Skip to content

Merging latest from upstream#5

Open
apmarshall wants to merge 959 commits into
SorenTech:masterfrom
roots:master
Open

Merging latest from upstream#5
apmarshall wants to merge 959 commits into
SorenTech:masterfrom
roots:master

Conversation

@apmarshall

Copy link
Copy Markdown
Member

No description provided.

swalkinshaw and others added 30 commits July 18, 2022 18:27
Fix Ansible 6 support - remove broken and unused cli import
Fixes #905

Replaces the old h5bp location specific `expires.conf` with a new
`cache_expiration` directive-only conf. The config just sets a mapping
of expiration headers which is then used in the site specific server
template.
Ref #741

This changes the default for HSTS' `includeSubdomains` value from `true`
to `false`. Previously a user visiting a WordPress site would result in
HSTS being enabled in their browser for _all_ subdomains of the site's
domain. Now HSTS will only apply to the hostnames activately managed by
Trellis in the `wordpress_sites.yml` config.

This is a safer default since subdomains can frequently exist without
SSL.
…y-default

Disable HSTS includeSubdomains by default
Fixes #1244

Runs `composer check-platform-reqs` before installing composer
dependencies to verify that platform requirements (i.e. php and php extensions)
are fulfilled by the PHP process currently running. This could
potentially prevent some "white page of death" errors before a deploy.

Ref https://getcomposer.org/doc/07-runtime.md#platform-check
Removes the validation to enforce `password` and sets the default to `""`
which is quoted to ensure `composer` is properly passed `""` as the last
argument value.
Run composer check-platform-reqs during deploy
Co-authored-by: Tang Rufus <tangrufus@gmail.com>
…assword-default

Improve composer authentications password default
Nginx has a newer `ssl_reject_handshake` directive that lets us simplify
the "no default" site conf. Before we had to generate a self-signed
certificate just to satisfy Nginx and create a server that listened on
port 443.

Now with `ssl_reject_handshake`, SSL handshakes with server names that
are *not* part of the real WordPress server hosts will be rejected up
front.

This means we can skip self-signed certificate generation in default
cases. The two separate server configs (HTTP and HTTPS) have now been
merged into one as well since they are simpler overall.
#1414 simplified the Nginx
"no-default" site confs but broke backwards compatibility for existing
servers by leaving the old site enabled. This would result in Nginx failing
to restart because of duplicate listen options.

This keeps the `ssl.no-default.conf.j2` site conf but instead sets it to
disabled to prevent the duplicate listen options. Now there will only be
a single active site for "no-default" that contains both HTTP (port 80)
and HTTPS (port 443) listen options.
…ackwards-compatible

Fix backwards compat for ssl.no-default conf
This will trigger more conditional branches that the first deploy
doesn't (since WP isn't yet installed for that one).
…eploy

Add integration test step for second deploy
This is the direction Ansible is moving in and it provides consistency
and better loop control flexibility.
retlehs and others added 30 commits March 4, 2026 09:21
* Add template render helper and baseline smoke test

* Add wordpress-site template regression tests

* Add nginx template stale-cache regression tests

* Run template render tests in CI and export-ignore test infra
…1646)

* Add pytest integration assertions for current workflow checks

* Run integration verification through pytest assertions
…edis health (#1647)

* Expand integration assertions for HTTP behavior and Redis health

* Add canonical redirect, HSTS, and cache header assertions

* Expand 404 negative-path assertions across all sites
Scope fastcgi_cache_valid to 200 responses only, preventing nginx from
caching 301/302 redirects which can cause redirect loops when cached
redirect target points back through WordPress/canonical redirects.

Also add $upstream_http_location to fastcgi_no_cache as an additional
guard against caching any response with a Location header.

Closes #1594

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
…1640)

Use $request_uri instead of $uri in the wp-admin rewrite rule to
prevent HTTP response splitting via CRLF injection.

Closes #1548

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* Fix fastcgi cache serving stale content for unpublished pages

Remove `updating` from `fastcgi_cache_use_stale` by default so nginx
waits for the fresh upstream response instead of serving stale cached
content. This prevents unpublished/drafted pages from continuing to be
served from cache indefinitely.

