl_enabled - item.value.ssl.provider | default('manual') == 'self-signed' notify: reload nginx + +- name: Clean up openssl configs directory + file: + path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/" + state: absent diff --git a/roles/wordpress-setup/templates/self-signed-openssl-config.j2 b/roles/wordpress-setup/templates/self-signed-openssl-config.j2 new file mode 100644 index 0000000000..8babe10d98 --- /dev/null +++ b/roles/wordpress-setup/templates/self-signed-openssl-config.j2 @@ -0,0 +1,7 @@ +[req] +prompt = no +distinguished_name = req_dn +[req_dn] +commonName = {{ item.value.site_hosts[0].canonical }} +[req_ext] +subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }} 
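Review bot: The new `-config {{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf` argument is interpolated into the `shell` command unquoted, while `-keyout` and `-out` on the following line pass `item.key` through `quote`. A site key or SSL path containing a space or shell metacharacter would split or alter the command; `-config {{ (nginx_ssl_path ~ '/self-signed-openssl-configs/' ~ item.key ~ '.cnf') | quote }}` keeps it a single argument. The keys are generated with `-nodes`, so they are unencrypted on disk, and the part of the task that would show their file mode lies outside the hunks; confirming that they are not world-readable is worthwhile.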
From 16d2cf8e96ed01357386ed8f4a498d5e713836ce Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 10 Oct 2019 23:36:07 -0400 Subject: [PATCH 143/416] Lets Encrypt ACME v2 support --- roles/letsencrypt/defaults/main.yml | 8 ++--- roles/letsencrypt/tasks/certificates.yml | 2 +- roles/letsencrypt/tasks/setup.yml | 6 ---- roles/letsencrypt/templates/renew-certs.py | 40 +++++++++------------- 4 files changed, 20 insertions(+), 36 deletions(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index e7f6c7a742..4b9d9b26b8 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -4,7 +4,7 @@ missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr(' letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' -acme_tiny_commit: '4ed13950c0a9cf61f1ca81ff1874cde1cf48ab32' +acme_tiny_commit: 'cb094cf3efa34acef8c7139c8480e2135422e755' acme_tiny_software_directory: /usr/local/letsencrypt acme_tiny_data_directory: /var/lib/letsencrypt @@ -24,14 +24,10 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" # KWXliiWjUORxDxI1c56Rw2VCIExnFjWJAdSLv6/XaQWo2T7U28bkKbAlCF9= # -----END RSA PRIVATE KEY----- -letsencrypt_ca: 'https://acme-v01.api.letsencrypt.org' +letsencrypt_ca: 'https://acme-v02.api.letsencrypt.org' letsencrypt_account_key: '{{ acme_tiny_data_directory }}/account.key' -letsencrypt_intermediate_cert_path: /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem -letsencrypt_intermediate_cert_url: 'https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem' -letsencrypt_intermediate_cert_sha256sum: 'e446c5e9dbef9d09ac9f7027c034602492437a05ff6c40011d7235fca639c79a' - letsencrypt_keys_dir: "{{ nginx_ssl_path }}/letsencrypt" letsencrypt_certs_dir: "{{ nginx_ssl_path }}/letsencrypt" 
diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index ea22ced1ab..480d910253 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -15,7 +15,7 @@ - name: Generate Lets Encrypt certificate IDs shell: | - echo "{{ [site_hosts | join(' '), letsencrypt_ca, acme_tiny_commit, letsencrypt_intermediate_cert_sha256sum] | join('\n') }}" | + echo "{{ [site_hosts | join(' '), letsencrypt_ca, acme_tiny_commit] | join('\n') }}" | cat {{ letsencrypt_account_key }} {{ letsencrypt_keys_dir }}/{{ item.key }}.key - | md5sum | cut -c -7 register: generate_cert_ids diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 6c0d6afcc7..6d3cd762aa 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -37,9 +37,3 @@ args: creates: "{{ letsencrypt_account_key }}" when: letsencrypt_account_key_source_content is not defined and letsencrypt_account_key_source_file is not defined - -- name: Download intermediate certificate - get_url: - url: "{{ letsencrypt_intermediate_cert_url }}" - dest: "{{ letsencrypt_intermediate_cert_path }}" - sha256sum: "{{ letsencrypt_intermediate_cert_sha256sum }}" diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 88cd133419..6d4b5f0304 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py 
@@ -10,44 +10,38 @@ letsencrypt_cert_ids = {{ letsencrypt_cert_ids }} for site in {{ sites_using_letsencrypt }}: - cert_path = os.path.join('{{ letsencrypt_certs_dir }}', site + '-' + letsencrypt_cert_ids[site] + '.cert') bundled_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', site + '-' + letsencrypt_cert_ids[site] + '-bundled.cert') - if os.access(cert_path, os.F_OK): - stat = os.stat(cert_path) - print 'Certificate file ' + cert_path + ' already exists' + if os.access(bundled_cert_path, os.F_OK): + stat = os.stat(bundled_cert_path) + print('Certificate file ' + bundled_cert_path + ' already exists') if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: - print ' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n' + print(' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n') continue - print 'Generating certificate for ' + site + print('Generating certificate for ' + site) - cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' - '--quiet ' - '--ca {{ letsencrypt_ca }} ' - '--account-key {{ letsencrypt_account_key }} ' - '--csr {{ acme_tiny_data_directory }}/csrs/{0}-{1}.csr ' - '--acme-dir {{ acme_tiny_challenges_directory }}' - ).format(site, letsencrypt_cert_ids[site]) + cmd = ( + '/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + '--quiet ' + '--ca {{ letsencrypt_ca }} ' + '--account-key {{ letsencrypt_account_key }} ' + '--csr {{ acme_tiny_data_directory }}/csrs/{0}-{1}.csr ' + '--acme-dir {{ acme_tiny_challenges_directory }}' + ).format(site, letsencrypt_cert_ids[site]) try: cert = check_output(cmd, stderr=STDOUT, shell=True) except CalledProcessError as e: failed = True - print 'Error while generating certificate for ' + site - print e.output + print('Error while generating certificate for ' + site) + print(e.output) else: - with open(cert_path, 'w') as cert_file: + with 
open(bundled_cert_path, 'w') as cert_file: cert_file.write(cert) - with open('{{ letsencrypt_intermediate_cert_path }}') as intermediate_cert_file: - intermediate_cert = intermediate_cert_file.read() - - with open(bundled_cert_path, 'w') as bundled_file: - bundled_file.write(''.join([cert, intermediate_cert])) - - print 'Created certificate for ' + site + print('Created certificate for ' + site) if failed: sys.exit(1) From 61a4faaa7ed0082c386112a51a81ff3e997e8bda Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 11 Oct 2019 20:25:44 -0400 Subject: [PATCH 144/416] Update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8911db48bd..24046b21d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ ### HEAD +* Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114)) +* Fix self-signed certificates in Ansible 2.8 ([#1110](https://github.com/roots/trellis/pull/1110)) +* Update WP CLI to v2.3.0 ([#1109](https://github.com/roots/trellis/pull/1109)) * Ansible 2.8.x support ([#1103](https://github.com/roots/trellis/pull/1103)) * Bump galaxy dependency versions ([#1105](https://github.com/roots/trellis/pull/1105)) * Fix issues with Vagrant ansible_local provisioner ([#1104](https://github.com/roots/trellis/pull/1104)) From 7287d177569917cf9f853cc9dc26c8a1cb65a2ab Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 11 Oct 2019 20:27:27 -0400 Subject: [PATCH 145/416] 1.2.0 Changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 24046b21d9..fe208741e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
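Review bot: In renew-certs.py, `cert_file.write(cert)` writes the return value of `check_output` into a file opened in text mode; under Python 3 that value is `bytes` and the write raises `TypeError`, after the certificate has already been issued. The hunk converts every `print` to the function form, which suggests Python 3 is meant to work, and `open(bundled_cert_path, 'wb')` behaves the same on both interpreters. Because the call uses `stderr=STDOUT`, anything acme_tiny prints to stderr would also land inside the certificate file. The command is still assembled with `.format()` and run with `shell=True`; passing an argument list without the shell would remove the reliance on site names being shell-safe.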
@@ -1,4 +1,4 @@ -### HEAD +### 1.2.0: October 11th, 2019 * Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114)) * Fix self-signed certificates in Ansible 2.8 ([#1110](https://github.com/roots/trellis/pull/1110)) * Update WP CLI to v2.3.0 ([#1109](https://github.com/roots/trellis/pull/1109)) From c279a99335e90f5226dcb842f798c4849e0ffe57 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 14 Oct 2019 22:09:49 -0400 Subject: [PATCH 146/416] Fix Vagrant pip_install_cmd conditional `pip_install_cmd` only exists in 2.2.5+ --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 8e2e4ec215..dc23764f3a 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -130,7 +130,7 @@ Vagrant.configure('2') do |config| config.vm.provision provisioner do |ansible| if local_provisioning? ansible.install_mode = 'pip' - if Vagrant::VERSION >= '2.2.4' + if Vagrant::VERSION >= '2.2.5' # Fix for https://github.com/hashicorp/vagrant/issues/10950 ansible.pip_install_cmd = 'curl https://bootstrap.pypa.io/get-pip.py | sudo python' end From e35e23034729ab9651db64238043f3d60fe8c390 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 13 Oct 2019 22:11:13 +0100 Subject: [PATCH 147/416] wordpress-setup: Block dependency manager files by Nginx Block these dependency managers: - composer - npm - yarn - bundler --- CHANGELOG.md | 3 ++ .../templates/wordpress-site.conf.j2 | 30 +++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fe208741e4..ebc06bfd63 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### Head +* wordpress-setup: Block dependency manager files by Nginx ([#1116](https://github.com/roots/trellis/pull/1116)) + ### 1.2.0: October 11th, 2019 * Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114)) * Fix self-signed certificates in Ansible 2.8 ([#1110](https://github.com/roots/trellis/pull/1110)) 
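Review bot: `Vagrant::VERSION >= '2.2.5'` compares two strings, so the check is lexicographic: a version such as `2.2.10` sorts below `2.2.5` and would skip the `pip_install_cmd` workaround. Compare parsed versions instead, `if Gem::Version.new(Vagrant::VERSION) >= Gem::Version.new('2.2.5')`. Separately, the context line below it pipes `get-pip.py` from the network straight into `sudo python` with no pinned version or checksum, so whatever that URL serves runs as root in the VM; a comment stating that this is accepted for local development boxes only would make the trade-off explicit. The enclosing `config.vm.provision` block continues past the hunk.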
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index b9fd7205ca..ab0c182dc7 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -129,6 +129,36 @@ server { } {% endblock %} + {% block dependency_managers -%} + # composer + location ~* composer\.(json|lock)$ { + deny all; + } + + location ~* auth\.json$ { + deny all; + } + + # npm + location ~* package(-lock)?\.json$ { + deny all; + } + + # yarn + location ~* yarn\.lock$ { + deny all; + } + + # bundler + location ~* Gemfile(\.lock)?$ { + deny all; + } + + location ~* gems\.(rb|locked)?$ { + deny all; + } + {% endblock %} + {% block location_primary -%} location / { try_files $uri $uri/ /index.php?$args; From b2dbf594ccd5bbad8f56e98b8618078bbc4919a9 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 9 Nov 2019 18:06:41 +0000 Subject: [PATCH 148/416] Remove unused optional block arguments --- Vagrantfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index dc23764f3a..d59cdb3b5a 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -33,7 +33,7 @@ Vagrant.configure('2') do |config| config.vm.network :private_network, type: 'dhcp', hostsupdater: 'skip' cached_addresses = {} - config.hostmanager.ip_resolver = proc do |vm, _resolving_vm| + config.hostmanager.ip_resolver = proc do |vm| if cached_addresses[vm.name].nil? if vm.communicate.ready? vm.communicate.execute("hostname -I | cut -d ' ' -f 2") do |_type, contents| @@ -181,7 +181,7 @@ Vagrant.configure('2') do |config| # VMware Workstation/Fusion settings %w(vmware_fusion vmware_workstation).each do |provider| - config.vm.provider provider do |vmw, _override| + config.vm.provider provider do |vmw| vmw.vmx['displayName'] = config.vm.hostname vmw.vmx['numvcpus'] = vconfig.fetch('vagrant_cpus') vmw.vmx['memsize'] = vconfig.fetch('vagrant_memory') 
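Review bot: The new `location ~*` patterns in the `dependency_managers` block are anchored only at the end, so they match any URI whose last characters happen to be `composer.json`, `auth.json` or `gemfile`, not just files with those names; prefixing each with a slash, e.g. `location ~* /composer\.(json|lock)$`, limits them to a whole path segment. In the last block the trailing `?` makes the extension optional, so `gems\.(rb|locked)?$` also matches a bare `gems.`; `location ~* /gems\.(rb|locked)$` is probably what was meant. nginx uses the first matching regex location in file order, and the locations defined earlier in the template are outside this hunk, so it is worth confirming that none of them matches these file names first.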
@@ -189,7 +189,7 @@ Vagrant.configure('2') do |config| end # Parallels settings - config.vm.provider 'parallels' do |prl, _override| + config.vm.provider 'parallels' do |prl| prl.name = config.vm.hostname prl.cpus = vconfig.fetch('vagrant_cpus') prl.memory = vconfig.fetch('vagrant_memory') From 0efcf58b9a9436bee1b848233ac3efc64321f5c1 Mon Sep 17 00:00:00 2001 From: Rob Record Date: Thu, 14 Nov 2019 14:02:36 +0000 Subject: [PATCH 149/416] Change self-signed certificate expiry time from 3650 days to 825, the new maximum time allowed under macOS Catalina --- roles/wordpress-setup/tasks/self-signed-certificate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 64e355fce2..fa995d15cc 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -17,7 +17,7 @@ - name: Generate self-signed certificates shell: "openssl req -new -newkey rsa:2048 \ - -days 3650 -nodes -x509 -sha256 \ + -days 825 -nodes -x509 -sha256 \ -extensions req_ext -config {{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf \ -keyout {{ item.key | quote }}.key -out {{ item.key | quote }}.cert" args: From 77729cf5991afcb14f693015a157176b6b6942ae Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 7 Dec 2019 15:31:40 -0500 Subject: [PATCH 150/416] Add git_sha and release_version to .env on deploy This will provide `GIT_SHA` and `RELEASE_VERSION` env variables. They can be useful for many purposes including application/error monitoring software. --- roles/deploy/vars/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index aea2f70a6e..7015d3451b 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml 
@@ -7,5 +7,7 @@ wordpress_env_defaults: wp_home: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}" wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" + git_sha: "{{ git_clone.after }}" + release_version: "{{ deploy_helper.new_release }}" site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" From 22adab323123dd3ea3cc315aa3d0bfadc9cdd29d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 7 Dec 2019 17:43:10 -0500 Subject: [PATCH 151/416] Update CHANGELOG --- CHANGELOG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebc06bfd63..4ef86f10ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ -### Head -* wordpress-setup: Block dependency manager files by Nginx ([#1116](https://github.com/roots/trellis/pull/1116)) +### HEAD +* Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) +* Lower self-signed certificate expiry time for macOS Cataline support ([#1120](https://github.com/roots/trellis/pull/1120)) +* Block dependency manager files in Nginx ([#1116](https://github.com/roots/trellis/pull/1116)) ### 1.2.0: October 11th, 2019 * Lets Encrypt ACME v2 support ([#1114](https://github.com/roots/trellis/pull/1114)) From 3eff48a99706e0367325cb46b783812e3b84b180 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 7 Dec 2019 17:44:24 -0500 Subject: [PATCH 152/416] v1.3.0 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ef86f10ba..84e59ca325 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,4 @@ -### HEAD +### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) * Lower self-signed certificate expiry time for macOS Cataline support ([#1120](https://github.com/roots/trellis/pull/1120)) * Block dependency manager files in Nginx ([#1116](https://github.com/roots/trellis/pull/1116)) From 4fe4e66e4e4d77a780d5217577e0bd31f00eb12e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 11 Dec 2019 22:39:48 -0500 Subject: [PATCH 153/416] Fix subjectAltName for self-signed certificates In some cases the `subjectAltName` for self-signed SSL certificates were invalid due to `DNS:` being both prepended *and* appended to each domain when it should only be a prefix. This tweaks `regex_replace` to anchor at the start of the string only. Before: ``` subjectAltName = DNS:example.testDNS:,DNS:www.example.testDNS: ``` After: ``` subjectAltName = DNS:example.test,DNS:www.example.test ``` --- roles/wordpress-setup/templates/self-signed-openssl-config.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/self-signed-openssl-config.j2 b/roles/wordpress-setup/templates/self-signed-openssl-config.j2 index 8babe10d98..9ba1054aef 100644 --- a/roles/wordpress-setup/templates/self-signed-openssl-config.j2 +++ b/roles/wordpress-setup/templates/self-signed-openssl-config.j2 @@ -4,4 +4,4 @@ distinguished_name = req_dn [req_dn] commonName = {{ item.value.site_hosts[0].canonical }} [req_ext] -subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }} +subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(^.*$)', 'DNS:\\1') | join(',') }} From 2801a8b58ad35703647a574c6a9a723e4f7c06aa Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Wed, 11 Dec 2019 21:26:34 -0500 Subject: [PATCH 154/416] Use modern SSL config for Nginx Based off of h5bp's config: https://github.com/h5bp/server-configs-nginx/blob/611ed7507bc200b81867423f6061fe79b2f606e8/h5bp/ssl/policy_modern.conf Drops TLSv1 and TLSv2.1 and updates the cipher suite. Cipher suite compatibility details: https://cryptcheck.fr/suite/ECDHE+AES:!SHA TLS 1.2 compatibility: https://caniuse.com/#feat=tls1-2 TLS 1.3 compatibility: https://caniuse.com/#feat=tls1-3 --- roles/nginx/templates/h5bp/directive-only/ssl.conf | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf index cf5cfaa6cc..0b67f328f1 100644 --- a/roles/nginx/templates/h5bp/directive-only/ssl.conf +++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf 
@@ -1,10 +1,6 @@ -# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add -# SSLv3 to the list of protocols below. -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - -# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx -ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; -ssl_prefer_server_ciphers on; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers EECDH+CHACHA20:EECDH+AES; +ssl_prefer_server_ciphers on; # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes. # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. From bd8912edb8abaa20b12f02984f8e23fd33c3c446 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 24 Dec 2019 09:32:37 -0500 Subject: [PATCH 155/416] Disable ssl_session_tickets --- roles/nginx/templates/h5bp/directive-only/ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf index 0b67f328f1..bb8bd0aa76 100644 --- a/roles/nginx/templates/h5bp/directive-only/ssl.conf 
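Review bot: `ssl_ciphers EECDH+CHACHA20:EECDH+AES;` still admits the CBC-mode ECDHE suites, including the SHA-1 ones such as `ECDHE-RSA-AES128-SHA`, because `AES` in an OpenSSL cipher string covers every AES suite rather than only GCM. The commit description points at `ECDHE+AES:!SHA`, so the `!SHA` exclusion seems to have been dropped; `ssl_ciphers EECDH+CHACHA20:EECDH+AES:!SHA;` matches the description, or `EECDH+CHACHA20:EECDH+AESGCM` if only AEAD suites are wanted. The hunk also deletes the comments explaining the protocol choice without a replacement; a one-line comment such as `# TLS 1.2 and 1.3 only; TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer` would help whoever provisions an older image.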
+++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf @@ -21,7 +21,7 @@ ssl_session_timeout 24h; # # Note that you'll have to define and rotate the keys securely by yourself. In absence # of such infrastructure, consider turning off session tickets: -#ssl_session_tickets off; +ssl_session_tickets off; # Use a higher keepalive timeout to reduce the need for repeated handshakes keepalive_timeout 300s; # up from 75 secs default From b6cae7844f704353132cdcae18088e6adf8560b6 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 24 Dec 2019 09:32:45 -0500 Subject: [PATCH 156/416] Update stapling config --- .../h5bp/directive-only/ssl-stapling.conf | 35 ++++++++++++++++--- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf b/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf index d15bf972ba..95cc175ce4 100644 --- a/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf +++ b/roles/nginx/templates/h5bp/directive-only/ssl-stapling.conf 
@@ -1,9 +1,34 @@ -# OCSP stapling... +# ---------------------------------------------------------------------- +# | Online Certificate Status Protocol stapling | +# ---------------------------------------------------------------------- + +# OCSP is a lightweight, only one record to help clients verify the validity of +# the server certificate. +# OCSP stapling allows the server to send its cached OCSP record during the TLS +# handshake, without the need of 3rd party OCSP responder. +# +# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling +# https://tools.ietf.org/html/rfc6066#section-8 +# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling +# +# (1) Use Cloudflare 1.1.1.1 DNS resolver +# https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/ +# +# (2) Use Google 8.8.8.8 DNS resolver +# https://developers.google.com/speed/public-dns/docs/using +# +# (3) Use Dyn DNS resolver +# https://help.dyn.com/internet-guide-setup/ + ssl_stapling on; ssl_stapling_verify on; -#trusted cert must be made up of your intermediate certificate followed by root certificate -#ssl_trusted_certificate /path/to/ca.crt; - -resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s; +resolver + # (1) + 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] + # (2) + 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] + # (3) + # 216.146.35.35 216.146.36.36 + valid=60s; resolver_timeout 2s; From 258c8843371b95b77bdd7322f06ee338e2b08e4d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 24 Dec 2019 11:16:22 -0500 Subject: [PATCH 157/416] Update roles/nginx/templates/h5bp/directive-only/ssl.conf Co-Authored-By: Austin Pray --- roles/nginx/templates/h5bp/directive-only/ssl.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/h5bp/directive-only/ssl.conf b/roles/nginx/templates/h5bp/directive-only/ssl.conf index bb8bd0aa76..20d98766b3 100644 
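Review bot: `ssl_stapling_verify on;` stays while the hunk removes the only hint about `ssl_trusted_certificate`; nginx can verify the OCSP response only when the issuer chain is configured as trusted, so keep a comment such as `# ssl_stapling_verify needs the issuer chain: set ssl_trusted_certificate in the server block`, or confirm it is set elsewhere (not visible here). The `resolver` block sends the OCSP responder lookups to public resolvers over plain DNS; the nginx documentation recommends resolvers on a trusted local network to limit spoofing, so exposing the resolver list as a variable with the public addresses as a fallback would let operators point it at a local resolver. The comment block could also say that the bracketed IPv6 addresses are only useful on hosts with IPv6 connectivity.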
--- a/roles/nginx/templates/h5bp/directive-only/ssl.conf +++ b/roles/nginx/templates/h5bp/directive-only/ssl.conf @@ -1,6 +1,6 @@ ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers EECDH+CHACHA20:EECDH+AES; -ssl_prefer_server_ciphers on; +ssl_prefer_server_ciphers off; # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes. # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. From 5c09ae9cec67dcc87bb7371774888bd2721c7f65 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 5 Jan 2020 00:31:28 +0000 Subject: [PATCH 158/416] Update `wp_cli_version` to 2.4.0 See: https://make.wordpress.org/cli/2019/11/12/wp-cli-v2-4-0-release-notes/ --- CHANGELOG.md | 3 +++ roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 84e59ca325..fac73c5b2e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### Head +* Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) + ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) * Lower self-signed certificate expiry time for macOS Cataline support ([#1120](https://github.com/roots/trellis/pull/1120)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 13fe52b49f..f13bd98c4a 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.3.0 +wp_cli_version: 2.4.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" 
From 2c6476c102f55f5897aa9ecf95b39c5fcbda2230 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 11 Jan 2020 17:01:54 +0000 Subject: [PATCH 159/416] Allow `composer install` without `--no-scripts` during deploy --- CHANGELOG.md | 1 + roles/deploy/defaults/main.yml | 3 +++ roles/deploy/hooks/build-after.yml | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fac73c5b2e..8c7dc9b85a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### Head * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) +* Allow `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 8e04496fff..5f4f68cc02 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -48,6 +48,9 @@ project_current_path: "{{ project.current_path | default('current') }}" # Whether to run `wp core update-db` at end of each deploy update_db_on_deploy: true +# Most scripts are used in development instead of remote servers. Use with caution. +composer_no_scripts: true + # Helpers project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index c637d12882..bf2d649c73 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -27,5 +27,5 @@ - name: Install Composer dependencies composer: - no_scripts: yes + no_scripts: "{{ composer_no_scripts }}" working_dir: "{{ deploy_helper.new_release_path }}" From 6caea96afa66b12d27d43c7ede7850070a659d57 Mon Sep 17 00:00:00 2001 
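Review bot: The comment added above `composer_no_scripts: true` in `roles/deploy/defaults/main.yml` says "Use with caution" without saying what changes: setting it to `false` lets the scripts declared in the project's `composer.json` run on the server during every deploy, as whichever user runs the "Install Composer dependencies" task. I would spell that out, e.g. `# Set to false to let Composer run the scripts defined in composer.json on the server during deploy; review them first.` The same wording belongs next to `no_scripts: "{{ composer_no_scripts }}"` in `build-after.yml`, whose task continues outside the hunk.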
From: Tang Rufus Date: Mon, 13 Jan 2020 15:59:56 +0000 Subject: [PATCH 160/416] CircleCI: Test `rollback.yml` --- .circleci/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 5ab3ba4cdf..9a4413ab93 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -49,6 +49,7 @@ orbs: ansible-playbook --syntax-check -e env=development deploy.yml ansible-playbook --syntax-check -e env=development dev.yml ansible-playbook --syntax-check -e env=development server.yml + ansible-playbook --syntax-check -e env=development rollback.yml workflows: syntax-check: From 7299d378be52cd3d5967db72469555525b98a47c Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:27:34 +0000 Subject: [PATCH 161/416] Lint: Fix `[501] become_user requires become to work as expected` --- roles/wp-cli/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 675596e141..fe3d85c62d 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -46,6 +46,7 @@ - name: Install WP-CLI packages command: wp package install {{ item }} + become: true become_user: "{{ web_user }}" register: wp_cli_packages_installed changed_when: From 5c3df4ec187f1fc45aabf3052534abfd021ea61f Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:35:03 +0000 Subject: [PATCH 162/416] Lint: Fix `[601] Don't compare to literal True/False` --- roles/rollback/tasks/user-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rollback/tasks/user-release.yml b/roles/rollback/tasks/user-release.yml index 6e356e1bc0..073506659e 100644 --- a/roles/rollback/tasks/user-release.yml +++ b/roles/rollback/tasks/user-release.yml 
@@ -13,7 +13,7 @@ - name: Fail if user-specified release doesn't exist or is already active fail: msg: "Cannot switch to release {{ release }}. Either it does not exist or it is the active release." - when: specified.stat.isdir | default(False) == False or current_release.stdout_lines[0] == release + when: not (specified.stat.isdir | default(False)) or current_release.stdout_lines[0] == release - name: Create new_release_path variable set_fact: From cb70709791c0e349415ae5ee113b483a3bf8d3fc Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:43:57 +0000 Subject: [PATCH 163/416] Lint: Fix `[504] Do not use 'local_action', use 'delegate_to: localhost'` --- roles/connection/tasks/main.yml | 5 +++-- roles/users/tasks/main.yml | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 0675e77bf4..86ba0476a1 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -16,9 +16,10 @@ - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} - local_action: | - command ansible {{ inventory_hostname }} -m raw -a whoami + command: | + ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} {{ cli_options | default('') }} -vvvv + delegate_to: localhost environment: ANSIBLE_SSH_ARGS: "{{ ssh_args_default }} {{ ansible_ssh_extra_args | default('') }}" failed_when: false diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 8c1403c0be..e84f720333 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml 
@@ -58,7 +58,8 @@ - keys - name: Check whether Ansible can connect as admin_user - local_action: command ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }} + command: ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }} + delegate_to: localhost failed_when: false changed_when: false become: no From 34689c23b82e1b5b58526c7dff03b34dcff65589 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 12:07:39 +0000 Subject: [PATCH 164/416] Lint: Fix `[602] Don't compare to empty string` --- roles/connection/tasks/main.yml | 2 +- roles/wordpress-install/tasks/composer-authentications.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 0675e77bf4..5381a9fa1f 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -12,7 +12,7 @@ register: preferred_host_key_algorithms when: - dynamic_host_key_algorithms | default(true) - - ansible_ssh_extra_args | default('') == '' + - not (not ansible_ssh_extra_args) - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 9d0a8368d3..8d8445fa86 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml 
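Review bot: In `roles/connection/tasks/main.yml` the rewritten condition is inverted: `ansible_ssh_extra_args | default('') == ''` was true when no extra SSH args were set, whereas `not (not ansible_ssh_extra_args)` is true only when they are set, and it also loses the `default('')`, so an undefined variable now raises instead of counting as empty. `- not (ansible_ssh_extra_args | default(''))` keeps the old meaning and still satisfies the lint rule. The `composer-authentications.yml` hunk in the same commit keeps the sense but drops the three `is defined` guards, so an entry missing `hostname`, `username` or `password` would likely fail the task rather than be skipped; `composer_authentication.hostname | default('') | length > 0` (and likewise for the other two) preserves the guard. Both task bodies continue outside their hunks.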
@@ -7,9 +7,9 @@ no_log: true changed_when: false when: - - composer_authentication.hostname is defined and composer_authentication.hostname != "" - - composer_authentication.username is defined and composer_authentication.username != "" - - composer_authentication.password is defined and composer_authentication.password != "" + - not (not composer_authentication.hostname) + - not (not composer_authentication.username) + - not (not composer_authentication.password) loop: "{{ composer_authentications }}" loop_control: loop_var: composer_authentication From 2686136c9c635fa56991647ffd6635933438f523 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 12:28:38 +0000 Subject: [PATCH 165/416] Lint: Fix `[305] Use shell only when shell functionality is required` --- roles/letsencrypt/tasks/nginx.yml | 8 ++++---- roles/wordpress-setup/tasks/self-signed-certificate.yml | 3 +-- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index c0578e4933..20b97e63b1 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -39,10 +39,10 @@ when: challenge_site_confs is changed or challenge_sites_enabled is changed - name: Create test Acme Challenge file - shell: touch {{ acme_tiny_challenges_directory }}/ping.txt - args: - creates: "{{ acme_tiny_challenges_directory }}/ping.txt" - warn: false + file: + path: "{{ acme_tiny_challenges_directory }}/ping.txt" + state: touch + mode: '0644' - name: Test Acme Challenges test_challenges: diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index fa995d15cc..35e04f712b 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml 
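Review bot: `state: touch` in "Create test Acme Challenge file" updates the file's timestamps and reports `changed` on every run, whereas the replaced `shell` task with `creates:` did nothing once `ping.txt` existed. Adding `modification_time: preserve` and `access_time: preserve` to the `file` task restores the idempotent behaviour. The neighbouring tasks are only partly inside the hunk.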
@@ -16,12 +16,11 @@ - item.value.ssl.provider | default('manual') == 'self-signed' - name: Generate self-signed certificates - shell: "openssl req -new -newkey rsa:2048 \ + command: "openssl req -new -newkey rsa:2048 \ -days 825 -nodes -x509 -sha256 \ -extensions req_ext -config {{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf \ -keyout {{ item.key | quote }}.key -out {{ item.key | quote }}.cert" args: - executable: "/bin/bash" chdir: "{{ nginx_ssl_path }}" creates: "{{ item.key }}.*" with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" From 0da67ad1b63acf22945f8da805cc79e8053a1af8 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 14:48:42 +0000 Subject: [PATCH 166/416] CircleCI: Test `xdebug-tunnel.yml` --- .circleci/config.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9a4413ab93..f71bbe5faf 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -50,6 +50,7 @@ orbs: ansible-playbook --syntax-check -e env=development dev.yml ansible-playbook --syntax-check -e env=development server.yml ansible-playbook --syntax-check -e env=development rollback.yml + ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml workflows: syntax-check: From 8ac97859a0a52daf5a5475d563802dad2da21d55 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 12:14:21 +0000 Subject: [PATCH 167/416] Lint: Fix `[502] All tasks should be named` --- roles/common/tasks/main.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index aeff82462d..1559a76a89 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -147,13 +147,14 @@ generate_ssh_key: yes when: env == 'development' -- name: Retrieve SSH client IP - block: - - ipify_facts: +- block: + - name: Retrieve SSH client IP + ipify_facts: delegate_to: localhost become: no when: env != 'development' and ssh_client_ip_lookup | default(true) tags: [fail2ban, ferm] rescue: - - fail: + - name: Fail when unable to retrieve SSH client IP + fail: msg: "External IP resolution failed. Check that your DNS servers are working. Try to disable DNSCrypt if you are using it." From 00524b0f9daf84d13e35bc3a433fdc38a25a2ac6 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:59:21 +0000 Subject: [PATCH 168/416] Lint: Fix `[303] rsync used in place of synchronize module` --- roles/wordpress-install/tasks/main.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 5b32fcbe33..d5491a2808 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -11,10 +11,12 @@ with_dict: "{{ wordpress_sites }}" - name: Copy .env file into web root - command: rsync -ac --info=NAME /tmp/{{ item.key }}.env {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env + synchronize: + src: "/tmp/{{ item.key }}.env" + dest: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env" + checksum: true with_dict: "{{ wordpress_sites }}" - register: env_file - changed_when: env_file.stdout == item.key + '.env' + delegate_to: "{{ inventory_hostname }}" - name: Add known_hosts known_hosts: From 11c51eeff34c0217ef5427c54fa03edd218f4464 Mon Sep 17 00:00:00 2001 
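Review bot: The `src` of the new `synchronize` task in `roles/wordpress-install/tasks/main.yml` is a fixed, guessable name in `/tmp` (`/tmp/{{ item.key }}.env`), and nothing in the hunk removes it after the copy. The task that writes that file sits above the hunk, so its owner and mode cannot be checked from here; if it holds the site's environment values, it should be created with mode `0600` and deleted once the copy is done, or rendered straight to the destination. `synchronize` runs in archive mode by default and so preserves the source's permissions, which means whatever mode the temporary file has is what `.env` in the web root ends up with.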
From: TangRufus Date: Sun, 19 Jan 2020 13:57:12 +0000 Subject: [PATCH 169/416] `composer install` with `--classmap-authoritative` during deploy See: - https://getcomposer.org/doc/articles/autoloader-optimization.md#optimization-level-2-a-authoritative-class-maps - https://docs.ansible.com/ansible/latest/modules/composer_module.html#parameters --- CHANGELOG.md | 3 ++- deploy-hooks/build-before.yml | 2 +- roles/deploy/defaults/main.yml | 2 ++ roles/deploy/hooks/build-after.yml | 1 + 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c7dc9b85a..2019359cd1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ ### Head * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) -* Allow `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) +* `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) +* Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index e6893432ba..a42b124490 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -14,7 +14,7 @@ # chdir: "{{ project_local_path }}/web/app/themes/sage" # # - name: Install Composer dependencies -# command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts +# command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts --classmap-authoritative # args: # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # 
diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 5f4f68cc02..b6b5e6c74d 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -50,6 +50,8 @@ update_db_on_deploy: true # Most scripts are used in development instead of remote servers. Use with caution. composer_no_scripts: true +# Whether to autoload classes from classmap only. +composer_classmap_authoritative: true # Helpers project: "{{ wordpress_sites[site] }}" diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index bf2d649c73..8e7daf91dc 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -28,4 +28,5 @@ - name: Install Composer dependencies composer: no_scripts: "{{ composer_no_scripts }}" + classmap_authoritative: "{{ composer_classmap_authoritative }}" working_dir: "{{ deploy_helper.new_release_path }}" From 6cc4fc763dd7be8ad4a430a0b31dc05833d7be73 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Tue, 21 Jan 2020 19:48:02 +0000 Subject: [PATCH 170/416] Fix `DEPLOY_UNFINISHED` not being copied over to `release` The tar generated by git archive doesn't include `DEPLOY_UNFINISHED` https://github.com/roots/trellis/blob/ab70d8ed84ef54054de2024e5c2639e047c0b905/roles/deploy/tasks/prepare.yml#L29-L39 --- CHANGELOG.md | 1 + roles/deploy/tasks/prepare.yml | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2019359cd1..bd0ee3b14d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,7 @@ * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) * Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) +* Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 9181b43f51..2d05f4df8e 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -5,11 +5,6 @@ loop_var: include_path tags: deploy-prepare-before -- name: write unfinished file - file: - path: "{{ project_source_path }}/{{ deploy_helper.unfinished_filename }}" - state: touch - - name: Check for project repo subtree stat: path: "{{ project_source_path }}/{{ project.repo_subtree_path }}" @@ -38,6 +33,11 @@ chdir: "{{ project_source_path }}" when: project.repo_subtree_path is defined +- name: write unfinished file + file: + path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" + state: touch + - include_tasks: "{{ include_path }}" with_items: "{{ deploy_prepare_after | default([]) }}" loop_control: From 283ff5846653a30712cb51188ef048fc20040dad Mon Sep 17 00:00:00 2001 From: TangRufus Date: Tue, 21 Jan 2020 19:51:31 +0000 Subject: [PATCH 171/416] Deploy: Remove untracked files from project folder --- CHANGELOG.md | 1 + roles/deploy/tasks/update.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2019359cd1..09318ae2c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
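Review bot: Moving `write unfinished file` below the two `git archive` tasks in roles/deploy/tasks/prepare.yml means a deploy that fails while archiving or extracting leaves a release directory with no `DEPLOY_UNFINISHED` marker in it. Anything that uses the marker to tell a failed release from a good one would then see that partial directory as finished. The new target path is correct; I would put the task directly after the one that creates `deploy_helper.new_release_path` (it appears to sit between the two hunks and is not shown) and before the archive tasks. Extracting into the directory afterwards leaves the marker in place unless the repository ships a file of the same name.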
@@ -2,6 +2,7 @@ * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) * Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) +* Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 4170f658db..61bb72013a 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -24,6 +24,13 @@ no_log: true register: git_clone +- name: Remove untracked files from project folder + command: git clean -fdx + args: + chdir: "{{ project_source_path }}" + register: git_clean + changed_when: not not(git_clean.stdout) + - name: Failed connection to remote repo fail: msg: | From be72a6b3f2dab4a31d4fa6fa59c811387d4b6400 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 26 Jan 2020 13:00:31 -0500 Subject: [PATCH 172/416] Update CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b29818aa5a..8a64e6a704 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
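Review bot: `changed_when: not not(git_clean.stdout)` in the new `Remove untracked files from project folder` task uses a double negation as a truthiness cast, which is easy to misread; `changed_when: git_clean.stdout | length > 0` states the condition directly. The line is carried over unchanged where PATCH 176 moves the task. Since `-x` makes `git clean` delete ignored files as well as untracked ones, a one-line comment such as `# -x: also removes ignored files under project_source_path` would make that intent explicit.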
@@ -1,7 +1,9 @@ ### Head * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) +* Fix `subjectAltName` for self-signed certificates ([#1128](https://github.com/roots/trellis/pull/1128)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) * Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) +* Use modern SSL config for Nginx ([#1127](https://github.com/roots/trellis/pull/1127)) * Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) From e3c41b6f77582af6864867161ef11d9456e9f052 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 26 Jan 2020 13:18:25 -0500 Subject: [PATCH 173/416] Add trellis-cli instructions to README --- README.md | 85 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 77 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 447222f7da..7d056980af 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. - Local development environment with Vagrant - High-performance production servers - Zero-downtime deploys for your [Bedrock](https://roots.io/bedrock/)-based WordPress sites +- [trellis-cli](https://github.com/roots/trellis-cli) for easier management ## What's included 
@@ -35,14 +36,23 @@ Full documentation is available at [https://roots.io/trellis/docs/](https://root Make sure all dependencies have been installed before moving on: -* [Composer](https://getcomposer.org/doc/00-intro.md#installation-linux-unix-osx) * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 +* **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) **Windows user?** [Read the Windows getting started docs](https://roots.io/getting-started/docs/windows-development-environment-trellis/) for slightly different installation instructions. ## Installation +### Using trellis-cli + +Create a new project: +```bash +$ trellis new example.com +``` + +### Manual + The recommended directory structure for a Trellis project looks like: ```shell @@ -56,6 +66,8 @@ example.com/ # → Root folder for the project See a complete working example in the [roots-example-project.com repo](https://github.com/roots/roots-example-project.com). + + 1. Create a new project directory: ```plain $ mkdir example.com && cd example.com @@ -71,6 +83,18 @@ $ composer create-project roots/bedrock site ## Local development setup +### Using trellis-cli + +1. Review the automatically created site in `group_vars/development/wordpress_sites.yml` +2. Customize settings if necessary + +Start the Vagrant virtual machine: +```bash +$ trellis up +``` + +### Manual + 1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` 2. Ensure you're in the trellis directory: `cd trellis` 3. Run `vagrant up` 
@@ -79,23 +103,68 @@ $ composer create-project roots/bedrock site ## Remote server setup (staging/production) -For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. - -A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. +A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` 3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/)) -4. Run `ansible-playbook server.yml -e env=` to provision the server + +### Using trellis-cli + +Initialize Trellis (Virtualenv) environment: +```bash +$ trellis init +``` + +Provision the server: +```bash +$ trellis provision production +``` + +Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) support to create a Droplet *and* provision it in a single command: +```bash +$ trellis droplet create production +``` + +### Manual + +For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. + +Provision the server: +```bash +$ ansible-playbook server.yml -e env= +``` [Read the remote server docs](https://roots.io/trellis/docs/remote-server-setup/) for more information. ## Deploying to remote servers 1. Add the `repo` (Git URL) of your Bedrock WordPress project in the corresponding `group_vars//wordpress_sites.yml` file -2. Set the `branch` you want to deploy -3. Run `./bin/deploy.sh ` -4. 
To rollback a deploy, run `ansible-playbook rollback.yml -e "site= env="` +2. Set the `branch` you want to deploy (defaults to `master`) + +### Using trellis-cli + +Deploy a site: +```bash +$ trellis deploy +``` + +Rollback a deploy: +```bash +$ trellis rollback +``` + +### Manual + +Deploy a site: +```bash +$ ./bin/deploy.sh +``` + +Rollback a deploy: +```bash +$ ansible-playbook rollback.yml -e "site= env=" +``` [Read the deploys docs](https://roots.io/trellis/docs/deploys/) for more information. From 099962c416ad59ba4b436eda9828693e16a6feef Mon Sep 17 00:00:00 2001 From: TangRufus Date: Mon, 27 Jan 2020 12:24:27 +0000 Subject: [PATCH 174/416] Nginx: Block `composer/installed.json` --- CHANGELOG.md | 1 + roles/wordpress-setup/templates/wordpress-site.conf.j2 | 10 +++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8a64e6a704..872957ed6f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * Use modern SSL config for Nginx ([#1127](https://github.com/roots/trellis/pull/1127)) * Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) +* Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index ab0c182dc7..0e3b1270df 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -121,7 +121,7 @@ server { deny all; } {% endblock %} - + {% block blade_twig_templates -%} # Prevent Blade and Twig templates from being accessed directly. location ~* \.(blade\.php|twig)$ { 
@@ -135,6 +135,10 @@ server { deny all; } + location ~* composer/installed\.json$ { + deny all; + } + location ~* auth\.json$ { deny all; } @@ -143,12 +147,12 @@ server { location ~* package(-lock)?\.json$ { deny all; } - + # yarn location ~* yarn\.lock$ { deny all; } - + # bundler location ~* Gemfile(\.lock)?$ { deny all; From ca56ae5f0b2b262af173d4a0b025e2f69d883621 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 11 Feb 2020 15:45:05 -0700 Subject: [PATCH 175/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7d056980af..797441b887 100644 --- a/README.md +++ b/README.md @@ -176,7 +176,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Scale Dynamix +Kinsta KM Digital Nestify ## Community From 24b40b6c3880943097202f1d31cd73e6f8bad518 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Thu, 13 Feb 2020 17:55:18 +0000 Subject: [PATCH 176/416] Run `git clean` after checking `git clone` is successful --- CHANGELOG.md | 1 + roles/deploy/tasks/update.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 872957ed6f..5f9d9836f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ * Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) +* Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) 
diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 61bb72013a..305bc82f59 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -24,13 +24,6 @@ no_log: true register: git_clone -- name: Remove untracked files from project folder - command: git clean -fdx - args: - chdir: "{{ project_source_path }}" - register: git_clean - changed_when: not not(git_clean.stdout) - - name: Failed connection to remote repo fail: msg: | @@ -40,6 +33,13 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding when: git_clone is failed +- name: Remove untracked files from project folder + command: git clean -fdx + args: + chdir: "{{ project_source_path }}" + register: git_clean + changed_when: not not(git_clean.stdout) + - include_tasks: "{{ include_path }}" with_items: "{{ deploy_update_after | default([]) }}" loop_control: From e2a532dc4b2f4183d9e151475d60ebfdb1c5d199 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 16 Feb 2020 17:27:18 +0000 Subject: [PATCH 177/416] Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` --- CHANGELOG.md | 1 + roles/xdebug-tunnel/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f9d9836f9..8dee7ada8b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) +* Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) 
diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 86a84909c0..88a8dd9b60 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -2,7 +2,7 @@ - name: Create or close Xdebug SSH tunnel command: | {% if xdebug_remote_enable | bool %} - ssh -M -S '{{ xdebug_tunnel_control_socket }}' -fnNT -R {{ xdebug_tunnel_port_mapping }} {{ xdebug_tunnel_user_at_host}} '{{ xdebug_tunnel_control_identity }}' + ssh -M -S '{{ xdebug_tunnel_control_socket }}' -fnNT -R {{ xdebug_tunnel_port_mapping }} {{ xdebug_tunnel_user_at_host }} '{{ xdebug_tunnel_control_identity }}' {% else %} ssh -S '{{ xdebug_tunnel_control_socket }}' -O exit '{{ xdebug_tunnel_control_identity }}' {% endif %} From 88dc16004b17088b14c72ccbbb57ef5e9b3dcef9 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 15 Jan 2020 11:51:07 +0000 Subject: [PATCH 178/416] Lint: Fix `[301] Commands should not change things if nothing needs doing` --- roles/common/tasks/reload_nginx.yml | 1 + roles/rollback/tasks/prior-release.yml | 2 ++ roles/rollback/tasks/user-release.yml | 1 + roles/xdebug-tunnel/tasks/main.yml | 1 + 4 files changed, 5 insertions(+) diff --git a/roles/common/tasks/reload_nginx.yml b/roles/common/tasks/reload_nginx.yml index 952a6082e0..5e30a58704 100644 --- a/roles/common/tasks/reload_nginx.yml +++ b/roles/common/tasks/reload_nginx.yml @@ -2,6 +2,7 @@ - name: reload nginx command: nginx -t notify: "{{ (role_path | basename == 'common') | ternary('perform nginx reload', omit) }}" + changed_when: false - name: perform nginx reload service: diff --git a/roles/rollback/tasks/prior-release.yml b/roles/rollback/tasks/prior-release.yml index 1788aeebe8..402ee77d20 100644 --- a/roles/rollback/tasks/prior-release.yml +++ b/roles/rollback/tasks/prior-release.yml @@ -4,6 +4,7 @@ args: chdir: "{{ project_root }}" register: current_release_position + changed_when: false - name: Fail if current release is the oldest available release fail: 
@@ -15,6 +16,7 @@ args: chdir: "{{ project_root }}" register: releases + changed_when: false - name: Create new_release_path variable set_fact: diff --git a/roles/rollback/tasks/user-release.yml b/roles/rollback/tasks/user-release.yml index 073506659e..d360cccda3 100644 --- a/roles/rollback/tasks/user-release.yml +++ b/roles/rollback/tasks/user-release.yml @@ -9,6 +9,7 @@ args: chdir: "{{ project_root }}" register: current_release + changed_when: false - name: Fail if user-specified release doesn't exist or is already active fail: diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 88a8dd9b60..2a23b104c0 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -10,6 +10,7 @@ become: no register: xdebug_tunnel ignore_errors: true + changed_when: false - name: Interpret and present Xdebug SSH tunnel errors fail: From c54aebf6690b0cdd1956a0d3a4dba768a2dd43ce Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 16:21:30 +0000 Subject: [PATCH 179/416] `nginx -t` awlays changed to trigger `notify` --- roles/common/tasks/reload_nginx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/reload_nginx.yml b/roles/common/tasks/reload_nginx.yml index 5e30a58704..9d30718aa9 100644 --- a/roles/common/tasks/reload_nginx.yml +++ b/roles/common/tasks/reload_nginx.yml @@ -2,7 +2,7 @@ - name: reload nginx command: nginx -t notify: "{{ (role_path | basename == 'common') | ternary('perform nginx reload', omit) }}" - changed_when: false + changed_when: true - name: perform nginx reload service: From 78ebc8100101a0f863ff5360c21ff723962168ec Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 16:26:47 +0000 Subject: [PATCH 180/416] `Create or close Xdebug SSH tunnel` awlays changed to trigger `notify` --- roles/xdebug-tunnel/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 2a23b104c0..84ec403faf 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -10,7 +10,7 @@ become: no register: xdebug_tunnel ignore_errors: true - changed_when: false + changed_when: true - name: Interpret and present Xdebug SSH tunnel errors fail: From c46da697badfb96b53a0ab3a25734beca1a56696 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 16 Feb 2020 18:10:10 +0000 Subject: [PATCH 181/416] Lint: Fix: `[306] Shells that use pipes should set the pipefail option` --- CHANGELOG.md | 1 + roles/deploy/tasks/prepare.yml | 10 ++++++++-- roles/letsencrypt/tasks/certificates.yml | 3 +++ roles/rollback/tasks/prior-release.yml | 5 ++++- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8dee7ada8b..fb29d1a7b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) * Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152)) +* Lint: Fix: `[306] Shells that use pipes should set the pipefail option ([#1153](https://github.com/roots/trellis/pull/1153)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 2d05f4df8e..3befa99dac 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml 
@@ -22,15 +22,21 @@ state: directory - name: Run git archive to populate new build dir - shell: git archive {{ project_version }} | tar xf - -C {{ deploy_helper.new_release_path }} + shell: | + set -eo pipefail + git archive {{ project_version }} | tar xf - -C {{ deploy_helper.new_release_path }} args: chdir: "{{ project_source_path }}" + executable: /bin/bash when: project.repo_subtree_path is not defined - name: Run git archive with subdirectory to populate new build dir - shell: git archive {{ project_version }} {{ project.repo_subtree_path }} | tar -x --strip-components {{ project.repo_subtree_path.split('/') | count }} -f - -C {{ deploy_helper.new_release_path }} + shell: | + set -eo pipefail + git archive {{ project_version }} {{ project.repo_subtree_path }} | tar -x --strip-components {{ project.repo_subtree_path.split('/') | count }} -f - -C {{ deploy_helper.new_release_path }} args: chdir: "{{ project_source_path }}" + executable: /bin/bash when: project.repo_subtree_path is defined - name: write unfinished file diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index 480d910253..ea5780d4e5 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -15,9 +15,12 @@ - name: Generate Lets Encrypt certificate IDs shell: | + set -eo pipefail echo "{{ [site_hosts | join(' '), letsencrypt_ca, acme_tiny_commit] | join('\n') }}" | cat {{ letsencrypt_account_key }} {{ letsencrypt_keys_dir }}/{{ item.key }}.key - | md5sum | cut -c -7 + args: + executable: /bin/bash register: generate_cert_ids changed_when: false when: site_uses_letsencrypt diff --git a/roles/rollback/tasks/prior-release.yml b/roles/rollback/tasks/prior-release.yml index 1788aeebe8..8ea0271e85 100644 --- a/roles/rollback/tasks/prior-release.yml +++ b/roles/rollback/tasks/prior-release.yml 
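Review bot: Both rewritten `git archive … | tar …` scripts in roles/deploy/tasks/prepare.yml interpolate `{{ project_version }}`, `{{ project.repo_subtree_path }}` and `{{ deploy_helper.new_release_path }}` into bash unquoted. A value containing whitespace or shell metacharacters is then split or interpreted by the shell instead of being passed as a single argument. Ansible's `quote` filter avoids that, e.g. `git archive {{ project_version | quote }} | tar xf - -C {{ deploy_helper.new_release_path | quote }}`, and likewise for the subtree variant.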
@@ -1,8 +1,11 @@ --- - name: Get list position of current symlinked release - shell: "ls releases | grep -n $(basename $(readlink {{ project_current_path }})) | cut -f1 -d:" + shell: | + set -eo pipefail + ls releases | grep -n $(basename $(readlink {{ project_current_path }})) | cut -f1 -d: args: chdir: "{{ project_root }}" + executable: /bin/bash register: current_release_position - name: Fail if current release is the oldest available release From 37ab5d5da0f86cea806400fae6bf5294d3d09f6d Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 17:17:30 +0000 Subject: [PATCH 182/416] Void rolled back releases --- CHANGELOG.md | 1 + roles/rollback/tasks/main.yml | 29 +++++++++++++++++++---------- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8dee7ada8b..1810e62e73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) * Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152)) +* Void rolled back releases ([#1148](https://github.com/roots/trellis/pull/1148)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index 4185f2729b..cdf03f52d5 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml 
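Review bot: Under `set -eo pipefail` the `Get list position of current symlinked release` task in roles/rollback/tasks/prior-release.yml now fails whenever `grep -n` matches nothing, because grep's exit status 1 is no longer masked by `cut`. The operator then gets a raw shell failure rather than whatever the following `Fail if current release is the oldest available release` task would have reported; that task's condition is outside the hunk, so this is worth checking. If an empty position is meant to be handled there, the grep stage can be wrapped as `{ grep -n … || true; }` so only the other stages' failures stay fatal.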
@@ -1,22 +1,31 @@ --- +- name: Get real path of current symlinked release + command: "readlink {{ project_current_path }}" + args: + chdir: "{{ project_root }}" + register: current_release_readlink_result + +- name: Clean up old and failed releases + deploy_helper: + state: clean + path: "{{ project_root }}" + current_path: "{{ project_current_path }}" + release: "{{ current_release_readlink_result.stdout }}" + keep_releases: "{{ project.deploy_keep_releases | default(deploy_keep_releases | default(omit)) }}" + - import_tasks: user-release.yml when: release is defined - import_tasks: prior-release.yml when: release is not defined -- name: Check whether target release was from a successful deploy - stat: - path: "{{ new_release_path }}/DEPLOY_UNFINISHED" - register: target - -- name: Fail if target release was from failed deploy - fail: - msg: "Cannot switch to release at {{ new_release_path }}. It is from an unfinished deploy. You may manually specify a different release using --extra-vars='release=12345678901234'." - when: target.stat.exists | default(False) - - name: Link 'current' directory to target release file: path: "{{ project_root }}/{{ project_current_path }}" src: "{{ new_release_path }}" state: link + +- name: Write unfinished file to old symlinked release + file: + path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED" + state: touch From 0dab6ddb9250e48f476f96aa324638ed86a4d411 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 17:35:09 +0000 Subject: [PATCH 183/416] Update change log entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8dee7ada8b..f1873d3a90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
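Review bot: `release: "{{ current_release_readlink_result.stdout }}"` in the new `Clean up old and failed releases` task passes the raw `readlink` output, which is presumably a path, while `deploy_helper` documents `release` as a release version name. If the module compares it with the directory names under `releases`, the currently linked release is not exempted from cleanup and could be pruned by `keep_releases` before the rollback switches away from it. `release: "{{ current_release_readlink_result.stdout | basename }}"` would pass the name; please confirm against the module. The final task also builds a path from the same value without `chdir`, so it relies on the link target being absolute.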
@@ -9,6 +9,7 @@ * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) * Lint: Fix: `[206] Variables should have spaces before and after: {{ var_name }}` ([#1152](https://github.com/roots/trellis/pull/1152)) +* Lint: Fix `[301] Commands should not change things if nothing needs doing ([#1139](https://github.com/roots/trellis/pull/1139)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) From a63d72706d8537edb4705c35a188c5ce1c7ae2f6 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Mon, 13 Jan 2020 15:49:47 +0000 Subject: [PATCH 184/416] CircleCI: `ansible-lint` playbooks Taken from https://github.com/ItinerisLtd/trellis_install_wp_cli_via_composer/blob/a1bc936d033641cc54556da5a7501d0685f8361d/.circleci/config.yml#L24-L32 --- .ansible-lint | 3 +++ .circleci/config.yml | 12 ++++++++++++ roles/deploy/tasks/update.yml | 2 +- 3 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000000..93b07a23e5 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,3 @@ +--- +skip_list: + - 204 # Lines should be no longer than 160 chars diff --git a/.circleci/config.yml b/.circleci/config.yml index f71bbe5faf..a08cadd5ff 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -52,6 +52,15 @@ orbs: ansible-playbook --syntax-check -e env=development rollback.yml ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml + lint: + executor: python-3 + steps: + - run: python --version + - checkout + - run: sudo pip install ansible-lint + - run: ansible-lint --version + - run: ansible-lint deploy.yml dev.yml server.yml rollback.yml xdebug-tunnel.yml + workflows: syntax-check: jobs: 
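Review bot: The new `lint` job in .circleci/config.yml installs the linter with an unpinned `sudo pip install ansible-lint`, so the rule set CI enforces changes whenever a new release is published. The numeric rule ids this commit relies on (`204` in `.ansible-lint`, `# noqa 303` in roles/deploy/tasks/update.yml) only mean something for a given linter version, and the neighbouring syntax-check jobs already pin Ansible through `ansible-version`. I would pin it the same way, `- run: sudo pip install 'ansible-lint==<PINNED_VERSION>'` (placeholder for the version the rules were checked against), and bump it deliberately.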
@@ -80,3 +89,6 @@ workflows: name: syntax-check-python-2-ansible-2.7 python-version: '2' ansible-version: ~=2.7.0 + lint: + jobs: + - trellis/lint diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 305bc82f59..fcbe6b4e52 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -33,7 +33,7 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding when: git_clone is failed -- name: Remove untracked files from project folder +- name: Remove untracked files from project folder # noqa 303 command: git clean -fdx args: chdir: "{{ project_source_path }}" From f5784335e9b2db8d1b0a546d09ad5fbd061e5b76 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 22 Feb 2020 18:01:59 +0000 Subject: [PATCH 185/416] Lint: Fix: `[301] Commands should not change things if nothing needs doing` --- roles/rollback/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index cdf03f52d5..f8bd6f80c3 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml @@ -4,6 +4,7 @@ args: chdir: "{{ project_root }}" register: current_release_readlink_result + changed_when: false - name: Clean up old and failed releases deploy_helper: From 95aa21293474f1ada30716dcd8c581583233596c Mon Sep 17 00:00:00 2001 From: Adam Tomat Date: Mon, 2 Mar 2020 19:55:01 +0000 Subject: [PATCH 186/416] Prevent search engines indexing any non-production environments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add “X-Robots-Tag: noindex, nofollow” header to nginx conf for all requests when on staging. See: https://make.wordpress.org/core/2019/09/02/changes-to-prevent-search-engines-indexing-sites/ --- roles/wordpress-setup/defaults/main.yml | 5 +++++ roles/wordpress-setup/templates/wordpress-site.conf.j2 | 8 ++++++++ 2 files changed, 13 insertions(+) 
diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 5b2e1768ee..d20ca05bb9 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -50,6 +50,11 @@ h5bp_cross_domain_fonts_enabled: "{{ h5bp.cross_domain_fonts | default(true) }}" h5bp_expires_enabled: "{{ h5bp.expires | default(false) }}" h5bp_protect_system_files_enabled: "{{ h5bp.protect_system_files | default(true) }}" +# X-Robots-Tag Header helpers +not_prod: "{{ env != 'production' }}" +robots_tag_header: "{{ item.value.robots_tag_header | default({}) }}" +robots_tag_header_enabled: "{{ robots_tag_header.enabled | default(not_prod) }}" + # PHP FPM php_fpm_pm_max_children: 10 php_fpm_pm_start_servers: 1 diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 0e3b1270df..73830f31a5 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -218,6 +218,14 @@ server { {% endif -%} {% endblock -%} + {% block robots_tag_header -%} + {% if robots_tag_header_enabled -%} + # Prevent search engines from indexing non-production environments + add_header X-Robots-Tag "noindex, nofollow" always; + + {% endif -%} + {% endblock -%} + {% block location_php -%} location ~ \.php$ { {% block location_php_basic -%} From 1f4b10aef6d9b610ab425d01b1fe1faeb3250f50 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 14 Mar 2020 17:04:45 +0000 Subject: [PATCH 187/416] Add `WP_DEBUG_LOG` to `.env` --- CHANGELOG.md | 1 + group_vars/all/helpers.yml | 1 + roles/deploy/vars/main.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 997d4fa0dc..d69eea7eaa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
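Review bot: `add_header X-Robots-Tag "noindex, nofollow" always;` in the new `robots_tag_header` block is emitted at `server` level, and nginx inherits `add_header` directives into a `location` only when that location declares none of its own. Any location in this template, or in an included snippet, that sets its own `add_header` would therefore respond without `X-Robots-Tag`, and non-production URLs served from it could still be indexed. The rest of the template is outside this hunk, so this needs checking against the rendered config. A comment on the block stating the limitation would help, e.g. `# NOTE: not inherited by locations that define their own add_header`.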
@@ -12,6 +12,7 @@ * Lint: Fix: `[306] Shells that use pipes should set the pipefail option ([#1153](https://github.com/roots/trellis/pull/1153)) * Lint: Fix `[301] Commands should not change things if nothing needs doing ([#1139](https://github.com/roots/trellis/pull/1139)) * Void rolled back releases ([#1148](https://github.com/roots/trellis/pull/1148)) +* Add `WP_DEBUG_LOG` to `.env` on deploy ([#1160](https://github.com/roots/trellis/pull/1160)) ### 1.3.0: December 7th, 2019 * Add `git_sha` and `release_version` to `.env` on deploy ([#1124](https://github.com/roots/trellis/pull/1124)) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 20a70ecf80..1e56f5c083 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -8,6 +8,7 @@ wordpress_env_defaults: wp_home: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}" wp_siteurl: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}/wp" domain_current_site: "{{ site_hosts_canonical | first }}" + wp_debug_log: "{{ www_root }}/{{ item.key }}/logs/debug.log" site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index 7015d3451b..c01bfc82c6 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml @@ -9,5 +9,6 @@ wordpress_env_defaults: domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" git_sha: "{{ git_clone.after }}" release_version: "{{ deploy_helper.new_release }}" + wp_debug_log: "{{ project_root }}/logs/debug.log" site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" 
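Review bot: The new `wp_debug_log` entry is defined twice with different expressions, `{{ www_root }}/{{ item.key }}/logs/debug.log` in group_vars/all/helpers.yml and `{{ project_root }}/logs/debug.log` in roles/deploy/vars/main.yml, and nothing in either hunk says they must resolve to the same file. A comment on both, such as `# must match wp_debug_log in roles/deploy/vars/main.yml; keep outside the web root`, would document the coupling and the reason for the location. Debug logs tend to hold stack traces and query text, so it is worth confirming that the `logs` directory is not reachable through Nginx and is not world-readable; neither is visible here. Both mappings continue outside the hunks.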
From d9ac670f7136e98101bc37cb5dbe9931f26cb271 Mon Sep 17 00:00:00 2001 From: Mark Jaquith Date: Tue, 31 Mar 2020 13:17:12 -0400 Subject: [PATCH 188/416] Update to PHP 7.4 fixes #1163 --- CHANGELOG.md | 1 + README.md | 2 +- dev.yml | 2 +- group_vars/all/users.yml | 2 +- roles/common/handlers/main.yml | 2 +- roles/deploy/hooks/finalize-after.yml | 2 +- roles/php/defaults/main.yml | 24 ++++++++++++------------ roles/php/tasks/main.yml | 24 +++++++++++++++++++----- roles/wordpress-setup/tasks/main.yml | 6 +++--- roles/xdebug/tasks/main.yml | 10 +++++----- server.yml | 2 +- xdebug-tunnel.yml | 2 +- 12 files changed, 47 insertions(+), 32 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d69eea7eaa..5e920fe203 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### Head +* Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) * Fix `subjectAltName` for self-signed certificates ([#1128](https://github.com/roots/trellis/pull/1128)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) diff --git a/README.md b/README.md index 797441b887..2f73ebdab3 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ Trellis will configure a server with the following and more: * Ubuntu 18.04 Bionic LTS * Nginx (with optional FastCGI micro-caching) -* PHP 7.3 +* PHP 7.4 * MariaDB (a drop-in MySQL replacement) * SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) * Let's Encrypt for free SSL certificates diff --git a/dev.yml b/dev.yml index 4159951902..f6658d9f58 100644 --- a/dev.yml +++ b/dev.yml 
@@ -6,7 +6,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: "WordPress Server: Install LEMP Stack with PHP 7.3 and MariaDB MySQL" +- name: "WordPress Server: Install LEMP Stack with PHP 7.4 and MariaDB MySQL" hosts: web:&development become: yes remote_user: vagrant diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index 2290fea7de..b61f4342cc 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -19,4 +19,4 @@ users: web_user: web web_group: www-data web_sudoers: - - "/usr/sbin/service php7.3-fpm *" + - "/usr/sbin/service php7.4-fpm *" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index ad0488c90b..a42884d2d3 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -9,7 +9,7 @@ - name: reload php-fpm service: - name: php7.3-fpm + name: php7.4-fpm state: reloaded - import_tasks: reload_nginx.yml diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index f7c2a1f756..751c27e0f3 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -34,6 +34,6 @@ when: wp_installed.rc == 0 - name: Reload php-fpm - shell: sudo service php7.3-fpm reload + shell: sudo service php7.4-fpm reload args: warn: false diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index f59a03b044..169df595ce 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml 
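Review bot: The sudoers entry `"/usr/sbin/service php7.4-fpm *"` in group_vars/all/users.yml and the deploy hook `shell: sudo service php7.4-fpm reload` in roles/deploy/hooks/finalize-after.yml change together, but they are applied by different playbooks. A server that is deployed to before it has been re-provisioned would still carry the php7.3 rule, so the reload step would presumably fail at the sudo call; an upgrade note telling users to provision first would cover it. The trailing `*` also lets `web_user` run any service action, while the only use visible in this patch is `reload`; if nothing else depends on it, `"/usr/sbin/service php7.4-fpm reload"` is the tighter rule. The PHP version is hard-coded in each of these hunks and in the handlers, so a single `php_version` variable would turn the next bump into a one-line change.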
@@ -2,18 +2,18 @@ disable_default_pool: true memcached_sessions: false php_extensions_default: - php7.3-cli: "{{ apt_package_state }}" - php7.3-common: "{{ apt_package_state }}" - php7.3-curl: "{{ apt_package_state }}" - php7.3-dev: "{{ apt_package_state }}" - php7.3-fpm: "{{ apt_package_state }}" - php7.3-gd: "{{ apt_package_state }}" - php7.3-mbstring: "{{ apt_package_state }}" - php7.3-mysql: "{{ apt_package_state }}" - php7.3-opcache: "{{ apt_package_state }}" - php7.3-xml: "{{ apt_package_state }}" - php7.3-xmlrpc: "{{ apt_package_state }}" - php7.3-zip: "{{ apt_package_state }}" + php7.4-cli: "{{ apt_package_state }}" + php7.4-common: "{{ apt_package_state }}" + php7.4-curl: "{{ apt_package_state }}" + php7.4-dev: "{{ apt_package_state }}" + php7.4-fpm: "{{ apt_package_state }}" + php7.4-gd: "{{ apt_package_state }}" + php7.4-mbstring: "{{ apt_package_state }}" + php7.4-mysql: "{{ apt_package_state }}" + php7.4-opcache: "{{ apt_package_state }}" + php7.4-xml: "{{ apt_package_state }}" + php7.4-xmlrpc: "{{ apt_package_state }}" + php7.4-zip: "{{ apt_package_state }}" php_extensions_custom: {} php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index ceaf843c05..3914ab70ed 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -1,22 +1,36 @@ --- -- name: Add PHP 7.3 PPA +- name: Add PHP 7.4 PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.3 +- name: Install PHP 7.4 apt: name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" -- name: Start php7.3-fpm service +- name: Start php7.4-fpm service service: - name: php7.3-fpm + name: php7.4-fpm state: started enabled: true +- name: Check for existing php7.3-fpm service + stat: + path: /etc/init.d/php7.3-fpm + register: php73_status + +- name: Stop php7.3-fpm service if it exists + service: + name: php7.3-fpm + state: stopped + enabled: false + register: service_stopped + when: php73_status.stat.exists + notify: reload php-fpm + - name: Check for existing php7.2-fpm service stat: path: /etc/init.d/php7.2-fpm @@ -34,5 +48,5 @@ - name: PHP configuration file template: src: php.ini.j2 - dest: /etc/php/7.3/fpm/php.ini + dest: /etc/php/7.4/fpm/php.ini notify: reload php-fpm diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 59e3dc60f4..561811eba7 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -26,13 +26,13 @@ - name: Create WordPress php-fpm configuration file template: src: php-fpm.conf.j2 - dest: /etc/php/7.3/fpm/pool.d/wordpress.conf + dest: /etc/php/7.4/fpm/pool.d/wordpress.conf notify: reload php-fpm - name: Disable default PHP-FPM pool - command: mv /etc/php/7.3/fpm/pool.d/www.conf /etc/php/7.3/fpm/pool.d/www.disabled + command: mv /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.disabled args: - creates: /etc/php/7.3/fpm/pool.d/www.disabled + creates: /etc/php/7.4/fpm/pool.d/www.disabled when: disable_default_pool | default(true) notify: reload php-fpm diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index deadc88c50..6463d234e0 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
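Review bot: The added `Stop php7.3-fpm service if it exists` task only stops and disables the old service, so the php7.3 packages, their files under /etc/php/7.3 and the binaries stay installed while the role no longer configures them. If that is intended, a comment saying so would help; otherwise a follow-up `apt` task with `state: absent` for the retired packages would finish the migration. `register: service_stopped` is not read anywhere in this hunk and can probably be dropped. The stat/stop pair now exists once for 7.3 and once for 7.2, so a loop over a list of retired versions would remove the duplication.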
@@ -9,13 +9,13 @@ - name: Template the Xdebug configuration file template: src: xdebug.ini.j2 - dest: /etc/php/7.3/mods-available/xdebug.ini + dest: /etc/php/7.4/mods-available/xdebug.ini notify: reload php-fpm - name: Ensure 20-xdebug.ini is present file: - src: /etc/php/7.3/mods-available/xdebug.ini - dest: /etc/php/7.3/fpm/conf.d/20-xdebug.ini + src: /etc/php/7.4/mods-available/xdebug.ini + dest: /etc/php/7.4/fpm/conf.d/20-xdebug.ini state: link notify: reload php-fpm @@ -23,12 +23,12 @@ - name: Disable Xdebug file: - path: /etc/php/7.3/fpm/conf.d/20-xdebug.ini + path: /etc/php/7.4/fpm/conf.d/20-xdebug.ini state: absent when: not xdebug_remote_enable | bool notify: reload php-fpm - name: Disable Xdebug CLI file: - path: /etc/php/7.3/cli/conf.d/20-xdebug.ini + path: /etc/php/7.4/cli/conf.d/20-xdebug.ini state: absent diff --git a/server.yml b/server.yml index 7c44723477..cb6db5ca53 100644 --- a/server.yml +++ b/server.yml @@ -16,7 +16,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: WordPress Server - Install LEMP Stack with PHP 7.3 and MariaDB MySQL +- name: WordPress Server - Install LEMP Stack with PHP 7.4 and MariaDB MySQL hosts: web:&{{ env }} become: yes roles: diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 2c8a975438..d85a1c59cb 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -15,5 +15,5 @@ handlers: - name: reload php-fpm service: - name: php7.3-fpm + name: php7.4-fpm state: reloaded From bf0cf3bdfe99e40bc4600ebcbe4f678e3d174239 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 2 Apr 2020 09:56:41 -0400 Subject: [PATCH 189/416] v1.4.0 --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e920fe203..2f0d820ecb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,11 +1,11 @@ -### Head +### 1.4.0: April 2nd, 2020 * Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) * Fix `subjectAltName` for self-signed certificates ([#1128](https://github.com/roots/trellis/pull/1128)) * `composer install` without `--no-scripts` during deploy ([#1133](https://github.com/roots/trellis/pull/1133)) * Allow `composer install` with `--classmap-authoritative` during deploy ([#1132](https://github.com/roots/trellis/pull/1132)) * Use modern SSL config for Nginx ([#1127](https://github.com/roots/trellis/pull/1127)) -* Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder (#[1145])(https://github.com/roots/trellis/pull/1145) +* Fix `DEPLOY_UNFINISHED` not being copied over to `release` folder ([#1145](https://github.com/roots/trellis/pull/1145)) * Deploy: Remove untracked files from project folder ([#1146](https://github.com/roots/trellis/pull/1146)) * Nginx: Block `composer/installed.json` ([#1150](https://github.com/roots/trellis/pull/1150)) * Run `git clean` after checking `git clone` is successful ([#1151](https://github.com/roots/trellis/pull/1151)) From acf2e7cfc4b60bd8264c6fb2a45fd903b1862243 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 4 Apr 2020 17:53:25 -0400 Subject: [PATCH 190/416] Bump version_tested_max to 2.8.10 --- CHANGELOG.md | 3 +++ lib/trellis/plugins/vars/version.py | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2f0d820ecb..a3c666b90a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) + ### 1.4.0: April 2nd, 2020 * Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) * Update `wp_cli_version` to 2.4.0 ([#1131](https://github.com/roots/trellis/pull/1131)) 
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 93c325ab34..85bbc64a32 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.7.12' -version_tested_max = '2.8.4' +version_tested_max = '2.8.10' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): From 2f198e5efac5e78fc5e821a1d6334b675d5c6e08 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 4 Apr 2020 21:18:38 -0400 Subject: [PATCH 191/416] Fix Callback plugin for Ansible 2.9 --- lib/trellis/plugins/callback/output.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index 9bb2cbede6..7344b803aa 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py @@ -5,6 +5,14 @@ import os.path import sys +DOCUMENTATION = ''' + callback: output + type: stdout + short_description: Custom output for Trellis + extends_documentation_fragment: + - default_callback +''' + from ansible.plugins.callback.default import CallbackModule as CallbackModule_default try: From be670b165b207932957f1b87d28242e7f898a5dc Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 5 Apr 2020 11:05:44 -0400 Subject: [PATCH 192/416] Use no_log for passwords --- roles/mariadb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index f4e21e561e..15db772874 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -39,6 +39,7 @@ password: "{{ mysql_root_password }}" check_implicit_admin: yes state: present + no_log: true with_items: - "{{ inventory_hostname }}" - 127.0.0.1 From 6b8aed676869dc77ab03c13d27ed0eb361fa5b9c Mon Sep 17 00:00:00 2001 
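Review bot: `no_log: true` is added to a single looped task in roles/mariadb/tasks/main.yml, the one that sets `password: "{{ mysql_root_password }}"`, and the rest of the file is outside the hunk. Any other task there that passes the root password, for example as a login password or through a templated client config, would still print it in verbose or failure output, so those tasks should be checked for the same flag. Since `no_log` also hides the error text when the task fails, a comment such as `# no_log keeps the root password out of per-item loop output` would tell the next maintainer why diagnostics are missing. The task's name and module line start above the hunk.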
From: Scott Walkinshaw Date: Sun, 5 Apr 2020 11:05:58 -0400 Subject: [PATCH 193/416] Coerce value to string --- roles/memcached/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index dc62343926..359ee645f3 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -15,7 +15,7 @@ - name: Set the max open file descriptors sysctl: name: fs.file-max - value: "{{ memcached_fs_file_max }}" + value: "{{ memcached_fs_file_max | string }}" state: present - name: Start the memcached service From 1a7f473105260c631a140441fb40fcb191016f77 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 22 Jan 2020 05:05:23 +0000 Subject: [PATCH 194/416] Bump ansible requirement to 2.8.0 https://github.com/roots/trellis/pull/1141 bases on https://github.com/ansible/ansible-lint/issues/457#issuecomment-455038475 which depends on https://github.com/ansible/ansible/pull/51030 which merged into anisble v2.8.0. --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- requirements.txt | 2 +- vagrant.default.yml | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3c666b90a..969d7b1bb4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### HEAD * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) +* Bump Ansible requirement to 2.8.0 ([#1147](https://github.com/roots/trellis/pull/1147)) ### 1.4.0: April 2nd, 2020 * Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 85bbc64a32..afdcf34f60 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
@@ -14,7 +14,7 @@ from ansible.utils.display import Display display = Display() -version_requirement = '2.7.12' +version_requirement = '2.8.0' version_tested_max = '2.8.10' python3_required_version = '2.5.3' diff --git a/requirements.txt b/requirements.txt index eb776ef0e2..05cb7d2920 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.7.12,<2.9 +ansible>=2.8.0,<2.9 passlib diff --git a/vagrant.default.yml b/vagrant.default.yml index 64b48f7dfe..a41258b078 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-18.04' vagrant_box_version: '>= 201807.12.0' -vagrant_ansible_version: '2.7.12' +vagrant_ansible_version: '2.8.0' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From 5f60808e5078e7369e013a1a182411ee00430cf3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 4 Apr 2020 17:17:56 -0400 Subject: [PATCH 195/416] Remove 2.7 cli options compat code --- lib/trellis/plugins/callback/vars.py | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 338d8f9597..9cd0f941e2 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -13,6 +13,7 @@ from ansible.plugins.callback import CallbackBase from ansible.template import Templar from ansible.utils.unsafe_proxy import wrap_var +from ansible import context class CallbackModule(CallbackBase): @@ -23,13 +24,7 @@ class CallbackModule(CallbackBase): def __init__(self): super(CallbackModule, self).__init__() - - # handle Ansible 2.7 and 2.8 cases by normalizing each into a dict - try: - from ansible import context - self._options = context.CLIARGS - except ImportError: - self._options = vars(cli.options) if cli else {} + self._options = context.CLIARGS def raw_triage(self, key_string, item, patterns): # process dict values 
From 980b1425b96c9d9e80acaab5e7a777d41cd9df27 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Mon, 6 Apr 2020 12:59:35 +0100 Subject: [PATCH 196/416] CircleCI: Drop ansible 2.7 tests --- .circleci/config.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index a08cadd5ff..88679c8332 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -72,10 +72,6 @@ workflows: name: syntax-check-python-3-ansible-2.8 python-version: '3' ansible-version: ~=2.8.0 - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.7 - python-version: '3' - ansible-version: ~=2.7.0 - trellis/syntax-check: name: syntax-check-python-2-ansible-latest @@ -85,10 +81,6 @@ workflows: name: syntax-check-python-2-ansible-2.8 python-version: '2' ansible-version: ~=2.8.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.7 - python-version: '2' - ansible-version: ~=2.7.0 lint: jobs: - trellis/lint From d2d7e93f652290e13cdb3ff8dfd0db03f80d9e2a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 6 Apr 2020 09:18:31 -0400 Subject: [PATCH 197/416] Remove nginx_includes_deprecated feature This has been deprecated for almost 4 years now. The proper solution is documented at https://roots.io/docs/trellis/master/nginx-includes/. --- CHANGELOG.md | 1 + roles/wordpress-setup/defaults/main.yml | 3 +-- roles/wordpress-setup/tasks/nginx-includes.yml | 6 ------ 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3c666b90a..5fa60a310b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) ### 1.4.0: April 2nd, 2020 diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index d20ca05bb9..7bbf3961dc 100644 
--- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -34,8 +34,7 @@ nginx_cache_background_update: "on" # Nginx includes nginx_includes_templates_path: nginx-includes -nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d -nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }}|{{ nginx_includes_deprecated | regex_escape }})/(.*)\\.j2$" +nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }})/(.*)\\.j2$" nginx_includes_d_cleanup: true # h5bp helpers diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 960a82fdf1..0b350dd262 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -3,18 +3,12 @@ find: paths: - "{{ nginx_includes_templates_path }}" - - "{{ nginx_includes_deprecated }}" pattern: "*.conf.j2" recurse: yes become: no delegate_to: localhost register: nginx_includes_templates -- name: Warn about deprecated Nginx includes directory - debug: - msg: "[DEPRECATION WARNING]: The `{{ nginx_includes_deprecated }}` directory for Trellis Nginx includes templates is deprecated and will no longer function beginning with Trellis 1.0. Please move these templates to a directory named `{{ nginx_includes_templates_path }}` in the root of this project. For more information, see https://roots.io/trellis/docs/nginx-includes/" - when: True in nginx_includes_templates.files | map(attribute='path') | map('search', nginx_includes_deprecated | regex_escape) | list - - name: Create includes.d directories file: path: "{{ nginx_path }}/includes.d/{{ item }}" From aa9f17dd6dcff0fc12dafbf0cbe6837466a4a214 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Sat, 4 Apr 2020 19:19:41 -0400 Subject: [PATCH 198/416] Support Ansible 2.9 --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- requirements.txt | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 665eaa7e4c..eae5fa5774 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169)) * [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) * Bump Ansible requirement to 2.8.0 ([#1147](https://github.com/roots/trellis/pull/1147)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index afdcf34f60..6c14527cc6 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.8.0' -version_tested_max = '2.8.10' +version_tested_max = '2.9.6' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/requirements.txt b/requirements.txt index 05cb7d2920..cecd05381d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.8.0,<2.9 +ansible>=2.8.0,<3.0 passlib From 67eee56a5134a626bf05f7f347a1a5babf800c28 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Mon, 6 Apr 2020 12:51:13 +0100 Subject: [PATCH 199/416] CircleCI: Add ansible 2.9 tests --- .circleci/config.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 88679c8332..4c4e865bce 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
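Review bot: The new constraint `ansible>=2.8.0,<3.0` in requirements.txt admits every future 2.x release, while the same commit sets `version_tested_max = '2.9.6'` in lib/trellis/plugins/vars/version.py. A fresh install could therefore resolve to a minor version the playbooks have not been run against; `ansible>=2.8.0,<2.10` would match what has been tested. `passlib` on the next line has no version bound at all, so giving it a range too would make installs reproducible.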
@@ -68,6 +68,10 @@ workflows: name: syntax-check-python-3-ansible-latest python-version: '3' ansible-version: '' + - trellis/syntax-check: + name: syntax-check-python-3-ansible-2.9 + python-version: '3' + ansible-version: ~=2.9.0 - trellis/syntax-check: name: syntax-check-python-3-ansible-2.8 python-version: '3' @@ -77,6 +81,10 @@ workflows: name: syntax-check-python-2-ansible-latest python-version: '2' ansible-version: '' + - trellis/syntax-check: + name: syntax-check-python-2-ansible-2.9 + python-version: '2' + ansible-version: ~=2.9.0 - trellis/syntax-check: name: syntax-check-python-2-ansible-2.8 python-version: '2' From 136a6a8cc6fc79105052c888e8e2e55bb8a91ddb Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 6 Apr 2020 22:54:10 -0400 Subject: [PATCH 200/416] Fix bare variable deprecation warnings --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 4b9d9b26b8..eeb772209d 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -1,5 +1,5 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" -site_uses_letsencrypt: ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' +site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' | bool }}" missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" 
From f5609babe37064bc9288bc2b35d8986958268ffd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 7 Apr 2020 22:14:01 -0400 Subject: [PATCH 201/416] Fix site_uses_letsencrypt https://github.com/roots/trellis/pull/1175 wasn't entirely correct. This need parens around the actual conditional. --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index eeb772209d..3d924c6678 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -1,5 +1,5 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.items() | list if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" -site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' | bool }}" +site_uses_letsencrypt: "{{ (ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt') | bool }}" missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" From a8bfb35a88413373710d83701cd41d9f3ea9516e Mon Sep 17 00:00:00 2001 From: Brandon Date: Sat, 25 Apr 2020 17:11:12 -0500 Subject: [PATCH 202/416] enhance(readme): Refactor README fix(readme): Fix documentation URL's --- README.md | 137 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 97 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index 2f73ebdab3..834d3e8999 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,51 @@ -# Trellis -[![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) -[![Build Status](https://img.shields.io/circleci/build/gh/roots/trellis?style=flat-square)](https://circleci.com/gh/roots/trellis) -[![Follow Roots](https://img.shields.io/twitter/follow/rootswp.svg?style=flat-square&color=1da1f2)](https://twitter.com/rootswp) +

+ + Trellis + +

+ +

+ + MIT License + + + + Release + + + + Build Status + + + + Follow Roots + +

+ +

+ Ansible-powered LEMP stack for WordPress +
+ Built with ❤️ +

+ +

+ Official Website | Documentation | Change Log +

+ +## Supporting + +**Trellis** is an open source project and completely free to use. + +However, the amount of effort needed to maintain and develop new features and products within the Roots ecosystem is not sustainable without proper financial backing. If you have the capability, please consider donating using the links below: + +
+ +[![Donate via Patreon](https://img.shields.io/badge/donate-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) +[![Donate via PayPal](https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square&logo=paypal)](https://www.paypal.me/rootsdev) + +
+ +## Overview Ansible playbooks for setting up a LEMP stack for WordPress. 
@@ -14,39 +58,40 @@ Ansible playbooks for setting up a LEMP stack for WordPress. Trellis will configure a server with the following and more: -* Ubuntu 18.04 Bionic LTS -* Nginx (with optional FastCGI micro-caching) -* PHP 7.4 -* MariaDB (a drop-in MySQL replacement) -* SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) -* Let's Encrypt for free SSL certificates -* HTTP/2 support (requires SSL) -* Composer -* WP-CLI -* sSMTP (mail delivery) -* MailHog -* Memcached -* Fail2ban and ferm +- Ubuntu 18.04 Bionic LTS +- Nginx (with optional FastCGI micro-caching) +- PHP 7.4 +- MariaDB (a drop-in MySQL replacement) +- SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) +- Let's Encrypt for free SSL certificates +- HTTP/2 support (requires SSL) +- Composer +- WP-CLI +- sSMTP (mail delivery) +- MailHog +- Memcached +- Fail2ban and ferm ## Documentation -Full documentation is available at [https://roots.io/trellis/docs/](https://roots.io/trellis/docs/). +Full documentation is available at [https://roots.io/docs/trellis/master/installation/](https://roots.io/docs/trellis/master/installation/). ## Requirements Make sure all dependencies have been installed before moving on: -* [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -* [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 -* **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) +- [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 +- [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 +- **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) -**Windows user?** [Read the Windows getting started docs](https://roots.io/getting-started/docs/windows-development-environment-trellis/) for slightly different installation instructions. 
+**Windows user?** [Read the Windows getting started docs](https://roots.io/docs/getting-started/windows/#working-with-trellis) for slightly different installation instructions. ## Installation ### Using trellis-cli Create a new project: + ```bash $ trellis new example.com ``` @@ -55,7 +100,7 @@ $ trellis new example.com The recommended directory structure for a Trellis project looks like: -```shell +```bash example.com/ # → Root folder for the project ├── trellis/ # → Your clone of this repository └── site/ # → A Bedrock-based WordPress site @@ -66,18 +111,21 @@ example.com/ # → Root folder for the project See a complete working example in the [roots-example-project.com repo](https://github.com/roots/roots-example-project.com). - - 1. Create a new project directory: -```plain + +```bash $ mkdir example.com && cd example.com ``` + 2. Install Trellis: -```plain + +```bash $ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git ``` + 3. Install Bedrock into the `site` directory: -```plain + +```bash $ composer create-project roots/bedrock site ``` @@ -89,6 +137,7 @@ $ composer create-project roots/bedrock site 2. Customize settings if necessary Start the Vagrant virtual machine: + ```bash $ trellis up ``` 
@@ -99,43 +148,47 @@ $ trellis up 2. Ensure you're in the trellis directory: `cd trellis` 3. Run `vagrant up` -[Read the local development docs](https://roots.io/trellis/docs/local-development-setup/) for more information. +[Read the local development docs](https://roots.io/docs/trellis/master/local-development/#wordpress-installation) for more information. ## Remote server setup (staging/production) A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. -1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) +1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/docs/trellis/master/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` -3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/)) +3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/docs/trellis/master/ssh-keys/)) ### Using trellis-cli Initialize Trellis (Virtualenv) environment: + ```bash $ trellis init ``` Provision the server: + ```bash $ trellis provision production ``` -Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) support to create a Droplet *and* provision it in a single command: +Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) support to create a Droplet _and_ provision it in a single command: + ```bash $ trellis droplet create production ``` ### Manual -For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. 
+For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/docs/trellis/master/remote-server-setup/#requirements) for more information. Provision the server: + ```bash $ ansible-playbook server.yml -e env= ``` -[Read the remote server docs](https://roots.io/trellis/docs/remote-server-setup/) for more information. +[Read the remote server docs](https://roots.io/docs/trellis/master/remote-server-setup/) for more information. ## Deploying to remote servers @@ -145,11 +198,13 @@ $ ansible-playbook server.yml -e env= ### Using trellis-cli Deploy a site: + ```bash $ trellis deploy ``` Rollback a deploy: + ```bash $ trellis rollback ``` @@ -157,16 +212,18 @@ $ trellis rollback ### Manual Deploy a site: + ```bash $ ./bin/deploy.sh ``` Rollback a deploy: + ```bash $ ansible-playbook rollback.yml -e "site= env=" ``` -[Read the deploys docs](https://roots.io/trellis/docs/deploys/) for more information. +[Read the deploys docs](https://roots.io/docs/trellis/master/deployments/) for more information. ## Contributing @@ -182,8 +239,8 @@ Help support our open-source development efforts by [becoming a patron](https:// Keep track of development and community news. -* Participate on the [Roots Discourse](https://discourse.roots.io/) -* Follow [@rootswp on Twitter](https://twitter.com/rootswp) -* Read and subscribe to the [Roots Blog](https://roots.io/blog/) -* Subscribe to the [Roots Newsletter](https://roots.io/subscribe/) -* Listen to the [Roots Radio podcast](https://roots.io/podcast/) +- Participate on the [Roots Discourse](https://discourse.roots.io/) +- Follow [@rootswp on Twitter](https://twitter.com/rootswp) +- Read and subscribe to the [Roots Blog](https://roots.io/blog/) +- Subscribe to the [Roots Newsletter](https://roots.io/subscribe/) +- Listen to the [Roots Radio podcast](https://roots.io/podcast/) From 77e947b5f8bcbd97d182a62ec10051053c2f29cc Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Wed, 6 May 2020 22:32:16 -0400 Subject: [PATCH 203/416] Update size --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 834d3e8999..ef884d53b6 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@

- Trellis + Trellis

From 78980fc1f8cf4f535c61c1a19c4eb821fab4494d Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 9 May 2020 12:20:27 -0600 Subject: [PATCH 204/416] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ef884d53b6..daa24d2507 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@

- Trellis + Trellis

@@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Nestify +Kinsta KM Digital ## Community From 8fa441b891f68725f11f6977c842009d74f416cf Mon Sep 17 00:00:00 2001 From: Raphael <53143154+raph-topo@users.noreply.github.com> Date: Wed, 22 Apr 2020 23:11:58 +0200 Subject: [PATCH 205/416] Make Fail2ban services list extensible enable adding custom services in 'group_vars/'; rename default list to 'fail2ban_services_default'; create 'fail2ban_services_default'; combine 'default' & 'custom'. --- roles/fail2ban/defaults/main.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index 473ae8a0d5..eebd75bc29 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml @@ -19,8 +19,11 @@ fail2ban_chain: INPUT fail2ban_action: action_ -fail2ban_services: +fail2ban_services_default: - name: ssh port: ssh filter: sshd logpath: /var/log/auth.log + +fail2ban_services_custom: [] +fail2ban_services: "{{ fail2ban_services_default + fail2ban_services_custom }}" From 0997eaf0e27393a29b75d19568a0f2cedcae5959 Mon Sep 17 00:00:00 2001 From: Raphael <53143154+raph-topo@users.noreply.github.com> Date: Wed, 22 Apr 2020 23:20:57 +0200 Subject: [PATCH 206/416] Make Fail2ban filters pluggable enable adding custom Fail2ban filters; task style inspired from 'nginx-includes' task in 'wordpress-setup' role; add tasks to copy Fail2ban filter configurations; set default folder 'fail2ban-filters'. --- roles/fail2ban/defaults/main.yml | 3 +++ roles/fail2ban/tasks/main.yml | 22 ++++++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index eebd75bc29..47138736a5 100644 --- a/roles/fail2ban/defaults/main.yml 
+++ b/roles/fail2ban/defaults/main.yml @@ -27,3 +27,6 @@ fail2ban_services_default: fail2ban_services_custom: [] fail2ban_services: "{{ fail2ban_services_default + fail2ban_services_custom }}" + +fail2ban_filter_templates_path: fail2ban_filters +fail2ban_filter_templates_pattern: "^({{ fail2ban_filter_templates_path | regex_escape }})/(.*)\\.j2$" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index dcc6adc5ab..e109366255 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -17,6 +17,28 @@ notify: - restart fail2ban +- name: build list of fail2ban filter templates + find: + paths: + - "{{ fail2ban_filter_templates_path }}" + pattern: "*.conf.j2" + become: no + delegate_to: localhost + register: fail2ban_filter_templates + +- name: ensure configuration directory exists + file: + path: /etc/fail2ban/filter.d/ + state: directory + mode: 0755 + +- name: template fail2ban filters + template: + src: "{{ item }}" + dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" + with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" + notify: restart fail2ban + - name: ensure fail2ban starts on a fresh reboot service: name: fail2ban From beaff2e0f6268b82d8399cd8e183386740ae2739 Mon Sep 17 00:00:00 2001 From: Raphael <53143154+raph-topo@users.noreply.github.com> Date: Wed, 6 May 2020 23:42:35 +0200 Subject: [PATCH 207/416] Improve the README Add new variables and their description. Explain how to add services and filters in `group_vars` and `fail2ban_filters` respectively. --- roles/fail2ban/README.md | 68 +++++++++++++++++++++++++--------------- 1 file changed, 43 insertions(+), 25 deletions(-) diff --git a/roles/fail2ban/README.md b/roles/fail2ban/README.md index a3aa07b68e..16b707fc8a 100644 --- a/roles/fail2ban/README.md +++ b/roles/fail2ban/README.md 
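Review bot: In the `template fail2ban filters` task, `dest` is built by running `fail2ban_filter_templates_pattern` over the local path, and `regex_replace` returns its input unchanged when the pattern does not match. If `fail2ban_filter_templates_path` is overridden with a trailing slash, or `find` reports paths in a different form, the whole local path would be appended under `/etc/fail2ban/filter.d/` and the filter would not land where the jail looks for it. Deriving the name from the file itself avoids depending on the directory prefix: `dest: "/etc/fail2ban/filter.d/{{ item | basename | regex_replace('\\.j2$', '') }}"`. The task also sets no `owner`, `group` or `mode`; since fail2ban reads these files as root, stating `owner: root`, `group: root` and `mode: '0644'` (and quoting the `0755` on the directory task) would make the intended permissions explicit.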
@@ -1,19 +1,17 @@ -## What is ansible-fail2ban? +## What is this role? -It is an [ansible](http://www.ansible.com/home) role to install and configure fail2ban. +This role installs and configures [Fail2ban](https://github.com/fail2ban/fail2ban). -### What problem does it solve and why is it useful? - -Security is important and fail2ban is an excellent tool to harden your server with minimal or even no configuration. +Fail2ban is an excellent tool to harden your server with minimal configuration. ## Role variables -Below is a list of default values along with a description of what they do. +Below is a list of available variables, their description and their default value within Trellis. -``` +```yaml # Which log level should it be output as? -# Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Default: ERROR -fail2ban_loglevel: WARNING +# Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. +fail2ban_loglevel: INFO # Where should log outputs be sent to? # SYSLOG, STDERR, STDOUT, file @@ -56,10 +54,25 @@ fail2ban_chain: INPUT # action_, action_mw, action_mwl fail2ban_action: action_ -# What services should fail2ban monitor? -# You can define fail2ban_services as an empty string to not monitor anything. +# Trellis by default only monitors SSH connections +# For available parameters, see fail2ban_services_custom below. +fail2ban_services_default: + - name: ssh + port: ssh + filter: sshd + logpath: /var/log/auth.log + +# In which folder did you place custom filters? +# Filters MUST have .conf.j2 extension to copied to the servers. +fail2ban_filter_templates_path: fail2ban_filters +``` + +The following list variable is available for custom services (to be set up in `group_vars`): + +```yaml +# Which additional services should fail2ban monitor? # You can define multiple services as a standard yaml list. -fail2ban_services: +fail2ban_services_custom: # The name of the service # REQUIRED. - name: ssh 
@@ -77,11 +90,11 @@ fail2ban_services: # OPTIONAL: Defaults to the protocol listed above. protocol: tcp - # What filter should it use? + # Which filter should it use? # REQUIRED. filter: sshd - # Which log path should it monitor? + # Which log file should it monitor? # REQUIRED. logpath: /var/log/auth.log 
@@ -96,24 +109,29 @@ fail2ban_services: # How should the ban be applied? # OPTIONAL: Defaults to the banaction listed above. banaction: iptables-multiport + ``` -## Example playbook +## Custom Settings -Let's say you want to edit a few values, you can do this by opening `group_vars/all` and then add the following: +To add services, you might add the following to `group_vars/all/security.yml`, e.g.: -``` -fail2ban_services: - - name: ssh - port: ssh - filter: sshd +```yaml +fail2ban_services_custom: + - name: wordpress + filter: wordpress logpath: /var/log/auth.log - - name: postfix - port: smtp,ssmtp - filter: postfix - logpath: /var/log/mail.log + maxretry: 2 ``` +To add the corresponding filter, add it to the folder specified in `fail2ban_filter_templates_path`, i.e. `fail2ban_filters` per default (next to the `group_vars` folder). The filter configuration must be of `.conf.j2` extension for Trellis to recognize it. + +Filters might be provided by plugins as `.conf` files: it is then enough to simply append the file name with `.j2`. It is not required to modify these provided filters, but you may customize them to your liking. + +To develop custom filters, refer to the Fail2ban wiki: [How Fail2ban works](https://github.com/fail2ban/fail2ban/wiki/How-fail2ban-works) and [How to ban something…](https://github.com/fail2ban/fail2ban/wiki/How-to-ban-something-other-as-host-(IP-address),-like-user-or-mail,-etc.) for simple filter rules or [Developing Filters](https://fail2ban.readthedocs.io/en/latest/filters.html) for complex setups. + +If you need to edit the default services, copy the `fail2ban_services_default` list from `roles/fail2ban/defaults/main.yml` to `group_vars/all/security.yml` and edit as needed. + ## Attribution Many thanks to [nickjj](https://github.com/nickjj/) for creating the [original version](https://github.com/nickjj/ansible-fail2ban/) of this role. From 2fbed9d8b54d7d67fe0a494fede6e9eb33b91d4c Mon Sep 17 00:00:00 2001 
From: Raphael <53143154+raph-topo@users.noreply.github.com> Date: Sun, 10 May 2020 23:09:02 +0200 Subject: [PATCH 208/416] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index eae5fa5774..326b71b838 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) * Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169)) * [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) From 2ba823f2ecffe2642f791f0e824caf55ac4b5b4b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 12 May 2020 21:08:18 -0400 Subject: [PATCH 209/416] Improve ip_whitelist in development Fixes #1181 `ansible_default_ipv4.gateway` wasn't a good default as it wasn't the actual Vagrant external IP (`192.168.50.5`). `ansible_all_ipv4_addresses` is the replacement which includes that IP. This also moves the development specific override to the proper development config. --- CHANGELOG.md | 1 + group_vars/all/main.yml | 2 +- group_vars/development/main.yml | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 326b71b838..d4d29e8cf9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### HEAD * Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) +* Improve ip_whitelist in development ([#1183](https://github.com/roots/trellis/pull/1183)) * Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169)) * [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) 
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index e7f9bd85fc..42349954d0 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -9,7 +9,7 @@ ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www ip_whitelist: - - "{{ (env == 'development') | ternary(ansible_default_ipv4.gateway, ipify_public_ip | default('')) }}" + - "{{ ipify_public_ip | default('') }}" # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml index 8d7c15913c..b922a41a5f 100644 --- a/group_vars/development/main.yml +++ b/group_vars/development/main.yml @@ -1,5 +1,6 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" env: development ferm_enabled: false +ip_whitelist: "{{ ansible_all_ipv4_addresses }}" mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml web_user: vagrant From 6968b444b8b109885c6004277f4e4585cf205efc Mon Sep 17 00:00:00 2001 
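Review bot: In `group_vars/all/main.yml` the list still evaluates to `['']` when `ipify_public_ip` is undefined, because `default('')` substitutes an empty string instead of dropping the entry; how the consumers of `ip_whitelist` treat an empty element is not visible in this patch. Filtering it out would give an empty whitelist in that case, for example `ip_whitelist: "{{ [ipify_public_ip | default('')] | select | list }}"`. In the development hunk, `ansible_all_ipv4_addresses` is a gathered fact, so a play run without fact gathering would presumably fail on an undefined variable; `{{ ansible_all_ipv4_addresses | default([]) }}` covers that. A one-line comment on each definition saying which addresses are exempted and why would help whoever next audits the whitelist.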
From: Phil Nelson Date: Tue, 2 May 2017 17:24:16 -0600 Subject: [PATCH 210/416] Remove unnecessary ID from Let's Encrypt bundled cert filename The CSR and cert_file use an ID in their filenames to ensure they are regenerated in response to changes in relevant conditions. However, an ID in the bundled cert filename serves no purpose. This commit removes the ID from the bundled cert filename, offering other programs a more stable and static path for the bundled cert. This commit also rsyncs existing ID-in-filename bundled certs to their non-ID counterparts. This ensures the non-ID certs exist when users happen to run only the `wordpress` tag and not the `letsencrypt` tag. In such a scenario, the wordpress-site.conf files would be regenerated with non-ID filenames but such files would not exist without an rsync effective under the same Ansible tag. --- CHANGELOG.md | 1 + roles/letsencrypt/tasks/certificates.yml | 4 +- roles/letsencrypt/templates/renew-certs.py | 67 ++++++++++++------- .../templates/wordpress-site.conf.j2 | 2 +- 4 files changed, 46 insertions(+), 28 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4d29e8cf9..eb1d766389 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834)) * Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) * Improve ip_whitelist in development ([#1183](https://github.com/roots/trellis/pull/1183)) * Support Ansible 2.9 ([#1169](https://github.com/roots/trellis/pull/1169)) diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index ea5780d4e5..efc86dc568 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml 
@@ -25,7 +25,7 @@ changed_when: false when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" - tags: [wordpress, wordpress-setup, nginx-includes, nginx-sites] + tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes] - name: Generate CSRs shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr" @@ -40,6 +40,7 @@ src: renew-certs.py dest: "{{ acme_tiny_data_directory }}/renew-certs.py" mode: 0700 + tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes] - name: Generate the certificates command: ./renew-certs.py @@ -48,3 +49,4 @@ register: generate_certs changed_when: generate_certs.stdout is defined and 'Created' in generate_certs.stdout notify: reload nginx + tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes] diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 6d4b5f0304..991c1fce61 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -1,5 +1,7 @@ #!/usr/bin/env python +from __future__ import print_function + import os import sys import time 
@@ -10,38 +12,51 @@ letsencrypt_cert_ids = {{ letsencrypt_cert_ids }} for site in {{ sites_using_letsencrypt }}: - bundled_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', site + '-' + letsencrypt_cert_ids[site] + '-bundled.cert') + csr_path = os.path.join('{{ acme_tiny_data_directory }}', 'csrs', '{}-{}.csr'.format(site, letsencrypt_cert_ids[site])) + bundled_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', '{}-bundled.cert'.format(site)) + bundled_hashed_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', '{}-{}-bundled.cert'.format(site, letsencrypt_cert_ids[site])) - if os.access(bundled_cert_path, os.F_OK): - stat = os.stat(bundled_cert_path) - print('Certificate file ' + bundled_cert_path + ' already exists') + # Generate or update root cert if needed + if not os.access(csr_path, os.F_OK): + failed = True + print('The required CSR file {} does not exist. This could happen if you changed site_hosts and have ' + 'not yet rerun the letsencrypt role. Create the CSR file by re-provisioning (running the Trellis ' + 'server.yml playbook) with `--tags letsencrypt`'.format(csr_path), file=sys.stderr) + continue - if time.time() - stat.st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: - print(' The certificate is younger than {{ letsencrypt_min_renewal_age }} days. Not creating a new certificate.\n') - continue + elif os.access(bundled_hashed_cert_path, os.F_OK) and time.time() - os.stat(bundled_hashed_cert_path).st_mtime < {{ letsencrypt_min_renewal_age }} * 86400: + print('Certificate file {} already exists and is younger than {{ letsencrypt_min_renewal_age }} days. 
' + 'Not creating a new certificate.'.format(bundled_hashed_cert_path)) - print('Generating certificate for ' + site) + else: + cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + '--quiet ' + '--ca {{ letsencrypt_ca }} ' + '--account-key {{ letsencrypt_account_key }} ' + '--csr {} ' + '--acme-dir {{ acme_tiny_challenges_directory }}' + ).format(csr_path) + + try: + new_bundled_cert = check_output(cmd, stderr=STDOUT, shell=True) + except CalledProcessError as e: + failed = True + print('Error while generating certificate for {}\n{}'.format(site, e.output), file=sys.stderr) + continue + else: + with open(bundled_hashed_cert_path, 'w') as bundled_hashed_cert_file: + bundled_hashed_cert_file.write(new_bundled_cert) + with open(bundled_cert_path, 'w') as bundled_cert_file: + bundled_cert_file.write(new_bundled_cert) - cmd = ( - '/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' - '--quiet ' - '--ca {{ letsencrypt_ca }} ' - '--account-key {{ letsencrypt_account_key }} ' - '--csr {{ acme_tiny_data_directory }}/csrs/{0}-{1}.csr ' - '--acme-dir {{ acme_tiny_challenges_directory }}' - ).format(site, letsencrypt_cert_ids[site]) + if not os.access(bundled_cert_path, os.F_OK): + with open(bundled_hashed_cert_path, 'rb') as bundled_hashed_cert_file: + bundled_hashed_cert = bundled_hashed_cert_file.read() - try: - cert = check_output(cmd, stderr=STDOUT, shell=True) - except CalledProcessError as e: - failed = True - print('Error while generating certificate for ' + site) - print(e.output) - else: - with open(bundled_cert_path, 'w') as cert_file: - cert_file.write(cert) + with open(bundled_cert_path, 'w') as bundled_cert_file: + bundled_cert_file.write(bundled_hashed_cert) + print('Created bundled certificate {}'.format(bundled_cert_path)) - print('Created certificate for ' + site) if failed: sys.exit(1) 
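Review bot: The certificate is written through text-mode handles (`open(bundled_hashed_cert_path, 'w')` and both `open(bundled_cert_path, 'w')` calls), while `check_output` returns bytes on Python 3 and the fallback copy reads with `'rb'`. Under a Python 3 interpreter each `write` would raise `TypeError` after `open` has already truncated the file, which for `bundled_cert_path` is the stable path nginx now loads. Opening all three with `'wb'` works on both interpreters. Separately, `stderr=STDOUT` means anything acme_tiny prints to stderr on a successful run ends up inside the certificate file, so capturing stderr on its own would keep the bundle clean. The imports and the initialisation of `failed` are outside this hunk.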
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 73830f31a5..61d06356f9 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -92,7 +92,7 @@ server { ssl_certificate_key {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }}; {% elif item.value.ssl.provider | default('manual') == 'letsencrypt' -%} - ssl_certificate {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}-bundled.cert; + ssl_certificate {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-bundled.cert; ssl_certificate_key {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}.key; {% elif item.value.ssl.provider | default('manual') == 'self-signed' -%} From 11b9874962ac4ef78c748f4ac7a477c86c494ca0 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 17 May 2020 09:31:29 +0800 Subject: [PATCH 211/416] Update CircleCI Config --- .circleci/config.yml | 206 ++++++++++++++++++++++++++----------------- CHANGELOG.md | 1 + 2 files changed, 125 insertions(+), 82 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 4c4e865bce..ab6df8e3e3 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -1,94 +1,136 @@ version: 2.1 orbs: - trellis: - executors: - python-2: - docker: - - image: 'circleci/python:2-stretch' - python-3: - docker: - - image: 'circleci/python:3-stretch' + python: circleci/python@0.3 - jobs: - syntax-check: - parameters: - ansible-version: - type: string - python-version: - type: enum - enum: ['3', '2'] - executor: python-<< parameters.python-version >> - steps: - - run: python --version - - checkout - - restore_cache: - keys: - - ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "galaxy.yml" }} - - run: - name: Install Python dependencies in a venv - command: | - virtualenv venv - . venv/bin/activate - pip install ansible<< parameters.ansible-version >> - ansible --version - - run: - name: Install Galaxy roles - command: | - . venv/bin/activate - ansible-galaxy install -r galaxy.yml - - save_cache: - key: ansible-v1-<< parameters.python-version >>-<< parameters.ansible-version >>-{{ checksum "galaxy.yml" }} - paths: - - venv - - vendor - - run: - name: Check Playbook syntax - command: | - . 
venv/bin/activate - ansible-playbook --syntax-check -e env=development deploy.yml - ansible-playbook --syntax-check -e env=development dev.yml - ansible-playbook --syntax-check -e env=development server.yml - ansible-playbook --syntax-check -e env=development rollback.yml - ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml +commands: + install-pip-package: + parameters: + package: + type: string + python-version: + type: string + steps: + - restore_cache: + name: Restore pip Cache + keys: + - pip-v2-<>-<>- + - run: + name: Install pip Package + command: pip install --user --upgrade <> + - save_cache: + name: Save pip Cache + key: pip-v2-<>-<>-{{ epoch }} + paths: + - /home/circleci/.local/bin/ + - /home/circleci/.local/lib/ + - /home/circleci/.cache/pip/ + install-galaxy-roles: + steps: + - restore_cache: + name: Restore Galaxy Role Cache + keys: + - galaxy-role-v2-{{ checksum "galaxy.yml" }} + - run: + name: Install Galaxy Roles + command: ansible-galaxy install -r galaxy.yml + - save_cache: + name: Save Galaxy Role Cache + key: galaxy-role-v2-{{ checksum "galaxy.yml" }} + paths: + - vendor/ + check-playbook-syntax: + steps: + - run: + name: Check Playbook Syntax + command: | + ansible-playbook --syntax-check -e env=development deploy.yml + ansible-playbook --syntax-check -e env=development dev.yml + ansible-playbook --syntax-check -e env=development server.yml + ansible-playbook --syntax-check -e env=development rollback.yml + ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml + +jobs: + syntax-check: + parameters: + ansible-version: + type: string + python-version: + type: string + executor: + name: python/default + tag: <> + steps: + - run: python --version + - checkout + - install-pip-package: + package: ansible<< parameters.ansible-version >> + python-version: <> + - run: ansible --version + - install-galaxy-roles + - check-playbook-syntax - lint: - executor: python-3 - steps: - - run: python 
--version - - checkout - - run: sudo pip install ansible-lint - - run: ansible-lint --version - - run: ansible-lint deploy.yml dev.yml server.yml rollback.yml xdebug-tunnel.yml + syntax-check-with-requirements-txt: + parameters: + python-version: + type: string + executor: + name: python/default + tag: <> + steps: + - run: python --version + - checkout + - restore_cache: + name: Restore pip Cache + keys: + - pip-v2-<>-{{ checksum "requirements.txt" }}- + - run: + name: Install packages from requirements.txt (or any other file) via Pip. + command: pip install --user --upgrade --requirement requirements.txt + - save_cache: + name: Save pip Cache + key: pip-v2-<>-{{ checksum "requirements.txt" }}-{{ epoch }} + paths: + - /home/circleci/.local/bin/ + - /home/circleci/.local/lib/ + - /home/circleci/.cache/pip + - run: ansible --version + - install-galaxy-roles + - check-playbook-syntax + + lint: + parameters: + python-version: + type: string + executor: + name: python/default + tag: <> + steps: + - run: python --version + - checkout + - install-pip-package: + package: ansible-lint + python-version: <> + - run: ansible-lint --version + - run: ansible-lint deploy.yml dev.yml server.yml rollback.yml xdebug-tunnel.yml workflows: syntax-check: jobs: - - trellis/syntax-check: - name: syntax-check-python-3-ansible-latest - python-version: '3' - ansible-version: '' - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.9 - python-version: '3' - ansible-version: ~=2.9.0 - - trellis/syntax-check: - name: syntax-check-python-3-ansible-2.8 - python-version: '3' - ansible-version: ~=2.8.0 + - syntax-check: + name: syntax-check-python-<>-ansible<> + matrix: + parameters: + python-version: ["3.7", "2.7"] + ansible-version: ["~=2.9.0", "~=2.8.0"] + - syntax-check-with-requirements-txt: + name: syntax-check-python-<>-requirements-txt + matrix: + parameters: + python-version: ["3.7", "2.7"] - - trellis/syntax-check: - name: syntax-check-python-2-ansible-latest - 
python-version: '2' - ansible-version: '' - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.9 - python-version: '2' - ansible-version: ~=2.9.0 - - trellis/syntax-check: - name: syntax-check-python-2-ansible-2.8 - python-version: '2' - ansible-version: ~=2.8.0 lint: jobs: - - trellis/lint + - lint: + name: lint-python-3.7 + python-version: "3.7" diff --git a/CHANGELOG.md b/CHANGELOG.md index eb1d766389..f7e662bc69 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * [BREAKING] Remove `nginx_includes_deprecated` feature ([#1173](https://github.com/roots/trellis/pull/1173)) * Bump Ansible version_tested_max to 2.8.10 ([#1167](https://github.com/roots/trellis/pull/1167)) * Bump Ansible requirement to 2.8.0 ([#1147](https://github.com/roots/trellis/pull/1147)) +* Update CircleCI Config ([#1184](https://github.com/roots/trellis/pull/1184)) ### 1.4.0: April 2nd, 2020 * Update PHP to 7.4 ([#1164](https://github.com/roots/trellis/pull/1164)) From 6465b7d7f7b8ff860ff4b7ce957f5b188973b0ea Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 18 May 2020 19:33:36 -0600 Subject: [PATCH 212/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index daa24d2507..15469de21f 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital +Kinsta KM Digital Carrot ## Community From 71a298b68ee6a70512f61178f3537b859cbd4932 Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 27 May 2020 00:43:38 +0200 Subject: [PATCH 213/416] Update `oefenweb.swapfile` from Ansible Galaxy --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index dbebc804ac..7cf262b99f 100644 --- a/galaxy.yml +++ b/galaxy.yml 
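Review bot: In the `install-pip-package` command the package parameter is interpolated into `pip install --user --upgrade` unquoted, so a specifier such as `>=2.9` passed as `ansible-version` would be read by the shell as an output redirection. The matrix only uses `~=` today, but quoting the argument (`pip install --user --upgrade "<< parameters.package >>"`) removes the trap. The `lint` job installs `ansible-lint` with `--upgrade` and no version constraint, so lint results can change without any commit to this repository; a pinned specifier would make the check reproducible. The orb reference `circleci/python@0.3` likewise floats within the 0.3 series and could be pinned to an exact release.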
@@ -12,7 +12,7 @@ - name: swapfile src: oefenweb.swapfile - version: v2.0.22 + version: v2.0.26 - name: mailhog src: geerlingguy.mailhog From df097d7f4376daf75c91587d7c9a8b3e6969de3c Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 27 May 2020 00:41:20 +0200 Subject: [PATCH 214/416] Update `geerlingguy.ntp` from Ansible Galaxy --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index dbebc804ac..6c09114c0d 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 1.6.4 + version: 2.0.0 - name: logrotate src: nickhammond.logrotate From 9b68f21b27d59e155b0f81b7ab54ab56a8bde766 Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 27 May 2020 19:42:50 +0200 Subject: [PATCH 215/416] Update `geerlingguy.mailhog` from Ansible Galaxy --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index dbebc804ac..32926539fc 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -16,4 +16,4 @@ - name: mailhog src: geerlingguy.mailhog - version: 2.1.4 + version: 2.2.0 From 286fafe036208f95c3e2ea0ed6828176d4d8e8cd Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 27 May 2020 19:53:45 +0200 Subject: [PATCH 216/416] Silence Ansible warning ``` TASK [mariadb : Delete anonymous MySQL server users] ************************************************************************************************************************************** ok: [staging_host] => (item=localhost) ok: [staging_host] => (item=staging_host) ok: [staging_host] => (item=******) [WARNING]: Module did not set no_log for update_password ``` I do not actually know why Ansible complains here. I guess it is just yet another "It's not a bug, it's a feature". --- roles/mariadb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 15db772874..8404f805f0 100644 --- a/roles/mariadb/tasks/main.yml 
+++ b/roles/mariadb/tasks/main.yml @@ -59,6 +59,7 @@ user: "" host: "{{ item }}" state: absent + no_log: true with_items: - localhost - "{{ inventory_hostname }}" From 66990db2e9b107ebafbdd6443e450426698f2ef2 Mon Sep 17 00:00:00 2001 From: Raphael Date: Thu, 28 May 2020 18:06:34 +0200 Subject: [PATCH 217/416] Fix #888 & #1189 to comply with [RFC2606](https://tools.ietf.org/html/rfc2606#section-2) ".invalid" is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid. --- roles/wordpress-setup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 7bbf3961dc..4684d17a67 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -5,7 +5,7 @@ nginx_ssl_path: "{{ nginx_path }}/ssl" ssl_default_site: no_default: site_hosts: - - canonical: example.com + - canonical: request.is.invalid ssl: enabled: true provider: self-signed From cf7c653e2c1e4922750bb49bd384d4fe3694d940 Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 8 Jun 2020 15:38:23 +0200 Subject: [PATCH 218/416] Fix Ansible deprecation warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `[DEPRECATION WARNING]: evaluating `[…]` as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future.` --- roles/ferm/handlers/main.yml | 2 +- roles/ferm/tasks/main.yml | 2 +- roles/mariadb/tasks/main.yml | 2 +- roles/nginx/tasks/main.yml | 2 +- roles/wordpress-setup/tasks/nginx-includes.yml | 2 +- roles/wordpress-setup/tasks/self-signed-certificate.yml | 8 ++++---- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/roles/ferm/handlers/main.yml b/roles/ferm/handlers/main.yml index 16985eb8f5..2af34d8500 100644 --- a/roles/ferm/handlers/main.yml +++ b/roles/ferm/handlers/main.yml 
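Review bot: The added `no_log: true` has no comment saying why it is there, and on a looped task it also hides every per-item result and any error text, which makes a failed run harder to diagnose. The items visible in this hunk are host names rather than credentials, so a reader cannot tell that the line exists only to silence the `Module did not set no_log for update_password` warning quoted in the commit message. I would add a comment above it such as `# no_log: silences the module's "did not set no_log for update_password" warning`. The same comment would help on the `no_log: true` added to roles/wordpress-setup/tasks/database.yml in patch 219, where the task does pass `login_password`. The task starts above the hunk, so its module and remaining arguments are not visible here.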
@@ -1,4 +1,4 @@ --- - name: restart ferm service: name=ferm state=restarted - when: ferm_enabled \ No newline at end of file + when: ferm_enabled | bool diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index 63b0b0a4d0..bdbaa0b53d 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -65,7 +65,7 @@ - name: ensure iptables rules are enabled command: ferm --slow /etc/ferm/ferm.conf changed_when: false - when: ferm_enabled + when: ferm_enabled | bool - name: ensure iptables rules are disabled command: ferm --flush /etc/ferm/ferm.conf diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 8404f805f0..205e0eea04 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -29,7 +29,7 @@ dest: /etc/mysql/conf.d owner: root group: root - when: mysql_binary_logging_disabled + when: mysql_binary_logging_disabled | bool notify: restart mysql server - name: Set root user password diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 3f0202792c..e2e53d230a 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -21,7 +21,7 @@ args: chdir: "{{ nginx_path }}/ssl" creates: "{{ nginx_path }}/ssl/dhparams.pem" - when: sites_use_ssl + when: sites_use_ssl | bool notify: reload nginx tags: [diffie-hellman, letsencrypt, wordpress, wordpress-setup, nginx-includes, nginx-sites] diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 0b350dd262..0ea756a397 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -33,7 +33,7 @@ pattern: "*.conf" recurse: yes register: nginx_includes_existing - when: nginx_includes_d_cleanup + when: nginx_includes_d_cleanup | bool - name: Remove unmanaged files from includes.d file: 
diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 35e04f712b..193415e7d9 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -11,8 +11,8 @@ dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - - sites_use_ssl - - ssl_enabled + - sites_use_ssl | bool + - ssl_enabled | bool - item.value.ssl.provider | default('manual') == 'self-signed' - name: Generate self-signed certificates @@ -25,8 +25,8 @@ creates: "{{ item.key }}.*" with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - - sites_use_ssl - - ssl_enabled + - sites_use_ssl | bool + - ssl_enabled | bool - item.value.ssl.provider | default('manual') == 'self-signed' notify: reload nginx From f2cb87ee58f2def3929d2dc928127e1b72f69a8f Mon Sep 17 00:00:00 2001 From: Raphael Date: Wed, 10 Jun 2020 19:03:06 +0200 Subject: [PATCH 219/416] Silence Ansible warning ``` TASK [wordpress-setup : Create/assign database user to db and grant permissions] ********* ok: [development_host] => (item=******) [WARNING]: Module did not set no_log for update_password ``` --- roles/wordpress-setup/tasks/database.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index 61c74a5475..8b1f885a98 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -20,6 +20,7 @@ login_host: "{{ site_env.db_host }}" login_user: "{{ mysql_root_user }}" login_password: "{{ mysql_root_password }}" + no_log: true with_dict: "{{ wordpress_sites }}" when: site_uses_local_db and item.value.db_create | default(true) From 8d5289a5c88fe541840f0179663278957c89582b Mon Sep 17 00:00:00 2001 
From: Raphael Date: Sun, 14 Jun 2020 22:19:24 +0200 Subject: [PATCH 220/416] On development, whitelist all local IP ranges in Fail2ban & Ferm (#1190) --- group_vars/all/main.yml | 2 -- group_vars/all/security.yml | 4 ++++ group_vars/development/main.yml | 2 -- group_vars/development/security.yml | 6 ++++++ roles/fail2ban/defaults/main.yml | 2 +- 5 files changed, 11 insertions(+), 5 deletions(-) create mode 100644 group_vars/development/security.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 42349954d0..333aae75df 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -8,8 +8,6 @@ apt_dev_package_state: latest ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www -ip_whitelist: - - "{{ ipify_public_ip | default('') }}" # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml index 2d9df3d3b9..0aa2b604ba 100644 --- a/group_vars/all/security.yml +++ b/group_vars/all/security.yml @@ -15,3 +15,7 @@ ferm_input_list: # and in 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`) sshd_permit_root_login: true sshd_password_authentication: false + +ip_whitelist: + - 127.0.0.0/8 + - "{{ ipify_public_ip | default('') }}" diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml index b922a41a5f..1a3d9f3bd2 100644 --- a/group_vars/development/main.yml +++ b/group_vars/development/main.yml @@ -1,6 +1,4 @@ acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt" env: development -ferm_enabled: false -ip_whitelist: "{{ ansible_all_ipv4_addresses }}" mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml web_user: vagrant 
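Review bot: The second `ip_whitelist` entry in group_vars/all/security.yml, `"{{ ipify_public_ip | default('') }}"`, becomes an empty string whenever `ipify_public_ip` is unset, and that empty element is handed to every consumer of the list. The fail2ban default changed in this same patch joins the list with spaces and tolerates it, but templates that iterate over the list (the ferm rules, which are not shown here) may emit a rule with an empty address. Building the list conditionally avoids the empty element: `ip_whitelist: "{{ ['127.0.0.0/8'] + ([ipify_public_ip] if ipify_public_ip is defined else []) }}"`.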
diff --git a/group_vars/development/security.yml b/group_vars/development/security.yml new file mode 100644 index 0000000000..fe079a2f7e --- /dev/null +++ b/group_vars/development/security.yml @@ -0,0 +1,6 @@ +ferm_enabled: false +ip_whitelist: + - 127.0.0.0/8 + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index 47138736a5..b1aa62d1a1 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml @@ -5,7 +5,7 @@ fail2ban_loglevel: INFO fail2ban_logtarget: /var/log/fail2ban.log fail2ban_socket: /var/run/fail2ban/fail2ban.sock -fail2ban_ignoreip: 127.0.0.1/8 {{ ip_whitelist | join(' ') }} +fail2ban_ignoreip: "{{ ip_whitelist | join(' ') }}" fail2ban_bantime: 600 fail2ban_maxretry: 6 From 92fbe6c6c1e903658ae5024bf6ee316d76209e28 Mon Sep 17 00:00:00 2001 From: Raphael Date: Sat, 20 Jun 2020 23:14:03 +0200 Subject: [PATCH 221/416] Fix Ansible deprecation warnings MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `[DEPRECATION WARNING]: evaluating `[…]` as a bare variable, this behaviour will go away and you might need to add |bool to the expression in the future.` --- roles/users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index e84f720333..6ac64ff1ae 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -47,7 +47,7 @@ owner: root group: root validate: "/usr/sbin/visudo -cf %s" - when: web_sudoers + when: web_sudoers | bool - name: Add SSH keys authorized_key: From 3316adc7ccb3f2245a64cd77073b44e7f89e28ff Mon Sep 17 00:00:00 2001 From: Raphael Date: Sat, 20 Jun 2020 23:16:38 +0200 Subject: [PATCH 222/416] Bump Ansible max tested version --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
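Review bot: The new group_vars/development/security.yml exempts every RFC 1918 range from fail2ban (and, per the commit subject, ferm) on any host in the `development` group, and it sets `ferm_enabled: false` as well. That fits a NAT-ed local VM, but a development host on a bridged or shared network would then apply no ban or rate limit to its neighbours. The file has no comment stating that assumption; I would add one at the top, e.g. `# Assumes a local VM reachable only from the host machine; narrow ip_whitelist if this group includes shared or remote hosts`.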
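Review bot: In roles/fail2ban/defaults/main.yml, `fail2ban_ignoreip` no longer carries a loopback entry of its own, so it is correct only when `ip_whitelist` is defined and contains `127.0.0.0/8`. A project that already overrides `ip_whitelist` in its own group_vars without loopback loses the loopback exemption after this change, and using the role without the Trellis group_vars fails on the undefined variable. Keeping the constant in the role default avoids both: `fail2ban_ignoreip: "{{ (['127.0.0.0/8'] + (ip_whitelist | default([]))) | unique | join(' ') }}"`.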
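Review bot: In roles/users/tasks/main.yml, `when: web_sudoers | bool` skips the sudoers task whenever `web_sudoers` is a list, because the `bool` filter returns false for anything that is not a truthy string, number or boolean. The variable's definition is outside this hunk, but patch 226 later in this series treats it as a list, which suggests the task stopped running with this change. A length test states the intent directly and avoids the deprecation warning: `when: web_sudoers | default([]) | length > 0`. The task itself starts above the hunk.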
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 6c14527cc6..c4356aeb7d 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.8.0' -version_tested_max = '2.9.6' +version_tested_max = '2.9.9' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): From a6fe14dd5b1428900224a61516edd876f0b0a2c5 Mon Sep 17 00:00:00 2001 From: Raphael Date: Sat, 20 Jun 2020 23:18:50 +0200 Subject: [PATCH 223/416] Silence Ansible warning ``` TASK [letsencrypt : Install cronjob for key generation] **************************************************************** [WARNING]: The value 30 (type int) in a string field was converted to '30' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change. [WARNING]: The value 4 (type int) in a string field was converted to '4' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change. ``` --- roles/letsencrypt/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 27c4b86ac7..939eeee771 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml @@ -10,6 +10,6 @@ user: root job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py && /usr/sbin/service nginx reload day: "{{ letsencrypt_cronjob_daysofmonth }}" - hour: 4 - minute: 30 + hour: "4" + minute: "30" state: present From a9b65f05cbb3adf2d004dcf0cb95b3cff2af7fb8 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 23 Jun 2020 00:51:36 +0200 Subject: [PATCH 224/416] Typo --- lib/trellis/plugins/vars/version.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index c4356aeb7d..e27ef8d784 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -26,12 +26,12 @@ raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 'Please upgrade to Ansible {} or higher.').format(__version__, version_requirement)) elif gt(LooseVersion(__version__), LooseVersion(version_tested_max)): - display.warning(u'You Ansible version is {} but this version of Trellis has only been tested for ' + display.warning(u'Your Ansible version is {} but this version of Trellis has only been tested for ' u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) if eq(LooseVersion(__version__), LooseVersion('2.5.0')): - display.warning(u'You Ansible version is {}. Consider upgrading your Ansible version to avoid ' + display.warning(u'Your Ansible version is {}. Consider upgrading your Ansible version to avoid ' u'erroneous warnings such as `Removed restricted key from module data...`'.format(__version__)) # Import BaseVarsPlugin after Ansible version check. From fb7f592e8a6ea9ed81c3b525665ce2166690faf2 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 23 Jun 2020 00:51:45 +0200 Subject: [PATCH 225/416] Bump Ansible max tested version --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index e27ef8d784..3511c78774 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.8.0' -version_tested_max = '2.9.9' +version_tested_max = '2.9.10' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): 
From 71360373a3ac910a9409f25b0de3353dbb4f9fe0 Mon Sep 17 00:00:00 2001 From: nextgenthemes Date: Tue, 23 Jun 2020 13:03:52 +0200 Subject: [PATCH 226/416] | bool thing #1199 Regarding #1199 but there may be other places where a `list` type got a `| bool` added that needs fixing. I guess this is the way to do it. Not an Ansible expert though. Could also add another check if the item is actually not empty and a string or something but ... --- roles/users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 6ac64ff1ae..a628ee17f9 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -47,7 +47,7 @@ owner: root group: root validate: "/usr/sbin/visudo -cf %s" - when: web_sudoers | bool + when: web_sudoers[0] is defined - name: Add SSH keys authorized_key: From b69bfb21cebb32a4cf994c8de5bed3f0512240e7 Mon Sep 17 00:00:00 2001 From: schuhwerk Date: Thu, 25 Jun 2020 13:52:15 +0200 Subject: [PATCH 227/416] Move creation and copying of .env-file to file --- roles/wordpress-install/tasks/dotenv.yml | 16 ++++++++++++++++ roles/wordpress-install/tasks/main.yml | 17 ++--------------- 2 files changed, 18 insertions(+), 15 deletions(-) create mode 100644 roles/wordpress-install/tasks/dotenv.yml diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml new file mode 100644 index 0000000000..7b6945a762 --- /dev/null +++ b/roles/wordpress-install/tasks/dotenv.yml @@ -0,0 +1,16 @@ +--- +- name: Create .env file + template: + src: "env.j2" + dest: "/tmp/{{ item.key }}.env" + owner: "{{ web_user }}" + group: "{{ web_group }}" + with_dict: "{{ wordpress_sites }}" + +- name: Copy .env file into web root + synchronize: + src: "/tmp/{{ item.key }}.env" + dest: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env" + checksum: true + with_dict: "{{ wordpress_sites }}" + delegate_to: "{{ inventory_hostname }}" 
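Review bot: The `Create .env file` task in the new dotenv.yml renders to `/tmp/{{ item.key }}.env` without a `mode`, so the file is created with the default umask, under a predictable name, in a world-writable directory, and nothing in this file removes it afterwards. The template `env.j2` is not shown, but a WordPress `.env` normally holds the database password and salts, so other local accounts could presumably read them. I would add `mode: '0600'` to the template task and render into a directory that only `{{ web_user }}` can enter instead of `/tmp`. The tasks were moved unchanged from main.yml, so this predates the patch, but the move is a good moment to fix it.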
diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index d5491a2808..25bb07f0ce 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -2,21 +2,8 @@ - import_tasks: directories.yml tags: wordpress-install-directories -- name: Create .env file - template: - src: "env.j2" - dest: "/tmp/{{ item.key }}.env" - owner: "{{ web_user }}" - group: "{{ web_group }}" - with_dict: "{{ wordpress_sites }}" - -- name: Copy .env file into web root - synchronize: - src: "/tmp/{{ item.key }}.env" - dest: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env" - checksum: true - with_dict: "{{ wordpress_sites }}" - delegate_to: "{{ inventory_hostname }}" +- import_tasks: dotenv.yml + tags: dotenv - name: Add known_hosts known_hosts: From d0fdd8133425b2f6e589ab96e17c1d04472ea65f Mon Sep 17 00:00:00 2001 From: Raphael Date: Fri, 10 Jul 2020 18:46:37 +0200 Subject: [PATCH 228/416] Ansible `file` module expects a string for `mode` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://docs.ansible.com/ansible/latest/modules/file_module.html#parameter-mode Comments say that octal numbers are tolerated, but parameter asks for string only, and so do linters… --- roles/fail2ban/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index e109366255..278f0811ab 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -30,7 +30,7 @@ file: path: /etc/fail2ban/filter.d/ state: directory - mode: 0755 + mode: '0755' - name: template fail2ban filters template: From 4172a4cf42b2a1eadba882c5d5cd89c7b8521ef6 Mon Sep 17 00:00:00 2001 
From: Dale Grant Date: Thu, 9 Jul 2020 13:10:08 +1000 Subject: [PATCH 229/416] Check hooked deploy scripts exists before including tasks --- roles/deploy/tasks/build.yml | 16 ++++++++++++++-- roles/deploy/tasks/finalize.yml | 16 ++++++++++++++-- roles/deploy/tasks/initialize.yml | 16 ++++++++++++++-- roles/deploy/tasks/main.yml | 16 ++++++++++++++-- roles/deploy/tasks/prepare.yml | 16 ++++++++++++++-- roles/deploy/tasks/share.yml | 16 ++++++++++++++-- roles/deploy/tasks/update.yml | 16 ++++++++++++++-- 7 files changed, 98 insertions(+), 14 deletions(-) diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index 0151fc0d8c..32554ea622 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_build_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_build_before_paths with_items: "{{ deploy_build_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_build_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-build-before - name: Copy project templates @@ -23,8 +29,14 @@ with_items: "{{ project_folder_paths.results }}" when: item.stat.exists -- include_tasks: "{{ include_path }}" +- name: Check if deploy_build_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_build_after_paths with_items: "{{ deploy_build_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_build_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-build-after diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index 7ec6e32944..885ba7ac6e 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml 
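Review bot: With `when: include_path.stat.exists`, a hook path that does not exist is skipped without any message, so a typo in `deploy_build_before` or `deploy_build_after` silently drops a deploy step instead of failing the run. If a hook does something the release depends on, the deploy would finish and report success without it. I would keep the skip but surface the miss with a task placed after each `stat` check, as sketched below for the `before` hook. The same pattern is repeated in finalize.yml, initialize.yml, main.yml, prepare.yml, share.yml and update.yml in this patch.

```yaml
# … unchanged: "Check if deploy_build_before scripts exist" stat task …
- name: Warn about missing deploy_build_before scripts
  debug:
    msg: "Deploy hook {{ include_path.item }} not found, skipping"
  with_items: "{{ deploy_build_before_paths.results }}"
  loop_control:
    loop_var: include_path
  when: not include_path.stat.exists
# … unchanged: include_tasks "{{ include_path.item }}" …
```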
@@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_finalize_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_finalize_before_paths with_items: "{{ deploy_finalize_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_finalize_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-finalize-before - name: Finalize the deploy @@ -13,10 +19,16 @@ state: finalize keep_releases: "{{ project.deploy_keep_releases | default(deploy_keep_releases | default(omit)) }}" -- include_tasks: "{{ include_path }}" +- name: Check if deploy_finalize_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_finalize_after_paths with_items: "{{ deploy_finalize_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_finalize_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-finalize-after - debug: diff --git a/roles/deploy/tasks/initialize.yml b/roles/deploy/tasks/initialize.yml index a78fefab90..dfacf8c5ab 100644 --- a/roles/deploy/tasks/initialize.yml +++ b/roles/deploy/tasks/initialize.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_initialize_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_initialize_before_paths with_items: "{{ deploy_initialize_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_initialize_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-initialize-before - name: Initialize 
@@ -11,8 +17,14 @@ path: "{{ project_root }}" state: present -- include_tasks: "{{ include_path }}" +- name: Check if deploy_initialize_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_initialize_after_paths with_items: "{{ deploy_initialize_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_initialize_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-initialize-after diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml index 2e6b5c27f7..ee83e8c2f6 100644 --- a/roles/deploy/tasks/main.yml +++ b/roles/deploy/tasks/main.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_before_paths with_items: "{{ deploy_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-before - import_tasks: initialize.yml @@ -12,8 +18,14 @@ - import_tasks: share.yml - import_tasks: finalize.yml -- include_tasks: "{{ include_path }}" +- name: Check if deploy_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_after_paths with_items: "{{ deploy_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-after diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 3befa99dac..0a38225d2f 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml 
@@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_prepare_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_prepare_before_paths with_items: "{{ deploy_prepare_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_prepare_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-prepare-before - name: Check for project repo subtree @@ -44,8 +50,14 @@ path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" state: touch -- include_tasks: "{{ include_path }}" +- name: Check if deploy_prepare_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_prepare_after_paths with_items: "{{ deploy_prepare_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_prepare_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-prepare-after diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 294c05d4b9..ae936e870a 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_share_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_share_before_paths with_items: "{{ deploy_share_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_share_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-share-before - name: Ensure shared sources are present -- directories 
@@ -48,8 +54,14 @@ state: link with_items: "{{ project.project_shared_children | default(project_shared_children) }}" -- include_tasks: "{{ include_path }}" +- name: Check if deploy_share_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_share_after_paths with_items: "{{ deploy_share_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_share_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-share-after diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index fcbe6b4e52..8dcc882a4c 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -1,8 +1,14 @@ --- -- include_tasks: "{{ include_path }}" +- name: Check if deploy_update_before scripts exist + local_action: stat path="{{ item }}" + register: deploy_update_before_paths with_items: "{{ deploy_update_before | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_update_before_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-update-before - name: Add known_hosts @@ -40,8 +46,14 @@ register: git_clean changed_when: not not(git_clean.stdout) -- include_tasks: "{{ include_path }}" +- name: Check if deploy_update_after scripts exist + local_action: stat path="{{ item }}" + register: deploy_update_after_paths with_items: "{{ deploy_update_after | default([]) }}" + +- include_tasks: "{{ include_path.item }}" + with_items: "{{ deploy_update_after_paths.results }}" loop_control: loop_var: include_path + when: include_path.stat.exists tags: deploy-update-after From 89ffcda7c350c6f96d3b6314e4d7cc361f21e841 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 18 Jul 2020 15:51:24 -0400 Subject: [PATCH 230/416] Bump circleci python orb version --- .circleci/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.circleci/config.yml b/.circleci/config.yml index ab6df8e3e3..9e5a99435b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -1,7 +1,7 @@ version: 2.1 orbs: - python: circleci/python@0.3 + python: circleci/python@0.3.2 commands: install-pip-package: From a4103469b2b48f3a11d8bf4c4a8fba55285672b5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 18 Jul 2020 15:53:21 -0400 Subject: [PATCH 231/416] Bump Python version --- .circleci/config.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9e5a99435b..c932078d10 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -121,16 +121,16 @@ workflows: name: syntax-check-python-<>-ansible<> matrix: parameters: - python-version: ["3.7", "2.7"] + python-version: ["3.7.8", "2.7"] ansible-version: ["~=2.9.0", "~=2.8.0"] - syntax-check-with-requirements-txt: name: syntax-check-python-<>-requirements-txt matrix: parameters: - python-version: ["3.7", "2.7"] + python-version: ["3.7.8", "2.7"] lint: jobs: - lint: name: lint-python-3.7 - python-version: "3.7" + python-version: "3.7.8" From c3ab4ce15913c6d565db0779eda010536b9cfb7e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 16 Jul 2020 17:50:38 -0400 Subject: [PATCH 232/416] Support branch variable for deploys This allows the branch to be specified via a command line argument to `ansible-playbook` (and eventually trellis-cli). Often this makes sense for staging environments where feature branches are deployed instead of a fixed one. --- CHANGELOG.md | 1 + roles/deploy/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f7e662bc69..6baa20ac01 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Support branch variable for deploys ([#1204](https://github.com/roots/trellis/pull/1204)) * Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834)) * Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) * Improve ip_whitelist in development ([#1183](https://github.com/roots/trellis/pull/1183)) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index b6b5e6c74d..35cc39d58c 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -2,7 +2,7 @@ # - you must set a repository (no default) project_git_repo: "{{ project.repo }}" # - you can set the git ref to deploy (can be a branch, tag or commit hash) -project_version: "{{ project.branch | default('master') }}" +project_version: "{{ branch is defined | ternary(branch, project.branch) | default('master') }}" # The source_path is used to fetch the tags from git, or synchronise via rsync. This way # you do not have to download/sync the entire project on every deploy From 7224811bb73bd21cf370d2f0f24f7254b7f9ea85 Mon Sep 17 00:00:00 2001 
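Review bot: In roles/deploy/defaults/main.yml, `default('master')` applies only to an undefined value, so `-e branch=` (an empty string, which still counts as defined) leaves `project_version` empty instead of falling back to the site's branch. The same holds when `project.branch` is present but empty. Passing `true` as the second argument to `default` covers both cases and drops the `ternary`: `project_version: "{{ branch | default(project.branch, true) | default('master', true) }}"`. Because the ref can now come from the command line, the comment above the variable could also say so, e.g. `# - override per run with -e branch=<ref>`.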
From: Scott Walkinshaw Date: Sat, 18 Jul 2020 23:38:30 -0400 Subject: [PATCH 233/416] Add support for Lets Encrypt contact emails Let's Encrypt sends certificate expiry notice emails if a contact email is provided during account creation. Unfortunately Trellis never did this up until now; if there was a problem with the cron renewal script, there was no easy way to get notified. This adds a new required `letsencrypt_contact_emails` variable which is passed to the acme-tiny script which it passes along to Let's Encrypt. Let's Encrypt sends emails 20 days, 10 days, and finally 1 day before expiry. Since Trellis tries to renew certificates 30 days before renewal (by default), these expiry notice emails should never be sent unless something has gone wrong. --- CHANGELOG.md | 1 + roles/letsencrypt/tasks/setup.yml | 22 ++++++++++++++++++++++ roles/letsencrypt/templates/renew-certs.py | 1 + 3 files changed, 24 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6baa20ac01..5a993193a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add support for Lets Encrypt contact emails ([#1206](https://github.com/roots/trellis/pull/1206)) * Support branch variable for deploys ([#1204](https://github.com/roots/trellis/pull/1204)) * Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834)) * Make Fail2ban settings extensible ([#1177](https://github.com/roots/trellis/pull/1177)) diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 6d3cd762aa..dd6c9f721d 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml 
@@ -1,4 +1,26 @@ --- +- name: Fail if letsencrypt_contact_emails is not defined + fail: + msg: > + Error: the required `letsencrypt_contact_emails` variable is not defined. + + + Please define it in `groups_vars/all/main.yml` with at least one email: + + letsencrypt_contact_emails: + - changeme@example.com + + The contact email is used by Let's Encrypt to send expiry notices when a certificate is coming up for renewal. + + + See https://letsencrypt.org/docs/expiration-emails/ for more information. + + + Since Trellis attempts to renew certificates after {{ letsencrypt_min_renewal_age }} days ({{ 90 - letsencrypt_min_renewal_age }} days before renewal), + getting an expiry notice email means something has gone wrong giving you enough notice to fix the problem. + + when: letsencrypt_contact_emails is not defined + - name: Create directories and set permissions file: mode: "{{ item.mode | default(omit) }}" diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 991c1fce61..1dc215f298 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -34,6 +34,7 @@ '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' '--csr {} ' + '--contact {{ letsencrypt_contact_emails | map('regex_replace', '(^.*$)', 'mailto:\\1') | join (' ') }} ' '--acme-dir {{ acme_tiny_challenges_directory }}' ).format(csr_path) From 65927822b5bd85f6dfefd6838b8a22d983e42fd5 Mon Sep 17 00:00:00 2001 From: Breno Alves Date: Tue, 21 Jul 2020 14:34:18 -0300 Subject: [PATCH 234/416] Fixes nginx reload run even if some of the certificates renewals has failed. --- roles/letsencrypt/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 939eeee771..b65a534087 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml 
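Review bot: The guard in the new `Fail if letsencrypt_contact_emails is not defined` task only checks `is not defined`, so an empty list passes, and the rendered renewal command would then carry `--contact` with no address. Tightening it to `when: letsencrypt_contact_emails is not defined or letsencrypt_contact_emails | length == 0` keeps the "at least one email" promise the message makes. The message also points operators at `groups_vars/all/main.yml`; the directory used elsewhere in these patches is `group_vars/`, so the path should read `group_vars/all/main.yml`.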
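Review bot: The added `--contact` line renders each address into the command string unquoted, and a later patch on this page shows that string being run with `check_output(cmd, ..., shell=True)`. An entry containing whitespace or shell metacharacters would therefore change the command instead of being passed as one argument. The values come from inventory, so this is hardening rather than an exposed input, but quoting is cheap: `'--contact {{ letsencrypt_contact_emails | map('regex_replace', '(^.*$)', 'mailto:\\1') | map('quote') | join(' ') }} '`. The `cmd` expression starts and ends outside this hunk, so the other interpolated paths are not reviewed here.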
@@ -8,7 +8,7 @@ cron_file: letsencrypt-certificate-renewal name: letsencrypt certificate renewal user: root - job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py && /usr/sbin/service nginx reload + job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py ; /usr/sbin/service nginx reload day: "{{ letsencrypt_cronjob_daysofmonth }}" hour: "4" minute: "30" From a23126c0da8d3dc193da0b8f9924ac9ec8c7c613 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 22 Jul 2020 22:48:09 -0400 Subject: [PATCH 235/416] Update local_action to delegate_to --- roles/deploy/tasks/build.yml | 8 ++++++-- roles/deploy/tasks/finalize.yml | 8 ++++++-- roles/deploy/tasks/initialize.yml | 8 ++++++-- roles/deploy/tasks/main.yml | 8 ++++++-- roles/deploy/tasks/prepare.yml | 8 ++++++-- roles/deploy/tasks/share.yml | 8 ++++++-- roles/deploy/tasks/update.yml | 8 ++++++-- 7 files changed, 42 insertions(+), 14 deletions(-) diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index 32554ea622..d5a99316c5 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_build_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_build_before_paths with_items: "{{ deploy_build_before | default([]) }}" @@ -30,7 +32,9 @@ when: item.stat.exists - name: Check if deploy_build_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_build_after_paths with_items: "{{ deploy_build_after | default([]) }}" diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index 885ba7ac6e..824c44f3e5 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml 
@@ -1,6 +1,8 @@ --- - name: Check if deploy_finalize_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_finalize_before_paths with_items: "{{ deploy_finalize_before | default([]) }}" @@ -20,7 +22,9 @@ keep_releases: "{{ project.deploy_keep_releases | default(deploy_keep_releases | default(omit)) }}" - name: Check if deploy_finalize_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_finalize_after_paths with_items: "{{ deploy_finalize_after | default([]) }}" diff --git a/roles/deploy/tasks/initialize.yml b/roles/deploy/tasks/initialize.yml index dfacf8c5ab..5b1d48cc16 100644 --- a/roles/deploy/tasks/initialize.yml +++ b/roles/deploy/tasks/initialize.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_initialize_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_initialize_before_paths with_items: "{{ deploy_initialize_before | default([]) }}" @@ -18,7 +20,9 @@ state: present - name: Check if deploy_initialize_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_initialize_after_paths with_items: "{{ deploy_initialize_after | default([]) }}" diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml index ee83e8c2f6..5478676a7b 100644 --- a/roles/deploy/tasks/main.yml +++ b/roles/deploy/tasks/main.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_before_paths with_items: "{{ deploy_before | default([]) }}" 
@@ -19,7 +21,9 @@ - import_tasks: finalize.yml - name: Check if deploy_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_after_paths with_items: "{{ deploy_after | default([]) }}" diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 0a38225d2f..ecd635aaf3 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_prepare_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_prepare_before_paths with_items: "{{ deploy_prepare_before | default([]) }}" @@ -51,7 +53,9 @@ state: touch - name: Check if deploy_prepare_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_prepare_after_paths with_items: "{{ deploy_prepare_after | default([]) }}" diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index ae936e870a..279fdcf2d5 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -1,6 +1,8 @@ --- - name: Check if deploy_share_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_share_before_paths with_items: "{{ deploy_share_before | default([]) }}" @@ -55,7 +57,9 @@ with_items: "{{ project.project_shared_children | default(project_shared_children) }}" - name: Check if deploy_share_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_share_after_paths with_items: "{{ deploy_share_after | default([]) }}" diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 8dcc882a4c..d85ff6a963 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml 
@@ -1,6 +1,8 @@ --- - name: Check if deploy_update_before scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_update_before_paths with_items: "{{ deploy_update_before | default([]) }}" @@ -47,7 +49,9 @@ changed_when: not not(git_clean.stdout) - name: Check if deploy_update_after scripts exist - local_action: stat path="{{ item }}" + stat: + path: "{{ item }}" + delegate_to: localhost register: deploy_update_after_paths with_items: "{{ deploy_update_after | default([]) }}" From 2376349d7b239d5af5225f49e64625275b4e5037 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 5 Aug 2020 22:12:55 -0400 Subject: [PATCH 236/416] v1.5.0 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a993193a0..e1436f3d62 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ -### HEAD +### 1.5.0: August 5th, 2020 +* Improve Nginx reloading for failed Let's Encrypt certificates ([#1207](https://github.com/roots/trellis/pull/1207)) * Add support for Lets Encrypt contact emails ([#1206](https://github.com/roots/trellis/pull/1206)) * Support branch variable for deploys ([#1204](https://github.com/roots/trellis/pull/1204)) * Removes ID from Lets Encrypt bundled certificate and make filename stable ([#834](https://github.com/roots/trellis/pull/834)) From c6f648f30b91bf5444a17ef27de5699617eff0a2 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 22 Jul 2020 22:33:08 -0400 Subject: [PATCH 237/416] Use official Nginx packages --- CHANGELOG.md | 3 +++ roles/nginx/defaults/main.yml | 4 +++- roles/nginx/tasks/main.yml | 13 +++++++++++++ 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1436f3d62..59dcd4be7e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,6 @@ +### HEAD +* Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208)) + ### 1.5.0: August 5th, 2020 * Improve Nginx reloading for failed Let's Encrypt certificates ([#1207](https://github.com/roots/trellis/pull/1207)) * Add support for Lets Encrypt contact emails ([#1206](https://github.com/roots/trellis/pull/1206)) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index c82941bcc7..69433b33fb 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,5 +1,7 @@ --- -nginx_ppa: "ppa:nginx/mainline" +nginx_keyserver: "https://nginx.org/keys/nginx_signing.key" +nginx_keyserver_id: "ABF5BD827BD9BF62" +nginx_ppa: "deb http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index e2e53d230a..f97d720b2d 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: Add Nginx APT key + apt_key: + keyserver: "{{ nginx_keyserver }}" + id: "{{ nginx_keyserver_id }}" + - name: Add Nginx PPA apt_repository: repo: "{{ nginx_ppa }}" @@ -10,6 +15,14 @@ state: "{{ nginx_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" +- name: Ensure site directories exist + file: + path: "{{ nginx_path }}/{{ item }}" + state: directory + with_items: + - sites-available + - sites-enabled + - name: Create SSL directory file: mode: 0700 From 08cecc883bf988ff72e99efa3e414a93a3fc483d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 5 Aug 2020 22:22:37 -0400 Subject: [PATCH 238/416] Improve python interpreter check Makes the python interepreter check more future compatible to prepare for Ubuntu 20.04 --- roles/python_interpreter/tasks/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
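Review bot: In `roles/nginx/defaults/main.yml`, `nginx_keyserver` holds a direct link to a key file, yet the new `Add Nginx APT key` task in `roles/nginx/tasks/main.yml` passes it to `apt_key`'s `keyserver:` option, which names a key server to fetch `id` from. A key file link belongs in the module's `url:` option, i.e. `url: "{{ nginx_keyserver }}"` with `id:` kept as the pin. `nginx_keyserver_id` is a 16-hex-digit long key ID; pinning the full fingerprint (`nginx_keyserver_id: "<FULL_40_HEX_FINGERPRINT>"`, value to be taken from the vendor's published key) is the stricter check. Because `nginx_ppa` points at a plain `http://` repository, package authenticity rests entirely on that key, so a comment above the two variables saying so would help the next person who edits them.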
diff --git a/roles/python_interpreter/tasks/main.yml b/roles/python_interpreter/tasks/main.yml index 8935abe901..3fa493d310 100644 --- a/roles/python_interpreter/tasks/main.yml +++ b/roles/python_interpreter/tasks/main.yml @@ -1,11 +1,11 @@ - block: - - name: Get Ubuntu release - raw: lsb_release -cs - register: ubuntu_release + - name: Get Ubuntu version + raw: lsb_release -rs + register: ubuntu_version changed_when: false - - name: Set ansible_python_interpreter for Ubuntu 18.04 Bionic + - name: Set ansible_python_interpreter for Ubuntu >= 18.04 set_fact: ansible_python_interpreter: python3 - when: ubuntu_release.stdout | trim == 'bionic' + when: ubuntu_version.stdout | trim is version('18.04', '>=') when: ansible_python_interpreter is not defined tags: always From f2d98db9d993a0aeb493ad9447dd022905e89c2a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 6 Aug 2020 22:17:23 -0400 Subject: [PATCH 239/416] Update MariaDB to 10.5 This bumps the MariaDB PPA from 10.2 to 10.5. Note that this will *not* actually upgrade the version of MariaDB already installed on a server. Upgrading is a manual process that involves: 1. stopping the service 2. removing the installed package 3. re-installing the package The full process is detailed at https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/ Though it's not required, backing up your database before the upgrade is recommended. --- CHANGELOG.md | 1 + roles/mariadb/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 59dcd4be7e..fb2426b0d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212)) * Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208)) ### 1.5.0: August 5th, 2020 diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 89f7b57ea0..491dd9a6f4 100644 
--- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb [arch=amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.2/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb [arch=amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server From c5f1117296baef6b28baaf08e8b7d6ce883087a6 Mon Sep 17 00:00:00 2001 From: Lachlan Arthur Date: Sun, 30 Aug 2020 00:28:03 +1000 Subject: [PATCH 240/416] Remove default SMB credentials --- Vagrantfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index d59cdb3b5a..4e09cd5175 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -70,8 +70,8 @@ Vagrant.configure('2') do |config| extra_options = if vagrant_mount_type == 'smb' { - smb_username: vconfig.fetch('vagrant_smb_username', 'vagrant'), - smb_password: vconfig.fetch('vagrant_smb_password', 'vagrant'), + smb_username: vconfig.fetch('vagrant_smb_username', nil), + smb_password: vconfig.fetch('vagrant_smb_password', nil), } else {} From 10c7417b6b93ad908d4ea922af82a7e460a268fb Mon Sep 17 00:00:00 2001 From: Clinton Blackburn Date: Sun, 30 Aug 2020 13:33:25 -0700 Subject: [PATCH 241/416] Corrected use of ANSIBLE_CONFIG environment variable ANSIBLE_CONFIG is now treated as a path to a file rather than a directory. Fixes #1216 --- lib/trellis/plugins/callback/output.py | 3 ++- lib/trellis/utils/output.py | 3 ++- lib/trellis/vagrant.rb | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index 7344b803aa..cf8fe73d11 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py 
@@ -18,7 +18,8 @@ try: from trellis.utils import output as output except ImportError: - ansible_path = os.getenv('ANSIBLE_CONFIG', os.getcwd()) + ansible_config_path = os.getenv('ANSIBLE_CONFIG') + ansible_path = os.path.dirname(ansible_config_path) if ansible_config_path else os.getcwd() if sys.path.append(os.path.join(ansible_path, 'lib')) in sys.path: raise sys.path.append(sys.path.append(os.path.join(ansible_path, 'lib'))) from trellis.utils import output as output diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 89b073b9c7..8beef101bc 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -14,7 +14,8 @@ def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry changelog_msg = '' - ansible_path = os.getenv('ANSIBLE_CONFIG', os.getcwd()) + ansible_config_path = os.getenv('ANSIBLE_CONFIG') + ansible_path = os.path.dirname(ansible_config_path) if ansible_config_path else os.getcwd() changelog = os.path.join(ansible_path, 'CHANGELOG.md') if os.path.isfile(changelog): diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index fa60ad0112..d34f216009 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -1,5 +1,5 @@ # Set Ansible paths relative to Ansible directory -ENV['ANSIBLE_CONFIG'] = ANSIBLE_PATH +ENV['ANSIBLE_CONFIG'] = File.join(ANSIBLE_PATH, 'ansible.cfg') ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback:/usr/share/ansible/plugins/callback:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/callback')}" ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter:/usr/share/ansible/plugins/filter:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" ENV['ANSIBLE_LIBRARY'] = "~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" From e3d912ff27da22757691ea2fc49cb38dbb64ac5e Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Thu, 10 Sep 2020 19:40:15 -0400 Subject: [PATCH 242/416] Update CHANGELOG #1217 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb2426b0d9..4a5d4edafb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217)) * Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212)) * Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208)) From 2e18ca4e20eb991cf4c6a1894c4d56406ec9614f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 10 Sep 2020 19:42:11 -0400 Subject: [PATCH 243/416] Update CHANGELOG #1215 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a5d4edafb..917be77351 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215)) * Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217)) * Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212)) * Switch to official Nginx Ubuntu package ([#1208](https://github.com/roots/trellis/pull/1208)) From 550454d5ca18328c7b624a7e409a19115cdbccf5 Mon Sep 17 00:00:00 2001 
From: TangRufus Date: Wed, 23 Sep 2020 11:15:18 +0100 Subject: [PATCH 244/416] CircleCI: Invalidate pip caches ``` Upgrading directly from ansible-2.9 or less to ansible-2.10 or greater with pip is known to cause problems. Please uninstall the old version found at: /home/circleci/.local/lib/python2.7/site-packages/ansible/__init__.pyc and install the new version: pip uninstall ansible pip install ansible If you have a broken installation, perhaps because ansible-base was installed before ansible was upgraded, try this to resolve it: pip install --force-reinstall ansible ansible-base If ansible is installed in a different location than you will be installing it now (for example, if the old version is installed by a system package manager to /usr/lib/python3.8/site-packages/ansible but you are installing the new version into ~/.local/lib/python3.8/site-packages/ansible with `pip install --user ansible`) or you want to install anyways and cleanup any breakage afterwards, then you may set the ANSIBLE_SKIP_CONFLICT_CHECK environment variable to ignore this check: ANSIBLE_SKIP_CONFLICT_CHECK=1 pip install --user ansible ``` --- .circleci/config.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index c932078d10..c1efe12621 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -14,13 +14,13 @@ commands: - restore_cache: name: Restore pip Cache keys: - - pip-v2-<>-<>- + - pip-v3-<>-<>- - run: name: Install pip Package command: pip install --user --upgrade <> - save_cache: name: Save pip Cache - key: pip-v2-<>-<>-{{ epoch }} + key: pip-v3-<>-<>-{{ epoch }} paths: - /home/circleci/.local/bin/ - /home/circleci/.local/lib/ 
@@ -83,13 +83,13 @@ jobs: - restore_cache: name: Restore pip Cache keys: - - pip-v2-<>-{{ checksum "requirements.txt" }}- + - pip-v3-<>-{{ checksum "requirements.txt" }}- - run: name: Install packages from requirements.txt (or any other file) via Pip. command: pip install --user --upgrade --requirement requirements.txt - save_cache: name: Save pip Cache - key: pip-v2-<>-{{ checksum "requirements.txt" }}-{{ epoch }} + key: pip-v3-<>-{{ checksum "requirements.txt" }}-{{ epoch }} paths: - /home/circleci/.local/bin/ - /home/circleci/.local/lib/ From d66124febd2cf91fedd45c80ca328d6d1a4a919b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 19 Sep 2020 12:44:38 -0400 Subject: [PATCH 245/416] Allow WP cron minute/interval to be configurable Adds `cron_interval` and `cron_interval_multisite` settings on a wordpress site. --- CHANGELOG.md | 1 + roles/wordpress-setup/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 917be77351..5cc1f246e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Allow WP cron intervals to be configurable ([#1222](https://github.com/roots/trellis/pull/1222)) * Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215)) * Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217)) * Update MariaDB package to 10.5 ([#1212](https://github.com/roots/trellis/pull/1212)) diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 561811eba7..e1e48bbe02 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml 
@@ -45,7 +45,7 @@ - name: Setup WP system cron cron: name: "{{ item.key }} WordPress cron" - minute: "*/15" + minute: "{{ item.value.cron_interval | default('*/15') }}" user: "{{ web_user }}" job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" @@ -55,7 +55,7 @@ - name: Setup WP Multisite system cron cron: name: "{{ item.key }} WordPress network cron" - minute: "*/30" + minute: "{{ item.value.cron_interval_multisite | default('*/30') }}" user: "{{ web_user }}" job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" From efe33fb7c7b7a227873ae35751b790d2cc357eb0 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 3 Oct 2020 10:13:19 -0600 Subject: [PATCH 246/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 15469de21f..6e4e6cd7d3 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot +Kinsta KM Digital Carrot C21 Redwood Realty ## Community From d93e82e69be12b84f160cdc99ec580cb5388b7bc Mon Sep 17 00:00:00 2001 From: "Michael W. Delaney" Date: Mon, 5 Oct 2020 14:53:42 -0400 Subject: [PATCH 247/416] Update requirements.txt --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index cecd05381d..2bfebcdfc6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.8.0,<3.0 +ansible>=2.8.0,<2.10.0 passlib 
From 2ec13c3187d38f92a31b6d5287ba0c59d6147136 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 21:35:51 +0100 Subject: [PATCH 248/416] Ansible Lint: Skip `[106] Role name {} does not match ^[a-z][a-z0-9_]+$ pattern` --- .ansible-lint | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.ansible-lint b/.ansible-lint index 93b07a23e5..a83461d38c 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,3 +1,4 @@ --- skip_list: - - 204 # Lines should be no longer than 160 chars + - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern + - '204' # Lines should be no longer than 160 chars From 19eb68527324735753aa20e1e2951e916fe626b5 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 21:25:49 +0100 Subject: [PATCH 249/416] Separate 'Enable or disable Nginx sites' task into two Fix #1225 --- roles/wordpress-setup/tasks/nginx.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index ffb9fcb11f..0f1333fa12 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -28,12 +28,22 @@ notify: reload nginx tags: nginx-sites -- name: Enable or disable Nginx sites +- name: Enable Nginx sites file: path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" src: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" - state: "{{ item.enabled | default(true) | ternary('link', 'absent') }}" + state: link force: yes + when: item.enabled | default(true) + with_items: "{{ nginx_sites_confs }}" + notify: reload nginx + tags: nginx-sites + +- name: Disable Nginx sites + file: + path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" + state: absent + when: not(item.enabled | default(true)) with_items: "{{ nginx_sites_confs }}" notify: reload nginx tags: nginx-sites 
From 1ad7fa1a3e45c4cdc66ddbd870a57463502aec34 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 21:30:35 +0100 Subject: [PATCH 250/416] Revert "Merge pull request #1226 from roots/exclude-ansible-2.10" This reverts commit 143282643a36a241d84542ee32a3b535bcbf04a0, reversing changes made to efe33fb7c7b7a227873ae35751b790d2cc357eb0. --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 2bfebcdfc6..cecd05381d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,2 @@ -ansible>=2.8.0,<2.10.0 +ansible>=2.8.0,<3.0 passlib From e54e3010eb5e91ed082b4b084dbd92d8b3b0a936 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 22:25:21 +0100 Subject: [PATCH 251/416] Fix: `[WARNING]: Module did not set no_log for unsafe_login_password` --- roles/wordpress-setup/tasks/database.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index 8b1f885a98..ad10a40026 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -7,6 +7,7 @@ login_host: "{{ site_env.db_host }}" login_user: "{{ mysql_root_user }}" login_password: "{{ mysql_root_password }}" + no_log: true with_dict: "{{ wordpress_sites }}" - name: Create/assign database user to db and grant permissions From aff51a5157cc05b298929b382344b68380254184 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 21:45:42 +0100 Subject: [PATCH 252/416] Ansible Lint: Fix `[208] File permissions unset or incorrect` --- .ansible-lint | 4 ++-- roles/deploy/tasks/prepare.yml | 2 ++ roles/deploy/tasks/share.yml | 1 + roles/wordpress-install/tasks/dotenv.yml | 1 + roles/wp-cli/tasks/main.yml | 1 + 5 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index a83461d38c..b7aefe84fd 100644 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -1,4 +1,4 @@ --- skip_list: - - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - - '204' # Lines should be no longer than 160 chars + - 106 # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern + - 204 # Lines should be no longer than 160 chars diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index ecd635aaf3..2567d7986e 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -27,6 +27,7 @@ - name: Create new release dir file: path: "{{ deploy_helper.new_release_path }}" + mode: '0755' state: directory - name: Run git archive to populate new build dir @@ -50,6 +51,7 @@ - name: write unfinished file file: path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" + mode: '0744' state: touch - name: Check if deploy_prepare_after scripts exist diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 279fdcf2d5..12da9836c2 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -40,6 +40,7 @@ - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" + mode: '0777' state: directory with_items: "{{ project.project_shared_children | default(project_shared_children) }}" diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml index 7b6945a762..5397096992 100644 --- a/roles/wordpress-install/tasks/dotenv.yml +++ b/roles/wordpress-install/tasks/dotenv.yml @@ -3,6 +3,7 @@ template: src: "env.j2" dest: "/tmp/{{ item.key }}.env" + mode: '0644' owner: "{{ web_user }}" group: "{{ web_group }}" with_dict: "{{ wordpress_sites }}" diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index fe3d85c62d..21494865dc 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
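Review bot: `mode: '0744'` on the `write unfinished file` task in `roles/deploy/tasks/prepare.yml` sets the owner execute bit on a marker that is only created with `state: touch`. Nothing in the hunk suggests it is ever executed, so `mode: '0644'` states the intent more accurately. The same applies to the `/tmp/wp-cli.pgp.gpg` keyring copy in the `roles/wp-cli/tasks/main.yml` hunk of this commit, which also gets `'0744'`. Both tasks continue outside their hunks.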
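Review bot: `mode: '0777'` on `Ensure parent directories for shared paths are present` in `roles/deploy/tasks/share.yml` makes directories inside the new release world-writable, so any local account on the host can create or replace entries there. The lint rule asks only for an explicit mode, not a permissive one; `mode: '0755'` would match the release directory created in `prepare.yml` in this same commit. If the web server user needs write access to these parents, grant it through `owner`/`group` rather than the "other" bits.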
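Review bot: The template task in `roles/wordpress-install/tasks/dotenv.yml` writes `/tmp/{{ item.key }}.env` with `mode: '0644'`, which leaves the rendered environment file readable by every local user in a shared directory. The file comes from `env.j2` and is presumably where database credentials and salts land (the template itself is not visible here). Since the task already sets `owner: "{{ web_user }}"`, `mode: '0600'` is enough for the consumer and matches what a later patch on this page does for the deployed `.env`. The task's remaining lines are outside the hunk, so whether the temp file is removed afterwards cannot be confirmed from here.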
@@ -19,6 +19,7 @@ copy: src: "{{ wp_cli_pgp_public_key }}" dest: /tmp/wp-cli.pgp.gpg + mode: '0744' - name: Verify WP-CLI Phar Signature command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar From 7e2366b5294609e0c9767d40d4a96ce9dcfdf2b3 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 7 Oct 2020 22:51:59 +0100 Subject: [PATCH 253/416] Fix (Remove the test database): `[WARNING]: Module did not set no_log for unsafe_login_password` --- roles/mariadb/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 205e0eea04..f329616f62 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -69,5 +69,6 @@ mysql_db: name: test state: absent + no_log: true when: not sites_using_remote_db | count From 2ae67c439ba4991906e1c8564dbaabe7add49afc Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sun, 11 Oct 2020 16:47:09 +0100 Subject: [PATCH 254/416] Deploy: Set `.env` file permission to `0600` --- roles/deploy/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 35cc39d58c..61a5ad7b62 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -20,6 +20,7 @@ project_templates: - name: .env config src: roles/deploy/templates/env.j2 dest: .env + mode: '0600' # The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`. # For example a sessions directory or an uploads folder. They are created if they don't exist, with the type From 490f04b6f0558549fa01ee0f9bc6ecb9569a13ae Mon Sep 17 00:00:00 2001 
From: TangRufus Date: Thu, 15 Oct 2020 17:52:21 +0100 Subject: [PATCH 255/416] Ansible Lint: Fail if `experimental` rules are failed See: https://github.com/ansible/ansible-lint/issues/1031#issuecomment-687241617 Fix #1231 --- .ansible-lint | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.ansible-lint b/.ansible-lint index b7aefe84fd..959984bdc8 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,4 +1,6 @@ --- +warn_list: [] + skip_list: - 106 # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - 204 # Lines should be no longer than 160 chars From 187e19e4fd10afd283b227715638f89c3aa2dad8 Mon Sep 17 00:00:00 2001 From: Mockey Date: Tue, 20 Oct 2020 14:37:39 +0200 Subject: [PATCH 256/416] Add [arch=amd64] to nginx_ppa --- roles/nginx/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 69433b33fb..4d837762cc 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,7 +1,7 @@ --- nginx_keyserver: "https://nginx.org/keys/nginx_signing.key" nginx_keyserver_id: "ABF5BD827BD9BF62" -nginx_ppa: "deb http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" +nginx_ppa: "deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx From e799e0fdfdb1a5e973c4363af3835a5cdace02d6 Mon Sep 17 00:00:00 2001 From: Mockey Date: Tue, 20 Oct 2020 15:10:19 +0200 Subject: [PATCH 257/416] Use versioned php module for memcached and xdebug --- roles/memcached/defaults/main.yml | 2 +- roles/xdebug/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml index 8bdd3e663a..3fc0f0d733 100644 --- a/roles/memcached/defaults/main.yml +++ b/roles/memcached/defaults/main.yml 
@@ -8,7 +8,7 @@ memcached_port_udp: 0 memcached_packages_default: memcached: "{{ apt_package_state }}" - php-memcached: "{{ apt_package_state }}" + php7.4-memcached: "{{ apt_package_state }}" memcached_packages_custom: {} memcached_packages: "{{ memcached_packages_default | combine(memcached_packages_custom) }}" diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index 3efa2ccfb2..65fde7dd7e 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,4 +1,4 @@ -php_xdebug_package: php-xdebug +php_xdebug_package: php7.4-xdebug # XDebug Remote Debugging xdebug_remote_enable: 0 From 31722f182801b0a265103fe0c913a6f9de466d4a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 24 Oct 2020 16:46:27 -0400 Subject: [PATCH 258/416] Set universal_newlines for renew-certs script Using `universal_newlines` is better for Python 2/3 compatibility since it will return a string and not bytes to ensure it's the same regardless of the version. --- roles/letsencrypt/templates/renew-certs.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 1dc215f298..72106e3611 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -39,7 +39,7 @@ ).format(csr_path) try: - new_bundled_cert = check_output(cmd, stderr=STDOUT, shell=True) + new_bundled_cert = check_output(cmd, stderr=STDOUT, shell=True, universal_newlines=True) except CalledProcessError as e: failed = True print('Error while generating certificate for {}\n{}'.format(site, e.output), file=sys.stderr) From 9e89a072665e271d31f0bd80c2801ed82e2a0cbc Mon Sep 17 00:00:00 2001 
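Review bot: The call keeps `shell=True` on a command string built with `.format(csr_path)`, so any shell metacharacter in that path would be interpreted by the shell. The command is assembled above the hunk, so whether it needs shell features cannot be seen here. If it does not, an argument list without `shell=True` is the safer form; otherwise quote the value, e.g. `.format(shlex.quote(csr_path))` (`pipes.quote` on Python 2). Note also that `stderr=STDOUT` folds diagnostics into `new_bundled_cert`; if that value is later written out as the certificate, stray warnings would end up in the file.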
From: Scott Walkinshaw Date: Sun, 25 Oct 2020 19:23:16 -0400 Subject: [PATCH 259/416] Remove prestissimo from composer_global_packages `hirak/prestissimo` is a composer plugin that speeded up `composer install` by downloading packages in parallel. It's not incompatible with Composer 2.0 and not needed since 2.0 has parallel downloading built-in. --- CHANGELOG.md | 1 + group_vars/all/main.yml | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5cc1f246e4..e2be3ddadb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Remove prestissimo for Composer 2.0 support ([#1247](https://github.com/roots/trellis/pull/1247)) * Allow WP cron intervals to be configurable ([#1222](https://github.com/roots/trellis/pull/1222)) * Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215)) * Fix usage of `ANSIBLE_CONFIG` env var ([#1217](https://github.com/roots/trellis/pull/1217)) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 333aae75df..e6c5b416f6 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1,6 +1,4 @@ composer_keep_updated: true -composer_global_packages: - - { name: hirak/prestissimo } apt_cache_valid_time: 3600 apt_package_state: present apt_security_package_state: latest From fc0aa1351ce3f0c86d7c6bf6a22b30ef760822e3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 5 Nov 2020 22:56:19 -0500 Subject: [PATCH 260/416] v1.6.0 --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2be3ddadb..6ff29294c6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,6 @@ ### HEAD + +### 1.6.0: November 5th, 2020 * Remove prestissimo for Composer 2.0 support ([#1247](https://github.com/roots/trellis/pull/1247)) * Allow WP cron intervals to be configurable ([#1222](https://github.com/roots/trellis/pull/1222)) * Remove default Vagrant SMB credentials ([#1215](https://github.com/roots/trellis/pull/1215)) From 6bfb56f7a16613fdd0319b7195edfe42713ea8cd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 22 Jun 2020 22:51:12 -0400 Subject: [PATCH 261/416] Ubuntu 20.04 support Officially support and recommend Ubuntu 20.04 Focal. The only tangible change is bumping the Vagrant box from 18.04 to 20.04. Trellis has been made compatible with 20.04 already. --- CHANGELOG.md | 1 + roles/common/tasks/main.yml | 8 +++++--- vagrant.default.yml | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6ff29294c6..0bd367d526 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197)) ### 1.6.0: November 5th, 2020 * Remove prestissimo for Composer 2.0 support ([#1247](https://github.com/roots/trellis/pull/1247)) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 1559a76a89..971ca45ead 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -67,7 +67,9 @@ - name: Validate Ubuntu version debug: msg: | - Trellis is built for Ubuntu 18.04 Bionic as of https://github.com/roots/trellis/pull/992 + Ubuntu 18.04 Bionic is the minimum supported version of Ubuntu in Trellis 1.0+ (as of https://github.com/roots/trellis/pull/992) + + 20.04 Focal is the recommend version for Trellis 1.7+ (as of https://github.com/roots/trellis/pull/1197) Your Ubuntu version is {{ ansible_distribution_version }} {{ ansible_distribution_release }} 
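Review bot: The new message line in `roles/common/tasks/main.yml` reads `20.04 Focal is the recommend version for Trellis 1.7+`; it should say `recommended`. The task is a `debug`, so as far as these hunks show it only prints the text. If an unsupported release should stop the play, that needs a `fail` task. The task continues in the next hunk of the same file.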
@@ -77,8 +79,8 @@ Development via Vagrant: `vagrant destroy && vagrant up` - Staging/Production: Create a new server with Ubuntu 18.04 and provision - when: ansible_distribution_release != 'bionic' + Staging/Production: Create a new server with Ubuntu 20.04 and provision + when: ansible_distribution_version is version('18.04', '<') - name: Check whether passlib is needed fail: diff --git a/vagrant.default.yml b/vagrant.default.yml index a41258b078..96361bc6c4 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -2,7 +2,7 @@ vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB -vagrant_box: 'bento/ubuntu-18.04' +vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 201807.12.0' vagrant_ansible_version: '2.8.0' vagrant_skip_galaxy: false From b53ca37675440603eb01582eaa9fc0007801e5ef Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 10 Nov 2020 11:55:43 -0500 Subject: [PATCH 262/416] Validate that letsencrypt_contact_emails is a list We already validate that `letsencrypt_contact_emails` needs to be defined. This further validates that it's defined as a list and not a string. --- roles/letsencrypt/tasks/setup.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index dd6c9f721d..48c3221cf3 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -2,10 +2,10 @@ - name: Fail if letsencrypt_contact_emails is not defined fail: msg: > - Error: the required `letsencrypt_contact_emails` variable is not defined. + Error: the required `letsencrypt_contact_emails` variable is not defined or invalid. - Please define it in `groups_vars/all/main.yml` with at least one email: + Please define it in `groups_vars/all/main.yml` with at least one email (as a list/array, *not* a string): letsencrypt_contact_emails: - changeme@example.com 
@@ -19,7 +19,7 @@ Since Trellis attempts to renew certificates after {{ letsencrypt_min_renewal_age }} days ({{ 90 - letsencrypt_min_renewal_age }} days before renewal), getting an expiry notice email means something has gone wrong giving you enough notice to fix the problem. - when: letsencrypt_contact_emails is not defined + when: (letsencrypt_contact_emails is not defined) or (letsencrypt_contact_emails is string) - name: Create directories and set permissions file: From b6d6ee744ab4469c72ef8878efe7f3987b7d58de Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 13 Nov 2020 12:09:45 -0500 Subject: [PATCH 263/416] Update CHANGELOG --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0bd367d526..a244a165b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ ### HEAD +* Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) + +### 1.7.0: November 9th, 2020 * Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197)) ### 1.6.0: November 5th, 2020 From f5c412198aa90ee99c51df4b4dd466587f7ef9b5 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 24 Nov 2020 01:40:17 +0100 Subject: [PATCH 264/416] Manually update Ansible Galaxy role `geerlingguy.composer` --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 10708826e3..cfab8eb28c 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,6 +1,6 @@ - name: composer src: geerlingguy.composer - version: 1.7.6 + version: 1.9.0 - name: ntp src: geerlingguy.ntp From 9ed0571c2d4dba43e291dd97f8927f9e85321c91 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 24 Nov 2020 01:41:27 +0100 Subject: [PATCH 265/416] Manually update Ansible Galaxy role `geerlingguy.ntp` --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index cfab8eb28c..809b05c851 100644 
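Review bot: The new `when:` rejects an undefined or string value but still lets an empty list through, although the message asks for at least one email. If an empty list is indeed invalid, adding `or (letsencrypt_contact_emails | length == 0)` closes that gap. The task name still reads `Fail if letsencrypt_contact_emails is not defined`, which no longer describes the check; `Fail if letsencrypt_contact_emails is not a non-empty list` would. The `name:` line belongs to the previous hunk of the same file.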
--- a/galaxy.yml +++ b/galaxy.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 2.0.0 + version: 2.2.0 - name: logrotate src: nickhammond.logrotate From 8f10dec1cadb00cdb76544e37a1b5519abef2920 Mon Sep 17 00:00:00 2001 From: Raphael Date: Tue, 24 Nov 2020 01:42:49 +0100 Subject: [PATCH 266/416] Manually update Ansible Galaxy role `oefenweb.swapfile` --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 809b05c851..5004ac69b6 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -12,7 +12,7 @@ - name: swapfile src: oefenweb.swapfile - version: v2.0.26 + version: v2.0.32 - name: mailhog src: geerlingguy.mailhog From 68df1f5f9568a0083f74b97388395c7a1051eb3b Mon Sep 17 00:00:00 2001 From: arusa Date: Mon, 21 Dec 2020 09:53:48 +0100 Subject: [PATCH 267/416] Fix security issue with empty password If no password is defined for user "web", insert "!" to disable authentication without a password. --- roles/users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index a628ee17f9..f4eda4025c 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -33,7 +33,7 @@ name: "{{ item.name }}" group: "{{ item.groups[0] }}" groups: "{{ item.groups | join(',') }}" - password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", (user.salt | default(""))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ None }}{% endfor %}' + password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", (user.salt | default(""))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ "!" }}{% endfor %}' state: present shell: /bin/bash update_password: "{{ item.update_password | default('always') }}" 
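Review bot: The `"!"` fallback in `roles/users/tasks/main.yml` is easy to miss inside the one-line Jinja expression, and nothing in the file says why it is there. A comment above `password:` would keep a later edit from reverting it, e.g. `# "!" locks the password when vault_users defines none, so the account cannot be used with an empty password`. On the same line, `user.salt | default("")` passes an empty salt when none is set. If `password_hash` then picks a random salt (worth confirming for the Ansible version in use), the hash changes on every run and the task always reports `changed`. The task starts above the hunk.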
From 715f17bc5efa9ce7f3d1419a07b95c1453d2dd25 Mon Sep 17 00:00:00 2001 From: Mike iLL Kilmer Date: Mon, 21 Dec 2020 14:48:06 -0600 Subject: [PATCH 268/416] Update README.md Update to Ubuntu 20 Focal. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6e4e6cd7d3..4528a8f904 100644 --- a/README.md +++ b/README.md @@ -58,7 +58,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. Trellis will configure a server with the following and more: -- Ubuntu 18.04 Bionic LTS +- Ubuntu 20.04 Focal LTS - Nginx (with optional FastCGI micro-caching) - PHP 7.4 - MariaDB (a drop-in MySQL replacement) From 5bcf3029236aef688f898836318c0d56b0c3fefc Mon Sep 17 00:00:00 2001 From: Andrew Kovalyov Date: Sun, 10 Jan 2021 23:05:43 +0200 Subject: [PATCH 269/416] Add config for PHP CLI --- roles/php/tasks/main.yml | 9 +++++++-- roles/php/templates/php-cli.ini.j2 | 20 +++++++++++++++++++ .../templates/{php.ini.j2 => php-fpm.ini.j2} | 0 3 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 roles/php/templates/php-cli.ini.j2 rename roles/php/templates/{php.ini.j2 => php-fpm.ini.j2} (100%) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 3914ab70ed..520613958e 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -45,8 +45,13 @@ when: php72_status.stat.exists notify: reload php-fpm -- name: PHP configuration file +- name: Copy PHP-FPM configuration file template: - src: php.ini.j2 + src: php-fpm.ini.j2 dest: /etc/php/7.4/fpm/php.ini notify: reload php-fpm + +- name: Copy PHP CLI configuration file + template: + src: php-fpm.ini.j2 + dest: /etc/php/7.4/cli/php.ini diff --git a/roles/php/templates/php-cli.ini.j2 b/roles/php/templates/php-cli.ini.j2 new file mode 100644 index 0000000000..a1e90f314b --- /dev/null +++ b/roles/php/templates/php-cli.ini.j2 
@@ -0,0 +1,20 @@ +; {{ ansible_managed }} + +[PHP] +error_reporting = {{ php_error_reporting }} +sendmail_path = {{ php_sendmail_path }} +track_errors = {{ php_track_errors }} +expose_php = Off +date.timezone = {{ php_timezone }} + +[mysqlnd] +mysqlnd.collect_memory_statistics = {{ php_mysqlnd_collect_memory_statistics }} + +[opcache] +opcache.enable = {{ php_opcache_enable }} +opcache.enable_cli = {{ php_opcache_enable_cli }} +opcache.memory_consumption = {{ php_opcache_memory_consumption }} +opcache.interned_strings_buffer = {{ php_opcache_interned_strings_buffer }} +opcache.max_accelerated_files = {{ php_opcache_max_accelerated_files }} +opcache.revalidate_freq = {{ php_opcache_revalidate_freq }} +opcache.fast_shutdown = {{ php_opcache_fast_shutdown }} diff --git a/roles/php/templates/php.ini.j2 b/roles/php/templates/php-fpm.ini.j2 similarity index 100% rename from roles/php/templates/php.ini.j2 rename to roles/php/templates/php-fpm.ini.j2 From 21913ffbe720d1b6dac5bf7d031b03045f0a56aa Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 10 Jan 2021 17:00:11 -0500 Subject: [PATCH 270/416] Add #1261 to CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a244a165b8..a720a3a05e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### HEAD * Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) +* Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261)) ### 1.7.0: November 9th, 2020 * Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197)) From 2f9479a7a6a7f1009b639850c2629583bd5829a9 Mon Sep 17 00:00:00 2001 From: Andrew Kovalyov Date: Mon, 11 Jan 2021 11:39:09 +0200 Subject: [PATCH 271/416] Use correct template file for PHP CLI env --- roles/php/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 520613958e..e706517d29 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -53,5 +53,5 @@ - name: Copy PHP CLI configuration file template: - src: php-fpm.ini.j2 + src: php-cli.ini.j2 dest: /etc/php/7.4/cli/php.ini From 31fb95030debc8f8a13cde5d61e578d848cf46d3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 14 Jan 2021 22:30:12 -0500 Subject: [PATCH 272/416] Remove PHP option track_errors `track_errors` was deprecated as of PHP 7.2 so we're removing it entirely. --- CHANGELOG.md | 1 + group_vars/development/php.yml | 1 - roles/php/defaults/main.yml | 1 - roles/php/templates/php-cli.ini.j2 | 1 - roles/php/templates/php-fpm.ini.j2 | 1 - 5 files changed, 1 insertion(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a720a3a05e..194f5c6ed0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264)) * Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) * Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261)) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 7b9af47888..4641858f1e 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -1,7 +1,6 @@ php_error_reporting: 'E_ALL' php_display_errors: 'On' php_display_startup_errors: 'On' -php_track_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 169df595ce..879d8ec3c0 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml 
@@ -32,7 +32,6 @@ php_session_save_path: /tmp php_session_cookie_httponly: 'On' php_session_cookie_secure: 'Off' php_upload_max_filesize: 25M -php_track_errors: 'Off' php_timezone: '{{ ntp_timezone }}' php_output_buffering: 'Off' diff --git a/roles/php/templates/php-cli.ini.j2 b/roles/php/templates/php-cli.ini.j2 index a1e90f314b..389f042f57 100644 --- a/roles/php/templates/php-cli.ini.j2 +++ b/roles/php/templates/php-cli.ini.j2 @@ -3,7 +3,6 @@ [PHP] error_reporting = {{ php_error_reporting }} sendmail_path = {{ php_sendmail_path }} -track_errors = {{ php_track_errors }} expose_php = Off date.timezone = {{ php_timezone }} diff --git a/roles/php/templates/php-fpm.ini.j2 b/roles/php/templates/php-fpm.ini.j2 index 84fe207c2e..8ff098f656 100644 --- a/roles/php/templates/php-fpm.ini.j2 +++ b/roles/php/templates/php-fpm.ini.j2 @@ -13,7 +13,6 @@ sendmail_path = {{ php_sendmail_path }} session.save_path = {{ php_session_save_path }} session.cookie_httponly = {{ php_session_cookie_httponly }} session.cookie_secure = {{ php_session_cookie_secure }} -track_errors = {{ php_track_errors }} upload_max_filesize = {{ php_upload_max_filesize }} expose_php = Off date.timezone = {{ php_timezone }} From 531cf8b81463d2f2d105aa2d814c783b19e42278 Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 21 Jan 2021 00:14:40 +0000 Subject: [PATCH 273/416] Extend failed connection to remote repo msg Due to no_log for git clone on deploy you are unable to see the exact output error message, adding the branch being used to the fail message may help when incorrect branch name is used. --- roles/deploy/tasks/update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index d85ff6a963..ad3780a7d1 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml 
@@ -35,7 +35,7 @@ - name: Failed connection to remote repo fail: msg: | - Git repo {{ project.repo }} cannot be accessed. Please verify the repository exists and you have SSH forwarding set up correctly. + Git repo {{ project.repo }} on branch {{ project_version }} cannot be accessed. Please verify the repository/branch are correct and you have SSH forwarding set up correctly. More info: > https://roots.io/trellis/docs/deploys/#ssh-keys > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding From e80438bc22d7981176ea4aacf5d73844b7586538 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 20 Jan 2021 23:12:45 -0500 Subject: [PATCH 274/416] CHANGELOG for #1265 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 194f5c6ed0..b67c312a51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Improved repo connection failure message on deploys ([#1265](https://github.com/roots/trellis/pull/1265)) * Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264)) * Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) * Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261)) From 457e890365d455d1be842b315e3c65e6940f225c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 20 Jan 2021 23:14:40 -0500 Subject: [PATCH 275/416] v1.7.1 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b67c312a51..d56f627325 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,8 +1,9 @@ -### HEAD +### 1.7.1: January 20th, 2021 * Improved repo connection failure message on deploys ([#1265](https://github.com/roots/trellis/pull/1265)) * Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264)) * Validate that `letsencrypt_contact_emails` is a list ([#1250](https://github.com/roots/trellis/pull/1250)) * Add config for PHP CLI ([#1261](https://github.com/roots/trellis/pull/1261)) +* Fix security issue with empty password ([#1256](https://github.com/roots/trellis/pull/1256)) ### 1.7.0: November 9th, 2020 * Officially support Ubuntu 20.04 (and default Vagrant to it) ([#1197](https://github.com/roots/trellis/pull/1197)) From 68e313ffc1a2c34badfcc22cda6a5aaba11ec2f9 Mon Sep 17 00:00:00 2001 From: Adam Bergman Date: Wed, 27 Jan 2021 05:08:59 +0100 Subject: [PATCH 276/416] Migrate to Xdebug v3 (#1260) --- group_vars/development/php.yml | 5 +++-- roles/xdebug-tunnel/defaults/main.yml | 4 ++-- roles/xdebug/defaults/main.yml | 28 +++++++++----------------- roles/xdebug/tasks/main.yml | 9 --------- roles/xdebug/templates/xdebug.ini.j2 | 29 +++++++++------------------ 5 files changed, 25 insertions(+), 50 deletions(-) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 4641858f1e..f4b4a726ad 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -4,5 +4,6 @@ php_display_startup_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 -xdebug_remote_enable: 1 -xdebug_remote_connect_back: 1 +xdebug_mode: 'debug' +xdebug_start_with_request: 'yes' +xdebug_discover_client_host: 1 diff --git a/roles/xdebug-tunnel/defaults/main.yml b/roles/xdebug-tunnel/defaults/main.yml index 764f6a43fa..3623b4ac55 100644 --- a/roles/xdebug-tunnel/defaults/main.yml +++ b/roles/xdebug-tunnel/defaults/main.yml 
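Review bot: In `group_vars/development/php.yml`, `xdebug_start_with_request: 'yes'` together with `xdebug_discover_client_host: 1` makes Xdebug open a debug connection on every request. The connection goes to a client address derived from the request itself rather than the fixed `xdebug_client_host`. That is reasonable on a private Vagrant VM, but a development host reachable by others would offer debugging sessions to whoever sends a request. A comment above the three settings would record the constraint, e.g. `# Development only: Xdebug connects back to the requesting client; do not enable on a network-reachable host`.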
@@ -1,6 +1,6 @@ -xdebug_tunnel_remote_port: 9000 +xdebug_tunnel_remote_port: 9003 xdebug_tunnel_host: localhost -xdebug_tunnel_local_port: 9000 +xdebug_tunnel_local_port: 9003 xdebug_tunnel_control_socket: /tmp/trellis-xdebug-{{ xdebug_tunnel_inventory_host }} xdebug_tunnel_control_identity: "{{ ansible_user_id }}" diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index 65fde7dd7e..a0574668c4 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,14 +1,17 @@ php_xdebug_package: php7.4-xdebug +# XDebug Generic +xdebug_output_dir: /tmp +xdebug_trigger_value: + # XDebug Remote Debugging -xdebug_remote_enable: 0 -xdebug_remote_connect_back: 0 -xdebug_remote_autostart: 0 -xdebug_remote_host: localhost -xdebug_remote_port: 9000 -xdebug_remote_log: /tmp/xdebug.log +xdebug_mode: 'off' +xdebug_start_with_request: 'no' +xdebug_discover_client_host: 0 +xdebug_client_host: localhost +xdebug_client_port: 9003 +xdebug_log: /tmp/xdebug.log xdebug_idekey: XDEBUG -xdebug_extended_info: 1 xdebug_max_nesting_level: 200 # XDebug Display Settings @@ -21,24 +24,13 @@ xdebug_var_display_max_depth: 3 # XDebug Function/Stack Traces xdebug_collect_assignments: 0 -xdebug_collect_includes: 1 -xdebug_collect_params: 0 xdebug_collect_return: 0 -xdebug_collect_vars: 0 xdebug_show_exception_trace: 0 xdebug_show_local_vars: 0 -xdebug_show_mem_delta: 0 -xdebug_trace_enable_trigger: 0 -xdebug_trace_enable_trigger_value: xdebug_trace_format: 0 xdebug_trace_options: 0 -xdebug_trace_output_dir: /tmp xdebug_trace_output_name: trace.%c # XDebug Profiler xdebug_profiler_append: 0 -xdebug_profiler_enable: 0 -xdebug_profiler_enable_trigger: 0 -xdebug_profiler_enable_trigger_value: -xdebug_profiler_output_dir: /tmp xdebug_profiler_output_name: cachegrind.out.%p diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 6463d234e0..9ef22ccab6 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
@@ -19,15 +19,6 @@ state: link notify: reload php-fpm - when: xdebug_remote_enable | bool - -- name: Disable Xdebug - file: - path: /etc/php/7.4/fpm/conf.d/20-xdebug.ini - state: absent - when: not xdebug_remote_enable | bool - notify: reload php-fpm - - name: Disable Xdebug CLI file: path: /etc/php/7.4/cli/conf.d/20-xdebug.ini diff --git a/roles/xdebug/templates/xdebug.ini.j2 b/roles/xdebug/templates/xdebug.ini.j2 index 3490bc1d9b..fb8a18c951 100644 --- a/roles/xdebug/templates/xdebug.ini.j2 +++ b/roles/xdebug/templates/xdebug.ini.j2 @@ -3,16 +3,18 @@ [XDebug] zend_extension=xdebug.so +; Generic +xdebug.output_dir={{ xdebug_output_dir }} +xdebug.trigger_value={{ xdebug_trigger_value }} + ; Remote Debugging -xdebug.remote_enable={{ xdebug_remote_enable }} -xdebug.remote_connect_back={{ xdebug_remote_connect_back }} -xdebug.remote_autostart={{ xdebug_remote_autostart }} -xdebug.remote_host={{ xdebug_remote_host }} -xdebug.remote_port={{ xdebug_remote_port }} -xdebug.remote_handler=dbgp -xdebug.remote_log={{ xdebug_remote_log }} +xdebug.mode={{ xdebug_mode }} +xdebug.start_with_request={{ xdebug_start_with_request }} +xdebug.discover_client_host={{ xdebug_discover_client_host }} +xdebug.client_host={{ xdebug_client_host }} +xdebug.client_port={{ xdebug_client_port }} +xdebug.log={{ xdebug_log }} xdebug.idekey={{ xdebug_idekey }} -xdebug.extended_info={{ xdebug_extended_info }} xdebug.max_nesting_level={{ xdebug_max_nesting_level }} ; Display Settings 
@@ -25,24 +27,13 @@ xdebug.var_display_max_depth={{ xdebug_var_display_max_depth }} ; Function/Stack Traces xdebug.collect_assignments={{ xdebug_collect_assignments }} -xdebug.collect_includes={{ xdebug_collect_includes }} -xdebug.collect_params={{ xdebug_collect_params }} xdebug.collect_return={{ xdebug_collect_return }} -xdebug.collect_vars={{ xdebug_collect_vars }} xdebug.show_exception_trace={{ xdebug_show_exception_trace }} xdebug.show_local_vars={{ xdebug_show_local_vars }} -xdebug.show_mem_delta={{ xdebug_show_mem_delta }} -xdebug.trace_enable_trigger={{ xdebug_trace_enable_trigger }} -xdebug.trace_enable_trigger_value={{ xdebug_trace_enable_trigger_value }} xdebug.trace_format={{ xdebug_trace_format }} xdebug.trace_options={{ xdebug_trace_options }} -xdebug.trace_output_dir={{ xdebug_trace_output_dir }} xdebug.trace_output_name={{ xdebug_trace_output_name }} ; Profiler xdebug.profiler_append={{ xdebug_profiler_append }} -xdebug.profiler_enable={{ xdebug_profiler_enable }} -xdebug.profiler_enable_trigger={{ xdebug_profiler_enable_trigger }} -xdebug.profiler_enable_trigger_value={{ xdebug_profiler_enable_trigger_value }} -xdebug.profiler_output_dir={{ xdebug_profiler_output_dir }} xdebug.profiler_output_name={{ xdebug_profiler_output_name }} From 7b7a35e69d218fb3ade76173f11d466226107cd2 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 26 Jan 2021 23:09:45 -0500 Subject: [PATCH 277/416] Remove unnecessary block --- roles/xdebug/tasks/main.yml | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 9ef22ccab6..690c459baa 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
@@ -1,23 +1,22 @@ --- -- block: - - name: Install Xdebug - apt: - name: "{{ php_xdebug_package }}" - state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" - cache_valid_time: "{{ apt_cache_valid_time }}" +- name: Install Xdebug + apt: + name: "{{ php_xdebug_package }}" + state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" + cache_valid_time: "{{ apt_cache_valid_time }}" - - name: Template the Xdebug configuration file - template: - src: xdebug.ini.j2 - dest: /etc/php/7.4/mods-available/xdebug.ini - notify: reload php-fpm +- name: Template the Xdebug configuration file + template: + src: xdebug.ini.j2 + dest: /etc/php/7.4/mods-available/xdebug.ini + notify: reload php-fpm - - name: Ensure 20-xdebug.ini is present - file: - src: /etc/php/7.4/mods-available/xdebug.ini - dest: /etc/php/7.4/fpm/conf.d/20-xdebug.ini - state: link - notify: reload php-fpm +- name: Ensure 20-xdebug.ini is present + file: + src: /etc/php/7.4/mods-available/xdebug.ini + dest: /etc/php/7.4/fpm/conf.d/20-xdebug.ini + state: link + notify: reload php-fpm - name: Disable Xdebug CLI file: From cdc7260cef400a64eca08adf147cf759e0872eef Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 26 Jan 2021 23:10:45 -0500 Subject: [PATCH 278/416] CHANGELOG for #1260 --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d56f627325..0cf496b765 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Migrate to Xdebug 3 ([#1260](https://github.com/roots/trellis/pull/1260)) + ### 1.7.1: January 20th, 2021 * Improved repo connection failure message on deploys ([#1265](https://github.com/roots/trellis/pull/1265)) * Fix #1263 - Remove deprecated PHP option `track_errors` ([#1264](https://github.com/roots/trellis/pull/1264)) From 0478098f4169c256d5a8b564114e63ade62a60c9 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Fri, 29 Jan 2021 20:22:31 -0500 Subject: [PATCH 279/416] Bump vagrant_ansible_version --- vagrant.default.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vagrant.default.yml b/vagrant.default.yml index 96361bc6c4..6fa047ecff 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 201807.12.0' -vagrant_ansible_version: '2.8.0' +vagrant_ansible_version: '2.9.10' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From b38b83d793855537d48f563f0053d3f2843a8b33 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 29 Jan 2021 20:34:58 -0500 Subject: [PATCH 280/416] Vagrant: use python3 Pip doesn't support Python2 anymore so we're defaulting Vagrant to python3. This defines a new config option `vagrant_ansible_python_interpreter` which defaults to `/usr/bin/python3`. --- Vagrantfile | 16 ++-------------- vagrant.default.yml | 3 ++- 2 files changed, 4 insertions(+), 15 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 4e09cd5175..016f43c149 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -117,23 +117,11 @@ Vagrant.configure('2') do |config| provisioner = local_provisioning? ? :ansible_local : :ansible provisioning_path = local_provisioning? ? ANSIBLE_PATH_ON_VM : ANSIBLE_PATH - # Fix for https://github.com/hashicorp/vagrant/issues/10914 - if local_provisioning? - config.vm.provision 'shell', inline: <<~SHELL - sudo apt-get update -y -qq && - sudo dpkg-reconfigure libc6 && - export DEBIAN_FRONTEND=noninteractive && - sudo -E apt-get -q --option \"Dpkg::Options::=--force-confold\" --assume-yes install libssl1.1 - SHELL - end - config.vm.provision provisioner do |ansible| if local_provisioning? + ansible.extra_vars = { ansible_python_interpreter: vconfig.fetch('vagrant_ansible_python_interpreter') } ansible.install_mode = 'pip' - if Vagrant::VERSION >= '2.2.5' - # Fix for https://github.com/hashicorp/vagrant/issues/10950 - ansible.pip_install_cmd = 'curl https://bootstrap.pypa.io/get-pip.py | sudo python' - end + ansible.pip_install_cmd = 'sudo apt-get install -y -qq python3-distutils && curl https://bootstrap.pypa.io/get-pip.py | sudo python3' ansible.provisioning_path = provisioning_path ansible.version = vconfig.fetch('vagrant_ansible_version') end diff --git a/vagrant.default.yml b/vagrant.default.yml index 6fa047ecff..7ff8284984 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -3,8 +3,9 @@ vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' -vagrant_box_version: '>= 201807.12.0' +vagrant_box_version: '>= 202012.23.0' vagrant_ansible_version: '2.9.10' +vagrant_ansible_python_interpreter: '/usr/bin/python3' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From 21b3f720bf88307ebb1cd42edc14c57162430a37 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 29 Jan 2021 23:15:28 -0500 Subject: [PATCH 281/416] Update CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0cf496b765..f5f19b86f3 100644 --- a/CHANGELOG.md 
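Review bot: The new `ansible.pip_install_cmd` pipes `curl https://bootstrap.pypa.io/get-pip.py` straight into `sudo python3`, so whatever the server returns runs as root with no integrity check, and without `-f` an HTTP error body would reach the interpreter as well. Ubuntu 20.04, the box named in vagrant.default.yml, packages pip, so `ansible.pip_install_cmd = 'sudo apt-get install -y -qq python3-pip'` would obtain it through apt's signed repositories; confirm first that the packaged pip is recent enough for the pinned Ansible version. If the bootstrap script has to stay, fetch it with `curl -fsSL` to a file, compare it against a pinned checksum, and only then run it. The `config.vm.provision` block continues past the end of the hunk.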
+++ b/CHANGELOG.md @@ -1,4 +1,6 @@ ### HEAD +* Use Python 3 for `ansible_local` Vagrant provisioner ([#1269](https://github.com/roots/trellis/pull/1269)) +* Bump `vagrant_ansible_version` to `2.9.10` ([#1268](https://github.com/roots/trellis/pull/1268)) * Migrate to Xdebug 3 ([#1260](https://github.com/roots/trellis/pull/1260)) ### 1.7.1: January 20th, 2021 From 23cf10806dc6991b0b96ad2980f8a5c06bc756e7 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 6 Feb 2021 00:17:34 -0500 Subject: [PATCH 282/416] Set file permissions explicitly Fixes ansible-lint violations --- roles/deploy/defaults/main.yml | 6 +++--- roles/deploy/tasks/build.yml | 2 +- roles/deploy/tasks/prepare.yml | 4 ++-- roles/deploy/tasks/share.yml | 8 ++++---- roles/fail2ban/tasks/main.yml | 4 +++- roles/ferm/tasks/main.yml | 2 ++ roles/letsencrypt/tasks/nginx.yml | 4 +++- roles/letsencrypt/tasks/setup.yml | 6 ++++-- roles/mariadb/tasks/main.yml | 1 + roles/memcached/tasks/main.yml | 1 + roles/nginx/tasks/main.yml | 3 +++ roles/php/tasks/main.yml | 2 ++ roles/rollback/tasks/main.yml | 1 + roles/ssmtp/tasks/main.yml | 2 ++ roles/wordpress-install/tasks/directories.yml | 1 + roles/wordpress-install/tasks/dotenv.yml | 2 +- roles/wordpress-setup/tasks/main.yml | 1 + roles/wordpress-setup/tasks/nginx-includes.yml | 1 + roles/wordpress-setup/tasks/nginx.yml | 3 +++ roles/wordpress-setup/tasks/self-signed-certificate.yml | 3 ++- roles/wp-cli/tasks/main.yml | 2 +- roles/xdebug/tasks/main.yml | 1 + 22 files changed, 43 insertions(+), 17 deletions(-) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 61a5ad7b62..48174a8d3c 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml 
@@ -20,7 +20,7 @@ project_templates: - name: .env config src: roles/deploy/templates/env.j2 dest: .env - mode: '0600' + mode: 0600 # The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`. # For example a sessions directory or an uploads folder. They are created if they don't exist, with the type @@ -29,8 +29,8 @@ project_templates: # project_shared_children: # - path: app/sessions # src: sessions -# mode: '0755' // <- optional, must be quoted, defaults to `'0755'` if `directory` or `'0644'` if `file` -# type: directory // <- optional, defaults to `directory`, options: `directory` or `file` +# mode: 0755 // <- optional, use an octal number starting with 0 or quote it, defaults to `0755` if `directory` or `0644` if `file` +# type: directory // <- optional, defaults to `directory`, options: `directory` or `file` project_shared_children: - path: web/app/uploads src: uploads diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index d5a99316c5..b9fc2f2c03 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -17,7 +17,7 @@ template: src: "{{ item.src }}" dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}" - mode: "{{ item.mode | default('0644') }}" + mode: "{{ item.mode | default(0644) }}" with_items: "{{ project.project_templates | default(project_templates) }}" - name: Check if project folders exist diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 2567d7986e..8af8bd223d 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -27,7 +27,7 @@ - name: Create new release dir file: path: "{{ deploy_helper.new_release_path }}" - mode: '0755' + mode: 0755 state: directory - name: Run git archive to populate new build dir 
@@ -51,7 +51,7 @@ - name: write unfinished file file: path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" - mode: '0744' + mode: 0744 state: touch - name: Check if deploy_prepare_after scripts exist diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 12da9836c2..ac76b09f2f 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -17,7 +17,7 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: directory - mode: "{{ item.mode | default('0755') }}" + mode: "{{ item.mode | default(0755) }}" with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'directory' @@ -25,7 +25,7 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}" state: directory - mode: '0755' + mode: 0755 with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' @@ -33,14 +33,14 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: touch - mode: "{{ item.mode | default('0644') }}" + mode: "{{ item.mode | default(0644) }}" with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" - mode: '0777' + mode: 0777 state: directory with_items: "{{ project.project_shared_children | default(project_shared_children) }}" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 278f0811ab..5f2b8100ad 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -11,6 +11,7 @@ template: src: "{{ item }}.j2" dest: /etc/fail2ban/{{ item }} + mode: 0644 with_items: - jail.local - fail2ban.local 
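Review bot: The "Ensure parent directories for shared paths are present" task in roles/deploy/tasks/share.yml keeps `mode: 0777`, which makes every parent directory created inside the new release world-writable. The other directory tasks in this file use 0755 and nothing visible in the hunk needs write access for other accounts, so `mode: '0755'` looks like the intended value; confirm that no other user writes there before tightening it. The later quoting commit for this file carries the same 0777 forward as `'0777'`.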
@@ -30,12 +31,13 @@ file: path: /etc/fail2ban/filter.d/ state: directory - mode: '0755' + mode: 0755 - name: template fail2ban filters template: src: "{{ item }}" dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" + mode: 0644 with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" notify: restart fail2ban diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index bdbaa0b53d..453ac00112 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -28,6 +28,7 @@ template: src: "{{ item }}.j2" dest: /{{ item }} + mode: 0644 with_items: - etc/default/ferm - etc/ferm/ferm.conf @@ -55,6 +56,7 @@ {% else %} dest=/etc/ferm/filter-input.d/{{ item.weight | default('50') }}_{{ item.type }}_{{ item.dport[0] }}.conf {% endif %} + mode=0644 with_flattened: - "{{ ferm_input_list }}" - "{{ ferm_input_group_list }}" diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 20b97e63b1..d67bfa2e4f 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -3,6 +3,7 @@ template: src: acme-challenge-location.conf.j2 dest: "{{ nginx_path }}/acme-challenge-location.conf" + mode: 0644 - name: Get list of hosts in current Nginx conf shell: | @@ -17,6 +18,7 @@ template: src: nginx-challenge-site.conf.j2 dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf" + mode: 0644 register: challenge_site_confs when: - site_uses_letsencrypt @@ -42,7 +44,7 @@ file: path: "{{ acme_tiny_challenges_directory }}/ping.txt" state: touch - mode: '0644' + mode: 0644 - name: Test Acme Challenges test_challenges: diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 48c3221cf3..942cfc4655 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml 
@@ -28,12 +28,12 @@ state: directory with_items: - path: "{{ acme_tiny_data_directory }}" - mode: '0700' + mode: 0700 - path: "{{ acme_tiny_data_directory }}/csrs" - path: "{{ acme_tiny_software_directory }}" - path: "{{ acme_tiny_challenges_directory }}" - path: "{{ letsencrypt_certs_dir }}" - mode: '0700' + mode: 0700 - name: Clone acme-tiny repository git: @@ -46,12 +46,14 @@ copy: src: "{{ letsencrypt_account_key_source_file }}" dest: "{{ letsencrypt_account_key }}" + mode: 0700 when: letsencrypt_account_key_source_file is defined - name: Copy Lets Encrypt account key source contents copy: content: "{{ letsencrypt_account_key_source_content | trim }}" dest: "{{ letsencrypt_account_key }}" + mode: 0700 when: letsencrypt_account_key_source_content is defined - name: Generate a new account key diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index f329616f62..b1acc09da4 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -29,6 +29,7 @@ dest: /etc/mysql/conf.d owner: root group: root + mode: 0644 when: mysql_binary_logging_disabled | bool notify: restart mysql server diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 359ee645f3..0b54161bae 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -10,6 +10,7 @@ template: src: memcached.conf.j2 dest: /etc/memcached.conf + mode: 0644 notify: restart memcached - name: Set the max open file descriptors diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index f97d720b2d..e0176a8ffb 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -19,6 +19,7 @@ file: path: "{{ nginx_path }}/{{ item }}" state: directory + mode: 0755 with_items: - sites-available - sites-enabled 
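Review bot: Both "Copy Lets Encrypt account key" tasks in roles/letsencrypt/tasks/setup.yml now write the account private key with `mode: 0700`; a key file has no use for the execute bit, and `mode: '0600'` would match the 0600 that certificates.yml sets on the site private keys. Neither task sets `owner` or `group`, so the key belongs to whichever user the play runs as; stating them explicitly would make that deliberate. The "Generate a new account key" task that follows is outside the hunk, so check that it ends up with the same mode. The later quoting commit keeps 0700 for these two tasks.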
@@ -42,12 +43,14 @@ copy: src: templates/h5bp dest: "{{ nginx_path }}" + mode: 0755 notify: reload nginx - name: Create nginx.conf template: src: "{{ nginx_conf }}" dest: "{{ nginx_path }}/nginx.conf" + mode: 0644 notify: reload nginx tags: nginx-includes diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index e706517d29..3feda4fd23 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -49,9 +49,11 @@ template: src: php-fpm.ini.j2 dest: /etc/php/7.4/fpm/php.ini + mode: 0644 notify: reload php-fpm - name: Copy PHP CLI configuration file template: src: php-cli.ini.j2 dest: /etc/php/7.4/cli/php.ini + mode: 0644 diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index f8bd6f80c3..44dad91849 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml @@ -30,3 +30,4 @@ file: path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED" state: touch + mode: 0644 diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 9d62055d4d..6b98dc228b 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -9,8 +9,10 @@ template: src: ssmtp.conf.j2 dest: /etc/ssmtp/ssmtp.conf + mode: 0644 - name: ssmtp revaliases configuration template: src: revaliases.j2 dest: /etc/ssmtp/revaliases + mode: 0644 diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 093d3212a6..7070de7392 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml @@ -22,6 +22,7 @@ path: "{{ www_root }}/{{ item.key }}" owner: "{{ web_user }}" group: "{{ web_group }}" + mode: 0755 state: directory recurse: yes with_dict: "{{ wordpress_sites }}" diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml index 5397096992..84b2e3f721 100644 --- a/roles/wordpress-install/tasks/dotenv.yml +++ b/roles/wordpress-install/tasks/dotenv.yml 
@@ -3,7 +3,7 @@ template: src: "env.j2" dest: "/tmp/{{ item.key }}.env" - mode: '0644' + mode: 0644 owner: "{{ web_user }}" group: "{{ web_group }}" with_dict: "{{ wordpress_sites }}" diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index e1e48bbe02..53951327c5 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -27,6 +27,7 @@ template: src: php-fpm.conf.j2 dest: /etc/php/7.4/fpm/pool.d/wordpress.conf + mode: 0644 notify: reload php-fpm - name: Disable default PHP-FPM pool diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 0ea756a397..03885a8a59 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -24,6 +24,7 @@ template: src: "{{ item }}" dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}" + mode: 0644 with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" notify: reload nginx diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index 0f1333fa12..c5e29930c7 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -23,6 +23,7 @@ template: src: "{{ item.src }}" dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" + mode: 0644 with_items: "{{ nginx_sites_confs }}" when: item.enabled | default(true) notify: reload nginx 
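Review bot: The task in roles/wordpress-install/tasks/dotenv.yml renders `env.j2` to `/tmp/{{ item.key }}.env` with `mode: 0644`, which leaves the file world-readable under a fixed name in a shared directory, while the deploy role writes its `.env` at 0600. The template's content is not visible here, but it presumably carries database credentials and salts, so `mode: '0600'` alongside the existing `owner: "{{ web_user }}"` would be consistent with the deploy role. Rendering into a per-run temporary directory instead of a predictable path in /tmp would narrow the exposure further. The task continues past the hunk, so check whether a later step removes the file.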
@@ -52,12 +53,14 @@ template: src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2" dest: "{{ nginx_path }}/acme-challenge-location.conf" + mode: 0644 notify: reload nginx - name: Create WordPress configuration for Nginx template: src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}" dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf" + mode: 0644 with_dict: "{{ wordpress_sites }}" notify: reload nginx tags: nginx-includes diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 193415e7d9..a1601f9361 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -3,12 +3,13 @@ file: path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/" state: directory - mode: "0755" + mode: 0755 - name: Template openssl configs template: src: self-signed-openssl-config.j2 dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" + mode: 0644 with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - sites_use_ssl | bool diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 21494865dc..b0b6aef406 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -19,7 +19,7 @@ copy: src: "{{ wp_cli_pgp_public_key }}" dest: /tmp/wp-cli.pgp.gpg - mode: '0744' + mode: 0744 - name: Verify WP-CLI Phar Signature command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 690c459baa..5b19db0ef4 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
@@ -9,6 +9,7 @@ template: src: xdebug.ini.j2 dest: /etc/php/7.4/mods-available/xdebug.ini + mode: 0644 notify: reload php-fpm - name: Ensure 20-xdebug.ini is present From 2bd826fafe6b6a764b1ae0067c6ab10da9c09585 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Tue, 9 Feb 2021 05:53:29 +0000 Subject: [PATCH 283/416] File permissions: Use strings instead of octal numbers Follow up #1270 Fix: https://discourse.roots.io/t/mode-must-be-in-octal-or-symbolic-form/20038 --- roles/deploy/defaults/main.yml | 4 ++-- roles/deploy/tasks/build.yml | 2 +- roles/deploy/tasks/prepare.yml | 4 ++-- roles/deploy/tasks/share.yml | 8 ++++---- roles/fail2ban/tasks/main.yml | 6 +++--- roles/ferm/tasks/main.yml | 4 ++-- roles/letsencrypt/tasks/certificates.yml | 4 ++-- roles/letsencrypt/tasks/nginx.yml | 6 +++--- roles/letsencrypt/tasks/setup.yml | 8 ++++---- roles/mariadb/tasks/main.yml | 4 ++-- roles/memcached/tasks/main.yml | 2 +- roles/nginx/tasks/main.yml | 8 ++++---- roles/php/tasks/main.yml | 4 ++-- roles/rollback/tasks/main.yml | 2 +- roles/sshd/tasks/main.yml | 4 ++-- roles/ssmtp/tasks/main.yml | 4 ++-- roles/users/tasks/main.yml | 2 +- roles/wordpress-install/tasks/directories.yml | 6 +++--- roles/wordpress-install/tasks/dotenv.yml | 2 +- roles/wordpress-setup/tasks/main.yml | 6 +++--- roles/wordpress-setup/tasks/nginx-client-cert.yml | 2 +- roles/wordpress-setup/tasks/nginx-includes.yml | 4 ++-- roles/wordpress-setup/tasks/nginx.yml | 10 +++++----- .../wordpress-setup/tasks/self-signed-certificate.yml | 4 ++-- roles/wp-cli/tasks/main.yml | 2 +- roles/xdebug/tasks/main.yml | 2 +- 26 files changed, 57 insertions(+), 57 deletions(-) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 48174a8d3c..597fa036b2 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml 
@@ -20,7 +20,7 @@ project_templates: - name: .env config src: roles/deploy/templates/env.j2 dest: .env - mode: 0600 + mode: '0600' # The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`. # For example a sessions directory or an uploads folder. They are created if they don't exist, with the type @@ -29,7 +29,7 @@ project_templates: # project_shared_children: # - path: app/sessions # src: sessions -# mode: 0755 // <- optional, use an octal number starting with 0 or quote it, defaults to `0755` if `directory` or `0644` if `file` +# mode: '0755' // <- optional, use an octal number starting with 0 or quote it, defaults to `'0755'` if `directory` or `'0644'` if `file` # type: directory // <- optional, defaults to `directory`, options: `directory` or `file` project_shared_children: - path: web/app/uploads diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index b9fc2f2c03..d5a99316c5 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -17,7 +17,7 @@ template: src: "{{ item.src }}" dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}" - mode: "{{ item.mode | default(0644) }}" + mode: "{{ item.mode | default('0644') }}" with_items: "{{ project.project_templates | default(project_templates) }}" - name: Check if project folders exist diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 8af8bd223d..2567d7986e 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -27,7 +27,7 @@ - name: Create new release dir file: path: "{{ deploy_helper.new_release_path }}" - mode: 0755 + mode: '0755' state: directory - name: Run git archive to populate new build dir @@ -51,7 +51,7 @@ - name: write unfinished file file: path: "{{ deploy_helper.new_release_path }}/{{ deploy_helper.unfinished_filename }}" - mode: 0744 + mode: '0744' state: touch - name: Check if deploy_prepare_after scripts exist 
diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index ac76b09f2f..12da9836c2 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -17,7 +17,7 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: directory - mode: "{{ item.mode | default(0755) }}" + mode: "{{ item.mode | default('0755') }}" with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'directory' @@ -25,7 +25,7 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}" state: directory - mode: 0755 + mode: '0755' with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' @@ -33,14 +33,14 @@ file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: touch - mode: "{{ item.mode | default(0644) }}" + mode: "{{ item.mode | default('0644') }}" with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" - mode: 0777 + mode: '0777' state: directory with_items: "{{ project.project_shared_children | default(project_shared_children) }}" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 5f2b8100ad..45580f1a3f 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -11,7 +11,7 @@ template: src: "{{ item }}.j2" dest: /etc/fail2ban/{{ item }} - mode: 0644 + mode: '0644' with_items: - jail.local - fail2ban.local 
@@ -31,13 +31,13 @@ file: path: /etc/fail2ban/filter.d/ state: directory - mode: 0755 + mode: '0755' - name: template fail2ban filters template: src: "{{ item }}" dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" - mode: 0644 + mode: '0644' with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" notify: restart fail2ban diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index 453ac00112..2848cb488a 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -19,7 +19,7 @@ file: path: "{{ item }}" state: directory - mode: 0750 + mode: '0750' with_items: - /etc/ferm/ferm.d - /etc/ferm/filter-input.d @@ -28,7 +28,7 @@ template: src: "{{ item }}.j2" dest: /{{ item }} - mode: 0644 + mode: '0644' with_items: - etc/default/ferm - etc/ferm/ferm.conf diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index efc86dc568..110af4219e 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -9,7 +9,7 @@ - name: Ensure correct permissions on private keys file: path: "{{ letsencrypt_keys_dir }}/{{ item.key }}.key" - mode: 0600 + mode: '0600' when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" @@ -39,7 +39,7 @@ template: src: renew-certs.py dest: "{{ acme_tiny_data_directory }}/renew-certs.py" - mode: 0700 + mode: '0700' tags: [wordpress, wordpress-setup, wordpress-setup-nginx, nginx-includes] - name: Generate the certificates diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index d67bfa2e4f..877ed09c92 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -3,7 +3,7 @@ template: src: acme-challenge-location.conf.j2 dest: "{{ nginx_path }}/acme-challenge-location.conf" - mode: 0644 + mode: '0644' - name: Get list of hosts in current Nginx conf shell: | 
@@ -18,7 +18,7 @@ template: src: nginx-challenge-site.conf.j2 dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf" - mode: 0644 + mode: '0644' register: challenge_site_confs when: - site_uses_letsencrypt @@ -44,7 +44,7 @@ file: path: "{{ acme_tiny_challenges_directory }}/ping.txt" state: touch - mode: 0644 + mode: '0644' - name: Test Acme Challenges test_challenges: diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 942cfc4655..c23ba5918d 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -28,12 +28,12 @@ state: directory with_items: - path: "{{ acme_tiny_data_directory }}" - mode: 0700 + mode: '0700' - path: "{{ acme_tiny_data_directory }}/csrs" - path: "{{ acme_tiny_software_directory }}" - path: "{{ acme_tiny_challenges_directory }}" - path: "{{ letsencrypt_certs_dir }}" - mode: 0700 + mode: '0700' - name: Clone acme-tiny repository git: @@ -46,14 +46,14 @@ copy: src: "{{ letsencrypt_account_key_source_file }}" dest: "{{ letsencrypt_account_key }}" - mode: 0700 + mode: '0700' when: letsencrypt_account_key_source_file is defined - name: Copy Lets Encrypt account key source contents copy: content: "{{ letsencrypt_account_key_source_content | trim }}" dest: "{{ letsencrypt_account_key }}" - mode: 0700 + mode: '0700' when: letsencrypt_account_key_source_content is defined - name: Generate a new account key diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index b1acc09da4..4a533a0ba9 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -29,7 +29,7 @@ dest: /etc/mysql/conf.d owner: root group: root - mode: 0644 + mode: '0644' when: mysql_binary_logging_disabled | bool notify: restart mysql server @@ -53,7 +53,7 @@ dest: ~/.my.cnf owner: root group: root - mode: 0600 + mode: '0600' - name: Delete anonymous MySQL server users mysql_user: 
diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 0b54161bae..04bec4ffb4 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -10,7 +10,7 @@ template: src: memcached.conf.j2 dest: /etc/memcached.conf - mode: 0644 + mode: '0644' notify: restart memcached - name: Set the max open file descriptors diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index e0176a8ffb..3bf25d435e 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -19,14 +19,14 @@ file: path: "{{ nginx_path }}/{{ item }}" state: directory - mode: 0755 + mode: '0755' with_items: - sites-available - sites-enabled - name: Create SSL directory file: - mode: 0700 + mode: '0700' path: "{{ nginx_path }}/ssl" state: directory @@ -43,14 +43,14 @@ copy: src: templates/h5bp dest: "{{ nginx_path }}" - mode: 0755 + mode: '0755' notify: reload nginx - name: Create nginx.conf template: src: "{{ nginx_conf }}" dest: "{{ nginx_path }}/nginx.conf" - mode: 0644 + mode: '0644' notify: reload nginx tags: nginx-includes diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 3feda4fd23..832ee00974 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -49,11 +49,11 @@ template: src: php-fpm.ini.j2 dest: /etc/php/7.4/fpm/php.ini - mode: 0644 + mode: '0644' notify: reload php-fpm - name: Copy PHP CLI configuration file template: src: php-cli.ini.j2 dest: /etc/php/7.4/cli/php.ini - mode: 0644 + mode: '0644' diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index 44dad91849..6ceb07dc30 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml @@ -30,4 +30,4 @@ file: path: "{{ current_release_readlink_result.stdout }}/DEPLOY_UNFINISHED" state: touch - mode: 0644 + mode: '0644' diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index acabc23938..152b4f7fd3 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml 
@@ -11,7 +11,7 @@ template: src: "{{ sshd_config }}" dest: /etc/ssh/sshd_config - mode: 0600 + mode: '0600' validate: '/usr/sbin/sshd -T -f %s' notify: restart ssh @@ -19,7 +19,7 @@ template: src: "{{ ssh_config }}" dest: /etc/ssh/ssh_config - mode: 0644 + mode: '0644' - name: Remove Diffie-Hellman moduli of size < 2000 lineinfile: diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 6b98dc228b..c0e78ba3ec 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -9,10 +9,10 @@ template: src: ssmtp.conf.j2 dest: /etc/ssmtp/ssmtp.conf - mode: 0644 + mode: '0644' - name: ssmtp revaliases configuration template: src: revaliases.j2 dest: /etc/ssmtp/revaliases - mode: 0644 + mode: '0644' diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index f4eda4025c..acfcd74838 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -43,7 +43,7 @@ template: src: sudoers.d.j2 dest: "/etc/sudoers.d/{{ web_user }}-services" - mode: 0440 + mode: '0440' owner: root group: root validate: "/usr/sbin/visudo -cf %s" diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 7070de7392..680951a57e 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml @@ -4,7 +4,7 @@ path: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory with_dict: "{{ wordpress_sites }}" @@ -13,7 +13,7 @@ path: "{{ www_root }}/{{ item.key }}/shared" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory with_dict: "{{ wordpress_sites }}" @@ -22,7 +22,7 @@ path: "{{ www_root }}/{{ item.key }}" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory recurse: yes with_dict: "{{ wordpress_sites }}" 
diff --git a/roles/wordpress-install/tasks/dotenv.yml b/roles/wordpress-install/tasks/dotenv.yml index 84b2e3f721..5397096992 100644 --- a/roles/wordpress-install/tasks/dotenv.yml +++ b/roles/wordpress-install/tasks/dotenv.yml @@ -3,7 +3,7 @@ template: src: "env.j2" dest: "/tmp/{{ item.key }}.env" - mode: 0644 + mode: '0644' owner: "{{ web_user }}" group: "{{ web_group }}" with_dict: "{{ wordpress_sites }}" diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 53951327c5..69851a902d 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -11,7 +11,7 @@ path: "{{ www_root }}" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory - name: Create logs folder of sites @@ -19,7 +19,7 @@ path: "{{ www_root }}/{{ item.key }}/logs" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: 0755 + mode: '0755' state: directory with_dict: "{{ wordpress_sites }}" @@ -27,7 +27,7 @@ template: src: php-fpm.conf.j2 dest: /etc/php/7.4/fpm/pool.d/wordpress.conf - mode: 0644 + mode: '0644' notify: reload php-fpm - name: Disable default PHP-FPM pool diff --git a/roles/wordpress-setup/tasks/nginx-client-cert.yml b/roles/wordpress-setup/tasks/nginx-client-cert.yml index 49d810eee5..69f7026a22 100644 --- a/roles/wordpress-setup/tasks/nginx-client-cert.yml +++ b/roles/wordpress-setup/tasks/nginx-client-cert.yml @@ -3,6 +3,6 @@ get_url: url: "{{ item.value.ssl.client_cert_url }}" dest: "{{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt" - mode: 0640 + mode: '0640' with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.client_cert_url is defined diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 03885a8a59..a18e2e1851 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
@@ -13,7 +13,7 @@ file: path: "{{ nginx_path }}/includes.d/{{ item }}" state: directory - mode: 0755 + mode: '0755' with_items: "{{ nginx_includes_templates.files | map(attribute='path') | map('regex_replace', nginx_includes_pattern, '\\2') | map('dirname') | unique | list | sort @@ -24,7 +24,7 @@ template: src: "{{ item }}" dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}" - mode: 0644 + mode: '0644' with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" notify: reload nginx diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index c5e29930c7..ebeb80c49b 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -3,7 +3,7 @@ copy: src: "{{ item.value.ssl.cert }}" dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.cert | basename }}" - mode: 0640 + mode: '0640' with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.cert is defined notify: reload nginx @@ -12,7 +12,7 @@ copy: src: "{{ item.value.ssl.key }}" dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.key | basename }}" - mode: 0600 + mode: '0600' with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.key is defined notify: reload nginx @@ -23,7 +23,7 @@ template: src: "{{ item.src }}" dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" - mode: 0644 + mode: '0644' with_items: "{{ nginx_sites_confs }}" when: item.enabled | default(true) notify: reload nginx 
@@ -53,14 +53,14 @@ template: src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2" dest: "{{ nginx_path }}/acme-challenge-location.conf" - mode: 0644 + mode: '0644' notify: reload nginx - name: Create WordPress configuration for Nginx template: src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}" dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf" - mode: 0644 + mode: '0644' with_dict: "{{ wordpress_sites }}" notify: reload nginx tags: nginx-includes diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index a1601f9361..1147125d93 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -3,13 +3,13 @@ file: path: "{{ nginx_ssl_path }}/self-signed-openssl-configs/" state: directory - mode: 0755 + mode: '0755' - name: Template openssl configs template: src: self-signed-openssl-config.j2 dest: "{{ nginx_ssl_path }}/self-signed-openssl-configs/{{ item.key }}.cnf" - mode: 0644 + mode: '0644' with_dict: "{{ wordpress_sites | combine(ssl_default_site) }}" when: - sites_use_ssl | bool diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index b0b6aef406..21494865dc 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -19,7 +19,7 @@ copy: src: "{{ wp_cli_pgp_public_key }}" dest: /tmp/wp-cli.pgp.gpg - mode: 0744 + mode: '0744' - name: Verify WP-CLI Phar Signature command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 5b19db0ef4..50d7396e86 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml 
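Review bot: The keyring copied to `/tmp/wp-cli.pgp.gpg` in the wp-cli/tasks/main.yml hunk keeps mode `'0744'`, which sets the owner execute bit on a file that gpg2 only reads. `mode: '0644'` is enough for the `--keyring` use in the following task. Placing the keyring in a private directory rather than `/tmp` would also avoid relying on a fixed name in a world-writable location for the file the signature check trusts. The task's name line is above the hunk.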
@@ -9,7 +9,7 @@ template: src: xdebug.ini.j2 dest: /etc/php/7.4/mods-available/xdebug.ini - mode: 0644 + mode: '0644' notify: reload php-fpm - name: Ensure 20-xdebug.ini is present From cb83384c14aee8a5bd2bb4d7d2e137a7a5df261d Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 12 Feb 2021 15:41:37 +0000 Subject: [PATCH 284/416] Add ` wp_post_revisions: true` to `wordpress_env_defaults` Complementing https://github.com/roots/bedrock/pull/572/ --- roles/deploy/vars/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml index c01bfc82c6..1a7612f9bb 100644 --- a/roles/deploy/vars/main.yml +++ b/roles/deploy/vars/main.yml @@ -10,5 +10,6 @@ wordpress_env_defaults: git_sha: "{{ git_clone.after }}" release_version: "{{ deploy_helper.new_release }}" wp_debug_log: "{{ project_root }}/logs/debug.log" + wp_post_revisions: true site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), project.env | default({}), vault_wordpress_sites[site].env) }}" From 4a5332e299ce6ed4803d6b8a49d31832b7e456eb Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 12 Feb 2021 17:44:01 -0500 Subject: [PATCH 285/416] v1.8.0 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5f19b86f3..7ebd0d975f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ -### HEAD +### 1.8.0: February 12th, 2021 +* Set permissions on all file related tasks ([#1270](https://github.com/roots/trellis/pull/1270)) * Use Python 3 for `ansible_local` Vagrant provisioner ([#1269](https://github.com/roots/trellis/pull/1269)) * Bump `vagrant_ansible_version` to `2.9.10` ([#1268](https://github.com/roots/trellis/pull/1268)) * Migrate to Xdebug 3 ([#1260](https://github.com/roots/trellis/pull/1260)) From 72d244497e5054bdee0785b3ab3926ec16686df7 Mon Sep 17 00:00:00 2001 
From: Ben Word Date: Mon, 15 Feb 2021 12:07:31 -0700 Subject: [PATCH 286/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4528a8f904..6921a16ca2 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot C21 Redwood Realty +Kinsta Carrot C21 Redwood Realty WordPress.com ## Community From 9ea779c65845689bb834849911f96ae6aafedc39 Mon Sep 17 00:00:00 2001 From: Lukas Besch Date: Tue, 16 Feb 2021 21:11:44 +0100 Subject: [PATCH 287/416] Update required Ubuntu version in README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6921a16ca2..4a8a965874 100644 --- a/README.md +++ b/README.md @@ -152,7 +152,7 @@ $ trellis up ## Remote server setup (staging/production) -A base Ubuntu 18.04 (Bionic) server is required for setting up remote servers. +A base Ubuntu 18.04 (Bionic) or Ubuntu 20.04 (Focal LTS) server is required for setting up remote servers. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/docs/trellis/master/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` From 64601d51641df093003e5cf319e405ea3b9128f6 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 10 Mar 2021 06:06:04 +0000 Subject: [PATCH 288/416] CircleCI: Remove `ansible-lint` --- .ansible-lint | 6 ------ .circleci/config.yml | 22 ---------------------- roles/deploy/tasks/update.yml | 2 +- 3 files changed, 1 insertion(+), 29 deletions(-) delete mode 100644 .ansible-lint diff --git a/.ansible-lint b/.ansible-lint deleted file mode 100644 index 959984bdc8..0000000000 --- a/.ansible-lint +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -warn_list: [] - -skip_list: - - 106 # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - - 204 # Lines should be no longer than 160 chars diff --git a/.circleci/config.yml b/.circleci/config.yml index c1efe12621..9e78a3993b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -98,22 +98,6 @@ jobs: - install-galaxy-roles - check-playbook-syntax - lint: - parameters: - python-version: - type: string - executor: - name: python/default - tag: <> - steps: - - run: python --version - - checkout - - install-pip-package: - package: ansible-lint - python-version: <> - - run: ansible-lint --version - - run: ansible-lint deploy.yml dev.yml server.yml rollback.yml xdebug-tunnel.yml - workflows: syntax-check: jobs: @@ -128,9 +112,3 @@ workflows: matrix: parameters: python-version: ["3.7.8", "2.7"] - - lint: - jobs: - - lint: - name: lint-python-3.7 - python-version: "3.7.8" diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index ad3780a7d1..fb8831e24f 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -41,7 +41,7 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding when: git_clone is failed -- name: Remove untracked files from project folder # noqa 303 +- name: Remove untracked files from project folder command: git clean -fdx args: chdir: "{{ project_source_path }}" From 654518c94e3f33bd9cd587ff0317cbb71d2112b6 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 15 Mar 2021 16:31:36 -0600 Subject: [PATCH 289/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4a8a965874..28da5ceb59 100644 --- a/README.md +++ b/README.md 
@@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta Carrot C21 Redwood Realty WordPress.com +Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com ## Community From 5f398b2e27f1838b2eb4998a961c43db81c7aa57 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 2 Apr 2021 18:04:48 -0400 Subject: [PATCH 290/416] Improve handling of PHP versions Refactors how PHP and its extensions are installed per version. Previously all version references were hardcoded and updating to a new version (ie from `7.4` to `8.0`) meant replacing a bunch of version numbers across lots of files which made it difficult to use a different version than Trellis' default. Now to switch to another PHP version that Trellis supports, only the `php_version` variable needs to be changed. And to support a new version, only a single version specific vars file needs to be created (example: `roles/php/vars/8.0.yml`). --- group_vars/all/main.yml | 3 +- group_vars/all/users.yml | 2 +- roles/common/handlers/main.yml | 2 +- roles/common/tasks/main.yml | 12 +++++++ roles/deploy/hooks/finalize-after.yml | 2 +- roles/memcached/defaults/main.yml | 3 +- roles/php/defaults/main.yml | 14 --------- roles/php/tasks/main.yml | 45 ++++++++++----------------- roles/php/vars/7.4.yml | 16 ++++++++++ roles/php/vars/8.0.yml | 16 ++++++++++ roles/wordpress-setup/tasks/main.yml | 6 ++-- roles/xdebug/defaults/main.yml | 2 -- roles/xdebug/tasks/main.yml | 8 ++--- xdebug-tunnel.yml | 2 +- 14 files changed, 75 insertions(+), 58 deletions(-) create mode 100644 roles/php/vars/7.4.yml create mode 100644 roles/php/vars/8.0.yml diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index e6c5b416f6..b53f26c92e 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
@@ -1,8 +1,9 @@ -composer_keep_updated: true apt_cache_valid_time: 3600 apt_package_state: present apt_security_package_state: latest apt_dev_package_state: latest +composer_keep_updated: true +php_version: "7.4" ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index b61f4342cc..c19aafa286 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -19,4 +19,4 @@ users: web_user: web web_group: www-data web_sudoers: - - "/usr/sbin/service php7.4-fpm *" + - "/usr/sbin/service php{{ php_version }}-fpm *" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index a42884d2d3..8035cb64b4 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -9,7 +9,7 @@ - name: reload php-fpm service: - name: php7.4-fpm + name: php{{ php_version }}-fpm state: reloaded - import_tasks: reload_nginx.yml diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 971ca45ead..34271b37b6 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -34,6 +34,18 @@ when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count tags: [letsencrypt, wordpress] +- name: Import PHP version specific vars + include_vars: "{{ lookup('first_found', params) }}" + vars: + params: + files: + - '{{ php_version }}.yml' + - '7.4.yml' + paths: + - "{{ playbook_dir }}/roles/php/vars/" + + tags: [php, memcached] + - name: Verify dict format for apt package component variables fail: msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 751c27e0f3..1d20d3b456 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
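Review bot: The `first_found` lookup in the roles/common/tasks/main.yml hunk falls back to `7.4.yml` when `{{ php_version }}.yml` does not exist, so an unsupported or mistyped `php_version` silently loads the 7.4 package list. The sudoers entry in the users.yml hunk, the handler in common/handlers and the `/etc/php/{{ php_version }}/…` paths elsewhere in this patch would still use the other value. Dropping the `- '7.4.yml'` entry from `files` makes the include fail at this task instead of later in a half-configured state, assuming the fallback is not relied on elsewhere. The blank line before `tags: [php, memcached]` can go as well.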
@@ -34,6 +34,6 @@ when: wp_installed.rc == 0 - name: Reload php-fpm - shell: sudo service php7.4-fpm reload + shell: sudo service php{{ php_version }}-fpm reload args: warn: false diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml index 3fc0f0d733..0e9ba87761 100644 --- a/roles/memcached/defaults/main.yml +++ b/roles/memcached/defaults/main.yml @@ -8,7 +8,6 @@ memcached_port_udp: 0 memcached_packages_default: memcached: "{{ apt_package_state }}" - php7.4-memcached: "{{ apt_package_state }}" memcached_packages_custom: {} -memcached_packages: "{{ memcached_packages_default | combine(memcached_packages_custom) }}" +memcached_packages: "{{ memcached_packages_default | combine(php_memcached_packages, memcached_packages_custom) }}" diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 879d8ec3c0..8f68a7dc27 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -1,20 +1,6 @@ disable_default_pool: true memcached_sessions: false -php_extensions_default: - php7.4-cli: "{{ apt_package_state }}" - php7.4-common: "{{ apt_package_state }}" - php7.4-curl: "{{ apt_package_state }}" - php7.4-dev: "{{ apt_package_state }}" - php7.4-fpm: "{{ apt_package_state }}" - php7.4-gd: "{{ apt_package_state }}" - php7.4-mbstring: "{{ apt_package_state }}" - php7.4-mysql: "{{ apt_package_state }}" - php7.4-opcache: "{{ apt_package_state }}" - php7.4-xml: "{{ apt_package_state }}" - php7.4-xmlrpc: "{{ apt_package_state }}" - php7.4-zip: "{{ apt_package_state }}" - php_extensions_custom: {} php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 832ee00974..d67879fbda 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
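Review bot: `shell: sudo service php{{ php_version }}-fpm reload` in the finalize-after.yml hunk now passes a templated value through a shell, although the line uses no shell features. `command: sudo service php{{ php_version }}-fpm reload` runs the same thing without shell interpretation of the variable. The `args: warn: false` block can stay as it is.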
@@ -1,59 +1,48 @@ --- -- name: Add PHP 7.4 PPA +- name: Add PHP PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.4 +- name: Install PHP and extensions apt: name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" -- name: Start php7.4-fpm service +- name: Start php fpm service service: - name: php7.4-fpm + name: "php{{ php_version }}-fpm" state: started enabled: true -- name: Check for existing php7.3-fpm service - stat: - path: /etc/init.d/php7.3-fpm - register: php73_status +- name: Find existing php fpm services + find: + paths: /etc/init.d + patterns: "^php((?!{{ php_version }})(\\d\\.\\d))-fpm$" + use_regex: true + register: old_php_fpm_services -- name: Stop php7.3-fpm service if it exists +- name: Stop old php-fpm services service: - name: php7.3-fpm + name: "{{ item.path | basename }}" state: stopped enabled: false - register: service_stopped - when: php73_status.stat.exists - notify: reload php-fpm - -- name: Check for existing php7.2-fpm service - stat: - path: /etc/init.d/php7.2-fpm - register: php72_status - -- name: Stop php7.2-fpm service if it exists - service: - name: php7.2-fpm - state: stopped - enabled: false - register: service_stopped - when: php72_status.stat.exists + loop: "{{ old_php_fpm_services.files }}" + loop_control: + label: "{{ item.path | basename }}" notify: reload php-fpm - name: Copy PHP-FPM configuration file template: src: php-fpm.ini.j2 - dest: /etc/php/7.4/fpm/php.ini + dest: /etc/php/{{ php_version }}/fpm/php.ini mode: '0644' notify: reload php-fpm - name: Copy PHP CLI configuration file template: src: php-cli.ini.j2 - dest: /etc/php/7.4/cli/php.ini + dest: /etc/php/{{ php_version }}/cli/php.ini mode: '0644' diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml new file mode 100644 index 0000000000..8f6a9eb8a7 --- /dev/null +++ b/roles/php/vars/7.4.yml 
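Review bot: The `patterns` value of "Find existing php fpm services" inserts `php_version` into a regular expression unescaped, so the `.` in `7.4` acts as a wildcard inside the lookahead. `patterns: "^php((?!{{ php_version | regex_escape }})(\\d\\.\\d))-fpm$"` keeps the match literal. The following task then stops and disables every other `phpX.Y-fpm` script found in `/etc/init.d`, including a version an operator installed on purpose. A comment above it such as `# Stops and disables all PHP-FPM versions other than php_version` would make that visible.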
@@ -0,0 +1,16 @@ +php_extensions_default: + php7.4-cli: "{{ apt_package_state }}" + php7.4-curl: "{{ apt_package_state }}" + php7.4-dev: "{{ apt_package_state }}" + php7.4-fpm: "{{ apt_package_state }}" + php7.4-gd: "{{ apt_package_state }}" + php7.4-mbstring: "{{ apt_package_state }}" + php7.4-mysql: "{{ apt_package_state }}" + php7.4-xml: "{{ apt_package_state }}" + php7.4-xmlrpc: "{{ apt_package_state }}" + php7.4-zip: "{{ apt_package_state }}" + +php_memcached_packages: + php7.4-memcached: "{{ apt_package_state }}" + +php_xdebug_package: php7.4-xdebug diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml new file mode 100644 index 0000000000..a1781ec34e --- /dev/null +++ b/roles/php/vars/8.0.yml @@ -0,0 +1,16 @@ +php_extensions_default: + php8.0-cli: "{{ apt_package_state }}" + php8.0-curl: "{{ apt_package_state }}" + php8.0-dev: "{{ apt_package_state }}" + php8.0-fpm: "{{ apt_package_state }}" + php8.0-gd: "{{ apt_package_state }}" + php8.0-mbstring: "{{ apt_package_state }}" + php8.0-mysql: "{{ apt_package_state }}" + php8.0-xml: "{{ apt_package_state }}" + php8.0-xmlrpc: "{{ apt_package_state }}" + php8.0-zip: "{{ apt_package_state }}" + +php_memcached_packages: + php8.0-memcached: "{{ apt_package_state }}" + +php_xdebug_package: php8.0-xdebug diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 69851a902d..ac1fd8a735 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml 
@@ -26,14 +26,14 @@ - name: Create WordPress php-fpm configuration file template: src: php-fpm.conf.j2 - dest: /etc/php/7.4/fpm/pool.d/wordpress.conf + dest: /etc/php/{{ php_version }}/fpm/pool.d/wordpress.conf mode: '0644' notify: reload php-fpm - name: Disable default PHP-FPM pool - command: mv /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.disabled + command: mv /etc/php/{{ php_version }}/fpm/pool.d/www.conf /etc/php/{{ php_version }}/fpm/pool.d/www.disabled args: - creates: /etc/php/7.4/fpm/pool.d/www.disabled + creates: /etc/php/{{ php_version }}/fpm/pool.d/www.disabled when: disable_default_pool | default(true) notify: reload php-fpm diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index a0574668c4..ff80d8fba9 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,5 +1,3 @@ -php_xdebug_package: php7.4-xdebug - # XDebug Generic xdebug_output_dir: /tmp xdebug_trigger_value: diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 50d7396e86..2b52f58420 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -8,18 +8,18 @@ - name: Template the Xdebug configuration file template: src: xdebug.ini.j2 - dest: /etc/php/7.4/mods-available/xdebug.ini + dest: /etc/php/{{ php_version }}/mods-available/xdebug.ini mode: '0644' notify: reload php-fpm - name: Ensure 20-xdebug.ini is present file: - src: /etc/php/7.4/mods-available/xdebug.ini - dest: /etc/php/7.4/fpm/conf.d/20-xdebug.ini + src: /etc/php/{{ php_version }}/mods-available/xdebug.ini + dest: /etc/php/{{ php_version }}/fpm/conf.d/20-xdebug.ini state: link notify: reload php-fpm - name: Disable Xdebug CLI file: - path: /etc/php/7.4/cli/conf.d/20-xdebug.ini + path: /etc/php/{{ php_version }}/cli/conf.d/20-xdebug.ini state: absent diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index d85a1c59cb..014c1f0d41 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml 
@@ -15,5 +15,5 @@ handlers: - name: reload php-fpm service: - name: php7.4-fpm + name: php{{ php_version }}-fpm state: reloaded From 6697b0639ed42ac0379034a3fe0c0bd19d425a67 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 7 Apr 2021 21:17:58 -0400 Subject: [PATCH 291/416] Update CHANGELOG for #1284 --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7ebd0d975f..4dd6dcca0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284)) + ### 1.8.0: February 12th, 2021 * Set permissions on all file related tasks ([#1270](https://github.com/roots/trellis/pull/1270)) * Use Python 3 for `ansible_local` Vagrant provisioner ([#1269](https://github.com/roots/trellis/pull/1269)) From 17430191bb7211545eb63ba3ba989ee95c262c5f Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 8 Apr 2021 14:54:48 -0600 Subject: [PATCH 292/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 28da5ceb59..4752d55de7 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com +Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com Motto ## Community From 74edb049bd7fb59792994ce87dcf88315fb28319 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 19 May 2021 18:40:31 -0600 Subject: [PATCH 293/416] Update `wp_cli_version` to 2.5.0 --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index f13bd98c4a..6abe35ebe1 100644 --- a/roles/wp-cli/defaults/main.yml 
+++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.4.0 +wp_cli_version: 2.5.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From 99719079a2fd9ac9d8e2f1e27302e37f252f34fd Mon Sep 17 00:00:00 2001 From: Joshua Fredrickson Date: Thu, 20 May 2021 08:56:45 -0500 Subject: [PATCH 294/416] Add php-intl extension Per the WordPress Hosting Team recommendation: https://make.wordpress.org/hosting/2021/05/20/why-hosters-should-install-the-php-intl-extension/ --- roles/php/vars/7.4.yml | 1 + roles/php/vars/8.0.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml index 8f6a9eb8a7..74e1d64c22 100644 --- a/roles/php/vars/7.4.yml +++ b/roles/php/vars/7.4.yml @@ -4,6 +4,7 @@ php_extensions_default: php7.4-dev: "{{ apt_package_state }}" php7.4-fpm: "{{ apt_package_state }}" php7.4-gd: "{{ apt_package_state }}" + php7.4-intl: "{{ apt_package_state }}" php7.4-mbstring: "{{ apt_package_state }}" php7.4-mysql: "{{ apt_package_state }}" php7.4-xml: "{{ apt_package_state }}" diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml index a1781ec34e..54b793f4d1 100644 --- a/roles/php/vars/8.0.yml +++ b/roles/php/vars/8.0.yml @@ -4,6 +4,7 @@ php_extensions_default: php8.0-dev: "{{ apt_package_state }}" php8.0-fpm: "{{ apt_package_state }}" php8.0-gd: "{{ apt_package_state }}" + php8.0-intl: "{{ apt_package_state }}" php8.0-mbstring: "{{ apt_package_state }}" php8.0-mysql: "{{ apt_package_state }}" php8.0-xml: "{{ apt_package_state }}" From e5cd61e1ffaecd081c19257ee71c43cb5350e682 Mon Sep 17 00:00:00 2001 
From: Joshua Fredrickson Date: Thu, 20 May 2021 19:11:00 -0500 Subject: [PATCH 295/416] Replace GD with ImageMagick; Add bc_math extension and ghostscript --- roles/common/defaults/main.yml | 3 +++ roles/php/vars/7.4.yml | 2 +- roles/php/vars/8.0.yml | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 1dcdd38d15..40bfd96589 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -24,7 +24,10 @@ _apt_packages_default: build-essential: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" + ghostscript: "{{ apt_package_state }}" git: "{{ apt_package_state }}" + imagemagick: "{{ apt_package_state }}" + libgs-dev: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" python: "{{ apt_package_state }}" unzip: "{{ apt_package_state }}" diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml index 74e1d64c22..6fb725e79f 100644 --- a/roles/php/vars/7.4.yml +++ b/roles/php/vars/7.4.yml @@ -3,7 +3,7 @@ php_extensions_default: php7.4-curl: "{{ apt_package_state }}" php7.4-dev: "{{ apt_package_state }}" php7.4-fpm: "{{ apt_package_state }}" - php7.4-gd: "{{ apt_package_state }}" + php7.4-imagick: "{{ apt_package_state }}" php7.4-intl: "{{ apt_package_state }}" php7.4-mbstring: "{{ apt_package_state }}" php7.4-mysql: "{{ apt_package_state }}" diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml index 54b793f4d1..6ab784b6e2 100644 --- a/roles/php/vars/8.0.yml +++ b/roles/php/vars/8.0.yml @@ -3,7 +3,7 @@ php_extensions_default: php8.0-curl: "{{ apt_package_state }}" php8.0-dev: "{{ apt_package_state }}" php8.0-fpm: "{{ apt_package_state }}" - php8.0-gd: "{{ apt_package_state }}" + php8.0-imagick: "{{ apt_package_state }}" php8.0-intl: "{{ apt_package_state }}" php8.0-mbstring: "{{ apt_package_state }}" php8.0-mysql: "{{ apt_package_state }}" 
From d924947d79900511a1abac4fe3b963789cd222c8 Mon Sep 17 00:00:00 2001 From: Joshua Fredrickson Date: Thu, 20 May 2021 19:11:27 -0500 Subject: [PATCH 296/416] Enable PDF thumbnail generation --- roles/php/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index d67879fbda..370e7d5aeb 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -46,3 +46,11 @@ src: php-cli.ini.j2 dest: /etc/php/{{ php_version }}/cli/php.ini mode: '0644' + +- name: Change ImageMagick policy.xml to allow for PDFs + replace: + path: /etc/ImageMagick-6/policy.xml + regexp: '' + replace: '' + backup: no + notify: reload php-fpm From 87ef14a1e4bbd35dbc8d20a089e1bc2da70651f9 Mon Sep 17 00:00:00 2001 From: Dale Grant Date: Fri, 28 May 2021 12:55:51 +1000 Subject: [PATCH 297/416] Correct logrotate error using reload over rotate --- group_vars/all/logrotate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/logrotate.yml b/group_vars/all/logrotate.yml index c6d24962c6..ba1ba124fa 100644 --- a/group_vars/all/logrotate.yml +++ b/group_vars/all/logrotate.yml @@ -17,4 +17,4 @@ logrotate_scripts: if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ run-parts /etc/logrotate.d/httpd-prerotate; \ fi \ - postrotate: service nginx rotate + postrotate: service nginx reload >/dev/null 2>&1 From a54cb8746f54b04ca22ce657602f09605f4b66b5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 27 May 2021 22:58:11 -0400 Subject: [PATCH 298/416] Changelog entry for #1292 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dd6dcca0d..250976f4fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
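Review bot: The new "Change ImageMagick policy.xml to allow for PDFs" task relaxes the distribution's ImageMagick policy unconditionally on every host that runs the php role. Ubuntu's package disables the PDF coder in that file as a mitigation for Ghostscript vulnerabilities, and WordPress hands uploaded files to Imagick. The task should therefore be opt-in, e.g. `when: imagemagick_allow_pdf | default(false)` (a suggested new variable), and limited to read rights if thumbnails are the only goal. The `regexp` and `replace` values show as empty strings on this page, presumably lost markup, so the rights actually granted cannot be checked here. The hard-coded `/etc/ImageMagick-6/policy.xml` also makes the task fail where the package installs a different version directory.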
@@ -1,4 +1,5 @@ ### HEAD +* Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292)) * Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284)) ### 1.8.0: February 12th, 2021 From 2811e3cb42fa0ea95e9748609ea4266723c7120c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 27 May 2021 23:36:45 -0400 Subject: [PATCH 299/416] CHANGELOG entry for #1293 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 250976f4fb..bacd90c3ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293)) * Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292)) * Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284)) From 8a777d4331587afa89a5b79444487db4a1c29990 Mon Sep 17 00:00:00 2001 From: strarsis Date: Tue, 1 Jun 2021 15:34:08 +0200 Subject: [PATCH 300/416] Remove PHP version from messages. --- dev.yml | 2 +- server.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev.yml b/dev.yml index f6658d9f58..4b86ffc748 100644 --- a/dev.yml +++ b/dev.yml @@ -6,7 +6,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: "WordPress Server: Install LEMP Stack with PHP 7.4 and MariaDB MySQL" +- name: "WordPress Server: Install LEMP Stack with PHP and MariaDB MySQL" hosts: web:&development become: yes remote_user: vagrant diff --git a/server.yml b/server.yml index cb6db5ca53..cdc43e206a 100644 --- a/server.yml +++ b/server.yml 
@@ -16,7 +16,7 @@ roles: - { role: python_interpreter, tags: [always] } -- name: WordPress Server - Install LEMP Stack with PHP 7.4 and MariaDB MySQL +- name: WordPress Server - Install LEMP Stack with PHP and MariaDB MySQL hosts: web:&{{ env }} become: yes roles: From 4932e5b8165546cf516e065d40a6d4e51195d7f8 Mon Sep 17 00:00:00 2001 From: Daniel Robinson Date: Wed, 2 Jun 2021 09:15:11 -0400 Subject: [PATCH 301/416] overridden ansible_ssh_extra_args should always take precedence --- roles/connection/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 00b89ba68a..d3b13bafcc 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -12,7 +12,7 @@ register: preferred_host_key_algorithms when: - dynamic_host_key_algorithms | default(true) - - not (not ansible_ssh_extra_args) + - not ansible_ssh_extra_args - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} From b317844535446ffecfc679aebba7f1d9ad6178c9 Mon Sep 17 00:00:00 2001 From: Joshua Fredrickson Date: Sat, 5 Jun 2021 17:06:48 -0500 Subject: [PATCH 302/416] Add php-bcmath extension This commit was missing from #1292. It adds the PHP bc_math extension. --- roles/php/vars/7.4.yml | 1 + roles/php/vars/8.0.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml index 6fb725e79f..61ab906904 100644 --- a/roles/php/vars/7.4.yml +++ b/roles/php/vars/7.4.yml @@ -1,4 +1,5 @@ php_extensions_default: + php7.4-bcmath: "{{ apt_package_state }}" php7.4-cli: "{{ apt_package_state }}" php7.4-curl: "{{ apt_package_state }}" php7.4-dev: "{{ apt_package_state }}" diff --git a/roles/php/vars/8.0.yml b/roles/php/vars/8.0.yml index 6ab784b6e2..02eb376120 100644 --- a/roles/php/vars/8.0.yml +++ b/roles/php/vars/8.0.yml 
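Review bot: The `when` list in the roles/connection/tasks/main.yml hunk gives no reason for skipping the host-key-algorithm lookup when `ansible_ssh_extra_args` is set, and the change from `not (not ansible_ssh_extra_args)` to `not ansible_ssh_extra_args` is easy to misread as a typo fix. A comment above the list, e.g. `# Skip when the user supplies ansible_ssh_extra_args; their options take precedence`, would keep the next reader from flipping it back. If the variable can be undefined at this point (its definition is not in the hunk), `- not (ansible_ssh_extra_args | default(''))` avoids an undefined-variable error. The task starts above the hunk.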
@@ -1,4 +1,5 @@ php_extensions_default: + php8.0-bcmath: "{{ apt_package_state }}" php8.0-cli: "{{ apt_package_state }}" php8.0-curl: "{{ apt_package_state }}" php8.0-dev: "{{ apt_package_state }}" From b603902f5360c1c4d1d756ee0c322a8a647cb9fa Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 14 Jul 2021 01:47:35 +0100 Subject: [PATCH 303/416] GitHub: Add issue forms --- .github/ISSUE_TEMPLATE/bug_report.yml | 108 +++++++++++++++++++++ .github/ISSUE_TEMPLATE/config.yml | 4 + .github/ISSUE_TEMPLATE/feature_request.yml | 54 +++++++++++ 3 files changed, 166 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml create mode 100644 .github/ISSUE_TEMPLATE/config.yml create mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000000..164f6940eb --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -0,0 +1,108 @@ +name: Bug Report +description: Report a problem with Trellis. Please provide enough information that we can reproduce the problem. +title: "Bug: " +labels: [bug] + +body: + - type: markdown + attributes: + value: | + This form is for reporting Trellis technical issues. + If want to ask a question is looking for support, [Roots Discourse](https://discourse.roots.io/) is the best place for getting support. + + - type: checkboxes + id: terms + attributes: + options: + - label: I have read the [guidelines for Contributing to Roots Projects](https://github.com/roots/.github/blob/master/CONTRIBUTING.md) + required: true + - label: This request is not a duplicate of an existing issue + required: true + - label: I have read the [Trellis docs](https://roots.io/docs/trellis/) and followed them (if applicable) + required: true + - label: I have seached the [Roots Discourse](https://discourse.roots.io/) for answers and followed them (if applicable) + required: true + - label: This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/) community + required: true + + - type: textarea + id: description + attributes: + label: Description + value: | + #### What's wrong? + + #### What have you tried? + + #### What insights have you gained? + + #### Possible solutions? + + #### Temporary workaround? + validations: + required: true + + - type: textarea + id: steps-to-reproduce + attributes: + label: Steps To Reproduce + description: | + Non-reproducible issues may be immediately closed as not actionable. + Please provide reproduction steps as details as possible. + value: | + 1. + 1. + 1. + validations: + required: true + + - type: textarea + id: expected-behavior + attributes: + label: Expected Behavior + placeholder: What you expect to happen? + validations: + required: true + + - type: textarea + id: actual-behavior + attributes: + label: Actual Behavior + placeholder: What actually happens? 
+ validations: + required: true + + - type: textarea + id: logs + attributes: + label: Relevant log output + description: Please copy and paste any relevant log output. + render: shell + + - type: input + id: trellis-version + attributes: + label: Trellis Version + description: You can get this information from referencing `CHANGELOG.md`. If you know, please provide the [roots/trellis](https://github.com/roots/trellis) Git commit SHA. + validations: + required: true + + - type: textarea + id: ansible-version + attributes: + label: Ansible Version + description: You can get this information by running `$ ansible --version`. Please include the whole console output. + render: shell + validations: + required: true + + - type: input + id: trellis-cli-version + attributes: + label: Trellis CLI Version + description: If you are using [Trellis CLI](https://github.com/roots/trellis-cli), please provide the version (for stable versions; `$ trellis --version`) or the Git commit SHA (for canary builds). + + - type: markdown + attributes: + value: | + Thanks for taking the time to fill out this bug report! diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 0000000000..089dbe29f9 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,4 @@ +contact_links: + - name: Roots Discourse + url: https://discourse.roots.io + about: Is this a personal support request? Find help on our support forum. diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000000..52c6e3c8f2 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml 
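Review bot: In `bug_report.yml`, the `logs` and `ansible-version` textareas ask reporters to paste console output into a public issue, and neither `description:` tells them to remove secrets first. Ansible output can include hostnames, usernames and variable values, so the `logs` field could read `description: Please copy and paste any relevant log output. Remove passwords, keys, tokens and private hostnames before submitting.` The checkbox label `I have seached the [Roots Discourse]` also has a typo (`searched`).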
@@ -0,0 +1,54 @@ +name: Feature Request +description: Suggest an idea for Trellis. +title: "Feature Request: " +labels: [feature, enhancement] + +body: + - type: markdown + attributes: + value: | + This form is for suggesting an idea for Trellis. + If want to ask a question is looking for support, [Roots Discourse](https://discourse.roots.io/) is the best place for getting support. + + - type: checkboxes + id: terms + attributes: + options: + - label: I have read the [guidelines for Contributing to Roots Projects](https://github.com/roots/.github/blob/master/CONTRIBUTING.md) + required: true + - label: This request is not a duplicate of an existing issue + required: true + - label: This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/) community + required: true + + - type: textarea + id: summary + attributes: + label: Summary + description: One paragraph explanation of the feature. + validations: + required: true + + - type: textarea + id: motivation + attributes: + label: Motivation + value: | + #### Why are we doing this? + + #### What use cases does it support? + + #### What is the expected outcome? + validations: + required: true + + - type: textarea + id: additional-context + attributes: + label: Additional context + description: Add any other context or screenshots about the feature request here. + + - type: markdown + attributes: + value: | + Thanks for taking the time to fill out this feature request form! From 55f9193b5c13e14b417e4befb8976eb7a8aee6d7 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 13 Jul 2021 19:19:42 -0600 Subject: [PATCH 304/416] Update bug_report.yml --- .github/ISSUE_TEMPLATE/bug_report.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 164f6940eb..f786e1bee6 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -1,5 +1,5 @@ name: Bug Report -description: Report a problem with Trellis. Please provide enough information that we can reproduce the problem. +description: Report a problem with Trellis. Please provide enough information so that we can reproduce the problem. title: "Bug: " labels: [bug] @@ -8,7 +8,7 @@ body: attributes: value: | This form is for reporting Trellis technical issues. - If want to ask a question is looking for support, [Roots Discourse](https://discourse.roots.io/) is the best place for getting support. + If you have a question or you're looking for support, please visit [Roots Discourse](https://discourse.roots.io/). - type: checkboxes id: terms @@ -60,7 +60,7 @@ body: id: expected-behavior attributes: label: Expected Behavior - placeholder: What you expect to happen? + placeholder: What did you expect to happen? validations: required: true From 62eded89a9d719047d19020c8810da5ece1963b7 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 14 Jul 2021 06:06:43 +0100 Subject: [PATCH 305/416] Titilize form labels --- .github/ISSUE_TEMPLATE/bug_report.yml | 2 +- .github/ISSUE_TEMPLATE/feature_request.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index f786e1bee6..39d63ef6eb 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -75,7 +75,7 @@ body: - type: textarea id: logs attributes: - label: Relevant log output + label: Relevant Log Output description: Please copy and paste any relevant log output. render: shell diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml index 52c6e3c8f2..07458fbbf7 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ b/.github/ISSUE_TEMPLATE/feature_request.yml 
@@ -45,7 +45,7 @@ body: - type: textarea id: additional-context attributes: - label: Additional context + label: Additional Context description: Add any other context or screenshots about the feature request here. - type: markdown From f6fd617ab07cc5c9ba2245cccc796e79f6844c68 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Wed, 14 Jul 2021 06:13:04 +0100 Subject: [PATCH 306/416] Update default value wordings --- .github/ISSUE_TEMPLATE/bug_report.yml | 4 ++-- .github/ISSUE_TEMPLATE/feature_request.yml | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 39d63ef6eb..08c14e4055 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -36,9 +36,9 @@ body: #### What insights have you gained? - #### Possible solutions? + #### Possible solutions - #### Temporary workaround? + #### Temporary workarounds validations: required: true diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml index 07458fbbf7..9fbbcbc8a0 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -39,6 +39,8 @@ body: #### What use cases does it support? #### What is the expected outcome? + + #### Potential conflicts / foreseeable issues validations: required: true From c9988f9b7486950f17726f44bd84341fc261b9dd Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Tue, 1 Jun 2021 22:55:36 -0400 Subject: [PATCH 307/416] Improve handling of WP-CLI failed verification Fixes #1295 Sometimes gpg signature verification for WP-CLI could fail due to network reasons (the downloaded phar or asc files were corrupt). In those cases the playbook will be a "stuck" state unless the files are manually deleted from the server. This improves error handling by deleting both the phar and asc files which will allow Ansible to re-download them next time. --- CHANGELOG.md | 1 + roles/wp-cli/tasks/main.yml | 19 ++++++++++++++++--- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bacd90c3ee..ace92cae62 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1285 - Improve handling of WP-CLI failed verification ([#1295](https://github.com/roots/trellis/pull/1295)) * Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293)) * Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292)) * Improve handling of PHP versions and support PHP 8.0 (default is still 7.4) ([#1284](https://github.com/roots/trellis/pull/1284)) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 21494865dc..dab02c6ea8 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
@@ -21,9 +21,22 @@ dest: /tmp/wp-cli.pgp.gpg mode: '0744' -- name: Verify WP-CLI Phar Signature - command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar - changed_when: false +- name: Verify WP-CLI + block: + - name: Check GPG signature + command: gpg2 --lock-never --no-default-keyring --keyring /tmp/wp-cli.pgp.gpg --verify /tmp/wp-cli-{{ wp_cli_version }}.phar.asc /tmp/wp-cli-{{ wp_cli_version }}.phar + changed_when: false + rescue: + - name: Delete invalid WP-CLI Phar file + file: + path: "{{ item }}" + state: absent + with_items: + - "/tmp/wp-cli-{{ wp_cli_version }}.phar" + - "/tmp/wp-cli-{{ wp_cli_version }}.phar.asc" + - name: Fail verification + fail: + msg: "WP-CLI Phar signature could not be verified. Please try again." - name: Install WP-CLI command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }} From 04428ba015a0ef06a4cd6c2a671f99273f0cef91 Mon Sep 17 00:00:00 2001 From: TangRufus Date: Sat, 6 Mar 2021 21:22:50 +0000 Subject: [PATCH 308/416] Allow customizing PHP CLI `memory_limit` Close #1277 --- roles/php/defaults/main.yml | 1 + roles/php/templates/php-cli.ini.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 8f68a7dc27..9f4baf5e39 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -11,6 +11,7 @@ php_max_execution_time: 120 php_max_input_time: 300 php_max_input_vars: 1000 php_memory_limit: 96M +php_cli_memory_limit: "{{ php_memory_limit }}" php_mysqlnd_collect_memory_statistics: 'Off' php_post_max_size: 25M php_sendmail_path: /usr/sbin/ssmtp -t diff --git a/roles/php/templates/php-cli.ini.j2 b/roles/php/templates/php-cli.ini.j2 index 389f042f57..44360aa80d 100644 --- a/roles/php/templates/php-cli.ini.j2 +++ b/roles/php/templates/php-cli.ini.j2 
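Review bot: In `roles/wp-cli/tasks/main.yml`, the `rescue` deletes the phar and its `.asc` but leaves the keyring `/tmp/wp-cli.pgp.gpg`, so a truncated keyring would keep `Check GPG signature` failing on every rerun, which is the stuck state this block is meant to clear. If the keyring task (only partly visible above the hunk) does not rewrite an existing file, adding `- /tmp/wp-cli.pgp.gpg` to `with_items` covers that case. The task name `Delete invalid WP-CLI Phar file` understates what it removes; `Delete unverified WP-CLI Phar and signature` would match. The verified phar is later read back from a fixed name in world-writable `/tmp` by the `Install WP-CLI` task, so staging these files in a root-owned directory would keep the file that was verified and the file that is installed the same.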
@@ -5,6 +5,7 @@ error_reporting = {{ php_error_reporting }} sendmail_path = {{ php_sendmail_path }} expose_php = Off date.timezone = {{ php_timezone }} +memory_limit = {{ php_cli_memory_limit }} [mysqlnd] mysqlnd.collect_memory_statistics = {{ php_mysqlnd_collect_memory_statistics }} From 8cfbbefbadd21adcf277149683394233ee1b8b46 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 14 Jul 2021 11:02:08 -0400 Subject: [PATCH 309/416] Default PHP CLI memory limit to -1 --- CHANGELOG.md | 1 + roles/php/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ace92cae62..76b989aa54 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1277 - Disable PHP CLI memory limit ([#1278](https://github.com/roots/trellis/pull/1278)) * Fix #1285 - Improve handling of WP-CLI failed verification ([#1295](https://github.com/roots/trellis/pull/1295)) * Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293)) * Replace php-gd with php-imagick ([#1292](https://github.com/roots/trellis/pull/1292)) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 9f4baf5e39..f157c97b98 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -11,7 +11,7 @@ php_max_execution_time: 120 php_max_input_time: 300 php_max_input_vars: 1000 php_memory_limit: 96M -php_cli_memory_limit: "{{ php_memory_limit }}" +php_cli_memory_limit: -1 php_mysqlnd_collect_memory_statistics: 'Off' php_post_max_size: 25M php_sendmail_path: /usr/sbin/ssmtp -t From 7240ba6471dbd335b810b5eb1e389d1a1fb58737 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Debuchy?= Date: Thu, 12 Aug 2021 16:56:56 -0300 Subject: [PATCH 310/416] Replace dist folder with public --- deploy-hooks/build-before.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index a42b124490..6fef7df48f 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -1,7 +1,7 @@ # Placeholder `deploy_build_before` hook for building theme assets on the # host machine and then copying the files to the remote server # -# ⚠️ This example assumes your theme is using Sage 9 +# ⚠️ This example assumes your theme is using Sage 10 # An example for themes built with Sage 8 can be found at: https://git.io/vdgUt # # Uncomment the lines below and replace `sage` with your theme folder @@ -26,7 +26,7 @@ # # - name: Copy production assets # synchronize: -# src: "{{ project_local_path }}/web/app/themes/sage/dist" +# src: "{{ project_local_path }}/web/app/themes/sage/public" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # group: no # owner: no From 669033603d9409bf92ede335cf41c5e02216dbf5 Mon Sep 17 00:00:00 2001 From: SteelWagstaff Date: Sat, 21 Aug 2021 09:22:18 -0700 Subject: [PATCH 311/416] Update Trellis configurations --- galaxy.yml | 8 +++---- group_vars/all/main.yml | 4 +--- roles/php/defaults/main.yml | 24 +++++++++---------- roles/php/tasks/main.yml | 48 +++++++++++++++++++++++++------------ 4 files changed, 50 insertions(+), 34 deletions(-) diff --git a/galaxy.yml b/galaxy.yml index 387e4b4a12..0652c20b1e 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,10 +1,10 @@ - name: composer src: geerlingguy.composer - version: 1.7.6 + version: 1.9.0 - name: ntp src: geerlingguy.ntp - version: 1.6.4 + version: 2.3.0 - name: logrotate src: nickhammond.logrotate @@ -16,11 +16,11 @@ - name: mailhog src: geerlingguy.mailhog - version: 2.1.4 + version: 2.2.0 - name: princexml src: pressbooks.princexml version: 12.5.0 - src: geerlingguy.redis - version: 1.6.0 + version: 1.7.0 diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 6c26f24cf2..e8db692ea3 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
@@ -1,8 +1,6 @@ composer_keep_updated: true -composer_version: "1.10.20" composer_version_branch: '' -composer_global_packages: - - { name: hirak/prestissimo } +php_version: "7.4" apt_cache_valid_time: 3600 apt_package_state: present apt_security_package_state: latest diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index f59a03b044..169df595ce 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -2,18 +2,18 @@ disable_default_pool: true memcached_sessions: false php_extensions_default: - php7.3-cli: "{{ apt_package_state }}" - php7.3-common: "{{ apt_package_state }}" - php7.3-curl: "{{ apt_package_state }}" - php7.3-dev: "{{ apt_package_state }}" - php7.3-fpm: "{{ apt_package_state }}" - php7.3-gd: "{{ apt_package_state }}" - php7.3-mbstring: "{{ apt_package_state }}" - php7.3-mysql: "{{ apt_package_state }}" - php7.3-opcache: "{{ apt_package_state }}" - php7.3-xml: "{{ apt_package_state }}" - php7.3-xmlrpc: "{{ apt_package_state }}" - php7.3-zip: "{{ apt_package_state }}" + php7.4-cli: "{{ apt_package_state }}" + php7.4-common: "{{ apt_package_state }}" + php7.4-curl: "{{ apt_package_state }}" + php7.4-dev: "{{ apt_package_state }}" + php7.4-fpm: "{{ apt_package_state }}" + php7.4-gd: "{{ apt_package_state }}" + php7.4-mbstring: "{{ apt_package_state }}" + php7.4-mysql: "{{ apt_package_state }}" + php7.4-opcache: "{{ apt_package_state }}" + php7.4-xml: "{{ apt_package_state }}" + php7.4-xmlrpc: "{{ apt_package_state }}" + php7.4-zip: "{{ apt_package_state }}" php_extensions_custom: {} php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index ceaf843c05..370e7d5aeb 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
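Review bot: In `group_vars/all/main.yml`, removing `composer_version: "1.10.20"` while `composer_keep_updated: true` stays leaves Composer without a version pin, so each provision presumably installs or self-updates to whatever release is current at that moment (this depends on the `geerlingguy.composer` role, whose tasks are not shown here). For a tool that runs on every deploy, an explicit and reviewed pin keeps builds reproducible; consider keeping one, e.g. `composer_version: "PINNED_VERSION"` (placeholder), and bumping it deliberately. A comment above `php_version: "7.4"` such as `# used for the php-fpm service name and /etc/php/<version>/ paths in roles/php/tasks/main.yml` would also help, since the same commit makes that value drive both.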
@@ -1,38 +1,56 @@ --- -- name: Add PHP 7.3 PPA +- name: Add PHP PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.3 +- name: Install PHP and extensions apt: name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" -- name: Start php7.3-fpm service +- name: Start php fpm service service: - name: php7.3-fpm + name: "php{{ php_version }}-fpm" state: started enabled: true -- name: Check for existing php7.2-fpm service - stat: - path: /etc/init.d/php7.2-fpm - register: php72_status +- name: Find existing php fpm services + find: + paths: /etc/init.d + patterns: "^php((?!{{ php_version }})(\\d\\.\\d))-fpm$" + use_regex: true + register: old_php_fpm_services -- name: Stop php7.2-fpm service if it exists +- name: Stop old php-fpm services service: - name: php7.2-fpm + name: "{{ item.path | basename }}" state: stopped enabled: false - register: service_stopped - when: php72_status.stat.exists + loop: "{{ old_php_fpm_services.files }}" + loop_control: + label: "{{ item.path | basename }}" notify: reload php-fpm -- name: PHP configuration file +- name: Copy PHP-FPM configuration file template: - src: php.ini.j2 - dest: /etc/php/7.3/fpm/php.ini + src: php-fpm.ini.j2 + dest: /etc/php/{{ php_version }}/fpm/php.ini + mode: '0644' + notify: reload php-fpm + +- name: Copy PHP CLI configuration file + template: + src: php-cli.ini.j2 + dest: /etc/php/{{ php_version }}/cli/php.ini + mode: '0644' + +- name: Change ImageMagick policy.xml to allow for PDFs + replace: + path: /etc/ImageMagick-6/policy.xml + regexp: '' + replace: '' + backup: no notify: reload php-fpm From 77e81feb72ea38dfe5a6868708700569cb222927 Mon Sep 17 00:00:00 2001 From: SteelWagstaff Date: Mon, 30 Aug 2021 15:39:13 -0700 Subject: [PATCH 312/416] Restore Princexml and Redis roles --- galaxy.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/galaxy.yml b/galaxy.yml index 5004ac69b6..a8c25e5403 100644 
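Review bot: In `roles/php/tasks/main.yml`, the new task `Change ImageMagick policy.xml to allow for PDFs` loosens a system-wide ImageMagick restriction on every host this role runs on, with `backup: no` and no condition. Distributions ship that PDF restriction as a mitigation for issues in the Ghostscript delegate, so on a server that accepts uploads it is safer to make the change opt-in, e.g. `when: imagemagick_allow_pdf | default(false)` (the variable name is a suggestion, not an existing one), and to set `backup: yes` so the original policy is kept. The `regexp` and `replace` values appear empty in this view; if that is how they are in the file, the task needs the actual policy line restored. In `Find existing php fpm services`, `{{ php_version }}` is interpolated into the regex unescaped, so applying `regex_escape` to it would stop `.` from matching any character.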
--- a/galaxy.yml +++ b/galaxy.yml @@ -17,3 +17,10 @@ - name: mailhog src: geerlingguy.mailhog version: 2.2.0 + +- name: princexml + src: pressbooks.princexml + version: 12.5.0 + +- src: geerlingguy.redis + version: 1.7.0 From f89ae25b32d037bc14168da2ec47b7f874f0f018 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 7 Oct 2021 17:17:42 -0500 Subject: [PATCH 313/416] Update sponsors [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4752d55de7..c434e75f3c 100644 --- a/README.md +++ b/README.md @@ -233,7 +233,7 @@ Contributions are welcome from everyone. We have [contributing guidelines](https Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com Motto +Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com Pantheon ## Community From bf43f27ccd02142e6daa00fbb38a8931369fcea8 Mon Sep 17 00:00:00 2001 From: Christopher Murtagh Date: Thu, 14 Oct 2021 13:53:09 -0400 Subject: [PATCH 314/416] Removing princexml from galaxy.yml and making it a role in Trellis --- galaxy.yml | 4 - roles/princexml/.travis.yml | 30 ++++ roles/princexml/README.md | 48 ++++++ roles/princexml/defaults/main.yml | 5 + roles/princexml/meta/.galaxy_install_info | 2 + roles/princexml/meta/main.yml | 176 ++++++++++++++++++++++ roles/princexml/tasks/main.yml | 35 +++++ roles/princexml/tests/inventory | 1 + roles/princexml/tests/test.yml | 5 + 9 files changed, 302 insertions(+), 4 deletions(-) create mode 100644 roles/princexml/.travis.yml create mode 100644 roles/princexml/README.md create mode 100644 roles/princexml/defaults/main.yml create mode 100644 roles/princexml/meta/.galaxy_install_info create mode 100644 roles/princexml/meta/main.yml create mode 100644 roles/princexml/tasks/main.yml create mode 100644 roles/princexml/tests/inventory create mode 100644 roles/princexml/tests/test.yml 
diff --git a/galaxy.yml b/galaxy.yml index a8c25e5403..41193246a0 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -18,9 +18,5 @@ src: geerlingguy.mailhog version: 2.2.0 -- name: princexml - src: pressbooks.princexml - version: 12.5.0 - - src: geerlingguy.redis version: 1.7.0 diff --git a/roles/princexml/.travis.yml b/roles/princexml/.travis.yml new file mode 100644 index 0000000000..24e14eb011 --- /dev/null +++ b/roles/princexml/.travis.yml @@ -0,0 +1,30 @@ +--- +dist: xenial +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/princexml/README.md b/roles/princexml/README.md new file mode 100644 index 0000000000..ed45eab366 --- /dev/null +++ b/roles/princexml/README.md 
@@ -0,0 +1,48 @@ +PrinceXML +========= + +[![Build Status](https://img.shields.io/travis/pressbooks/ansible-role-princexml.svg?style=flat-square)](https://travis-ci.org/pressbooks/ansible-role-princexml) [![GitHub release](https://img.shields.io/github/release/pressbooks/ansible-role-princexml.svg?style=flat-square)](https://github.com/pressbooks/ansible-role-princexml/releases/latest) + +Installs [PrinceXML](https://princexml.com) on Ubuntu 16.04 or 18.04. + +Requirements +------------ + +Optionally, a PrinceXML `license.dat` file. + +Role Variables +-------------- + +Available variables are listed below, along with default values (see defaults/main.yml): + + # PrinceXML package URI for Ubuntu 16.04 Xenial. Defaults to latest stable 64-bit. + prince_package_uri_ubuntu_xenial: https://www.princexml.com/download/prince_12.5-1_ubuntu16.04_amd64.deb + + # PrinceXML package URI for Ubuntu 18.04 Bionic. Defaults to latest stable 64-bit. + prince_package_uri_ubuntu_bionic: https://www.princexml.com/download/prince_12.5-1_ubuntu18.04_amd64.deb + + # The local path to your PrinceXML `license.dat` file (optional). + prince_license: "" + + +Dependencies +------------ + +None. + +Example Playbook +---------------- + + - hosts: servers + roles: + - pressbooks.princexml + +License +------- + +MIT + +Author Information +------------------ + +This role was created in 2016 by [Ned Zimmerman](https://github.com/greatislander) for [Pressbooks](https://pressbooks.org). diff --git a/roles/princexml/defaults/main.yml b/roles/princexml/defaults/main.yml new file mode 100644 index 0000000000..b32becf192 --- /dev/null +++ b/roles/princexml/defaults/main.yml 
@@ -0,0 +1,5 @@ +--- +prince_package_uri_ubuntu_xenial: https://www.princexml.com/download/prince_12.5-1_ubuntu16.04_amd64.deb +prince_package_uri_ubuntu_bionic: https://www.princexml.com/download/prince_12.5-1_ubuntu18.04_amd64.deb +prince_package_uri_ubuntu_focal: https://www.princexml.com/download/prince_14.2-1_ubuntu20.04_amd64.deb +prince_license: "" diff --git a/roles/princexml/meta/.galaxy_install_info b/roles/princexml/meta/.galaxy_install_info new file mode 100644 index 0000000000..fbada44785 --- /dev/null +++ b/roles/princexml/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Wed Oct 13 20:58:21 2021 +version: 12.5.0 diff --git a/roles/princexml/meta/main.yml b/roles/princexml/meta/main.yml new file mode 100644 index 0000000000..8ba54e17b8 --- /dev/null +++ b/roles/princexml/meta/main.yml 
@@ -0,0 +1,176 @@ +galaxy_info: + author: greatislander + description: Installs PrinceXML. + company: Pressbooks (Book Oven Inc.) + license: MIT + min_ansible_version: 2.5 + platforms: + #- name: OpenBSD + # versions: + # - all + # - 5.6 + # - 5.7 + # - 5.8 + # - 5.9 + # - 6.0 + #- name: Fedora + # versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + # - 23 + # - 24 + #- name: DellOS + # versions: + # - all + # - 10 + # - 6 + # - 9 + #- name: MacOSX + # versions: + # - all + # - 10.10 + # - 10.11 + # - 10.12 + # - 10.7 + # - 10.8 + # - 10.9 + #- name: Junos + # versions: + # - all + # - any + #- name: GenericBSD + # versions: + # - all + # - any + #- name: Void Linux + # versions: + # - all + # - any + #- name: GenericLinux + # versions: + # - all + # - any + #- name: NXOS + # versions: + # - all + # - any + #- name: IOS + # versions: + # - all + # - any + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + # - 2016.03 + #- name: ArchLinux + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 10.0 + # - 10.1 + # - 10.2 + # - 10.3 + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + # - 9.3 + - name: Ubuntu + versions: + # - all + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + # - trusty + # - utopic + # - vivid + # - wily + - xenial + - bionic + #- name: Debian + # versions: + # - all + # - etch + # - jessie + # - lenny + # - sid + # - squeeze + # - stretch + # - wheezy + #- name: EL + # versions: + # - all + # - 5 + # - 6 + # - 7 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + # - 11SP4 + # - 12 + # - 12SP1 + #- name: 
GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: eos + # versions: + # - all + # - Any + galaxy_tags: + - eprdctn + - publishing + - authoring + - xhtml + - pdf diff --git a/roles/princexml/tasks/main.yml b/roles/princexml/tasks/main.yml new file mode 100644 index 0000000000..c77983df8e --- /dev/null +++ b/roles/princexml/tasks/main.yml @@ -0,0 +1,35 @@ +--- +- name: 'Check for supported environment' + fail: msg="PrinceXML can only be installed on Ubuntu Xenial, Bionic or Focal." + when: (ansible_distribution|string != 'Ubuntu') or + (ansible_distribution_release|string != 'xenial' and ansible_distribution_release|string != 'bionic' and ansible_distribution_release|string != 'focal') + +- name: Determine PrinceXML version + set_fact: + prince_package_uri: "prince_package_uri_ubuntu_{{ ansible_distribution_release|string }}" + +- name: Install PrinceXML + apt: + deb: "{{ lookup('vars', prince_package_uri) }}" + +- name: Upload PrinceXML license + copy: + src: "{{ prince_license }}" + dest: /usr/lib/prince/license/license.dat.new + owner: root + group: root + mode: "u=rw,g=r,o=r" + when: prince_license != "" + +- name: Check for existing PrinceXML license + stat: path=/usr/lib/prince/license/license.dat + register: existing_license + when: prince_license != "" + +- name: Backup old PrinceXML license + command: mv /usr/lib/prince/license/license.dat /usr/lib/prince/license/license.dat.{{ lookup('pipe', 'date +%Y%m%d') }}.old + when: prince_license != "" and existing_license.stat.exists + +- name: Install new PrinceXML license + command: mv /usr/lib/prince/license/license.dat.new /usr/lib/prince/license/license.dat + when: prince_license != "" diff --git a/roles/princexml/tests/inventory b/roles/princexml/tests/inventory new file mode 100644 index 0000000000..d18580b3c3 --- /dev/null +++ b/roles/princexml/tests/inventory 
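Review bot: In `roles/princexml/tasks/main.yml`, `Install PrinceXML` passes a download URL straight to `apt: deb:`, so a package fetched over the network is installed with package-manager privileges and no checksum or signature check, unlike the WP-CLI role, which verifies a GPG signature before installing. Downloading with `get_url` and a pinned `checksum` first, then installing the local file, closes that gap; the digests would sit next to the `prince_package_uri_ubuntu_*` values in `defaults/main.yml`. The license tasks use `command: mv` without `creates` or `changed_when`, so they report a change on every run when `prince_license` is set.

```yaml
# prince_package_sha256 and the dest path are suggestions, not existing names;
# the digest must be recorded per release next to the package URIs.
- name: Download PrinceXML package
  get_url:
    url: "{{ lookup('vars', prince_package_uri) }}"
    dest: /usr/local/src/prince.deb
    checksum: "sha256:{{ prince_package_sha256 }}"
    mode: '0644'

- name: Install PrinceXML
  apt:
    deb: /usr/local/src/prince.deb
# … unchanged: license upload, backup and install tasks …
```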
@@ -0,0 +1 @@ +localhost \ No newline at end of file diff --git a/roles/princexml/tests/test.yml b/roles/princexml/tests/test.yml new file mode 100644 index 0000000000..ae87d45c38 --- /dev/null +++ b/roles/princexml/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - ansible-role-princexml From deccded48fef311966a31b4789e842a580d95743 Mon Sep 17 00:00:00 2001 From: Christopher Murtagh Date: Thu, 14 Oct 2021 13:53:48 -0400 Subject: [PATCH 315/416] Adding php7.4-gd as a package requirement --- roles/php/vars/7.4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/php/vars/7.4.yml b/roles/php/vars/7.4.yml index 61ab906904..562b7468c2 100644 --- a/roles/php/vars/7.4.yml +++ b/roles/php/vars/7.4.yml @@ -3,6 +3,7 @@ php_extensions_default: php7.4-cli: "{{ apt_package_state }}" php7.4-curl: "{{ apt_package_state }}" php7.4-dev: "{{ apt_package_state }}" + php7.4-gd: "{{ apt_package_state }}" php7.4-fpm: "{{ apt_package_state }}" php7.4-imagick: "{{ apt_package_state }}" php7.4-intl: "{{ apt_package_state }}" From 7192ebdb342482c36f50dae03aed38fc88920f18 Mon Sep 17 00:00:00 2001 From: Christopher Murtagh Date: Thu, 14 Oct 2021 13:54:22 -0400 Subject: [PATCH 316/416] Fixing syntax error for redis state change check --- roles/redis/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/redis/tasks/main.yml b/roles/redis/tasks/main.yml index 8c039c0c64..4e7bc44c3c 100644 --- a/roles/redis/tasks/main.yml +++ b/roles/redis/tasks/main.yml @@ -22,7 +22,7 @@ - name: Load Disable THP service into systemd command: "/bin/systemctl daemon-reload" - when: disable_thp_service_added | changed + when: disable_thp_service_added.changed - name: Enable and start Disable THP service service: From 45bebef0029c3537ffc378216efb7003d719b7a1 Mon Sep 17 00:00:00 2001 
From: Christopher Murtagh Date: Thu, 14 Oct 2021 13:55:33 -0400 Subject: [PATCH 317/416] hh package has been renamed to hstr in bash-for-pressbooks-dev --- roles/bash-for-pressbooks-dev/tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/bash-for-pressbooks-dev/tasks/main.yml b/roles/bash-for-pressbooks-dev/tasks/main.yml index 27f4cc9a98..54a6db7a82 100644 --- a/roles/bash-for-pressbooks-dev/tasks/main.yml +++ b/roles/bash-for-pressbooks-dev/tasks/main.yml @@ -1,10 +1,10 @@ -- name: Add hh PPA +- name: Add hstr PPA apt_repository: repo: "ppa:ultradvorka/ppa" update_cache: yes -- name: Install hh +- name: Install hstr apt: - name: hh + name: hstr state: present - name: Checkout git aware prompt become_user: vagrant @@ -19,4 +19,4 @@ dest: ~/.bash_aliases vars: pathToLogs: "{{ www_root }}/{{ item.key }}/logs" - pathToCurrent: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}" \ No newline at end of file + pathToCurrent: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}" From 7eb41bd9562fa89bc028439b118925912cae722e Mon Sep 17 00:00:00 2001 From: Christopher Murtagh Date: Thu, 14 Oct 2021 13:56:11 -0400 Subject: [PATCH 318/416] Removing syntax error for package_vars_wrong_format --- roles/common/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 97fea6fd06..1af22b0c4e 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -73,7 +73,7 @@ memcached_packages: "{{ memcached_packages }}" php_extensions: "{{ php_extensions }}" sshd_packages: "{{ sshd_packages }}" - package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + package_vars_wrong_format: "[{% for k,v in package_vars.items() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" tags: [sshd, memcached, php] - name: Validate Ubuntu version From 9dd19697820ecd215fdbad435f4cb06a6931bde0 Mon Sep 17 00:00:00 2001 From: Christopher Murtagh Date: Thu, 14 Oct 2021 13:56:39 -0400 Subject: [PATCH 319/416] Adding --yes to wp login install because it was hanging on a prompt --- roles/local-development/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/local-development/tasks/main.yml b/roles/local-development/tasks/main.yml index c4275bd270..7495220d06 100644 --- a/roles/local-development/tasks/main.yml +++ b/roles/local-development/tasks/main.yml @@ -77,7 +77,7 @@ login_password: "{{ mysql_root_password }}" with_dict: "{{ wordpress_sites }}" - name: Install WP-CLI login helper - command: wp login install --activate + command: wp login install --activate --yes args: chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" with_dict: "{{ wordpress_sites }}" From 0b8e481f72404704179019f71b296062db3125fd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 26 Oct 2021 23:44:07 -0400 Subject: [PATCH 320/416] Add default for composer_authentications --- roles/deploy/hooks/build-after.yml | 2 +- roles/wordpress-install/tasks/composer-authentications.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index 8e7daf91dc..4c088f6452 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml 
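Review bot: The `Install WP-CLI login helper` task in roles/local-development/tasks/main.yml still has no `creates:` or `changed_when:`, so with `--yes` it now re-runs unattended and reports a change for every site on every provision. An idempotence guard would keep reruns quiet, for example a `creates:` pointing at the installed helper (its path is not visible here). The helper appears to exist to issue passwordless login links, so it is also worth confirming that this role is only ever applied to development hosts; the hunk shows no `when:` restricting it. The task may continue below the hunk.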
@@ -20,7 +20,7 @@ - composer_authentication.hostname is defined and composer_authentication.hostname != "" - composer_authentication.username is defined and composer_authentication.username != "" - composer_authentication.password is defined and composer_authentication.password != "" - loop: "{{ composer_authentications }}" + loop: "{{ composer_authentications | default([]) }}" loop_control: loop_var: composer_authentication label: "{{ composer_authentication.hostname }}" diff --git a/roles/wordpress-install/tasks/composer-authentications.yml b/roles/wordpress-install/tasks/composer-authentications.yml index 8d8445fa86..2b2e8649e2 100644 --- a/roles/wordpress-install/tasks/composer-authentications.yml +++ b/roles/wordpress-install/tasks/composer-authentications.yml @@ -10,7 +10,7 @@ - not (not composer_authentication.hostname) - not (not composer_authentication.username) - not (not composer_authentication.password) - loop: "{{ composer_authentications }}" + loop: "{{ composer_authentications | default([]) }}" loop_control: loop_var: composer_authentication label: "{{ composer_authentication.hostname }}" From 49b85e228682757d1842d4a669018ace9f2d6f00 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 26 Oct 2021 23:59:15 -0400 Subject: [PATCH 321/416] Remove explicit permission for site directory Fixes #1311 The `mode` option was set in https://github.com/roots/trellis/pull/1270 for linting purposes. However, this can result in the permissions changing on local site files causing them to appear as changed in Git. Since this directory is guaranteed to exist, we don't need to set `mode`. The purpose of this task is just to set the owner + group recursively. --- roles/wordpress-install/tasks/directories.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 680951a57e..0a6956fad7 100644 --- a/roles/wordpress-install/tasks/directories.yml 
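Review bot: The same guard is written two different ways in the two files this commit touches: `is defined and != ""` in roles/deploy/hooks/build-after.yml and `not (not composer_authentication.password)` in roles/wordpress-install/tasks/composer-authentications.yml. The second form presumably fails rather than skips when an entry lacks one of the keys, so using the `is defined and != ""` form in both would keep the two tasks behaving alike. Each loop item carries a password and `label:` only shortens the per-item display, so please confirm that both tasks set `no_log: true`. Both tasks start above their hunks, so that line is not visible here.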
+++ b/roles/wordpress-install/tasks/directories.yml @@ -22,7 +22,6 @@ path: "{{ www_root }}/{{ item.key }}" owner: "{{ web_user }}" group: "{{ web_group }}" - mode: '0755' state: directory recurse: yes with_dict: "{{ wordpress_sites }}" From 97980efc12540e1c2ef0c483c464993ad1ac164e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 27 Oct 2021 20:23:06 -0400 Subject: [PATCH 322/416] Fix display output in logs Background: https://github.com/roots/trellis/pull/1235#issuecomment-729621213 Ansible bases the log level based on colour (yeah, it's dumb) when logging is enabled. `bright gray` was a valid log level mapping. Instead of trying to pick some other colur supported in both contexts, we can just set `screen_only` to skip these messages which are meant for STDOUT anyway. --- lib/trellis/utils/output.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 8beef101bc..ca4eb22728 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -102,17 +102,17 @@ def display(obj, result): hr = '-' * int(wrap_width*.67) if obj.task_failed and first: - display(system(obj.vagrant_version), 'bright gray') - display(hr, 'bright gray') + display(system(obj.vagrant_version), 'bright gray', screen_only=True) + display(hr, 'bright gray', screen_only=True) if msg == '': if obj.task_failed and not first: - display(hr, 'bright gray') + display(hr, 'bright gray', screen_only=True) else: return else: if not first: - display(hr, 'bright gray') + display(hr, 'bright gray', screen_only=True) display(msg, 'red' if obj.task_failed else 'bright purple') def display_host(obj, result): From 65a9710632802d7b543278b635d21e98cd3286bc Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 27 Oct 2021 22:10:11 -0400 Subject: [PATCH 323/416] Bump version_tested_max to 2.10.7 --- lib/trellis/plugins/vars/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 3511c78774..cee62944f7 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -15,7 +15,7 @@ display = Display() version_requirement = '2.8.0' -version_tested_max = '2.9.10' +version_tested_max = '2.10.7' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): From cc03544717c37832dbe685dcc45db951850b261c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 27 Oct 2021 22:19:33 -0400 Subject: [PATCH 324/416] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 76b989aa54..e24dc45eb0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,8 @@ ### HEAD +* Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317)) +* Fix display color output in logs ([#1316](https://github.com/roots/trellis/pull/1316)) +* Define `composer_authentications` default ([#1315](https://github.com/roots/trellis/pull/1315)) +* Fix #1311 - Remove explicit permission for site directory ([#1314](https://github.com/roots/trellis/pull/1314)) * Fix #1277 - Disable PHP CLI memory limit ([#1278](https://github.com/roots/trellis/pull/1278)) * Fix #1285 - Improve handling of WP-CLI failed verification ([#1295](https://github.com/roots/trellis/pull/1295)) * Fix #1284 - Update logrotate postrotate Nginx command ([#1293](https://github.com/roots/trellis/pull/1293)) From 0baee93b6bfcd06e775e82c9a68042b68458f490 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 27 Oct 2021 22:20:27 -0400 Subject: [PATCH 325/416] v1.9.0 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e24dc45eb0..d7405045ba 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,4 @@ -### HEAD +### 1.9.0: October 27th, 2021 * Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317)) * Fix display color output in logs ([#1316](https://github.com/roots/trellis/pull/1316)) * Define `composer_authentications` default ([#1315](https://github.com/roots/trellis/pull/1315)) From 32b1b6fcec8cb9fe14c6ec43cc1fccd3851fac2f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 30 Oct 2021 15:55:45 -0400 Subject: [PATCH 326/416] Remove explicit arch deb options Apt defaults to the architecture supported by `dpkg`, which defaults to the actual architecture of the OS (as it should). Removing this explicit `arc=amd64` option just means we'll get the smart default which improves support for `arm64` (Apple M1 CPUs primarily). --- roles/mariadb/defaults/main.yml | 2 +- roles/nginx/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 491dd9a6f4..8eed8ce06f 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb [arch=amd64] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 4d837762cc..69433b33fb 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml 
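Review bot: `mariadb_ppa` is rewritten here but still points apt at a plain `http://` mirror, and the context lines show the signing key being identified by a 64-bit key ID (`mariadb_keyserver_id`) and fetched from `hkp://keyserver.ubuntu.com:80`. Package signatures protect the download only as far as the key itself is trusted. Since these lines are being touched anyway, it would be worth switching the repository URL to `https://` where the mirror offers it and pinning the key by its full fingerprint. The same applies to `nginx_ppa` in roles/nginx/defaults/main.yml in this commit, and to the later hunk that moves `mariadb_ppa` to another third-party mirror. A short comment above each `*_ppa` line saying why that mirror was chosen would help the next change.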
@@ -1,7 +1,7 @@ --- nginx_keyserver: "https://nginx.org/keys/nginx_signing.key" nginx_keyserver_id: "ABF5BD827BD9BF62" -nginx_ppa: "deb [arch=amd64] http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" +nginx_ppa: "deb http://nginx.org/packages/mainline/ubuntu {{ ansible_distribution_release }} nginx" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx From 319a29fb1257ac17050ec6e67e7e98e933de421e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 10 Nov 2021 20:49:44 -0500 Subject: [PATCH 327/416] Change MariaDB mirror source Digitalocean has proven to be an unreliable mirror so let's switch to another one (from the official MariaDB site). --- roles/mariadb/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 8eed8ce06f..3eee94bcf2 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb http://mirrors.gigenet.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server From 630c41cf00addd324ac1ecd2a99511ab5a0a184c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 11 Nov 2021 08:33:26 -0500 Subject: [PATCH 328/416] 1.9.1 Changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d7405045ba..a97e4e80ed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,6 @@ +### 1.9.1: November 11th, 2021 +* Update MariaDB mirror source ([#1320](https://github.com/roots/trellis/pull/1320)) + ### 1.9.0: October 27th, 2021 * Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317)) * Fix display color output in logs ([#1316](https://github.com/roots/trellis/pull/1316)) From b8098497a39f932ea304a41fc958fc535b5e6138 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 11 Nov 2021 08:34:36 -0500 Subject: [PATCH 329/416] CHANGELOG update --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a97e4e80ed..6953abb013 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### 1.9.1: November 11th, 2021 * Update MariaDB mirror source ([#1320](https://github.com/roots/trellis/pull/1320)) +* Remove explicit arch deb options for MariaDB (improves ARM support) ([#1318](https://github.com/roots/trellis/pull/1318)) ### 1.9.0: October 27th, 2021 * Bump max tested Ansible version to `2.10.7` ([#1317](https://github.com/roots/trellis/pull/1317)) From 0e22a90aef264a48b21b6fd28fdde5f14c713ade Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 18 Nov 2021 14:02:54 -0500 Subject: [PATCH 330/416] Default to proper box for M1 macs --- Vagrantfile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 016f43c149..1d55bd42b0 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -19,7 +19,13 @@ trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) Vagrant.require_version '>= 2.1.0' Vagrant.configure('2') do |config| - config.vm.box = vconfig.fetch('vagrant_box') + vagrant_box = if Vagrant::Util::Platform.darwin? && `uname -m`.chomp == "arm64" + 'jeffnoxon/ubuntu-20.04-arm64' + else + vconfig.fetch('vagrant_box') + end + + config.vm.box = vagrant_box config.vm.box_version = vconfig.fetch('vagrant_box_version') config.ssh.forward_agent = true config.vm.post_up_message = post_up_message 
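Review bot: On Apple Silicon the new `vagrant_box` branch ignores the configured `vagrant_box` and hard-codes `'jeffnoxon/ubuntu-20.04-arm64'`, apparently a box published under an individual account, while `config.vm.box_version` still applies the `vagrant_box_version` constraint written for the default box. That leaves arm64 users with no way to choose or pin the image they boot short of editing the Vagrantfile, and the version constraint may not match the substituted box at all. Reading the arm64 box name and version from the Vagrant config (a new key, name to be decided), with the hard-coded value as a fallback, would keep the override auditable. A one-line comment above the conditional, such as `# Apple Silicon hosts need an arm64 box`, would also explain the special case.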
From fa716ac8f3b0e42693e74d6aed7b49afe29be362 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 22 Nov 2021 14:39:58 -0500 Subject: [PATCH 331/416] Update default PHP version to 8.0 --- group_vars/all/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index b53f26c92e..562864d6ee 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -3,7 +3,7 @@ apt_package_state: present apt_security_package_state: latest apt_dev_package_state: latest composer_keep_updated: true -php_version: "7.4" +php_version: "8.0" ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www From 3feabc765361e0a8919032c087cd091888c2cf74 Mon Sep 17 00:00:00 2001 From: Craig Pearson Date: Thu, 25 Nov 2021 16:34:26 +0000 Subject: [PATCH 332/416] Enable pipelining for local connections Enabling pipelining for SSH connections only means that `become` behaves differently for vagrant, than it does VMs over SSH. Moving this config to the defaults makes both vagrant and VMs behave the same in regards to become, and perhaps we will see some local speed improvements on local provisions as a result. --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index c1a2890ca7..e6467d2586 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -8,8 +8,8 @@ inventory = hosts nocows = 1 roles_path = vendor/roles vars_plugins = ~/.ansible/plugins/vars:/usr/share/ansible/plugins/vars:lib/trellis/plugins/vars +pipelining = True [ssh_connection] ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -pipelining = True retries = 1 From 35e14991819fa2a3d0c7809d2bf9dff04fe80ffd Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 26 Nov 2021 19:25:07 -0500 Subject: [PATCH 333/416] Add GitHub SSH ed25519 key to known hosts --- group_vars/all/known_hosts.yml | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/group_vars/all/known_hosts.yml b/group_vars/all/known_hosts.yml index b8af937ca5..1db951997f 100644 --- a/group_vars/all/known_hosts.yml +++ b/group_vars/all/known_hosts.yml @@ -6,6 +6,8 @@ known_hosts: - name: github.com key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + - name: github.com + key: github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl - name: bitbucket.org key: bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== - name: gitlab.com From 8f841e61e10e3325a62f857d63f28cd264e4540a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 26 Nov 2021 19:28:40 -0500 Subject: [PATCH 334/416] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6953abb013..fc2a86b9a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
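Review bot: The added `ssh-ed25519` entry for github.com is a pinned trust anchor, but nothing in the file records where the key came from or how to check it. A comment above the `known_hosts` list, such as `# Keys must match the fingerprints each provider publishes; verify before editing`, would give a reviewer something to check future changes against. In the visible context bitbucket.org still has only an `ssh-rsa` entry, so whether a pinned key is usable depends on which algorithm is negotiated with each provider. Adding the other providers' current keys in the same way would make the list consistent. The list continues past the hunk, so the gitlab.com entries are not visible here.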
@@ -1,3 +1,7 @@ +### HEAD +* Add GitHub SSH ed25519 key to known hosts ([#1324](https://github.com/roots/trellis/pull/1324)) +* Enable pipelining for local Ansible connections ([#1323](https://github.com/roots/trellis/pull/1323)) + ### 1.9.1: November 11th, 2021 * Update MariaDB mirror source ([#1320](https://github.com/roots/trellis/pull/1320)) * Remove explicit arch deb options for MariaDB (improves ARM support) ([#1318](https://github.com/roots/trellis/pull/1318)) From 97426b8ca8ea0eff7cd460f5dac231cff2aedd1b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 28 Nov 2021 13:22:13 -0500 Subject: [PATCH 335/416] v1.10.0 --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc2a86b9a1..8d50f4f622 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ -### HEAD +### 1.10.0: November 28th, 2021 +* Default to PHP 8.0 ([#1322](https://github.com/roots/trellis/pull/1322)) * Add GitHub SSH ed25519 key to known hosts ([#1324](https://github.com/roots/trellis/pull/1324)) * Enable pipelining for local Ansible connections ([#1323](https://github.com/roots/trellis/pull/1323)) From 31b7e7fe93950541f3297412c102b394ad453fe7 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sun, 28 Nov 2021 21:58:40 -0600 Subject: [PATCH 336/416] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c434e75f3c..6d0649a654 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ Trellis will configure a server with the following and more: - Ubuntu 20.04 Focal LTS - Nginx (with optional FastCGI micro-caching) -- PHP 7.4 +- PHP 8.0 - MariaDB (a drop-in MySQL replacement) - SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) - Let's Encrypt for free SSL certificates From 7afb000e57a6a96bcf999e20bffe03ec4e1dd8a8 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Tue, 30 Nov 2021 00:23:04 -0500 Subject: [PATCH 337/416] Add PHP 8.1 support --- roles/php/vars/8.1.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 roles/php/vars/8.1.yml diff --git a/roles/php/vars/8.1.yml b/roles/php/vars/8.1.yml new file mode 100644 index 0000000000..1b15ae2d4e --- /dev/null +++ b/roles/php/vars/8.1.yml @@ -0,0 +1,18 @@ +php_extensions_default: + php8.1-bcmath: "{{ apt_package_state }}" + php8.1-cli: "{{ apt_package_state }}" + php8.1-curl: "{{ apt_package_state }}" + php8.1-dev: "{{ apt_package_state }}" + php8.1-fpm: "{{ apt_package_state }}" + php8.1-imagick: "{{ apt_package_state }}" + php8.1-intl: "{{ apt_package_state }}" + php8.1-mbstring: "{{ apt_package_state }}" + php8.1-mysql: "{{ apt_package_state }}" + php8.1-xml: "{{ apt_package_state }}" + php8.1-xmlrpc: "{{ apt_package_state }}" + php8.1-zip: "{{ apt_package_state }}" + +php_memcached_packages: + php8.1-memcached: "{{ apt_package_state }}" + +php_xdebug_package: php8.1-xdebug From c054a7ab75cc6f518727e2a26f4679f0fe23cc50 Mon Sep 17 00:00:00 2001 From: Nathan Knowler Date: Thu, 2 Dec 2021 05:41:58 -0600 Subject: [PATCH 338/416] chore(github): fix typos in issue templates [skip ci] Co-authored-by: QWp6t --- .github/ISSUE_TEMPLATE/bug_report.yml | 2 +- .github/ISSUE_TEMPLATE/feature_request.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 08c14e4055..552d2b64c2 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -48,7 +48,7 @@ body: label: Steps To Reproduce description: | Non-reproducible issues may be immediately closed as not actionable. - Please provide reproduction steps as details as possible. + Please provide reproduction steps as detailed as possible. value: | 1. 1. 
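Review bot: The new roles/php/vars/8.1.yml has no `php8.1-gd` entry, although an earlier commit in this series added `php7.4-gd` to roles/php/vars/7.4.yml as a package requirement. If gd is still required, hosts moved to PHP 8.1 would lose it; adding `php8.1-gd: "{{ apt_package_state }}"` after `php8.1-fpm` keeps the version files aligned. If it was left out on purpose, a comment at the top of the file saying so would prevent it being re-added by mistake.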
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml index 9fbbcbc8a0..7842e919f4 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ b/.github/ISSUE_TEMPLATE/feature_request.yml @@ -8,7 +8,7 @@ body: attributes: value: | This form is for suggesting an idea for Trellis. - If want to ask a question is looking for support, [Roots Discourse](https://discourse.roots.io/) is the best place for getting support. + If you have a question or you're looking for support, please visit [Roots Discourse](https://discourse.roots.io/). - type: checkboxes id: terms From 577e6cc683a010d719b55df017644d7f5e8faa31 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 30 Nov 2021 00:23:44 -0500 Subject: [PATCH 339/416] Remove ssl_dhparam and Diffie-Hellman group This was needed to prevent Logjam attacks but those only applied to DHE cyphers which haven't been supported in Trellis for 2 years. --- CHANGELOG.md | 3 +++ roles/nginx/tasks/main.yml | 9 --------- roles/wordpress-setup/templates/ssl.no-default.conf.j2 | 1 - roles/wordpress-setup/templates/wordpress-site.conf.j2 | 1 - 4 files changed, 3 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8d50f4f622..070526f68c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Remove Nginx `ssl_dhparam` directive and Diffie-Hellman params group ([#1326](https://github.com/roots/trellis/pull/1326)) + ### 1.10.0: November 28th, 2021 * Default to PHP 8.0 ([#1322](https://github.com/roots/trellis/pull/1322)) * Add GitHub SSH ed25519 key to known hosts ([#1324](https://github.com/roots/trellis/pull/1324)) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 3bf25d435e..676679ce1b 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -30,15 +30,6 @@ path: "{{ nginx_path }}/ssl" state: directory -- name: Generate strong unique Diffie-Hellman group. - command: openssl dhparam -out dhparams.pem 2048 - args: - chdir: "{{ nginx_path }}/ssl" - creates: "{{ nginx_path }}/ssl/dhparams.pem" - when: sites_use_ssl | bool - notify: reload nginx - tags: [diffie-hellman, letsencrypt, wordpress, wordpress-setup, nginx-includes, nginx-sites] - - name: Copy h5bp configs copy: src: templates/h5bp diff --git a/roles/wordpress-setup/templates/ssl.no-default.conf.j2 b/roles/wordpress-setup/templates/ssl.no-default.conf.j2 index a29b113dbd..479979c710 100644 --- a/roles/wordpress-setup/templates/ssl.no-default.conf.j2 +++ b/roles/wordpress-setup/templates/ssl.no-default.conf.j2 @@ -12,7 +12,6 @@ server { listen 443 ssl default_server deferred; include h5bp/directive-only/ssl.conf; - ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_certificate {{ nginx_path }}/ssl/no_default.cert; ssl_trusted_certificate {{ nginx_path }}/ssl/no_default.cert; diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 61d06356f9..e090b2ea6a 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -75,7 +75,6 @@ server { include h5bp/directive-only/ssl-stapling.conf; {% endif -%} - ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_buffer_size 1400; # 1400 bytes to fit in one MTU {% if item.value.ssl.provider | default('manual') != 'self-signed' -%} From 8ca1f45e5df478637bbbe16315b7b635717b1548 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 3 Dec 2021 19:28:38 -0500 Subject: [PATCH 340/416] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 070526f68c..1d274348f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,6 @@ ### HEAD * Remove Nginx `ssl_dhparam` directive and Diffie-Hellman params group ([#1326](https://github.com/roots/trellis/pull/1326)) +* Add PHP 8.1 support ([#1325](https://github.com/roots/trellis/pull/1325)) ### 1.10.0: November 28th, 2021 * Default to PHP 8.0 ([#1322](https://github.com/roots/trellis/pull/1322)) From c86fa9b83f1e6476ece6f3ec982b321edfaabf77 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 6 Dec 2021 15:41:18 -0600 Subject: [PATCH 341/416] Remove issue closer --- .github/workflows/issues.yml | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 .github/workflows/issues.yml diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml deleted file mode 100644 index f2b2474ec3..0000000000 --- a/.github/workflows/issues.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: Issue closer -on: [issues] -jobs: - autoclose: - runs-on: ubuntu-latest - steps: - - name: Autoclose issues that did not follow issue template - uses: roots/issue-closer@v1.1 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-close-message: "Hi @${issue.user.login}, -It looks like the issue template is missing from this issue. Please take a look at the [Contribution Guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md), which will tell you **exactly** what your ticket has to contain in order to be processable. -Please **do not** use the issue tracker for personal support requests. Use [Roots Discourse](https://discourse.roots.io/) to ask the Roots community for help, or [hire someone from the community](https://discourse.roots.io/c/jobs)." - issue-pattern: ".*guidelines for Contributing.*" From 978700dd59b20b9b4a48c3c4f67e093cd0815a6f Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 8 Dec 2021 13:18:26 -0600 Subject: [PATCH 342/416] Update docs links [ci skp] --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 6d0649a654..34751b908f 100644 
--- a/README.md +++ b/README.md @@ -29,7 +29,7 @@

- Official Website | Documentation | Change Log + Official Website | Documentation | Change Log

## Supporting @@ -74,7 +74,7 @@ Trellis will configure a server with the following and more: ## Documentation -Full documentation is available at [https://roots.io/docs/trellis/master/installation/](https://roots.io/docs/trellis/master/installation/). +Full documentation is available at [https://docs.roots.io/trellis/master/installation/](https://docs.roots.io/trellis/master/installation/). ## Requirements @@ -84,7 +84,7 @@ Make sure all dependencies have been installed before moving on: - [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 - **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) -**Windows user?** [Read the Windows getting started docs](https://roots.io/docs/getting-started/windows/#working-with-trellis) for slightly different installation instructions. +**Windows user?** [Read the Windows getting started docs](https://docs.roots.io/getting-started/windows/#working-with-trellis) for slightly different installation instructions. ## Installation 
@@ -148,15 +148,15 @@ $ trellis up 2. Ensure you're in the trellis directory: `cd trellis` 3. Run `vagrant up` -[Read the local development docs](https://roots.io/docs/trellis/master/local-development/#wordpress-installation) for more information. +[Read the local development docs](https://docs.roots.io/trellis/master/local-development/#wordpress-installation) for more information. ## Remote server setup (staging/production) A base Ubuntu 18.04 (Bionic) or Ubuntu 20.04 (Focal LTS) server is required for setting up remote servers. -1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/docs/trellis/master/vault/) for how to encrypt files containing passwords) +1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://docs.roots.io/trellis/master/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` -3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://roots.io/docs/trellis/master/ssh-keys/)) +3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://docs.roots.io/trellis/master/ssh-keys/)) ### Using trellis-cli @@ -180,7 +180,7 @@ $ trellis droplet create production ### Manual -For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/docs/trellis/master/remote-server-setup/#requirements) for more information. +For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://docs.roots.io/trellis/master/remote-server-setup/#requirements) for more information. Provision the server: 
@@ -188,7 +188,7 @@ Provision the server: $ ansible-playbook server.yml -e env= ``` -[Read the remote server docs](https://roots.io/docs/trellis/master/remote-server-setup/) for more information. +[Read the remote server docs](https://docs.roots.io/trellis/master/remote-server-setup/) for more information. ## Deploying to remote servers From 98816fa3bfd61217ae56d83b3d33aefb6badc9a1 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 8 Dec 2021 22:34:02 -0500 Subject: [PATCH 343/416] Bump vagrant_ansible_version to 2.10.7 --- vagrant.default.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vagrant.default.yml b/vagrant.default.yml index 7ff8284984..6698daf6e3 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 202012.23.0' -vagrant_ansible_version: '2.9.10' +vagrant_ansible_version: '2.10.7' vagrant_ansible_python_interpreter: '/usr/bin/python3' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From 3518a2432a2bcc52083c92b280a633083b5e5d5c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 10 Dec 2021 00:19:06 -0500 Subject: [PATCH 344/416] Require Vagrant < 2.2.19 2.2.19 has a bug affecting macOS Big Sur and should be avoided. --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 016f43c149..133616b618 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,7 +16,7 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -Vagrant.require_version '>= 2.1.0' +Vagrant.require_version '>= 2.1.0', '< 2.2.19' Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') From e2b12a6badfd0da16749c6d56cd61e3bd2b61de4 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Fri, 10 Dec 2021 20:36:55 -0500 Subject: [PATCH 345/416] Set default for ansible_ssh_extra_args ansible-base in 2.10.16 changed how SSH option defaults worked breaking this. Just ensuring it has a proper default instead of undefined solves the issue. --- roles/connection/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index d3b13bafcc..8acdef9606 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -12,7 +12,7 @@ register: preferred_host_key_algorithms when: - dynamic_host_key_algorithms | default(true) - - not ansible_ssh_extra_args + - not ansible_ssh_extra_args | default(None) - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} From 56ec12d8dcd5f403236c5b48b7e3b8fd15ddcae4 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 10 Dec 2021 20:43:21 -0500 Subject: [PATCH 346/416] v1.11.0 --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d274348f7..5d29648121 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,7 @@ -### HEAD +### 1.11.0: December 10th, 2021 +* Fix Ansible `2.10.16` - set default for `ansible_ssh_extra_args` ([#1333](https://github.com/roots/trellis/pull/1333)) +* Set max supported Vagrant version to `< 2.2.19` ([#1332](https://github.com/roots/trellis/pull/1332)) +* Bump `vagrant_ansible_version` to `2.10.7` ([#1329](https://github.com/roots/trellis/pull/1329)) * Remove Nginx `ssl_dhparam` directive and Diffie-Hellman params group ([#1326](https://github.com/roots/trellis/pull/1326)) * Add PHP 8.1 support ([#1325](https://github.com/roots/trellis/pull/1325)) From 32b1625d1e00e7060b95ffe232ecffb25afdab0a Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Fri, 10 Dec 2021 20:52:39 -0500 Subject: [PATCH 347/416] Add ansible-base to requirements Bumps minimum required Ansible to >= 2.10 as well. The Ansible ecosystem has changed how their versions and packages work causing the main `ansible` package versions to no longer determine the version of `ansible-playbook`. Instead, the new `ansible-base` package is what matters. Background: https://blog.while-true-do.io/ansible-release-3-0-0/ For example, installing `ansible==2.10.7` would result in `ansible-playbook==2.10.16` which was confusing. By adding `ansible-base` to our `requirements.txt`, we'll get more consistent and predictable version constraints. Installing `ansible-base==2.10.16` would result in `ansible-playbook==2.10.16` as you'd expect. --- .circleci/config.yml | 2 +- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 4 ++-- requirements.txt | 3 ++- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9e78a3993b..ac59b18eee 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -106,7 +106,7 @@ workflows: matrix: parameters: python-version: ["3.7.8", "2.7"] - ansible-version: ["~=2.9.0", "~=2.8.0"] + ansible-version: ["~=2.10.0"] - syntax-check-with-requirements-txt: name: syntax-check-python-<>-requirements-txt matrix: diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d29648121..69d36cb36d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### 1.11.0: December 10th, 2021 +* Bump minimum ansible version to `2.10.0` and add `ansible-base` to requirements ([#1334](https://github.com/roots/trellis/pull/1334)) * Fix Ansible `2.10.16` - set default for `ansible_ssh_extra_args` ([#1333](https://github.com/roots/trellis/pull/1333)) * Set max supported Vagrant version to `< 2.2.19` ([#1332](https://github.com/roots/trellis/pull/1332)) * Bump `vagrant_ansible_version` to `2.10.7` ([#1329](https://github.com/roots/trellis/pull/1329)) 
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index cee62944f7..5ecff33d4a 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -14,8 +14,8 @@ from ansible.utils.display import Display display = Display() -version_requirement = '2.8.0' -version_tested_max = '2.10.7' +version_requirement = '2.10.0' +version_tested_max = '2.10.16' python3_required_version = '2.5.3' if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): diff --git a/requirements.txt b/requirements.txt index cecd05381d..d794f8d619 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,3 @@ -ansible>=2.8.0,<3.0 +ansible>=2.10.0,<3.0 +ansible-base>=2.10,<=2.10.16 passlib From aa78f3aec8d01d1568efad883d5648dacbdec71d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 10 Dec 2021 21:15:18 -0500 Subject: [PATCH 348/416] Remove old version checks --- lib/trellis/plugins/vars/version.py | 9 --------- 1 file changed, 9 deletions(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 5ecff33d4a..951cf30d2a 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -16,11 +16,6 @@ version_requirement = '2.10.0' version_tested_max = '2.10.16' -python3_required_version = '2.5.3' - -if version_info[0] == 3 and not ge(LooseVersion(__version__), LooseVersion(python3_required_version)): - raise AnsibleError(('Ansible >= {} is required when using Python 3.\n' - 'Either downgrade to Python 2 or update your Ansible version to {}.').format(python3_required_version, python3_required_version)) if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 
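Review bot: The new `ansible-base>=2.10,<=2.10.16` line in requirements.txt puts a hard ceiling at a single patch release, so an install from this file cannot pick up any later 2.10.x release, including ones that carry security fixes, until the file is edited. `version.py` appears to treat `version_tested_max` as a warning rather than a hard stop, so the two files disagree on how strict the ceiling is. If the intent is to stay on the 2.10 series, `ansible-base>=2.10,<2.11` says that without blocking patch updates. If the exact ceiling is deliberate, a `#` comment in requirements.txt stating why would keep the next maintainer from loosening or forgetting it.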
@@ -30,10 +25,6 @@ u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) -if eq(LooseVersion(__version__), LooseVersion('2.5.0')): - display.warning(u'Your Ansible version is {}. Consider upgrading your Ansible version to avoid ' - u'erroneous warnings such as `Removed restricted key from module data...`'.format(__version__)) - # Import BaseVarsPlugin after Ansible version check. # Otherwise import error for Ansible versions older than 2.4 would prevent display of version check message. from ansible.plugins.vars import BaseVarsPlugin From 587738ec1324e1f1138ebb2cf000fff9185c74b8 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 11 Dec 2021 15:42:43 -0500 Subject: [PATCH 349/416] Simplify README This removes the "manual" docs from the README and focuses on the trellis-cli workflow. This README isn't meant to be the full documentation anyway. --- README.md | 86 ++++--------------------------------------------------- 1 file changed, 6 insertions(+), 80 deletions(-) diff --git a/README.md b/README.md index 34751b908f..f79f869a31 100644 --- a/README.md +++ b/README.md 
@@ -78,61 +78,18 @@ Full documentation is available at [https://docs.roots.io/trellis/master/install ## Requirements -Make sure all dependencies have been installed before moving on: - -- [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -- [Vagrant](https://www.vagrantup.com/downloads.html) >= 2.1.0 -- **Recommended**: [trellis-cli](https://github.com/roots/trellis-cli) - -**Windows user?** [Read the Windows getting started docs](https://docs.roots.io/getting-started/windows/#working-with-trellis) for slightly different installation instructions. +See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements and our [getting started pages](https://docs.roots.io/getting-started) for more OS specific instructions. ## Installation -### Using trellis-cli - Create a new project: ```bash $ trellis new example.com ``` -### Manual - -The recommended directory structure for a Trellis project looks like: - -```bash -example.com/ # → Root folder for the project -├── trellis/ # → Your clone of this repository -└── site/ # → A Bedrock-based WordPress site - └── web/ - ├── app/ # → WordPress content directory (themes, plugins, etc.) - └── wp/ # → WordPress core (don't touch!) -``` - -See a complete working example in the [roots-example-project.com repo](https://github.com/roots/roots-example-project.com). - -1. Create a new project directory: - -```bash -$ mkdir example.com && cd example.com -``` - -2. Install Trellis: - -```bash -$ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git -``` - -3. Install Bedrock into the `site` directory: - -```bash -$ composer create-project roots/bedrock site -``` - ## Local development setup -### Using trellis-cli - 1. Review the automatically created site in `group_vars/development/wordpress_sites.yml` 2. Customize settings if necessary 
@@ -142,12 +99,6 @@ Start the Vagrant virtual machine: $ trellis up ``` -### Manual - -1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` -2. Ensure you're in the trellis directory: `cd trellis` -3. Run `vagrant up` - [Read the local development docs](https://docs.roots.io/trellis/master/local-development/#wordpress-installation) for more information. ## Remote server setup (staging/production) @@ -158,14 +109,6 @@ A base Ubuntu 18.04 (Bionic) or Ubuntu 20.04 (Focal LTS) server is required for 2. Add your server IP/hostnames to `hosts/` 3. Specify public SSH keys for `users` in `group_vars/all/users.yml` (see the [SSH Keys docs](https://docs.roots.io/trellis/master/ssh-keys/)) -### Using trellis-cli - -Initialize Trellis (Virtualenv) environment: - -```bash -$ trellis init -``` - Provision the server: ```bash @@ -178,16 +121,6 @@ Or take advantage of its [Digital Ocean](https://roots.io/r/digitalocean) suppor $ trellis droplet create production ``` -### Manual - -For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://docs.roots.io/trellis/master/remote-server-setup/#requirements) for more information. - -Provision the server: - -```bash -$ ansible-playbook server.yml -e env= -``` - [Read the remote server docs](https://docs.roots.io/trellis/master/remote-server-setup/) for more information. ## Deploying to remote servers @@ -195,8 +128,6 @@ $ ansible-playbook server.yml -e env= 1. Add the `repo` (Git URL) of your Bedrock WordPress project in the corresponding `group_vars//wordpress_sites.yml` file 2. Set the `branch` you want to deploy (defaults to `master`) -### Using trellis-cli - Deploy a site: ```bash 
@@ -209,22 +140,17 @@ Rollback a deploy: $ trellis rollback ``` -### Manual +[Read the deploys docs](https://roots.io/docs/trellis/master/deployments/) for more information. -Deploy a site: +## Migrating existing projects to trellis-cli: -```bash -$ ./bin/deploy.sh -``` - -Rollback a deploy: +Assuming you're using the standard project structure, you just need to make the +project trellis-cli compatible by initializing it: ```bash -$ ansible-playbook rollback.yml -e "site= env=" +$ trellis init ``` -[Read the deploys docs](https://roots.io/docs/trellis/master/deployments/) for more information. - ## Contributing Contributions are welcome from everyone. We have [contributing guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) to help you get started. From 19bdce6638c98ea438b9e8a4bb13f43de2351653 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 11 Dec 2021 16:39:31 -0500 Subject: [PATCH 350/416] Fix #1331 - Improve passlib instructions Updates the error message when `passlib` isn't installed on macOS. This recommends using trellis-cli as the main solution but still provides a manual method including better options for install pip. --- roles/common/tasks/main.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 34271b37b6..84ff7aa2fd 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -97,10 +97,21 @@ - name: Check whether passlib is needed fail: msg: | - Ansible on OS X requires python passlib module to create user password hashes + Ansible on macOS requires Python's passlib module to create user password hashes + + If you're seeing this error message, you likely didn't use trellis-cli to create your project. + We highly recommend installing and using trellis-cli to manage your Trellis projects. + + See https://github.com/roots/trellis-cli for more documentation. + + For existing projects, you can run `trellis init` which will manage the dependencies automatically and fix this problem + as long as you use the `trellis` commands (like `trellis provision`) afterwards. + + To fix this manually, use pip to install the package: pip install passlib + + If pip is not installed, you'll have to install it first. + See https://stackoverflow.com/questions/17271319/how-do-i-install-pip-on-macos-or-os-x for many options. - sudo easy_install pip - pip install passlib when: env != 'development' and darwin_without_passlib | default(false) run_once: true From e8fcd02b836586f918a0d9ac15983a1c8eba47be Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 11 Dec 2021 18:24:03 -0500 Subject: [PATCH 351/416] Fixes #1319 - Improve how ssh_args are loaded This refactors how `ssh_args` are loaded since the private method `_ssh_args` on `PlayContext` has been removed in Ansible 2.11. Instead, we load the ssh plugin and get the option directly. --- lib/trellis/plugins/callback/vars.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index 9cd0f941e2..f42bebf2c8 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -3,6 +3,7 @@ import re import sys +import os from __main__ import cli from ansible.module_utils.six import iteritems 
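Review bot: The manual fix in the new `msg` text, `pip install passlib`, installs into whichever Python the first `pip` on PATH belongs to, which is not necessarily the interpreter that runs Ansible on the control machine. `python -m pip install --user passlib`, run with the interpreter Ansible uses, removes that ambiguity. The message also sends readers to a Stack Overflow thread to install pip; linking the official page (`https://pip.pypa.io/en/stable/installation/`) avoids pointing users at install commands nobody on the project has reviewed.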
@@ -14,6 +15,7 @@ from ansible.template import Templar from ansible.utils.unsafe_proxy import wrap_var from ansible import context +from ansible.plugins.loader import connection_loader class CallbackModule(CallbackBase): @@ -94,6 +96,9 @@ def darwin_without_passlib(self): return True def v2_playbook_on_play_start(self, play): + play_context = PlayContext(play=play) + connection = connection_loader.get('ssh', play_context, os.devnull) + env = play.get_variable_manager().get_vars(play=play).get('env', '') env_group = next((group for key,group in iteritems(play.get_variable_manager()._inventory.groups) if key == env), False) if env_group: @@ -102,7 +107,7 @@ def v2_playbook_on_play_start(self, play): for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): hostvars = play.get_variable_manager().get_vars(play=play, host=host) self.raw_vars(play, host, hostvars) - host.vars['ssh_args_default'] = PlayContext(play=play)._ssh_args.default + host.vars['ssh_args_default'] = connection.get_option('ssh_args') host.vars['cli_options'] = self.cli_options() host.vars['cli_ask_pass'] = self._options.get('ask_pass', False) host.vars['cli_ask_become_pass'] = self._options.get('become_ask_pass', False) From ba5767d5452c8f30974ddf29d7aafca5e37e4e03 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 11 Dec 2021 19:02:53 -0500 Subject: [PATCH 352/416] Update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 69d36cb36d..e7b441ed0c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
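Review bot: The `connection_loader.get('ssh', play_context, os.devnull)` call added at the top of `v2_playbook_on_play_start` has no comment, and neither the `os.devnull` argument nor the reason a callback instantiates a connection plugin is clear from the code alone. A comment such as `# PlayContext._ssh_args was removed in Ansible 2.11; load the ssh plugin only to read its ssh_args option (os.devnull stands in for stdin)` would carry the commit message's explanation into the file. Note also that `connection.get_option('ssh_args')` presumably returns the effective configured value (ansible.cfg or environment) rather than the built-in default that `_ssh_args.default` gave, so the name `ssh_args_default` may no longer be exact. That matters because the value feeds the SSH options used for every host, so it is worth confirming against how the variable is consumed. The function body continues outside the hunk.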
@@ -1,3 +1,7 @@ +### HEAD +* Fix #1319 - Improve how ssh_args are loaded ([#1337](https://github.com/roots/trellis/pull/1337)) +* Fix #1331 - Improve passlib instructions([#1336](https://github.com/roots/trellis/pull/1336)) + ### 1.11.0: December 10th, 2021 * Bump minimum ansible version to `2.10.0` and add `ansible-base` to requirements ([#1334](https://github.com/roots/trellis/pull/1334)) * Fix Ansible `2.10.16` - set default for `ansible_ssh_extra_args` ([#1333](https://github.com/roots/trellis/pull/1333)) From a51674d7299d7953933311a99bee41722c650957 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 13 Dec 2021 22:52:17 -0500 Subject: [PATCH 353/416] Remove old WP customizer frame options hack --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index e090b2ea6a..414328fcc4 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -206,14 +206,7 @@ server { {% block embed_security -%} {% if item.value.nginx_embed_security | default(nginx_embed_security | default(true)) -%} add_header Content-Security-Policy "frame-ancestors 'self'" always; - - # Conditional X-Frame-Options until https://core.trac.wordpress.org/ticket/40020 is resolved - set $x_frame_options SAMEORIGIN; - if ($arg_customize_changeset_uuid) { - set $x_frame_options ""; - } - add_header X-Frame-Options $x_frame_options always; - + add_header X-Frame-Options SAMEORIGIN always; {% endif -%} {% endblock -%} From b193890bad0d0fac5b41f6179dc528fbd55ff912 Mon Sep 17 00:00:00 2001 
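Review bot: In the `embed_security` block of wordpress-site.conf.j2, the now unconditional `add_header X-Frame-Options SAMEORIGIN always;` sits directly under `Content-Security-Policy "frame-ancestors 'self'"` with no comment saying why both headers are sent. The comment that was removed was the only record of the WordPress ticket behind the old exception. A one-line comment, `# X-Frame-Options is kept for browsers that do not honour CSP frame-ancestors`, would document the overlap so a later cleanup does not drop one of the two by accident.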
From: Scott Walkinshaw Date: Wed, 22 Dec 2021 23:59:21 -0500 Subject: [PATCH 354/416] Update default vagrant_ip Changes the default `vagrant_ip` from `192.168.50.5` to `192.168.56.5` (note the subtle change from `50` -> `56`). A recent change in VirtualBox means that only IP addresses in the 192.168.56.0/21 range are allowed. Vagrant is now validating that the IP is within this range as well (https://github.com/hashicorp/vagrant/pull/12564). --- hosts/development | 4 ++-- vagrant.default.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts/development b/hosts/development index 4af294aca7..2075118800 100644 --- a/hosts/development +++ b/hosts/development @@ -35,7 +35,7 @@ # into the Vagrantfile's `config.vm.provision` section. [development] -192.168.50.5 ansible_connection=local +192.168.56.5 ansible_connection=local [web] -192.168.50.5 ansible_connection=local +192.168.56.5 ansible_connection=local diff --git a/vagrant.default.yml b/vagrant.default.yml index 6698daf6e3..581f36a61c 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -1,5 +1,5 @@ --- -vagrant_ip: '192.168.50.5' +vagrant_ip: '192.168.56.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' From 5b6a295e70a998f311ba9e025f5d159755b13977 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 29 Dec 2021 16:03:30 -0500 Subject: [PATCH 355/416] Add support for public keys for deploys Adding a deploy specific SSH public key to a Trellis server is a common task to enable CI/CD deploys (such as GitHub Actions). This creates a standard folder (`public_keys`) for them. Any public SSH keys in that folder (ending in `.pub`) will be automatically added to the `web_user` as an authorized key. --- CHANGELOG.md | 1 + lib/trellis/utils/output.py | 2 +- public_keys/.gitkeep | 0 roles/users/tasks/main.yml | 8 +++++++- 4 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 public_keys/.gitkeep 
diff --git a/CHANGELOG.md b/CHANGELOG.md index e7b441ed0c..322b31fe5b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Improve support for adding public SSH keys ([#1344](https://github.com/roots/trellis/pull/1344)) * Fix #1319 - Improve how ssh_args are loaded ([#1337](https://github.com/roots/trellis/pull/1337)) * Fix #1331 - Improve passlib instructions([#1336](https://github.com/roots/trellis/pull/1336)) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index ca4eb22728..33dbc4b55a 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -55,7 +55,7 @@ def replace_item_with_key(obj, result): ) if should_replace: - if 'key' in result._result[item]: + if type(result._result[item]) is dict and 'key' in result._result[item]: result._result[item] = result._result[item]['key'] elif type(result._result[item]) is dict: subitem = '_ansible_item_label' if '_ansible_item_label' in result._result[item] else 'item' diff --git a/public_keys/.gitkeep b/public_keys/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index acfcd74838..09b84830df 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -49,7 +49,7 @@ validate: "/usr/sbin/visudo -cf %s" when: web_sudoers[0] is defined -- name: Add SSH keys +- name: Add user SSH keys authorized_key: user: "{{ item.0.name }}" key: "{{ item.1 }}" @@ -57,6 +57,12 @@ - "{{ users | default([]) }}" - keys +- name: Add deploy SSH keys + authorized_key: + user: "{{ web_user }}" + key: "{{ lookup('file', item) }}" + with_fileglob: 'public_keys/*.pub' + - name: Check whether Ansible can connect as admin_user command: ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }} delegate_to: localhost From 39423738b70cfd06cc777ebf219921a30cc9d194 Mon Sep 17 00:00:00 2001 
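Review bot: The new `Add deploy SSH keys` task in roles/users/tasks/main.yml only ever adds keys: deleting a file from `public_keys/` leaves the key in `web_user`'s authorized_keys on every server already provisioned, so revoking a CI key needs a manual step that nothing here mentions. The glob is also not scoped by environment, so a key dropped in for staging is authorized on production at the next provision. A comment above the task, `# Keys are added, never removed: deleting a .pub file does not revoke it on the server`, would at least make that visible. If deploy keys should be narrower than an interactive login, the module's `key_options` parameter can carry restrictions such as `no-port-forwarding,no-agent-forwarding`, but whether the deploy flow tolerates those needs checking.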
From: Scott Walkinshaw Date: Fri, 31 Dec 2021 16:22:41 -0500 Subject: [PATCH 356/416] Update sponsors section in README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f79f869a31..fb94b64b48 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,8 @@ However, the amount of effort needed to maintain and develop new features and pr
-[![Donate via Patreon](https://img.shields.io/badge/donate-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) +[![Sponsor on GitHub](https://img.shields.io/static/v1?label=sponsor&message=%E2%9D%A4&logo=GitHub)](https://github.com/sponsors/roots) +[![Sponsor on Patreon](https://img.shields.io/badge/sponsor-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) [![Donate via PayPal](https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square&logo=paypal)](https://www.paypal.me/rootsdev)
From 47b04b70e299eab1d34294401290a4bb6db7858c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 2 Jan 2022 16:12:34 -0500 Subject: [PATCH 357/416] Revert "Default to proper box for M1 macs" --- Vagrantfile | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 88514e3310..133616b618 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -19,13 +19,7 @@ trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) Vagrant.require_version '>= 2.1.0', '< 2.2.19' Vagrant.configure('2') do |config| - vagrant_box = if Vagrant::Util::Platform.darwin? && `uname -m`.chomp == "arm64" - 'jeffnoxon/ubuntu-20.04-arm64' - else - vconfig.fetch('vagrant_box') - end - - config.vm.box = vagrant_box + config.vm.box = vconfig.fetch('vagrant_box') config.vm.box_version = vconfig.fetch('vagrant_box_version') config.ssh.forward_agent = true config.vm.post_up_message = post_up_message From 8f1c4600ac27529872eedee490d13b6a9f750bc4 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 3 Jan 2022 10:45:59 -0500 Subject: [PATCH 358/416] v1.12.0 --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 322b31fe5b..c8d5c6b634 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ -### HEAD +### 1.12.0: January 3rd, 2022 * Improve support for adding public SSH keys ([#1344](https://github.com/roots/trellis/pull/1344)) +* Update default Vagrant IP to 192.168.56.5 ([#1341](https://github.com/roots/trellis/pull/1341)) +* Remove old WP customizer frame options hack ([#1338](https://github.com/roots/trellis/pull/1338)) * Fix #1319 - Improve how ssh_args are loaded ([#1337](https://github.com/roots/trellis/pull/1337)) * Fix #1331 - Improve passlib instructions([#1336](https://github.com/roots/trellis/pull/1336)) From 4045d3050491d7dd25d7e1141ea7474f10e9129b Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Tue, 4 Jan 2022 10:33:42 -0500 Subject: [PATCH 359/416] Switch CI to GitHub Actions --- .circleci/config.yml | 114 --------------------------------------- .github/workflows/ci.yml | 37 +++++++++++++ 2 files changed, 37 insertions(+), 114 deletions(-) delete mode 100644 .circleci/config.yml create mode 100644 .github/workflows/ci.yml diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index ac59b18eee..0000000000 --- a/.circleci/config.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -version: 2.1 - -orbs: - python: circleci/python@0.3.2 - -commands: - install-pip-package: - parameters: - package: - type: string - python-version: - type: string - steps: - - restore_cache: - name: Restore pip Cache - keys: - - pip-v3-<>-<>- - - run: - name: Install pip Package - command: pip install --user --upgrade <> - - save_cache: - name: Save pip Cache - key: pip-v3-<>-<>-{{ epoch }} - paths: - - /home/circleci/.local/bin/ - - /home/circleci/.local/lib/ - - /home/circleci/.cache/pip/ - install-galaxy-roles: - steps: - - restore_cache: - name: Restore Galaxy Role Cache - keys: - - galaxy-role-v2-{{ checksum "galaxy.yml" }} - - run: - name: Install Galaxy Roles - command: ansible-galaxy install -r galaxy.yml - - save_cache: - name: Save Galaxy Role Cache - key: galaxy-role-v2-{{ checksum "galaxy.yml" }} - paths: - - vendor/ - check-playbook-syntax: - steps: - - run: - name: Check Playbook Syntax - command: | - ansible-playbook --syntax-check -e env=development deploy.yml - ansible-playbook --syntax-check -e env=development dev.yml - ansible-playbook --syntax-check -e env=development server.yml - ansible-playbook --syntax-check -e env=development rollback.yml - ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml - -jobs: - syntax-check: - parameters: - ansible-version: - type: string - python-version: - type: string - executor: - name: python/default - tag: <> - steps: - - run: python --version - - checkout - - install-pip-package: - package: ansible<< parameters.ansible-version >> - python-version: <> - - run: ansible --version - - install-galaxy-roles - - check-playbook-syntax - - syntax-check-with-requirements-txt: - parameters: - python-version: - type: string - executor: - name: python/default - tag: <> - steps: - - run: python --version - - checkout - - restore_cache: - name: Restore pip Cache - keys: - - pip-v3-<>-{{ checksum "requirements.txt" }}- - - run: - name: Install packages from requirements.txt 
(or any other file) via Pip. - command: pip install --user --upgrade --requirement requirements.txt - - save_cache: - name: Save pip Cache - key: pip-v3-<>-{{ checksum "requirements.txt" }}-{{ epoch }} - paths: - - /home/circleci/.local/bin/ - - /home/circleci/.local/lib/ - - /home/circleci/.cache/pip - - run: ansible --version - - install-galaxy-roles - - check-playbook-syntax - -workflows: - syntax-check: - jobs: - - syntax-check: - name: syntax-check-python-<>-ansible<> - matrix: - parameters: - python-version: ["3.7.8", "2.7"] - ansible-version: ["~=2.10.0"] - - syntax-check-with-requirements-txt: - name: syntax-check-python-<>-requirements-txt - matrix: - parameters: - python-version: ["3.7.8", "2.7"] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..e4133c470c --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,37 @@ +name: ci + +on: + push: + branches: + - master + pull_request: + branches: + - master + workflow_dispatch: + +jobs: + test: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: ['2.x', '3.x'] + steps: + - uses: actions/checkout@v2 + - uses: actions/setup-python@v2 + with: + python-version: ${{ matrix.python-version }} + architecture: x64 + cache: 'pip' + - run: pip install -r requirements.txt + - uses: actions/cache@v2 + with: + path: vendor + key: ${{ runner.os }}-galaxy-${{ hashFiles('galaxy.yml') }} + - run: ansible-galaxy install -r galaxy.yml + - name: Check playbook syntax + run: | + ansible-playbook --syntax-check -e env=development deploy.yml + ansible-playbook --syntax-check -e env=development dev.yml + ansible-playbook --syntax-check -e env=development server.yml + ansible-playbook --syntax-check -e env=development rollback.yml + ansible-playbook --syntax-check -e xdebug_tunnel_inventory_host=1 xdebug-tunnel.yml From 089f023a54ff52725fba0887cd8c818ed3b76f09 Mon Sep 17 00:00:00 2001 
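Review bot: The new .github/workflows/ci.yml declares no `permissions:` block, so its `GITHUB_TOKEN` gets the repository's default scope even though the job only checks out code, installs requirements and runs `ansible-playbook --syntax-check`. Adding a top-level `permissions:` with `contents: read` limits the token to what the job needs. The three actions are referenced by mutable tags (`actions/checkout@v2`, `actions/setup-python@v2`, `actions/cache@v2`). Pinning each to a full commit SHA, with the tag kept in a trailing comment, removes the dependence on a tag that can be moved.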
From: Scott Walkinshaw Date: Tue, 4 Jan 2022 00:13:31 -0500 Subject: [PATCH 360/416] Use trellis-cli for Vagrant galaxy install This replaces the default galaxy command (`ansible-galaxy install`) with the much better `trellis galaxy install` if trellis-cli is available on the host machine. With trellis-cli's command, there should be no reason to use the annoying `SKIP_GALAXY` env var which was added to prevent Vagrant from always installing the roles each time. `trellis galaxy install` is efficient and quickly skips already installed roles. --- Vagrantfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Vagrantfile b/Vagrantfile index 133616b618..92e29c3c3b 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -131,6 +131,10 @@ Vagrant.configure('2') do |config| ansible.galaxy_role_file = File.join(provisioning_path, 'galaxy.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') + if which('trellis') + ansible.galaxy_command = 'trellis galaxy install' + end + ansible.groups = { 'web' => ['default'], 'development' => ['default'] From 967c1ee115ffee0290c72069038319f27eba8171 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 3 Jan 2022 14:50:55 -0500 Subject: [PATCH 361/416] Update default ssh key paths Adds id_ed25519 in addition to the existing id_rsa entry and sets `errors='ignore'` to both. If that local path doesn't exist, Ansible will still show a helpful warning but won't fail. --- group_vars/all/users.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index c19aafa286..4d38ac23d2 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml 
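Review bot: The override `ansible.galaxy_command = 'trellis galaxy install'` contains neither of Vagrant's `%{role_file}` / `%{roles_path}` placeholders, so the `galaxy_role_file` and `galaxy_roles_path` values set just above it no longer decide which file is read or where roles are installed; that is left to trellis-cli. `which('trellis')` is also evaluated on the host, so if this provisioner block can run as `ansible_local` (not visible in the hunk) the command would be executed inside the guest, where trellis-cli may not exist. A comment such as `# trellis-cli locates galaxy.yml and the roles path itself; host-side provisioning only`, plus a guard on the provisioner type, would make both assumptions explicit. The surrounding provisioner block starts and ends outside the hunk.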
@@ -7,13 +7,15 @@ users: groups: - "{{ web_group }}" keys: - - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" + - "{{ lookup('file', '~/.ssh/id_rsa.pub', errors='ignore') }}" + - "{{ lookup('file', '~/.ssh/id_ed25519.pub', errors='ignore') }}" # - https://github.com/username.keys - name: "{{ admin_user }}" groups: - sudo keys: - - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" + - "{{ lookup('file', '~/.ssh/id_rsa.pub', errors='ignore') }}" + - "{{ lookup('file', '~/.ssh/id_ed25519.pub', errors='ignore') }}" # - https://github.com/username.keys web_user: web From 3b72c4f5f5c9fa0b3bc49101df7c3a4b69ddbf7e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 4 Jan 2022 14:13:52 -0500 Subject: [PATCH 362/416] Fix #970 - Improve git clone failure error Outputs the original stderr message as well in case of failure. --- roles/deploy/tasks/update.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index fb8831e24f..92ac949b00 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -39,6 +39,9 @@ More info: > https://roots.io/trellis/docs/deploys/#ssh-keys > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding + + Error: + {{ git_clone.stderr }} when: git_clone is failed - name: Remove untracked files from project folder From 45d88096dc92c2b1eeb7e6b898a0c82e9180ffca Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 4 Jan 2022 20:03:17 -0500 Subject: [PATCH 363/416] Update CHANGELOG --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c8d5c6b634..ba63f4e2a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
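Review bot: With `errors='ignore'` on both lookups, a control machine that has neither `~/.ssh/id_rsa.pub` nor `~/.ssh/id_ed25519.pub` now produces two empty or null entries under `keys` for both `web_user` and `admin_user` instead of stopping the run. The task that consumes `users` is outside this hunk, so how it treats such entries cannot be confirmed here; if it manages authorized keys exclusively, an account could end up with no usable key. A comment above each list, `# At least one of these files must exist on the control machine; missing ones are skipped`, would record the expectation. An `assert` early in the play that each user has at least one non-empty key would turn a silent lockout into a clear failure.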
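Review bot: `{{ git_clone.stderr }}` in the failure message assumes the registered result always has a `stderr` key, which may not hold for every failure path of the module behind `git_clone`, whose task is outside this hunk. If the key is missing, templating the message fails and hides the help text this task exists to show; `{{ git_clone.stderr | default(git_clone.msg | default('')) }}` keeps the message usable. Separately, if `project_git_repo` is ever an HTTPS URL with embedded credentials, git's error output may repeat that URL, so this text can reach CI logs. That is worth a short comment next to the new lines.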
@@ -1,3 +1,8 @@ +### HEAD +* Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348)) +* Use trellis-cli for Vagrant galaxy install when available ([#1349](https://github.com/roots/trellis/pull/1349)) +* Fix #970 - Improve git clone failure error ([#1351](https://github.com/roots/trellis/pull/1351)) + ### 1.12.0: January 3rd, 2022 * Improve support for adding public SSH keys ([#1344](https://github.com/roots/trellis/pull/1344)) * Update default Vagrant IP to 192.168.56.5 ([#1341](https://github.com/roots/trellis/pull/1341)) From 825c0e1a4adf42b23120a0e295d747be17e4d759 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 18 Jan 2022 16:14:18 -0600 Subject: [PATCH 364/416] Remove issue templates --- .github/ISSUE_TEMPLATE/bug_report.yml | 108 --------------------- .github/ISSUE_TEMPLATE/config.yml | 4 - .github/ISSUE_TEMPLATE/feature_request.yml | 56 ----------- 3 files changed, 168 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml delete mode 100644 .github/ISSUE_TEMPLATE/config.yml delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml deleted file mode 100644 index 552d2b64c2..0000000000 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -name: Bug Report -description: Report a problem with Trellis. Please provide enough information so that we can reproduce the problem. -title: "Bug: " -labels: [bug] - -body: - - type: markdown - attributes: - value: | - This form is for reporting Trellis technical issues. - If you have a question or you're looking for support, please visit [Roots Discourse](https://discourse.roots.io/). - - - type: checkboxes - id: terms - attributes: - options: - - label: I have read the [guidelines for Contributing to Roots Projects](https://github.com/roots/.github/blob/master/CONTRIBUTING.md) - required: true - - label: This request is not a duplicate of an existing issue - required: true - - label: I have read the [Trellis docs](https://roots.io/docs/trellis/) and followed them (if applicable) - required: true - - label: I have seached the [Roots Discourse](https://discourse.roots.io/) for answers and followed them (if applicable) - required: true - - label: This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/) community - required: true - - - type: textarea - id: description - attributes: - label: Description - value: | - #### What's wrong? - - #### What have you tried? - - #### What insights have you gained? - - #### Possible solutions - - #### Temporary workarounds - validations: - required: true - - - type: textarea - id: steps-to-reproduce - attributes: - label: Steps To Reproduce - description: | - Non-reproducible issues may be immediately closed as not actionable. - Please provide reproduction steps as detailed as possible. - value: | - 1. - 1. - 1. - validations: - required: true - - - type: textarea - id: expected-behavior - attributes: - label: Expected Behavior - placeholder: What did you expect to happen? - validations: - required: true - - - type: textarea - id: actual-behavior - attributes: - label: Actual Behavior - placeholder: What actually happens? 
- validations: - required: true - - - type: textarea - id: logs - attributes: - label: Relevant Log Output - description: Please copy and paste any relevant log output. - render: shell - - - type: input - id: trellis-version - attributes: - label: Trellis Version - description: You can get this information from referencing `CHANGELOG.md`. If you know, please provide the [roots/trellis](https://github.com/roots/trellis) Git commit SHA. - validations: - required: true - - - type: textarea - id: ansible-version - attributes: - label: Ansible Version - description: You can get this information by running `$ ansible --version`. Please include the whole console output. - render: shell - validations: - required: true - - - type: input - id: trellis-cli-version - attributes: - label: Trellis CLI Version - description: If you are using [Trellis CLI](https://github.com/roots/trellis-cli), please provide the version (for stable versions; `$ trellis --version`) or the Git commit SHA (for canary builds). - - - type: markdown - attributes: - value: | - Thanks for taking the time to fill out this bug report! diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml deleted file mode 100644 index 089dbe29f9..0000000000 --- a/.github/ISSUE_TEMPLATE/config.yml +++ /dev/null @@ -1,4 +0,0 @@ -contact_links: - - name: Roots Discourse - url: https://discourse.roots.io - about: Is this a personal support request? Find help on our support forum. diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml deleted file mode 100644 index 7842e919f4..0000000000 --- a/.github/ISSUE_TEMPLATE/feature_request.yml +++ /dev/null 
@@ -1,56 +0,0 @@ -name: Feature Request -description: Suggest an idea for Trellis. -title: "Feature Request: " -labels: [feature, enhancement] - -body: - - type: markdown - attributes: - value: | - This form is for suggesting an idea for Trellis. - If you have a question or you're looking for support, please visit [Roots Discourse](https://discourse.roots.io/). - - - type: checkboxes - id: terms - attributes: - options: - - label: I have read the [guidelines for Contributing to Roots Projects](https://github.com/roots/.github/blob/master/CONTRIBUTING.md) - required: true - - label: This request is not a duplicate of an existing issue - required: true - - label: This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/) community - required: true - - - type: textarea - id: summary - attributes: - label: Summary - description: One paragraph explanation of the feature. - validations: - required: true - - - type: textarea - id: motivation - attributes: - label: Motivation - value: | - #### Why are we doing this? - - #### What use cases does it support? - - #### What is the expected outcome? - - #### Potential conflicts / foreseeable issues - validations: - required: true - - - type: textarea - id: additional-context - attributes: - label: Additional Context - description: Add any other context or screenshots about the feature request here. - - - type: markdown - attributes: - value: | - Thanks for taking the time to fill out this feature request form! From 73285794f0382e6ea81cb16951c9b5c231f53114 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Tue, 18 Jan 2022 18:38:59 -0500 Subject: [PATCH 365/416] Disable install_recommends for php packages php8.1-cli is being installed due to another package recommending it. Right now this breaks WordPress installation due to WP-CLI being incompatible. However, 8.1 shouldn't be installed anyway when the `php_version` is set to `8.0`. This fixes the root cause by setting `install_recommends: no` which disables the feature in `apt`. More background: https://github.com/oerdnj/deb.sury.org/wiki/Frequently-Asked-Questions#why-is-phpdefaultversion-cli-always-installed and https://github.com/oerdnj/deb.sury.org/issues/1711 --- CHANGELOG.md | 1 + roles/php/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba63f4e2a4..65a1c4640a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #1354 - Disable `install_recommends` for php packages ([#1355](https://github.com/roots/trellis/pull/1355)) * Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348)) * Use trellis-cli for Vagrant galaxy install when available ([#1349](https://github.com/roots/trellis/pull/1349)) * Fix #970 - Improve git clone failure error ([#1351](https://github.com/roots/trellis/pull/1351)) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 370e7d5aeb..e70d1cbf57 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -9,6 +9,7 @@ name: "{{ item.key }}" state: "{{ item.value }}" cache_valid_time: "{{ apt_cache_valid_time }}" + install_recommends: no with_dict: "{{ php_extensions }}" - name: Start php fpm service From fadd2bebfe433b3d3de52e36b55c14937e55cfe3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 21 Jan 2022 17:01:04 -0500 Subject: [PATCH 366/416] v1.13.0 --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65a1c4640a..4ec3f45b76 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,5 @@ -### HEAD -* Fix #1354 - Disable `install_recommends` for php packages ([#1355](https://github.com/roots/trellis/pull/1355)) +### 1.13.0: January 21st, 2022 +* Fix #1354 - Prevent apt from installing recommended packages for php ([#1355](https://github.com/roots/trellis/pull/1355)) * Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348)) * Use trellis-cli for Vagrant galaxy install when available ([#1349](https://github.com/roots/trellis/pull/1349)) * Fix #970 - Improve git clone failure error ([#1351](https://github.com/roots/trellis/pull/1351)) From 495ae1ce102fba6f9f4299f796a254a0dc7fb056 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 22 Jan 2022 00:43:29 -0600 Subject: [PATCH 367/416] Deploy hook build example: Update Sage build command --- deploy-hooks/build-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 6fef7df48f..87951f4735 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -19,7 +19,7 @@ # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # # - name: Compile assets for production -# command: yarn build:production +# command: yarn build # delegate_to: localhost # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" From afdeade3d0bf7c35a887623d82f4cc4e731b962c Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 22 Jan 2022 01:42:01 -0600 Subject: [PATCH 368/416] chore(project): Remove .circleci and add .github to .gitattributes --- .gitattributes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitattributes b/.gitattributes index 41c1519e9f..aacb20e852 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,2 +1,2 @@ -/.circleci export-ignore /.gitattributes export-ignore +/.github export-ignore From 51c1a3e58ee5600bf486ccfc51e922ff617de1cb Mon Sep 17 00:00:00 2001 
From: Ben Word Date: Wed, 26 Jan 2022 12:30:16 -0600 Subject: [PATCH 369/416] Update `wp_cli_version` to 2.6.0 --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 6abe35ebe1..b27b963495 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,5 +1,5 @@ gpg2_package: gnupg2 -wp_cli_version: 2.5.0 +wp_cli_version: 2.6.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_phar_asc_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar.asc" From f977a2580a6a4b5b9ee9bff5a8900f36bc7b474c Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 9 Jan 2022 12:03:04 -0500 Subject: [PATCH 370/416] Remove bin scripts These scripts were created as better interfaces to running the deploy and xdebug tunnel Ansible playbooks (since the Ansible CLI developer experience isn't the best when arguments are needed). They've been superceded by the much better trellis-cli now. If you don't want to use trellis-cli, then the `ansible-playbook` commands that these scripts ran can always be used. --- CHANGELOG.md | 5 +++++ Vagrantfile | 4 ---- bin/deploy.sh | 45 -------------------------------------------- bin/xdebug-tunnel.sh | 43 ------------------------------------------ 4 files changed, 5 insertions(+), 92 deletions(-) delete mode 100755 bin/deploy.sh delete mode 100755 bin/xdebug-tunnel.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ec3f45b76..22c84c09a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,8 @@ +### HEAD +* Remove bin scripts (trellis-cli should be used instead) ([#1352](https://github.com/roots/trellis/pull/1352)) +* Update `wp_cli_version` to `2.6.0` ([#1358](https://github.com/roots/trellis/pull/1358)) +* Deploy hook build example: Update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356)) + ### 1.13.0: January 21st, 2022 * Fix #1354 - Prevent apt from installing recommended packages for php ([#1355](https://github.com/roots/trellis/pull/1355)) * Update default ssh key paths (include ed25519 keys) ([#1348](https://github.com/roots/trellis/pull/1348)) diff --git a/Vagrantfile b/Vagrantfile index 92e29c3c3b..1e198139f8 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -64,8 +64,6 @@ Vagrant.configure('2') do |config| fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager\n\nOr install landrush for multisite subdomains:\nvagrant plugin install landrush" end - bin_path = File.join(ANSIBLE_PATH_ON_VM, 'bin') - vagrant_mount_type = vconfig.fetch('vagrant_mount_type') extra_options = if vagrant_mount_type == 'smb' @@ -84,7 +82,6 @@ Vagrant.configure('2') do |config| end config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 644), type: vagrant_mount_type, **extra_options - config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: mount_options(vagrant_mount_type, dmode: 755, fmode: 755), type: vagrant_mount_type, **extra_options elsif !Vagrant.has_plugin?('vagrant-bindfs') fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" else 
@@ -95,7 +92,6 @@ Vagrant.configure('2') do |config| config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' - config.bindfs.bind_folder bin_path, bin_path, perms: '0755' end vconfig.fetch('vagrant_synced_folders', []).each do |folder| diff --git a/bin/deploy.sh b/bin/deploy.sh deleted file mode 100755 index 0b346e8e34..0000000000 --- a/bin/deploy.sh +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/bash -shopt -s nullglob - -ENVIRONMENTS=( hosts/* ) -ENVIRONMENTS=( "${ENVIRONMENTS[@]##*/}" ) - -show_usage() { - echo "Usage: deploy [options] - - is the environment to deploy to ("staging", "production", etc) - is the WordPress site to deploy (name defined in "wordpress_sites") -[options] is any number of parameters that will be passed to ansible-playbook - -Available environments: -`( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" )` - -Examples: - deploy staging example.com - deploy production example.com - deploy staging example.com -vv -T 60 -" -} - -[[ $# -lt 2 ]] && { show_usage; exit 127; } - -for arg -do - [[ $arg = -h ]] && { show_usage; exit 0; } -done - -ENV="$1"; shift -SITE="$1"; shift -EXTRA_PARAMS=$@ -DEPLOY_CMD="ansible-playbook deploy.yml -e env=$ENV -e site=$SITE $EXTRA_PARAMS" -HOSTS_FILE="hosts/$ENV" - -if [[ ! -e $HOSTS_FILE ]]; then - echo "Error: $ENV is not a valid environment ($HOSTS_FILE does not exist)." - echo - echo "Available environments:" - ( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" ) - exit 1 -fi - -$DEPLOY_CMD diff --git a/bin/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh deleted file mode 100755 index e60e4d48bb..0000000000 --- a/bin/xdebug-tunnel.sh +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/bash -show_usage() { - echo " -Usage: bin/xdebug-tunnel.sh - - can be 'open' or 'close' - is the hostname, IP, or inventory alias in your \`hosts/\` file. - -Examples: - To open a tunnel: - bin/xdebug-tunnel.sh open 12.34.56.78 - - To close a tunnel: - bin/xdebug-tunnel.sh close 12.34.56.78 -" -} - -ENABLE_TCP_FORWARDING= -if [[ $1 == "open" ]]; then - REMOTE_ENABLE=1 - ENABLE_TCP_FORWARDING="-e sshd_allow_tcp_forwarding=yes" -elif [[ $1 == "close" ]]; then - REMOTE_ENABLE=0 -else - >&2 echo "The provided argument '${1}' is not acceptable." - show_usage - exit 1 -fi - -if [[ -z $2 ]]; then - >&2 echo "The argument is required." - show_usage - exit 1 -fi - -XDEBUG_ENABLE="-e xdebug_remote_enable=${REMOTE_ENABLE}" -SSH_HOST="-e xdebug_tunnel_inventory_host=$2" - -if [[ -n $DEBUG ]]; then - PARAMS="$PARAMS ${VERBOSITY:--vvvv}" -fi - -ansible-playbook xdebug-tunnel.yml $XDEBUG_ENABLE $ENABLE_TCP_FORWARDING $SSH_HOST $PARAMS From 0e6aa1eca20e3bc14e27b6730d56a542c15d4d69 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 28 Jan 2022 17:20:17 -0500 Subject: [PATCH 371/416] Create mysql my.cnf credentials file earlier In some situations the "Set root user password" task might fail because it tries to connect with no root password. Moving the my.cnf credentials file task above it fixes that situation and also just makes more sense in general. --- CHANGELOG.md | 1 + roles/mariadb/tasks/main.yml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 22c84c09a9..c77e5960aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Create mysql my.cnf credentials file earlier ([#1360](https://github.com/roots/trellis/pull/1360)) * Remove bin scripts (trellis-cli should be used instead) ([#1352](https://github.com/roots/trellis/pull/1352)) * Update `wp_cli_version` to `2.6.0` ([#1358](https://github.com/roots/trellis/pull/1358)) * Deploy hook build example: Update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356)) diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 4a533a0ba9..0da81f6f95 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -33,6 +33,14 @@ when: mysql_binary_logging_disabled | bool notify: restart mysql server + - name: Copy .my.cnf file with root password credentials. + template: + src: my.cnf.j2 + dest: ~/.my.cnf + owner: root + group: root + mode: '0600' + - name: Set root user password mysql_user: name: root @@ -47,14 +55,6 @@ - ::1 - localhost - - name: Copy .my.cnf file with root password credentials. - template: - src: my.cnf.j2 - dest: ~/.my.cnf - owner: root - group: root - mode: '0600' - - name: Delete anonymous MySQL server users mysql_user: user: "" From 56582d408054f556e8d634a6308730ec17f75068 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Mon, 31 Jan 2022 18:04:28 -0600 Subject: [PATCH 372/416] Update README.md --- README.md | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index fb94b64b48..ac9977290b 100644 --- a/README.md +++ b/README.md @@ -13,8 +13,8 @@ Release - - Build Status + + Build Status @@ -24,12 +24,10 @@
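Review bot: The relocated `Copy .my.cnf file with root password credentials.` task in `roles/mariadb/tasks/main.yml` renders the credentials through `template`, and nothing on the task keeps the rendered content out of the output when the play runs with `--diff`. Adding `no_log: true` (or `diff: false`) to the task would keep the root password out of terminals and CI logs; whether a play-level setting already covers this cannot be seen from the hunk. The `mode: '0600'` and root ownership on the file are already appropriate.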

Ansible-powered LEMP stack for WordPress -
- Built with ❤️

- Official Website | Documentation | Change Log + Website    Documentation    Releases    Support

## Supporting @@ -40,7 +38,7 @@ However, the amount of effort needed to maintain and develop new features and pr
-[![Sponsor on GitHub](https://img.shields.io/static/v1?label=sponsor&message=%E2%9D%A4&logo=GitHub)](https://github.com/sponsors/roots) +[![Sponsor on GitHub](https://img.shields.io/static/v1?label=sponsor&message=%E2%9D%A4&logo=GitHub&style=flat-square)](https://github.com/sponsors/roots) [![Sponsor on Patreon](https://img.shields.io/badge/sponsor-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) [![Donate via PayPal](https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square&logo=paypal)](https://www.paypal.me/rootsdev) @@ -73,10 +71,6 @@ Trellis will configure a server with the following and more: - Memcached - Fail2ban and ferm -## Documentation - -Full documentation is available at [https://docs.roots.io/trellis/master/installation/](https://docs.roots.io/trellis/master/installation/). - ## Requirements See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements and our [getting started pages](https://docs.roots.io/getting-started) for more OS specific instructions. 
@@ -152,22 +146,18 @@ project trellis-cli compatible by initializing it: $ trellis init ``` -## Contributing - -Contributions are welcome from everyone. We have [contributing guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) to help you get started. - ## Trellis sponsors -Help support our open-source development efforts by [becoming a patron](https://www.patreon.com/rootsdev). +Help support our open-source development efforts by [becoming a GitHub sponsor](https://github.com/sponsors/roots) or [patron](https://www.patreon.com/rootsdev). -Kinsta KM Digital Carrot C21 Redwood Realty WordPress.com Pantheon +KM Digital Carrot C21 Redwood Realty WordPress.com Pantheon ## Community Keep track of development and community news. +- Join us on Roots Slack by becoming a [GitHub sponsor](https://github.com/sponsors/roots) or [patron](https://www.patreon.com/rootsdev) - Participate on the [Roots Discourse](https://discourse.roots.io/) - Follow [@rootswp on Twitter](https://twitter.com/rootswp) - Read and subscribe to the [Roots Blog](https://roots.io/blog/) - Subscribe to the [Roots Newsletter](https://roots.io/subscribe/) -- Listen to the [Roots Radio podcast](https://roots.io/podcast/) From 2225973005119112e0167ac34c9500c3fb0464b0 Mon Sep 17 00:00:00 2001 From: Lucas DEMEA Date: Sat, 12 Feb 2022 20:24:47 +0100 Subject: [PATCH 373/416] allow to copy subfolders between releases --- roles/deploy/tasks/build.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index d5a99316c5..aa0e043e69 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml 
@@ -27,7 +27,11 @@ with_items: "{{ project.project_copy_folders | default(project_copy_folders) }}" - name: Copy project folders - command: cp -rp {{ deploy_helper.current_path }}/{{ item.item }} {{ deploy_helper.new_release_path }} + copy: + src: "{{ deploy_helper.current_path }}/{{ item.item }}/" + dest: "{{ deploy_helper.new_release_path }}/{{ item.item }}" + remote_src: true + mode: 'preserve' with_items: "{{ project_folder_paths.results }}" when: item.stat.exists From 1b900f3d6433c9644513354c1b15260d1b03ff29 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 26 Jan 2022 19:24:08 -0500 Subject: [PATCH 374/416] Add integration test using trellis-cli Uses trellis-cli to create a new Trellis project from the current SHA. The project is provisioned and deployed all using trellis-cli. Finally the site is verified that WordPress was actually installed and working. The steps are a little more complex than someone provisioning a normal remote server for a few reasons: 1. GitHub's Ubuntu image has a lot of software installed by default including mysql-server which needs to be purged completely. 2. there's a few workarounds to force Ansible to use a local connection since we aren't actually SSHing into a remote server. --- .github/workflows/integration.yml | 51 +++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/integration.yml diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml new file mode 100644 index 0000000000..96cd6fc7e4 --- /dev/null +++ b/.github/workflows/integration.yml 
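Review bot: `mode: 'preserve'` on the new `copy` task carries over permission bits only, whereas the removed `cp -rp` also kept timestamps and, where permitted, ownership. Copied folders will therefore be owned by whichever user runs the task. If any entry in `project_copy_folders` holds files written by a different account, that is a behaviour change worth recording, for example with `# copy preserves mode only; owner/group become the deploy user` above the task. The surrounding `with_items`/`when` logic and the preceding stat task continue outside the hunk.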
@@ -0,0 +1,51 @@ +name: Integration + +on: + push: + branches: + - master + workflow_dispatch: + +jobs: + test: + runs-on: ubuntu-latest + steps: + - run: mkdir $HOME/.ssh + - name: Remove and cleanup mysql + run: | + sudo apt-get remove --purge mysql* + sudo apt-get autoremove + sudo apt-get autoclean + sudo rm -rf /etc/apparmor.d/abstractions/mysql /etc/apparmor.d/cache/usr.sbin.mysqld /etc/mysql /var/lib/mysql /var/log/mysql* /var/log/upstart/mysql.log* /var/run/mysqld ~/.mysql_history + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + - uses: actions/setup-python@v2 + with: + python-version: '3.9' + - uses: roots/setup-trellis-cli@v1 + with: + ansible-vault-password: 'fake' + auto-init: false + galaxy-install: false + trellis-directory: '.' + - name: Create new Trellis project + run: trellis new --name example.com --host www.example.com --trellis-version ${{ github.sha }} ./example.com + - name: Update configs + run: | + sudo echo "127.0.0.1 www.example.com example.com" | sudo tee -a /etc/hosts + rm hosts/production && echo -e "[production]\nlocalhost ansible_connection=local\n[web]\nlocalhost ansible_connection=local\n" > hosts/production + sed --in-place '/repo_subtree_path: site/d' group_vars/production/wordpress_sites.yml + working-directory: example.com/trellis + - name: Provision + run: trellis provision --extra-vars web_user=runner production + working-directory: example.com + - name: Deploy + run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production + working-directory: example.com + - name: Install WordPress + run: | + wp core install --url="http://example.com" --title="Example.com" --admin_user="admin" --admin_password="password" --admin_email="admin@example.com" + working-directory: /srv/www/example.com/current + - name: Verify install + run: curl -s http://www.example.com | grep "Example" From c41bb8d92ee5751e8758275586356afa07f82604 Mon Sep 17 00:00:00 2001 
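Review bot: `roots/setup-trellis-cli@v1` is referenced by a movable tag and receives the `ansible-vault-password` input, so whatever that tag points to at run time executes inside the job. Pinning it to a full commit SHA with the tag kept as a trailing comment, `uses: roots/setup-trellis-cli@<full-commit-sha>  # v1` (placeholder; the SHA is not shown on this page), makes the executed code reviewable and stable. The `actions/checkout@v2` and `actions/setup-python@v2` references here and in `ci.yml` could be pinned the same way. The vault password is the literal `'fake'`, so the exposure today is limited to the runner itself.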
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 15 Feb 2022 10:40:22 -0500 Subject: [PATCH 375/416] Ensure correct PHP version is set Background: https://github.com/roots/trellis/issues/1354 https://github.com/roots/trellis/pull/1355 fixed half of this problem, but there's still situations where php-cli ends up defaulting to 8.1. This ensures the correct version of PHP is always set based on `php_version` by using the `update-alternatives` command. --- roles/php/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index e70d1cbf57..eaec4b4f16 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -12,6 +12,11 @@ install_recommends: no with_dict: "{{ php_extensions }}" +- name: Ensure correct PHP version selected + community.general.alternatives: + name: php + path: /usr/bin/php{{ php_version }} + - name: Start php fpm service service: name: "php{{ php_version }}-fpm" From f42e15fa8d82e1a7db7fef199f5579f0d8431307 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 15 Feb 2022 12:15:48 -0500 Subject: [PATCH 376/416] Run integration tests on pull requests --- .github/workflows/integration.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 96cd6fc7e4..ebb53a7062 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -4,6 +4,9 @@ on: push: branches: - master + pull_request: + branches: + - master workflow_dispatch: jobs: From fa1a5a42b0f892224625b5cd640293949921b2a3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 16 Feb 2022 23:43:57 -0500 Subject: [PATCH 377/416] v1.14.0 --- CHANGELOG.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c77e5960aa..39e9e0942b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,8 +1,10 @@ -### HEAD +### 1.14.0: February 16th, 2022 +* Fix #1026 - Preserve nested path for copied folders between deploys ([#1364](https://github.com/roots/trellis/pull/1364)) +* Fix #1354 - Ensure correct PHP version is set ([#1365](https://github.com/roots/trellis/pull/1365)) * Create mysql my.cnf credentials file earlier ([#1360](https://github.com/roots/trellis/pull/1360)) * Remove bin scripts (trellis-cli should be used instead) ([#1352](https://github.com/roots/trellis/pull/1352)) * Update `wp_cli_version` to `2.6.0` ([#1358](https://github.com/roots/trellis/pull/1358)) -* Deploy hook build example: Update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356)) +* Deploy hook build example: update Sage build command ([#1356](https://github.com/roots/trellis/pull/1356)) ### 1.13.0: January 21st, 2022 * Fix #1354 - Prevent apt from installing recommended packages for php ([#1355](https://github.com/roots/trellis/pull/1355)) From f931c899453fdf4acec8dc92217eed1a2fb9b3d1 Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 28 Jan 2022 18:29:03 -0500 Subject: [PATCH 378/416] Remove python2 support Python 2 has been EOL for a while now anad is unsupported. macOS is removing it as well as of 12.3 Trellis was compatible with both Python 2 or 3 but it took some extra work and complexity. This removes all workarounds for python2 and makes python3 a requirement. --- .github/workflows/ci.yml | 2 +- CHANGELOG.md | 3 +++ Vagrantfile | 3 +-- dev.yml | 7 ------- lib/trellis/__init__.py | 3 --- lib/trellis/plugins/callback/output.py | 4 ---- lib/trellis/plugins/callback/vars.py | 3 --- lib/trellis/plugins/filter/filters.py | 4 ---- lib/trellis/plugins/vars/version.py | 4 ---- lib/trellis/utils/__init__.py | 3 --- lib/trellis/utils/output.py | 4 +--- roles/common/defaults/main.yml | 20 +++++--------------- roles/letsencrypt/library/test_challenges.py | 9 ++------- roles/letsencrypt/templates/renew-certs.py | 6 ++---- roles/python_interpreter/tasks/main.yml | 11 ----------- server.yml | 7 ------- vagrant.default.yml | 1 - 17 files changed, 15 insertions(+), 79 deletions(-) delete mode 100644 lib/trellis/__init__.py delete mode 100644 lib/trellis/utils/__init__.py delete mode 100644 roles/python_interpreter/tasks/main.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4133c470c..67ab61288b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: ['2.x', '3.x'] + python-version: ['3.x'] steps: - uses: actions/checkout@v2 - uses: actions/setup-python@v2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 39e9e0942b..d18d304b1b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,6 @@ +### HEAD +* Remove Python 2 support ([#1361](https://github.com/roots/trellis/pull/1361)) + ### 1.14.0: February 16th, 2022 * Fix #1026 - Preserve nested path for copied folders between deploys ([#1364](https://github.com/roots/trellis/pull/1364)) * Fix #1354 - Ensure correct PHP version is set ([#1365](https://github.com/roots/trellis/pull/1365)) diff --git a/Vagrantfile b/Vagrantfile index 1e198139f8..1fb5a27031 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -115,9 +115,8 @@ Vagrant.configure('2') do |config| config.vm.provision provisioner do |ansible| if local_provisioning? - ansible.extra_vars = { ansible_python_interpreter: vconfig.fetch('vagrant_ansible_python_interpreter') } ansible.install_mode = 'pip' - ansible.pip_install_cmd = 'sudo apt-get install -y -qq python3-distutils && curl https://bootstrap.pypa.io/get-pip.py | sudo python3' + ansible.pip_install_cmd = 'sudo apt-get install -y -qq python3-pip' ansible.provisioning_path = provisioning_path ansible.version = vconfig.fetch('vagrant_ansible_version') end diff --git a/dev.yml b/dev.yml index 4b86ffc748..2ef8d4eaac 100644 --- a/dev.yml +++ b/dev.yml @@ -1,11 +1,4 @@ --- -- name: Set ansible_python_interpreter - hosts: web:&development - gather_facts: false - become: yes - roles: - - { role: python_interpreter, tags: [always] } - - name: "WordPress Server: Install LEMP Stack with PHP and MariaDB MySQL" hosts: web:&development become: yes diff --git a/lib/trellis/__init__.py b/lib/trellis/__init__.py deleted file mode 100644 index 980f84a225..0000000000 --- a/lib/trellis/__init__.py +++ /dev/null @@ -1,3 +0,0 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index cf8fe73d11..61935552a0 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py 
@@ -1,7 +1,3 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - import os.path import sys diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index f42bebf2c8..2ffbbf9854 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -1,6 +1,3 @@ -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - import re import sys import os diff --git a/lib/trellis/plugins/filter/filters.py b/lib/trellis/plugins/filter/filters.py index 6c8eed5eb7..8b4f624232 100644 --- a/lib/trellis/plugins/filter/filters.py +++ b/lib/trellis/plugins/filter/filters.py @@ -1,7 +1,3 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function, unicode_literals) -__metaclass__ = type - import types from ansible import errors diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 951cf30d2a..32acf93327 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -1,7 +1,3 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - from ansible import __version__ from ansible.errors import AnsibleError from distutils.version import LooseVersion diff --git a/lib/trellis/utils/__init__.py b/lib/trellis/utils/__init__.py deleted file mode 100644 index 980f84a225..0000000000 --- a/lib/trellis/utils/__init__.py +++ /dev/null @@ -1,3 +0,0 @@ -# Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 33dbc4b55a..4ae252df67 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py 
@@ -1,5 +1,4 @@ # Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) __metaclass__ = type import os.path @@ -9,7 +8,6 @@ from ansible import __version__ from ansible.module_utils._text import to_text -from ansible.module_utils.six import string_types def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry @@ -91,7 +89,7 @@ def display(obj, result): # Must pass unicode strings to Display.display() to prevent UnicodeError tracebacks if isinstance(msg, list): msg = '\n'.join([to_text(x) for x in msg]) - elif not isinstance(msg, string_types): + elif not isinstance(msg, str): msg = to_text(msg) # Wrap text diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 40bfd96589..2ba0cb8252 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -20,7 +20,7 @@ site_keys_by_env_pair: "[ {% endfor %} ]" -_apt_packages_default: +apt_packages_default: build-essential: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" 
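Review bot: The first hunk of `lib/trellis/utils/output.py` drops the `from __future__` import but keeps the `# Make coding more python3-ish` comment and `__metaclass__ = type` directly under it, so the header now describes a compatibility shim that no longer exists. A module-level `__metaclass__` is ignored by Python 3, and the other plugin files touched by this commit remove all three lines together. I would delete the two leftover lines here as well so the file matches them.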
@@ -29,22 +29,12 @@ _apt_packages_default: imagemagick: "{{ apt_package_state }}" libgs-dev: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" - python: "{{ apt_package_state }}" + python3: "{{ apt_package_state }}" + python3-software-properties: "{{ apt_package_state }}" + python3-mysqldb: "{{ apt_package_state }}" + python3-pycurl: "{{ apt_package_state }}" unzip: "{{ apt_package_state }}" -apt_packages_python: - '2': - python-software-properties: "{{ apt_package_state }}" - python-mysqldb: "{{ apt_package_state }}" - python-pycurl: "{{ apt_package_state }}" - '3': - python3-software-properties: "{{ apt_package_state }}" - python3-mysqldb: "{{ apt_package_state }}" - python3-pycurl: "{{ apt_package_state }}" - -python_major_version: "{{ ansible_python_version[0] }}" -apt_packages_default: "{{ _apt_packages_default | combine(apt_packages_python[python_major_version]) }}" - apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" diff --git a/roles/letsencrypt/library/test_challenges.py b/roles/letsencrypt/library/test_challenges.py index d7f4a8cc2c..8d5899e745 100644 --- a/roles/letsencrypt/library/test_challenges.py +++ b/roles/letsencrypt/library/test_challenges.py @@ -1,13 +1,8 @@ -#!/usr/bin/python +#!/usr/bin/python3 # -*- coding: utf-8 -*- import socket - -try: - from httplib import HTTPConnection, HTTPException -except ImportError: - # Python 3 - from http.client import HTTPConnection, HTTPException +from http.client import HTTPConnection, HTTPException DOCUMENTATION = ''' --- diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 72106e3611..b13ed8efa6 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -1,6 +1,4 @@ -#!/usr/bin/env python - -from __future__ import print_function +#!/usr/bin/env python3 import os import sys 
@@ -29,7 +27,7 @@ 'Not creating a new certificate.'.format(bundled_hashed_cert_path)) else: - cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + cmd = ('/usr/bin/env python3 {{ acme_tiny_software_directory }}/acme_tiny.py ' '--quiet ' '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' diff --git a/roles/python_interpreter/tasks/main.yml b/roles/python_interpreter/tasks/main.yml deleted file mode 100644 index 3fa493d310..0000000000 --- a/roles/python_interpreter/tasks/main.yml +++ /dev/null @@ -1,11 +0,0 @@ -- block: - - name: Get Ubuntu version - raw: lsb_release -rs - register: ubuntu_version - changed_when: false - - name: Set ansible_python_interpreter for Ubuntu >= 18.04 - set_fact: - ansible_python_interpreter: python3 - when: ubuntu_version.stdout | trim is version('18.04', '>=') - when: ansible_python_interpreter is not defined - tags: always diff --git a/server.yml b/server.yml index cdc43e206a..be9a456eb4 100644 --- a/server.yml +++ b/server.yml @@ -9,13 +9,6 @@ roles: - { role: connection, tags: [connection, always] } -- name: Set ansible_python_interpreter - hosts: web:&{{ env }} - gather_facts: false - become: yes - roles: - - { role: python_interpreter, tags: [always] } - - name: WordPress Server - Install LEMP Stack with PHP and MariaDB MySQL hosts: web:&{{ env }} become: yes diff --git a/vagrant.default.yml b/vagrant.default.yml index 581f36a61c..b02ed2384f 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -5,7 +5,6 @@ vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 202012.23.0' vagrant_ansible_version: '2.10.7' -vagrant_ansible_python_interpreter: '/usr/bin/python3' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From f409fe3895a4d7d1e7368fa57aed37a389a05bee Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 20 Feb 2022 16:25:23 -0500 Subject: [PATCH 379/416] Require python3 in code --- lib/trellis/plugins/vars/version.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 32acf93327..81d206d810 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -2,7 +2,7 @@ from ansible.errors import AnsibleError from distutils.version import LooseVersion from operator import eq, ge, gt -from sys import version_info +from platform import python_version, python_version_tuple try: from __main__ import display @@ -13,6 +13,11 @@ version_requirement = '2.10.0' version_tested_max = '2.10.16' +if python_version_tuple()[0] == '2': + raise AnsibleError(('Trellis no longer supports Python 2 (you are using version {}).' + ' Python 2 reached end of life in 2020 and is unmaintained.\n' + 'Python 3 is required as of Trellis version v1.15.0.').format(python_version())) + if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 'Please upgrade to Ansible {} or higher.').format(__version__, version_requirement)) From 7b7061ee607c99d2d700c119921d717d9a495f04 Mon Sep 17 00:00:00 2001 
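Review bot: With Python 3 now enforced by the added check, the `from distutils.version import LooseVersion` import kept at the top of `version.py` is the next thing to break. `distutils` is deprecated since Python 3.10 and removed in 3.12 (PEP 632), and an ImportError there would abort plugin loading with a traceback instead of one of the `AnsibleError` messages this file is meant to produce. Consider guarding the import, e.g. try `from ansible.module_utils.compat.version import LooseVersion` first (on Ansible releases that ship it) and fall back to `distutils`. The module continues outside both hunks, so how `LooseVersion` is used further down is not visible here.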
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Tue, 15 Feb 2022 12:50:06 -0500 Subject: [PATCH 380/416] Add HTTPS site to integration tests --- .github/actions/setup-step-ca/action.yml | 42 ++++++++++++++++++++++++ .github/files/inventory | 4 +++ .github/files/step-ca.service | 15 +++++++++ .github/files/vault.yml | 36 ++++++++++++++++++++ .github/files/wordpress_sites.yml | 34 +++++++++++++++++++ .github/workflows/integration.yml | 25 ++++++++++---- 6 files changed, 149 insertions(+), 7 deletions(-) create mode 100644 .github/actions/setup-step-ca/action.yml create mode 100644 .github/files/inventory create mode 100644 .github/files/step-ca.service create mode 100644 .github/files/vault.yml create mode 100644 .github/files/wordpress_sites.yml diff --git a/.github/actions/setup-step-ca/action.yml b/.github/actions/setup-step-ca/action.yml new file mode 100644 index 0000000000..1f95236d7f --- /dev/null +++ b/.github/actions/setup-step-ca/action.yml 
@@ -0,0 +1,42 @@
+name: Setup Step CA ACME server
+description: Installs and runs an ACME compatible server via step-ca
+inputs:
+ path:
+ description: 'step-ca path'
+ required: false
+ default: /root/.step
+runs:
+ using: composite
+ steps:
+ - name: Set STEP_CA_PATH env
+ run: echo STEP_CA_PATH=${{ inputs.path }} >> $GITHUB_ENV
+ shell: bash
+ - name: Download packages
+ run: |
+ wget -q https://dl.step.sm/gh-release/cli/docs-ca-install/v0.18.1/step-cli_0.18.1_amd64.deb
+ wget -q https://dl.step.sm/gh-release/certificates/docs-ca-install/v0.18.1/step-ca_0.18.1_amd64.deb
+ shell: bash
+ - name: Install packages
+ run: |
+ sudo dpkg -i step-cli_0.18.1_amd64.deb
+ sudo dpkg -i step-ca_0.18.1_amd64.deb
+ shell: bash
+ - name: Create password file
+ run: |
+ sudo mkdir $STEP_CA_PATH && sudo touch $STEP_CA_PATH/password.txt
+ echo $(openssl rand -hex 12) | sudo tee $STEP_CA_PATH/password.txt
+ shell: bash
+ - name: Initialize
+ run: |
+ sudo step ca init --name trellis-local-ca --dns 127.0.0.1 --address :8443 --provisioner admin --password-file $STEP_CA_PATH/password.txt --provisioner-password-file $STEP_CA_PATH/password.txt
+ sudo step ca provisioner add acme --type ACME
+ shell: bash
+ - name: Install certificate to system
+ run: |
+ sudo step certificate install $STEP_CA_PATH/certs/root_ca.crt
+ shell: bash
+ - name: Run service
+ run: |
+ sudo cp .github/files/step-ca.service /etc/systemd/system/step-ca.service
+ sudo systemctl start step-ca
+ shell: bash
diff --git a/.github/files/inventory b/.github/files/inventory
new file mode 100644
index 0000000000..87d5779a91
--- /dev/null
+++ b/.github/files/inventory
@@ -0,0 +1,4 @@
+[production]
+localhost ansible_connection=local
+[web]
+localhost ansible_connection=local
diff --git a/.github/files/step-ca.service b/.github/files/step-ca.service
new file mode 100644
index 0000000000..e62cc2bc5d
--- /dev/null
+++ b/.github/files/step-ca.service
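Review bot: The `Download packages` and `Install packages` steps fetch two `.deb` files with `wget` and hand them straight to `sudo dpkg -i` with no integrity check in between, so whatever the download host serves is installed as root on the runner. Pin each package to a known digest before installing, e.g. `echo "<sha256-of-step-cli-deb>  step-cli_0.18.1_amd64.deb" | sha256sum -c -` (placeholder digest; take the real value from the upstream release). Separately, `run: echo STEP_CA_PATH=${{ inputs.path }} >> $GITHUB_ENV` expands the input into the script text before the shell sees it; passing it through `env:` and writing `echo "STEP_CA_PATH=$STEP_PATH_INPUT" >> "$GITHUB_ENV"` keeps a caller-supplied value from being parsed as shell. The `sudo tee` in `Create password file` also echoes the generated CA password into the job log, which `> /dev/null` at the end of that line avoids.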
@@ -0,0 +1,15 @@
+[Unit]
+Description=step-ca service
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=1
+Environment=STEPPATH=/root/.step
+WorkingDirectory=/root/.step
+ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
+
+[Install]
+WantedBy=multi-user.target
diff --git a/.github/files/vault.yml b/.github/files/vault.yml
new file mode 100644
index 0000000000..0dd232f46a
--- /dev/null
+++ b/.github/files/vault.yml
@@ -0,0 +1,36 @@
+# Documentation: https://roots.io/trellis/docs/vault/
+vault_mysql_root_password: productionpw
+
+# Documentation: https://roots.io/trellis/docs/security/
+vault_users:
+ - name: "{{ admin_user }}"
+ password: example_password
+ salt: "generateme"
+
+# Variables to accompany `group_vars/production/wordpress_sites.yml`
+# Note: the site name (`example.com`) must match up with the site name in the above file.
+vault_wordpress_sites:
+ example.com:
+ env:
+ db_password: example_dbpassword
+ # Generate your keys here: https://roots.io/salts.html
+ auth_key: "generateme"
+ secure_auth_key: "generateme"
+ logged_in_key: "generateme"
+ nonce_key: "generateme"
+ auth_salt: "generateme"
+ secure_auth_salt: "generateme"
+ logged_in_salt: "generateme"
+ nonce_salt: "generateme"
+ example-https.com:
+ env:
+ db_password: example_dbpassword
+ # Generate your keys here: https://roots.io/salts.html
+ auth_key: "generateme"
+ secure_auth_key: "generateme"
+ logged_in_key: "generateme"
+ nonce_key: "generateme"
+ auth_salt: "generateme"
+ secure_auth_salt: "generateme"
+ logged_in_salt: "generateme"
+ nonce_salt: "generateme"
diff --git a/.github/files/wordpress_sites.yml b/.github/files/wordpress_sites.yml
new file mode 100644
index 0000000000..8fa390b191
--- /dev/null
+++ b/.github/files/wordpress_sites.yml
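Review bot: Nothing in `.github/files/vault.yml` says that it is a CI-only fixture, and its first line links to the vault documentation as if it were a real vault file, yet it is plaintext and carries fixed values such as `productionpw` and `"generateme"`. I would add a leading comment along the lines of `# CI fixture only: unencrypted dummy values for the integration workflow; never copy into a real group_vars tree`. That keeps secret-scanner findings on this path easy to triage and discourages using the file as a template for a real environment.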
@@ -0,0 +1,34 @@ +letsencrypt_contact_emails: + - admin@example.com + +wordpress_sites: + example.com: + site_hosts: + - canonical: example.com + redirects: + - www.example.com + local_path: ../site + repo: git@github.com:roots/bedrock.git + branch: master + multisite: + enabled: false + ssl: + enabled: false + provider: letsencrypt + cache: + enabled: true + example-https.com: + site_hosts: + - canonical: example-https.com + redirects: + - www.example-https.com + local_path: ../site + repo: git@github.com:roots/bedrock.git + branch: master + multisite: + enabled: false + ssl: + enabled: true + provider: letsencrypt + cache: + enabled: false diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index ebb53a7062..0cc9c0f380 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -26,6 +26,7 @@ jobs: - uses: actions/setup-python@v2 with: python-version: '3.9' + - uses: ./.github/actions/setup-step-ca - uses: roots/setup-trellis-cli@v1 with: ansible-vault-password: 'fake' 
@@ -36,19 +37,29 @@ jobs: run: trellis new --name example.com --host www.example.com --trellis-version ${{ github.sha }} ./example.com - name: Update configs run: | - sudo echo "127.0.0.1 www.example.com example.com" | sudo tee -a /etc/hosts - rm hosts/production && echo -e "[production]\nlocalhost ansible_connection=local\n[web]\nlocalhost ansible_connection=local\n" > hosts/production - sed --in-place '/repo_subtree_path: site/d' group_vars/production/wordpress_sites.yml + sudo echo "127.0.0.1 www.example.com example.com www.example-https.com example-https.com" | sudo tee -a /etc/hosts + cp ../../.github/files/inventory hosts/production + cp ../../.github/files/wordpress_sites.yml group_vars/production/wordpress_sites.yml + cp ../../.github/files/vault.yml group_vars/production/vault.yml working-directory: example.com/trellis - name: Provision - run: trellis provision --extra-vars web_user=runner production + run: trellis provision --extra-vars "web_user=runner letsencrypt_ca=https://127.0.0.1:8443/acme/acme" production working-directory: example.com - - name: Deploy - run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production + - name: Deploy non-https site + run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production example.com working-directory: example.com - name: Install WordPress run: | wp core install --url="http://example.com" --title="Example.com" --admin_user="admin" --admin_password="password" --admin_email="admin@example.com" working-directory: /srv/www/example.com/current - name: Verify install - run: curl -s http://www.example.com | grep "<title>Example" + run: curl -s http://example.com | grep "<title>Example" + - name: Deploy https site + run: trellis deploy --extra-vars "web_user=runner project_git_repo=https://github.com/roots/bedrock.git" production example-https.com + working-directory: example.com + - name: Install WordPress + 
run: | + wp core install --url="http://example-https.com" --title="Example HTTPS" --admin_user="admin" --admin_password="password" --admin_email="admin@example.com" + working-directory: /srv/www/example-https.com/current + - name: Verify install + run: curl -s https://example-https.com | grep "<title>Example HTTPS" From 40b949a910373398e3fda06105287e0edf24051a Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Sat, 26 Feb 2022 23:33:40 -0600 Subject: [PATCH 381/416] =?UTF-8?q?=F0=9F=93=9D=20remove=20getting=20start?= =?UTF-8?q?ed=20ref?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac9977290b..a350e8e28d 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ Trellis will configure a server with the following and more: ## Requirements -See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements and our [getting started pages](https://docs.roots.io/getting-started) for more OS specific instructions. +See the full [installation](https://docs.roots.io/trellis/master/installation/#installation) docs for requirements. ## Installation From 87492641ca642ee7a27fbcd0dce4cae20d4879ce Mon Sep 17 00:00:00 2001 From: Christopher Murtagh <christopher@pressbooks.com> Date: Tue, 8 Mar 2022 02:09:37 -0500 Subject: [PATCH 382/416] Updating Vagrantfile to allow for vagrant 2.2.19, changing example.com to pressbooks.test --- Vagrantfile | 2 +- group_vars/production/wordpress_sites.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 1fb5a27031..d454e2ff3a 100644 --- a/Vagrantfile +++ b/Vagrantfile 
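Review bot: In the second `Install WordPress` step, the site that the fixture provisions with `ssl: enabled: true` is installed with `--url="http://example-https.com"`, while the check that follows fetches `https://example-https.com`. If the plain-HTTP URL is not deliberate, `--url="https://example-https.com"` would make the test use one scheme end to end. The two new steps also reuse the names `Install WordPress` and `Verify install`, so a failure in the log does not say which site it belongs to; a suffix such as `Verify install (https)` would help. Adding `--fail` to both `curl -s` calls would make an HTTP error status fail the step on its own rather than relying on `grep` not matching the error page.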
@@ -16,7 +16,7 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -Vagrant.require_version '>= 2.1.0', '< 2.2.19' +Vagrant.require_version '>= 2.1.0', '<= 2.2.19' Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml index 62e95f430c..e22a685929 100644 --- a/group_vars/production/wordpress_sites.yml +++ b/group_vars/production/wordpress_sites.yml @@ -3,13 +3,13 @@ # Define accompanying passwords/secrets in group_vars/production/vault.yml wordpress_sites: - example.com: + pressbooks.test: site_hosts: - - canonical: example.com + - canonical: pressbooks.test redirects: - - www.example.com + - www.pressbooks.test local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root) - repo: git@github.com:example/example.com.git # replace with your Git repo URL + repo: git@github.com:example/pressbooks.test.git # replace with your Git repo URL repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo branch: master multisite: @@ -21,6 +21,6 @@ wordpress_sites: cache: enabled: false env: - domain_current_site: example.com - wp_home: https://example.com - wp_siteurl: https://example.com/wp + domain_current_site: pressbooks.test + wp_home: https://pressbooks.test + wp_siteurl: https://pressbooks.test/wp From 4e3720724f441049c5865bb233bbd87417355ec9 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sat, 12 Mar 2022 21:59:23 -0800 Subject: [PATCH 383/416] Support Ansible >= 2.10 This removes the upper version constraint and supports Ansible versions up to 5.4.0 (ansible-core 2.12) --- lib/trellis/plugins/vars/version.py | 2 +- requirements.txt | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) 
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 81d206d810..e05b94e800 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -11,7 +11,7 @@ display = Display() version_requirement = '2.10.0' -version_tested_max = '2.10.16' +version_tested_max = '5.4.0' if python_version_tuple()[0] == '2': raise AnsibleError(('Trellis no longer supports Python 2 (you are using version {}).' diff --git a/requirements.txt b/requirements.txt index d794f8d619..5955db3396 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,2 @@ -ansible>=2.10.0,<3.0 -ansible-base>=2.10,<=2.10.16 +ansible>=2.10.0 passlib From b24115ce81faacb14f99c9b5485dfbf19c6a2e56 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Sun, 13 Mar 2022 18:43:55 -0700 Subject: [PATCH 384/416] Add Discourse release topic workflow --- .github/workflows/discourse.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/discourse.yml diff --git a/.github/workflows/discourse.yml b/.github/workflows/discourse.yml new file mode 100644 index 0000000000..c98763d53a --- /dev/null +++ b/.github/workflows/discourse.yml @@ -0,0 +1,19 @@ +name: Post release topic on Discourse + +on: + release: + types: [published] + +jobs: + post: + runs-on: ubuntu-latest + steps: + - uses: roots/discourse-topic-github-release-action@main + with: + discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }} + discourse-base-url: ${{ secrets.DISCOURSE_BASE_URL }} + discourse-author-username: swalkinshaw + discourse-category: 12 + discourse-tags: + trellis + releases From 9631aa53765b7503e8572244cad4ae1f8f85e80a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 17 Mar 2022 00:06:22 -0400 Subject: [PATCH 385/416] Add ansible version to integration tests --- .github/workflows/integration.yml | 2 ++ 1 file changed, 2 insertions(+) 
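Review bot: `version_tested_max = '5.4.0'` is a version of the `ansible` community package, but the `__version__` this file imports from `ansible` is, as far as I know, the ansible-core version (the commit message itself pairs 5.4.0 with ansible-core 2.12). If the maximum is compared against `__version__` in the part of the file outside this hunk, that comparison can no longer trip, so the constant should probably be the core release that was tested, `version_tested_max = '<tested ansible-core version>'`. The `requirements.txt` hunk has the related gap: `ansible>=2.10.0` has no upper bound, so a fresh install picks up any future major release untested. An explicit cap (for example `ansible>=2.10.0,<6`, constructed here from the stated 5.4.0) would keep installs inside the range the commit claims to support.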
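Review bot: `uses: roots/discourse-topic-github-release-action@main` tracks a mutable branch in a job that receives `secrets.DISCOURSE_RELEASES_API_KEY`, so any later push to that branch runs with the key without a review in this repository. Pin the action to a full commit SHA, `uses: roots/discourse-topic-github-release-action@<full-commit-sha>`, and add a top-level `permissions: {}`, since the job does not appear to need the repository token. Also check `discourse-tags:`: the two indented lines form a plain multi-line scalar, which YAML folds into the single string `trellis releases`; if the action expects one tag per line, the value needs a `|` block scalar.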
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 0cc9c0f380..9741423727 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -42,6 +42,8 @@ jobs: cp ../../.github/files/wordpress_sites.yml group_vars/production/wordpress_sites.yml cp ../../.github/files/vault.yml group_vars/production/vault.yml working-directory: example.com/trellis + - run: trellis exec ansible-playbook --version + working-directory: example.com/trellis - name: Provision run: trellis provision --extra-vars "web_user=runner letsencrypt_ca=https://127.0.0.1:8443/acme/acme" production working-directory: example.com From a0c313f63efeaad3629e650f43cca54058098940 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Thu, 17 Mar 2022 00:19:56 -0400 Subject: [PATCH 386/416] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d18d304b1b..8ce3cda53d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Support Ansible >= 2.10 (tested up to 5.4.0) ([#1373](https://github.com/roots/trellis/pull/1373)) * Remove Python 2 support ([#1361](https://github.com/roots/trellis/pull/1361)) ### 1.14.0: February 16th, 2022 From b2905e0d587fcdab936885f62833545d3601659e Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Fri, 18 Mar 2022 00:06:52 -0500 Subject: [PATCH 387/416] =?UTF-8?q?=F0=9F=93=84=20update=20name?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- LICENSE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE.md b/LICENSE.md index ee859d0f58..1b5cd27da6 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,4 +1,4 @@ -Copyright (c) Roots +Copyright (c) Roots Software Foundation LLC Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in 
From 6db53e76b602663edfc5efc87a8a0dacde1ba395 Mon Sep 17 00:00:00 2001 From: Paul Brzeski <mail@paulbrzeski.com> Date: Tue, 22 Mar 2022 06:38:58 +0000 Subject: [PATCH 388/416] Updating ntp role to latest (2.3.1) --- galaxy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index 5004ac69b6..3a526930eb 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 2.2.0 + version: 2.3.1 - name: logrotate src: nickhammond.logrotate From fa082f263b6f398258547df370624809d32c9af9 Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Mon, 28 Mar 2022 08:40:35 -0500 Subject: [PATCH 389/416] =?UTF-8?q?=E2=9C=A8=20add=20`build-after`=20place?= =?UTF-8?q?holder=20(#1377)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- deploy-hooks/build-after.yml | 11 +++++++++++ deploy-hooks/build-before.yml | 4 ++-- roles/deploy/defaults/main.yml | 1 + 3 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 deploy-hooks/build-after.yml diff --git a/deploy-hooks/build-after.yml b/deploy-hooks/build-after.yml new file mode 100644 index 0000000000..9cce3a2ac3 --- /dev/null +++ b/deploy-hooks/build-after.yml @@ -0,0 +1,11 @@ +# Placeholder `deploy_build_after` hook +# +# ⚠️ This example assumes your theme is using Sage 10 +# +# Uncomment the lines below if you are using Sage 10 +# +# --- +# - name: Run Acorn optimize +# command: wp acorn optimize +# args: +# chdir: "{{ deploy_helper.new_release_path }}" diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 87951f4735..78003bd92c 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml 
@@ -2,9 +2,9 @@ # host machine and then copying the files to the remote server # # ⚠️ This example assumes your theme is using Sage 10 -# An example for themes built with Sage 8 can be found at: https://git.io/vdgUt # -# Uncomment the lines below and replace `sage` with your theme folder +# Uncomment the lines below if you are using Sage 10 +# and replace `sage` with your theme folder # # --- # - name: Install npm dependencies diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 597fa036b2..50b91e6b8b 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -67,6 +67,7 @@ deploy_build_before: deploy_build_after: - "{{ playbook_dir }}/roles/deploy/hooks/build-after.yml" + - "{{ playbook_dir }}/deploy-hooks/build-after.yml" # - "{{ playbook_dir }}/deploy-hooks/sites/{{ site }}-build-after.yml" deploy_finalize_before: From 5d1529ef8f8bbc5c7c71327203d5e12bdb3819e7 Mon Sep 17 00:00:00 2001 From: SteelWagstaff <steel@pressbooks.com> Date: Tue, 5 Apr 2022 08:11:10 -0700 Subject: [PATCH 390/416] Replace git with https --- roles/bash-for-pressbooks-dev/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/bash-for-pressbooks-dev/tasks/main.yml b/roles/bash-for-pressbooks-dev/tasks/main.yml index 54a6db7a82..952264d759 100644 --- a/roles/bash-for-pressbooks-dev/tasks/main.yml +++ b/roles/bash-for-pressbooks-dev/tasks/main.yml @@ -9,7 +9,7 @@ - name: Checkout git aware prompt become_user: vagrant git: - repo: git://github.com/jimeh/git-aware-prompt.git + repo: https://github.com/jimeh/git-aware-prompt.git dest: ~/.bash/git-aware-prompt - name: Create .bash_aliases file with_dict: "{{ wordpress_sites }}" From 1abd6575aeddfe75f9997e0040d5d643086a23cf Mon Sep 17 00:00:00 2001 
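Review bot: The `Checkout git aware prompt` task has no `version:` in the lines shown, so every provision clones whatever is at the head of the default branch of `jimeh/git-aware-prompt` into `~/.bash/git-aware-prompt`, a path that, judging by its name, ends up sourced by the `vagrant` user's shell. Moving from `git://` to `https://` fixes the transport; pinning the content as well, with `version: <commit-sha>` under `git:`, would make the checkout reproducible and reviewable. The task list continues outside the hunk.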
From: Hemang Ajmera <hemang.ajmera@teliacompany.com> Date: Thu, 14 Apr 2022 18:47:16 +0530 Subject: [PATCH 391/416] replacing hardcoded values with parameter --- roles/deploy/defaults/main.yml | 4 +++- roles/wordpress-install/tasks/directories.yml | 2 +- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 50b91e6b8b..329075b9de 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -32,7 +32,7 @@ project_templates: # mode: '0755' // <- optional, use an octal number starting with 0 or quote it, defaults to `'0755'` if `directory` or `'0644'` if `file` # type: directory // <- optional, defaults to `directory`, options: `directory` or `file` project_shared_children: - - path: web/app/uploads + - path: "{{ project_public_path }}/{{ project_upload_path }}" src: uploads # The project_environment is a list of environment variables that can be used in hooks @@ -58,6 +58,8 @@ composer_classmap_authoritative: true project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" +project_public_path: "{{ project.public_path | default('web') }}" +project_upload_path: "{{ project.upload_path | default('app/uploads') }}" # Deploy hooks diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 0a6956fad7..591255688b 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml 
@@ -1,7 +1,7 @@ --- - name: Create web root of sites file: - path: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web" + path: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/{{ item.value.public_path | default('web') }}" owner: "{{ web_user }}" group: "{{ web_group }}" mode: '0755' diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 414328fcc4..2096c6d45b 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -15,7 +15,7 @@ server { {% endblock %} {% block server_basic -%} - root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web; + root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/{{ item.value.public_path | default('web') }}; index index.php index.htm index.html; add_header Fastcgi-Cache $upstream_cache_status; From 73b50739f613261ae123248e2d2fb371a25f36b8 Mon Sep 17 00:00:00 2001 
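Review bot: The fallback `item.value.public_path | default('web')` is written out in `roles/wordpress-install/tasks/directories.yml` and again in `wordpress-site.conf.j2`, while the deploy role defines its own `project_public_path` with the same default, so the directory name now has three independent defaults that must stay equal. A single shared default variable would remove that drift risk. The new per-site keys `public_path` and `upload_path` are also not described in any comment in the hunks shown; because the value lands in the nginx `root` directive and in a `file:` path, I would document the expected form next to `project_public_path`, e.g. `# public_path: web root inside the release; relative, no leading slash or '..'`.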
From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Fri, 18 Mar 2022 21:02:29 -0400 Subject: [PATCH 392/416] Add built-in fail2ban filters Trellis supported default fail2ban services previously but they were restricted to filters built into fail2ban itself (like `sshd`). This adds filters defined by Trellis as well now by automatically creating the filter configuration files from templates. Importantly, these filters will be _disabled_ by default. Any time a new filter is added, it will also be added to `fail2ban_services_custom` with enabled set to `false.` This achieves a few goals: 1. makes it very easy to enable the built-in filters, which 2. brings more awareness to them by adding them to `group_vars/all/security.yml` 3. hopefully encourages more fail2ban filters to be created and used Currently there's only one built-in filter for banning requests to WordPress' `xmlrpc.php` endpoint which is a common DDoS attack vector. --- CHANGELOG.md | 1 + group_vars/all/security.yml | 17 ++++++++++++++++- roles/fail2ban/defaults/main.yml | 1 - roles/fail2ban/tasks/main.yml | 3 ++- .../filters/wordpress-wp-login.conf.j2 | 2 ++ .../templates/filters/wordpress-xmlrpc.conf.j2 | 2 ++ 6 files changed, 23 insertions(+), 3 deletions(-) create mode 100644 roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2 create mode 100644 roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ce3cda53d..dbb85e0e16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add built-in fail2ban filters ([#1375](https://github.com/roots/trellis/pull/1375)) * Support Ansible >= 2.10 (tested up to 5.4.0) ([#1373](https://github.com/roots/trellis/pull/1373)) * Remove Python 2 support ([#1361](https://github.com/roots/trellis/pull/1361)) diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml index 0aa2b604ba..bac2bbb098 100644 --- a/group_vars/all/security.yml +++ b/group_vars/all/security.yml 
@@ -1,3 +1,5 @@ +# Documentation: https://roots.io/trellis/docs/security/ + ferm_input_list: - type: dport_accept dport: [http, https] @@ -10,7 +12,20 @@ ferm_input_list: seconds: 300 hits: 20 -# Documentation: https://roots.io/trellis/docs/security/ + +# Enable built-in fail2ban services or add your own custom ones +fail2ban_services_custom: + - name: wordpress_xmlrpc + filter: wordpress-xmlrpc + enabled: "false" + port: http,https + logpath: "{{ www_root }}/**/logs/access.log" + - name: wordpress_wp_login + filter: wordpress-wp-login + enabled: "false" + port: http,https + logpath: "{{ www_root }}/**/logs/access.log" + # If sshd_permit_root_login: false, admin_user must be in 'users' (`group_vars/all/users.yml`) with sudo group # and in 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`) sshd_permit_root_login: true diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index b1aa62d1a1..598172cfbd 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml @@ -29,4 +29,3 @@ fail2ban_services_custom: [] fail2ban_services: "{{ fail2ban_services_default + fail2ban_services_custom }}" fail2ban_filter_templates_path: fail2ban_filters -fail2ban_filter_templates_pattern: "^({{ fail2ban_filter_templates_path | regex_escape }})/(.*)\\.j2$" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 45580f1a3f..2a900a2a87 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -21,6 +21,7 @@ - name: build list of fail2ban filter templates find: paths: + - "{{ playbook_dir }}/roles/fail2ban/templates/filters" - "{{ fail2ban_filter_templates_path }}" pattern: "*.conf.j2" become: no 
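Review bot: The added search path `{{ playbook_dir }}/roles/fail2ban/templates/filters` in the `find` task of `roles/fail2ban/tasks/main.yml` hard-codes where the role lives. `- "{{ role_path }}/templates/filters"` would keep working when the role is resolved from another `roles_path` entry. If that directory is not found, the built-in filter files are likely never written. A jail enabled through `fail2ban_services_custom` would then name a filter that does not exist on the host (inferred; the jail template is outside this hunk). The task continues past the end of the hunk.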
@@ -36,7 +37,7 @@ - name: template fail2ban filters template: src: "{{ item }}" - dest: "/etc/fail2ban/filter.d/{{ item | regex_replace(fail2ban_filter_templates_pattern, '\\2') }}" + dest: "/etc/fail2ban/filter.d/{{ item | basename | regex_replace('.j2$', '') }}" mode: '0644' with_items: "{{ fail2ban_filter_templates.files | map(attribute='path') | list | sort(True) }}" notify: restart fail2ban diff --git a/roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2 b/roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2 new file mode 100644 index 0000000000..d0f9271098 --- /dev/null +++ b/roles/fail2ban/templates/filters/wordpress-wp-login.conf.j2 @@ -0,0 +1,2 @@ +[Definition] +failregex = ^<HOST> .* "POST .*wp-login\.php diff --git a/roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2 b/roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2 new file mode 100644 index 0000000000..6d8547146f --- /dev/null +++ b/roles/fail2ban/templates/filters/wordpress-xmlrpc.conf.j2 @@ -0,0 +1,2 @@ +[Definition] +failregex = ^<HOST> .* "POST .*xmlrpc\.php From 1f676098d8590933a4d63716ac256d244cf13eaa Mon Sep 17 00:00:00 2001 From: Craig Pearson <hello@craigpearson.co.uk> Date: Wed, 4 May 2022 12:25:40 +0100 Subject: [PATCH 393/416] Remove redundant ansible_connection=local and comments --- hosts/development | 41 ++++------------------------------------- 1 file changed, 4 insertions(+), 37 deletions(-) diff --git a/hosts/development b/hosts/development index 2075118800..c71378df73 100644 --- a/hosts/development +++ b/hosts/development 
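Review bot: The new `dest` keeps only the basename, so a template in `fail2ban_filter_templates_path` with the same file name as a built-in one is written to the same file under `/etc/fail2ban/filter.d/`. Which copy ends up on the host then depends on the reverse path sort in `with_items`. If the two copies differ, each run rewrites the file twice, so the task would report a change and notify `restart fail2ban` every time (inferred from the loop, not tested). Either document that project templates override built-ins by name and order the list so they come last, or de-duplicate by basename before the loop. The pattern also leaves the dot unescaped; `regex_replace('\\.j2$', '')` matches the literal suffix.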
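Review bot: `failregex = ^<HOST> .* "POST .*wp-login\.php` counts every POST whose request line contains `wp-login.php`, successful logins included, because the pattern is tied to neither the request path nor a response status. Once the jail is enabled, the ban threshold is whatever `maxretry` and `findtime` the jail inherits, so a shared office or NAT address with a few legitimate logins could be banned. Matching the path segment and the status that failed logins actually return narrows it, e.g. `^<HOST> .* "POST [^" ]*/wp-login\.php[^" ]* HTTP/[^"]+" 200 ` (constructed for a combined-style access log; verify it with `fail2ban-regex` against a real log before enabling). The same applies to `wordpress-xmlrpc.conf.j2`. A comment in each filter saying what a match means and which log format it assumes would also help.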
@@ -1,41 +1,8 @@ -# This file is only used for Windows hosts. -# -# Windows -# ------------------------------------------------------------- -# If you want to run `dev.yml` manually you can SSH into the VM -# to the directory with the `dev.yml` playbook and run: - -# `ansible-playbook dev.yml` -# -# Non-Windows -# ------------------------------------------------------------- -# If you want to run `dev.yml` manually via the `ansible-playbook` -# command (vs. `vagrant up` or `vagrant provision`), you might be -# inclined to define your development host information in this file. -# We recommend instead that you use the `-i` (inventory) option with -# your `ansible-playbook` command to specify the custom inventory file -# Vagrant has created for the VM. Vagrant's custom inventory -# includes necessary non-standard SSH connection information. -# -# Here is an example command: -# -# `ansible-playbook dev.yml -i .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory` -# -# The `.vagrant` directory above is usually in the same directory as -# your `Vagrantfile`. If not, you will need to adjust this path in the -# command. -# -# Why run `dev.yml` manually? -# ------------------------------------------------------------- -# One reason you may want to run `dev.yml` via the `ansible-playbook` -# command is for the convenience of adding Ansible options via the -# command line (e.g., `--tags`, `--skip-tags`, or `-vvvv`). In contrast, -# the commands `vagrant up` and `vagrant provision` would only run the -# `dev.yml` playbook with such options if you were edit the options -# into the Vagrantfile's `config.vm.provision` section. +# Add each host to the [staging] group and to a "type" group such as [web] or [db]. +# List each machine only once per [group], even if it will host multiple sites. [development] -192.168.56.5 ansible_connection=local +192.168.56.5 [web] -192.168.56.5 ansible_connection=local +192.168.56.5 
From 734e262d85b38e656000a8abdac256dd1a88b649 Mon Sep 17 00:00:00 2001 From: Craig Pearson <hello@craigpearson.co.uk> Date: Wed, 4 May 2022 21:59:52 +0100 Subject: [PATCH 394/416] Fix typo --- hosts/development | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/development b/hosts/development index c71378df73..694b39e540 100644 --- a/hosts/development +++ b/hosts/development @@ -1,4 +1,4 @@ -# Add each host to the [staging] group and to a "type" group such as [web] or [db]. +# Add each host to the [development] group and to a "type" group such as [web] or [db]. # List each machine only once per [group], even if it will host multiple sites. [development] From 44025584b67ab11af09840bd8c08a876ffd9711d Mon Sep 17 00:00:00 2001 From: nextgenthemes <nextgenthemes@users.noreply.github.com> Date: Sat, 14 May 2022 11:24:07 +0200 Subject: [PATCH 395/416] Do not disallow up to date Vagrant vers. on Linux When this version restriction was introduced, I found out from the changelog or an issue that this was specifically because of a mac OS issue. I have successfully ran Vagrant versions that ship with Open SUSE Tumbleweed (Not sure), Ubuntu 21.10 and Ubuntu 22.04. AFAIK there is no reason to shut Linux users out of up-to-date Vagrant versions. --- Vagrantfile | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 1fb5a27031..da2eec1f18 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,8 +16,12 @@ ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_insta trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) -Vagrant.require_version '>= 2.1.0', '< 2.2.19' - +if Vagrant::Util::Platform.darwin? + Vagrant.require_version '>= 2.1.0', '< 2.2.19' +else + Vagrant.require_version '>= 2.1.0' +end + Vagrant.configure('2') do |config| config.vm.box = vconfig.fetch('vagrant_box') config.vm.box_version = vconfig.fetch('vagrant_box_version') 
From b530f7e6d2a6f4dde4d108294b75b41534ee1393 Mon Sep 17 00:00:00 2001 From: jakobmeusburger <48139550+jakobmeusburger@users.noreply.github.com> Date: Mon, 23 May 2022 18:53:49 +0200 Subject: [PATCH 396/416] Change MariaDB PPA link --- roles/mariadb/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 3eee94bcf2..d337299bfb 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,6 +1,6 @@ mariadb_keyserver: "hkp://keyserver.ubuntu.com:80" mariadb_keyserver_id: "0xF1656F24C74CD1D8" -mariadb_ppa: "deb http://mirrors.gigenet.com/mariadb/repo/10.5/ubuntu {{ ansible_distribution_release }} main" +mariadb_ppa: "deb http://mariadb.mirror.globo.tech/repo/10.5/ubuntu {{ ansible_distribution_release }} main" mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server From c7729fcc29c16734bcb267ed72f2edc4cdf6d63c Mon Sep 17 00:00:00 2001 From: Ben Word <ben@benword.com> Date: Tue, 31 May 2022 13:55:05 -0500 Subject: [PATCH 397/416] =?UTF-8?q?=F0=9F=92=AC=20update=20README?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index a350e8e28d..eca8889534 100644 --- a/README.md +++ b/README.md 
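Review bot: The replacement mirror in `mariadb_ppa` is still fetched over plain `http://`, and the signing key is identified only by the 64-bit ID `0xF1656F24C74CD1D8` pulled from `hkp://keyserver.ubuntu.com:80`. Package integrity therefore rests entirely on that key lookup. Moving between third-party mirrors is a good moment to pin the key by its full fingerprint and to use an `https://` URL if the chosen mirror offers one. A comment above `mariadb_ppa` saying why this mirror was picked and where the key fingerprint can be verified would help whoever has to swap it next.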
@@ -30,18 +30,16 @@ <a href="https://roots.io/"><strong><code>Website</code></strong></a>    <a href="https://docs.roots.io/trellis/master/installation/"><strong><code>Documentation</code></strong></a>    <a href="https://github.com/roots/trellis/releases"><strong><code>Releases</code></strong></a>    <a href="https://discourse.roots.io/"><strong><code>Support</code></strong></a> </p> -## Supporting +## Sponsors **Trellis** is an open source project and completely free to use. -However, the amount of effort needed to maintain and develop new features and products within the Roots ecosystem is not sustainable without proper financial backing. If you have the capability, please consider donating using the links below: +However, the amount of effort needed to maintain and develop new features and products within the Roots ecosystem is not sustainable without proper financial backing. If you have the capability, please consider [sponsoring Roots](https://github.com/sponsors/roots). -<div align="center"> - -[![Sponsor on GitHub](https://img.shields.io/static/v1?label=sponsor&message=%E2%9D%A4&logo=GitHub&style=flat-square)](https://github.com/sponsors/roots) -[![Sponsor on Patreon](https://img.shields.io/badge/sponsor-patreon-orange.svg?style=flat-square&logo=patreon")](https://www.patreon.com/rootsdev) -[![Donate via PayPal](https://img.shields.io/badge/donate-paypal-blue.svg?style=flat-square&logo=paypal)](https://www.paypal.me/rootsdev) +<p align="center"><a href="https://github.com/sponsors/roots"><img height="32" src="https://img.shields.io/badge/sponsor%20roots-525ddc?logo=github&logoColor=ffffff&message=" alt="Sponsor Roots"></a></p> +<div align="center"> +<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="148" height="111"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="148" height="111"></a> <a href="https://www.c21redwood.com/"><img 
src="https://cdn.roots.io/app/uploads/c21redwood.svg" alt="C21 Redwood Realty" width="148" height="111"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="148" height="111"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="148" height="111"></a> </div> ## Overview @@ -146,17 +144,11 @@ project trellis-cli compatible by initializing it: $ trellis init ``` -## Trellis sponsors - -Help support our open-source development efforts by [becoming a GitHub sponsor](https://github.com/sponsors/roots) or [patron](https://www.patreon.com/rootsdev). - -<a href="https://k-m.com/"><img src="https://cdn.roots.io/app/uploads/km-digital.svg" alt="KM Digital" width="200" height="150"></a> <a href="https://carrot.com/"><img src="https://cdn.roots.io/app/uploads/carrot.svg" alt="Carrot" width="200" height="150"></a> <a href="https://www.c21redwood.com/"><img src="https://cdn.roots.io/app/uploads/c21redwood.svg" alt="C21 Redwood Realty" width="200" height="150"></a> <a href="https://wordpress.com/"><img src="https://cdn.roots.io/app/uploads/wordpress.svg" alt="WordPress.com" width="200" height="150"></a> <a href="https://pantheon.io/"><img src="https://cdn.roots.io/app/uploads/pantheon.svg" alt="Pantheon" width="200" height="150"></a> - ## Community Keep track of development and community news. -- Join us on Roots Slack by becoming a [GitHub sponsor](https://github.com/sponsors/roots) or [patron](https://www.patreon.com/rootsdev) +- Join us on Discord by [sponsoring us on GitHub](https://github.com/sponsors/roots) - Participate on the [Roots Discourse](https://discourse.roots.io/) - Follow [@rootswp on Twitter](https://twitter.com/rootswp) - Read and subscribe to the [Roots Blog](https://roots.io/blog/) From c2f6eebda47b7351c086fa662929c13d346807f3 Mon Sep 17 00:00:00 2001 
From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 00:50:56 +0200 Subject: [PATCH 398/416] Split is installed check into a non-multisite and a mulitsite specific one. --- roles/deploy/hooks/finalize-before.yml | 48 ++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 4c46ed35ea..0b88736b49 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -1,16 +1,58 @@ --- +# Is installed check +# Non-multisite specific check +- name: WordPress Installed (non-multisite)? + command: wp core is-installed --skip-plugins --skip-themes + args: + chdir: "{{ deploy_helper.new_release_path }}" + register: wp_installed_single + changed_when: false + failed_when: wp_installed_single.stderr | length > 0 or wp_installed_single.rc > 1 + when: + - not project.multisite.enabled | default(false) + +# Multisite specific check - name: Create file with multisite constants defined as false copy: src: "tmp_multisite_constants.php" dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" + when: + - project.multisite.enabled | default(false) + +- name: Set variables used in "WordPress Installed?" check + set_fact: + php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" + when: + #- project.multisite.enabled | default(false) + - not project.multisite.enabled | default(false) -- name: WordPress Installed? +- name: WordPress Installed (multisite)? command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php args: chdir: "{{ deploy_helper.new_release_path }}" - register: wp_installed + register: wp_installed_multisite changed_when: false - failed_when: wp_installed.stderr | default("") != "" or wp_installed.rc > 1 + failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(php_needle_warning)) or wp_installed_multisite.rc > 1 + when: + - project.multisite.enabled | default(false) +# /Multisite specific check + +# Because variable is always registered, even with non-applying when-condition +- name: Set "WordPress installed (non-multisite)?" result variable + set_fact: + wp_installed: "{{ wp_installed_single }}" + when: + - not project.multisite.enabled | default(false) + +- name: Set "WordPress installed (multisite)?" 
result variable + set_fact: + wp_installed: "{{ wp_installed_multisite }}" + when: + - project.multisite.enabled | default(false) +# /Is installed check + + + - name: Get WP theme template and stylesheet roots shell: > From 49d95c980eddded5e90f30029cea0a8e9f36e272 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 15:44:16 +0200 Subject: [PATCH 399/416] Fix `when` for defining variable used in multisite-specific check. --- roles/deploy/hooks/finalize-before.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 0b88736b49..aebfc7c0c9 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -19,12 +19,11 @@ when: - project.multisite.enabled | default(false) -- name: Set variables used in "WordPress Installed?" check +- name: Set variables used in "WordPress Installed (multisite)?" check set_fact: php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" when: - #- project.multisite.enabled | default(false) - - not project.multisite.enabled | default(false) + - project.multisite.enabled | default(false) - name: WordPress Installed (multisite)? command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php From 4952e88778cf65c5a2e9efe555f873d3429399d4 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 18:24:52 +0200 Subject: [PATCH 400/416] Group "WordPress Installed" non-multisite and multisite tasks into Ansible blocks. --- roles/deploy/hooks/finalize-before.yml | 80 +++++++++++--------------- 1 file changed, 35 insertions(+), 45 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index aebfc7c0c9..056216c0bb 100644 
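Review bot: In the multisite check, `wp_installed_multisite.stderr is not match(php_needle_warning)` only tests that stderr begins with the expected warning, so any further error printed after it is accepted as well. `php_needle_warning` is also built by placing `deploy_helper.new_release_path` into a regular expression unescaped, which lets dots and other metacharacters in the path act as wildcards. Escaping the path with `{{ deploy_helper.new_release_path | regex_escape }}` and ending the pattern with `\\s*$` keeps the exemption limited to that single warning. Patches 402 and 411 later in this series change the pattern but keep the same `is not match(...)` construction.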
--- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -1,57 +1,47 @@ --- -# Is installed check -# Non-multisite specific check - name: WordPress Installed (non-multisite)? - command: wp core is-installed --skip-plugins --skip-themes - args: - chdir: "{{ deploy_helper.new_release_path }}" - register: wp_installed_single - changed_when: false - failed_when: wp_installed_single.stderr | length > 0 or wp_installed_single.rc > 1 - when: - - not project.multisite.enabled | default(false) - -# Multisite specific check -- name: Create file with multisite constants defined as false - copy: - src: "tmp_multisite_constants.php" - dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" - when: - - project.multisite.enabled | default(false) - -- name: Set variables used in "WordPress Installed (multisite)?" check - set_fact: - php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" + block: + - name: "'wp core is-installed' command" + command: wp core is-installed --skip-plugins --skip-themes + args: + chdir: "{{ deploy_helper.new_release_path }}" + register: wp_installed_singlesite + changed_when: false + failed_when: wp_installed_singlesite.stderr | length > 0 or wp_installed_singlesite.rc > 1 + + - name: Set "WordPress installed?" result variable (from non-multisite) + set_fact: + wp_installed: "{{ wp_installed_singlesite }}" when: + #- not project.multisite.enabled | default(false) - project.multisite.enabled | default(false) - name: WordPress Installed (multisite)? 
- command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php - args: - chdir: "{{ deploy_helper.new_release_path }}" - register: wp_installed_multisite - changed_when: false - failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(php_needle_warning)) or wp_installed_multisite.rc > 1 - when: - - project.multisite.enabled | default(false) -# /Multisite specific check - -# Because variable is always registered, even with non-applying when-condition -- name: Set "WordPress installed (non-multisite)?" result variable - set_fact: - wp_installed: "{{ wp_installed_single }}" + block: + - name: Create file with multisite constants defined as false + copy: + src: "tmp_multisite_constants.php" + dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" + + - name: Set variables used in "WordPress Installed (multisite)?" check + set_fact: + php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" + + - name: "'wp core is-installed' command" + command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php + args: + chdir: "{{ deploy_helper.new_release_path }}" + register: wp_installed_multisite + changed_when: false + failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(php_needle_warning)) or wp_installed_multisite.rc > 1 + + - name: Set "WordPress installed?" result variable (from multisite) + set_fact: + wp_installed: "{{ wp_installed_multisite }}" when: + #- project.multisite.enabled | default(false) - not project.multisite.enabled | default(false) -- name: Set "WordPress installed (multisite)?" 
result variable - set_fact: - wp_installed: "{{ wp_installed_multisite }}" - when: - - project.multisite.enabled | default(false) -# /Is installed check - - - - name: Get WP theme template and stylesheet roots shell: > From 2f1cfe05ec76f23e38f04535be934d36939c05a8 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 18:29:02 +0200 Subject: [PATCH 401/416] Fix when lines. --- roles/deploy/hooks/finalize-before.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 056216c0bb..b72b2c1c1a 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -13,8 +13,7 @@ set_fact: wp_installed: "{{ wp_installed_singlesite }}" when: - #- not project.multisite.enabled | default(false) - - project.multisite.enabled | default(false) + - not project.multisite.enabled | default(false) - name: WordPress Installed (multisite)? block: @@ -39,8 +38,7 @@ set_fact: wp_installed: "{{ wp_installed_multisite }}" when: - #- project.multisite.enabled | default(false) - - not project.multisite.enabled | default(false) + - project.multisite.enabled | default(false) - name: Get WP theme template and stylesheet roots From e1e82a8d094c96367d67afbe104dcc044aa32c5b Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 19:38:47 +0200 Subject: [PATCH 402/416] Make `strpos` `empty needle` PHP warning match less strict (omit line number). --- roles/deploy/hooks/finalize-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index b72b2c1c1a..70c5988f1d 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -24,7 +24,7 @@ - name: Set variables used in "WordPress Installed (multisite)?" check set_fact: - php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php on line 3535" + php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php" - name: "'wp core is-installed' command" command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php From cc07d1e194d13f43b05c2a2bef162dfc6d87bc20 Mon Sep 17 00:00:00 2001 From: Kelly Mears <developers@tinypixel.dev> Date: Wed, 1 Jun 2022 10:54:40 -0700 Subject: [PATCH 403/416] fix: set mjs as application/javascript in h5bp (#1383) --- roles/nginx/templates/h5bp/mime.types | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/h5bp/mime.types b/roles/nginx/templates/h5bp/mime.types index 7c3b1e7386..972fd08958 100644 --- a/roles/nginx/templates/h5bp/mime.types +++ b/roles/nginx/templates/h5bp/mime.types @@ -14,7 +14,7 @@ types { # Normalize to standard type. # https://tools.ietf.org/html/rfc4329#section-7.2 - application/javascript js; + application/javascript js mjs; # Manifest files From 8edc250e4597b183892240ca3f4a6d35a7d5d437 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Wed, 1 Jun 2022 20:00:16 +0200 Subject: [PATCH 404/416] Improve task names (invoke). --- roles/deploy/hooks/finalize-before.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 70c5988f1d..550b0f85cf 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -1,7 +1,7 @@ --- - name: WordPress Installed (non-multisite)? block: - - name: "'wp core is-installed' command" + - name: "Invoke 'wp core is-installed' command" command: wp core is-installed --skip-plugins --skip-themes args: chdir: "{{ deploy_helper.new_release_path }}" @@ -26,7 +26,7 @@ set_fact: php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php" - - name: "'wp core is-installed' command" + - name: "Invoke 'wp core is-installed' command" command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php args: chdir: "{{ deploy_helper.new_release_path }}" From 052ace7a34967186e53c68009a8f6d680b422c7e Mon Sep 17 00:00:00 2001 From: Christopher Murtagh <christopher@pressbooks.com> Date: Thu, 2 Jun 2022 16:45:17 -0500 Subject: [PATCH 405/416] Using apt to install epubcheck from Ubuntu Universe instead of fetching a 3rd party binary --- roles/epubcheck/defaults/main.yml | 2 -- roles/epubcheck/tasks/main.yml | 17 ++++------------- 2 files changed, 4 insertions(+), 15 deletions(-) delete mode 100644 roles/epubcheck/defaults/main.yml diff --git a/roles/epubcheck/defaults/main.yml b/roles/epubcheck/defaults/main.yml deleted file mode 100644 index 4b7cd15dc8..0000000000 --- a/roles/epubcheck/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -epubcheck_release_url: https://github.com/w3c/epubcheck/releases/download/v4.1.1/epubcheck-4.1.1.zip diff --git a/roles/epubcheck/tasks/main.yml b/roles/epubcheck/tasks/main.yml index bd1ce24e01..8a6c13783a 100644 --- a/roles/epubcheck/tasks/main.yml +++ b/roles/epubcheck/tasks/main.yml 
@@ -1,13 +1,4 @@ ---- -- name: Download epubcheck - unarchive: - src: "{{ epubcheck_release_url }}" - dest: /tmp - remote_src: yes - -- name: Sync epubcheck into place - synchronize: - src: /tmp/{{ epubcheck_release_url[:-4] | basename }}/ - dest: /opt/epubcheck - delete: yes - delegate_to: "{{ inventory_hostname }}" +- name: Install EpubCheck + apt: + name: epubcheck + state: present From 43622e1e82ecfc2b5363caf44b77b43198a294ac Mon Sep 17 00:00:00 2001 From: Christopher Murtagh <christopher@pressbooks.com> Date: Tue, 7 Jun 2022 09:25:54 -0400 Subject: [PATCH 406/416] Only add hstr when using x86, as this currently doesn't have an ARM build --- roles/bash-for-pressbooks-dev/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/bash-for-pressbooks-dev/tasks/main.yml b/roles/bash-for-pressbooks-dev/tasks/main.yml index 952264d759..88d22baf0e 100644 --- a/roles/bash-for-pressbooks-dev/tasks/main.yml +++ b/roles/bash-for-pressbooks-dev/tasks/main.yml @@ -2,10 +2,14 @@ apt_repository: repo: "ppa:ultradvorka/ppa" update_cache: yes + when: ansible_architecture == "x86_64" + - name: Install hstr apt: name: hstr state: present + when: ansible_architecture == "x86_64" + - name: Checkout git aware prompt become_user: vagrant git: From b344616b797b93088922e39d493f15791bfbf188 Mon Sep 17 00:00:00 2001 From: Christopher Murtagh <christopher@pressbooks.com> Date: Tue, 7 Jun 2022 09:27:02 -0400 Subject: [PATCH 407/416] Use chromium and chromedriver from Ubuntu instead of this binary and deb --- roles/acceptance-test/tasks/main.yml | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/roles/acceptance-test/tasks/main.yml b/roles/acceptance-test/tasks/main.yml index 73515895dc..86bd0cded0 100644 --- a/roles/acceptance-test/tasks/main.yml +++ b/roles/acceptance-test/tasks/main.yml 
@@ -31,24 +31,18 @@ login_user: "root" login_password: "devpw" -- name: Add Chrome deb to target - copy: - src: "google-chrome-stable_current_amd64.deb" - dest: "/tmp/google-chrome-stable_current_amd64.deb" +- name: Install Chromium + apt: + name: chromium-browser + state: present -- name: Install a Google Chrome .deb package +- name: Install Chromium Chrome Driver apt: - deb: "/tmp/google-chrome-stable_current_amd64.deb" + name: chromium-chromedriver + state: present - name: Check that the chromedriver exists stat: path: /usr/bin/chromedriver register: chromedriver_present -- name: Add chromedriver - copy: - src: "chromedriver" - dest: "/usr/bin/chromedriver" - owner: root - group: root - mode: '0777' From 3346871b6aaedbd5771dc639f2c482525f45755f Mon Sep 17 00:00:00 2001 From: Christopher Murtagh <christopher@pressbooks.com> Date: Wed, 8 Jun 2022 01:31:44 -0400 Subject: [PATCH 408/416] ObjectCache Pro needs php7.4-redis --- roles/php/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index a40804e9ed..c6ef36e940 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -11,6 +11,7 @@ php_extensions_default: php7.4-mbstring: "{{ apt_package_state }}" php7.4-mysql: "{{ apt_package_state }}" php7.4-opcache: "{{ apt_package_state }}" + php7.4-redis: "{{ apt_package_state }}" php7.4-xml: "{{ apt_package_state }}" php7.4-xmlrpc: "{{ apt_package_state }}" php7.4-zip: "{{ apt_package_state }}" From 868d6c3bb443ef2388593f335cd2e585b5bfcbe1 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 8 Jun 2022 22:11:15 -0400 Subject: [PATCH 409/416] Fix discourse release tags --- .github/workflows/discourse.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/discourse.yml b/.github/workflows/discourse.yml index c98763d53a..14893e0879 100644 --- a/.github/workflows/discourse.yml +++ b/.github/workflows/discourse.yml 
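Review bot: After this change nothing in the visible hunk uses `chromedriver_present`. The `stat` on `/usr/bin/chromedriver` is still registered, but the copy task that followed it is removed and no task fails when the file is missing. On Ubuntu releases where `chromium-browser` and `chromium-chromedriver` are transitional packages for the snap, the driver may not be installed at that path (to be confirmed on the target box). Either drop the `stat` task or turn it into a real check, e.g. `failed_when: not chromedriver_present.stat.exists`.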
@@ -14,6 +14,4 @@ jobs: discourse-base-url: ${{ secrets.DISCOURSE_BASE_URL }} discourse-author-username: swalkinshaw discourse-category: 12 - discourse-tags: - trellis - releases + discourse-tags: trellis, releases From b419b8b36dbcadd7028c558101dbdb14e72374ed Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw <scott.walkinshaw@gmail.com> Date: Wed, 8 Jun 2022 22:23:44 -0400 Subject: [PATCH 410/416] [skip ci] Update discourse release tags --- .github/workflows/discourse.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/discourse.yml b/.github/workflows/discourse.yml index 14893e0879..0205abbd1f 100644 --- a/.github/workflows/discourse.yml +++ b/.github/workflows/discourse.yml @@ -14,4 +14,4 @@ jobs: discourse-base-url: ${{ secrets.DISCOURSE_BASE_URL }} discourse-author-username: swalkinshaw discourse-category: 12 - discourse-tags: trellis, releases + discourse-tags: releases From 71955807c244d75ff4c176d40ee42b377e33105c Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sun, 12 Jun 2022 00:29:24 +0200 Subject: [PATCH 411/416] Change is-installed check to exempt DB error dump PHP warning for not yet set up multisite sites. --- roles/deploy/hooks/finalize-before.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 550b0f85cf..06cbd1b0d7 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -17,22 +17,17 @@ - name: WordPress Installed (multisite)? block: - - name: Create file with multisite constants defined as false - copy: - src: "tmp_multisite_constants.php" - dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" - - name: Set variables used in "WordPress Installed (multisite)?" check set_fact: - php_needle_warning: "Warning: strpos\\(\\): Empty needle in {{ deploy_helper.new_release_path }}/web/wp/wp-includes/link-template.php" + multisite_non_setup_db_error: "WordPress database error Table '{{ site_env.db_name }}.wp_blogs' doesn't exist" - name: "Invoke 'wp core is-installed' command" - command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php + command: wp core is-installed --skip-plugins --skip-themes args: chdir: "{{ deploy_helper.new_release_path }}" register: wp_installed_multisite changed_when: false - failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(php_needle_warning)) or wp_installed_multisite.rc > 1 + failed_when: (wp_installed_multisite.stderr | length > 0 and wp_installed_multisite.stderr is not match(multisite_non_setup_db_error)) or wp_installed_multisite.rc > 1 - name: Set "WordPress installed?" result variable (from multisite) set_fact: From b58ca90e5d99617c713462952cc8c02904178557 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sun, 12 Jun 2022 01:44:45 +0200 Subject: [PATCH 412/416] Clean up now unused `tmp_multisite_constants.php`. --- roles/deploy/hooks/finalize-before.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 06cbd1b0d7..46700d51a3 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
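Review bot: `multisite_non_setup_db_error` hard-codes the `wp_` table prefix in `'{{ site_env.db_name }}.wp_blogs'`. A site with a different prefix would produce a different message, and the deploy would then fail on a multisite that has not been set up yet (inferred; the prefix setting is not visible in this hunk). `site_env.db_name` is also placed in the pattern unescaped, and the `.` before `wp_blogs` matches any character. Something like `"WordPress database error Table '{{ site_env.db_name | regex_escape }}\\.[^']*blogs' doesn't exist"` covers both. A comment above the `set_fact` explaining why this one database error is tolerated would make the exemption easier to audit.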
@@ -1,4 +1,9 @@ --- +- name: Clean up unused, temporary PHP file with multisite constants that had been used for WordPress Installed check. + file: + state: absent + path: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" + - name: WordPress Installed (non-multisite)? block: - name: "Invoke 'wp core is-installed' command" From c982803dde94647c1380302ea2ea636bc62aebc3 Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sun, 12 Jun 2022 01:47:39 +0200 Subject: [PATCH 413/416] Improve name. --- roles/deploy/hooks/finalize-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 46700d51a3..b9fb5fd981 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -1,5 +1,5 @@ --- -- name: Clean up unused, temporary PHP file with multisite constants that had been used for WordPress Installed check. +- name: Clean up unused, temporary PHP file with multisite constants that had been used for WordPress Installed checks. file: state: absent path: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" From 3bea855b015acd209e4c0bbf9931a8e6897e02ce Mon Sep 17 00:00:00 2001 From: strarsis <strarsis@gmail.com> Date: Sun, 12 Jun 2022 13:05:52 +0200 Subject: [PATCH 414/416] Remove unused `tmp_multisite_constants.php` source file. --- roles/deploy/files/tmp_multisite_constants.php | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 roles/deploy/files/tmp_multisite_constants.php diff --git a/roles/deploy/files/tmp_multisite_constants.php b/roles/deploy/files/tmp_multisite_constants.php deleted file mode 100644 index e468cc8bfc..0000000000 --- a/roles/deploy/files/tmp_multisite_constants.php +++ /dev/null 
@@ -1,7 +0,0 @@ -<?php -error_reporting(E_ALL & ~E_NOTICE); -define('MULTISITE', false); -define('SUBDOMAIN_INSTALL', false); -define('WPMU_PLUGIN_DIR', null); -define('WP_PLUGIN_DIR', null); -define('WP_USE_THEMES', false); From 24ef855518e8544e0d550e01fde4438d25968120 Mon Sep 17 00:00:00 2001 From: Christopher Murtagh <christopher@pressbooks.com> Date: Thu, 16 Jun 2022 16:06:32 -0400 Subject: [PATCH 415/416] Bumping geerlingguy.mailhog. Geerlingguy merged our PR into master and released 2.3.0 to support arm --- galaxy.yml | 2 +- vagrant.default.yml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/galaxy.yml b/galaxy.yml index c5a79cbe39..788cd63b1b 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -16,7 +16,7 @@ - name: mailhog src: geerlingguy.mailhog - version: 2.2.0 + version: 2.3.0 - src: geerlingguy.redis version: 1.7.0 diff --git a/vagrant.default.yml b/vagrant.default.yml index b02ed2384f..85df0b0622 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,6 +4,10 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-20.04' vagrant_box_version: '>= 202012.23.0' +## Uncomment below for use on Apple M1/Arm hardware, and comment out the two lines above this +#vagrant_box: 'jeffnoxon/ubuntu-20.04-arm64' +#vagrant_box_version: '>= 1.0.0' +#vagrant_ansible_python_interpreter: '/usr/bin/python3' vagrant_ansible_version: '2.10.7' vagrant_skip_galaxy: false vagrant_mount_type: 'nfs' From 6d9d62955337efc1b78a14249eff9b83108e4c66 Mon Sep 17 00:00:00 2001 
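Review bot: The commented-out ARM alternative in `vagrant.default.yml` points at a box published under what appears to be a personal namespace (`jeffnoxon/ubuntu-20.04-arm64`) with the open-ended constraint `'>= 1.0.0'`, so anyone who uncomments it will pull whatever version is uploaded next as the base image of their VM. Pinning the exact version that was tested, `#vagrant_box_version: '<tested version>'`, and adding a comment line that says who maintains the box and that it is not the project default would make that trust decision explicit. The change is otherwise comments only.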
From: Christopher Murtagh <christopher@pressbooks.com> Date: Thu, 16 Jun 2022 17:02:11 -0400 Subject: [PATCH 416/416] Adding a temporary condidtional for princexml until there's a .deb package or a proper installer script ported to ansible --- roles/princexml/tasks/amd64.yml | 35 ++++++++++++++++++++++++++++++ roles/princexml/tasks/arm64.yml | 3 +++ roles/princexml/tasks/main.yml | 38 ++++++--------------------------- 3 files changed, 44 insertions(+), 32 deletions(-) create mode 100644 roles/princexml/tasks/amd64.yml create mode 100644 roles/princexml/tasks/arm64.yml diff --git a/roles/princexml/tasks/amd64.yml b/roles/princexml/tasks/amd64.yml new file mode 100644 index 0000000000..c77983df8e --- /dev/null +++ b/roles/princexml/tasks/amd64.yml 
@@ -0,0 +1,35 @@
+---
+- name: 'Check for supported environment'
+ fail: msg="PrinceXML can only be installed on Ubuntu Xenial, Bionic or Focal."
+ when: (ansible_distribution|string != 'Ubuntu') or
+ (ansible_distribution_release|string != 'xenial' and ansible_distribution_release|string != 'bionic' and ansible_distribution_release|string != 'focal')
+
+- name: Determine PrinceXML version
+ set_fact:
+ prince_package_uri: "prince_package_uri_ubuntu_{{ ansible_distribution_release|string }}"
+
+- name: Install PrinceXML
+ apt:
+ deb: "{{ lookup('vars', prince_package_uri) }}"
+
+- name: Upload PrinceXML license
+ copy:
+ src: "{{ prince_license }}"
+ dest: /usr/lib/prince/license/license.dat.new
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ when: prince_license != ""
+
+- name: Check for existing PrinceXML license
+ stat: path=/usr/lib/prince/license/license.dat
+ register: existing_license
+ when: prince_license != ""
+
+- name: Backup old PrinceXML license
+ command: mv /usr/lib/prince/license/license.dat /usr/lib/prince/license/license.dat.{{ lookup('pipe', 'date +%Y%m%d') }}.old
+ when: prince_license != "" and existing_license.stat.exists
+
+- name: Install new PrinceXML license
+ command: mv /usr/lib/prince/license/license.dat.new /usr/lib/prince/license/license.dat
+ when: prince_license != ""
diff --git a/roles/princexml/tasks/arm64.yml b/roles/princexml/tasks/arm64.yml
new file mode 100644
index 0000000000..7ebd8451e7
--- /dev/null
+++ b/roles/princexml/tasks/arm64.yml
@@ -0,0 +1,3 @@
+---
+- name: 'Skip PrinceXML for now until there is an arm .deb'
+ action: command echo "Arm detected. Skipping PrinceXML"
diff --git a/roles/princexml/tasks/main.yml b/roles/princexml/tasks/main.yml
index c77983df8e..e51a84945b 100644
--- a/roles/princexml/tasks/main.yml
+++ b/roles/princexml/tasks/main.yml
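Review bot: The `Install PrinceXML` task in `amd64.yml` passes `{{ lookup('vars', prince_package_uri) }}` straight to `apt: deb:`, so the package is installed as root with no integrity check, assuming the variable holds a remote URL as its name suggests (its value is defined outside this hunk). Fetching it first with `get_url` and a pinned `checksum`, then installing the local file, makes a swapped or tampered package fail the play instead of being installed. The checksum variable in the sketch below is a placeholder that would have to be defined next to the per-release package URI variables.

```yaml
- name: Download PrinceXML package
  get_url:
    url: "{{ lookup('vars', prince_package_uri) }}"
    dest: /usr/local/src/prince.deb
    # placeholder variable: "sha256:<digest of the tested package>"
    checksum: "{{ prince_package_checksum }}"

- name: Install PrinceXML
  apt:
    deb: /usr/local/src/prince.deb
# … unchanged: license upload, backup and install tasks …
```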
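Review bot: The skip task in `arm64.yml` shells out to `echo` only to print a message, which starts a process on the target and reports `changed` on every run. The `debug` module prints the same text without touching the host: `debug: msg="Arm detected. Skipping PrinceXML"`. A one-line comment at the top of the file stating the condition under which it can be removed (an ARM .deb becoming available) would also help the next maintainer.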
@@ -1,35 +1,9 @@ --- -- name: 'Check for supported environment' - fail: msg="PrinceXML can only be installed on Ubuntu Xenial, Bionic or Focal." - when: (ansible_distribution|string != 'Ubuntu') or - (ansible_distribution_release|string != 'xenial' and ansible_distribution_release|string != 'bionic' and ansible_distribution_release|string != 'focal') + - name: AMD64/x86_64 + import_tasks: amd64.yml + when: ansible_architecture == "x86_64" -- name: Determine PrinceXML version - set_fact: - prince_package_uri: "prince_package_uri_ubuntu_{{ ansible_distribution_release|string }}" + - name: ARM64 + import_tasks: arm64.yml + when: ansible_architecture == "aarch64" -- name: Install PrinceXML - apt: - deb: "{{ lookup('vars', prince_package_uri) }}" - -- name: Upload PrinceXML license - copy: - src: "{{ prince_license }}" - dest: /usr/lib/prince/license/license.dat.new - owner: root - group: root - mode: "u=rw,g=r,o=r" - when: prince_license != "" - -- name: Check for existing PrinceXML license - stat: path=/usr/lib/prince/license/license.dat - register: existing_license - when: prince_license != "" - -- name: Backup old PrinceXML license - command: mv /usr/lib/prince/license/license.dat /usr/lib/prince/license/license.dat.{{ lookup('pipe', 'date +%Y%m%d') }}.old - when: prince_license != "" and existing_license.stat.exists - -- name: Install new PrinceXML license - command: mv /usr/lib/prince/license/license.dat.new /usr/lib/prince/license/license.dat - when: prince_license != ""
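Review bot: Hosts whose `ansible_architecture` is neither `x86_64` nor `aarch64` now match neither import in `main.yml`, so the role ends without installing anything and without the 'Check for supported environment' failure that used to run unconditionally. If that is not intended, a closing task such as `fail: msg="PrinceXML role does not support {{ ansible_architecture }}"` with `when: ansible_architecture not in ['x86_64', 'aarch64']` keeps the previous fail-closed behaviour. Because `import_tasks` is static, each `when` is applied to every imported task rather than evaluated once, which deserves a short comment above the imports.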