Merging latest from upstream#5
Open
apmarshall wants to merge 959 commits into
Open
Conversation
Fix Ansible 6 support - remove broken and unused cli import
Fixes #905 Replaces the old h5bp location specific `expires.conf` with a new `cache_expiration` directive-only conf. The config just sets a mapping of expiration headers which is then used in the site specific server template.
Update hb5p configs
Fix warnings for missing paths
Update mailhog galaxy role
Ref #741 This changes the default for HSTS' `includeSubdomains` value from `true` to `false`. Previously a user visiting a WordPress site would result in HSTS being enabled in their browser for _all_ subdomains of the site's domain. Now HSTS will only apply to the hostnames activately managed by Trellis in the `wordpress_sites.yml` config. This is a safer default since subdomains can frequently exist without SSL.
…y-default Disable HSTS includeSubdomains by default
Fixes #1244 Runs `composer check-platform-reqs` before installing composer dependencies to verify that platform requirements (i.e. php and php extensions) are fulfilled by the PHP process currently running. This could potentially prevent some "white page of death" errors before a deploy. Ref https://getcomposer.org/doc/07-runtime.md#platform-check
Removes the validation to enforce `password` and sets the default to `""` which is quoted to ensure `composer` is properly passed `""` as the last argument value.
Run composer check-platform-reqs during deploy
Co-authored-by: Tang Rufus <tangrufus@gmail.com>
…assword-default Improve composer authentications password default
Nginx has a newer `ssl_reject_handshake` directive that lets us simplify the "no default" site conf. Before we had to generate a self-signed certificate just to satisfy Nginx and create a server that listened on port 443. Now with `ssl_reject_handshake`, SSL handshakes with server names that are *not* part of the real WordPress server hosts will be rejected up front. This means we can skip self-signed certificate generation in default cases. The two separate server configs (HTTP and HTTPS) have now been merged into one as well since they are simpler overall.
Simplify Nginx no-default sites for HTTPS
#1414 simplified the Nginx "no-default" site confs but broke backwards compatibility for existing servers by leaving the old site enabled. This would result in Nginx failing to restart because of duplicate listen options. This keeps the `ssl.no-default.conf.j2` site conf but instead sets it to disabled to prevent the duplicate listen options. Now there will only be a single active site for "no-default" that contains both HTTP (port 80) and HTTPS (port 443) listen options.
…ackwards-compatible Fix backwards compat for ssl.no-default conf
This will trigger more conditional branches that the first deploy doesn't (since WP isn't yet installed for that one).
…eploy Add integration test step for second deploy
This is the direction Ansible is moving in and it provides consistency and better loop control flexibility.
* Add template render helper and baseline smoke test * Add wordpress-site template regression tests * Add nginx template stale-cache regression tests * Run template render tests in CI and export-ignore test infra
…1646) * Add pytest integration assertions for current workflow checks * Run integration verification through pytest assertions
…edis health (#1647) * Expand integration assertions for HTTP behavior and Redis health * Add canonical redirect, HSTS, and cache header assertions * Expand 404 negative-path assertions across all sites
Scope fastcgi_cache_valid to 200 responses only, preventing nginx from caching 301/302 redirects which can cause redirect loops when cached redirect target points back through WordPress/canonical redirects. Also add $upstream_http_location to fastcgi_no_cache as an additional guard against caching any response with a Location header. Closes #1594 Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Fix fastcgi cache serving stale content for unpublished pages Remove `updating` from `fastcgi_cache_use_stale` by default so nginx waits for the fresh upstream response instead of serving stale cached content. This prevents unpublished/drafted pages from continuing to be served from cache indefinitely. Add `nginx_cache_use_stale_updating` variable (default: false) so users who prefer stale-while-revalidate behavior can opt back in. This is a behavior change: previously nginx served stale cache entries while background updates fetched fresh content. The new default favors correctness (fresh responses) over latency during cache refreshes. Closes #1551 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Make fastcgi_cache_use_stale fully configurable as a variable Replace the boolean `nginx_cache_use_stale_updating` toggle with a `nginx_cache_use_stale` variable containing the full directive value. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
#1648) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Adds the `custom-headers` auth type introduced in Composer 2.9, allowing private repositories that use custom HTTP headers for authentication. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
JIT tracing mode in PHP 8.3 has known memory corruption bugs that can cause recurring PHP-FPM crashes with ~4GB allocation attempts. WordPress workloads are I/O-bound and see negligible benefit from JIT, making the risk/reward unfavorable. JIT can be re-enabled via group_vars by setting php_opcache_jit and php_opcache_jit_buffer_size. Also consolidates JIT directives into 10-opcache.ini.j2 instead of splitting them across two config files. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Replace ssmtp with msmtp for system mail relay (#1482) ssmtp has been unmaintained for years. msmtp is an actively maintained replacement with better auth method auto-detection and multi-account support. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Remove unnecessary validation and host/port parsing from msmtp role The template already handles host/port parsing, so the duplicated parsing and validation tasks were unnecessary overhead. Users need to test their configuration regardless. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Use generic example.com in msmtp_accounts example Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Replace local msmtp role with external roots.msmtp Galaxy role Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Simplify msmtp role integration, bump to v1.0.2 Role now defaults to Trellis mail_* variables directly, removing the need for var mapping in server.yml. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
write() on a file opened with text mode expects a str but we have bytes from bundled_hashed_cert_file (opened in binary mode). Use binary mode to write to bundled cert without id in filename.
Closes #1667 Access gathered facts via the `ansible_facts` dictionary rather than the injected top-level `ansible_*` variables in roles we control: - mariadb: ansible_hostname, ansible_distribution_release - nginx: ansible_distribution_release - xdebug-tunnel: ansible_user_id, ansible_default_ipv4 Also bump roots.mailpit to v1.0.1, which makes the same migration for its `ansible_architecture` reference, so no actively-run role references a top-level fact var anymore. `INJECT_FACTS_AS_VARS` can't be changed yet due to one upstream issue. We are blocked by geerlingguy/ansible-role-ntp#149
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
The `use` directive was consumed by the `service` action plugin to
force the generic SysV `service` backend instead of auto-detecting
systemd. Newer ansible-core (2.20+) no longer handles it in the action
plugin, so it gets passed through to the underlying module and fails:
Unsupported parameters for (ansible.legacy.service) module: use
Dropping it lets the service module auto-detect the init system, which
is systemd on Trellis's supported Ubuntu targets.
Fixes #1668
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
…1675) Ansible conditionals are already evaluated as Jinja2 expressions, so wrapping them in {{ }}/{% %} delimiters triggers a deprecation warning ("conditional statements should not include jinja2 templating delimiters") and is on a path to becoming a hard error. Rewrite the two `assert` conditions as delimiter-free filter expressions. `selectattr(...) | first | default(...)` reproduces the original `{% for ... %}...{% else %}...{% endfor %}` no-match handling. Fixes #1657 Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The task named "Check whether Ansible can connect as <user>" reads like a connectivity gate, but it is not one: `failed_when: false` is required for the root -> admin_user fallback, so the task is really detecting which remote user to use, not asserting that SSH works. Genuine SSH failures are intentionally surfaced by Ansible's own later connection error rather than duplicated here. Rename it to "Determine remote user by probing connection as <user>" so the name stops advertising a guarantee it never made. No behavior change. Refs #1466
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.