Add `nginx_cache_use_stale_updating` variable (default: false) so users
who prefer stale-while-revalidate behavior can opt back in.

This is a behavior change: previously nginx served stale cache entries
while background updates fetched fresh content. The new default favors
correctness (fresh responses) over latency during cache refreshes.

Closes #1551

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Make fastcgi_cache_use_stale fully configurable as a variable

Replace the boolean `nginx_cache_use_stale_updating` toggle with a
`nginx_cache_use_stale` variable containing the full directive value.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
#1648)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Adds the `custom-headers` auth type introduced in Composer 2.9, allowing
private repositories that use custom HTTP headers for authentication.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
JIT tracing mode in PHP 8.3 has known memory corruption bugs that can
cause recurring PHP-FPM crashes with ~4GB allocation attempts. WordPress
workloads are I/O-bound and see negligible benefit from JIT, making the
risk/reward unfavorable.

JIT can be re-enabled via group_vars by setting php_opcache_jit and
php_opcache_jit_buffer_size.

Also consolidates JIT directives into 10-opcache.ini.j2 instead of
splitting them across two config files.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Replace ssmtp with msmtp for system mail relay (#1482)

ssmtp has been unmaintained for years. msmtp is an actively maintained
replacement with better auth method auto-detection and multi-account
support.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Remove unnecessary validation and host/port parsing from msmtp role

The template already handles host/port parsing, so the duplicated
parsing and validation tasks were unnecessary overhead. Users need
to test their configuration regardless.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use generic example.com in msmtp_accounts example

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Replace local msmtp role with external roots.msmtp Galaxy role

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Simplify msmtp role integration, bump to v1.0.2

Role now defaults to Trellis mail_* variables directly, removing
the need for var mapping in server.yml.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
write() on a file opened with text mode expects a str but we have bytes
from bundled_hashed_cert_file (opened in binary mode).

Use binary mode to write to bundled cert without id in filename.
Closes #1667

Access gathered facts via the `ansible_facts` dictionary rather than the injected top-level `ansible_*` variables in roles we control:

- mariadb: ansible_hostname, ansible_distribution_release
- nginx: ansible_distribution_release
- xdebug-tunnel: ansible_user_id, ansible_default_ipv4

Also bump roots.mailpit to v1.0.1, which makes the same migration for its `ansible_architecture` reference, so no actively-run role references a top-level fact var anymore.

`INJECT_FACTS_AS_VARS` can't be changed yet due to one upstream issue. We are blocked by geerlingguy/ansible-role-ntp#149
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
The `use` directive was consumed by the `service` action plugin to
force the generic SysV `service` backend instead of auto-detecting
systemd. Newer ansible-core (2.20+) no longer handles it in the action
plugin, so it gets passed through to the underlying module and fails:

    Unsupported parameters for (ansible.legacy.service) module: use

Dropping it lets the service module auto-detect the init system, which
is systemd on Trellis's supported Ubuntu targets.

Fixes #1668

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
…1675)

Ansible conditionals are already evaluated as Jinja2 expressions, so
wrapping them in {{ }}/{% %} delimiters triggers a deprecation warning
("conditional statements should not include jinja2 templating
delimiters") and is on a path to becoming a hard error.

Rewrite the two `assert` conditions as delimiter-free filter
expressions. `selectattr(...) | first | default(...)` reproduces the
original `{% for ... %}...{% else %}...{% endfor %}` no-match handling.

Fixes #1657

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The task named "Check whether Ansible can connect as <user>" reads like a
connectivity gate, but it is not one: `failed_when: false` is required
for the root -> admin_user fallback, so the task is really detecting which
remote user to use, not asserting that SSH works. Genuine SSH failures are
intentionally surfaced by Ansible's own later connection error rather than
duplicated here.

Rename it to "Determine remote user by probing connection as <user>" so the
name stops advertising a guarantee it never made. No behavior change.

Refs #1466
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.