From ac336ee512a2130934892a56d4cc4314e821060c Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Sun, 22 Apr 2018 17:59:56 -0700 Subject: [PATCH 01/21] Add xdebug.remote_autostart to simplify xdebug sessions --- group_vars/development/php.yml | 1 + roles/xdebug/defaults/main.yml | 1 + roles/xdebug/templates/xdebug.ini.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index 7b9af47888..8df88dc533 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -7,3 +7,4 @@ php_opcache_enable: 0 xdebug_remote_enable: 1 xdebug_remote_connect_back: 1 +xdebug_remote_autostart: 1 diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index b210759a30..3efa2ccfb2 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -3,6 +3,7 @@ php_xdebug_package: php-xdebug # XDebug Remote Debugging xdebug_remote_enable: 0 xdebug_remote_connect_back: 0 +xdebug_remote_autostart: 0 xdebug_remote_host: localhost xdebug_remote_port: 9000 xdebug_remote_log: /tmp/xdebug.log diff --git a/roles/xdebug/templates/xdebug.ini.j2 b/roles/xdebug/templates/xdebug.ini.j2 index 72435a2bf8..3490bc1d9b 100644 --- a/roles/xdebug/templates/xdebug.ini.j2 +++ b/roles/xdebug/templates/xdebug.ini.j2 @@ -6,6 +6,7 @@ zend_extension=xdebug.so ; Remote Debugging xdebug.remote_enable={{ xdebug_remote_enable }} xdebug.remote_connect_back={{ xdebug_remote_connect_back }} +xdebug.remote_autostart={{ xdebug_remote_autostart }} xdebug.remote_host={{ xdebug_remote_host }} xdebug.remote_port={{ xdebug_remote_port }} xdebug.remote_handler=dbgp From 9d5b3c5b5ac73fa34de7043c4d6af7ad52daf967 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 24 Apr 2018 09:57:57 -0600 Subject: [PATCH 02/21] Update logrotate doc URL [ci skip] --- group_vars/all/logrotate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
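Review bot: `xdebug_remote_autostart: 1` in group_vars/development/php.yml sits next to `xdebug_remote_connect_back: 1`, so with these values Xdebug will attempt a DBGp session back to the requesting client for every PHP request without the usual trigger; that is fine for a local Vagrant box, but it can add a connect timeout to each request when no IDE is listening, and nothing in the file says this is development-only. A short comment above the three keys, e.g. `# Development only: autostart + connect_back debug every request; other groups inherit the 0 defaults from roles/xdebug/defaults/main.yml`, would make the intent and the safe default (the second hunk keeps `xdebug_remote_autostart: 0`) explicit. The template hunk in roles/xdebug/templates/xdebug.ini.j2 is fine as written.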
diff --git a/group_vars/all/logrotate.yml b/group_vars/all/logrotate.yml index 438947254c..c6d24962c6 100644 --- a/group_vars/all/logrotate.yml +++ b/group_vars/all/logrotate.yml @@ -1,4 +1,4 @@ -# Documentation: https://galaxy.ansible.com/list#/roles/1117 +# Documentation: https://github.com/nickhammond/ansible-logrotate logrotate_scripts: - name: wordpress-sites path: "{{ www_root }}/**/logs/*.log" From 6f2fff5e24772de9311e4a4bf54a9000416d17ea Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Wed, 25 Apr 2018 09:53:08 -0300 Subject: [PATCH 03/21] Update WP-CLI to 1.5.1. --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 7390b123bd..0430d8cf2f 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.5.0 +wp_cli_version: 1.5.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From e3dff5f012f752a2e9be41f8e9df6dcca9073227 Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Wed, 25 Apr 2018 09:54:38 -0300 Subject: [PATCH 04/21] Update changelog. [ci skip] --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bad3e4d3a1..4709a091f2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) * Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) From 221ef605780f6b5ada034ddaeadfa29ab35e0a83 Mon Sep 17 00:00:00 2001 
From: jeremy Date: Fri, 27 Apr 2018 07:18:44 -0700 Subject: [PATCH 05/21] Update geerlingguy.composer 1.6.1->1.7.0 (#983) Update from `1.6.1` -> `1.7.0` which addresses #943 ([DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated.) --- CHANGELOG.md | 1 + requirements.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4709a091f2..cd12d3525b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) diff --git a/requirements.yml b/requirements.yml index a5dbaf621d..69d229acd6 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,6 @@ - name: composer src: geerlingguy.composer - version: 1.6.1 + version: 1.7.0 - name: ntp src: geerlingguy.ntp From 51bf9984ffc36cc9502d315c796ce068d95b8ec7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Apr 2018 08:48:46 -0600 Subject: [PATCH 06/21] Update geerlingguy.ntp 1.5.2->1.6.0 (#984) Avoids deprecation warnings introduced in Ansible 2.4: "The use of 'include' for tasks has been deprecated." --- CHANGELOG.md | 1 + requirements.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cd12d3525b..0fe1e5e105 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) * Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) diff --git a/requirements.yml b/requirements.yml index 69d229acd6..eb6c001e06 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ - name: ntp src: geerlingguy.ntp - version: 1.5.2 + version: 1.6.0 - name: logrotate src: nickhammond.logrotate From ee8c43762a1076bccbe4f7463074d0d913630055 Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Fri, 27 Apr 2018 08:05:01 -0700 Subject: [PATCH 07/21] Enable nginx to start on boot (#980) --- CHANGELOG.md | 1 + roles/nginx/tasks/main.yml | 7 +++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0fe1e5e105..f18678f700 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) * Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) * Update geerlingguy.composer 1.6.1->1.7.0 ([#983](https://github.com/roots/trellis/pull/983)) * Update wp-cli to 1.5.1 ([#982](https://github.com/roots/trellis/pull/982)) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index e38d61f526..3f0202792c 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -43,3 +43,10 @@ path: "{{ nginx_path }}/sites-enabled/default" state: absent notify: reload nginx + +- name: Enable Nginx to start on boot + service: + name: nginx + enabled: yes + state: started + use: service From 67e2bc585e31c1142035d7b67a6e38aba6946330 Mon Sep 17 00:00:00 2001 
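Review bot: `enabled: yes` in the new "Enable Nginx to start on boot" task in roles/nginx/tasks/main.yml is a YAML 1.1 truthy spelling; the module accepts it, but `enabled: true` is the canonical form yamllint's truthy rule expects and avoids parser-dependent reading. The `use: service` line pins the service backend instead of leaving the default `auto` detection; if that is deliberate (for example to sidestep the systemd module on this release) a one-line comment saying why would help, since the reason is not visible from the task itself.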
From: Nathaniel Schweinberg Date: Sun, 29 Apr 2018 14:44:59 -0700 Subject: [PATCH 08/21] update changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bad3e4d3a1..d29016b224 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Support git url format `ssh://user@host/path/to/repo` ([#975](https://github.com/roots/trellis/pull/975)) * Fix path to h5bp/mime.types ([#974](https://github.com/roots/trellis/pull/974)) * Vendor h5bp Nginx configs ([#973](https://github.com/roots/trellis/pull/973)) From 38e3b7a152719b2d7a08f094901e86e4c439e23c Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 3 May 2018 13:23:56 -0600 Subject: [PATCH 09/21] 'yarn run' -> 'yarn' [ci skip] --- deploy-hooks/build-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 6c483c3f75..bfad9d6847 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -19,7 +19,7 @@ # chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # # - name: Compile assets for production -# command: yarn run build:production +# command: yarn build:production # connection: local # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" From c6b258e5d938f9154911a6768f1bd38292a89d4b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 6 May 2018 15:32:52 -0600 Subject: [PATCH 10/21] Issue warning for all Ubuntu releases that are not Xenial (#986) --- roles/common/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 7248ce50da..94eaa73e0d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -78,8 +78,7 @@ Development via Vagrant: `vagrant destroy && vagrant up` Staging/Production: Create a new server with Ubuntu 16.04 and provision - when: ansible_distribution_release == 'trusty' - run_once: true + when: ansible_distribution_release != 'xenial' - name: Check whether passlib is needed fail: From 46d6a2a92b79816592af5d3af1fafd218aa3533f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 6 May 2018 15:33:16 -0600 Subject: [PATCH 11/21] Clarify that changelog entry indicates Trellis version (#987) --- lib/trellis/utils/output.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index cfb19176ad..9bcd31c992 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -29,7 +29,7 @@ def system(vagrant_version=None): else: change = re.search(r'^\*\s?(\[BREAKING\])?([^\(\n\[]+)', str, re.M|re.I) if change is not None: - changelog_msg = '\n Trellis at "{0}"'.format(change.group(2).strip()) + changelog_msg = '\n Trellis version (per changelog): "{0}"'.format(change.group(2).strip()) # Vagrant info, if available vagrant = ' Vagrant {0};'.format(vagrant_version) if vagrant_version else '' From b556ccdb2b3183eba4a9530b206a402422deeca3 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 6 May 2018 15:33:44 -0600 Subject: [PATCH 12/21] Validate python version on control machine (#988) --- lib/trellis/plugins/vars/version.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index d2a296aebf..df943b9f26 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -6,6 +6,7 @@ from ansible.errors import AnsibleError from distutils.version import LooseVersion from operator import ge, gt +from sys import version_info try: from __main__ import display 
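Review bot: `when: ansible_distribution_release != 'xenial'` now also matches non-Ubuntu hosts (a Debian or other release name is never `xenial`) while the message text in the same task still speaks only of Ubuntu 16.04; if warning on every non-Xenial platform is intended, which fits an Ubuntu-only project, the message could say so, otherwise guard it with `ansible_distribution == 'Ubuntu' and ansible_distribution_release != 'xenial'`. Dropping `run_once: true` makes the condition evaluate per host, which is correct for a per-host fact, but if this is a debug/warning rather than a fail task the text will now repeat once for every non-Xenial host. The task itself starts above the hunk.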
@@ -13,6 +14,10 @@ from ansible.utils.display import Display display = Display() +if version_info[0] > 2: + raise AnsibleError(('Trellis does not yet support Python {}.{}.{}. \n' + 'Please use Python 2.7.').format(version_info[0], version_info[1], version_info[2])) + version_requirement = '2.4.0.0' version_tested_max = '2.4.3.0' From 60b38c0afc2b129ee23cba46451d4d8a0d712f46 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 18 May 2018 18:41:13 +0800 Subject: [PATCH 13/21] Common: Install `git` instead of `git-core` Because `git-core` is now a dummy package of `git`. See: http://git.661346.n2.nabble.com/git-core-vs-git-package-on-ubuntu-tp7576083p7576085.html --- CHANGELOG.md | 1 + roles/common/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91e16ce907..786005e2f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) * Update geerlingguy.ntp 1.5.2->1.6.0 ([#984](https://github.com/roots/trellis/pull/984)) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 5e92f1487f..f34f62e723 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -26,7 +26,7 @@ apt_packages_default: build-essential: "{{ apt_package_state }}" python-mysqldb: "{{ apt_package_state }}" curl: "{{ apt_package_state }}" - git-core: "{{ apt_package_state }}" + git: "{{ apt_package_state }}" dbus: "{{ apt_package_state }}" libnss-myhostname: "{{ apt_package_state }}" From e3315fef63f290757e5ab249c96c01dadb84a8c2 Mon Sep 17 00:00:00 2001 
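Review bot: The new Python guard in lib/trellis/plugins/vars/version.py spells out three positional indexes to build the version string; `'...'.format(*version_info[:3])` says the same in one argument and cannot get the indexes out of order. The guard runs at import time of the vars plugin, so the `AnsibleError` fires before any playbook output; that appears deliberate given the Ansible-version checks below do the same, but the phrase "does not yet support Python 3" will age, and stating it as a requirement (`'Trellis requires Python 2.7; found Python {}.{}.{}.'`) avoids a stale promise. The module continues outside the hunk.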
From: Phil Nelson Date: Sat, 19 May 2018 17:31:14 -0600 Subject: [PATCH 14/21] Add CSP frame-ancestors, make X-Frame-Options conditional (#977) The X-Frame-Options header has been obsoleted by the frame-ancestors directive. Retain the X-Frame-Options header for older browsers. Return empty X-Frame-Options header for WordPress Customizer content to prevent the conflict that SAMEORIGIN would have with the ALLOW-FROM option that WordPress adds on its own (Safari browser). Discussion in https://core.trac.wordpress.org/ticket/40020 --- CHANGELOG.md | 1 + .../h5bp/directive-only/extra-security.conf | 2 +- .../templates/wordpress-site.conf.j2 | 14 ++++++++++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 786005e2f4..3390c67e7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) * Enable nginx to start on boot ([#980](https://github.com/roots/trellis/pull/980)) diff --git a/roles/nginx/templates/h5bp/directive-only/extra-security.conf b/roles/nginx/templates/h5bp/directive-only/extra-security.conf index 0ac46aa295..eb10e06ca4 100644 --- a/roles/nginx/templates/h5bp/directive-only/extra-security.conf +++ b/roles/nginx/templates/h5bp/directive-only/extra-security.conf @@ -1,6 +1,6 @@ # The X-Frame-Options header indicates whether a browser should be allowed # to render a page within a frame or iframe. -add_header X-Frame-Options SAMEORIGIN always; +# add_header X-Frame-Options SAMEORIGIN always; # MIME type sniffing security protection # There are very few edge cases where you wouldn't want this enabled. 
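Review bot: Commenting out `add_header X-Frame-Options SAMEORIGIN always;` in the shared h5bp extra-security.conf removes the anti-framing header from every server block that includes this file, while the replacement (CSP `frame-ancestors` plus the conditional X-Frame-Options) is added only to roles/wordpress-setup/templates/wordpress-site.conf.j2 according to the diffstat. If any other template or a user's nginx-includes pulls in extra-security.conf without that block, those sites now send neither header. A pointer comment in place of the disabled line would document the move and stop someone re-enabling it blindly, e.g. `# X-Frame-Options is now emitted per site by wordpress-site.conf.j2 (embed_security block); see #977`.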
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index d7a584bec1..ec074aaca1 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -161,6 +161,20 @@ server { {% endblock %} + {% block embed_security -%} + {% if item.value.nginx_embed_security | default(nginx_embed_security | default(true)) -%} + add_header Content-Security-Policy "frame-ancestors 'self'" always; + + # Conditional X-Frame-Options until https://core.trac.wordpress.org/ticket/40020 is resolved + set $x_frame_options SAMEORIGIN; + if ($arg_customize_changeset_uuid) { + set $x_frame_options ""; + } + add_header X-Frame-Options $x_frame_options always; + + {% endif -%} + {% endblock -%} + {% block location_php -%} location ~ \.php$ { {% block location_php_basic -%} From 8aa18e9bfd5747f5b5d8209b4a44534ad9359d8d Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 19 May 2018 19:08:12 -0600 Subject: [PATCH 15/21] Improve failed_when rule for Wordpress Installed check (#991) In rare cases the wp_installed registered var may be missing the stderr attribute, so add a default to avoid related error. The `wp core is-installed` command return code is 1 if WP is simply not installed. However, in rare cases the command may return some other return code indicative of true failure, so fail if rc > 1. --- roles/deploy/hooks/finalize-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index dd23480bb1..29ee76cc8a 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
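Review bot: The new `embed_security` block makes the X-Frame-Options fallback depend on `$arg_customize_changeset_uuid`, a request-supplied query parameter, so any response to a request carrying it is sent with an empty X-Frame-Options and its anti-framing protection rests entirely on `Content-Security-Policy: frame-ancestors 'self'`; that is acceptable for browsers that implement CSP2 (they ignore X-Frame-Options when frame-ancestors is present), but the trade-off for older user agents should be stated in the comment rather than only the trac link, e.g. `# X-Frame-Options is deliberately dropped when ?customize_changeset_uuid= is present; CSP frame-ancestors remains the effective control in CSP2-capable browsers`. A second caveat is nginx's add_header inheritance: server-level `add_header` lines are dropped in any `location` that declares its own `add_header`, so if the PHP location further down or an included snippet adds headers, both new headers vanish for those responses. The server block continues outside the hunk.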
@@ -10,7 +10,7 @@ chdir: "{{ deploy_helper.new_release_path }}" register: wp_installed changed_when: false - failed_when: wp_installed.stderr != "" + failed_when: wp_installed.stderr | default("") != "" or wp_installed.rc > 1 - name: Get WP theme template and stylesheet roots shell: > From c3e59f3221a896fe44fa4956df9c74137cb0aaa9 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 20 May 2018 09:13:10 +0800 Subject: [PATCH 16/21] deploy.sh: Return non-zero exit code when misuse (#990) - Exit with `127` when not enough arguments - Exit with `1` when hosts file not exist See: http://www.tldp.org/LDP/abs/html/exitcodes.html --- CHANGELOG.md | 1 + bin/deploy.sh | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3390c67e7a..7d9fc5a222 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) * Add `xdebug.remote_autostart` to simplify xdebug sessions ([#985](https://github.com/roots/trellis/pull/985)) diff --git a/bin/deploy.sh b/bin/deploy.sh index 79d72c37d4..0b346e8e34 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh @@ -21,7 +21,7 @@ Examples: " } -[[ $# -lt 2 ]] && { show_usage; exit 0; } +[[ $# -lt 2 ]] && { show_usage; exit 127; } for arg do @@ -39,7 +39,7 @@ if [[ ! -e $HOSTS_FILE ]]; then echo echo "Available environments:" ( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" ) - exit 0 + exit 1 fi $DEPLOY_CMD From c06894054b9aea5c8393c78a49ff92ee5ddf8997 Mon Sep 17 00:00:00 2001 
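Review bot: `wp_installed.stderr | default("") != ""` in roles/deploy/hooks/finalize-before.yml still fails the deploy on any stderr output, including PHP notices or WP-CLI warnings printed alongside a clean return code, while the new `wp_installed.rc > 1` clause is the robust half of the test given the commit message's note that rc 1 just means "not installed". If the stderr half is kept on purpose a comment saying why would help; otherwise `failed_when: wp_installed.rc > 1` is sufficient. The same file's later task (patch 18, the `wp_template_root` hunk) writes `default('')`, so pick one quoting style. The task starts above the hunk.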
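Review bot: `exit 127` for the too-few-arguments case in bin/deploy.sh reuses the code the shell reserves for "command not found" (the tldp page the commit cites lists it that way), so a caller cannot tell a usage error from `$DEPLOY_CMD` failing to launch at the end of the script. Usage errors are conventionally 2 (what bash builtins return) or 64 (`EX_USAGE` from sysexits.h): `[[ $# -lt 2 ]] && { show_usage; exit 2; }`. The second hunk's `exit 1` for a missing hosts file is fine.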
From: Phil Nelson Date: Sat, 19 May 2018 20:33:26 -0600 Subject: [PATCH 17/21] Skip Acme Challenge failure message for non-failed sites (#993) --- roles/letsencrypt/tasks/nginx.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 298524cc07..fa564947dc 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -60,5 +60,5 @@ Make sure that a valid DNS record exists for {{ item.failed_hosts | join(', ') }} and that they point to this server's IP. If you don't want these domains in your SSL certificate, then remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more details. - when: not item | skipped and letsencrypt_test_challenges | failed + when: item is not skipped and item is failed with_items: "{{ letsencrypt_test_challenges.results }}" From 30ae7fe95370b24b955f971f90b3c8fe99d6473f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 20 May 2018 13:01:51 -0600 Subject: [PATCH 18/21] Bump Ansible version_tested_max to 2.5.3 (#981) * Bump Ansible version_tested_max to 2.5.3 Convert Jinja2 tests from filter format to `var is testname` format. Encourage users on Ansible 2.5.0 to upgrade to avoid erroneous warnings fixed in ansible/ansible 37538 --- CHANGELOG.md | 1 + deploy.yml | 2 +- lib/trellis/plugins/vars/version.py | 8 ++++++-- roles/common/defaults/main.yml | 2 +- roles/connection/defaults/main.yml | 2 +- roles/connection/tasks/main.yml | 2 +- roles/deploy/hooks/finalize-before.yml | 2 +- roles/deploy/tasks/update.yml | 2 +- roles/letsencrypt/defaults/main.yml | 2 +- roles/letsencrypt/tasks/nginx.yml | 2 +- roles/users/tasks/main.yml | 2 +- roles/wordpress-install/tasks/main.yml | 2 +- roles/xdebug-tunnel/tasks/main.yml | 4 ++-- server.yml | 2 +- vagrant.default.yml | 2 +- 15 files changed, 21 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d9fc5a222..ac328cd77a 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) * deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) * Common: Install `git` instead of `git-core` ([#989](https://github.com/roots/trellis/pull/989)) diff --git a/deploy.yml b/deploy.yml index 308c5bc4f0..e391a1b641 100644 --- a/deploy.yml +++ b/deploy.yml @@ -28,6 +28,6 @@ Ensure that your site's `repo` variable is defined in `group_vars/{{ env }}/wordpress_sites.yml` and uses the SSH format (example: git@github.com:roots/bedrock.git) More info: > https://roots.io/trellis/docs/deploys/ - when: project.repo is not defined or not project.repo | match("^ssh://.+@.+|.+@.+:.+") + when: project.repo is not defined or project.repo is not match("^ssh://.+@.+|.+@.+:.+") roles: - deploy diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index df943b9f26..ada7aeaf63 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py @@ -5,7 +5,7 @@ from ansible import __version__ from ansible.errors import AnsibleError from distutils.version import LooseVersion -from operator import ge, gt +from operator import eq, ge, gt from sys import version_info try: @@ -19,7 +19,7 @@ 'Please use Python 2.7.').format(version_info[0], version_info[1], version_info[2])) version_requirement = '2.4.0.0' -version_tested_max = '2.4.3.0' +version_tested_max = '2.5.3' if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 
@@ -29,6 +29,10 @@ u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) +if eq(LooseVersion(__version__), LooseVersion('2.5.0')): + display.warning(u'You Ansible version is {}. Consider upgrading your Ansible version to avoid ' + u'erroneous warnings such as `Removed restricted key from module data...`'.format(__version__)) + # Import BaseVarsPlugin after Ansible version check. # Otherwise import error for Ansible versions older than 2.4 would prevent display of version check message. from ansible.plugins.vars import BaseVarsPlugin diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index f34f62e723..c97104a18e 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -33,7 +33,7 @@ apt_packages_default: apt_packages_custom: {} apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" -openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.8', '>=') }}" +openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.8', '>=') }}" overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" overlapping_kex: "[{% for kex in (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) if kex in ssh_client_kex %}'{{ kex }}',{% endfor %}]" overlapping_macs: "[{% for mac in (sshd_macs_default + sshd_macs_extra) if mac in ssh_client_macs %}'{{ mac }}',{% endfor %}]" diff --git a/roles/connection/defaults/main.yml b/roles/connection/defaults/main.yml index f6c42a8444..70219ac2e1 100644 --- a/roles/connection/defaults/main.yml +++ b/roles/connection/defaults/main.yml 
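Review bot: The new 2.5.0 warning in lib/trellis/plugins/vars/version.py has a typo in user-facing text: `u'You Ansible version is {}. Consider upgrading ...'` should read `u'Your Ansible version is {}. Consider upgrading ...'`. Otherwise `eq(LooseVersion(__version__), LooseVersion('2.5.0'))` follows the operator-function style already used in this module, and naming the `Removed restricted key from module data...` warning in the message is a useful breadcrumb. The module continues outside the hunk.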
@@ -1,5 +1,5 @@ ansible_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ansible_host + ' > /dev/null 2>&1 && echo True || echo False') }}" ssh_config_host: "{{ lookup('pipe', 'ssh -G ' + ansible_host + ' 2>/dev/null | grep \"^hostname\" ||:') | regex_replace('^hostname ([^\\s]+)', '\\1') }}" ssh_config_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ssh_config_host + ' > /dev/null 2>&1 && echo True || echo False') }}" -openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.5', '>=') }}" +openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') is version_compare('6.5', '>=') }}" host_key_algorithms: "{{ openssh_6_5_plus | ternary('ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa', 'ssh-rsa-cert-v01@openssh.com,ssh-rsa') }}" diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 92ba31315d..de07be3538 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -60,7 +60,7 @@ debug: msg: | Note: Ansible will attempt connections as user = {{ ansible_user }} - {% if not preferred_host_key_algorithms | skipped %} + {% if preferred_host_key_algorithms is not skipped %} Note: The host `{{ ansible_host }}` was not detected in known_hosts so Trellis prompted the host to offer a key type that will work with diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 29ee76cc8a..4c46ed35ea 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -23,7 +23,7 @@ chdir: "{{ deploy_helper.current_path }}" register: wp_template_root changed_when: false - failed_when: not wp_template_root.stderr | default('') | match("(|.*Could not get '" + item + "' option\. Does it exist\?)") + failed_when: wp_template_root.stderr | default('') is not match("(|.*Could not get '" + item + "' option\. Does it exist\?)") when: - wp_installed.rc == 0 - project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 672784b3f8..0a456b0b10 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -49,7 +49,7 @@ More info: > https://roots.io/trellis/docs/deploys/#ssh-keys > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding - when: git_clone | failed + when: git_clone is failed - include_tasks: "{{ include_path }}" with_items: "{{ deploy_update_after | default([]) }}" diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 2bd7b12805..52b628fc7a 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
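Review bot: The rewritten `failed_when` in roles/deploy/hooks/finalize-before.yml can never fail: `match` anchors only at the start of the string, and the pattern's leading empty alternative `(|...)` matches the empty prefix of any stderr, so `is not match(...)` is always false. Anchoring the end restores the intent (empty stderr or the "Could not get ... option" message are acceptable, anything else fails): `failed_when: wp_template_root.stderr | default('') is not match("(|.*Could not get '" + item + "' option\. Does it exist\?.*)$")`. Since `item` is spliced into the regex unescaped, `item | regex_escape()` would also keep a loop value with regex metacharacters from altering the match, if the loop values are not fixed literals. The task starts above the hunk.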
@@ -1,7 +1,7 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" site_uses_letsencrypt: ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" -letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" +letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if item is not skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' acme_tiny_commit: '4ed13950c0a9cf61f1ca81ff1874cde1cf48ab32' diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index fa564947dc..c0578e4933 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -36,7 +36,7 @@ notify: disable temporary challenge sites - import_tasks: "{{ playbook_dir }}/roles/common/tasks/reload_nginx.yml" - when: challenge_site_confs | changed or challenge_sites_enabled | changed + when: challenge_site_confs is changed or challenge_sites_enabled is changed - name: Create test Acme Challenge file shell: touch {{ acme_tiny_challenges_directory }}/ping.txt diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index e1487bc5c6..a9313429fe 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml 
@@ -67,5 +67,5 @@ tags: [connection-tests, sshd] - import_tasks: connection-warnings.yml - when: not admin_user_status | skipped and admin_user_status.rc != 0 + when: admin_user_status is not skipped and admin_user_status.rc != 0 tags: [connection-tests, sshd] diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 060f386d76..58b1f88f95 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -68,7 +68,7 @@ args: chdir: "{{ www_root }}/{{ item.item.key }}/{{ item.item.value.current_path | default('current') }}/" with_items: "{{ wp_install.results }}" - when: item | changed + when: item is changed - name: Update WP Multisite Home URL command: wp option update home {{ site_env.wp_home }} --allow-root diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index b015c11099..9147f73733 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -20,9 +20,9 @@ SSH tunnel already closed! {% endif %} {{ xdebug_tunnel.stderr | default('Unknown error in handling Xdebug SSH tunnel') }} - when: xdebug_tunnel | failed or 'already' in xdebug_tunnel.stderr | default('') + when: xdebug_tunnel is failed or 'already' in xdebug_tunnel.stderr | default('') - name: Announce Xdebug SSH tunnel status debug: msg: SSH Tunnel was {{ xdebug_remote_enable | bool | ternary('created', 'closed') }}! - when: xdebug_tunnel | changed + when: xdebug_tunnel is changed diff --git a/server.yml b/server.yml index d4fb1b00c3..ac86b53f93 100644 --- a/server.yml +++ b/server.yml 
@@ -17,7 +17,7 @@ - name: Install Python 2.x raw: which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson register: python_check - changed_when: not python_check.stdout | search('/usr/bin/python') + changed_when: python_check.stdout is not search('/usr/bin/python') - name: WordPress Server - Install LEMP Stack with PHP 7.2 and MariaDB MySQL hosts: web:&{{ env }} diff --git a/vagrant.default.yml b/vagrant.default.yml index ddcaca4737..c73a622a1c 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '>= 201801.02.0' -vagrant_ansible_version: '2.4.3.0' +vagrant_ansible_version: '2.5.3' vagrant_skip_galaxy: false vagrant_install_plugins: true From eb20979b7181d5eb800c15f031f804335918fbc7 Mon Sep 17 00:00:00 2001 From: Bradley Date: Mon, 21 May 2018 13:29:32 +1000 Subject: [PATCH 19/21] Add option to enable FastCGI background updates (#962) Enabled by default --- CHANGELOG.md | 1 + roles/wordpress-setup/defaults/main.yml | 1 + roles/wordpress-setup/templates/wordpress-site.conf.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac328cd77a..0c032478c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962)) * Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981)) * deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990)) * Add CSP `frame-ancestors`, make `X-Frame-Options` conditional ([#977](https://github.com/roots/trellis/pull/977)) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 928e61c02d..8d622fb89a 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
@@ -30,6 +30,7 @@ hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | te
nginx_cache_duration: 30s
nginx_skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml
nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in
+nginx_cache_background_update: on
# Nginx includes
nginx_includes_templates_path: nginx-includes
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index ec074aaca1..d731acad03 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -189,6 +189,7 @@ server {
fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }};
fastcgi_cache_bypass $skip_cache;
fastcgi_no_cache $skip_cache;
+ fastcgi_cache_background_update {{ item.value.cache.background_update | default(nginx_cache_background_update) }};
{% endif -%}
{% endblock -%}
From 54a108e2a5d9a9e0cf2c9c7c13e136b256622460 Mon Sep 17 00:00:00 2001
From: Phil Nelson
Date: Mon, 21 May 2018 11:00:50 -0600
Subject: [PATCH 20/21] Add quotes to nginx_cache_background_update value "on"
Quotes prevent Ansible from interpolating the variable value as True. True is an invalid value for fastcgi_cache_background_update and would would make Nginx unable to reload.
---
roles/wordpress-setup/defaults/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml
index 8d622fb89a..5b2e1768ee 100644
--- a/roles/wordpress-setup/defaults/main.yml
+++ b/roles/wordpress-setup/defaults/main.yml
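Review bot: The new `fastcgi_cache_background_update` line interpolates the site's `cache.background_update` value verbatim, so an unquoted `on`/`off` in a site's group_vars arrives as a YAML 1.1 boolean and is rendered as `True`/`False`, which nginx rejects at reload — the same trap the unquoted default in the defaults hunk above falls into. Normalising in the template closes it for both the default and per-site overrides regardless of how they were written: `fastcgi_cache_background_update {{ item.value.cache.background_update | default(nginx_cache_background_update) | bool | ternary('on', 'off') }};`. Worth confirming separately: per the nginx documentation this directive only has an effect when `fastcgi_cache_use_stale` includes `updating`, and no such line is visible in this hunk, so the new on-by-default setting may be a no-op rather than the intended stale-while-revalidate. The `{% if %}` and `{% block %}` this sits in open outside the hunk.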
@@ -30,7 +30,7 @@ hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | te
nginx_cache_duration: 30s
nginx_skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml
nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in
-nginx_cache_background_update: on
+nginx_cache_background_update: "on"
# Nginx includes
nginx_includes_templates_path: nginx-includes
From d52893c2e3759bd7a48a692b2321240a61005b12 Mon Sep 17 00:00:00 2001
From: Tang Rufus
Date: Sun, 3 Jun 2018 20:27:54 +0800
Subject: [PATCH 21/21] Verify `wp-cli.phar` checksum
---
CHANGELOG.md | 1 +
roles/wp-cli/defaults/main.yml | 1 +
roles/wp-cli/tasks/main.yml | 1 +
3 files changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0c032478c0..9b85267035 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
### HEAD
+* Verify `wp-cli.phar` checksum ([#996](https://github.com/roots/trellis/pull/996))
* Enable `fastcgi_cache_background_update` by default ([#962](https://github.com/roots/trellis/pull/962))
* Bump Ansible `version_tested_max` to 2.5.3 ([#981](https://github.com/roots/trellis/pull/981))
* deploy.sh: Return non-zero exit code when misuse ([#990](https://github.com/roots/trellis/pull/990))
diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml
index 0430d8cf2f..b1f1acf604 100644
--- a/roles/wp-cli/defaults/main.yml
+++ b/roles/wp-cli/defaults/main.yml
@@ -1,4 +1,5 @@
wp_cli_version: 1.5.1
+wp_cli_phar_checksum: "sha512:8dd68c98c6fa00e1acc5e036f9393c8b052937045b5232e4aa0eb4f15773908eae48760607bc853a4f951bd5ba69e5050337e5d9dcfa48df87a12cebb1de3432"
wp_cli_bin_path: /usr/bin/wp
wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar"
wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash"
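Review bot: The quotes are the right fix, but nothing in the file records why they matter, so the next person who tidies the quoting, or who writes a per-site `cache.background_update: on` in group_vars, reintroduces the `True` that breaks the nginx reload. Put the rationale next to the value: `# Keep this a quoted string: an unquoted on/off is a YAML 1.1 boolean and renders as True/False, which nginx rejects; the same applies to per-site cache.background_update overrides`. A stricter alternative is to normalise in the template with `| bool | ternary('on', 'off')`, which makes the quoting irrelevant for both sources.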
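Review bot: `wp_cli_phar_checksum` now gates the phar, but `wp_cli_completion_url` three lines below it is fetched by a tag-pinned raw.githubusercontent.com URL with no companion checksum; git tags are mutable and a bash completion file is sourced into admin shells, so if it has its own `get_url` task (outside this hunk) it deserves the same gate via a `wp_cli_completion_checksum` variable. The coupling between the two values is also undocumented: bumping `wp_cli_version` without refreshing the checksum now fails the download, which is the right failure mode but will surprise whoever next updates the version. Suggest `# SHA-512 of the wp-cli-{{ wp_cli_version }}.phar release asset; update together with wp_cli_version or get_url will refuse the download` above the new line.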
diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml
index c3f6770953..8888ff40d6 100644
--- a/roles/wp-cli/tasks/main.yml
+++ b/roles/wp-cli/tasks/main.yml
@@ -3,6 +3,7 @@
get_url:
url: "{{ wp_cli_phar_url }}"
dest: /tmp/wp-cli-{{ wp_cli_version }}.phar
+ checksum: "{{ wp_cli_phar_checksum }}"
- name: Install WP-CLI
command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }}
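Review bot: The checksum is verified against a file that lives under a predictable name in world-writable `/tmp` (the `dest:` line above the new `checksum:`), and the `rsync` on the last line then copies that same path into `{{ wp_cli_bin_path }}`; on a multi-user host that is the classic staging-in-/tmp TOCTOU surface, and presumably only sticky-bit `/tmp` and `get_url`'s atomic rename keep it honest. Staging into a root-owned directory sidesteps the question entirely, e.g. `dest: /usr/local/src/wp-cli-{{ wp_cli_version }}.phar` with the `rsync` source changed to match. Note that with `checksum` set, `get_url` re-verifies an existing `dest` and skips the download on a match per the module docs, so moving the staging file out of `/tmp` costs nothing in idempotence. The task's `name:` line sits just outside the hunk.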